Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Gijs Hillenius]

Package: dirmngr
Version: 2.1.17-6
Followup-For: Bug #849845

Dear Maintainer,

For the record - this bug shows upstream is already aware of possible problems 
with IPv6 - on this IPv6 host, dirmngr is unable to find the default 
hkps.pool.sks-keyservers.net

pg2   --search-keys  somekeyhere
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available



with the debug log showing:


DBG: chan_6 <- KS_SEARCH -- somekeyhere_again
can't connect to 'hkps.pool.sks-keyservers.net': no IP address for host
error connecting to 'https://hkps.pool.sks-keyservers.net:443': Unknown host
dirmngr[29062.6] marking host 'hkps.pool.sks-keyservers.net' as dead
dirmngr[29062.6] host 'hkps.pool.sks-keyservers.net' marked as dead
dirmngr[29062.6] command 'KS_SEARCH' failed: No keyserver available


gpg-connect-agent --dirmngr 'keyserver --alive hkps.pool.sks-keyservers.net' 
/bye
S # marking 'hkps.pool.sks-keyservers.net' as alive
OK


with the debug log showing

DBG: chan_6 -> OK Dirmngr 2.1.17 at your service
dirmngr[29062.6] connection from process 15130 (1000:1000)
dirmngr[29062.6] DBG: chan_6 <- keyserver --alive hkps.pool.sks-keyservers.net
dirmngr[29062.6] DBG: chan_6 -> S # marking 'hkps.pool.sks-keyservers.net' as 
alive
dirmngr[29062.6] DBG: chan_6 -> OK

but then, again:

gpg2   --search-keys  samesomekeyhere 
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available




-- System Information:
Debian Release: 9.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dirmngr depends on:
ii  adduser3.115
ii  libassuan0 2.4.3-2
ii  libc6  2.24-9
ii  libgcrypt201.7.5-3
ii  libgnutls303.5.8-1
ii  libgpg-error0  1.26-2
ii  libksba8   1.3.5-2
ii  libldap-2.4-2  2.4.44+dfsg-3
ii  libnpth0   1.3-1
ii  lsb-base   9.20161125

Versions of packages dirmngr recommends:
ii  gnupg  2.1.17-6

Versions of packages dirmngr suggests:
ii  dbus-user-session  1.10.14-1
ii  pinentry-gnome31.0.0-1
pn  tor

-- no debconf information

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[shirish शिरीष]

at bottom :-

On 08/01/2017, intrigeri  wrote:
> shirish शिरीष:
>> ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197
>
>> gpg: keyserver receive failed: No keyserver available
>
>> Tried it multiple times but get the above failure.
>
> [...]
>
>> Any ideas what I need to do next ?
>
> Add a "debug-all" line in ~/.gnupg/dirmngr.conf, restart
> dirmngr.socket, try again and look at the logs (on my system they are
> in the systemd Journal).
>
> Cheers,
> --
> intrigeri
>

Umm.. there was no ~/.gnupg/dirmngr.conf hence had to make one

$ touch ~/.gnupg/dirmngr.conf

$ cd ~/.gnupg/

$ nano dirmngr.conf

and just added debug-all

┌─[shirish@debian] - [~/.gnupg] - [10017]
└─[$] cat dirmngr.conf

debug-all



Did the remaining bits.

And this is the result.

$ journalctl --since "1 hour ago"

While I have shared all the entries, the most pertinent might be -

Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> # Home:
/home/shirish/.gnupg
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> # Config:
/home/shirish/.gnupg/dirmngr.conf
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> OK Dirmngr 2.1.17
at your service
Jan 08 14:46:40 debian dirmngr[1203]: connection from process 1370 (1000:1000)
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 <- GETINFO version
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> D 2.1.17
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> OK
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 <- KEYSERVER --clear
hkp://pgp.mit.edu
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> OK
Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 <- KS_GET -- 0xDAD95197
Jan 08 14:46:40 debian dirmngr[1203]: DBG: dns: libdns initialized
Jan 08 14:46:50 debian dirmngr[1203]: DBG: dns:
getsrv(_hkp._tcp.pgp.mit.edu): Server indicated a failure
Jan 08 14:46:50 debian dirmngr[1203]: command 'KS_GET' failed: Server
indicated a failure 
Jan 08 14:46:50 debian dirmngr[1203]: DBG: chan_5 -> ERR 219 Server
indicated a failure 
Jan 08 14:46:50 debian dirmngr[1203]: DBG: chan_5 <- BYE
Jan 08 14:46:50 debian dirmngr[1203]: DBG: chan_5 -> OK closing connection
Jan 08 14:46:50 debian dirmngr[1203]: handler for fd 5 terminated

Please go through the attached logs and let me know if any
improvements can be made.

