From: Marius Bakke
Subject: *.gnu.org fails to resolve with systemd-resolved (was: Re: 'staging' is FROZEN)
Date: Thu, 17 Oct 2019 20:55:58 +0200
Message-ID: <877e5319s1.fsf@devup.no>
In-Reply-To: <20191016044720.GA76890@PhantoNv4ArchGx.localdomain>
References: <87o8yi0wlu.fsf@devup.no> <20191016044720.GA76890@PhantoNv4ArchGx.localdomain>
To: Bengt Richter
Cc: guix-devel@gnu.org

Hello Bengt,

Bengt Richter writes:

> On +2019-10-15 19:03:41 +0200, Marius Bakke wrote:
>> Hello Guixers,
>>
>> The 'staging' branch is now considered "frozen" and only takes
>> bug-fixes for new regressions. You can follow progress here:
>>
>> https://ci.guix.gnu.org/jobset/staging-staging
>>
>
> No I can't, unfortunately -- not without setting DNSSEC=off :-(
>
> (I did that as a temporary measure, just to see, and I do get through
> that way, but I don't want to turn DNSSEC off).
>
> (Thank you Marius, BTW, who pointed me to
> https://github.com/systemd/systemd/issues/9867
> where I got the DNSSEC=off clue).
>
> https://gnu.org works fine with DNSSEC=on (with the exception of page
> links from there to guix.gnu.org or savannah.gnu.org (that I know of)).
>
> Why does gnu.org work and guix.gnu.org not??
>
> That gnu.org works makes me think the problem is at guix.gnu.org,
> not in a configuration problem on my machine.
>
> I wonder if key infrastructure potholes like this are not putting off
> more potential contributors than other recently discussed put-offs :)

You do not have to disable DNSSEC. You just have to use a resolver that
properly handles signed-but-not-authenticated DNS records such as those
on *.gnu.org. I.e. by replacing systemd-resolved with a "proper" recursor
like dnsmasq or Unbound, or by using an external DNS server such as the
one provided by your ISP.

The GNU/FSF sysadmins are aware of the issue and will fix the gnu.org
domains eventually, but the problem really is with systemd-resolved. It
is not supposed to return SERVFAIL at all, but rather omit the
"authenticated" flag in the response.

The last comment on the GitHub issue says archlinux.org itself was
affected. I wonder if they had just enabled DNSSEC, or if they rotated
signing keys. Both scenarios could trigger this problem.

Unfortunately there is nothing we can do about it :-/
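The distinction Marius draws above, a resolver that answers SERVFAIL versus one that answers normally with the "authenticated data" (AD) flag clear, is visible in the first twelve bytes of any DNS reply. The following is an added example, not code from the thread or from systemd; it decodes the fixed DNS header (flag layout per RFC 1035 and RFC 4035) and classifies a reply as validated, returned-without-validation, or refused with SERVFAIL. The three sample replies are constructed header-only packets with the question and answer sections omitted; `build_response`, `classify` and `explain` are names chosen here.

```python
# Added example (not from the thread): decode the 12-byte DNS header of a
# resolver's reply and classify it. A validating resolver that cannot
# authenticate a signed zone should still answer with rcode NOERROR and the
# AD flag clear; answering SERVFAIL instead leaves the client with no data.
import struct

# Flag bits in the second 16-bit word of the DNS header.
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (copied from the query)
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: set only when DNSSEC validation succeeded
FLAG_CD = 0x0010   # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def parse_header(packet: bytes) -> dict:
    """Decode the fixed DNS header; raises ValueError on a truncated packet."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", packet[:12])
    return {
        "id": ident,
        "response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def classify(packet: bytes) -> str:
    """Return "secure", "insecure", "servfail", or "rcode-N" for other codes."""
    header = parse_header(packet)
    if not header["response"]:
        raise ValueError("not a response (QR bit clear)")
    if header["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if header["rcode"] == RCODE_NOERROR:
        # Data came back; AD tells the client whether it was validated.
        return "secure" if header["ad"] else "insecure"
    return f"rcode-{header['rcode']}"


def explain(packet: bytes) -> str:
    """Human-readable verdict for a reply, as a diagnostic tool would print it."""
    kind = classify(packet)
    return {
        "secure": "answer validated: rcode NOERROR, AD flag set",
        "insecure": "answer returned without validation: rcode NOERROR, AD flag clear",
        "servfail": "resolver refused to answer: rcode SERVFAIL, no data for the client",
    }.get(kind, f"unexpected reply: {kind}")


def build_response(ident: int, rcode: int, ad: bool, ancount: int) -> bytes:
    """Constructed sample reply: header only, question/answer sections omitted."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & RCODE_MASK)
    if ad:
        flags |= FLAG_AD
    return struct.pack("!HHHHHH", ident, flags, 0, ancount, 0, 0)


# Constructed samples (transaction id 0x1234 is arbitrary).
SERVFAIL_REPLY = build_response(0x1234, RCODE_SERVFAIL, ad=False, ancount=0)
UNAUTHENTICATED_REPLY = build_response(0x1234, RCODE_NOERROR, ad=False, ancount=1)
AUTHENTICATED_REPLY = build_response(0x1234, RCODE_NOERROR, ad=True, ancount=1)

if __name__ == "__main__":
    for name, pkt in (("servfail", SERVFAIL_REPLY),
                      ("unauthenticated", UNAUTHENTICATED_REPLY),
                      ("authenticated", AUTHENTICATED_REPLY)):
        print(f"{name:16} {explain(pkt)}")
```

To apply this to a live reply, feed `classify` the raw bytes a resolver returns for a DNSSEC-enabled query; the second sample is the behaviour the message above describes as correct for a signed zone the resolver cannot authenticate, and the first is the SERVFAIL it describes as the defect.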