Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Package: dirmngr Version: 2.1.17-6 Followup-For: Bug #849845 Dear Maintainer, For the record - this bug shows upstream is already aware of possible problems with IPv6 - on this IPv6 host, dirmngr is unable to find the default hkps.pool.sks-keyservers.net pg2 --search-keys somekeyhere gpg: no keyserver known (use option --keyserver) gpg: keyserver search failed: No keyserver available with the debug log showing: DBG: chan_6 <- KS_SEARCH -- somekeyhere_again can't connect to 'hkps.pool.sks-keyservers.net': no IP address for host error connecting to 'https://hkps.pool.sks-keyservers.net:443': Unknown host dirmngr[29062.6] marking host 'hkps.pool.sks-keyservers.net' as dead dirmngr[29062.6] host 'hkps.pool.sks-keyservers.net' marked as dead dirmngr[29062.6] command 'KS_SEARCH' failed: No keyserver available gpg-connect-agent --dirmngr 'keyserver --alive hkps.pool.sks-keyservers.net' /bye S # marking 'hkps.pool.sks-keyservers.net' as alive OK with the debug log showing DBG: chan_6 -> OK Dirmngr 2.1.17 at your service dirmngr[29062.6] connection from process 15130 (1000:1000) dirmngr[29062.6] DBG: chan_6 <- keyserver --alive hkps.pool.sks-keyservers.net dirmngr[29062.6] DBG: chan_6 -> S # marking 'hkps.pool.sks-keyservers.net' as alive dirmngr[29062.6] DBG: chan_6 -> OK but then, again: gpg2 --search-keys samesomekeyhere gpg: no keyserver known (use option --keyserver) gpg: keyserver search failed: No keyserver available -- System Information: Debian Release: 9.0 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages dirmngr depends on: ii adduser3.115 ii libassuan0 2.4.3-2 ii libc6 2.24-9 ii libgcrypt201.7.5-3 ii libgnutls303.5.8-1 ii libgpg-error0 1.26-2 ii libksba8 1.3.5-2 ii libldap-2.4-2 2.4.44+dfsg-3 ii libnpth0 1.3-1 ii lsb-base 9.20161125 Versions of packages dirmngr recommends: ii gnupg 2.1.17-6 Versions of packages dirmngr suggests: ii dbus-user-session 1.10.14-1 ii pinentry-gnome31.0.0-1 pn tor -- no debconf information
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
at bottom :- On 08/01/2017, intrigeriwrote: > shirish शिरीष: >> ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197 > >> gpg: keyserver receive failed: No keyserver available > >> Tried it multiple times but get the above failure. > > [...] > >> Any ideas what I need to do next ? > > Add a "debug-all" line in ~/.gnupg/dirmngr.conf, restart > dirmngr.socket, try again and look at the logs (on my system they are > in the systemd Journal). > > Cheers, > -- > intrigeri > Umm.. there was no ~/.gnupg/dirmngr.conf hence had to make one $ touch ~/.gnupg/dirmngr.conf $ cd ~/.gnupg/ $ nano dirmngr.conf and just added debug-all ┌─[shirish@debian] - [~/.gnupg] - [10017] └─[$] cat dirmngr.conf debug-all Did the remaining bits. And this is the result. $ journalctl --since "1 hour ago" While I have shared all the entries, the most pertinent might be - Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> # Home: /home/shirish/.gnupg Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> # Config: /home/shirish/.gnupg/dirmngr.conf Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> OK Dirmngr 2.1.17 at your service Jan 08 14:46:40 debian dirmngr[1203]: connection from process 1370 (1000:1000) Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 <- GETINFO version Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> D 2.1.17 Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> OK Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 <- KEYSERVER --clear hkp://pgp.mit.edu Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 -> OK Jan 08 14:46:40 debian dirmngr[1203]: DBG: chan_5 <- KS_GET -- 0xDAD95197 Jan 08 14:46:40 debian dirmngr[1203]: DBG: dns: libdns initialized Jan 08 14:46:50 debian dirmngr[1203]: DBG: dns: getsrv(_hkp._tcp.pgp.mit.edu): Server indicated a failure Jan 08 14:46:50 debian dirmngr[1203]: command 'KS_GET' failed: Server indicated a failure Jan 08 14:46:50 debian dirmngr[1203]: DBG: chan_5 -> ERR 219 Server indicated a failure Jan 08 14:46:50 debian dirmngr[1203]: DBG: chan_5 <- BYE Jan 08 14:46:50 debian dirmngr[1203]: DBG: chan_5 -> OK closing connection