All any any advice would be useful.

-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Trying to enqueue job 
dirmngr.socket/restart/replace
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Installed new job 
dirmngr.service/restart as 219
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Installed new job 
dirmngr.socket/restart as 216
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Enqueued job 
dirmngr.socket/restart as 216
..
..
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Changed running -> 
stop-sigterm
Jan 08 14:46:21 debian dirmngr[7477]: SIGTERM received - shutting down ...
Jan 08 14:46:21 debian dirmngr[7477]: dirmngr (GnuPG) 2.1.17 stopped
...
...
Jan 08 14:46:21 debian systemd[1]: Got cgroup empty notification for: 
/user.slice/user-1000.slice/user@1000.service/dirmngr.service
Jan 08 14:46:21 debian systemd[2360]: Received SIGCHLD from PID 7477 (dirmngr).
Jan 08 14:46:21 debian systemd[2360]: Child 7477 (dirmngr) died (code=exited, 
status=0/SUCCESS)
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Child 7477 belongs to 
dirmngr.service
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Main process exited, 
code=exited, status=0/SUCCESS
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Changed stop-sigterm -> 
dead
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Job 
dirmngr.service/restart finished, result=done
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Converting job 
dirmngr.service/restart -> dirmngr.service/start
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: cgroup is empty
.
..
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Changed running -> dead
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Job 
dirmngr.socket/restart finished, result=done
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Converting job 
dirmngr.socket/restart -> dirmngr.socket/start
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Changed dead -> listening
Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Job dirmngr.socket/start 
finished, result=done
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Failed to set pids.max: 
No such file or directory
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Passing 1 fds to service
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: About to execute: 
/usr/bin/dirmngr --supervised
Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Forked /usr/bin/dirmngr 

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

shirish शिरीष:
> ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197

> gpg: keyserver receive failed: No keyserver available

> Tried it multiple times but get the above failure.

[...]

> Any ideas what I need to do next ?

Add a "debug-all" line in ~/.gnupg/dirmngr.conf, restart
dirmngr.socket, try again and look at the logs (on my system they are
in the systemd Journal).

Cheers,
-- 
intrigeri

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[shirish शिरीष]

at bottom :-

On 08/01/2017, intrigeri  wrote:
> shirish शिरीष:
>> in-line :-
>
>> On 07/01/2017, Daniel Kahn Gillmor  wrote:
>>> Have you restarted dirmngr since the upgrade?
>
>> how do I restart it ?
>
> systemctl --user restart dirmngr.socket
>
> :)
>

Did that and get the following -

─[$] systemctl --user restart dirmngr.socket

─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197

gpg: keyserver receive failed: No keyserver available

Tried it multiple times but get the above failure.

http://isup.me/pgp.mit.edu/ says it's up.

traceroute conks out at -

18  backbone-rtr-1-dmz-rtr-1.mit.edu (18.192.1.2)  292.026 ms  295.082
ms  291.067 ms
19  oc11-rtr-1-backbone-rtr-1.mit.edu (18.168.69.2)  300.451 ms
299.278 ms  306.400 ms
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Any ideas what I need to do next ?

-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

shirish शिरीष:
> in-line :-

> On 07/01/2017, Daniel Kahn Gillmor  wrote:
>> Have you restarted dirmngr since the upgrade?

