From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] simple DoS against SKS's HKP interface :/
Date: Sun, 25 Mar 2012 18:46:42 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20120125 Icedove/9.0.1

On 03/25/2012 05:53 PM, Kristian Fiskerstrand wrote:
> Did a few more changes[0] to speed up the IP lookup process, and included adding IPv6 for some subset pools (including the HA one)

Hm, just looking for the regular IPv4 A records for the HA pool from different authoritative nameservers seems problematic. Some servers return NXDOMAIN, some just time out. only two of the authoritative ones i queried returned any A records:

0 address@hidden:~$ for ns in $(dig +short ns sks-keyservers.net); do echo ...$ns...; dig +short -t a @$ns ha.pool.sks-keyservers.net; done
...ns1.kfwebs.net....
...ns2.kfwebs.net....
84.215.6.5
217.197.135.103
130.133.110.62
130.206.1.8
193.151.30.147
213.161.224.2
109.230.243.87
...ns4.sks-keyservers.net....
...ns5.sks-keyservers.net....
...ns2.sks-keyservers.net....
...ns1.sks-keyservers.net....
;; connection timed out; no servers could be reached
...ns9.kfwebs.net....
;; connection timed out; no servers could be reached
...ns7.sks-keyservers.net....
...ns8.sks-keyservers.net....
...ns3.sks-keyservers.net....
0 address@hidden:~$

maybe something broke or needs to be rolled out differently to these different authoritative nameservers?

(btw, until now i hadn't realized there were so many authoritative servers for this zone; thanks for maintaining them!)
--dkg
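
The per-nameserver check in the message above, as an added example that is not part of the original e-mail: it parses the output of that loop and reports, for each authoritative server, whether it returned A records, returned nothing, or timed out. The function names are hypothetical, and the hostnames and addresses in the sample are constructed (documentation ranges), not taken from the thread.

```shell
#!/bin/sh
# Added example. Input: output of a loop that prints "...<ns>..." before each
# `dig +short -t a @<ns> <name>` call, as in the message above.
# Note: with +short, NXDOMAIN and an empty answer both show up as no output,
# so both are reported here as "empty".
classify_ns_output() {
    awk '
        function emit() {
            if (ns != "") {
                status = timeout ? "timeout" : (count ? "answers" : "empty")
                printf "%s %s %d\n", ns, status, count
            }
        }
        /^\.\.\..*\.\.\.$/ {             # marker line from: echo ...$ns...
            emit()
            ns = $0
            sub(/^\.\.\./, "", ns)        # strip the leading dots
            sub(/\.+$/, "", ns)           # strip trailing dots, incl. the root dot
            count = 0; timeout = 0
            next
        }
        /^;; connection timed out/ { timeout = 1; next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { count++ }   # one IPv4 A record
        END { emit() }
    '
}

# Names of the servers that did not return any A record.
failing_ns() {
    awk '$2 != "answers" { print $1 }'
}

# Constructed sample output (hypothetical names, RFC 5737 addresses).
sample_output() {
cat <<'EOF'
...ns-a.example.net....
192.0.2.10
192.0.2.11
...ns-b.example.net....
...ns-c.example.net....
;; connection timed out; no servers could be reached
EOF
}

sample_output | classify_ns_output
```

Piping the real loop's output into `classify_ns_output | failing_ns` gives the list of authoritative servers to investigate.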