Jan 08 14:46:50 debian dirmngr[1203]: handler for fd 5 terminated Please go through the attached logs and let me know if any improvements can be made. All any any advice would be useful. -- Regards, Shirish Agarwal शिरीष अग्रवाल My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8 Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Trying to enqueue job dirmngr.socket/restart/replace Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Installed new job dirmngr.service/restart as 219 Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Installed new job dirmngr.socket/restart as 216 Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Enqueued job dirmngr.socket/restart as 216 .. .. Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Changed running -> stop-sigterm Jan 08 14:46:21 debian dirmngr[7477]: SIGTERM received - shutting down ... Jan 08 14:46:21 debian dirmngr[7477]: dirmngr (GnuPG) 2.1.17 stopped ... ... Jan 08 14:46:21 debian systemd[1]: Got cgroup empty notification for: /user.slice/user-1000.slice/user@1000.service/dirmngr.service Jan 08 14:46:21 debian systemd[2360]: Received SIGCHLD from PID 7477 (dirmngr). Jan 08 14:46:21 debian systemd[2360]: Child 7477 (dirmngr) died (code=exited, status=0/SUCCESS) Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Child 7477 belongs to dirmngr.service Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Main process exited, code=exited, status=0/SUCCESS Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Changed stop-sigterm -> dead Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Job dirmngr.service/restart finished, result=done Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Converting job dirmngr.service/restart -> dirmngr.service/start Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: cgroup is empty . .. Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Changed running -> dead Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Job dirmngr.socket/restart finished, result=done Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Converting job dirmngr.socket/restart -> dirmngr.socket/start Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Changed dead -> listening Jan 08 14:46:21 debian systemd[2360]: dirmngr.socket: Job dirmngr.socket/start finished, result=done Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Failed to set pids.max: No such file or directory Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Passing 1 fds to service Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: About to execute: /usr/bin/dirmngr --supervised Jan 08 14:46:21 debian systemd[2360]: dirmngr.service: Forked /usr/bin/dirmngr
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
shirish शिरीष: > ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197 > gpg: keyserver receive failed: No keyserver available > Tried it multiple times but get the above failure. [...] > Any ideas what I need to do next ? Add a "debug-all" line in ~/.gnupg/dirmngr.conf, restart dirmngr.socket, try again and look at the logs (on my system they are in the systemd Journal). Cheers, -- intrigeri
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
at bottom :- On 08/01/2017, intrigeriwrote: > shirish शिरीष: >> in-line :- > >> On 07/01/2017, Daniel Kahn Gillmor wrote: >>> Have you restarted dirmngr since the upgrade? > >> how do I restart it ? > > systemctl --user restart dirmngr.socket > > :) > Did that and get the following - ─[$] systemctl --user restart dirmngr.socket ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197 gpg: keyserver receive failed: No keyserver available Tried it multiple times but get the above failure. http://isup.me/pgp.mit.edu/ says it's up. traceroute conks out at - 18 backbone-rtr-1-dmz-rtr-1.mit.edu (18.192.1.2) 292.026 ms 295.082 ms 291.067 ms 19 oc11-rtr-1-backbone-rtr-1.mit.edu (18.168.69.2) 300.451 ms 299.278 ms 306.400 ms 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * * Any ideas what I need to do next ? -- Regards, Shirish Agarwal शिरीष अग्रवाल My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
shirish शिरीष: > in-line :- > On 07/01/2017, Daniel Kahn Gillmorwrote: >> Have you restarted dirmngr since the upgrade? > how do I restart it ? systemctl --user restart dirmngr.socket :)
