guix-devel
From: Marius Bakke
Subject: *.gnu.org fails to resolve with systemd-resolvd (was: Re: 'staging' is FROZEN)
Date: Thu, 17 Oct 2019 20:55:58 +0200
User-agent: Notmuch/0.29.1 (https://notmuchmail.org) Emacs/26.2 (x86_64-pc-linux-gnu)

Hello Bengt,

Bengt Richter <address@hidden> writes:

> On +2019-10-15 19:03:41 +0200, Marius Bakke wrote:
>> Hello Guixers,
>> 
>> The 'staging' branch is now considered "frozen" and only takes
>> bug-fixes for new regressions.  You can follow progress here:
>> 
>> https://ci.guix.gnu.org/jobset/staging-staging
>>
>
> No I can't, unfortunately -- not without setting DNSSEC=off :-(
>
> (I did that as a temporary measure, just to see, and I do get through
> that way, but I don't want to turn DNSSEC off).
>
> (Thank you Marius, BTW, who pointed me to
> https://github.com/systemd/systemd/issues/9867
> where I got the DNSSEC=off clue).
>
> https://gnu.org works fine with DNSSEC=on (with the exception of page
> links from there to guix.gnu.org or savannah.gnu.org (that I know of)).
>
> Why does gnu.org work and guix.gnu.org not??
>
> That gnu.org works makes me think the problem is at guix.gnu.org,
> not in a configuration problem on my machine.
>
> I wonder if key infrastructure potholes like this are not putting off
> more potential contributors than other recently discussed put-offs :)

You do not have to disable DNSSEC.  You just have to use a resolver that
properly handles signed-but-not-authenticated DNS records such as those
on *.gnu.org.  I.e. by replacing systemd-resolved with a "proper"
recursor like dnsmasq or Unbound, or by using an external DNS server
such as the one provided by your ISP.

The GNU/FSF sysadmins are aware of the issue and will fix the gnu.org
domains eventually, but the problem really is with systemd-resolved.  It
is not supposed to return SERVFAIL at all, but rather omit the
"authenticated" flag in the response.

The last comment on the GitHub issue says archlinux.org itself was
affected.  I wonder if they had just enabled DNSSEC, or if they rotated
signing keys.  Both scenarios could trigger this problem.

Unfortunately there is nothing we can do about it :-/

Attachment: signature.asc
Description: PGP signature
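The distinction Marius draws above (a validating resolver should answer NOERROR without the AD flag for a name it cannot authenticate, and reserve SERVFAIL for answers it has actually judged bogus) can be checked from the response header alone. The script below is an added example, not code from this thread, from Guix or from systemd: it builds a DNS query with the EDNS0 DO bit set, parses the 12-byte response header, and classifies what the resolver did. The resolver addresses and the three sample responses are constructed for illustration; the query name is the one from the thread.

```python
"""Classify how a resolver answers for a signed-but-unvalidatable name.

Added example (not from the thread, Guix or systemd).  Only the DNS
header is inspected: QR/RA/AD flags and the RCODE.  A resolver that can
build a chain of trust sets AD; one that cannot (zone signed, but no
trusted DS chain, or a resolver that does not validate at all) should
answer NOERROR with AD clear; SERVFAIL means it treated the answer as
bogus, which is the systemd-resolved behaviour described in the mail.
"""
import socket
import struct

QUERY_ID = 0x1234
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query for `name`: RD=1, one question, one OPT RR with DO=1."""
    header = struct.pack(">HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)          # class IN
    # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags with DO (0x8000) set, empty RDATA.
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response?
        "tc": bool(flags & 0x0200),   # truncated (retry over TCP)
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data (DNSSEC validated)
        "cd": bool(flags & 0x0010),   # checking disabled
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(hdr: dict) -> str:
    """Map a response header to the outcome that matters for this bug."""
    if hdr["rcode"] == "SERVFAIL":
        return "bogus-or-resolver-failure"   # what systemd-resolved returned
    if hdr["rcode"] != "NOERROR":
        return hdr["rcode"]
    return "authenticated" if hdr["ad"] else "not-authenticated"


def query(name: str, server: str, timeout: float = 3.0) -> dict:
    """Send the query over UDP to `server` (an assumed resolver address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != QUERY_ID or not hdr["qr"]:
        raise ValueError("response does not match our query")
    return hdr


# Constructed sample headers (QR RD RA set; the body is irrelevant here):
SAMPLE_AUTHENTICATED = struct.pack(">HHHHHH", QUERY_ID, 0x81A0, 1, 2, 0, 1)  # AD set
SAMPLE_NOT_AUTHENTICATED = struct.pack(">HHHHHH", QUERY_ID, 0x8180, 1, 2, 0, 1)
SAMPLE_SERVFAIL = struct.pack(">HHHHHH", QUERY_ID, 0x8182, 1, 0, 0, 1)  # RCODE 2


if __name__ == "__main__":
    for label, sample in (("authenticated", SAMPLE_AUTHENTICATED),
                          ("not-authenticated", SAMPLE_NOT_AUTHENTICATED),
                          ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", classify(parse_header(sample)))
    # Live comparison (addresses are assumptions): the systemd-resolved stub
    # listens on 127.0.0.53; substitute your ISP's or an Unbound instance.
    for server in ("127.0.0.53", "192.0.2.53"):
        try:
            print(server, classify(query("guix.gnu.org", server)))
        except (OSError, ValueError) as exc:
            print(server, "error:", exc)
```

The same comparison can be made with `dig +dnssec guix.gnu.org @127.0.0.53` versus `dig +dnssec guix.gnu.org @<other resolver>`: look at `status:` and whether `ad` appears in the `flags:` line. Note that "not-authenticated" is also what a resolver that never validates returns, so it only tells you the answer was not proven; it is SERVFAIL from a resolver that does validate that marks the behaviour the mail complains about.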

