Hi,

On 03/14, Schanzenbach, Martin wrote:
>
> On 14. Mar 2020, at 12:00, Tanguy Le Carrour <tan...@bioneland.org> wrote:
> > On 03/13, Schanzenbach, Martin wrote:
> >>> On 13. Mar 2020, at 18:32, Tanguy Le Carrour <tan...@bioneland.org> wrote:
> >>> On 03/10, Tanguy Le Carrour wrote:
> >>>> On 03/09, Christian Grothoff wrote:
> >>>>> 2) try adding a TLSA record for gnunet.org to GNS, thereby avoiding
> >>>>> the use of Letsencrypt and really directly verifying via GNS.
> >>>> I'll try this and let you know, thanks!
> >>> So, I did my homework, used a generator [1][] and ended up with this:
> >>> ```
> >>> _443._tcp.gnunet.org. IN TLSA 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
> >>> ```
> >>> [1]: https://www.huque.com/bin/gen_tlsa
> >>> So I now have:
> >>> ```
> >>> $ gnunet-namestore -z myself -a -e "1 d" -p -t TLSA -n gnunet -V "3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
> >>> $ gnunet-gns --type ANY --lookup gnunet.myself
> >>> gnunet.myself:
> >>> Got `TLSA' record: 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
> >>> Got `LEHO' record: gnunet.org
> >>> Got `A' record: 131.159.74.67
> >>> ```
> >>> I didn't know where to put the `_443._tcp` part. `gnunet-namestore`
> >>> complained about the name containing a `.`.
> >>> There's something in the doc [2][] about `_port._proto.`, but it's for
> >>> BOX records only.
> >>
> >> Indeed, instead of a TLSA records, for GNS, you should add a box record
> >> that contains a TLSA record. Like so:
> >> $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
> >> 6 is the protocol (tcp), 443 is the service (https).
> >
> > Unfortunately…
> >
> > ```
> > $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
> > Value `6 443 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939' invalid for record type `BOX'
> >
> > $ gnunet-namestore --version
> > gnunet-namestore v0.12.2 release
> > ```
> >
> > From the code [1][], I could not guess what the correct format should be.
> >
> > [1]: src/gnsrecord/plugin_gnsrecord_dns.c:656
> > src/include/gnunet_gnsrecord_lib.h:297
>
> Ah, the record type is missing, sorry I did that out of my head. Try:
>
> $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 52 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"

Much better, thanks!

```
$ gnunet-gns --type ANY --lookup gnunet.myself
gnunet.myself:
Got `BOX' record: 6 443 52 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
Got `LEHO' record: gnunet.org
Got `A' record: 131.159.74.67
```

But still, when I try to access `gnunet.myself`, I get a blank page
after 5-10 seconds and the same lines in the log:

```
$ /home/tanguy/.guix-extra-profiles/gnunet/current/lib/gnunet/libexec/gnunet-gns-proxy --log DEBUG
Mar 14 14:48:07-948036 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/ failed: SSL peer certificate or SSH remote key was not OK
Mar 14 14:48:24-877522 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/favicon.ico failed: SSL peer certificate or SSH remote key was not OK
```

The good thing is that you were right! Adding a BOX record was apparently not
needed!

Anything else I can try?

In the meantime, I'll keep on reading the doc, learn some more and play with the
other components!

Regards

--
Tanguy
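
An added example, not part of the original message and not GNUnet's code: a Python illustration of the BOX value layout worked out in this thread (protocol, service, record type 52, then the TLSA fields), showing why the six-field value was rejected and how a `3 1 1` hash is compared against a key. The TLSA field ranges follow RFC 6698; the function names and the sample key bytes are constructed for illustration.

```python
import hashlib

TLSA_RRTYPE = 52                                   # DNS type number of TLSA
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}   # TLSA matching types 1 and 2

def parse_box_tlsa(value):
    """Parse 'PROTO SERVICE RRTYPE USAGE SELECTOR MTYPE DATA' (hypothetical helper)."""
    fields = value.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d (record type missing?)" % len(fields))
    proto, service, rrtype, usage, selector, mtype = (int(f) for f in fields[:6])
    if rrtype != TLSA_RRTYPE:
        raise ValueError("boxed record type %d is not TLSA (52)" % rrtype)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("TLSA usage/selector/matching type out of range")
    data = bytes.fromhex(fields[6])
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        raise ValueError("association data length does not fit matching type")
    return {"proto": proto, "service": service, "usage": usage,
            "selector": selector, "mtype": mtype, "data": data}

def tlsa_matches(rec, cert_der, spki_der):
    """Selector 0 checks the whole certificate, selector 1 only its public key (SPKI)."""
    selected = spki_der if rec["selector"] == 1 else cert_der
    if rec["mtype"] == 0:                          # exact match, no hashing
        return selected == rec["data"]
    return DIGESTS[rec["mtype"]](selected).digest() == rec["data"]

def box_value_for_spki(spki_der, proto=6, service=443):
    """Build a '3 1 1' (end-entity, SPKI, SHA-256) BOX value for the given key."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return "%d %d %d 3 1 1 %s" % (proto, service, TLSA_RRTYPE, digest)

if __name__ == "__main__":
    h = "26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
    print(parse_box_tlsa("6 443 52 3 1 1 " + h))   # value accepted in the thread
    try:
        parse_box_tlsa("6 443 3 1 1 " + h)         # value rejected in the thread
    except ValueError as err:
        print("rejected:", err)
    spki = b"constructed SPKI bytes, not a real key"
    rec = parse_box_tlsa(box_value_for_spki(spki))
    print(tlsa_matches(rec, b"constructed cert", spki))
```

With selector 1 the record pins only the public key, so it stays valid across certificate renewals as long as the server keeps the same key pair.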