Re: DMARC/DKIM and OpenBSD Mailinglists
Moin, > I am intentionally double-posting this email (once from my personal > domain, once from reads-this-mailinglist.com) to see how well > preserving messages as sent works/impacts deliverability. Some results on this: For the mail from @reads-this-mailinglist.com all DMARC reports indicated successful delivery. With the mail from fiebig.nl (p=reject, SPF -all), a handful of mails were either quarantined (11) or rejected (4) due to a DKIM missmatch/validation failure. Most of these were from providers that simultaneously saw messages with valid DKIM. I would suspect that this is due to some subscribers having features active that still require changes to mails that are incompatible with DKIM's signed headers for this domain. However, in general, this is still a relatively low amount of missed messages; So i'd say that the current solution also works. With best regards, Tobias
Re: unbound signature expired
> ... however I'm getting different errors now for the Slack-group > specific URLs: > > ... > > validation failure : signatures from unknown keys > from 2620:fe::fe Was able to fix this by running `unbound-anchor` after fixing my system clock. I think everything is working normally now. Thanks!
Re: unbound signature expired
> You can use rdate to jump the clock instead.
That updated my system clock to the correct time. dig queries against
Slack now work as expected, however I'm getting different errors now for
the Slack-group specific URLs:
```
# dig @::1 kubernetes.slack.com
; <<>> DiG 9.10.6 <<>> kubernetes.slack.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 6b
75 62 65 72 6e 65 74 65 73 2e 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e
3a 20 73 69 67 6e 61 74 75 72 65 73 20 66 72 6f 6d 20 75 6e 6b 6e 6f 77 6e 20
6b 65 79 73 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("..validation
failure : signatures from unknown keys from
2620:fe::fe")
;; QUESTION SECTION:
;kubernetes.slack.com. IN A
;; Query time: 20 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 18 13:46:54 PDT 2024
;; MSG SIZE rcvd: 149
```
Again, querying directly from Quad9 works.
Any idea what's going on here?
Re: unbound signature expired
On 2024-03-18, Evan Sherwood wrote: >> Wild guess, your time is off. > > Huh, I think you're right. `date` shows me 7 hours ahead of my timezone. > > I restarted ntpd and I see no errors in /var/log/daemon, but the time is > still off. I should be 1200 PDT but it's showing me as 1900 PDT (not > UTC). > > What do I do to fix this? Pretty sure I had set my timezone to > America/Los_Angeles when I installed OpenBSD. ntpd will take ages to correct that much offset (it can set the clock _forwards_ more quickly to the time of a trusted server at startup, but not backwards). You can use rdate to jump the clock instead. -- Please keep replies on the mailing list.
Re: unbound signature expired
> Wild guess, your time is off. Huh, I think you're right. `date` shows me 7 hours ahead of my timezone. I restarted ntpd and I see no errors in /var/log/daemon, but the time is still off. I should be 1200 PDT but it's showing me as 1900 PDT (not UTC). What do I do to fix this? Pretty sure I had set my timezone to America/Los_Angeles when I installed OpenBSD.
Re: unbound signature expired
They seem to be using extremely short-lived signatures, probably created
by an online-signer.
$ dig +short ns slack.com
ns-1493.awsdns-58.org.
ns-166.awsdns-20.com.
ns-1901.awsdns-45.co.uk.
ns-606.awsdns-11.net.
$ TZ=UTC dig @ns-1493.awsdns-58.org. +norec +dnssec +multiline +nocrypto
slack.com
; <<>> DiG 9.18.24 <<>> @ns-1493.awsdns-58.org. +norec +dnssec +multiline
+nocrypto slack.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8196
;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;slack.com. IN A
;; ANSWER SECTION:
slack.com. 60 IN A 18.134.215.41
slack.com. 60 IN A 18.169.120.191
slack.com. 60 IN A 18.168.172.238
slack.com. 60 IN A 18.169.61.189
slack.com. 60 IN RRSIG A 13 2 60 (
20240318194315 20240318174215 8040 slack.com.
