Re: OT: dns zone transfer (was: public key is not available)

2006-01-19 Thread Michael Schmitz
> > > His nameserver doesn't need to be broken, yours might very well be.
> > > His nameserver refuses to answer a zone transfer request (9 NOAUTH)
> > > because it's not authoritative on that zone (that's absolutely correct
> > > behaviour).
> >
> > OK, I'll take your word for it that my DNS is broken and his is not. As I
> > said, I am no DNS guru.
> >
> > I have bind running locally, could that explain it?
> >
> > > Yours does answer that request. The funny thing is that among the
> > > authoritative nameservers of the pgp.net zone, some answer the zone
> > > transfer request and some do not (5 REFUSED).

> I tried
>
> $ host -v -l pgp.net
>
> and it seems my DNS is not queried to do zone transfers:
>
> $ host -v -l pgp.net
> Query about pgp.net for record types A NS PTR
> Finding nameservers for pgp.net ...
> Query done, 6 answers, status: no error
> Found 1 address for ns1.pipex.net
> Found 1 address for procert.cert.dfn.de
> Found 1 address for auth01.ns.uu.net
> Found 1 address for dns0.cl.cam.ac.uk
> Found 1 address for nac.no
> Found 1 address for ns0.pipex.net
> Trying server 158.43.192.7 (ns1.pipex.net) ...
> Asking zone transfer for pgp.net ...
> Query failed, 0 answers, status: query refused
> pgp.net AXFR record query refused by ns1.pipex.net
> Asking SOA record for pgp.net ...
> Query done, 1 answer, authoritative status: no error
>
> [ my comment: host asked ns1.pipex.net for a zone transfer, got none]
> [ ... other servers in the list above tried, got no answers]
>
> If I understand things correctly, host does not ask my DNS for a zone
> transfer for pgp.net. So my DNS is not broken.

Right - your DNS server cannot know about zone data for pgp.net (only
cached parts of it). For zone transfers, it's always one of the
authoritative name servers that's asked.

Correct default behavior for authoritative name servers is to refuse zone
transfers from anyone not local (or even anyone not running a secondary).
In this case, where zone transfers are used to publish information about
which key servers to contact (according to the documentation even!), the
correct behavior would instead be to accept zone queries from anyone.
Seems the pgp.net servers are misconfigured.

> So my DNS is not broken, but why did
>
> $ host -l pgp.net | grep www
>
> not work for Paul J. Lucas?
>
> Because he used host from the bind9-host package while I used host
> from the host package.

Maybe both have different limits on how many servers to try, or even
different methods to query for zone data. Either way, the documented way
of figuring out key servers does not work reliably, and the documentation
should be fixed to suggest a more reliable method (or the pgp.net DNS
needs fixing if that's possible; they may have switched off zone queries
for a reason).

Michael





Re: OT: dns zone transfer (was: public key is not available)

2006-01-19 Thread Ismael Valladolid Torres
Hans Ekbrand writes:
> I took the host -l pgp.net method from the default .gnupg/options; is
> there anything wrong with that method?

Yes. It works for very few people.

I'm in Spain and I always use pgp.rediris.es, which is very complete
and transfers very fast. I encourage people to guess which PGP
server's in their country, if any, even if it isn't a pgp.net host.

Cordially, Ismael
-- 
Dropping science like when Galileo dropped his orange




Re: OT: dns zone transfer (was: public key is not available)

2006-01-18 Thread Hans Ekbrand
On Wed, Jan 18, 2006 at 10:53:46PM +0100, Kiko Piris wrote:
> On 18/01/2006 at 22:16 +0100, Hans Ekbrand wrote:
>
> > pgp.net is not a host, it's a zone. My guess is that your nameserver
> > is broken, but I'm no DNS guru.
> >
> > Here are some of the servers that my nameserver replies to the above
> > command:
>
> His nameserver doesn't need to be broken, yours might very well be.
> His nameserver refuses to answer a zone transfer request (9 NOAUTH)
> because it's not authoritative on that zone (that's absolutely correct
> behaviour).

OK, I'll take your word for it that my DNS is broken and his is not. As I
said, I am no DNS guru.

I have bind running locally, could that explain it?

> Yours does answer that request. The funny thing is that among the
> authoritative nameservers of the pgp.net zone, some answer the zone
> transfer request and some do not (5 REFUSED).

I don't really see the fun in it :-) I do find it funny that the
broken DNS servers return the info requested, while the non-broken ones
do not.

I took the host -l pgp.net method from the default .gnupg/options; is
there anything wrong with that method?

-- 
Hans Ekbrand (http://sociologi.cjb.net) [EMAIL PROTECTED]
Q. What is that strange attachment in this mail?
A. My digital signature, see www.gnupg.org for info on how you could
   use it to ensure that this mail is from me and has not been
   altered on the way to you.




Re: OT: dns zone transfer (was: public key is not available)

2006-01-18 Thread Hans Ekbrand
On Wed, Jan 18, 2006 at 11:30:31PM +0100, Hans Ekbrand wrote:
> On Wed, Jan 18, 2006 at 10:53:46PM +0100, Kiko Piris wrote:
> > On 18/01/2006 at 22:16 +0100, Hans Ekbrand wrote:
> >
> > > pgp.net is not a host, it's a zone. My guess is that your nameserver
> > > is broken, but I'm no DNS guru.
> > >
> > > Here are some of the servers that my nameserver replies to the above
> > > command:
> >
> > His nameserver doesn't need to be broken, yours might very well be.
> > His nameserver refuses to answer a zone transfer request (9 NOAUTH)
> > because it's not authoritative on that zone (that's absolutely correct
> > behaviour).
>
> OK, I'll take your word for it that my DNS is broken and his is not. As I
> said, I am no DNS guru.
>
> I have bind running locally, could that explain it?
>
> > Yours does answer that request. The funny thing is that among the
> > authoritative nameservers of the pgp.net zone, some answer the zone
> > transfer request and some do not (5 REFUSED).

I tried

$ host -v -l pgp.net

and it seems my DNS is not queried to do zone transfers:

$ host -v -l pgp.net
Query about pgp.net for record types A NS PTR
Finding nameservers for pgp.net ...
Query done, 6 answers, status: no error
Found 1 address for ns1.pipex.net
Found 1 address for procert.cert.dfn.de
Found 1 address for auth01.ns.uu.net
Found 1 address for dns0.cl.cam.ac.uk
Found 1 address for nac.no
Found 1 address for ns0.pipex.net
Trying server 158.43.192.7 (ns1.pipex.net) ...
Asking zone transfer for pgp.net ...
Query failed, 0 answers, status: query refused
pgp.net AXFR record query refused by ns1.pipex.net
Asking SOA record for pgp.net ...
Query done, 1 answer, authoritative status: no error

[ my comment: host asked ns1.pipex.net for a zone transfer, got none]
[ ... other servers in the list above tried, got no answers]

Trying server 128.232.0.19 (dns0.cl.cam.ac.uk) ...
Asking zone transfer for pgp.net ...
pgp.net.                8640    IN      NS      nac.no.
pgp.net.                8640    IN      NS      ns0.pipex.net.
pgp.net.                8640    IN      NS      ns1.pipex.net.
pgp.net.                8640    IN      NS      dns0.cl.cam.ac.uk.
pgp.net.                8640    IN      NS      orgo.progsoc.uts.edu.au.
pgp.net.                8640    IN      NS      robin.dfn-cert.de.
pgp.net.                8640    IN      NS      auth01.ns.uu.net.
ftp.at.pgp.net.         8640    IN      A       195.64.0.34
www.at.pgp.net.         8640    IN      A       195.64.0.35
ftp.au.pgp.net.         8640    IN      A       203.5.112.20
www.au.pgp.net.         8640    IN      A       128.232.0.23

[...]

If I understand things correctly, host does not ask my DNS for a zone
transfer for pgp.net. So my DNS is not broken.

If I explicitly tell host to use my DNS, it fails:

$ host -v -l pgp.net 127.0.0.1
Server: localhost.localdomain
Address: 127.0.0.1
Aliases: localhost samir

Query about pgp.net for record types A NS PTR
Trying server 127.0.0.1 (localhost.localdomain) ...
Asking zone transfer for pgp.net ...
Query failed, 0 answers, status: query refused
pgp.net AXFR record query refused by localhost.localdomain
Asking SOA record for pgp.net ...
Query failed, 0 answers, status: no error
pgp.net SOA record currently not present at localhost.localdomain
No nameservers for pgp.net responded

So my DNS is not broken, but why did

$ host -l pgp.net | grep www

not work for Paul J. Lucas?

Because he used host from the bind9-host package while I used host
from the host package.

-- 
Hans Ekbrand (http://sociologi.cjb.net) [EMAIL PROTECTED]
Q. What is that strange attachment in this mail?
A. My digital signature, see www.gnupg.org for info on how you could
   use it to ensure that this mail is from me and has not been
   altered on the way to you.
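The host -v -l output Hans posted above, and the refused/answered split among the pgp.net authoritative servers that Michael describes in his reply, can be checked mechanically. The script below is an added example and is not code from this thread, from the host package or from the pgp.net project: it parses the verbose output into one attempt per server, records whether the AXFR was refused or answered (the local resolver run at 127.0.0.1 is the "refused, no SOA" case), and extracts the www.* A records from whichever transfer succeeded, which is what the host -l pgp.net | grep www line in .gnupg/options depends on. The two input samples are constructed from the lines quoted in the thread (with the tabs the archive collapsed put back), and the function names and the www-prefix filter are assumptions made here.

```python
"""Parse the verbose output of `host -v -l ZONE` (host from the "host"
package, as used in the thread) and report which authoritative servers
refused the AXFR and which answered it, then pull the www.* key-server
addresses out of the answered transfer.

Added example; not code from the thread or from the host package.
Function names and the record filter are assumptions made here."""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines Hans posted, with whitespace restored
# where the archive collapsed the tabs between record fields.
SAMPLE = """\
Query about pgp.net for record types A NS PTR
Finding nameservers for pgp.net ...
Query done, 6 answers, status: no error
Found 1 address for ns1.pipex.net
Found 1 address for dns0.cl.cam.ac.uk
Trying server 158.43.192.7 (ns1.pipex.net) ...
Asking zone transfer for pgp.net ...
Query failed, 0 answers, status: query refused
pgp.net AXFR record query refused by ns1.pipex.net
Asking SOA record for pgp.net ...
Query done, 1 answer, authoritative status: no error
Trying server 128.232.0.19 (dns0.cl.cam.ac.uk) ...
Asking zone transfer for pgp.net ...
pgp.net.        8640    IN      NS      nac.no.
pgp.net.        8640    IN      NS      ns0.pipex.net.
ftp.at.pgp.net. 8640    IN      A       195.64.0.34
www.at.pgp.net. 8640    IN      A       195.64.0.35
ftp.au.pgp.net. 8640    IN      A       203.5.112.20
www.au.pgp.net. 8640    IN      A       128.232.0.23
"""

# Constructed sample: the run against the local resolver
# (host -v -l pgp.net 127.0.0.1), which refuses AXFR and has no SOA.
LOCAL_SAMPLE = """\
Query about pgp.net for record types A NS PTR
Trying server 127.0.0.1 (localhost.localdomain) ...
Asking zone transfer for pgp.net ...
Query failed, 0 answers, status: query refused
pgp.net AXFR record query refused by localhost.localdomain
Asking SOA record for pgp.net ...
Query failed, 0 answers, status: no error
pgp.net SOA record currently not present at localhost.localdomain
No nameservers for pgp.net responded
"""

TRYING = re.compile(r"^Trying server (\S+) \((\S+)\) \.\.\.$")
REFUSED = re.compile(r"^\S+ AXFR record query refused by (\S+)$")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


@dataclass
class Attempt:
    """One 'Trying server ...' section of the host output."""
    server: str                       # server name as printed by host
    address: str                      # its IP address
    status: str = "no answer"         # "refused", "answered" or "no answer"
    records: list = field(default_factory=list)  # (owner, ttl, type, rdata)


def parse_host_transfer(text):
    """Split the output into per-server attempts and classify each one."""
    attempts, current = [], None
    for line in text.splitlines():
        m = TRYING.match(line)
        if m:
            current = Attempt(server=m.group(2), address=m.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue                  # nameserver-discovery preamble
        if REFUSED.match(line):
            current.status = "refused"
            continue
        m = RECORD.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            current.records.append((owner, int(ttl), rtype, rdata))
            current.status = "answered"
    return attempts


def summarize(attempts):
    """Map server name -> AXFR outcome, to see at a glance who refused."""
    return {a.server: a.status for a in attempts}


def key_servers(attempts, zone, label="www"):
    """Addresses of LABEL.*.ZONE A records from any answered transfer.

    Stricter than `grep www`: only A records whose owner name begins
    with the label count, so an NS or TXT record that merely contains
    'www' somewhere in its data is not mistaken for a key server."""
    found = {}
    for a in attempts:
        if a.status != "answered":
            continue
        for owner, _ttl, rtype, rdata in a.records:
            if (rtype == "A" and owner.startswith(label + ".")
                    and owner.endswith("." + zone + ".")):
                found.setdefault(owner, rdata)
    return found


if __name__ == "__main__":
    for sample in (SAMPLE, LOCAL_SAMPLE):
        attempts = parse_host_transfer(sample)
        print(summarize(attempts))
        print(key_servers(attempts, "pgp.net"))
```

Run against the first sample it reports ns1.pipex.net as refused and dns0.cl.cam.ac.uk as answered, and returns the two www.*.pgp.net addresses; against the local-resolver sample it reports only a refusal and returns nothing, which is the behaviour Michael explains: a caching resolver has no zone to hand out, so the documented method can only ever succeed when at least one authoritative server permits the transfer.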

