is it possible to manually decrypt a geli partition from the loader prompt, after calling geli_load to load the key? it has a password

gah

It's been a while since I rebooted my system, but doesn't the prompt come after the GELI passphrase+decryption stage?

i made a mistake in my loader.conf (specified the wrong device) and don't have an image available at the moment to boot from to fix it

so it doesn't attempt to automatically decrypt during boot and i reach the mountroot prompt, with the partition still encrypoted

i've also tried : load_geli $PARTITION_TO_ENCRYPT $KEYFILE_LOCATION_IN_LOADER_PARTITION , same result

i meant decrypt not encrypt

loads the key but no decryption once i attempt boot

it might be that the geli module is configured specifically in the loader.conf by the _type variable that specifies the parititon to encrypt

that's where i made my mistake in the conf

Does ser2net only work with USB devices that are for low speed serial (RS-232)? For example, can I use it to for USB soundcard?

Soundcard is just an example, I know there are better ways for that specific function

serial 2 net ?

yeah

yeah I wouldnt do that for a soundcard

RS232 maxes out as 115200kbits so slow as hell in our std but fast back in the early 90 80's

some industrial devices still use it though but not for playing sound

-.-

some things claim ~230kbps for rs232

not enough for hq PCM audio

Is there an alternative to ser2net that isn't speed limited like that?

again... audio was only an example. looking for something in general

_what are you doing_

Example Usecase: I want to plug a USB device in a Raspberry Pi and access that device from a virtualized FreeBSD instance on a diffrent machine

/ 134

RS232 is one of thing we invented but we dont want to use any more

... ha

the GEOM gate devices can be be used to share any device across the network, see: apropos ggate

owo

i'm out of ideas..ifound a CD and corrected my loader.conf, but geli is not trying to decrypt the device at boot. i have this working on several systems, same exact kernel, loader, geom_eli.ko, same exact loader.conf except the partition number etc, everything but the key and the contents of the partition are the same. not sure if there's a good way to proceed

might ask the forum or mailing list

it does load the key, but no output in the console regarding decrypting

hm, is something horked with geo.freebsd.org dns?

I can't acces and freebsd.org site, so something must be going on

Also haven't recived anything in the mailing lists

I smell a bad load balancer at HE

hm, maybe not

ah.

it's related to having the DO (dnssec OK) flag set in the query

querying ns[12345].he.net for _.geo.freebsd.org with dnssec enabled returns a truncated response regardless of how big an EDNS size was specified

and they don't answer to TCP fallback

Freebsd.org has been having dns issues since at least late last night. Seems worse today than last night, though (maybe some things were just cached last night, and have since expired).

are you having issues with freebsd.org itself, or just stuff under .geo.freebsd.org ?

Mainly the latter

hm, I'm also seeing quite slow responses and/or timeouts from ns*.he.net even without dnssec on

But git. fails too

git.freebsd.org -> gitmir.geo.freebsd.org

There you go

;-)

what I'm seeing is this: queries for freebsd.org zone are sometimes getting timeouts or slow responses, but otherwise get correct answers whether dnssec is on or not

but queries for geo.freebsd.org are getting proper referrals from he.net only when dnssec is off, and if it's on they get only truncated responses

I am getting a lot of timeouts. no matter what I use to resolve it (local DNS in a handfull of data centers across the world, or google, cloudflare, etc.)

Hopefully resolved soon... afk

File a PR?

Erhard: you can use github as a mirror if you need to

COol idea. KNow how to do that offhand before I search for it?

Like how would I get a git pull to work in /usr/src ?

Erhard, Are you thinking of fetching changes on top of existing clone|checkout?

Yes, would that be possible?

I could just make my own hosts entry or other dns entry of course.

that's actually a good idea seeing that I'm stuck on not being able to install packages (and my local poudriere build hasn't been updated since September)

if the github mirror is properly in sync, then just some stuff with git remote should work, no?

If I knew git that well...

That last RCS I actually knew was cvs

You could try changing "remote.freebsd.url" attribute

I do host my own DNS resolvers.... I wonder if I could get a copy of the zone records from somewhere and use that temporaroly

if you run a local resolver, you might be able to convince it not to use dnssec, temporarily

Not sure that helps here.

