*.gnu.org fails to resolve with systemd-resolvd (was: Re: 'staging' is F
From: Marius Bakke
Subject: *.gnu.org fails to resolve with systemd-resolvd (was: Re: 'staging' is FROZEN)
Date: Thu, 17 Oct 2019 20:55:58 +0200
User-agent: Notmuch/0.29.1 (https://notmuchmail.org) Emacs/26.2 (x86_64-pc-linux-gnu)

Hello Bengt,

Bengt Richter <address@hidden> writes:

> On +2019-10-15 19:03:41 +0200, Marius Bakke wrote:
>> Hello Guixers,
>>
>> The 'staging' branch is now considered "frozen" and only takes
>> bug-fixes for new regressions. You can follow progress here:
>>
>> https://ci.guix.gnu.org/jobset/staging-staging
>>
>
> No I can't, unfortunately -- not without setting DNSSEC=off :-(
>
> (I did that as a temporary measure, just to see, and I do get through
> that way, but I don't want to turn DNSSEC off).
>
> (Thank you Marius, BTW, who pointed me to
> https://github.com/systemd/systemd/issues/9867
> where I got the DNSSEC=off clue).
>
> https://gnu.org works fine with DNSSEC=on (with the exception of page
> links from there to guix.gnu.org or savannah.gnu.org (that I know of)).
>
> Why does gnu.org work and guix.gnu.org not??
>
> That gnu.org works makes me think the problem is at guix.gnu.org,
> not in a configuration problem on my machine.
>
> I wonder if key infrastructure potholes like this are not putting off
> more potential contributors than other recently discussed put-offs :)

You do not have to disable DNSSEC. You just have to use a resolver that
properly handles signed-but-not-authenticated DNS records such as those
on *.gnu.org. I.e. by replacing systemd-resolved with a "proper"
recursor like dnsmasq or Unbound, or by using an external DNS server
such as the one provided by your ISP.

The GNU/FSF sysadmins are aware of the issue and will fix the gnu.org
domains eventually, but the problem really is with systemd-resolved. It
is not supposed to return SERVFAIL at all, but rather omit the
"authenticated" flag in the response.

The last comment on the GitHub issue says archlinux.org itself was
affected. I wonder if they had just enabled DNSSEC, or if they rotated
signing keys. Both scenarios could trigger this problem.

Unfortunately there is nothing we can do about it :-/
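
The distinction drawn in the message above (SERVFAIL versus a normal answer that merely lacks the "authenticated" flag) can be read directly from the DNS response header. The following is an added example, not part of the original post: the function names, the sample headers (constructed) and the default server address 127.0.0.53 (the systemd-resolved stub listener) are assumptions of this sketch.

```python
import socket
import struct

AD_FLAG = 0x0020     # "Authenticated Data" bit in the 16-bit header flags
QR_FLAG = 0x8000     # set on responses
RCODE_MASK = 0x000F
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234):
    """Recursive query with AD set, asking the resolver to report validation status."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | AD_FLAG, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Map a raw DNS response to the outcomes discussed in the message."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!HHHHHH", response[:12])[1]
    if not flags & QR_FLAG:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        return "servfail"          # resolver refused to hand out an answer
    if rcode != 0:
        return f"rcode-{rcode}"
    # NOERROR: the AD bit says whether the resolver validated the data
    return "authenticated" if flags & AD_FLAG else "unauthenticated"

def probe(name, server="127.0.0.53", timeout=3.0):
    """Send one UDP query to `server` (assumed stub address) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(4096))

def _sample(flags, ancount=1):
    """Constructed 12-byte response header for offline demonstration."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {
    "validated": _sample(0x81A0),    # QR RD RA AD, NOERROR
    "insecure": _sample(0x8180),     # QR RD RA, NOERROR, no AD
    "failed": _sample(0x8182, 0),    # QR RD RA, SERVFAIL
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

Running `probe("guix.gnu.org")` against the local stub and then against another recursor shows whether the two resolvers disagree on the same name.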