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
in-line :- On 07/01/2017, Daniel Kahn Gillmorwrote: > On Fri 2017-01-06 17:49:04 -0500, shirish शिरीष wrote: >> But issue is still continuing - >> >> ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197 >> >> [4:22:18] >> gpg: keyserver receive failed: No keyserver available >> >> I tried multiple times with various other keys but didn't succeed. > > Have you restarted dirmngr since the upgrade? how do I restart it ? dirmngr.service isn't even found :( ─[$] dpkg -L dirmngr | grep dirmngr.service /usr/lib/systemd/user/dirmngr.service ─[$] ll -h /usr/lib/systemd/user/dirmngr.service -rw-r--r-- 1 root root 250 2016-11-18 19:53 /usr/lib/systemd/user/dirmngr.service and trying to see if it works got me nothing :( [$] sudo systemctl status dirmngr.service [sudo] password for shirish: Unit dirmngr.service could not be found. I did do a cat and saw this - ─[$] cat /usr/lib/systemd/user/dirmngr.service [4:57:44] [Unit] Description=GnuPG network certificate management daemon Documentation=man:dirmngr(8) Requires=dirmngr.socket After=dirmngr.socket ## This is a socket-activated service: RefuseManualStart=true [Service] ExecStart=/usr/bin/dirmngr --supervised Can you help ? >are you using tor? if > you're using tor, have you removed all the ipv6 entries ? I actually have this in grub for few years now ─[$] cat /etc/default/grub | grep ipv6 GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1" Maybe this goves a clue, dunno > what does: > >gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye > > show you? > > --dkg > └─[$] gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye gpg-connect-agent: no running Dirmngr - starting '/usr/bin/dirmngr' gpg-connect-agent: waiting for the dirmngr to come up ... (5s) gpg-connect-agent: connection to the dirmngr established S # hosttable (idx, ipv6, ipv4, dead, name, time): Look forward to guidance. -- Regards, Shirish Agarwal शिरीष अग्रवाल My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Fri 2017-01-06 17:49:04 -0500, shirish शिरीष wrote: > But issue is still continuing - > > ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197 > > [4:22:18] > gpg: keyserver receive failed: No keyserver available > > I tried multiple times with various other keys but didn't succeed. Have you restarted dirmngr since the upgrade? are you using tor? if you're using tor, have you removed all the ipv6 entries ? what does: gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye show you? --dkg
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi all, I was able to get the new version - ─[$] sudo aptitude install gnupg=2.1.17-3 dirmngr=2.1.17-3 gpgv=2.1.17-3 gnupg-agent=2.1.17-3 gpgsm=2.1.17-3 scdaemon=2.1.17-3 -y Installed it perfectly ─[$] apt-cache policy gnupg [4:19:09] gnupg: Installed: 2.1.17-3 Candidate: 2.1.17-3 Version table: *** 2.1.17-3 100 1 http://httpredir.debian.org/debian unstable/main amd64 Packages 100 /var/lib/dpkg/status 2.1.17-2 600 600 http://httpredir.debian.org/debian stretch/main amd64 Packages I did see the changelog entry ┌─[shirish@debian] - [/usr/share/doc/gnupg] - [10069] └─[$] zless changelog.Debian.gz gnupg2 (2.1.17-3) unstable; urgency=medium * more bugfixes from upstream (improving but not yet closing: #849845) -- Daniel Kahn GillmorTue, 03 Jan 2017 15:39:52 -0500 But issue is still continuing - ─[$] gpg --keyserver pgp.mit.edu --recv-keys DAD95197 [4:22:18] gpg: keyserver receive failed: No keyserver available I tried multiple times with various other keys but didn't succeed. So there's still work[TM] to be done . -- Regards, Shirish Agarwal शिरीष अग्रवाल My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Fri 2017-01-06 14:47:46 -0500, shirish शिरीष wrote: > I can confirm Jaden's findings. Perhaps the content hasn't reached his > mirror yet. It's same thing at my end. I just updated to see if the > new version has come up at my end. (not even in sid/unstable) > > [$] apt-cache policy gpgv > [1:14:58] > gpgv: > Installed: 2.1.17-2 > Candidate: 2.1.17-2 > Version table: > *** 2.1.17-2 600 > 600 http://httpredir.debian.org/debian stretch/main amd64 Packages > 1 http://httpredir.debian.org/debian unstable/main amd64 Packages > 100 /var/lib/dpkg/status > > Timing is in IST. My last apt update run was about 5 minutes ago and I > do know that the update mirrors are hit every 4 hours or more, so > maybe in the next 4-8 hours the new binary might be available. 