Hi Brian--

[re: https://bugs.debian.org/798911 ]

On Sun 2015-09-13 22:36:00 -0400, Brian Minton wrote:
> I was looking at my sks logs, and I saw the following error:
>
> ==> /var/log/sks/recon.log <==
> 2015-09-13 22:28:00 Reconciliation attempt from unauthorized host
> <ADDR_INET [157.7.123.130]:49955>.  Ignoring
>
> I checked that host, and it is one that is in my membership file.
>
> bminton:~# host 157.7.123.130
> 130.123.7.157.in-addr.arpa domain name pointer tyo1.sks.reimu.io.
> bminton:~# grep tyo /etc/sks/membership
> tyo1.sks.reimu.io 11370 # Siyuan Miao <i...@xswan.net> 0x367B7A82

The reverse lookup may indicate this IP address is OK, but the forward
lookup from the hostname doesn't exist -- it is a CNAME to
tyo1-ipv6.sks, which is not a valid hostname:

0 dkg@alice:~$ dig tyo1.sks.reimu.io

; <<>> DiG 9.9.5-12-Debian <<>> tyo1.sks.reimu.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64824
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;tyo1.sks.reimu.io.             IN      A

;; ANSWER SECTION:
tyo1.sks.reimu.io.      232     IN      CNAME   tyo1-ipv6.sks.

;; AUTHORITY SECTION:
.                       1732    IN      SOA     a.root-servers.net. 
nstld.verisign-grs.com. 2015091400 1800 900 604800 86400

;; Query time: 21 msec
;; SERVER: 10.70.0.254#53(10.70.0.254)
;; WHEN: Mon Sep 14 10:45:49 EDT 2015
;; MSG SIZE  rcvd: 148

0 dkg@alice:~$ 

sks can't (shouldn't) rely on reverse lookups.  Otherwise, anyone who
knows who your peers are (which is anyone, since most sks hosts publish
their list of peers) can just set up their reverse DNS to say any of
your peers, and you'd accept traffic from them.

You should ask Siyuan Miao (cc'ed here) to clean up the DNS records
published for your peer.

So i think sks is doing the right thing here; i'm closing this bug
because i think it's behaving as intended.  But i could be wrong!  If
so, please explain what i've missed, and feel free to re-open the bug
(or ask me to re-open it, which i'll happily do).

Regards,

   --dkg
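As an added illustration of the forward-lookup check dkg describes (not sks code, and not part of the original thread): a membership entry authorizes a connecting address only if the hostname's forward lookup yields that address, and the reverse (PTR) record is never consulted. The DNS answers and the second peer below are constructed; a live check would pass `system_forward` instead of `fake_forward`.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample of /etc/sks/membership: "<hostname> <port> # comment".
MEMBERSHIP = """\
tyo1.sks.reimu.io 11370 # Siyuan Miao <i...@xswan.net> 0x367B7A82
peer.example.net 11370 # hypothetical second peer (constructed)
"""

# Hypothetical forward-lookup answers standing in for real DNS: the first name is a
# CNAME to a nonexistent target (NXDOMAIN), so it yields no addresses at all.
FORWARD_RECORDS: Dict[str, List[str]] = {
    "tyo1.sks.reimu.io": [],
    "peer.example.net": ["192.0.2.10", "2001:db8::10"],  # documentation ranges
}

def parse_membership(text: str) -> List[str]:
    """Return peer hostnames from membership-file text, ignoring comments."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(line.split()[0])
    return hosts

def authorized_peer(addr: str, hosts: List[str],
                    resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Return the membership hostname whose forward lookup yields addr, else None.
    Only forward lookups count: whoever controls the connecting address also
    controls its PTR record, so reverse DNS proves nothing about peer identity."""
    ip = ipaddress.ip_address(addr)
    for host in hosts:
        if any(ipaddress.ip_address(c) == ip for c in resolve(host)):
            return host
    return None

def fake_forward(host: str) -> List[str]:
    return FORWARD_RECORDS.get(host, [])

def system_forward(host: str) -> List[str]:
    """Forward-resolve with the system resolver; NXDOMAIN yields an empty list."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

if __name__ == "__main__":
    hosts = parse_membership(MEMBERSHIP)
    for addr in ("157.7.123.130", "192.0.2.10"):
        print(addr, "->", authorized_peer(addr, hosts, fake_forward) or "unauthorized")
```

With the constructed answers, 157.7.123.130 is rejected exactly as in Brian's recon.log, because no membership hostname forward-resolves to it, while the second peer's addresses are accepted.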
