Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Jeremy T. Bouse 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 3/18/2019 1:08 PM, Kristian Fiskerstrand wrote:
> On 3/18/19 3:58 PM, Todd Fleisher wrote:
>> The GNUPG-users post mentions something that may be the root
>> cause: The status page for sks-keyservers.net shows no hosts are
>> currently available via hkps but other ports are available. 
>> https://sks-keyservers.net/status/
>> I’m speculating here, but if
>> whatever Kristian users to update the DNS for
>> hkps.pool.sks-keyservers.net
>>  doesn’t think there are
>> any valid nodes available perhaps it doesn’t publish any records.
>> This would result in NXDOMAIN. Given that pool.sks-keyservers.net
>>  & na.pool.sks-keyservers.net
>>  & others are still resolving
>> properly I don’t think it’s an EDNS issue.
>> 
>> Adding Kristian directly in case he filters sks-devel mail.
>> 
> 
> Well, its a simple enough issue. the CRL expired, so no host
> validated anymore.. Services should be returning to normal soon
> enough. Thanks for the ping.
> 

I had noticed that I was only able to resolve pool.sks-keyserver.net
and not any of the others, but I hadn't said anything as I was busy
putting out some other fires around here. Happy to report I'm seeing
full resolution of all pool hostnames once again though now.
-BEGIN PGP SIGNATURE-

iQGzBAEBCgAdFiEEakJ0F+CHS9VzhSFg6lYpTv4TPXUFAlyP8vUACgkQ6lYpTv4T
PXUQawv8C4cB1ThpmYmYv5EpPWSUuEK86oDp6vRJmoI0HQRvtZ05/m4+Pn2nHCr/
zrMxWQH56MV2BDQiiKl4UbrsceLu4DFfmG67LcJz8V2yQsFwEHa+Tv7XM9HmIGHS
UcKgclnVnGIcF3NwDBL+xHYZm/P0ipHuSbKf7fSomDeBc5h8/K6iu4n/S3mxm77B
t5m7y8BB395nbTs87GyWQNBUdhl52YkHaj0noSNGQKDP1dBWh3/tgLDk7/2mJAv1
EEASpCN/yvDxHYQxwQ7Kpiljr0SnF0mMaLdljhLoZW67Cj8EF20+7euWtRXfiJe4
t3h+AF3CAljjUzez55K31qRM33SlusMTs4C5mXxbOzFctq5tMVnlgZqqxylZzCfQ
sTEvC8prWYghXbIkeztb9YnSFFiMSpgOc8xWrP9WOBYM2LmddA5b5VEQ8LeQBErg
jqccDHpgJ4SZyqZBWXj8bo3USjI+h8fsNj7ufq6GgutjgZOUXcnhWi0yKSJoA4S2
wLjWR3VM
=0Ok2
-END PGP SIGNATURE-

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Todd Fleisher 
Thanks Kristian, looks like it’s resolving now.

-T

> On Mar 18, 2019, at 10:08 AM, Kristian Fiskerstrand 
>  wrote:
> 
> Well, its a simple enough issue. the CRL expired, so no host validated
> anymore.. Services should be returning to normal soon enough. Thanks for
> the ping.





signature.asc
Description: Message signed with OpenPGP
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Kristian Fiskerstrand 
On 3/18/19 3:58 PM, Todd Fleisher wrote:
> The GNUPG-users post mentions something that may be the root cause:
> The status page for sks-keyservers.net shows no hosts are currently
> available via hkps but other ports are available.
> https://sks-keyservers.net/status/ I’m 
> speculating here, but if whatever Kristian users to update the DNS for 
> hkps.pool.sks-keyservers.net  doesn’t 
> think there are any valid nodes available perhaps it doesn’t publish any 
> records. This would result in NXDOMAIN. Given that pool.sks-keyservers.net 
>  & na.pool.sks-keyservers.net 
>  & others are still resolving properly I 
> don’t think it’s an EDNS issue.
> 
> Adding Kristian directly in case he filters sks-devel mail.
> 

Well, its a simple enough issue. the CRL expired, so no host validated
anymore.. Services should be returning to normal soon enough. Thanks for
the ping.