1 dkg@alice:~$ rmadison -a amd64 gpgv gpgv | 1.4.12-7+deb7u7 | oldstable | amd64 gpgv | 1.4.18-7+deb8u3 | stable | amd64 gpgv | 2.1.17-2| testing | amd64 gpgv | 2.1.17-3| buildd-unstable | amd64 gpgv | 2.1.17-3| unstable| amd64 0 dkg@alice:~$ I'm not sure what to make of this confusion, but it seems to be related to the mirror network, not to the gnupg2 source package. If it's still a confusion or a problem for you in the next day, this might need to be kicked over to the mirror network or the archive managers. --dkg
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
at bottom :- On 07/01/2017, Daniel Kahn Gillmorwrote: > On Fri 2017-01-06 12:49:32 -0500, Jaden Peterson wrote: >> I have no place in the topic of this bug, but I installed the patches >> you provided on January 5th onto my Debian Testing system. I would like >> to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater, >> which is not provided, and results in mixed versions. > > I'm sorry, i don't understand! 2.1.17-3 was only released this morning > (shortly before you sent this mail) and is still in unstable. if you > used only patches i pointed to, then you wouldn't have had 2.1.17-3 > anywhere. > > can you explain more about the state of your system? > > --dkg > > -- > To unsubscribe, send mail to 849845-unsubscr...@bugs.debian.org. > Dear Daniel, I can confirm Jaden's findings. Perhaps the content hasn't reached his mirror yet. It's same thing at my end. I just updated to see if the new version has come up at my end. (not even in sid/unstable) [$] apt-cache policy gpgv [1:14:58] gpgv: Installed: 2.1.17-2 Candidate: 2.1.17-2 Version table: *** 2.1.17-2 600 600 http://httpredir.debian.org/debian stretch/main amd64 Packages 1 http://httpredir.debian.org/debian unstable/main amd64 Packages 100 /var/lib/dpkg/status Timing is in IST. My last apt update run was about 5 minutes ago and I do know that the update mirrors are hit every 4 hours or more, so maybe in the next 4-8 hours the new binary might be available. -- Regards, Shirish Agarwal शिरीष अग्रवाल My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Fri 2017-01-06 12:49:32 -0500, Jaden Peterson wrote: > I have no place in the topic of this bug, but I installed the patches > you provided on January 5th onto my Debian Testing system. I would like > to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater, > which is not provided, and results in mixed versions. I'm sorry, i don't understand! 2.1.17-3 was only released this morning (shortly before you sent this mail) and is still in unstable. if you used only patches i pointed to, then you wouldn't have had 2.1.17-3 anywhere. can you explain more about the state of your system? --dkg
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Thu, 05 Jan 2017 16:56:40 -0500 Daniel Kahn Gillmorwrote: > Control: fowarded 849845 https://bugs.gnupg.org/gnupg/issue2902 > > On Thu 2017-01-05 08:15:06 -0500, intrigeri wrote: > > Daniel Kahn Gillmor: > >> The remaining problem for me ws that when i use tor, if i get back > >> records, the connections fail, but the IPv6 records are not marked as > >> dead, so they fail repeatedly. > > > > Same here, with a package built from commit > > 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the > > way fixes the other problem I've reported here :) > > thanks for the reportback! I've reported the remaining issue upstream > (see the url above). I'll do an upload to unstable with the > intermediate fix later today, unless i can sort out a fix for the whole > issue first. > > --dkg Hi, I have no place in the topic of this bug, but I installed the patches you provided on January 5th onto my Debian Testing system. I would like to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater, which is not provided, and results in mixed versions.