> how do I restart it ?

systemctl --user restart dirmngr.socket 

:)

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[shirish शिरीष]

in-line :-

On 07/01/2017, Daniel Kahn Gillmor  wrote:
> On Fri 2017-01-06 17:49:04 -0500, shirish शिरीष wrote:
>> But issue is still continuing -
>>
>> ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197
>>
>> [4:22:18]
>> gpg: keyserver receive failed: No keyserver available
>>
>> I tried multiple times with various other keys but didn't succeed.
>
> Have you restarted dirmngr since the upgrade?

how do I restart it ?

dirmngr.service isn't even found :(

─[$] dpkg -L dirmngr | grep dirmngr.service
/usr/lib/systemd/user/dirmngr.service

─[$] ll -h /usr/lib/systemd/user/dirmngr.service

-rw-r--r-- 1 root root 250 2016-11-18 19:53
/usr/lib/systemd/user/dirmngr.service

and trying to see if it works got me nothing :(


[$] sudo systemctl status dirmngr.service

[sudo] password for shirish:
Unit dirmngr.service could not be found.


I did do a cat and saw this -

─[$] cat /usr/lib/systemd/user/dirmngr.service

[4:57:44]
[Unit]
Description=GnuPG network certificate management daemon
Documentation=man:dirmngr(8)
Requires=dirmngr.socket
After=dirmngr.socket
## This is a socket-activated service:
RefuseManualStart=true

[Service]
ExecStart=/usr/bin/dirmngr --supervised

Can you help ?


>are you using tor?  if
> you're using tor, have you removed all the ipv6 entries ?

I actually have this in grub for few years now

─[$] cat /etc/default/grub | grep ipv6

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

Maybe this goves a clue, dunno

> what does:
>
>gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
>
> show you?
>
>  --dkg
>
└─[$] gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye

gpg-connect-agent: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg-connect-agent: waiting for the dirmngr to come up ... (5s)
gpg-connect-agent: connection to the dirmngr established
S # hosttable (idx, ipv6, ipv4, dead, name, time):


Look forward to guidance.
-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Daniel Kahn Gillmor]

On Fri 2017-01-06 17:49:04 -0500, shirish शिरीष wrote:
> But issue is still continuing -
>
> ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197
>
> [4:22:18]
> gpg: keyserver receive failed: No keyserver available
>
> I tried multiple times with various other keys but didn't succeed.

Have you restarted dirmngr since the upgrade?  are you using tor?  if
you're using tor, have you removed all the ipv6 entries ?

what does:

   gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye

show you?

 --dkg

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[shirish शिरीष]

Hi all,

I was able to get the new version -

─[$] sudo aptitude install gnupg=2.1.17-3 dirmngr=2.1.17-3
gpgv=2.1.17-3 gnupg-agent=2.1.17-3 gpgsm=2.1.17-3 scdaemon=2.1.17-3 -y

Installed it perfectly

─[$] apt-cache policy gnupg

[4:19:09]
gnupg:
  Installed: 2.1.17-3
  Candidate: 2.1.17-3
  Version table:
 *** 2.1.17-3 100
  1 http://httpredir.debian.org/debian unstable/main amd64 Packages
100 /var/lib/dpkg/status
 2.1.17-2 600
600 http://httpredir.debian.org/debian stretch/main amd64 Packages

I did see the changelog entry

┌─[shirish@debian] - [/usr/share/doc/gnupg] - [10069]
└─[$] zless changelog.Debian.gz

gnupg2 (2.1.17-3) unstable; urgency=medium

  * more bugfixes from upstream (improving but not yet closing: #849845)

 -- Daniel Kahn Gillmor   Tue, 03 Jan 2017 15:39:52 
-0500

But issue is still continuing -

─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197

[4:22:18]
gpg: keyserver receive failed: No keyserver available

I tried multiple times with various other keys but didn't succeed.

So there's still work[TM] to be done .

-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Daniel Kahn Gillmor]

On Fri 2017-01-06 14:47:46 -0500, shirish शिरीष wrote:
> I can confirm Jaden's findings. Perhaps the content hasn't reached his
> mirror yet. It's same thing at my end. I just updated to see if the
> new version has come up at my end. (not even in sid/unstable)
>
> [$] apt-cache policy gpgv
>  [1:14:58]
> gpgv:
>   Installed: 2.1.17-2
>   Candidate: 2.1.17-2
>   Version table:
>  *** 2.1.17-2 600
> 600 http://httpredir.debian.org/debian stretch/main amd64 Packages
>   1 http://httpredir.debian.org/debian unstable/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> Timing is in IST. My last apt update run was about 5 minutes ago and I
> do know that the update mirrors are hit every 4 hours or more, so
> maybe in the next 4-8 hours the new binary might be available.

