BSS_Snag Posted September 13

5 hours ago, Lisias said:
> September 9th and 11th.

Yeah, website was down at those times for me, not able to get to any SpaceDock page.

Lisias Posted September 14

On 9/13/2024 at 9:38 AM, BSS_Snag said:
> Yeah website was down at those times for me, not able to get to any spacedock page

I don't think this is related. Would be a shortage on the server itself, all the add-ons would have been handicapped the same, as I had shown on my previous post:

On 9/13/2024 at 4:28 AM, Lisias said:
> Guys, @VITAS I think there's something weird happening on SpaceDock. Since Sep 9th, the downloads for the majority of the add-ons I checked plummeted from 6 to even 16 times less than the day before!
> This is a too much dramatic drop, something wrong must be happening - or perhaps was happening before?

However, digging around, I found that not all the add-ons are being affected! See:

There's something else happening, and I'm failing to detect a pattern. On a (pretty naive) eyeballing fest, I think that approximately 3 in 4 add-ons are being handicapped right now since last September 9th.

@VITAS, are you aware of this?

Lisias Posted September 16

On 9/14/2024 at 5:24 PM, Lisias said:
> I don't think this is related. Would be a shortage on the server itself, all the add-ons would have been handicapped the same, as I had shown on my previous post:
> However, digging around, I found that not all the add-ons are being affected! See:
> There's something else happening, and I'm failing to detect a pattern. On a (pretty naive) eyeballing fest, I think that approximately 3 in 4 add-ons are being handicapped right now since last September 9th.
> @VITAS, are you aware of this?

Never mind. It was a change on CKAN that I wasn't aware of. My apologies, @VITAS.

Giancarlo Kerman Posted October 14

Hey @VITAS

Be advised that Spacedock is throwing errors again, nothing on the website is loading at all.

Code: cdfx

Lisias Posted October 14

10 hours ago, Giancarlo Kerman said:
> Hey @VITAS Be advised that Spacedock is throwing errors again, nothing on the website is loading at all. Code: cdfx

Right now, 2024-10-14T11:14 Zulu, it's working fine for me.

Cheesecake Posted November 1

Is Spacedock down?

Royale37 Posted November 1

No, just tried it, it seems to be up.

Cheesecake Posted November 1

Hm, strange. I can call up Spacedock with Edge, it loads briefly with Firefox and then nothing is displayed. Cache and temp files deleted, but still not working. No error is displayed either. Just a white page.

Edit: Now I have the following message:

> Fehler: Gesicherte Verbindung fehlgeschlagen
> Beim Verbinden mit spacedock.info trat ein Fehler auf.
> Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert werden konnte.
> Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren.
> Weitere Informationen…

In English probably (translated):

> Error: Secured connection failed
> An error occurred while connecting to spacedock.info.
> The website cannot be displayed because the authenticity of the data received could not be verified.
> Please contact the owner of the website to inform him about this problem.
> Further information...

The Firefox website says that it may be a certificate error of the website.

Lisias Posted November 1

1 hour ago, Cheesecake said:
> Hm, strange. I can call up Spacedock with Edge, it loads briefly with Firefox and then nothing is displayed. Cache and temp files deleted, but still not working. No error is displayed either. Just a white page.
> Edit: Now I have the following message:
> In English probably (translated):
> The Firefox website says that it may be a certificate error of the website.

[EDIT] YIKES... had read the wrong field. My bad.

Spoiler:
Not a problem. SpaceDock uses LetsEncrypt, which needs to be renewed every 3 months. And the current certificate was issued at "1 November 2024 09:36:53 GMT-3", two minutes ago on my time zone.

You were lucky enough to hit SpaceDock exactly while the HTTPS certificate was being renewed.

HebaruSan Posted November 1

51 minutes ago, Cheesecake said:
> Error: Secured connection failed
> An error occurred while connecting to spacedock.info.
> The website cannot be displayed because the authenticity of the data received could not be verified.
> Please contact the owner of the website to inform him about this problem.
> Further information...

Firefox 132.0 now does this "Secure Connection Failed" thing, whereas Firefox 128.0 (the "Extended Support Release") still works fine. Nobody knows why, but @VITAS has been alerted in case there is some new server folk ritual to perform. I suspect a bug in the newer version of Firefox because other browsers are not complaining.

19 minutes ago, Lisias said:
> the current certificate was issued at "1 November 2024 09:36:53 GMT-3", two minutes ago on my time zone.

I don't know where you're seeing that; my browser says:

It does seem to be a real issue for users of Firefox 132.0.

Cheesecake Posted November 1

33 minutes ago, Lisias said:
> Not a problem. SpaceDock uses LetsEncrypt, which needs to be renewed every 3 months. And the current certificate was issued at "1 November 2024 09:36:53 GMT-3", two minutes ago on my time zone. You were lucky enough to hit SpaceDock exactly while the HTTPS certificate was being renewed.

However, the error still exists. I use Firefox 132.0, like @HebaruSan.

Lisias Posted November 1

1 hour ago, HebaruSan said:
> I don't know where you're seeing that; my browser says:
> It does seem to be a real issue for users of Firefox 132.0.

Misread a field name. Totally my bad. Thanks for pinpointing my mistake.

42 minutes ago, Cheesecake said:
> However, the error still exists. I use Firefox 132.0, like @HebaruSan.

I took the liberty of submitting SpaceDock.info into a tool for automated analysis: https://check-your-website.server-daten.de/?q=spacedock.info

It emitted the following alerts:

> spacedock.info
> 0 DS RR in the parent zone found
> DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed query name "14bsnrgqpbrmsvvih9ecqqsm15p9qff3" between the hashed NSEC3-owner "14bmvbrch241qvht8i28k5a8j36pi704" and the hashed NextOwner "14buk4blh4vfdinfmibatf7jefggt74s". So the parent zone confirmes the not-existence of a DS RR.
> Bitmap: NS, DS, RRSIG
> Validated: RRSIG-Owner 14bmvbrch241qvht8i28k5a8j36pi704.info., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 15.11.2024, 19:07:53 +, Signature-Inception: 25.10.2024, 18:07:53 +, KeyTag 16948, Signer-Name: info
> DS-Query in the parent zone sends valid NSEC3 RR with the Hash "nts9719ejeced08jegq9ombmafneqsd7" as Owner. That's the Hash of "info" with the NextHashedOwnerName "ntsgcq8bftqmnbickse3jqev1v3utmru". So that domain name is the Closest Encloser of "spacedock.info". Opt-Out: True.
> Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM
> Validated: RRSIG-Owner nts9719ejeced08jegq9ombmafneqsd7.info., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 22.11.2024, 13:49:36 +, Signature-Inception: 01.11.2024, 12:49:36 +, KeyTag 16948, Signer-Name: info
> 1 DNSKEY RR found
> Public Key with Algorithm 13, KeyTag 32290, Flags 257 (SEP = Secure Entry Point)
> 1 RRSIG RR to validate DNSKEY RR found
> RRSIG-Owner spacedock.info., Algorithm: 13, 2 Labels, original TTL: 3600 sec, Signature-expiration: 14.11.2024, 00:00:00 +, Signature-Inception: 24.10.2024, 00:00:00 +, KeyTag 32290, Signer-Name: spacedock.info
> • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 32290 used to validate the DNSKEY RRSet
> Error: DNSKEY 32290 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

Perhaps the problem is on the DNSSEC setup?

VITAS Posted November 2

i did a thing.

Cheesecake Posted November 2

1 hour ago, VITAS said:
> i did a thing.

Didn't work for me.

Iapetus7342 Posted November 2

3 hours ago, Cheesecake said:
> Didn't work for me.

Same.

Lisias Posted November 3

20 hours ago, VITAS said:
> i did a thing.

@VITAS, I think you should add a DS record for spacedock.info into the info TLD.

For example, running delv on cloudflare:

    lisias@macmini62 ~ > delv cloudflare.net +rtrace
    ;; fetch: cloudflare.net/A
    ;; fetch: cloudflare.net/DNSKEY
    ;; fetch: cloudflare.net/DS
    ;; fetch: net/DNSKEY
    ;; fetch: net/DS
    ;; fetch: ./DNSKEY
    ; fully validated
    cloudflare.net. 5 IN A 104.16.208.90
    cloudflare.net. 5 IN A 104.17.156.85
    cloudflare.net. 5 IN RRSIG A 13 2 300 20241104073905 20241102053905 34505 cloudflare.net. H6bwxUdZI+t0/ovM0XE/51VwgDXcxp23mcrkwDe+ctGSWtFIb4QQ0/ZP 1ciMYoE4Ge6ncoMZAeEugjKzyQhcaw==

While for spacedock, I get:

    lisias@macmini62 ~ > delv spacedock.info +rtrace
    ;; fetch: spacedock.info/A
    ;; fetch: spacedock.info/DNSKEY
    ;; fetch: spacedock.info/DS
    ;; fetch: info/DNSKEY
    ;; fetch: info/DS
    ;; fetch: ./DNSKEY
    ;; validating spacedock.info/A: no valid signature found
    ; unsigned answer
    spacedock.info. 60 IN A 95.217.59.158
    spacedock.info. 60 IN RRSIG A 13 2 60 20241114000000 20241024000000 32290 spacedock.info. CO/gBAQhCmnpBmlZWRRI8PFJxOOQQDZFRljWVRFmqqWs3LcirYlpFHcP R81TkN5Ktxvj8FilRgGZj8q8y5NfSw==
    lisias@macmini62 ~

The problem is the "unsigned answer" - you have an RRSIG entry in your DNS, but it's not being validated.

Running spacedock.info on Verisign's DNS analyzer https://dnssec-analyzer.verisignlabs.com/spacedock.info it returns

> No DS records found for spacedock.info in the info zone
> Found 1 DNSKEY records for spacedock.info
> Found 1 RRSIGs over DNSKEY RRset
> RRSIG=32290 and DNSKEY=32290/SEP verifies the DNSKEY RRset
> ns4.inwx.com is authoritative for spacedock.info
> spacedock.info A RR has value 95.217.59.158
> Found 1 RRSIGs over A RRset
> RRSIG=32290 and DNSKEY=32290/SEP verifies the A RRset

which corroborates my initial guess.

You need to reach your registrar to see how to add the DS entry - assuming it can be done in your setup, as I could not do it for my domain: I'm using AWS Route 53 for DNS resolving, but my registrar only allows DS entries if I use their crappy DNS servers (and pay for the service). So until I move my domain to AWS's registrar, I'm out of DNSSEC.

Not all TLDs support DNSSEC either, by the way - and the ones that support, some of them support only a few algorithms. If this table is updated, the info TLD supports only Algorithm 8 and you are using the 13 in your RRSIG,

=== == = EDIT = == ===

Nope, the info TLD supports algorithms from 6 to 14.

Cheesecake Posted November 3

I already wrote this to @VITAS yesterday, but now here too:

With another PC and Firefox 131.00 the access works. So I have downgraded Firefox to 131.00 on my PC. Including a new Firefox profile. That worked. The page could be called up. I then updated to 132.00 again. After that, the page could no longer be opened. However, all other pages can be called up with 132.00 without any problems.

So there is definitely a problem in the Spacedock - Firefox 132.00 constellation.

HebaruSan Posted November 3

A Discord user reported it to Firefox's bug tracker:

https://github.com/webcompat/web-bugs/issues/143437

whereupon one of the team members confirmed it and migrated it to their other bug tracker:

https://bugzilla.mozilla.org/show_bug.cgi?id=1928600

So, it might be a bug in Firefox, and they might be investigating it? Presumably that second ticket will be the one to follow for updates.

If they find and fix a bug, then some future Firefox update will work properly again. If they decide Firefox is working properly, then hopefully they'll specify exactly what SpaceDock is doing wrong so it can be fixed.

VITAS Posted November 3

What i know so far:

i can reproduce the problem under Fedora 41 with FF 132.

In general many pages have a delay in loading from time to time so something with first contact or lookup is amiss.

I indeed am missing the DS record in the TLD so the chain of trust IS broken. DNSSEC should be optional and a site load shouldn't fail because of it not being supported by an NS.

I added the missing entries for approval by the info registry but i got an error /delayed back. A Ticket with my domain registry is pending (it's Sunday).

The mozilla changelog doesn't tell me what they've changed that causes these problems.

Someone could test this in other browsers like chrome. If they fail they might have better error messages.

For now i'm waiting for word to get back from support.

Workaround for now: don't use FF 132?

Lisias Posted November 3

53 minutes ago, VITAS said:
> The mozilla changelog doesn't tell me what they've changed that causes these problems.

I found these pretty old entries:

Spoiler

What Firefox 132 apparently did was to adhere to the DNSSEC specs, demanding the full chain to be present - or not to exist at all.

Interesting enough, I found this entry on Firefox's HG repository:

https://phabricator.services.mozilla.com/D87698
Bug 1525854 - TRR shouldn't fallback to DNS on DNSSEC error r=#necko
https://bugzilla.mozilla.org/show_bug.cgi?id=1525854
"Firefox should only fallback on network error, not on DNSSEC errors."

Why this is only kicking in on 132 is still a mystery to me.

I'm being screwed by DNSSEC too, by the way, I tried to add it to my personal domain to wet my feet on it as I will need to add it to the company's too in the near future. It's a royal pain in the cheeks to have it set up because you depend on your registrar for doing it correctly, it's not an individual effort. And some registrars are using DNSSEC to take some more pennies from their users (like mine). (sigh)

53 minutes ago, VITAS said:
> Workaround for now: don't use FF 132?

Well... I installed it and used it for 5 minutes, then rolled back to 115.15. This thing was incredibly cranky on my rig, it was nearly unusable.

So, yeah. At least for now, I would recommend to roll back to FF 115 - not only due to this mishap, but for some other instabilities.

Interesting enough, I rolled back to 115.15 and since then Firefox was peskying me to update to 132. Curiously, right now it's peskying me to update to 115.17 instead. Well, I'm updating. If I vanish from the Forum for today, you guys know why.

54 minutes ago, VITAS said:
> DNSSEC should be optional and a site load shouldn't fail because of it not being supported by an NS.

Reading the AWS documentation and some posts on StackOverflow, the information I got is that the RRSig entry is optional - but once it's there, it's mandatory a DS entry on the TLD.

VITAS Posted November 4

i had a lot of problems with uptimes for the past month.

ckan also does mirror mods whose license allows it to github.

Apart from that it's normally that i don't change things but browsers add new restrictions that prevent the site from working there.

JuergenAuer Posted November 4

Hi @All,

I'm the owner of "check-your-website". The DNSSEC configuration is not working - but that's not a problem.

If a domain name has this entry

> 0 DS RR in the parent zone found

all DNSSEC information in the zone is ignored. That's how DNSSEC is defined.

But if a domain owner wants to add DNSSEC: First he adds the local DNSKEY - RR, then the RRSIG. Then tools may show correct / green results in the zone. See all the green results in the domain check. Last step: Adding the DS in the parent zone.

--

If DNSSEC would be broken and if a user uses a validating NameServer, the user gets no ip address of that domain name. So the error message is something like "Domain not found".

See the test domains rhybar.cz or dnssec-failed.org to see a critical broken DNSSEC. The parent zone has a DS, but the zone has no matching DNSKEY. So the validating name server ignores the result.

--

Most domains don't use DNSSEC. Such a configuration (no parent DS, but correct local DNSKEY + RRSIG) is sometimes visible.

Very rare: Broken DNSSEC. Happens sometimes if a user switches the name server. Old NS supports DNSSEC and has created a DS, that DS exists, but the new NS doesn't support DNSSEC or isn't configured, the (now wrong) DS exists.

Hope that helps.

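The three delegation states described in the post above (no DS in the parent, a DS that matches a DNSKEY, a DS with no matching DNSKEY), as an added Python example that is not part of the thread or of any tool mentioned in it. The zone name `zone.example` and both keys are constructed sample data. Only the DS-to-DNSKEY link is checked: RRSIG verification is left out, and the resolver is assumed to support the DS algorithm and digest type.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_for(owner: str, rdata: bytes) -> tuple:
    """DS fields for the parent zone: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Classify the parent/child link the way a validating resolver sees it."""
    if not parent_ds:
        # No DS in the parent: the zone is treated as unsigned and its
        # DNSKEY/RRSIG records are ignored. Lookups still succeed.
        return "insecure"
    candidates = {ds_for(owner, key) for key in child_dnskeys}
    if candidates & set(parent_ds):
        # The chain of trust continues (RRSIG checks would follow here).
        return "linked"
    # A DS exists but no DNSKEY matches it: validation fails and a
    # validating resolver returns no address at all.
    return "bogus"

# Constructed sample data: a zone name and two 64-byte algorithm 13 keys.
OWNER = "zone.example"
CURRENT_KEY = dnskey_rdata(257, 13, bytes(range(64)))
OLD_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))

if __name__ == "__main__":
    print("DS for the parent zone:", ds_for(OWNER, CURRENT_KEY))
    print("no DS in parent   ->", delegation_state(OWNER, [], [CURRENT_KEY]))
    print("matching DS       ->",
          delegation_state(OWNER, [ds_for(OWNER, CURRENT_KEY)], [CURRENT_KEY]))
    print("stale DS, new key ->",
          delegation_state(OWNER, [ds_for(OWNER, OLD_KEY)], [CURRENT_KEY]))
```

The last case is the name server switch mentioned in the post: the old DS stays in the parent while the zone now publishes a different key.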
VITAS Posted November 5

Yes i've added the needed DS RR in my domain provider's panel but gotten an error from the info registry. i've opened a ticket on Sunday with my domain provider but he hasn't gotten back to me yet. i will call him today.

as you said i doubt this is suddenly a problem that should be taken so serious.

but i think the "chain of trust" error of firefox gives us the clue that it might be it.

JuergenAuer Posted November 5

> but i think the "chain of trust" error of firefox gives us the clue that it might be it.

No, exactly not, these are two completely different things.

Firefox can't validate the certificate or can't talk with the server. But FF has an ip of the domain name to do that step. If DNSSEC would be broken, FF would not get an IP address, so no connection would be possible.

1. Browser gets a domain name
2. Browser must find minimal one ip address
3. Browser connects the ip via TCP / not encrypted
4. Browser upgrades the connection to SSL
5. If SSL is established, Browser sends the first http GET command to that ip (GET /, Host spacedock.info)

If DNSSEC is broken, step 2 doesn't work. The FF error message says: 4 is the problem, so 2 is resolved. Compare it with the really broken http://dnssec-failed.org/ - http fails.

> Error: Secured connection failed An error occurred while connecting to spacedock.info.

That's a (4) - problem while upgrading the TCP-connection to SSL - "while connecting" is different from "Server failed while finding the ip address".

> nslookup dnssec-failed.org

with a validating name server -> Server failed. If your internet provider standard name server doesn't validate DNSSEC, you will never see such a message.

> nslookup spacedock.info

Result: Two ip addresses, so the browser goes to step (3).

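The step numbering from the post above turned into a probe that reports the first step that fails, as an added Python example (not from the thread). It tries only the first address returned by the lookup and uses the operating system resolver, which can differ from a browser's own DNS-over-HTTPS lookup; the function name `first_failing_step` is made up for this example.

```python
import socket
import ssl
import sys

def first_failing_step(host, port=443, timeout=5.0):
    """Return (step, detail) using the post's numbering:
    2 = name lookup, 3 = TCP connect, 4 = TLS upgrade, 0 = all three passed."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # A validating resolver that sees bogus DNSSEC data ends up here.
        return 2, f"lookup failed: {exc}"
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(addr)
        except OSError as exc:
            return 3, f"TCP connect to {addr[0]} failed: {exc}"
        # Default context: certificate chain and host name are verified.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return 0, f"{tls.version()} established with {addr[0]}"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return 4, f"TLS upgrade failed: {exc}"
    finally:
        sock.close()

if __name__ == "__main__":
    # Host names are taken from the command line; nothing is probed by default.
    for name in sys.argv[1:]:
        step, detail = first_failing_step(name)
        print(f"{name}: step {step}: {detail}")
```

A result of 4 means the lookup in step 2 already returned an address, which is the distinction the post draws between a TLS failure and broken DNSSEC.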
VITAS Posted November 5

i was unsure if the lookup does work. browsers have all sorts of things with dns they (can) do nowadays like dns over https. so the fact the os can lookup doesn't mean the browser can and is happy.

the result is one ipv4 and one ipv6. because ipv6 has higher priority the network stack will auto use that if ipv6 is available and only fall back to v4 if not or connection fails.

i will try to fix dnssec. it's a good idea anyways.

is there a way to get more debugging data than the error page we get?

i can say that the problem exists for all my domains that use the apache traffic server rev proxy spacedock uses. so either it IS the domain setup (because i did it based on templates i made for all of them), the dns server or the rev proxy.

In terms of versions for ATS (rev proxy) i'm a bit restricted because there's no distro i can run that has newer versions on offer as packets. but they are recent enough (at least they should).

so bottom line: we don't have any clue what the issue is and thus how to solve it (yet)