Page MenuHome GnuPG
Create Task
Maniphest T2745

gpg 2.1.15, *no* keyservers found for submit/recv, "DNS query returned an error or no records: No such domain (nxdomain)"
Closed, ResolvedPublic
Actions

Description

I've installed

gpg2 --version

		gpg (GnuPG) 2.1.15
		libgcrypt 1.7.3
		Copyright (C) 2016 Free Software Foundation, Inc.
		License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
		This is free software: you are free to change and redistribute it.
		There is NO WARRANTY, to the extent permitted by law.

		Home: /home/test/.gnupg
		Supported algorithms:
		Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
		Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
		        CAMELLIA128, CAMELLIA192, CAMELLIA256
		Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
		Compression: Uncompressed, ZIP, ZLIB, BZIP2

I can generate key pairs and rev certs OK.

But when I try to upload/retrieve from any keyserver, I get "ERR 167772346 No
keyserver available <Dirmngr>".

Here's an attempt with keyserver == pool @ hkps://hkps.pool.sks-keyservers.net

gpg -v --debug-all --recv-keys 0x673A03E4C1DB921F

		gpg: reading options from '/home/test/.gnupg/gpg.conf'
		gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat

trust hashing cardio ipc clock lookup extprog

		gpg: DBG: [not enabled in the source] start
		gpg: DBG: chan_3 <- # Home: /home/test/.gnupg
		gpg: DBG: chan_3 <- # Config: /home/test/.gnupg/dirmngr.conf
		gpg: DBG: chan_3 <- OK Dirmngr 2.1.15 at your service
		gpg: DBG: connection to the dirmngr established
		gpg: DBG: chan_3 -> GETINFO version
		gpg: DBG: chan_3 <- D 2.1.15
		gpg: DBG: chan_3 <- OK
		gpg: DBG: chan_3 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
		gpg: DBG: chan_3 <- OK
		gpg: DBG: chan_3 -> KS_GET -- 0x673A03E4C1DB921F
		gpg: DBG: chan_3 <- ERR 167772346 No keyserver available <Dirmngr>
		gpg: keyserver receive failed: No keyserver available
		gpg: DBG: chan_3 -> BYE
		gpg: DBG: [not enabled in the source] stop
		gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
		              outmix=0 getlvl1=0/0 getlvl2=0/0
		gpg: secmem usage: 0/65536 bytes in 0 blocks

I've tried a bunch of different keyservers with always the same result.

I added logging to dirmgr.conf

+ log-file /var/log/gnupg/dirmngr.log

On the failed attempt this is the log tail

2016-10-09 08:27:02 dirmngr[32460.0] permanently loaded certificates: 0
2016-10-09 08:27:02 dirmngr[32460.0] runtime cached certificates: 0
2016-10-09 08:27:03 dirmngr[32460.0] DNS query returned an error or no records:
No such domain (nxdomain)
2016-10-09 08:27:03 dirmngr[32460.0] DNS query failed: System error w/o errno
2016-10-09 08:27:03 dirmngr[32460.0] resolving 'hkps.pool.sks-keyservers.net'
failed: System error w/o errno
2016-10-09 08:27:03 dirmngr[32460.0] DNS query failed: System error w/o errno
2016-10-09 08:27:03 dirmngr[32460.0] resolving 'hkps.pool.sks-keyservers.net'
failed: System error w/o errno
2016-10-09 08:27:03 dirmngr[32460.0] can't connect to
'hkps.pool.sks-keyservers.net': host not found
2016-10-09 08:27:03 dirmngr[32460.0] error connecting to
'https://hkps.pool.sks-keyservers.net:443': Unknown host
2016-10-09 08:27:03 dirmngr[32460.0] marking host
'hkps.pool.sks-keyservers.net' as dead
2016-10-09 08:27:03 dirmngr[32460.0] host 'hkps.pool.sks-keyservers.net' marked
as dead
2016-10-09 08:27:03 dirmngr[32460.0] command 'KS_GET' failed: No keyserver
available

This

DNS query returned an error or no records: No such domain (nxdomain)

looks like a (R)DNS lookup problem from WITHIN dirmngr/gnupg

Here, from cmd line

host hkps.pool.sks-keyservers.net

		hkps.pool.sks-keyservers.net has address 92.43.111.21
		hkps.pool.sks-keyservers.net has address 209.135.211.141
		hkps.pool.sks-keyservers.net has address 104.236.209.43
		hkps.pool.sks-keyservers.net has address 178.62.203.205
		hkps.pool.sks-keyservers.net has address 212.12.48.27
		hkps.pool.sks-keyservers.net has address 18.9.60.141
		hkps.pool.sks-keyservers.net has address 193.164.133.100
		hkps.pool.sks-keyservers.net has address 140.211.169.202
		hkps.pool.sks-keyservers.net has address 37.97.129.189
		hkps.pool.sks-keyservers.net has address 94.142.242.225
		hkps.pool.sks-keyservers.net has IPv6 address 2a03:b0c0:2:d0::6e3:a001
		hkps.pool.sks-keyservers.net has IPv6 address 2606:9500:201:1::141
		hkps.pool.sks-keyservers.net has IPv6 address 2a02:898:31:0:48:4558:73:6b73
		hkps.pool.sks-keyservers.net has IPv6 address 2a01:7c8:aabc:45a:5054:ff:fe9b:59a3
		hkps.pool.sks-keyservers.net has IPv6 address 2604:a880:800:10::163:b001
		hkps.pool.sks-keyservers.net has IPv6 address 2a02:c205:3001:3626::1
		hkps.pool.sks-keyservers.net has IPv6 address 2a00:14b0:4200:3000:27::27
		hkps.pool.sks-keyservers.net has IPv6 address 2a01:4a0:59:1000:223:9eff:fe00:100f

