
gpg recv-keys fail if first dns server end up with "Connection refused"
Closed, ResolvedPublic

Description

If, for example, you have 2 DNS servers in /etc/resolv.conf and the first of them returns "connection refused", the whole check fails; it might be a problem further upstream (libdns).

$ cat /etc/resolv.conf
nameserver 127.0.0.1 #bad server that returns connection refused - might be a local dns cache that did die like in my case
nameserver 8.8.8.8 #good server

$ gpg --recv-keys 8F0871F202119294
gpg: keyserver receive failed: Connection refused

$ dirmngr --debug-all --daemon --no-detach
dirmngr[15063]: Note: no default option file '/home/kolorafa/.gnupg/dirmngr.conf'
dirmngr[15063]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog
dirmngr[15063]: listening on socket '/run/user/1000/gnupg/S.dirmngr'
DIRMNGR_INFO=/run/user/1000/gnupg/S.dirmngr:15064:1; export DIRMNGR_INFO;
dirmngr[15064.0]: permanently loaded certificates: 146
dirmngr[15064.0]: runtime cached certificates: 0
dirmngr[15064.0]: trusted certificates: 146 (145,0,0,1)
dirmngr[15064.5]: handler for fd 5 started
dirmngr[15064.5]: DBG: chan_5 -> # Home: /home/kolorafa/.gnupg
dirmngr[15064.5]: DBG: chan_5 -> # Config: [none]
dirmngr[15064.5]: DBG: chan_5 -> OK Dirmngr 2.1.23 at your service
dirmngr[15064.5]: connection from process 15067 (1000:100)
dirmngr[15064.5]: DBG: chan_5 <- GETINFO version
dirmngr[15064.5]: DBG: chan_5 -> D 2.1.23
dirmngr[15064.5]: DBG: chan_5 -> OK
dirmngr[15064.5]: DBG: chan_5 <- KS_GET -- 0x8F0871F202119294
dirmngr[15064.5]: DBG: dns: libdns initialized
dirmngr[15064.5]: DBG: dns: getsrv(_pgpkey-https._tcp.hkps.pool.sks-keyservers.net): Connection refused
dirmngr[15064.5]: command 'KS_GET' failed: Connection refused
dirmngr[15064.5]: DBG: chan_5 -> ERR 167804953 Connection refused <Dirmngr>
dirmngr[15064.5]: DBG: chan_5 <- BYE
dirmngr[15064.5]: DBG: chan_5 -> OK closing connection
dirmngr[15064.5]: handler for fd 5 terminated

If I comment out the bad one, leaving only the good one, everything works:
$ dirmngr --debug-all --daemon
dirmngr[15249]: Note: no default option file '/home/kolorafa/.gnupg/dirmngr.conf'
dirmngr[15249]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog
dirmngr[15249]: listening on socket '/run/user/1000/gnupg/S.dirmngr'
DIRMNGR_INFO=/run/user/1000/gnupg/S.dirmngr:15250:1; export DIRMNGR_INFO;
dirmngr[15250.0]: permanently loaded certificates: 146
dirmngr[15250.0]: runtime cached certificates: 0
dirmngr[15250.0]: trusted certificates: 146 (145,0,0,1)
dirmngr[15250.5]: handler for fd 5 started
dirmngr[15250.5]: DBG: chan_5 -> # Home: /home/kolorafa/.gnupg
dirmngr[15250.5]: DBG: chan_5 -> # Config: [none]
dirmngr[15250.5]: DBG: chan_5 -> OK Dirmngr 2.1.23 at your service
dirmngr[15250.5]: connection from process 15251 (1000:100)
dirmngr[15250.5]: DBG: chan_5 <- GETINFO version
dirmngr[15250.5]: DBG: chan_5 -> D 2.1.23
dirmngr[15250.5]: DBG: chan_5 -> OK
dirmngr[15250.5]: DBG: chan_5 <- KS_GET -- 0x8F0871F202119294
dirmngr[15250.5]: DBG: dns: libdns initialized
dirmngr[15250.5]: DBG: dns: getsrv(_pgpkey-https._tcp.hkps.pool.sks-keyservers.net) -> 0 records
dirmngr[15250.5]: DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): Success
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a02:c205:3001:3626::1]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a02:898:31:0:48:4558:73:6b73]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a00:14b0:4200:3000:27::27]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2606:1c00:2802::b]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:214f:200::1]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:738:0:600:216:3eff:fe02:42]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:610:1:40cc::9164:b9e5]'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '212.12.48.27'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '193.224.163.43'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '193.164.133.100'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.94.109.73'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '176.9.147.41'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '145.100.185.229'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '94.142.242.225'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '92.43.111.21'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138'
dirmngr[15250.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15250.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.0.17'
dirmngr[15250.5]: DBG: http.c:connect_server: trying name='212.12.48.27' port=443
dirmngr[15250.5]: DBG: dns: resolve_dns_name(212.12.48.27): Success
dirmngr[15250.5]: DBG: http.c:1819:socket_new: object 0x00007f7340008660 for fd 7 created
dirmngr[15250.5]: DBG: http.c:request:
dirmngr[15250.5]: DBG: >> GET /pks/lookup?op=get&options=mr&search=0x8F0871F202119294 HTTP/1.0\r\n
dirmngr[15250.5]: DBG: >> Host: hkps.pool.sks-keyservers.net\r\n
dirmngr[15250.5]: DBG: http.c:request-header:
dirmngr[15250.5]: DBG: >> \r\n
dirmngr[15250.5]: DBG: http.c:response:
dirmngr[15250.5]: DBG: >> HTTP/1.1 200 OK\r\n
dirmngr[15250.5]: http.c:RESP: 'Date: Mon, 28 Aug 2017 12:08:46 GMT'
dirmngr[15250.5]: http.c:RESP: 'Content-Type: application/pgp-keys; charset=UTF-8'
dirmngr[15250.5]: http.c:RESP: 'Content-Length: 3045'
dirmngr[15250.5]: http.c:RESP: 'Connection: close'
dirmngr[15250.5]: http.c:RESP: 'Server: sks_www/1.1.6'
dirmngr[15250.5]: http.c:RESP: 'Cache-Control: no-cache'
dirmngr[15250.5]: http.c:RESP: 'Pragma: no-cache'
dirmngr[15250.5]: http.c:RESP: 'Expires: 0'
dirmngr[15250.5]: http.c:RESP: 'X-HKP-Results-Count: 1'
dirmngr[15250.5]: http.c:RESP: 'Content-disposition: attachment; filename=gpgkey.asc'
dirmngr[15250.5]: http.c:RESP: 'Access-Control-Allow-Origin: *'
dirmngr[15250.5]: http.c:RESP: 'Via: 1.1 keys.digitalis.org:443 (nginx)'
dirmngr[15250.5]: http.c:RESP: ''
dirmngr[15250.5]: DBG: chan_5 -> S SOURCE https://212.12.48.27:443
dirmngr[15250.5]: DBG: (3045 bytes sent via D lines not shown)
dirmngr[15250.5]: DBG: chan_5 -> OK
dirmngr[15250.5]: DBG: chan_5 <- BYE
dirmngr[15250.5]: DBG: chan_5 -> OK closing connection
dirmngr[15250.5]: handler for fd 5 terminated

Sometimes I also get a "Network is unreachable" because of missing IPv6; maybe there could be logic that tries at least one IPv4 and one IPv6 address before failing? That would be great :)

$ killall dirmngr; sleep 1; dirmngr --debug-all --daemon
dirmngr[15320.0]: SIGTERM received - shutting down ...
dirmngr[15320.0]: dirmngr (GnuPG) 2.1.23 stopped
dirmngr[15353]: Note: no default option file '/home/kolorafa/.gnupg/dirmngr.conf'
dirmngr[15353]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog
dirmngr[15353]: listening on socket '/run/user/1000/gnupg/S.dirmngr'
DIRMNGR_INFO=/run/user/1000/gnupg/S.dirmngr:15354:1; export DIRMNGR_INFO;
dirmngr[15354.0]: permanently loaded certificates: 146
dirmngr[15354.0]: runtime cached certificates: 0
dirmngr[15354.0]: trusted certificates: 146 (145,0,0,1)
dirmngr[15354.5]: handler for fd 5 started
dirmngr[15354.5]: DBG: chan_5 -> # Home: /home/kolorafa/.gnupg
dirmngr[15354.5]: DBG: chan_5 -> # Config: [none]
dirmngr[15354.5]: DBG: chan_5 -> OK Dirmngr 2.1.23 at your service
dirmngr[15354.5]: connection from process 15357 (1000:100)
dirmngr[15354.5]: DBG: chan_5 <- GETINFO version
dirmngr[15354.5]: DBG: chan_5 -> D 2.1.23
dirmngr[15354.5]: DBG: chan_5 -> OK
dirmngr[15354.5]: DBG: chan_5 <- KS_GET -- 0x8F0871F202119294
dirmngr[15354.5]: DBG: dns: libdns initialized
dirmngr[15354.5]: DBG: dns: getsrv(_pgpkey-https._tcp.hkps.pool.sks-keyservers.net) -> 0 records
dirmngr[15354.5]: DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): Success
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a02:c205:3001:3626::1]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a02:898:31:0:48:4558:73:6b73]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a00:14b0:4200:3000:27::27]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2606:1c00:2802::b]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:214f:200::1]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:738:0:600:216:3eff:fe02:42]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:610:1:40cc::9164:b9e5]'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '212.12.48.27'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '193.224.163.43'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '193.164.133.100'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.94.109.73'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '176.9.147.41'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '145.100.185.229'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '94.142.242.225'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '92.43.111.21'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138'
dirmngr[15354.5]: DBG: dns: resolve_dns_addr(): Success
dirmngr[15354.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.0.17'
dirmngr[15354.5]: DBG: http.c:connect_server: trying name='2001:bc8:214f:200::1' port=443
dirmngr[15354.5]: DBG: dns: resolve_dns_name(2001:bc8:214f:200::1): Success
dirmngr[15354.5]: can't connect to '2001:bc8:214f:200::1': Network is unreachable
dirmngr[15354.5]: error connecting to 'https://[2001:bc8:214f:200::1]:443': Network is unreachable
dirmngr[15354.5]: marking host '[2001:bc8:214f:200::1]' as dead
dirmngr[15354.5]: DBG: http.c:connect_server: trying name='2a01:4a0:59:1000:223:9eff:fe00:100f' port=443
dirmngr[15354.5]: DBG: dns: resolve_dns_name(2a01:4a0:59:1000:223:9eff:fe00:100f): Success
dirmngr[15354.5]: can't connect to '2a01:4a0:59:1000:223:9eff:fe00:100f': Network is unreachable
dirmngr[15354.5]: error connecting to 'https://[2a01:4a0:59:1000:223:9eff:fe00:100f]:443': Network is unreachable
dirmngr[15354.5]: marking host '[2a01:4a0:59:1000:223:9eff:fe00:100f]' as dead
dirmngr[15354.5]: DBG: http.c:connect_server: trying name='2001:738:0:600:216:3eff:fe02:42' port=443
dirmngr[15354.5]: DBG: dns: resolve_dns_name(2001:738:0:600:216:3eff:fe02:42): Success
dirmngr[15354.5]: can't connect to '2001:738:0:600:216:3eff:fe02:42': Network is unreachable
dirmngr[15354.5]: error connecting to 'https://[2001:738:0:600:216:3eff:fe02:42]:443': Network is unreachable
dirmngr[15354.5]: marking host '[2001:738:0:600:216:3eff:fe02:42]' as dead
dirmngr[15354.5]: DBG: http.c:connect_server: trying name='2001:bc8:4700:2300::10:f15' port=443
dirmngr[15354.5]: DBG: dns: resolve_dns_name(2001:bc8:4700:2300::10:f15): Success
dirmngr[15354.5]: can't connect to '2001:bc8:4700:2300::10:f15': Network is unreachable
dirmngr[15354.5]: error connecting to 'https://[2001:bc8:4700:2300::10:f15]:443': Network is unreachable
dirmngr[15354.5]: marking host '[2001:bc8:4700:2300::10:f15]' as dead
dirmngr[15354.5]: command 'KS_GET' failed: Network is unreachable
dirmngr[15354.5]: DBG: chan_5 -> ERR 167805002 Network is unreachable <Dirmngr>
dirmngr[15354.5]: DBG: chan_5 <- BYE
dirmngr[15354.5]: DBG: chan_5 -> OK closing connection
dirmngr[15354.5]: handler for fd 5 terminated
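As an added illustration (not GnuPG's or libdns's code), this is the resolver policy the report asks for: walk the nameservers from resolv.conf and treat a refused connection on one as a reason to try the next, and order the resulting addresses so both IPv6 and IPv4 are tried before giving up. The query function is a constructed stand-in that mimics the report's two servers; the resolv.conf text is a constructed copy of the one above.

```python
import errno
import ipaddress
from typing import Callable, Iterable, List

# Constructed sample mirroring the two-server /etc/resolv.conf in the report.
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.1 #bad server that returns connection refused
nameserver 8.8.8.8 #good server
"""

def parse_nameservers(text: str) -> List[str]:
    """Return nameserver addresses from a resolv.conf body, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

# A query callable takes (nameserver, name) and returns address strings, or
# raises OSError (e.g. ECONNREFUSED) when that server cannot be reached.
Query = Callable[[str, str], List[str]]

def resolve_with_failover(name: str, nameservers: Iterable[str], query: Query) -> List[str]:
    """Walk the nameservers in order; a transport error from one is not fatal
    while another remains. Only when every server fails is the last error raised."""
    last_err = None
    for ns in nameservers:
        try:
            return query(ns, name)
        except OSError as e:
            last_err = e
    raise last_err or OSError(errno.ENOENT, "no nameservers configured")

def interleave_families(addrs: List[str]) -> List[str]:
    """Alternate IPv6 and IPv4 candidates so a host without IPv6 routing reaches
    an IPv4 address on its second attempt instead of marking several v6 hosts dead."""
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    out = [a for pair in zip(v6, v4) for a in pair]
    longer = v6 if len(v6) > len(v4) else v4
    return out + longer[min(len(v6), len(v4)):]

def fake_query(ns: str, name: str) -> List[str]:
    """Constructed stand-in: 127.0.0.1 refuses as in the report, 8.8.8.8 answers."""
    if ns == "127.0.0.1":
        raise OSError(errno.ECONNREFUSED, "Connection refused")
    return ["2001:db8::1", "2001:db8::2", "192.0.2.1", "192.0.2.2", "192.0.2.3"]
```

With the sample file, `resolve_with_failover` skips 127.0.0.1 and returns the answer from 8.8.8.8, which is the behaviour the report found missing.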

Details

Version
2.1.23

Event Timeline

werner triaged this task as Normal priority. Aug 28 2017, 7:34 PM
werner added a project: dns.

I'm using gnupg 2.2.4 and this problem repros for me, and it impacts downstream things like pacman-key (Arch Linux) quite insidiously, which fails with a misleading error message that would not point a regular user to this line of investigation.

$ sudo pacman-key --refresh-keys
gpg: refreshing 101 keys from hkp://pool.sks-keyservers.net
gpg: keyserver refresh failed: Connection refused
==> ERROR: A specified local key could not be updated from a keyserver.
werner raised the priority of this task from Normal to High. Jan 10 2018, 4:11 PM
gniibe changed the task status from Open to Testing. Jun 20 2018, 4:34 AM

Applied to 2.2 branch.