1 dkg@alice:~$ rmadison -a amd64 gpgv
gpgv   | 1.4.12-7+deb7u7 | oldstable   | amd64
gpgv   | 1.4.18-7+deb8u3 | stable  | amd64
gpgv   | 2.1.17-2| testing | amd64
gpgv   | 2.1.17-3| buildd-unstable | amd64
gpgv   | 2.1.17-3| unstable| amd64
0 dkg@alice:~$ 

I'm not sure what to make of this confusion, but it seems to be related
to the mirror network, not to the gnupg2 source package.  If it's still
a confusion or a problem for you in the next day, this might need to be
kicked over to the mirror network or the archive managers.

   --dkg

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[shirish शिरीष]

at bottom :-

On 07/01/2017, Daniel Kahn Gillmor  wrote:
> On Fri 2017-01-06 12:49:32 -0500, Jaden Peterson wrote:
>> I have no place in the topic of this bug, but I installed the patches
>> you provided on January 5th onto my Debian Testing system. I would like
>> to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater,
>> which is not provided, and results in mixed versions.
>
> I'm sorry, i don't understand!  2.1.17-3 was only released this morning
> (shortly before you sent this mail) and is still in unstable.  if you
> used only patches i pointed to, then you wouldn't have had 2.1.17-3
> anywhere.
>
> can you explain more about the state of your system?
>
> --dkg
>
> --
> To unsubscribe, send mail to 849845-unsubscr...@bugs.debian.org.
>

Dear Daniel,

I can confirm Jaden's findings. Perhaps the content hasn't reached his
mirror yet. It's same thing at my end. I just updated to see if the
new version has come up at my end. (not even in sid/unstable)

[$] apt-cache policy gpgv
 [1:14:58]
gpgv:
  Installed: 2.1.17-2
  Candidate: 2.1.17-2
  Version table:
 *** 2.1.17-2 600
600 http://httpredir.debian.org/debian stretch/main amd64 Packages
  1 http://httpredir.debian.org/debian unstable/main amd64 Packages
100 /var/lib/dpkg/status

Timing is in IST. My last apt update run was about 5 minutes ago and I
do know that the update mirrors are hit every 4 hours or more, so
maybe in the next 4-8 hours the new binary might be available.

-- 
  Regards,
  Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Daniel Kahn Gillmor]

On Fri 2017-01-06 12:49:32 -0500, Jaden Peterson wrote:
> I have no place in the topic of this bug, but I installed the patches 
> you provided on January 5th onto my Debian Testing system. I would like 
> to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater, 
> which is not provided, and results in mixed versions.

I'm sorry, i don't understand!  2.1.17-3 was only released this morning
(shortly before you sent this mail) and is still in unstable.  if you
used only patches i pointed to, then you wouldn't have had 2.1.17-3
anywhere.

can you explain more about the state of your system?

--dkg

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Jaden Peterson]

On Thu, 05 Jan 2017 16:56:40 -0500 Daniel Kahn Gillmor 
 wrote:

> Control: fowarded 849845 https://bugs.gnupg.org/gnupg/issue2902
>
> On Thu 2017-01-05 08:15:06 -0500, intrigeri wrote:
> > Daniel Kahn Gillmor:
> >> The remaining problem for me ws that when i use tor, if i get 
back 
> >> records, the connections fail, but the IPv6 records are not 
marked as

> >> dead, so they fail repeatedly.
> >
> > Same here, with a package built from commit
> > 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by 
the

> > way fixes the other problem I've reported here :)
>
> thanks for the reportback!  I've reported the remaining issue 
upstream

> (see the url above).  I'll do an upload to unstable with the
> intermediate fix later today, unless i can sort out a fix for the 
whole

> issue first.
>
>  --dkg

Hi,

I have no place in the topic of this bug, but I installed the patches 
you provided on January 5th onto my Debian Testing system. I would like 
to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater, 
which is not provided, and results in mixed versions.