dig A hkps.pool.sks-keyservers.net

		; <<>> DiG 9.10.3-P4 <<>> A hkps.pool.sks-keyservers.net
		;; global options: +cmd
		;; Got answer:
		;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18016
		;; flags: qr rd ra ad; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

		;; OPT PSEUDOSECTION:
		; EDNS: version: 0, flags:; udp: 4096
		;; QUESTION SECTION:
		;hkps.pool.sks-keyservers.net.  IN      A

		;; ANSWER SECTION:
		hkps.pool.sks-keyservers.net. 12 IN     A       92.43.111.21
		hkps.pool.sks-keyservers.net. 12 IN     A       18.9.60.141
		hkps.pool.sks-keyservers.net. 12 IN     A       178.62.203.205
		hkps.pool.sks-keyservers.net. 12 IN     A       104.236.209.43
		hkps.pool.sks-keyservers.net. 12 IN     A       209.135.211.141
		hkps.pool.sks-keyservers.net. 12 IN     A       37.97.129.189
		hkps.pool.sks-keyservers.net. 12 IN     A       212.12.48.27
		hkps.pool.sks-keyservers.net. 12 IN     A       140.211.169.202
		hkps.pool.sks-keyservers.net. 12 IN     A       193.164.133.100
		hkps.pool.sks-keyservers.net. 12 IN     A       94.142.242.225

		;; Query time: 0 msec
		;; SERVER: 10.19.2.100#53(10.19.2.100)
		;; WHEN: Sun Oct 09 08:28:06 PDT 2016
		;; MSG SIZE  rcvd: 217

checking with gpg-connect-agent

gpg-connect-agent -v --dirmngr 'keyserver --resolve' /bye

		S # hkps://hkps.pool.sks-keyservers.net:443: resolve failed: No keyserver

available

		OK
		gpg-connect-agent: closing connection to agent

and verifying with telnet

telnet hkps.pool.sks-keyservers.net 443

		Trying 216.66.15.2...
		Connected to hkps.pool.sks-keyservers.net.
		Escape character is '^]'.
		^]
		telnet> quit
		Connection closed.

Details

Version
2.1.15

Related Objects

Event Timeline

lssl added projects: dirmngr, Bug Report.Oct 9 2016, 6:49 PM
lssl set Version to 2.1.15.
lssl added a subscriber: lssl.
lssl added a comment.Oct 10 2016, 1:25 AM

from a question on the ML

gpg-connect-agent --dirmngr

GETINFO dnsinfo

OK - ADNS w/o Tor support

GETINFO tor

ERR 167772416 False <Dirmngr> - Tor mode is NOT enabled

dkg added a subscriber: dkg.Oct 26 2016, 11:30 PM

I'm trying to understand this, but I'm not seeing it.

Here's the test i did. While recording all traffic from my machine on port 53
(the dns port), i ran:

    GNUPGHOME=$(mktemp -d) gpg-connect-agent --dirmngr

That interactive session looked like this:

> getinfo dnsinfo
OK - ADNS w/o Tor support
> getinfo tor
dirmngr[11713.1]: command 'GETINFO' failed: False
ERR 167772416 False <Dirmngr> - Tor mode is NOT enabled
> keyserver --clear
OK
> keyserver hkps://hkps.pool.sks-keyservers.net
OK
> keyserver --resolve hkps://hkps.pool.sks-keyservers.net
dirmngr[11713.1]: DNS query returned an error or no records: No such domain

(nxdomain)

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'bone.digitalis.org'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'ip-209-135-211-141.ragingwire.net'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'gpg.nebrwesleyan.edu'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'host-37-191-220-247.lynet.no'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'cryptonomicon.mit.edu'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'zimmerman.mayfirst.org'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'sks.srv.dumain.com'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'b4ckbone.de'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'sks.spodhuis.org'

dirmngr[11713.1]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net':

'oteiza.siccegge.de'