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Control: fowarded 849845 https://bugs.gnupg.org/gnupg/issue2902 On Thu 2017-01-05 08:15:06 -0500, intrigeri wrote: > Daniel Kahn Gillmor: >> The remaining problem for me ws that when i use tor, if i get back >> records, the connections fail, but the IPv6 records are not marked as >> dead, so they fail repeatedly. > > Same here, with a package built from commit > 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the > way fixes the other problem I've reported here :) thanks for the reportback! I've reported the remaining issue upstream (see the url above). I'll do an upload to unstable with the intermediate fix later today, unless i can sort out a fix for the whole issue first. --dkg signature.asc Description: PGP signature
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi, Daniel Kahn Gillmor: > The remaining problem for me ws that when i use tor, if i get back > records, the connections fail, but the IPv6 records are not marked as > dead, so they fail repeatedly. Same here, with a package built from commit 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the way fixes the other problem I've reported here :) Cheers, -- intrigeri
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Wed 2017-01-04 09:27:16 -0500, intrigeri wrote: > Daniel Kahn Gillmor: >> I've been able to replicate the problems described by intrigeri in >> https://bugs.debian.org/849845; i'm preparing an update to gpg with >> cherry-picked patches that resolves most of them for me. > > I'd be happy to test these changes before you upload. If you wish, > push them to the packaging Vcs-Git (in a dedicated branch if you > prefer) and I'll build & try it :) Thanks, intrigeri! I've pushed 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e to Vcs-Git master branch. Please let me know how it goes for you. --dkg signature.asc Description: PGP signature
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Daniel Kahn Gillmor: > I've been able to replicate the problems described by intrigeri in > https://bugs.debian.org/849845; i'm preparing an update to gpg with > cherry-picked patches that resolves most of them for me. I'd be happy to test these changes before you upload. If you wish, push them to the packaging Vcs-Git (in a dedicated branch if you prefer) and I'll build & try it :)
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Control: severity 849845 grave Hi all-- I've been able to replicate the problems described by intrigeri in https://bugs.debian.org/849845; i'm preparing an update to gpg with cherry-picked patches that resolves most of them for me. This issue is bad enough that it basically makes dirmngr unusable, afaict. The remaining problem for me ws that when i use tor, if i get back records, the connections fail, but the IPv6 records are not marked as dead, so they fail repeatedly. here's an example: Jan 03 15:48:37 alice dirmngr[11194]: DBG: chan_5 <- KS_GET -- 0x4FA73DE89ADE75998AC24E97B8C1D523FE7AAA84 Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a02:898:31:0:48:4558:73:6b73]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a00:14b0:4200:3000:27::27]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2606:1c00:2802::b]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:738:0:600:216:3eff:fe02:42]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:720:418:caf1::8]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:610:1108:5011::70]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '216.66.15.2' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '212.12.48.27' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '193.224.163.43' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.94.109.73' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '131.155.141.70' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '130.206.1.8' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '94.142.242.225' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.238.78' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '18.9.60.141' Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L3: ASSERT: mpi.c[_gnutls_x509_read_uint]:246 Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: Allocating epoch #0 Jan 03 15:48:42 alice dirmngr[11194]: can't connect to '2a02:898:31:0:48:4558:73:6b73': Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: error connecting to 'https://[2a02:898:31:0:48:4558:73:6b73]:443': Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: Start of epoch cleanup Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: End of epoch cleanup Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: Epoch #0 freed Jan 03 15:48:42 alice dirmngr[11194]: command 'KS_GET' failed: Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 -> ERR 167804976 Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 <- BYE Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 -> OK closing connection Jan 03 15:48:42 alice dirmngr[11194]: handler for fd 5 terminated Jan 03 15:49:11 alice dirmngr[11194]: handler for fd 5 started Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> # Home: /home/dkg/.gnupg Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> # Config: /home/dkg/.gnupg/dirmngr.conf Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> OK Dirmngr 2.1.17 at your service Jan 03 15:49:11 alice dirmngr[11194]: connection from process 11200 (1000:1000) Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 <- GETINFO version Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> D 2.1.17 Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> OK Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 <- KS_GET -- 0x4FA73DE89ADE75998AC24E97B8C1D523FE7AAA84 Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L3: ASSERT: mpi.c[_gnutls_x509_read_uint]:246 Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d2400c090]: Allocating epoch #0 Jan 03 15:49:11 alice dirmngr[11194]: can't connect to '2a02:898:31:0:48:4558:73:6b73': Invalid argument Jan 03 15:49:11 alice dirmngr[11194]: error connecting to 'https://[2a02:898:31:0:48:4558:73:6b73]:443': Invalid argument Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d2400c090]: Start of epoch cleanup Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5:
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi, Werner Koch: > On Mon, 2 Jan 2017 13:46, intrig...@debian.org said: >> ... which is expected if querying 127.0.0.1, that doesn't support >> SRV records. > The question is whether we should gracefully handle this failure and > return 0 records found (as done < 2.1.17)? I lack the background that would allow me to have any informed opinion on this topic. Today I'm merely a user whose GnuPG got broken by an upgrade :) >> Jan 02 13:37:57 dirmngr[8281]: DBG: dns: >> resolve_dns_name(hkps.pool.sks-keyservers.net): Success >> Jan 02 13:37:57 dirmngr[8281]: can't connect to >> 'hkps.pool.sks-keyservers.net': no IP address for host > I can't replicate this [...] Ouch. I see this consistently after I've seen the previous (SRV) failure. > What options do you have in your dirmngr.conf ? I only have: debug-all use-tor Cheers, -- intrigeri
Bug#849845: [pkg-gnupg-maint] Bug#849845: Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Mon, 2 Jan 2017 13:46, intrig...@debian.org said: > ... which is expected if querying 127.0.0.1, that doesn't support > SRV records. The question is whether we should gracefully handle this failure and return 0 records found (as done < 2.1.17)? > Jan 02 13:37:57 dirmngr[8281]: DBG: dns: > resolve_dns_name(hkps.pool.sks-keyservers.net): Success > Jan 02 13:37:57 dirmngr[8281]: can't connect to > 'hkps.pool.sks-keyservers.net': no IP address for host I can't replicate this neither when running dirmnagr as dirmngr --options /dev/null --debug ipc,dns -v \ --log-file socket:// --daemon nor when bypassing the new libdns: dirmngr --options /dev/null --debug ipc,dns -v \ --log-file socket:// --daemon --standard-resolver What options do you have in your dirmngr.conf ? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgp__tobb90N5.pgp Description: PGP signature