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Daniel Kahn Gillmor]

Control: fowarded 849845 https://bugs.gnupg.org/gnupg/issue2902

On Thu 2017-01-05 08:15:06 -0500, intrigeri wrote:
> Daniel Kahn Gillmor:
>> The remaining problem for me ws that when i use tor, if i get back 
>> records, the connections fail, but the IPv6 records are not marked as
>> dead, so they fail repeatedly.
>
> Same here, with a package built from commit
> 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the
> way fixes the other problem I've reported here :)

thanks for the reportback!  I've reported the remaining issue upstream
(see the url above).  I'll do an upload to unstable with the
intermediate fix later today, unless i can sort out a fix for the whole
issue first.

 --dkg


signature.asc
Description: PGP signature

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

Hi,

Daniel Kahn Gillmor:
> The remaining problem for me ws that when i use tor, if i get back 
> records, the connections fail, but the IPv6 records are not marked as
> dead, so they fail repeatedly.

Same here, with a package built from commit
32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the
way fixes the other problem I've reported here :)

Cheers,
-- 
intrigeri

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Daniel Kahn Gillmor]

On Wed 2017-01-04 09:27:16 -0500, intrigeri wrote:
> Daniel Kahn Gillmor:
>> I've been able to replicate the problems described by intrigeri in
>> https://bugs.debian.org/849845; i'm preparing an update to gpg with
>> cherry-picked patches that resolves most of them for me.
>
> I'd be happy to test these changes before you upload. If you wish,
> push them to the packaging Vcs-Git (in a dedicated branch if you
> prefer) and I'll build & try it :)

Thanks, intrigeri!  I've pushed 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e
to Vcs-Git master branch.  Please let me know how it goes for you.

   --dkg


signature.asc
Description: PGP signature

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

Daniel Kahn Gillmor:
> I've been able to replicate the problems described by intrigeri in
> https://bugs.debian.org/849845; i'm preparing an update to gpg with
> cherry-picked patches that resolves most of them for me.

I'd be happy to test these changes before you upload. If you wish,
push them to the packaging Vcs-Git (in a dedicated branch if you
prefer) and I'll build & try it :)

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Daniel Kahn Gillmor]

Control: severity 849845 grave

Hi all--

I've been able to replicate the problems described by intrigeri in
https://bugs.debian.org/849845; i'm preparing an update to gpg with
cherry-picked patches that resolves most of them for me.  This issue is
bad enough that it basically makes dirmngr unusable, afaict.

The remaining problem for me ws that when i use tor, if i get back 
records, the connections fail, but the IPv6 records are not marked as
dead, so they fail repeatedly.

here's an example:


Jan 03 15:48:37 alice dirmngr[11194]: DBG: chan_5 <- KS_GET -- 
0x4FA73DE89ADE75998AC24E97B8C1D523FE7AAA84
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2a02:898:31:0:48:4558:73:6b73]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2a00:14b0:4200:3000:27::27]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2606:1c00:2802::b]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:738:0:600:216:3eff:fe02:42]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:720:418:caf1::8]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:610:1108:5011::70]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '216.66.15.2'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '212.12.48.27'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '193.224.163.43'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '192.94.109.73'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '131.155.141.70'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '130.206.1.8'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '94.142.242.225'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '51.15.53.138'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '37.191.238.78'
Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 
'hkps.pool.sks-keyservers.net': '18.9.60.141'
Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L3: ASSERT: 
mpi.c[_gnutls_x509_read_uint]:246
Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: 
Allocating epoch #0
Jan 03 15:48:42 alice dirmngr[11194]: can't connect to 
'2a02:898:31:0:48:4558:73:6b73': Invalid argument
Jan 03 15:48:42 alice dirmngr[11194]: error connecting to 
'https://[2a02:898:31:0:48:4558:73:6b73]:443': Invalid argument
Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: 
Start of epoch cleanup
Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: End 
of epoch cleanup
Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: 
Epoch #0 freed
Jan 03 15:48:42 alice dirmngr[11194]: command 'KS_GET' failed: Invalid argument
Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 -> ERR 167804976 Invalid 
argument 
Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 <- BYE
Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 -> OK closing connection
Jan 03 15:48:42 alice dirmngr[11194]: handler for fd 5 terminated
Jan 03 15:49:11 alice dirmngr[11194]: handler for fd 5 started
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> # Home: /home/dkg/.gnupg
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> # Config: 
/home/dkg/.gnupg/dirmngr.conf
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> OK Dirmngr 2.1.17 at your 
service
Jan 03 15:49:11 alice dirmngr[11194]: connection from process 11200 (1000:1000)
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 <- GETINFO version
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> D 2.1.17
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> OK
Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 <- KS_GET -- 
0x4FA73DE89ADE75998AC24E97B8C1D523FE7AAA84
Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L3: ASSERT: 
mpi.c[_gnutls_x509_read_uint]:246
Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d2400c090]: 
Allocating epoch #0
Jan 03 15:49:11 alice dirmngr[11194]: can't connect to 
'2a02:898:31:0:48:4558:73:6b73': Invalid argument
Jan 03 15:49:11 alice dirmngr[11194]: error connecting to 
'https://[2a02:898:31:0:48:4558:73:6b73]:443': Invalid argument
Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d2400c090]: 
Start of epoch cleanup
Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: 

