Thanks for your quick response.  That definitely is not a bug with sks
then.  This bug may be resolved.

On Mon, Sep 14, 2015 at 10:49 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:

> Hi Brian--
>
> [re: https://bugs.debian.org/798911 ]
>
> On Sun 2015-09-13 22:36:00 -0400, Brian Minton wrote:
> > I was looking at my sks logs, and I saw the following error:
> >
> > ==> /var/log/sks/recon.log <==
> > 2015-09-13 22:28:00 Reconciliation attempt from unauthorized host
> > <ADDR_INET [157.7.123.130]:49955>.  Ignoring
> >
> > I checked that host, and it is one that is in my membership file.
> >
> > bminton:~# host 157.7.123.130
> > 130.123.7.157.in-addr.arpa domain name pointer tyo1.sks.reimu.io.
> > bminton:~# grep tyo /etc/sks/membership
> > tyo1.sks.reimu.io 11370 # Siyuan Miao <i...@xswan.net> 0x367B7A82
>
> The reverse lookup may indicate this IP address is OK, but the forward
> lookup from the hostname doesn't exist -- it is a CNAME to
> tyo1-ipv6.sks, which is not a valid hostname:
>
> 0 dkg@alice:~$ dig tyo1.sks.reimu.io
>
> ; <<>> DiG 9.9.5-12-Debian <<>> tyo1.sks.reimu.io
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64824
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;tyo1.sks.reimu.io.             IN      A
>
> ;; ANSWER SECTION:
> tyo1.sks.reimu.io.      232     IN      CNAME   tyo1-ipv6.sks.
>
> ;; AUTHORITY SECTION:
> .                       1732    IN      SOA     a.root-servers.net.
> nstld.verisign-grs.com. 2015091400 1800 900 604800 86400
>
> ;; Query time: 21 msec
> ;; SERVER: 10.70.0.254#53(10.70.0.254)
> ;; WHEN: Mon Sep 14 10:45:49 EDT 2015
> ;; MSG SIZE  rcvd: 148
>
> 0 dkg@alice:~$
>
> sks can't (shouldn't) rely on reverse lookups.  Otherwise, anyone who
> knows who your peers are (which is anyone, since most sks hosts publish
> their list of peers) can just set up their reverse DNS to say any of
> your peers, and you'd accept traffic from them.
>
> You should ask Siyuan Miao (cc'ed here) to clean up the DNS records
> published for your peer.
>
> So i think sks is doing the right thing here; i'm closing this bug
> because i think it's behaving as intended.  But i could be wrong!  If
> so, please explain what i've missed, and feel free to re-open the bug
> (or ask me to re-open it, which i'll happily do).
>
> Regards,
>
>    --dkg
>
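The forward-lookup rule dkg describes, as an added example (Python, not sks's own code): it parses a membership file in sks's `hostname port # comment` format, forward-resolves each peer name, and accepts a connecting address only if some peer name resolves to it, so a peer whose reverse DNS matches but whose forward record is broken (as with the CNAME to `tyo1-ipv6.sks.` above) is rejected exactly as recon.log shows. The sample membership text, the `keys.example.org` entry and the injectable `resolve` parameter are assumptions used so the check can run offline against constructed data.

```python
import socket
from typing import Callable, Iterable, List, Set

# Constructed sample in /etc/sks/membership format ("hostname port # comment").
# The first peer line is the one from the bug report; the second is invented.
SAMPLE_MEMBERSHIP = """\
# constructed sample membership file
tyo1.sks.reimu.io 11370 # Siyuan Miao <i...@xswan.net> 0x367B7A82
keys.example.org 11370 # hypothetical second peer
"""

Resolver = Callable[[str], Set[str]]


def parse_membership(text: str) -> List[str]:
    """Return the peer hostnames from membership-file text, ignoring comments."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing '# ...' comments
        if line:
            hosts.append(line.split()[0])  # first field is the hostname
    return hosts


def forward_lookup(host: str) -> Set[str]:
    """Forward-resolve host to its A/AAAA addresses; empty set on NXDOMAIN.

    A name that is only a CNAME to a non-existent target resolves to nothing,
    which is the failure mode in the dig output above.
    """
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def authorized_peer(addr: str, hosts: Iterable[str],
                    resolve: Resolver = forward_lookup) -> bool:
    """Accept addr only if some membership hostname forward-resolves to it.

    Reverse DNS is deliberately never consulted: the owner of an address
    controls its PTR record, so it proves nothing about peer membership.
    """
    return any(addr in resolve(host) for host in hosts)


def unresolvable_peers(hosts: Iterable[str],
                       resolve: Resolver = forward_lookup) -> List[str]:
    """Peers whose names have no forward records; recon from them will be ignored."""
    return [host for host in hosts if not resolve(host)]
```

Running `unresolvable_peers(parse_membership(open("/etc/sks/membership").read()))` with the default resolver lists the peers an operator should ask to fix their DNS.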