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi Werner! Werner Koch: > The attached patch fixes this problem. Thanks for caring! I've tried rebuilding the package currently in sid with this patch applied, but it doesn't seem to be enough. The first --recv-keys triggers: Jan 02 13:36:33 dirmngr[8281]: DBG: dns: getsrv(_hkp._tcp.hkps.pool.sks-keyservers.net): Server indicated a failure Jan 02 13:36:33 dirmngr[8281]: command 'KS_GET' failed: Server indicated a failure Jan 02 13:36:33 dirmngr[8281]: DBG: chan_5 -> ERR 219 Server indicated a failure ... which is expected if querying 127.0.0.1, that doesn't support SRV records. And the next attempts, after manually telling dirmngr that my keyserver is alive: Jan 02 13:37:56 dirmngr[8281]: connection from process 8506 (1002:1002) Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- GETINFO version Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> D 2.1.17 Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> OK Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> OK Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- KS_GET -- 0x7C84A74CFB12BC439E81BA78C92949B8A63BB098 Jan 02 13:37:57 dirmngr[8281]: DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): Success Jan 02 13:37:57 dirmngr[8281]: can't connect to 'hkps.pool.sks-keyservers.net': no IP address for host Jan 02 13:37:57 dirmngr[8281]: error connecting to 'https://hkps.pool.sks-keyservers.net:443': Unknown host Jan 02 13:37:57 dirmngr[8281]: marking host 'hkps.pool.sks-keyservers.net' as dead strace still seems to indicate that resolv.conf is read, and then 127.0.0.1 is queried. Cheers, -- intrigeri
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi! The attached patch fixes this problem. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From b200e636ab20d2aa93d9f71f3789db5a04af0a56 Mon Sep 17 00:00:00 2001 From: Werner KochDate: Mon, 2 Jan 2017 10:00:33 +0100 Subject: [PATCH] dirmngr: Strip root zone suffix from libdns cname results. * dirmngr/dns-stuff.c (resolve_name_libdns): Strip trailing dot. (get_dns_cname_libdns): Ditto. -- Signed-off-by: Werner Koch --- dirmngr/dns-stuff.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c index a31b073..f2e1df9 100644 --- a/dirmngr/dns-stuff.c +++ b/dirmngr/dns-stuff.c @@ -732,6 +732,10 @@ resolve_name_libdns (const char *name, unsigned short port, err = gpg_error_from_syserror (); goto leave; } + /* Libdns appends the root zone part which is problematic + * for most other functions - strip it. */ + if (**r_canonname && (*r_canonname)[strlen (*r_canonname)-1] == '.') +(*r_canonname)[strlen (*r_canonname)-1] = 0; } dai = xtrymalloc (sizeof *dai + ent->ai_addrlen -1); @@ -1899,6 +1903,13 @@ get_dns_cname_libdns (const char *name, char **r_cname) *r_cname = xtrystrdup (cname.host); if (!*r_cname) err = gpg_error_from_syserror (); + else +{ + /* Libdns appends the root zone part which is problematic + * for most other functions - strip it. */ + if (**r_cname && (*r_cname)[strlen (*r_cname)-1] == '.') +(*r_cname)[strlen (*r_cname)-1] = 0; +} leave: dns_free (ans); -- 2.8.1 pgp9mvglUVpLn.pgp Description: PGP signature
Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Package: dirmngr Version: 2.1.17-2 Severity: important Hi! since the upgrade to 2.1.17 (not sure if it's in -1 or -2), my dirmngr is unusable. Any network operation triggers: can't connect to 'hkps.pool.sks-keyservers.net': no IP address for host ... almost immediately, i.e. resolver-timeout seems to be ignored. I've tried multiple combinations of the following settings in dirmngr.conf: * disabling "use-tor" * enabling "standard-resolver" * pointing "nameserver" to 127.0.0.1 (my Tor DNSPort, that only listens on UDP 127.0.0.1:53) * pointing "nameserver" to 8.8.8.8 (which should be the default given I have "use-tor" enabled, but well) * raising the value of "resolver-timeout" … but none of them helped. Downgrading to 2.1.16-3 fixes this problem. The only weird thing about my system that I can think of is that my /etc/resolv.conf points to 127.0.0.1 (where I have Tor's DNSPort listening, that only handles A, , and PTR requests). In theory this should not matter since with use-tor, DNS queries are done over Tor to 8.8.8.8, if I got the manpage right. However, my limited strace skills allow me to notice that dirmngr reads /etc/resolv.conf and then connects to 127.0.0.1 and not to 8.8.8.8 (even if I explicitly set "nameserver 8.8.8.8" in dirmngr.conf): 23694 10:51:07.455096 socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 6 <0.15> 23694 10:51:07.455145 bind(6, {sa_family=AF_INET, sin_port=htons(53891), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 <0.07> 23694 10:51:07.455196 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.09> 23694 10:51:07.455218 sendto(6, "\250\302\1\0\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 46, 0, NULL, 0) = 46 <0.39> | 0 a8 c2 01 00 00 01 00 00 00 00 00 00 04 68 6b 70 .hkp | | 00010 73 04 70 6f 6f 6c 0e 73 6b 73 2d 6b 65 79 73 65 s.pool.sks-keyse | | 00020 72 76 65 72 73 03 6e 65 74 00 00 01 00 01rvers.net. | 23694 10:51:07.455298 recvfrom(6, 0x7fda90009d4c, 768, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable) <0.04> 23694 10:51:07.455318 select(7, [6], [], NULL, {tv_sec=1, tv_usec=0}) = 1 (in [6], left {tv_sec=0, tv_usec=922029}) <0.077993> 23694 10:51:07.533390 recvfrom(6, "\250\302\201\200\0\1\0\1\0\0\0\0\4hkps\4pool\16sks-keyse"..., 768, 0, NULL, NULL) = 62 <0.32> | 0 a8 c2 81 80 00 01 00 01 00 00 00 00 04 68 6b 70 .hkp | | 00010 73 04 70 6f 6f 6c 0e 73 6b 73 2d 6b 65 79 73 65 s.pool.sks-keyse | | 00020 72 76 65 72 73 03 6e 65 74 00 00 01 00 01 c0 0c rvers.net... | | 00030 00 01 00 01 00 00 00 3c 00 04 d1 87 d3 8d...<.. | 23694 10:51:07.533551 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.41> 23694 10:51:07.533627 sendto(6, "\3601\1\0\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 46, 0, NULL, 0) = 46 <0.46> | 0 f0 31 01 00 00 01 00 00 00 00 00 00 04 68 6b 70 .1...hkp | | 00010 73 04 70 6f 6f 6c 0e 73 6b 73 2d 6b 65 79 73 65 s.pool.sks-keyse | | 00020 72 76 65 72 73 03 6e 65 74 00 00 1c 00 01rvers.net. | 23694 10:51:07.533720 recvfrom(6, 0x7fda9000a10c, 768, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable) <0.10> 23694 10:51:07.533763 select(7, [6], [], NULL, {tv_sec=1, tv_usec=0}) = 1 (in [6], left {tv_sec=0, tv_usec=921164}) <0.078863> 23694 10:51:07.612705 recvfrom(6, "\3601\201\203\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 768, 0, NULL, NULL) = 46 <0.22> | 0 f0 31 81 83 00 01 00 00 00 00 00 00 04 68 6b 70 .1...hkp | | 00010 73 04 70 6f 6f 6c 0e 73 6b 73 2d 6b 65 79 73 65 s.pool.sks-keyse | | 00020 72 76 65 72 73 03 6e 65 74 00 00 1c 00 01rvers.net. | 23694 10:51:07.612832 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 <0.14> 23694 10:51:07.612894 sendto(6, "\224J\1\0\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 47, 0, NULL, 0) = 47 <0.49> | 0 94 4a 01 00 00 01 00 00 00 00 00 00 04 68 6b 70 .J...hkp | | 00010 73 04 70 6f 6f 6c 0e 73 6b 73 2d 6b 65 79 73 65 s.pool.sks-keyse | | 00020 72 76 65 72 73 03 6e 65 74 00 00 00 1c 00 01 rvers.net.. | 23694 10:51:07.612999 recvfrom(6, "\224J\201\204\0\1\0\0\0\0\0\0\4hkps\4pool\16sks-keyse"..., 768, 0, NULL, NULL) = 46 <0.23> | 0 94 4a 81 84 00 01 00 00 00 00 00 00 04 68 6b 70 .J...hkp | | 00010 73 04 70 6f 6f 6c 0e 73 6b 73 2d 6b 65 79 73 65 s.pool.sks-keyse | | 00020 72 76 65 72 73 03 6e 65 74 00 00 00 1c 00rvers.net. | 23694 10:51:07.613070 close(6) = 0 <0.17> 23694 10:51:07.613113 write(2, "can't connect to 'hkps.pool.sks-"..., 71) = 71 <0.18> 23694 10:51:07.613149 write(2, "\n", 1) = 1 <0.11> 23694 10:51:07.613198 write(2,