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

Hi,

Werner Koch:
> On Mon,  2 Jan 2017 13:46, intrig...@debian.org said:
>> ... which is expected if querying 127.0.0.1, that doesn't support
>> SRV records.

> The question is whether we should gracefully handle this failure and
> return 0 records found (as done < 2.1.17)?

I lack the background that would allow me to have any informed opinion
on this topic. Today I'm merely a user whose GnuPG got broken by an
upgrade :)

>>   Jan 02 13:37:57 dirmngr[8281]: DBG: dns: 
>> resolve_dns_name(hkps.pool.sks-keyservers.net): Success
>>   Jan 02 13:37:57 dirmngr[8281]: can't connect to 
>> 'hkps.pool.sks-keyservers.net': no IP address for host

> I can't replicate this [...]

Ouch. I see this consistently after I've seen the previous
(SRV) failure.

> What options do you have in your dirmngr.conf ?

I only have:

  debug-all
  use-tor

Cheers,
-- 
intrigeri

Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Werner Koch]

On Mon,  2 Jan 2017 13:46, intrig...@debian.org said:

> ... which is expected if querying 127.0.0.1, that doesn't support
> SRV records.

The question is whether we should gracefully handle this failure and
return 0 records found (as done < 2.1.17)?

>   Jan 02 13:37:57 dirmngr[8281]: DBG: dns: 
> resolve_dns_name(hkps.pool.sks-keyservers.net): Success
>   Jan 02 13:37:57 dirmngr[8281]: can't connect to 
> 'hkps.pool.sks-keyservers.net': no IP address for host

I can't replicate this neither when running dirmnagr as

  dirmngr --options /dev/null --debug ipc,dns -v \
  --log-file socket:// --daemon

nor when bypassing the new libdns:

  dirmngr --options /dev/null --debug ipc,dns -v \
  --log-file socket:// --daemon --standard-resolver

What options do you have in your dirmngr.conf ?


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgp__tobb90N5.pgp
Description: PGP signature

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

Hi Werner!

Werner Koch:
> The attached patch fixes this problem.  

Thanks for caring! I've tried rebuilding the package currently in sid
with this patch applied, but it doesn't seem to be enough.

The first --recv-keys triggers:

  Jan 02 13:36:33 dirmngr[8281]: DBG: dns: 
getsrv(_hkp._tcp.hkps.pool.sks-keyservers.net): Server indicated a failure
  Jan 02 13:36:33 dirmngr[8281]: command 'KS_GET' failed: Server indicated a 
failure 
  Jan 02 13:36:33 dirmngr[8281]: DBG: chan_5 -> ERR 219 Server indicated a 
failure 

... which is expected if querying 127.0.0.1, that doesn't support
SRV records.

And the next attempts, after manually telling dirmngr that my
keyserver is alive:

  Jan 02 13:37:56 dirmngr[8281]: connection from process 8506 (1002:1002)
  Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- GETINFO version
  Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> D 2.1.17
  Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> OK
  Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- KEYSERVER --clear 
hkps://hkps.pool.sks-keyservers.net
  Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> OK
  Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- KS_GET -- 
0x7C84A74CFB12BC439E81BA78C92949B8A63BB098
  Jan 02 13:37:57 dirmngr[8281]: DBG: dns: 
resolve_dns_name(hkps.pool.sks-keyservers.net): Success
  Jan 02 13:37:57 dirmngr[8281]: can't connect to 
'hkps.pool.sks-keyservers.net': no IP address for host
  Jan 02 13:37:57 dirmngr[8281]: error connecting to 
'https://hkps.pool.sks-keyservers.net:443': Unknown host
  Jan 02 13:37:57 dirmngr[8281]: marking host 'hkps.pool.sks-keyservers.net' as 
dead


strace still seems to indicate that resolv.conf is read, and then
127.0.0.1 is queried.