    S # https://cryptonomicon.mit.edu:443
    OK
    > keyserver --hosttable
    S # hosttable (idx, ipv6, ipv4, dead, name, time):
    S #   0       hkps.pool.sks-keyservers.net
    S #   .   --> 8 1 5* 3 4 2 10 9 7 6
    S #   1   4   bone.digitalis.org v4=212.12.48.27
    S #   2   4   ip-209-135-211-141.ragingwire.net v4=209.135.211.141
    S #   3   4   gpg.nebrwesleyan.edu v4=192.94.109.73
    S #   4   4   host-37-191-220-247.lynet.no v4=37.191.220.247
    S #   5   4   cryptonomicon.mit.edu v4=18.9.60.141
    S #   6   4   zimmerman.mayfirst.org v4=216.66.15.2
    S #   7   4   sks.srv.dumain.com v4=85.119.82.209
    S #   8   4   b4ckbone.de v4=193.164.133.100
    S #   9   4   sks.spodhuis.org v4=94.142.242.225
    S #  10   4   oteiza.siccegge.de v4=92.43.111.21
    OK
    >

So, the SRV lookup did indeed fail, but subsequent queries succeeded.

I've attached a pcapng file of the network traffic sent and received from the
described test.

The textual version of the traffic is:

query 0x311f SRV _hkp._tcp.hkps.pool.sks-keyservers.net
query response 0x311f No such name SRV

_hkp._tcp.hkps.pool.sks-keyservers.net SOA ns2.kfwebs.net

query 0x3120 A hkps.pool.sks-keyservers.net
query response 0x3120 A hkps.pool.sks-keyservers.net A 92.43.111.21 A

94.142.242.225 A 193.164.133.100 A 85.119.82.209 A 216.66.15.2 A 18.9.60.141 A
37.191.220.247 A 192.94.109.73 A 209.135.211.141 A 212.12.48.27

query 0xbd61 PTR 27.48.12.212.in-addr.arpa
query response 0xbd61 PTR 27.48.12.212.in-addr.arpa PTR bone.digitalis.org
query 0x384a PTR 141.211.135.209.in-addr.arpa
query response 0x384a PTR 141.211.135.209.in-addr.arpa PTR

ip-209-135-211-141.ragingwire.net

query 0xb36e PTR 73.109.94.192.in-addr.arpa
query response 0xb36e PTR 73.109.94.192.in-addr.arpa PTR gpg.nebrwesleyan.edu
query 0xcac3 PTR 247.220.191.37.in-addr.arpa
query response 0xcac3 PTR 247.220.191.37.in-addr.arpa PTR

host-37-191-220-247.lynet.no

query 0xd28b PTR 141.60.9.18.in-addr.arpa
query response 0xd28b PTR 141.60.9.18.in-addr.arpa PTR cryptonomicon.mit.edu
query 0x4be9 PTR 2.15.66.216.in-addr.arpa
query response 0x4be9 PTR 2.15.66.216.in-addr.arpa CNAME

2.0-27.15.66.216.in-addr.arpa PTR zimmerman.mayfirst.org PTR zimmermann.mayfirst.org

query 0x823b PTR 209.82.119.85.in-addr.arpa
query response 0x823b PTR 209.82.119.85.in-addr.arpa PTR sks.srv.dumain.com
query 0x3b0c PTR 100.133.164.193.in-addr.arpa
query response 0x3b0c PTR 100.133.164.193.in-addr.arpa PTR b4ckbone.de
query 0x9600 PTR 225.242.142.94.in-addr.arpa
query response 0x9600 PTR 225.242.142.94.in-addr.arpa PTR sks.spodhuis.org
query 0xed36 PTR 21.111.43.92.in-addr.arpa
query response 0xed36 PTR 21.111.43.92.in-addr.arpa PTR oteiza.siccegge.de
dkg added a comment.Oct 26 2016, 11:31 PM

898_dirmngr-dns0.pcapng3 KBDownload

gniibe added a subscriber: gniibe.Oct 27 2016, 8:09 AM

It seems that it's related to ADNS.
I fixed error handling in the commits of 8a9341b and 6f1d812, so that correct
error from adns_synchronous will be logged.
I mean, the error message of "DNS query failed: System error w/o errno" will be
improved with correct error value.

werner claimed this task.Nov 8 2016, 5:20 PM
werner added a subscriber: werner.
werner added a project: gnupg.Dec 1 2016, 10:38 AM
werner added a comment.Jan 9 2017, 9:36 AM

This seems to be closely related to T2451.

The ML discussion started during my fall vacation and thus scrolled out of my
sight :-(. While doing some unrelated SRV experiments yesterday, I figured the
problem myself and K_F pointed me to the discussion.

The actual cause for the bugs might be that I missed to forward-port David's
patch from 2009 for changing the service name to the 2.1 branch. I will further
investigate. The move to libdns introduced other bugs and covered the actual bug.

werner added a comment.Jan 9 2017, 10:57 AM

Please try current master where I hopefully fixed T2451. This may also fix
this issue.

werner added a project: Restricted Project.Jan 9 2017, 10:57 AM
werner added a comment.Jan 23 2017, 11:12 PM

Should be fixed in the just released 2.1.18

werner closed this task as Resolved.Jan 31 2017, 1:28 PM
werner removed a project: Restricted Project.
marcus mentioned this in T2907: make DNS look ups more parallel.Jul 27 2017, 2:07 PM