As djbdns didn't resolve it either. and it does not support dnssec

I have "dnssec-validation no;" in my resolver, it doesn't help

it's not validation that's the problem, just asking for dnssec breaks it

Current git configuration for "remote" in /usr/src for "stable/13": termbin.com/cffnr

Erhard: I guess your problem might differ from mine. what does drill -4 -b 8192 @ns3.he.net gitmir.geo.freebsd.org cname return for you?

er, s/cname/a

hmm, this seems to be returnign responses " drill @ns0.freebsd.org gitmir.geo.freebsd.org"

Hangs

and what about drill -4 -b 8192 @ns3.he.net git.freebsd.org cname

Oh, wait

Finally came back with results

"drill -4 -b 8192 @ns3.he.net git.freebsd.org cname" resturns a response

tuaris: so what? ns0.freebsd.org isn't a nameserver for freebsd.org

hmm? that's what it returns when I do "drill SOA freebsd.org"

tuaris: what's in the SOA means almost nothing. what matters are what the .org zone thinks the freebsd.org nameservers are

Though I think they are supposed to match by RFC, no?

tuaris: (which are ns[2345].he.net )

no, the "primary" name in the SOA is basically documentary

The guys over at #dns can tell you all the SHOULD vs. MUST stuff ;-)

<--- ran DNS servers for years for a commercial service

interesting... when I do a lookup directly at each of ns[1-5].he.net all return a response.

tuaris: add the -D option to drill

tuaris: (which sets the "dnssec OK" flag)

when I do that, the result is always an empty truncated one.

" drill -D @ns5.he.net pkg.freebsd.org" ... -> "Error: could not find any address for the name: `ns5.he.net'"

I get ns5.he.net. 55617 IN A 216.66.80.18 for ns5.he.net

Drill doesn't return anything here. Though host pkg.freebsd.org ns5.he.net works fine

what drill command exactly?

Drill without the -D returns that pkg is a CNAME for PKGMIR

drill -D @ns5.he.net pkg.freebsd.org

Returns ansers 0

answers

Without the -D returns the CNAME record

with -D you should see it warns about a truncated response

It does do that

that's the problem

what's more, specifying a larger response size with EDNS doesn't help

(truncation is supposed to trigger the resolver doing the query to try a larger buffer size or use TCP instead, and neither of those work in this case)

Created a forward zone for freebsd.org on my DNS resolver, that seems to be allowing stuff to resolve for now.

That was my result as well

forwarding to where?

to ns[1-5].he.net

example: bin.morante.net/?dcac6420459f8cd3#8…Bg6fSQs32RCrxkswBMEZJkxcmGmaJnAFjtf

looks like I got to setup a similiar forward for geo.freebsd.org

yeah. it's a hack but it seems to work well enough

ahhhhh

interesting

you actually should only need the geo.freebsd.org one

geo.freebsd.org is forwarding to 213.138.116.75 and 96.47.72.24 and at least I can install/updates pacakges now.

oh

cpet daemon agreed. I think I'll just give root access. it's not a cloud hosted thing anyway.

Yes.

DNS blackout in 2/3rd of the zone (or what I was told anyway).

I thought it was an issue on my side so I was trying to figure out with the pdns guys.

They looked at the zone and said 2/3rd of it is "blacked out", so 2/3 requests are likely to not resolve.

er, my bad...1/3, not 2/3.

I was originally seeing the issue with freshports.org, but I guess freebsd.org also has a similar issue?

Title: freshports.org | DNSViz

Title: freebsd.org | DNSViz

hi all

_xor: I have my doubts that it's the same issue, but both may be experiencing issues at the same time.

antranigv: it's kind of interesting, to me anyway, that Unix-like literature often treats uid 0 as being the highest privilege, as there's at least one higher.

And it's not a coincidence that it crops up a lot in infosec circles, because whoever has physical access is, by its very nature, at a higher privilege than someone logged in as root.

Forcing a console to drop to single-user mode with no networking pretty succinctly deals even with attackers who've gained root access.

That's also why it's almost impossible to overstate how important it is to keep physical access, OOB BMCs, and the like absolutely locked down as tight as possible.

I'm tempted to say that OOB BMCs should only be accessible through 802.1x accessible VLAN.

g'morning all

quick question, are git.freebsd & pkg.freebsd down?

