unofficial mirror of guix-devel@gnu.org 
From: Marius Bakke <mbakke@fastmail.com>
To: Bengt Richter <bokr@bokr.com>
Cc: guix-devel@gnu.org
Subject: *.gnu.org fails to resolve with systemd-resolved (was: Re: 'staging' is FROZEN)
Date: Thu, 17 Oct 2019 20:55:58 +0200	[thread overview]
Message-ID: <877e5319s1.fsf@devup.no> (raw)
In-Reply-To: <20191016044720.GA76890@PhantoNv4ArchGx.localdomain>


Hello Bengt,

Bengt Richter <bokr@bokr.com> writes:

> On +2019-10-15 19:03:41 +0200, Marius Bakke wrote:
>> Hello Guixers,
>> 
>> The 'staging' branch is now considered "frozen" and only takes
>> bug-fixes for new regressions.  You can follow progress here:
>> 
>> https://ci.guix.gnu.org/jobset/staging-staging
>>
>
> No, I can't, unfortunately -- not without setting DNSSEC=off :-(
>
> (I did that as a temporary measure, just to see, and I do get through
> that way, but I don't want to turn DNSSEC off).
>
> (Thank you Marius, BTW, who pointed me to
> https://github.com/systemd/systemd/issues/9867
> where I got the DNSSEC=off clue).
>
> https://gnu.org works fine with DNSSEC=on (with the exception of page
> links from there to guix.gnu.org or savannah.gnu.org (that I know of)).
>
> Why does gnu.org work and guix.gnu.org not??
>
> That gnu.org works makes me think the problem is at guix.gnu.org,
> not in a configuration problem on my machine.
>
> I wonder if key infrastructure potholes like this are not putting off
> more potential contributors than other recently discussed put-offs :)

You do not have to disable DNSSEC.  You just have to use a resolver that
properly handles signed-but-not-authenticated DNS records such as those
on *.gnu.org, i.e., by replacing systemd-resolved with a "proper"
recursor like dnsmasq or Unbound, or by using an external DNS server
such as the one provided by your ISP.

The GNU/FSF sysadmins are aware of the issue and will fix the gnu.org
domains eventually, but the problem really is with systemd-resolved.  It
is not supposed to return SERVFAIL at all, but rather omit the
"authenticated" flag in the response.

The last comment on the GitHub issue says archlinux.org itself was
affected.  I wonder if they had just enabled DNSSEC, or if they rotated
signing keys.  Both scenarios could trigger this problem.

Unfortunately there is nothing we can do about it :-/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
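The distinction Marius draws above (a zone that publishes DNSKEY/RRSIG records but has no DS record in its parent must be treated as "insecure", answered without the AD bit, not as "bogus" with SERVFAIL) is the chain-of-trust rule of RFC 4035.  The following is an added example, not code from this thread, from Guix, or from systemd: it walks a constructed in-memory zone tree (the zone names under the reserved "test" TLD, the key tags, and the root trust anchor are all made up) and classifies a query the way a correct validator would.  The `strict_island` switch is a model of the SERVFAIL behaviour reported in the thread, not systemd-resolved's actual code.  The "rotated.test" zone also models the key-rotation scenario mentioned at the end of the message: the parent's DS points at a key the child no longer publishes.

```python
"""Simulate how a DNSSEC-validating resolver classifies an answer.

Added example: a constructed zone tree, no network, key material
abstracted to key tags.  Models RFC 4035 chain-of-trust walking and the
difference between "insecure" (NOERROR, no AD bit) and "bogus" (SERVFAIL).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Zone:
    """One zone in the constructed tree."""
    name: str
    key_tag: Optional[int]                  # DNSKEY the zone publishes; None = unsigned zone
    rrsig_ok: bool = True                   # do the zone's RRSIGs verify under that DNSKEY?
    ds: Dict[str, int] = field(default_factory=dict)  # child name -> key tag this parent vouches for


# Constructed tree (assumed data).  "island.test" has the shape discussed in
# the thread for *.gnu.org: DNSKEY/RRSIG present, but no DS in the parent.
ZONES = {
    ".":            Zone(".", key_tag=1, ds={"test": 2}),
    "test":         Zone("test", key_tag=2,
                         ds={"chained.test": 3, "broken.test": 4, "rotated.test": 6}),
    "chained.test": Zone("chained.test", key_tag=3),            # full chain of trust
    "broken.test":  Zone("broken.test", key_tag=4, rrsig_ok=False),  # DS present, signatures bad
    "rotated.test": Zone("rotated.test", key_tag=7),            # key rolled, parent DS still says 6
    "island.test":  Zone("island.test", key_tag=5),             # signed, but no DS in parent
    "plain.test":   Zone("plain.test", key_tag=None),           # not signed at all
}
TRUST_ANCHOR_TAG = 1   # assumed root key tag; stands in for the real root trust anchor


def zone_chain(qname: str) -> List[Zone]:
    """Zones from the root down to the closest enclosing zone of qname."""
    labels = qname.rstrip(".").split(".")
    chain = [ZONES["."]]
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:])
        if name in ZONES:
            chain.append(ZONES[name])
    return chain


def validate(qname: str) -> str:
    """RFC 4035-style walk from the trust anchor; returns secure/insecure/bogus."""
    chain = zone_chain(qname)
    root = chain[0]
    if root.key_tag != TRUST_ANCHOR_TAG or not root.rrsig_ok:
        return BOGUS
    state = SECURE
    for parent, child in zip(chain, chain[1:]):
        if state == INSECURE:
            break                       # below an insecure delegation nothing is validated
        ds_tag = parent.ds.get(child.name)
        if ds_tag is None:
            # The parent is secure, so its signed NSEC/NSEC3 proves "no DS" and
            # the delegation is insecure.  Whatever RRSIGs the child publishes
            # are irrelevant: there is no chain to them.
            state = INSECURE
        elif child.key_tag == ds_tag and child.rrsig_ok:
            state = SECURE
        else:
            state = BOGUS               # parent vouches for a signed child that fails to verify
            break
    return state


def resolve(qname: str, strict_island: bool = False) -> Tuple[str, bool]:
    """Return (rcode, AD flag) as a validating resolver would hand to a stub.

    strict_island=True models the failure mode the thread reports: a resolver
    that treats a signed-but-unchained zone as bogus and answers SERVFAIL
    instead of returning the data without the AD bit.  This is a model of
    the reported behaviour, not systemd-resolved's implementation.
    """
    state = validate(qname)
    if strict_island and state == INSECURE:
        closest = zone_chain(qname)[-1]
        if closest.key_tag is not None:     # DNSKEY/RRSIG present, DS absent: "island of security"
            state = BOGUS
    if state == BOGUS:
        return ("SERVFAIL", False)
    return ("NOERROR", state == SECURE)


if __name__ == "__main__":
    for name in ("www.chained.test", "www.island.test", "www.plain.test",
                 "www.broken.test", "www.rotated.test"):
        print(f"{name:18} proper={resolve(name)}  strict={resolve(name, strict_island=True)}")
```

Only `www.island.test` differs between the two modes: a correct validator answers NOERROR with AD cleared, the modelled strict resolver answers SERVFAIL, which is exactly the symptom described in the thread.  To check a real zone by hand, compare `dig DS <zone>` (a NOERROR with an empty answer section means the parent has no DS) with `dig DNSKEY <zone>`; a populated DNSKEY set next to an empty DS set is the island case, and a DS whose key tag matches none of the published DNSKEYs is the key-rotation case.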

Thread overview: 3+ messages
2019-10-15 17:03 'staging' is FROZEN Marius Bakke
2019-10-16  4:47 ` Bengt Richter
2019-10-17 18:55   ` Marius Bakke [this message]
