Thanks for your quick response. That definitely is not a bug with sks then. This bug may be resolved.
On Mon, Sep 14, 2015 at 10:49 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Hi Brian--
>
> [re: https://bugs.debian.org/798911 ]
>
> On Sun 2015-09-13 22:36:00 -0400, Brian Minton wrote:
> > I was looking at my sks logs, and I saw the following error:
> >
> > ==> /var/log/sks/recon.log <==
> > 2015-09-13 22:28:00 Reconciliation attempt from unauthorized host
> > <ADDR_INET [157.7.123.130]:49955>. Ignoring
> >
> > I checked that host, and it is one that is in my membership file.
> >
> > bminton:~# host 157.7.123.130
> > 130.123.7.157.in-addr.arpa domain name pointer tyo1.sks.reimu.io.
> > bminton:~# grep tyo /etc/sks/membership
> > tyo1.sks.reimu.io 11370 # Siyuan Miao <i...@xswan.net> 0x367B7A82
>
> The reverse lookup may indicate this IP address is OK, but the forward
> lookup from the hostname doesn't exist -- it is a CNAME to
> tyo1-ipv6.sks, which is not a valid hostname:
>
> 0 dkg@alice:~$ dig tyo1.sks.reimu.io
>
> ; <<>> DiG 9.9.5-12-Debian <<>> tyo1.sks.reimu.io
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64824
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;tyo1.sks.reimu.io.            IN      A
>
> ;; ANSWER SECTION:
> tyo1.sks.reimu.io.      232     IN      CNAME   tyo1-ipv6.sks.
>
> ;; AUTHORITY SECTION:
> .                       1732    IN      SOA     a.root-servers.net.
> nstld.verisign-grs.com. 2015091400 1800 900 604800 86400
>
> ;; Query time: 21 msec
> ;; SERVER: 10.70.0.254#53(10.70.0.254)
> ;; WHEN: Mon Sep 14 10:45:49 EDT 2015
> ;; MSG SIZE  rcvd: 148
>
> 0 dkg@alice:~$
>
> sks can't (shouldn't) rely on reverse lookups. Otherwise, anyone who
> knows who your peers are (which is anyone, since most sks hosts publish
> their list of peers) can just set up their reverse DNS to say any of
> your peers, and you'd accept traffic from them.
>
> You should ask Siyuan Miao (cc'ed here) to clean up the DNS records
> published for your peer.
>
> So i think sks is doing the right thing here; i'm closing this bug
> because i think it's behaving as intended. But i could be wrong! If
> so, please explain what i've missed, and feel free to re-open the bug
> (or ask me to re-open it, which i'll happily do).
>
> Regards,
>
> --dkg
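The peer check dkg describes, as an added illustration that is not sks's own code: the membership file is parsed, each hostname is resolved forward (following CNAMEs), and the connecting address is accepted only if it appears among those results. The DNS data is a constructed in-memory zone that mirrors the dig output above (the CNAME to `tyo1-ipv6.sks.` dead-ends), plus a constructed second peer in the RFC 5737 documentation ranges; `authorized_by_reverse` is the weak PTR-based check the reply warns against, included only to show how it differs.

```python
# Constructed forward zone: name -> list of (rtype, value). tyo1-ipv6.sks. has no
# records, matching the NXDOMAIN in the quoted dig output.
FORWARD_ZONE = {
    "tyo1.sks.reimu.io.": [("CNAME", "tyo1-ipv6.sks.")],
    "tyo1-ipv6.sks.": [],
    "peer.example.net.": [("A", "192.0.2.10")],  # constructed second peer
}
# Constructed PTR data. 157.7.123.130 -> tyo1 is from the bug report; 198.51.100.7
# is a constructed unrelated host whose operator chose a PTR naming a peer.
REVERSE_ZONE = {
    "157.7.123.130": "tyo1.sks.reimu.io.",
    "192.0.2.10": "peer.example.net.",
    "198.51.100.7": "peer.example.net.",
}
# Constructed /etc/sks/membership contents: "host port # comment" per line.
MEMBERSHIP = """\
tyo1.sks.reimu.io 11370 # Siyuan Miao <i...@xswan.net> 0x367B7A82
peer.example.net 11370 # constructed second peer
"""


def parse_membership(text):
    """Return fully-qualified (trailing-dot) hostnames from a membership file."""
    hosts = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            hosts.append(fields[0].rstrip(".") + ".")
    return hosts


def resolve_forward(name, zone, depth=0):
    """Follow CNAMEs to A records; empty set if the chain dead-ends or loops."""
    if depth > 8:
        return set()
    addrs = set()
    for rtype, value in zone.get(name, []):
        if rtype == "A":
            addrs.add(value)
        elif rtype == "CNAME":
            addrs |= resolve_forward(value, zone, depth + 1)
    return addrs


def authorized_by_forward(peer_ip, membership, zone):
    """The correct check: is peer_ip among the forward-resolved peer addresses?"""
    allowed = set()
    for host in parse_membership(membership):
        allowed |= resolve_forward(host, zone)
    return peer_ip in allowed


def authorized_by_reverse(peer_ip, membership, ptr):
    """The weak check: trusts a PTR record that the remote side's network controls."""
    return ptr.get(peer_ip) in set(parse_membership(membership))
```

Running both checks against 157.7.123.130 reproduces the report: the reverse check passes while the forward check rejects it, because tyo1.sks.reimu.io's CNAME never reaches an A record.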