*carefully backs away from keyboard & reaches for tea*

puretone: no, but there was (or still is) a issue with the dns

I can't get any response from pkg.freebsd git.freebsd & download.freebsd

can you resolve git.freebsd.org (host git.freebsd.org)?

negative

haven't beem able to since yesterday at some point

I've switched to pull from github.com for now... I can get to cgit.freebsd.org fine, but git.freebsd.org is totally unreachable. Ditto for pkg.freebsd.org & dowload.freebsd.org

More servers down/missing - from nslookup - ** server can't find distcache.FreeBSD.org: SERVFAIL

and pkg: pkg.freebsd.org/FreeBSD:13:amd64/latest/meta.txz: No address record

puretone: Both distcache.freebsd.org and pkg.freebsd.org resolve fine for me.

I can't for the life of me get to them

puretone: Maybe try switching to a different DNS server in /etc/resolv.conf?

tried from 7 different mahcines on different links

puretone: What does "drill @1.1.1.1 pkg.freebsd.org" say?

opcode: QUERY, rcode: SERVFAIL, id: 57057

I'm trying to enable IPv6 rtsol on bge0. bge0 is connected to a switch that has an OpenBSD router that delivers IPv6 addresses to Linux, Windows and Android clients. FreeBSD doesn't get its IPv6 address. `ifconfig bge0 inet6 accept_rtadv`; `service rtsold onestart` ; `rtsol bge0` ; *crickets*

(OpenBSD runs a rad(8) daemon, no fancy/weird DHCPv6)

moviuro, ping6 ff02::2%bge0

CrtxReavr: crickets, 100% packet loss

So it can't reach anything on your network listening on the all-routers multicast address.

L1 problem? Right VLAN?

right, but that doesn't sound like a requirement because every other machine on the network did get an address

yes, same VLAN/network as my own machine

So an L1 problem?

What does work?

Also. . .I'm not sure why you would run rtsol manually.

ifconfig_bg0_ipv6="inet6 accept_rtadv"

I'd add that to your rc.conf, then: sudo service netif restart && sudo service routing && restart

ek: interresting bit - drill @1.1.1.1 fails but @8.8.8.8 works

I wouldn't use either, but you do you.

CrtxReavr: hmmm the machine is now gone?.. no ping, no ssh :/

YOu didn't useThat second && shouldn't have been in what I typed.

'course. . .if you ran ``sudo service netif restart`` without `` && sudo service routing restart`` then that's on you.

I'll need to get the full explanation as to why there are so many footguns one day

"With great power, comes great responsibility."

yeah, well restarting the network daemon without also routing sounds really stupid :(

Don't blindly type shit that people supply on IRC. . . ask questions. . . read manpages.

I'm trying to help. . . but there are people that will try to sabotage you.

Do you understand what && does?

yes, that's not the issue

the issue is the netif && routing. That's a footgun

I do it all the time.

Are you *SURE* you undestand what && does?

'Course. . . I'm also assuming you have a valid network config in your /etc/rc.conf

🎶 when the route does not work cause an irc jerk, that's a footgun. 🎵

lol

well, hopefully you've got a way to reboot into the console on this host

Or have competant onsite hands.

Or can take a walk into the datacenter.

I have booked out my office, down a hall, around a corner, down another hall, up a flight of stairs, down another hallway, accross a lab to a table, with a KVM setup, all while saying "shit shit shit shit," plenty of times.

Sketchy PS/2 KVMs with questionable switching ability. . .

Don't miss those days.

although after having all my freetime in a weekened used to drive 6 hours one way to get a host to boot; i tend to do riskier things locally first, or autorevertable

Yeah - always careful, depending on the situation.

pkg.freebsd.org not resolving for anyone else?

pkg.freebsd.org. 300 IN CNAME pkgmir.geo.freebsd.org.

pkgmir.geo.freebsd.org. 300 IN A 147.28.184.43

pkgmir.geo.freebsd.org has address 204.15.11.66

Freebsd has been having dns issues for about 36 hours or so

pkgmir.geo.freebsd.org has address 147.28.184.43

pkgmir.geo.freebsd.org has address 213.138.116.73

pkgmir.geo.freebsd.org has IPv6 address 2604:1380:4091:a001::50:2

pkgmir.geo.freebsd.org mail is handled by 0 .

haven't seen any signs of that, Erhard

Scroll back here... Big discussion yesterday

I still can'

t resolve a lot

host pkg.freebsd.org 1.1.1.1

Host pkg.freebsd.org not found: 3(NXDOMAIN)

Even cloudflare still can't

is only freebsd domain the problem?