Cheers,
-- 
intrigeri

Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[Werner Koch]

Hi!

The attached patch fixes this problem.  


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
From b200e636ab20d2aa93d9f71f3789db5a04af0a56 Mon Sep 17 00:00:00 2001
From: Werner Koch 
Date: Mon, 2 Jan 2017 10:00:33 +0100
Subject: [PATCH] dirmngr: Strip root zone suffix from libdns cname results.

* dirmngr/dns-stuff.c (resolve_name_libdns): Strip trailing dot.
(get_dns_cname_libdns): Ditto.
--

Signed-off-by: Werner Koch 
---
 dirmngr/dns-stuff.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index a31b073..f2e1df9 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -732,6 +732,10 @@ resolve_name_libdns (const char *name, unsigned short port,
   err = gpg_error_from_syserror ();
   goto leave;
 }
+  /* Libdns appends the root zone part which is problematic
+   * for most other functions - strip it.  */
+  if (**r_canonname && (*r_canonname)[strlen (*r_canonname)-1] == '.')
+(*r_canonname)[strlen (*r_canonname)-1] = 0;
 }
 
   dai = xtrymalloc (sizeof *dai + ent->ai_addrlen -1);
@@ -1899,6 +1903,13 @@ get_dns_cname_libdns (const char *name, char **r_cname)
   *r_cname = xtrystrdup (cname.host);
   if (!*r_cname)
 err = gpg_error_from_syserror ();
+  else
+{
+  /* Libdns appends the root zone part which is problematic
+   * for most other functions - strip it.  */
+  if (**r_cname && (*r_cname)[strlen (*r_cname)-1] == '.')
+(*r_cname)[strlen (*r_cname)-1] = 0;
+}
 
  leave:
   dns_free (ans);
-- 
2.8.1



pgp9mvglUVpLn.pgp
Description: PGP signature

Bug#849845: dirmngr: Can't resolve keyserver hostname anymore

[intrigeri]

Package: dirmngr
Version: 2.1.17-2
Severity: important

Hi!

since the upgrade to 2.1.17 (not sure if it's in -1 or -2), my dirmngr
is unusable. Any network operation triggers:

  can't connect to 'hkps.pool.sks-keyservers.net': no IP address for host

... almost immediately, i.e. resolver-timeout seems to be ignored.

I've tried multiple combinations of the following settings in
dirmngr.conf:

 * disabling "use-tor"
 * enabling "standard-resolver"
 * pointing "nameserver" to 127.0.0.1 (my Tor DNSPort, that only
   listens on UDP 127.0.0.1:53)
 * pointing "nameserver" to 8.8.8.8 (which should be the default
   given I have "use-tor" enabled, but well)
 * raising the value of "resolver-timeout"

… but none of them helped.

Downgrading to 2.1.16-3 fixes this problem.

The only weird thing about my system that I can think of is that my
/etc/resolv.conf points to 127.0.0.1 (where I have Tor's DNSPort
listening, that only handles A, , and PTR requests). In theory
this should not matter since with use-tor, DNS queries are done over
Tor to 8.8.8.8, if I got the manpage right. However, my limited strace
skills allow me to notice that dirmngr reads /etc/resolv.conf and then
connects to 127.0.0.1 and not to 8.8.8.8 (even if I explicitly set
"nameserver 8.8.8.8" in dirmngr.conf):

