Cannot access keyserver without the standard-resolver option
Closed, Resolved (Public)

Description

This is on Arch Linux. This is a reproducible error. Without the
standard-resolver option I cannot connect to keyservers.

Begin /etc/nsswitch.conf

passwd: compat mymachines systemd
group: compat mymachines systemd
shadow: compat

publickey: files

hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

End /etc/nsswitch.conf

Details

Version
2.1.18

walkingrobot set Version to 2.1.18.
werner added a subscriber: werner. Mar 6 2017, 12:52 PM

What's your /etc/resolv.conf ? Would you mind to also test with 2.1.19?

my resolv.conf
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver ::1
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

I have tested with 2.1.19; it works the same.

werner assigned this task to justus. Mar 8 2017, 12:37 PM
werner raised the priority of this task from Low to Normal.
werner added a subscriber: justus.

Justus, can you please check this bug? It is related to the migration to libdns
and thus we should consider this a bug.

justus added a comment. Mar 8 2017, 3:01 PM

Hi,

can you tell me what kind of DNS resolver is listening on localhost? Does it
support UDP? TCP?

Hi,

I am using systemd-resolved. It is listening on localhost UDP.

walkingrobot lowered the priority of this task from Normal to Low. Mar 10 2017, 1:30 PM
walkingrobot removed a project: Info Needed.

It would appear I was wrong. The localhost address should not have been in the
/etc/resolv.conf. I have removed it and the standard-resolver option and it is
working. I have tried this several times.

justus closed this task as Resolved. Mar 21 2017, 2:38 PM

Ok, closing this bug. Feel free to reopen it if you reconsider.

AladW reopened this task as Open. Edited Jan 27 2018, 2:09 PM
AladW added a subscriber: AladW.

I can reproduce this issue with gpg 2.2.4, systemd-resolved and Arch Linux. Unlike the original reporter, I do not have 127.0.0.1 in my /etc/resolv.conf. I do however have it in /etc/hosts.

My configuration files look as follows:

/etc/nsswitch.conf

# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files mymachines systemd
group: files mymachines systemd
shadow: files

publickey: files

hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

/etc/hosts (not including the entry for my permanent IP address)

# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1       localhost
::1             localhost

/etc/resolv.conf

# Resolver configuration file.
# See resolv.conf(5) for details.

stat /etc/resolv.conf

  File: /etc/resolv.conf
  Size: 65              Blocks: 8          IO Block: 4096   regular file
Device: 803h/2051d      Inode: 16778387    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-01-26 21:47:34.644281895 +0100
Modify: 2017-10-17 09:32:47.000000000 +0200
Change: 2018-01-25 13:25:37.618173388 +0100
 Birth: -

gpg --version

gpg (GnuPG) 2.2.4
libgcrypt 1.8.2
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/archie/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I can reproduce the issue with an empty ~/.gnupg folder. Should you need any more information, please let me know.

AladW added a comment. Jan 27 2018, 2:29 PM

Note that it works as expected if I symlink /run/systemd/resolve/stub-resolv.conf to /etc/resolv.conf. Other programs appear to not require this change.

dirmngr looks into /etc/resolv.conf and does not know anything about systemd-specific things (nor do I). Thus having a symlink seems to be an appropriate solution.

AladW added a comment. Jan 27 2018, 5:44 PM

Going by your comment on Sat, Jan 27, 5:29 PM, I thought you would use libdns instead of resolv.conf directly. Maybe I understood that comment wrongly.

justus removed justus as the assignee of this task. Jun 28 2018, 4:15 PM
gniibe claimed this task. Jun 29 2018, 1:57 AM
gniibe closed this task as Resolved.
gniibe added a subscriber: gniibe.

The cause is the ! in nsswitch.conf.
This was fixed (2.2 branch) by rGd4c0187dd931 ("libdns: Hack to skip negation term.") for GnuPG in Jan 2017.
I found it was fixed in the original libdns, and this fix was merged into GnuPG in rG20c289606f89 ("libdns: Sync to upstream.").

Thus, closing.
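Editor's note, added to this thread: the root cause identified above is the `!` negation in the `[!UNAVAIL=return]` action list on the `hosts:` line, which the libdns nsswitch.conf parser bundled with dirmngr did not handle. The following is an added example (not GnuPG's or libdns's code) of how nsswitch.conf(5) action items are supposed to be parsed and how they steer the lookup walk. It uses the hosts: line from the reports in this thread as a constructed sample; the status and action names come from nsswitch.conf(5), and treating `merge` like `continue` in the simulation is a simplification.

```python
"""Parse nsswitch.conf(5) action items such as [!UNAVAIL=return] and
simulate how they steer the NSS lookup walk. Illustrative code written for
this page, not GnuPG's or libdns's resolver code."""
import re
from dataclasses import dataclass, field

# Status names and actions as defined in nsswitch.conf(5); glibc matches them
# case-insensitively, so everything is lower-cased below.
STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue", "merge")
# glibc defaults when no [..] item overrides a status.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Constructed sample: the hosts: line from the reports in this thread.
HOSTS_LINE = "hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname"


@dataclass
class ActionItem:
    negated: bool   # leading '!': the action applies to every status EXCEPT `status`
    status: str
    action: str


@dataclass
class Service:
    name: str
    items: list = field(default_factory=list)

    def action_for(self, status):
        """Return the action to take after this service reported `status`."""
        for item in self.items:
            if (item.status == status) != item.negated:
                return item.action
        return DEFAULT_ACTIONS[status]


# Either a bracketed action list or a bare service name.
_TOKEN_RE = re.compile(r"\[([^\]]*)\]|([^\s\[\]]+)")


def parse_nsswitch_line(line):
    """Parse one 'database: service [items] service ...' line.

    Returns (database, [Service, ...]). A bracketed list binds to the service
    immediately before it; a tokenizer that does not understand the brackets
    or the leading '!' would mis-read '[!UNAVAIL=return]' as a service name.
    """
    line = line.split("#", 1)[0].strip()          # drop trailing comment
    database, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in nsswitch line")
    services = []
    for match in _TOKEN_RE.finditer(rest):
        bracket, word = match.group(1), match.group(2)
        if word is not None:
            services.append(Service(word))
            continue
        if not services:
            raise ValueError("action list before any service")
        for item in bracket.split():
            negated = item.startswith("!")
            if negated:
                item = item[1:]
            status, eq, action = item.lower().partition("=")
            if not eq or status not in STATUSES or action not in ACTIONS:
                raise ValueError(f"bad action item {item!r}")
            services[-1].items.append(ActionItem(negated, status, action))
    return database.strip(), services


def walk(services, outcomes):
    """Simulate the NSS walk for one lookup.

    `outcomes` maps a service name to the status it would report; a service
    missing from the map is treated as unavail (module not loadable).
    Returns (services actually consulted, final status). 'merge' is treated
    like 'continue' here (simplification).
    """
    consulted = []
    final = "notfound"
    for svc in services:
        status = outcomes.get(svc.name, "unavail")
        consulted.append(svc.name)
        final = status
        if svc.action_for(status) == "return":
            break
    return consulted, final


if __name__ == "__main__":
    db, services = parse_nsswitch_line(HOSTS_LINE)
    print(db, [s.name for s in services])
    # resolved answers NOTFOUND: [!UNAVAIL=return] stops the walk, dns is skipped.
    print(walk(services, {"files": "notfound", "mymachines": "notfound",
                          "resolve": "notfound"}))
    # resolved is UNAVAIL (not running): the walk falls through to dns.
    print(walk(services, {"files": "notfound", "mymachines": "notfound",
                          "resolve": "unavail", "dns": "success"}))
```

The two simulated walks show why this line matters for a resolver that reads nsswitch.conf itself: when systemd-resolved is running and answers NOTFOUND, the negated item ends the lookup and `dns` is never consulted, whereas when the `resolve` module is unavailable the walk continues to `dns`. A parser that chokes on the `!` cannot reproduce either behaviour.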