I think it was anything under geo.freebsd.org

Which pkg cnames to

Erhard: using 1.1.1.1 for that resolves to my own ip

does it for you? `host pkg.freebsd.org. 1.1.1.1`

let's see your resolv.conf

No. I get nxdomain from cloudflare's server

with the trailing period?

if you specify the server it doen't use resolv.conf

right. i know; but since cloudflare has multiple dns servers in different zones, it's probably not helping to figure out where the problem lies

I see. Well, no clue. It says using 1.1.1.1. So wherever that routes to for me I suppose

But I see it on Oracle cloud too

And Kamatera in Texas.

Could still be caching issues. Or somehow related to dnssec, was what somebody (I think RhodiumToad ) thought

So what was the exact issue from yesterday?

Some TTL?

Never got a straight answer

Most people could not resolve anything under geo.freebsd.org

Would TTL not only be a problem for servers with changing IP adresses?

I could not from 7 different physcial locations using as many unique nameservers.

TTL is ignored by some nameservers.

LIterally the he servers weren't responding correctly.

Lasting problems could certaily by caching. (ttl)

Not sure if it has been resolved. Mine still don't resolve, but I haven't cleared the cache.

Cloudflare is still not resolving, but I have heard they cache everything for 24 hours regardless (no clue if that is true)

have you queried agianst gns[1-2].freebsd.org ?

Seems like someone is on it... twitter.com/bkidney/status/1596952088176640000

Title: Brian Kidney (@bkidney⊙bn) on Twitter: "@ed_maste is there an issue with the FreeBSD DNS? I cannot resolve t.co/IJor4TRH4a, even if I use the Google server 8.8.8.8." / Twitter

Host pkg.freebsd.org not found: 5(REFUSED)

for gns

It's on their end. I will wait

put some hostfile lines in and call it a day

Yes, one option.

I'm in no hurry and don't want to do that on 11 servers.

And then have to remove it, etc.

no centeral management on those 11 servers?

Nope. too spread out and unique in other ways

Just not worth the fuss. Other things to do today

The trailing dot on NS queries is just a little added namespace syntax - should be quite moot for IPs.

pkg.freebsd.org is out-of-zone for the gns* servers, hence the REFUSED

So what's the status of the DNS issue(s) now?

those serve only .geo.freebsd.org queries, and pkg.freebsd.org is a cname to pkgmir.geo.freebsd.org

still broken by my tests, same way as last night

ns*.he.net are returning truncated results any time they are queried _with dnssec enabled_ for names that should result in a referral to gns*.freebsd.org

Hmm, I'd been having issues with freshports.org (yes, unrelated) for a while. Now I'm seeing the same with various subs on freebsd.org.

oh, and also ns*.he.net have been variably slow and/or timing out, which may be a separate problem

right now they're responding ok tho

Is there a discussion thread for this issue somewhere or is it mostly ad-hoc?

to see the problem, compare drill @ns2.he.net git.freebsd.org a with drill -D @ns2.he.net git.freebsd.org a

(the -D option sets the "dnssec OK" flag in the query)

ah

So is turning off dnssec on my side a stop-gap fix for this for the time being?

Well, dnssec for that domain I mean.

if it stops your resolver from setting the DO bit in the relevant queries, then it will help

(otherwise, not)

ahhhh

ok, so here's another wrinkle: the correct answer can be obtained when querying by TCP

but last night, that wasn't working (none of ns*.he.net would answer to TCP queries)

the ns*.he.net answer is 2071 bytes, so one might speculate that their nameserver is refusing to send responses of that size even when EDNS allows it

(add -t to those drill commands to see it)

so to correct my previous statement, the problem does seem to be fixed now

Yes, where not cached it seems to be working. Cool

the fact that it fails to resolve at all when tcp fallback isn't working is pretty sub-optimal, though

Sounds like the he servers are misconfigured. Or the firewall or some agressive anti-spoof or something

or they were under attack and were not mitigating it properly

YEah, amplification attack mitigation that blocked large replies, which was having side effects.

checking around, the reply size limit may be a normal setting; the failure is due to failing to allow TCP fallback

Better to structure things so the reply is smaller ;-)

I'm not a huge fan of the dnssec implementation. While signing is good for validation something still needs to be done about privacy

most of the reply is of course dnssec signatures

I figured, hence my statement there.

afk.

kk

hi nay