[omitted] )
;; Query time: 44 msec
;; SERVER: 2600:9000:5305:d500::1#53(ns-1493.awsdns-58.org.) (UDP)
;; WHEN: Mon Mar 18 18:42:15 UTC 2024
;; MSG SIZE rcvd: 207
The signature is only valid for an hour.
Wild guess, your time is off.
On 2024-03-18 19:20 +01, Evan Sherwood wrote:
> I have an unbound server using Quad9 as an upstream DNS provider. I have
> been unable to resolve records from slack.com recently using my local
> unbound.
>
> On the server:
>
> ```
> # dig @::1 slack.com
>
> ; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61
> 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e
> 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f
> 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure
> : signature expired from 2620:fe::fe")
> ;; QUESTION SECTION:
> ;slack.com. IN A
>
> ;; Query time: 26 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Mar 18 18:02:25 PDT 2024
> ;; MSG SIZE rcvd: 116
> ```
>
> But when I try to query Quad9 directly, it works:
>
> ```
> # dig @2620:fe::fe slack.com
>
> ; <<>> dig 9.10.8-P1 <<>> slack.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;slack.com. IN A
>
> ;; ANSWER SECTION:
> slack.com. 10 IN A 35.81.85.251
> slack.com. 10 IN A 44.234.235.93
> slack.com. 10 IN A 54.70.179.16
> slack.com. 10 IN A 44.237.180.172
> slack.com. 10 IN A 52.89.90.67
> slack.com. 10 IN A 54.245.50.245
> slack.com. 10 IN A 54.188.33.22
> slack.com. 10 IN A 54.71.95.193
> slack.com. 10 IN A 35.82.91.193
>
> ;; Query time: 2 msec
> ;; SERVER: 2620:fe::fe#53(2620:fe::fe)
> ;; WHEN: Mon Mar 18 18:05:05 PDT 2024
> ;; MSG SIZE rcvd: 182
> ```
>
> I've tried
>
> - `unbound-control reload`
> - `unbound-control flush slack.com`
> - `unbound-anchor`
>
> ... and there's no change. All other domains I've tried work.
>
> I am using one of StevenBlack's block lists and I changed that recently
> (from one list to another one), if that's relevant.
>
> I tried removing the block list entirely and saw no change.
>
> Here's my unbound.conf:
>
> ```
> server:
> interface: ::1
> interface: :::::
> do-ip6: yes
> ede: yes
> do-nat64: yes
> access-control: ::0/0 refuse
> access-control: ::1 allow
> access-control: ::::: allow
> access-control: 192.168.1.0/32 allow
> access-control: :::5700::/64 allow
> access-control: :::5702::/64 allow
> do-not-query-localhost: no
> hide-identity: yes
> hide-version: yes
> auto-trust-anchor-file: "/var/unbound/db/root.key"
> val-log-level: 2
> aggressive-nsec: yes
> private-address: ::1/128
> private-address: :::0:0/96
> private-address: fd00::/8
> private-address: fe80::/10
> module-config: "dns64 validator iterator"
> include: /etc/unwind.conf.deny
>
> remote-control:
> control-enable: yes
> control-interface: /var/run/unbound.sock
>
> forward-zone:
> name: "."
> forward-addr:
unbound signature expired
I have an unbound server using Quad9 as an upstream DNS provider. I have
been unable to resolve records from slack.com recently using my local
unbound.