-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws



signature.asc
Description: OpenPGP digital signature
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Todd Fleisher 
The GNUPG-users post mentions something that may be the root cause:
The status page for sks-keyservers.net shows no hosts are currently
available via hkps but other ports are available.
https://sks-keyservers.net/status/ I’m 
speculating here, but if whatever Kristian users to update the DNS for 
hkps.pool.sks-keyservers.net  doesn’t 
think there are any valid nodes available perhaps it doesn’t publish any 
records. This would result in NXDOMAIN. Given that pool.sks-keyservers.net 
 & na.pool.sks-keyservers.net 
 & others are still resolving properly I 
don’t think it’s an EDNS issue.

Adding Kristian directly in case he filters sks-devel mail.

-T

> On Mar 18, 2019, at 8:42 AM, Jim Popovitch  wrote:
> 
> The outage is also mentioned here:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2019-March/061771.html 
> 


signature.asc
Description: Message signed with OpenPGP
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Daniel Austin 
Hi,
All my secondaries (ns.dan.*) should validate fine with EDNS0 packets, so this 
should be a fairly minimal issue (although one that should still be addressed).
For hkps.pool.sks-keyservers.net, we'll need to wait for Kristian to take a 
look as it doesn't appear to be in the zonefile at the moment.
Thanks,
Dan.
On Mon, Mar 18, 2019 at 15:47, Jim Popovitch  wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
hkps.pool.sks-keyservers.net does not seem to resolve currently,
from public or local or whois-authoritative nameservers.

There's also been quite a few DNSSEC validation errors for RSIGs, for some
time now.

Sorry, wrong error for that domain.  sks-keyservers.net has EDNS0 issues not
RSIG errors. (DNS Flag Day was last month)

https://ednscomp.isc.org/ednscomp/57d26bc180 
(https://ednscomp.isc.org/ednscomp/57d26bc180)

- -Jim P.
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEECPbAhaBWEfiXj/kxdRlcPb+1fkUFAlyPvVsACgkQdRlcPb+1
fkXdnw//Xga1uS9YPH/3OoavB26YgQ5vaPHoPNBPggSWK++F9idoSK11+NF5Hg1S
s2rW00zuoQyIIMbJ5Zel582i1ZgP+arfNDMmY7wlhgFf+XIcMIaLsuzZ6SohTbdm
H6P+97KMvLeIaSD6YyWFg+kZV6e/U9HGMUQewECKGKbpvfgu/6jMRKmuSiSq1mQ4
7zUBgCUop8l+bk6kYFim93+Jx764Y+JJtdDJeqJtfiJv2LYYIvJ++PJq7uC6HPIy
FnGxAdoRtZ0ZK1mSwlAkuz2f4mOxIhlW0MJaW5S1X30gFDrIpeMFeTYM1RSn+wbf
MEelNPgunjzI2kosrJ5OeYbgI0eTMOKyvymZt0CIfPDSWnGYlCUirI3kQaFpNJy8
6bCo5dYBj5x6iK1Rx5nzZC4fa0jECONc0XrgNbaIPT6xEd+/dGdzBTMCzeml+LOX
+3Ils4w6Qn6UJPPB925iRd+slxZcMnSUAFSsNMa9fH4u/4XPJtOq/ju4fAhSnUzL
iqaP61WNYb20gtm+CgSd6xka+Eq5ltUkoQY6Ut5IziRItg7SQ7WQruzfW5BL3d+Y
KgcsC1J7KiukaxtmjD6lOZbiLTH7AqVj4RUKJ+5hFMSIkjq+wy2i738wn/ShMkg3
26b5qyQEQ4yy6Eeq93KFJj/vn0kv8IIJd9Xm9FRCYc+bmQ8M6Lk=
=cFT6
-END PGP SIGNATURE-

___
Sks-devel mailing list
Sks-devel@nongnu.org (mailto:Sks-devel@nongnu.org)
https://lists.nongnu.org/mailman/listinfo/sks-devel 
(https://lists.nongnu.org/mailman/listinfo/sks-devel)
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Jim Popovitch 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
> On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> > hkps.pool.sks-keyservers.net does not seem to resolve currently,
> > from public or local or whois-authoritative nameservers.
> 
> There's also been quite a few DNSSEC validation errors for RSIGs, for some
> time now.

