Bengt Richter <b...@bokr.com> writes:

> On +2019-10-15 19:03:41 +0200, Marius Bakke wrote:
>> Hello Guixers,
>>
>> The 'staging' branch is now considered "frozen" and only takes
>> bug-fixes for new regressions. You can follow progress here:
>>
>> https://ci.guix.gnu.org/jobset/staging-staging
>>
>
> No I can't, unfortunately -- not without setting DNSSEC=off :-(
>
> (I did that as a temporary measure, just to see, and I do get through
> that way, but I don't want to turn DNSSEC off).
>
> (Thank you Marius, BTW, who pointed me to
> https://github.com/systemd/systemd/issues/9867
> where I got the DNSSEC=off clue).
>
> https://gnu.org works fine with DNSSEC=on (with the exception of page
> links from there to guix.gnu.org or savannah.gnu.org (that I know of)).
>
> Why does gnu.org work and guix.gnu.org not??
>
> That gnu.org works makes me think the problem is at guix.gnu.org,
> not in a configuration problem on my machine.
>
> I wonder if key infrastructure potholes like this are not putting off
> more potential contributors than other recently discussed put-offs :)

Hello Bengt,

You do not have to disable DNSSEC. You just have to use a resolver that
properly handles signed-but-not-authenticated DNS records such as those
on *.gnu.org. I.e. by replacing systemd-resolved with a "proper" recursor
like dnsmasq or Unbound, or by using an external DNS server such as the
one provided by your ISP.

The GNU/FSF sysadmins are aware of the issue and will fix the gnu.org
domains eventually, but the problem really is with systemd-resolved. It
is not supposed to return SERVFAIL at all, but rather omit the
"authenticated" flag in the response.

The last comment on the GitHub issue says archlinux.org itself was
affected. I wonder if they had just enabled DNSSEC, or if they rotated
signing keys. Both scenarios could trigger this problem.

Unfortunately there is nothing we can do about it :-/
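The distinction Marius draws above (a resolver answering SERVFAIL versus answering normally but without the "authenticated data" flag) can be checked from the command line with `dig +dnssec`. The script below is an added example, not part of this thread or of any Guix or systemd code: it parses the header and answer section that `dig` prints and reports which of the three cases applies. The three sample outputs embedded in it are constructed, not captured from a real server, and the addresses in them come from the 203.0.113.0/24 documentation range; the `diagnose_live` helper, which runs `dig` for real, is hypothetical and needs network access and the `dig` binary.

```python
"""Classify what a resolver returned for a DNSSEC-signed name.

Three outcomes are distinguished from `dig +dnssec <name>` output:
  servfail               - the resolver reported a validation problem as an error
  authenticated          - NOERROR with the AD flag set (full trust chain built)
  signed-unauthenticated - NOERROR, RRSIGs present, AD not set; what a recursor
                           should return when it cannot validate the chain
"""
import re
import subprocess
from typing import Dict, Optional

# Constructed sample: what the "SERVFAIL" failure mode looks like.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23891
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ci.guix.gnu.org.        IN  A
"""

# Constructed sample: signed zone, resolver did not set AD (records still usable).
SAMPLE_UNAUTHENTICATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ci.guix.gnu.org.        IN  A

;; ANSWER SECTION:
ci.guix.gnu.org.    300  IN  A      203.0.113.10
ci.guix.gnu.org.    300  IN  RRSIG  A 13 4 300 20191101000000 20191015000000 12345 gnu.org. c29tZS1jb25zdHJ1Y3RlZC1zaWduYXR1cmU=

;; Query time: 12 msec
"""

# Constructed sample: same answer, but the resolver validated it (AD set).
SAMPLE_AUTHENTICATED = SAMPLE_UNAUTHENTICATED.replace(
    ";; flags: qr rd ra;", ";; flags: qr rd ra ad;"
)


def parse_dig(text: str) -> Dict[str, object]:
    """Pull the RCODE, header flags and RRSIG presence out of dig output."""
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.MULTILINE)
    flag_set = set(flags.group(1).split()) if flags else set()
    # Only look at the ANSWER section: RRSIGs in AUTHORITY (NSEC proofs etc.)
    # also mean "signed zone" but are not what this check is about.
    answer = ""
    if ";; ANSWER SECTION:" in text:
        answer = text.split(";; ANSWER SECTION:", 1)[1].split("\n\n", 1)[0]
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "ad": "ad" in flag_set,
        "signed": bool(re.search(r"\sIN\s+RRSIG\s", answer)),
    }


def diagnose(text: str) -> str:
    """Map parsed dig output to one short verdict string."""
    info = parse_dig(text)
    if info["status"] == "SERVFAIL":
        return "servfail"
    if info["status"] != "NOERROR":
        return "failed:" + str(info["status"])
    if info["ad"]:
        return "authenticated"
    if info["signed"]:
        return "signed-unauthenticated"
    return "unsigned"


def diagnose_live(name: str, server: Optional[str] = None) -> str:
    """Hypothetical helper: run dig for real (needs network and dig) and classify."""
    cmd = ["dig", "+dnssec", name]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return diagnose(out)


if __name__ == "__main__":
    for label, sample in [("servfail sample", SAMPLE_SERVFAIL),
                          ("unauthenticated sample", SAMPLE_UNAUTHENTICATED),
                          ("authenticated sample", SAMPLE_AUTHENTICATED)]:
        print(f"{label}: {diagnose(sample)}")
```

Running `diagnose_live("ci.guix.gnu.org")` against the system resolver and then against a known-validating external resolver (e.g. one run by your ISP) makes the comparison in the message concrete: "servfail" from the local stub and "signed-unauthenticated" or "authenticated" from the other resolver points at the stub's handling, not at your network or the zone's availability.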