On the server:
```
# dig @::1 slack.com
; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75
72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e
61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65
3a 3a 66 65 ("validation failure : signature expired from
2620:fe::fe")
;; QUESTION SECTION:
;slack.com. IN A
;; Query time: 26 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 18 18:02:25 PDT 2024
;; MSG SIZE rcvd: 116
```
But when I try to query Quad9 directly, it works:
```
# dig @2620:fe::fe slack.com
; <<>> dig 9.10.8-P1 <<>> slack.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;slack.com. IN A
;; ANSWER SECTION:
slack.com. 10 IN A 35.81.85.251
slack.com. 10 IN A 44.234.235.93
slack.com. 10 IN A 54.70.179.16
slack.com. 10 IN A 44.237.180.172
slack.com. 10 IN A 52.89.90.67
slack.com. 10 IN A 54.245.50.245
slack.com. 10 IN A 54.188.33.22
slack.com. 10 IN A 54.71.95.193
slack.com. 10 IN A 35.82.91.193
;; Query time: 2 msec
;; SERVER: 2620:fe::fe#53(2620:fe::fe)
;; WHEN: Mon Mar 18 18:05:05 PDT 2024
;; MSG SIZE rcvd: 182
```
I've tried
- `unbound-control reload`
- `unbound-control flush slack.com`
- `unbound-anchor`
... and there's no change. All other domains I've tried work.
I am using one of StevenBlack's block lists and I changed that recently
(from one list to another one), if that's relevant.
I tried removing the block list entirely and saw no change.
Here's my unbound.conf:
```
server:
interface: ::1
interface: :::::
do-ip6: yes
ede: yes
do-nat64: yes
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::::: allow
access-control: 192.168.1.0/32 allow
access-control: :::5700::/64 allow
access-control: :::5702::/64 allow
do-not-query-localhost: no
hide-identity: yes
hide-version: yes
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2
aggressive-nsec: yes
private-address: ::1/128
private-address: :::0:0/96
private-address: fd00::/8
private-address: fe80::/10
module-config: "dns64 validator iterator"
include: /etc/unwind.conf.deny
remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock
forward-zone:
name: "."
forward-addr: 2620:fe::fe
```
This feels like a caching issue to me, but I don't know what to do to
resolve it.
Unbound logs show the same error from the failing dig command.
Would appreciate any help.
Re: From Xfce to Mate
Claudio Miranda : > MATE in OpenBSD does have a display utility. Via the command line, > it's called mate-display-properties. Launching from the MATE menu, > it's in System --> Preferences --> Hardware --> Displays. > > You might have been missing some of the MATE packages. Strange, I started from mate-1.26, the meta package.. However, thanks for this one. Anyway, just to mention.. Mate is the desktop environm. of choise of OpenIndiana. -Dan
Re: From Xfce to Mate
MATE in OpenBSD does have a display utility. Via the command line, it's called mate-display-properties. Launching from the MATE menu, it's in System --> Preferences --> Hardware --> Displays. You might have been missing some of the MATE packages. On Mon, Mar 18, 2024 at 11:48 AM Dan wrote: > > Hello, > > In these days searching to fix security details on my station, eg. reducing > the exposure to GUI programs, > etc. I tried to port my dev environment from Xfce to Mate and here some of my > thoughts: > > 1) Mate is much lighter, eg tcl/tk software go up like a twist; > 2) by multi screens the porting is a true adventure cause Mate doesn't come > with a > "Display utility", all the screen configuration happens by xrandr; > 3) the software that accompaign Mate is few or doesnt run, eg the power > management > utility doesnt function or I can't set my custom 5 Mode background (the > background utility > doesnt pop up); > 4) the context menu by right clicking anywhere on the desktop has no > application menu > apparently.. this the latest problem.. > > I passed a full night with Mate (..) but for now I was happy to come > back to my steps and restore Xfce, although performances seem very > interesting. > -Dan >
From Xfce to Mate
Hello, In these days searching to fix security details on my station, eg. reducing the exposure to GUI programs, etc. I tried to port my dev environment from Xfce to Mate and here some of my thoughts: 1) Mate is much lighter, eg tcl/tk software go up like a twist; 2) by multi screens the porting is a true adventure cause Mate doesn't come with a "Display utility", all the screen configuration happens by xrandr; 3) the software that accompaign Mate is few or doesnt run, eg the power management utility doesnt function or I can't set my custom 5 Mode background (the background utility doesnt pop up); 4) the context menu by right clicking anywhere on the desktop has no application menu apparently.. this the latest problem.. I passed a full night with Mate (..) but for now I was happy to come back to my steps and restore Xfce, although performances seem very interesting. -Dan