Sorry, wrong error for that domain.  sks-keyservers.net has EDNS0 issues not
RSIG errors. (DNS Flag Day was last month)

https://ednscomp.isc.org/ednscomp/57d26bc180

- -Jim P.
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEECPbAhaBWEfiXj/kxdRlcPb+1fkUFAlyPvVsACgkQdRlcPb+1
fkXdnw//Xga1uS9YPH/3OoavB26YgQ5vaPHoPNBPggSWK++F9idoSK11+NF5Hg1S
s2rW00zuoQyIIMbJ5Zel582i1ZgP+arfNDMmY7wlhgFf+XIcMIaLsuzZ6SohTbdm
H6P+97KMvLeIaSD6YyWFg+kZV6e/U9HGMUQewECKGKbpvfgu/6jMRKmuSiSq1mQ4
7zUBgCUop8l+bk6kYFim93+Jx764Y+JJtdDJeqJtfiJv2LYYIvJ++PJq7uC6HPIy
FnGxAdoRtZ0ZK1mSwlAkuz2f4mOxIhlW0MJaW5S1X30gFDrIpeMFeTYM1RSn+wbf
MEelNPgunjzI2kosrJ5OeYbgI0eTMOKyvymZt0CIfPDSWnGYlCUirI3kQaFpNJy8
6bCo5dYBj5x6iK1Rx5nzZC4fa0jECONc0XrgNbaIPT6xEd+/dGdzBTMCzeml+LOX
+3Ils4w6Qn6UJPPB925iRd+slxZcMnSUAFSsNMa9fH4u/4XPJtOq/ju4fAhSnUzL
iqaP61WNYb20gtm+CgSd6xka+Eq5ltUkoQY6Ut5IziRItg7SQ7WQruzfW5BL3d+Y
KgcsC1J7KiukaxtmjD6lOZbiLTH7AqVj4RUKJ+5hFMSIkjq+wy2i738wn/ShMkg3
26b5qyQEQ4yy6Eeq93KFJj/vn0kv8IIJd9Xm9FRCYc+bmQ8M6Lk=
=cFT6
-END PGP SIGNATURE-


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] DNS broken for hkps.pool.sks-keyservers.net

2019-03-18 Thread Jim Popovitch 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> hkps.pool.sks-keyservers.net does not seem to resolve currently,
> from public or local or whois-authoritative nameservers.

There's also been quite a few DNSSEC validation errors for RSIGs, for some
time now.

http://dnsviz.net/d/sks-keyservers.net/dnssec/

The outage is also mentioned here:

https://lists.gnupg.org/pipermail/gnupg-users/2019-March/061771.html


- -Jim P.
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEECPbAhaBWEfiXj/kxdRlcPb+1fkUFAlyPvF0ACgkQdRlcPb+1
fkVFTQ//dgHWZIw4fekFhSCMAFLTkqsy7hdlr1Su4dUJmxFZmwzhs6ZMS4DhvX90
hY9VC2iFwks8SzJGvsr62an89JaybuVbMzlpGLoQ02TctjoiSUdvuDwCCPCJsE21
OZIl9jEIJIeG7xkPk64wqxTm/wM94tUyeI3NNiDfmVBaDnfZNRnpzveFEZ14IF7L
DCUBrr4J5RQtmzEsD4vVLfPFLk1uXLUOK3/35xtfcbHjV9vFQHVh4ClZ1Ui5FrlF
TWpVjP6eM7WFFlA1zF3fkQ/0p5jE1KYKW8vqfmZx2MXC6/hTjHyhetYpk64tfX/v
d4ZNrT615K/GGdl1BbNWHFkQSjqGvKfIi3Sd0S3LYp/vp0CwWZ4V62kGfB+Vkw5g
AfVEk3cUupid7/qyKcKeY/J0s1ZAEUurSCoqakcn1Q2RVgGVeuO5h8WnozpLAxwl
GS6+Q0ll7I4PBELp4NSYywF1NtqZvYUXGDEacdbWEpA0VfZsGaKMOyrKE7VvTXzz
XgW7cwlVjE7COS2nVKOXmew44Suas0vkXrk2GYwfVTXxlQAPV3inYRz91UxRiqBa
0byUv7bNBK1lkU092ZWnQmuc4JBh+dD8ABMdBWaNGPgIknyOo34uEX6V1YUPYHtm
VLIW8cgh+D364mcwp7PL7hfpixPlDRXjgyqQlkFPzD/UC5ahSXk=
=EeDV
-END PGP SIGNATURE-


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel