[Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Sparr
hkps.pool.sks-keyservers.net does not seem to resolve currently, from
public or local or whois-authoritative nameservers.
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Jim Popovitch
On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> hkps.pool.sks-keyservers.net does not seem to resolve currently,
> from public or local or whois-authoritative nameservers.

There's also been quite a few DNSSEC validation errors for RSIGs, for some
time now.

http://dnsviz.net/d/sks-keyservers.net/dnssec/

The outage is also mentioned here:

https://lists.gnupg.org/pipermail/gnupg-users/2019-March/061771.html


-Jim P.


Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Jim Popovitch
On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
> On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> > hkps.pool.sks-keyservers.net does not seem to resolve currently,
> > from public or local or whois-authoritative nameservers.
> 
> There's also been quite a few DNSSEC validation errors for RSIGs, for some
> time now.

Sorry, wrong error for that domain.  sks-keyservers.net has EDNS0 issues not
RSIG errors. (DNS Flag Day was last month)

https://ednscomp.isc.org/ednscomp/57d26bc180

-Jim P.


Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Daniel Austin
Hi,
All my secondaries (ns.dan.*) should validate fine with EDNS0 packets, so this 
should be a fairly minimal issue (although one that should still be addressed).
For hkps.pool.sks-keyservers.net, we'll need to wait for Kristian to take a 
look as it doesn't appear to be in the zonefile at the moment.
Thanks,
Dan.
On Mon, Mar 18, 2019 at 15:47, Jim Popovitch  wrote:
> On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
> > On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> > > hkps.pool.sks-keyservers.net does not seem to resolve currently,
> > > from public or local or whois-authoritative nameservers.
> >
> > There's also been quite a few DNSSEC validation errors for RSIGs, for some
> > time now.
>
> Sorry, wrong error for that domain.  sks-keyservers.net has EDNS0 issues not
> RSIG errors. (DNS Flag Day was last month)
>
> https://ednscomp.isc.org/ednscomp/57d26bc180
>
> -Jim P.



Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Todd Fleisher
The GNUPG-users post mentions something that may be the root cause:
The status page for sks-keyservers.net shows no hosts are currently
available via hkps but other ports are available.
https://sks-keyservers.net/status/

I’m speculating here, but if whatever Kristian uses to update the DNS for
hkps.pool.sks-keyservers.net doesn’t think there are any valid nodes
available perhaps it doesn’t publish any records. This would result in
NXDOMAIN. Given that pool.sks-keyservers.net & na.pool.sks-keyservers.net
& others are still resolving properly I don’t think it’s an EDNS issue.

Adding Kristian directly in case he filters sks-devel mail.

-T

> On Mar 18, 2019, at 8:42 AM, Jim Popovitch  wrote:
> 
> The outage is also mentioned here:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2019-March/061771.html 
> 




Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Kristian Fiskerstrand
On 3/18/19 3:58 PM, Todd Fleisher wrote:
> The GNUPG-users post mentions something that may be the root cause:
> The status page for sks-keyservers.net shows no hosts are currently
> available via hkps but other ports are available.
> https://sks-keyservers.net/status/
> I’m speculating here, but if whatever Kristian uses to update the DNS for
> hkps.pool.sks-keyservers.net doesn’t think there are any valid nodes
> available perhaps it doesn’t publish any records. This would result in
> NXDOMAIN. Given that pool.sks-keyservers.net & na.pool.sks-keyservers.net
> & others are still resolving properly I don’t think it’s an EDNS issue.
> 
> Adding Kristian directly in case he filters sks-devel mail.
> 

Well, it's a simple enough issue. The CRL expired, so no host validated
anymore.. Services should be returning to normal soon enough. Thanks for
the ping.


-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws





[Sks-devel] hkps and reverse proxy

2019-03-18 Thread fuat
hkps to be active ServerAlias I need to notify the servers I have
defined?

everything works when I do apache proxy settings via static ip.
however, sks-keyservers.net does not detect the sks that I run on local
ip with apache when I make proxy from static ip to local ip.

Finally, what is the meaning of these records?

Error handling request (POST, / pks / add, [
Accept: * / *
Content-Length: 82
content-type: application / x-www-form-urlencoded
expect: 100-continua
host: pool.sks-keyservers.net]): Failure ("Error while decoding ascii-
armored key: text"
2019-03-18 19:34:00 Page not found: / pks / lookup / undefined1
 prompt ('CVE-2014-3207') 

I'd appreciate it if you could help.

-- 
┌--┐
| Fuat Bölük  fuat[at]teknoloji360[dot]com |
|--|
|-- hkps://sks.teknoloji360.com/ --|
|--|
| F0D4521D60378B67CE64665EE7C9735903E48A51 |
└--┘
-- 
 I do not know english. I'm using translate.
-- 




Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Todd Fleisher
Thanks Kristian, looks like it’s resolving now.

-T

> On Mar 18, 2019, at 10:08 AM, Kristian Fiskerstrand 
>  wrote:
> 
> Well, it's a simple enough issue. The CRL expired, so no host validated
> anymore.. Services should be returning to normal soon enough. Thanks for
> the ping.







Re: [Sks-devel] hkps and reverse proxy

2019-03-18 Thread fuat
hkps on my server is running.

[fuat@fuxproject ~]$ gpg2 --keyserver hkps://sks.teknoloji360.com --recv-key D6379D85
gpg: key 0B7F8B60E3EDFAE3: 1223 signatures not checked due to missing keys
gpg: anahtar 0B7F8B60E3EDFAE3: "Kristian Fiskerstrand <kristian.fiskerstr...@sumptuouscapital.com>" değişmedi
gpg: İşlenmiş toplam miktar: 1
gpg: değişmedi: 1

apache virtualhost.


ServerAdmin  i...@teknoloji360.com
ServerName   sks.teknoloji360.com

ServerAlias  http-keys.gnupg.net
 
ServerAlias  eu.pool.sks-keyservers.net
ServerAlias  na.pool.sks-keyservers.net

ServerAlias  pool.sks-keyservers.net
ServerAlias  ipv4.pool.sks-keyservers.net
ServerAlias  hkps.pool.sks-keyservers.net
ServerAlias  subset.pool.sks-keyservers.net
...

named zone

; The Domains OpenPGP Keyserver Service
_hkp._tcp.sks.teknoloji360.com.           IN  SRV 10 10 11371 sks.teknoloji360.com.
_pgpkey-http._tcp.sks.teknoloji360.com.   IN  SRV 10 10 11371 sks.teknoloji360.com.
_pgpkey-https._tcp.sks.teknoloji360.com.  IN  SRV 10 10   443 sks.teknoloji360.com.
sks.teknoloji360.com.                     IN  A   185.126.179.97
...

; OpenPGP PKA Records
info._pka IN  TXT ("v=pka1;fpr=CE093A9439F29DDD82E73E835E17DF6833F048DF;"
                   "uri=https://teknoloji360.com/keys/0x33F048DF.asc")
fuat._pka IN  TXT ("v=pka1;fpr=F0D4521D60378B67CE64665EE7C9735903E48A51;"
                   "uri=https://teknoloji360.com/keys/0x03E48A51.asc")
...


do I need to add hkps servers to my membership file?


On Mon, 2019-03-18 at 19:40 +0300, fuat wrote:
> hkps to be active ServerAlias I need to notify the servers I have
> defined?
> 
> everything works when I do apache proxy settings via static ip.
> however, sks-keyservers.net does not detect the sks that I run on local
> ip with apache when I make proxy from static ip to local ip.
> 
> Finally, what is the meaning of these records?
> 
> Error handling request (POST, / pks / add, [
> Accept: * / *
> Content-Length: 82
> content-type: application / x-www-form-urlencoded
> expect: 100-continua
> host: pool.sks-keyservers.net]): Failure ("Error while decoding
> ascii-
> armored key: text"
> 2019-03-18 19:34:00 Page not found: / pks / lookup / undefined1
>  prompt ('CVE-2014-3207') 
> 
> I'd appreciate it if you could help.
> 
> -- 
> ┌--┐
> | Fuat Bölük  fuat[at]teknoloji360[dot]com |
> |--|
> |-- hkps://sks.teknoloji360.com/ --|
> |--|
> | F0D4521D60378B67CE64665EE7C9735903E48A51 |
> └--┘
> -- 
>  I do not know english. I'm using translate.
-- 
┌--┐
| Fuat Bölük  fuat[at]teknoloji360[dot]com |
|--|
|-- hkps://sks.teknoloji360.com/ --|
|--|
| F0D4521D60378B67CE64665EE7C9735903E48A51 |
└--┘
-- 
 I do not know english. I'm using translate.
-- 




Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Jeremy T. Bouse
On 3/18/2019 1:08 PM, Kristian Fiskerstrand wrote:
> On 3/18/19 3:58 PM, Todd Fleisher wrote:
>> The GNUPG-users post mentions something that may be the root
>> cause: The status page for sks-keyservers.net shows no hosts are
>> currently available via hkps but other ports are available. 
>> https://sks-keyservers.net/status/
>> I’m speculating here, but if
>> whatever Kristian uses to update the DNS for
>> hkps.pool.sks-keyservers.net doesn’t think there are
>> any valid nodes available perhaps it doesn’t publish any records.
>> This would result in NXDOMAIN. Given that pool.sks-keyservers.net
>> & na.pool.sks-keyservers.net & others are still resolving
>> properly I don’t think it’s an EDNS issue.
>> 
>> Adding Kristian directly in case he filters sks-devel mail.
>> 
> 
> Well, it's a simple enough issue. The CRL expired, so no host
> validated anymore.. Services should be returning to normal soon
> enough. Thanks for the ping.
> 

I had noticed that I was only able to resolve pool.sks-keyserver.net
and not any of the others, but I hadn't said anything as I was busy
putting out some other fires around here. Happy to report I'm seeing
full resolution of all pool hostnames once again though now.


Re: [Sks-devel] hkps and reverse proxy

2019-03-18 Thread Todd Fleisher

> On Mar 18, 2019, at 11:06 AM, fuat  wrote:
> 
> hkps on my server is running.

That sounds accurate, based on what I am seeing @ https://sks.teknoloji360.com 


> ...
> 
> do I need to add hkps servers to my membership file?

The membership file controls recon and takes place over a specific port outside
the realm of HKP vs. HKPS. Your membership file should contain a list of
servers that have agreed to peer with you & their tcp port numbers. Per the
following excerpt from
https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering (under Add
Peers):

Note that the membership lines only provide the SKS recon port; key retrieval
will happen on a port number one greater than the recon port. Thus recon lines
are normally on port 11370 and retrieval happens on the normal HKP 11371 port.

-T
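
The port relationship described in the reply above, as an added example (not code from the thread or from the SKS project): a small linter that reads membership-file text, derives each peer's key-retrieval port as recon port + 1, and flags lines that list a client-facing HKP/HKPS port or a URL instead of a recon endpoint. The sample file, its hostnames, and the treatment of `#` as a comment marker are assumptions made for the example.

```python
from dataclasses import dataclass

# Client-facing ports named in the thread: HKP on 11371, HKPS on 443.
CLIENT_PORTS = {11371: "HKP", 443: "HKPS"}

# Constructed sample membership file; hostnames are placeholders.
SAMPLE = """\
# peers that have agreed to gossip with this server
keys.example.org 11370   # Alice <alice@example.org>
sks.example.net 11380
hkps.example.com 443
pool.example.org 11371
hkps://keys.example.edu
"""

@dataclass
class Peer:
    host: str
    recon_port: int

    @property
    def hkp_port(self) -> int:
        # Key retrieval happens one port above the recon port.
        return self.recon_port + 1

def parse_membership(text):
    """Return (peers, warnings) for the text of a membership file."""
    peers, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or "://" in fields[0] or not fields[1].isdigit():
            warnings.append(f"line {lineno}: expected '<hostname> <recon port>'")
            continue
        host, port = fields[0], int(fields[1])
        if port in CLIENT_PORTS:
            warnings.append(f"line {lineno}: {port} is the {CLIENT_PORTS[port]} port, not recon")
        elif not 1 <= port <= 65534:
            warnings.append(f"line {lineno}: recon port {port} out of range")
        else:
            peers.append(Peer(host, port))
    return peers, warnings

if __name__ == "__main__":
    peers, warnings = parse_membership(SAMPLE)
    for p in peers:
        print(f"{p.host}: recon {p.recon_port}, key retrieval {p.hkp_port}")
    print(*warnings, sep="\n")
```
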





Re: [Sks-devel] hkps and reverse proxy

2019-03-18 Thread Todd Fleisher
> On Mar 18, 2019, at 9:40 AM, fuat  wrote:
> 
> hkps to be active ServerAlias I need to notify the servers I have
> defined?
> 
> everything works when I do apache proxy settings via static ip.
> however, sks-keyservers.net does not detect the sks that I run on local
> ip with apache when I make proxy from static ip to local ip.

I’m not sure I understand your question. Sounds like you are trying to access 
an apache virtual host over an IP address and are not getting the expected 
content.

> Finally, what is the meaning of these records?
> 
> Error handling request (POST, / pks / add, [
> Accept: * / *
> Content-Length: 82
> content-type: application / x-www-form-urlencoded
> expect: 100-continua
> host: pool.sks-keyservers.net]): Failure ("Error while decoding ascii-
> armored key: text"
> 2019-03-18 19:34:00 Page not found: / pks / lookup / undefined1
>  prompt ('CVE-2014-3207') 

See 
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
 


-T


