
Re: [Sks-devel] throttle lookups? / multihomed server


From: John Clizbe
Subject: Re: [Sks-devel] throttle lookups? / multihomed server
Date: Tue, 18 Dec 2012 17:44:39 -0600
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0 SeaMonkey/2.14.1

Stephan Seitz wrote:
> Hi guys,
> 
> after a quick peek into my sks logs (without a particular reason ;) ), I
> found a few interestingly huge blocks of lookup requests. These
> unusual(?) amounts of lookups were requested en-bloc by a single IP.
> 
> Sometimes single IPs were requesting up to a few hundred times the very
> same key.
> 
> I can imagine a few scenarios why this happens, going from badly
> configured keyservers to address harvesters, to users falling asleep on
> the F5 key...
> 
> Just out of interest: Is it reasonable to think about limiting the
> requests per IP per second? Or is it just the prevailing noise on the
> wire, the keyservers have to live with?

Sounds like the pool polling process.

> anyway, I'm more concerned about the following entries:
> 
> Reconciliation attempt from <ADDR_INET [REDACTED]:55073> while gossip
> disabled. Ignoring.
> 
> These attempts are done by about 20 different IPs. I compared a few of
> the PTR records against the servers in the membership file and found at
> least 2 matches. So my server *should* accept at least some of these
> reconciliation attempts.
> I suspect multihomed servers and/or dual-stack as the reason for this,
> but I'm not entirely sure.
> 
> Could some of you offer some suggestions, helping to understand and
> probably fix this?

One, this is quite normal. Two, there is nothing to fix. When two servers set
up a reconciliation, they disable gossip so that another server does not try
to initiate a new reconciliation until the present one is complete.

Multihomed servers trying to gossip from an address not in membership generate
"Reconciliation attempt from unauthorized host <ADDR_INET [i.j.k.l]:s>.
Ignoring" messages. It's actually the only message I tend to look at. If it's
multihoming, I add the IP to membership if the keyserver name resolves to a
different IP. If it's a server I have not set up in membership, I dig deeper. I
tend to get new keyserver ops adding me without first contacting me with a
request to peer.

Presently, I only see one IP address and that one is a known (to me)
misconfigured setup. I explained it to the operator once and they went ahead
with the misconfiguration -- Ports 11370 and 11371 are coming from different
IP addresses.

PTR records often don't match up because of mapping back to an ISP's namespace
or CNAMEs. E.g.,

address@hidden:sks# host keyserver.gingerbear.net
keyserver.gingerbear.net has address 173.175.219.145
address@hidden:sks# host 173.175.219.145
145.219.175.173.in-addr.arpa domain name pointer cpe-173-175-219-145.tx.res.rr.com.

Try accessing the server's stats page

http://173.175.219.145:11371/pks/lookup?op=stats



-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


Attachment: signature.asc
Description: OpenPGP digital signature
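The triage John describes above (ignore "while gossip disabled", look at "unauthorized host", check whether the address belongs to a name already in membership, otherwise go look at the peer's stats page), as an added example that is not part of this thread or of SKS itself. The membership file format ("host port", '#' comments) and the two log messages are the ones quoted in the thread; the log lines, the keys.example.net peer and the FAKE_DNS dictionary standing in for DNS are constructed so the script runs offline. Pass resolver=None to resolve through the real DNS instead.

```python
import ipaddress
import re
import socket

# Constructed sample membership file in SKS format ("host port", '#' comments).
# keyserver.gingerbear.net is the host named in the thread; keys.example.net
# is a hypothetical dual-stack peer.
SAMPLE_MEMBERSHIP = """\
# hostname                port
keyserver.gingerbear.net  11370
keys.example.net          11370
"""

# Constructed log lines modelled on the two messages quoted in the thread.
# Addresses other than 173.175.219.145 are documentation ranges (RFC 5737/3849).
SAMPLE_LOG = """\
2012-12-18 22:10:01 Reconciliation attempt from <ADDR_INET [173.175.219.145]:55073> while gossip disabled. Ignoring.
2012-12-18 22:10:07 Reconciliation attempt from unauthorized host <ADDR_INET [192.0.2.10]:41002>. Ignoring
2012-12-18 22:11:30 Reconciliation attempt from unauthorized host <ADDR_INET [2001:db8::5]:41003>. Ignoring
2012-12-18 22:12:00 Reconciliation attempt from unauthorized host <ADDR_INET [198.51.100.7]:41004>. Ignoring
"""

# Hypothetical offline stand-in for DNS so the example runs without network:
# name -> every address (A and AAAA) it resolves to.
FAKE_DNS = {
    "keyserver.gingerbear.net": {"173.175.219.145"},
    "keys.example.net": {"192.0.2.10", "2001:db8::5"},
}

ATTEMPT_RE = re.compile(
    r"Reconciliation attempt from (?P<unauth>unauthorized host )?"
    r"<ADDR_INET \[(?P<ip>[^\]]+)\]:(?P<port>\d+)>"
)


def parse_membership(text):
    """Return {hostname: port} from an SKS membership file."""
    peers = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, port = line.split()
        peers[host] = int(port)
    return peers


def resolve_all(host, resolver=None):
    """All A/AAAA addresses for host; resolver is an optional dict for offline use."""
    if resolver is not None:
        return set(resolver.get(host, ()))
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def stats_url(ip, port=11371):
    """HKP stats URL for a peer; an IPv6 literal needs brackets in a URL."""
    host = f"[{ip}]" if ipaddress.ip_address(ip).version == 6 else ip
    return f"http://{host}:{port}/pks/lookup?op=stats"


def classify_attempts(log_text, membership_text, resolver=None):
    """Sort reconciliation-attempt log lines into three buckets."""
    ip_to_host = {}
    for host in parse_membership(membership_text):
        for ip in resolve_all(host, resolver):
            ip_to_host[ip] = host
    report = {"gossip_disabled": [], "listed_peer_other_address": [], "unknown": []}
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if not m.group("unauth"):
            # Normal: this server was mid-reconciliation with someone else.
            report["gossip_disabled"].append(ip)
        elif ip in ip_to_host:
            # A listed peer gossiping from an address of its name that the
            # server did not pick (multihomed/dual-stack): candidate to add.
            report["listed_peer_other_address"].append((ip, ip_to_host[ip]))
        else:
            # Not in membership at all: look at its stats page before peering.
            report["unknown"].append((ip, stats_url(ip)))
    return report


if __name__ == "__main__":
    for bucket, hits in classify_attempts(SAMPLE_LOG, SAMPLE_MEMBERSHIP, FAKE_DNS).items():
        print(bucket, hits)
```

Matching on every address a membership name resolves to, rather than on PTR records, is deliberate: as the example with keyserver.gingerbear.net shows, the reverse name is usually the ISP's, so a PTR comparison would miss peers that a forward lookup identifies.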

