Re: [Sks-devel] Fwd: sks-keyserver unavailable
From: Phil Pennock
Subject: Re: [Sks-devel] Fwd: sks-keyserver unavailable
Date: Tue, 26 Feb 2013 17:17:57 -0500

On 2013-02-26 at 11:16 +0100, Niels Laukens wrote:
> I'm having trouble getting keys of the pools on sks-keyservers.net. I've
> just retried with the suggested debug-option with following result:

Okay, I ran:

  unbound-control local_data hkps.pool.sks-keyservers.net. A 84.215.15.221

to talk to the same server. This is keys2.kfwebs.net, Kristian's
server.

Kristian: do you have some kind of content-examining firewall setup, or
kernel-based early acceptors, or something else weird in place?

I can replicate this with gpg2 (2.0.19) but not with gpg1.

When things fail, the request has been sent to the server in two
packets, "GET" & "Host:" in the first, "Cache-Control:" and "Pragma:"
(and trailing blank line) in the second. The server replies with two
ACKs and no payload; the second ACK contains a FIN flag, so I see the
*server* closing the connection first.
The request in the failure case is HTTP/1.0.

When things succeed, there is one packet sent, "GET", "Host:",
"Accept:", "Pragma:" and "Cache-Control:" (and trailing blank line) in
that packet. The server sends back a single ACK and then the results.
The request in this case is HTTP/1.1. (The large time-gap is because
this is copy/pasted from a later query, after checking hosts, because I
didn't initially notice that the first packet of the response, the first
time, was only received after a SACK "1 {1449:10569}" caused
"1:1449(1448)" to be retransmitted, with the headers.)

If I paste into telnet the exact failing query, things succeed. If I
paste in parts, they succeed. When I do this, the packets are either
sent with each header in a different packet, or the GET request in one
packet and the other headers in a later packet.

I can only see a problem when the GET and the first header are in one
packet and the later headers in the next, which I can't duplicate with
telnet(1).

Thus my thoughts turn to some kind of anti-slow-request DoS protection
in a firewall ... I don't have a better explanation.

-Phil

Failure, gpg2:
----------------------------8< cut here >8------------------------------
16:47:31.663614 IP (tos 0x0, ttl 64, id 13187, offset 0, flags [DF], proto TCP
(6), length 156, bad cksum 0 (->5390)!) 94.142.240.6.58086 >
84.215.15.221.11371: P, cksum 0x9ab4 (correct), 1:105(104) ack 1 win 8326
<nop,nop,timestamp 794590175 133661292>
0x0000: 4500 009c 3383 4000 4006 0000 5e8e f006 E...3.@.@...^...
0x0010: 54d7 0fdd e2e6 2c6b 26fb 053f 0ebc 8fb7 T.....,k&..?....
0x0020: 8018 2086 9ab4 0000 0101 080a 2f5c 7bdf ............/\{.
0x0030: 07f7 826c 4745 5420 2f70 6b73 2f6c 6f6f ...lGET./pks/loo
0x0040: 6b75 703f 6f70 3d67 6574 266f 7074 696f kup?op=get&optio
0x0050: 6e73 3d6d 7226 7365 6172 6368 3d30 7830 ns=mr&search=0x0
0x0060: 3841 4234 3834 3920 4854 5450 2f31 2e30 8AB4849.HTTP/1.0
0x0070: 0d0a 486f 7374 3a20 686b 7073 2e70 6f6f ..Host:.hkps.poo
0x0080: 6c2e 736b 732d 6b65 7973 6572 7665 7273 l.sks-keyservers
0x0090: 2e6e 6574 3a31 3133 3731 0d0a .net:11371..
16:47:31.663665 IP (tos 0x0, ttl 64, id 13188, offset 0, flags [DF], proto TCP
(6), length 97, bad cksum 0 (->53ca)!) 94.142.240.6.58086 >
84.215.15.221.11371: FP, cksum 0x25e1 (correct), 105:150(45) ack 1 win 8326
<nop,nop,timestamp 794590175 133661292>
0x0000: 4500 0061 3384 4000 4006 0000 5e8e f006 E..a3.@.@...^...
0x0010: 54d7 0fdd e2e6 2c6b 26fb 05a7 0ebc 8fb7 T.....,k&.......
0x0020: 8019 2086 25e1 0000 0101 080a 2f5c 7bdf ....%......./\{.
0x0030: 07f7 826c 4361 6368 652d 436f 6e74 726f ...lCache-Contro
0x0040: 6c3a 206e 6f2d 6361 6368 650d 0a50 7261 l:.no-cache..Pra
0x0050: 676d 613a 206e 6f2d 6361 6368 650d 0a0d gma:.no-cache...
0x0060: 0a .
16:47:31.711455 IP (tos 0x0, ttl 54, id 3524, offset 0, flags [DF], proto TCP
(6), length 52) 84.215.15.221.11371 > 94.142.240.6.58086: ., cksum 0xb2f4
(correct), 1:1(0) ack 105 win 114 <nop,nop,timestamp 133661299 794590175>
0x0000: 4500 0034 0dc4 4000 3606 83b7 54d7 0fdd E..4..@.6...T...
0x0010: 5e8e f006 2c6b e2e6 0ebc 8fb7 26fb 05a7 ^...,k......&...
0x0020: 8010 0072 b2f4 0000 0101 080a 07f7 8273 ...r...........s
0x0030: 2f5c 7bdf /\{.
16:47:31.711466 IP (tos 0x0, ttl 54, id 3525, offset 0, flags [DF], proto TCP
(6), length 52) 84.215.15.221.11371 > 94.142.240.6.58086: F, cksum 0xb2c5
(correct), 1:1(0) ack 151 win 114 <nop,nop,timestamp 133661299 794590175>
0x0000: 4500 0034 0dc5 4000 3606 83b6 54d7 0fdd E..4..@.6...T...
0x0010: 5e8e f006 2c6b e2e6 0ebc 8fb7 26fb 05d5 ^...,k......&...
0x0020: 8011 0072 b2c5 0000 0101 080a 07f7 8273 ...r...........s
0x0030: 2f5c 7bdf /\{.
16:47:31.711481 IP (tos 0x0, ttl 64, id 13189, offset 0, flags [DF], proto TCP
(6), length 52, bad cksum 0 (->53f6)!) 94.142.240.6.58086 >
84.215.15.221.11371: ., cksum 0x9252 (correct), 151:151(0) ack 2 win 8325
<nop,nop,timestamp 794590271 133661299>
0x0000: 4500 0034 3385 4000 4006 0000 5e8e f006 E..43.@.@...^...
0x0010: 54d7 0fdd e2e6 2c6b 26fb 05d5 0ebc 8fb8 T.....,k&.......
0x0020: 8010 2085 9252 0000 0101 080a 2f5c 7c3f .....R....../\|?
0x0030: 07f7 8273 ...s
----------------------------8< cut here >8------------------------------
Success, gpg1:
----------------------------8< cut here >8------------------------------
17:00:03.861455 IP (tos 0x0, ttl 64, id 29164, offset 0, flags [DF], proto TCP
(6), length 214, bad cksum 0 (->14ed)!) 94.142.240.6.53949 >
84.215.15.221.11371: P, cksum 0x4563 (correct), 1:163(162) ack 1 win 8326
<nop,nop,timestamp 796094730 133736528>
0x0000: 4500 00d6 71ec 4000 4006 0000 5e8e f006 E...q.@.@...^...
0x0010: 54d7 0fdd d2bd 2c6b ce65 4184 88ce c93b T.....,k.eA....;
0x0020: 8018 2086 4563 0000 0101 080a 2f73 710a ....Ec....../sq.
0x0030: 07f8 a850 4745 5420 2f70 6b73 2f6c 6f6f ...PGET./pks/loo
0x0040: 6b75 703f 6f70 3d67 6574 266f 7074 696f kup?op=get&optio
0x0050: 6e73 3d6d 7226 7365 6172 6368 3d30 7830 ns=mr&search=0x0
0x0060: 3841 4234 3834 3920 4854 5450 2f31 2e31 8AB4849.HTTP/1.1
0x0070: 0d0a 486f 7374 3a20 686b 7073 2e70 6f6f ..Host:.hkps.poo
0x0080: 6c2e 736b 732d 6b65 7973 6572 7665 7273 l.sks-keyservers
0x0090: 2e6e 6574 3a31 3133 3731 0d0a 4163 6365 .net:11371..Acce
0x00a0: 7074 3a20 2a2f 2a0d 0a50 7261 676d 613a pt:.*/*..Pragma:
0x00b0: 206e 6f2d 6361 6368 650d 0a43 6163 6865 .no-cache..Cache
0x00c0: 2d43 6f6e 7472 6f6c 3a20 6e6f 2d63 6163 -Control:.no-cac
0x00d0: 6865 0d0a 0d0a he....
17:00:03.903667 IP (tos 0x0, ttl 54, id 24942, offset 0, flags [DF], proto TCP
(6), length 52) 84.215.15.221.11371 > 94.142.240.6.53949: ., cksum 0x1070
(correct), 1:1(0) ack 163 win 122 <nop,nop,timestamp 133736533 796094730>
0x0000: 4500 0034 616e 4000 3606 300d 54d7 0fdd E..4an@.6.0.T...
0x0010: 5e8e f006 2c6b d2bd 88ce c93b ce65 4226 ^...,k.....;.eB&
0x0020: 8010 007a 1070 0000 0101 080a 07f8 a855 ...z.p.........U
0x0030: 2f73 710a /sq.
17:00:03.904604 IP (tos 0x0, ttl 54, id 24943, offset 0, flags [DF], proto TCP
(6), length 1500) 84.215.15.221.11371 > 94.142.240.6.53949: ., cksum 0x12a5
(correct), 1:1449(1448) ack 163 win 122 <nop,nop,timestamp 133736533 796094730>
0x0000: 4500 05dc 616f 4000 3606 2a64 54d7 0fdd E...ao@.6.*dT...
0x0010: 5e8e f006 2c6b d2bd 88ce c93b ce65 4226 ^...,k.....;.eB&
0x0020: 8010 007a 12a5 0000 0101 080a 07f8 a855 ...z...........U
0x0030: 2f73 710a 4854 5450 2f31 2e31 2032 3030 /sq.HTTP/1.1.200
0x0040: 204f 4b0d 0a44 6174 653a 2054 7565 2c20 .OK..Date:.Tue,.
0x0050: 3236 2046 6562 2032 3031 3320 3231 3a35 26.Feb.2013.21:5
0x0060: 393a 3337 2047 4d54 0d0a 436f 6e74 656e 9:37.GMT..Conten
0x0070: 742d 5479 7065 3a20 6170 706c 6963 6174 t-Type:.applicat
0x0080: 696f 6e2f 7067 702d 6b65 7973 3b20 6368 ion/pgp-keys;.ch
0x0090: 6172 7365 743d 5554 462d 380d 0a43 6f6e arset=UTF-8..Con
0x00a0: 7465 6e74 2d4c 656e 6774 683a 2031 3032 tent-Length:.102
0x00b0: 3036 0d0a 436f 6e6e 6563 7469 6f6e 3a20 06..Connection:.
0x00c0: 6b65 6570 2d61 6c69 7665 0d0a 4b65 6570 keep-alive..Keep
0x00d0: 2d41 6c69 7665 3a20 7469 6d65 6f75 743d -Alive:.timeout=
0x00e0: 3230 0d0a 5365 7276 6572 3a20 736b 735f 20..Server:.sks_
0x00f0: 7777 772f 312e 312e 342b 0d0a 4361 6368 www/1.1.4+..Cach
0x0100: 652d 436f 6e74 726f 6c3a 206e 6f2d 6361 e-Control:.no-ca
0x0110: 6368 650d 0a50 7261 676d 613a 206e 6f2d che..Pragma:.no-
0x0120: 6361 6368 650d 0a45 7870 6972 6573 3a20 cache..Expires:.
0x0130: 300d 0a58 2d48 4b50 2d52 6573 756c 7473 0..X-HKP-Results
0x0140: 2d43 6f75 6e74 3a20 310d 0a43 6f6e 7465 -Count:.1..Conte
0x0150: 6e74 2d64 6973 706f 7369 7469 6f6e 3a20 nt-disposition:.
0x0160: 6174 7461 6368 6d65 6e74 3b20 6669 6c65 attachment;.file
0x0170: 6e61 6d65 3d67 7067 6b65 792e 6173 630d name=gpgkey.asc.
0x0180: 0a56 6961 3a20 312e 3120 6b65 7973 322e .Via:.1.1.keys2.
0x0190: 6b66 7765 6273 2e6e 6574 0d0a 0d0a 2d2d kfwebs.net....--
0x01a0: 2d2d 2d42 4547 494e 2050 4750 2050 5542 ---BEGIN.PGP.PUB
0x01b0: 4c49 4320 4b45 5920 424c 4f43 4b2d 2d2d LIC.KEY.BLOCK---
0x01c0: 2d2d 0a56 6572 7369 6f6e 3a20 534b 5320 --.Version:.SKS.
0x01d0: 312e 312e 342b 0a43 6f6d 6d65 6e74 3a20 1.1.4+.Comment:.
0x01e0: 486f 7374 6e61 6d65 3a20 6b65 7973 322e Hostname:.keys2.
0x01f0: 6b66 7765 6273 2e6e 6574 0a0a 6d51 494e kfwebs.net..mQIN
0x0200: 4246 4569 6930 6f42 4541 4330 6d4d 6543 BFEii0oBEAC0mMeC
0x0210: 696e 4d34 324f 5044 3870 4f64 7462 504b inM42OPD8pOdtbPK
0x0220: 6964 5365 5573 5579 6a54 5837 6746 504f idSeUsUyjTX7gFPO
0x0230: 4951 4675 744a 434b 554c 795a 6137 6174 IQFutJCKULyZa7at
0x0240: 4445 5152 0a30 3245 3133 466c 4b75 6c7a DEQR.02E13FlKulz
[...]
----------------------------8< cut here >8------------------------------
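
A way to tabulate the failing exchange from the gpg2 trace above, added here as an example and not part of the original message: it parses the tcpdump summary lines and reports how the request was segmented, how much payload came back, and which segments carry FIN. The names `parse_trace` and `summarize` are chosen for this example; the old tcpdump text format and a capture that starts with a client segment are assumed.

```python
import re

# Summary lines of the gpg2 failure trace above, re-joined onto single lines
# with the IP-header details trimmed (old tcpdump text format assumed).
FAILURE_TRACE = """\
16:47:31.663614 IP 94.142.240.6.58086 > 84.215.15.221.11371: P, cksum 0x9ab4 (correct), 1:105(104) ack 1 win 8326
16:47:31.663665 IP 94.142.240.6.58086 > 84.215.15.221.11371: FP, cksum 0x25e1 (correct), 105:150(45) ack 1 win 8326
16:47:31.711455 IP 84.215.15.221.11371 > 94.142.240.6.58086: ., cksum 0xb2f4 (correct), 1:1(0) ack 105 win 114
16:47:31.711466 IP 84.215.15.221.11371 > 94.142.240.6.58086: F, cksum 0xb2c5 (correct), 1:1(0) ack 151 win 114
16:47:31.711481 IP 94.142.240.6.58086 > 84.215.15.221.11371: ., cksum 0x9252 (correct), 151:151(0) ack 2 win 8325
"""

SEGMENT = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+),"
    r".*? (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\) ack (?P<ack>\d+)"
)


def parse_trace(text):
    """Return one dict per TCP segment found in tcpdump summary lines."""
    segments = []
    for line in text.splitlines():
        m = SEGMENT.match(line)
        if m is None:
            continue  # hex rows and anything else that is not a summary line
        seg = m.groupdict()
        for key in ("start", "end", "len", "ack"):
            seg[key] = int(seg[key])
        segments.append(seg)
    return segments


def summarize(segments):
    """Assumes the capture starts with a client segment (handshake not shown)."""
    client = segments[0]["src"]
    side = lambda s: "client" if s["src"] == client else "server"
    return {
        "request_segments": [s["len"] for s in segments
                             if side(s) == "client" and s["len"] > 0],
        "response_bytes": sum(s["len"] for s in segments if side(s) == "server"),
        "fin_order": [(side(s), s["time"]) for s in segments if "F" in s["flags"]],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_trace(FAILURE_TRACE)).items():
        print(f"{key}: {value}")
```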