Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Thu, 05 Jan 2017 16:56:40 -0500 Daniel Kahn Gillmorwrote: > Control: fowarded 849845 https://bugs.gnupg.org/gnupg/issue2902 > > On Thu 2017-01-05 08:15:06 -0500, intrigeri wrote: > > Daniel Kahn Gillmor: > >> The remaining problem for me ws that when i use tor, if i get back > >> records, the connections fail, but the IPv6 records are not marked as > >> dead, so they fail repeatedly. > > > > Same here, with a package built from commit > > 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the > > way fixes the other problem I've reported here :) > > thanks for the reportback! I've reported the remaining issue upstream > (see the url above). I'll do an upload to unstable with the > intermediate fix later today, unless i can sort out a fix for the whole > issue first. > > --dkg Hi, I have no place in the topic of this bug, but I installed the patches you provided on January 5th onto my Debian Testing system. I would like to notify you that gpgv2 depends on gpgv version 2.1.17-3 or greater, which is not provided, and results in mixed versions.
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Control: fowarded 849845 https://bugs.gnupg.org/gnupg/issue2902 On Thu 2017-01-05 08:15:06 -0500, intrigeri wrote: > Daniel Kahn Gillmor: >> The remaining problem for me ws that when i use tor, if i get back >> records, the connections fail, but the IPv6 records are not marked as >> dead, so they fail repeatedly. > > Same here, with a package built from commit > 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the > way fixes the other problem I've reported here :) thanks for the reportback! I've reported the remaining issue upstream (see the url above). I'll do an upload to unstable with the intermediate fix later today, unless i can sort out a fix for the whole issue first. --dkg signature.asc Description: PGP signature
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi, Daniel Kahn Gillmor: > The remaining problem for me ws that when i use tor, if i get back > records, the connections fail, but the IPv6 records are not marked as > dead, so they fail repeatedly. Same here, with a package built from commit 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e in the Vcs-Git (which by the way fixes the other problem I've reported here :) Cheers, -- intrigeri
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
On Wed 2017-01-04 09:27:16 -0500, intrigeri wrote: > Daniel Kahn Gillmor: >> I've been able to replicate the problems described by intrigeri in >> https://bugs.debian.org/849845; i'm preparing an update to gpg with >> cherry-picked patches that resolves most of them for me. > > I'd be happy to test these changes before you upload. If you wish, > push them to the packaging Vcs-Git (in a dedicated branch if you > prefer) and I'll build & try it :) Thanks, intrigeri! I've pushed 32bae0c609cb0c6180e9405a3d6a8fb3c0dec20e to Vcs-Git master branch. Please let me know how it goes for you. --dkg signature.asc Description: PGP signature
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Daniel Kahn Gillmor: > I've been able to replicate the problems described by intrigeri in > https://bugs.debian.org/849845; i'm preparing an update to gpg with > cherry-picked patches that resolves most of them for me. I'd be happy to test these changes before you upload. If you wish, push them to the packaging Vcs-Git (in a dedicated branch if you prefer) and I'll build & try it :)
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Control: severity 849845 grave Hi all-- I've been able to replicate the problems described by intrigeri in https://bugs.debian.org/849845; i'm preparing an update to gpg with cherry-picked patches that resolves most of them for me. This issue is bad enough that it basically makes dirmngr unusable, afaict. The remaining problem for me ws that when i use tor, if i get back records, the connections fail, but the IPv6 records are not marked as dead, so they fail repeatedly. here's an example: Jan 03 15:48:37 alice dirmngr[11194]: DBG: chan_5 <- KS_GET -- 0x4FA73DE89ADE75998AC24E97B8C1D523FE7AAA84 Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a02:898:31:0:48:4558:73:6b73]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a00:14b0:4200:3000:27::27]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2606:1c00:2802::b]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:738:0:600:216:3eff:fe02:42]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:720:418:caf1::8]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:610:1108:5011::70]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '216.66.15.2' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '212.12.48.27' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '193.224.163.43' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.94.109.73' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '131.155.141.70' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '130.206.1.8' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '94.142.242.225' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.238.78' Jan 03 15:48:42 alice dirmngr[11194]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '18.9.60.141' Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L3: ASSERT: mpi.c[_gnutls_x509_read_uint]:246 Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: Allocating epoch #0 Jan 03 15:48:42 alice dirmngr[11194]: can't connect to '2a02:898:31:0:48:4558:73:6b73': Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: error connecting to 'https://[2a02:898:31:0:48:4558:73:6b73]:443': Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: Start of epoch cleanup Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: End of epoch cleanup Jan 03 15:48:42 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d240086b0]: Epoch #0 freed Jan 03 15:48:42 alice dirmngr[11194]: command 'KS_GET' failed: Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 -> ERR 167804976 Invalid argument Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 <- BYE Jan 03 15:48:42 alice dirmngr[11194]: DBG: chan_5 -> OK closing connection Jan 03 15:48:42 alice dirmngr[11194]: handler for fd 5 terminated Jan 03 15:49:11 alice dirmngr[11194]: handler for fd 5 started Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> # Home: /home/dkg/.gnupg Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> # Config: /home/dkg/.gnupg/dirmngr.conf Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> OK Dirmngr 2.1.17 at your service Jan 03 15:49:11 alice dirmngr[11194]: connection from process 11200 (1000:1000) Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 <- GETINFO version Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> D 2.1.17 Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 -> OK Jan 03 15:49:11 alice dirmngr[11194]: DBG: chan_5 <- KS_GET -- 0x4FA73DE89ADE75998AC24E97B8C1D523FE7AAA84 Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L3: ASSERT: mpi.c[_gnutls_x509_read_uint]:246 Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d2400c090]: Allocating epoch #0 Jan 03 15:49:11 alice dirmngr[11194]: can't connect to '2a02:898:31:0:48:4558:73:6b73': Invalid argument Jan 03 15:49:11 alice dirmngr[11194]: error connecting to 'https://[2a02:898:31:0:48:4558:73:6b73]:443': Invalid argument Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5: REC[0x7f6d2400c090]: Start of epoch cleanup Jan 03 15:49:11 alice dirmngr[11194]: DBG: gnutls:L5:
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi Werner! Werner Koch: > The attached patch fixes this problem. Thanks for caring! I've tried rebuilding the package currently in sid with this patch applied, but it doesn't seem to be enough. The first --recv-keys triggers: Jan 02 13:36:33 dirmngr[8281]: DBG: dns: getsrv(_hkp._tcp.hkps.pool.sks-keyservers.net): Server indicated a failure Jan 02 13:36:33 dirmngr[8281]: command 'KS_GET' failed: Server indicated a failure Jan 02 13:36:33 dirmngr[8281]: DBG: chan_5 -> ERR 219 Server indicated a failure ... which is expected if querying 127.0.0.1, that doesn't support SRV records. And the next attempts, after manually telling dirmngr that my keyserver is alive: Jan 02 13:37:56 dirmngr[8281]: connection from process 8506 (1002:1002) Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- GETINFO version Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> D 2.1.17 Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> OK Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 -> OK Jan 02 13:37:56 dirmngr[8281]: DBG: chan_5 <- KS_GET -- 0x7C84A74CFB12BC439E81BA78C92949B8A63BB098 Jan 02 13:37:57 dirmngr[8281]: DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): Success Jan 02 13:37:57 dirmngr[8281]: can't connect to 'hkps.pool.sks-keyservers.net': no IP address for host Jan 02 13:37:57 dirmngr[8281]: error connecting to 'https://hkps.pool.sks-keyservers.net:443': Unknown host Jan 02 13:37:57 dirmngr[8281]: marking host 'hkps.pool.sks-keyservers.net' as dead strace still seems to indicate that resolv.conf is read, and then 127.0.0.1 is queried. Cheers, -- intrigeri
Bug#849845: [pkg-gnupg-maint] Bug#849845: dirmngr: Can't resolve keyserver hostname anymore
Hi! The attached patch fixes this problem. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From b200e636ab20d2aa93d9f71f3789db5a04af0a56 Mon Sep 17 00:00:00 2001 From: Werner KochDate: Mon, 2 Jan 2017 10:00:33 +0100 Subject: [PATCH] dirmngr: Strip root zone suffix from libdns cname results. * dirmngr/dns-stuff.c (resolve_name_libdns): Strip trailing dot. (get_dns_cname_libdns): Ditto. -- Signed-off-by: Werner Koch --- dirmngr/dns-stuff.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c index a31b073..f2e1df9 100644 --- a/dirmngr/dns-stuff.c +++ b/dirmngr/dns-stuff.c @@ -732,6 +732,10 @@ resolve_name_libdns (const char *name, unsigned short port, err = gpg_error_from_syserror (); goto leave; } + /* Libdns appends the root zone part which is problematic + * for most other functions - strip it. */ + if (**r_canonname && (*r_canonname)[strlen (*r_canonname)-1] == '.') +(*r_canonname)[strlen (*r_canonname)-1] = 0; } dai = xtrymalloc (sizeof *dai + ent->ai_addrlen -1); @@ -1899,6 +1903,13 @@ get_dns_cname_libdns (const char *name, char **r_cname) *r_cname = xtrystrdup (cname.host); if (!*r_cname) err = gpg_error_from_syserror (); + else +{ + /* Libdns appends the root zone part which is problematic + * for most other functions - strip it. */ + if (**r_cname && (*r_cname)[strlen (*r_cname)-1] == '.') +(*r_cname)[strlen (*r_cname)-1] = 0; +} leave: dns_free (ans); -- 2.8.1 pgp9mvglUVpLn.pgp Description: PGP signature