  23694 10:51:07.455096 socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 
IPPROTO_IP) = 6 <0.15>
  23694 10:51:07.455145 bind(6, {sa_family=AF_INET, sin_port=htons(53891), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0 <0.07>
  23694 10:51:07.455196 connect(6, {sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.09>
  23694 10:51:07.455218 sendto(6, 
"\250\302\1\0\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 46, 0, NULL, 0) = 46 
<0.39>
   | 0  a8 c2 01 00 00 01 00 00  00 00 00 00 04 68 6b 70  .hkp |
   | 00010  73 04 70 6f 6f 6c 0e 73  6b 73 2d 6b 65 79 73 65  s.pool.sks-keyse |
   | 00020  72 76 65 72 73 03 6e 65  74 00 00 01 00 01rvers.net.   |
  23694 10:51:07.455298 recvfrom(6, 0x7fda90009d4c, 768, 0, NULL, NULL) = -1 
EAGAIN (Resource temporarily unavailable) <0.04>
  23694 10:51:07.455318 select(7, [6], [], NULL, {tv_sec=1, tv_usec=0}) = 1 (in 
[6], left {tv_sec=0, tv_usec=922029}) <0.077993>
  23694 10:51:07.533390 recvfrom(6, 
"\250\302\201\200\0\1\0\1\0\0\0\0\4hkps\4pool\16sks-keyse"..., 768, 0, NULL, 
NULL) = 62 <0.32>
   | 0  a8 c2 81 80 00 01 00 01  00 00 00 00 04 68 6b 70  .hkp |
   | 00010  73 04 70 6f 6f 6c 0e 73  6b 73 2d 6b 65 79 73 65  s.pool.sks-keyse |
   | 00020  72 76 65 72 73 03 6e 65  74 00 00 01 00 01 c0 0c  rvers.net... |
   | 00030  00 01 00 01 00 00 00 3c  00 04 d1 87 d3 8d...<..   |
  23694 10:51:07.533551 connect(6, {sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.41>
  23694 10:51:07.533627 sendto(6, 
"\3601\1\0\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 46, 0, NULL, 0) = 46 
<0.46>
   | 0  f0 31 01 00 00 01 00 00  00 00 00 00 04 68 6b 70  .1...hkp |
   | 00010  73 04 70 6f 6f 6c 0e 73  6b 73 2d 6b 65 79 73 65  s.pool.sks-keyse |
   | 00020  72 76 65 72 73 03 6e 65  74 00 00 1c 00 01rvers.net.   |
  23694 10:51:07.533720 recvfrom(6, 0x7fda9000a10c, 768, 0, NULL, NULL) = -1 
EAGAIN (Resource temporarily unavailable) <0.10>
  23694 10:51:07.533763 select(7, [6], [], NULL, {tv_sec=1, tv_usec=0}) = 1 (in 
[6], left {tv_sec=0, tv_usec=921164}) <0.078863>
  23694 10:51:07.612705 recvfrom(6, 
"\3601\201\203\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 768, 0, NULL, NULL) 
= 46 <0.22>
   | 0  f0 31 81 83 00 01 00 00  00 00 00 00 04 68 6b 70  .1...hkp |
   | 00010  73 04 70 6f 6f 6c 0e 73  6b 73 2d 6b 65 79 73 65  s.pool.sks-keyse |
   | 00020  72 76 65 72 73 03 6e 65  74 00 00 1c 00 01rvers.net.   |
  23694 10:51:07.612832 connect(6, {sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.14>
  23694 10:51:07.612894 sendto(6, 
"\224J\1\0\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 47, 0, NULL, 0) = 47 
<0.49>
   | 0  94 4a 01 00 00 01 00 00  00 00 00 00 04 68 6b 70  .J...hkp |
   | 00010  73 04 70 6f 6f 6c 0e 73  6b 73 2d 6b 65 79 73 65  s.pool.sks-keyse |
   | 00020  72 76 65 72 73 03 6e 65  74 00 00 00 1c 00 01 rvers.net..  |
  23694 10:51:07.612999 recvfrom(6, 
"\224J\201\204\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 768, 0, NULL, NULL) 
= 46 <0.23>
   | 0  94 4a 81 84 00 01 00 00  00 00 00 00 04 68 6b 70  .J...hkp |
   | 00010  73 04 70 6f 6f 6c 0e 73  6b 73 2d 6b 65 79 73 65  s.pool.sks-keyse |
   | 00020  72 76 65 72 73 03 6e 65  74 00 00 00 1c 00rvers.net.   |
  23694 10:51:07.613070 close(6)  = 0 <0.17>
  23694 10:51:07.613113 write(2, "can't connect to 'hkps.pool.sks-"..., 71) = 
71 <0.18>
  23694 10:51:07.613149 write(2, "\n", 1) = 1 <0.11>
  23694 10:51:07.613198 write(2,