WKD via http_proxy does not work if DNS is broken/unavailable
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	mgorny
	Oct 25 2019, 10:52 AM

Description

Fetching keys via WKD does not work in isolated environments where DNS server is unavailable and the only method connecting to the outside world is via http_proxy. The relevant portion of dirmngr log is:

2019-10-17 16:28:05 dirmngr[17548] listening on socket '/tmp/gpg/S.dirmngr'
2019-10-17 16:28:05 dirmngr[17549.0] permanently loaded certificates: 141
2019-10-17 16:28:05 dirmngr[17549.0]     runtime cached certificates: 0
2019-10-17 16:28:05 dirmngr[17549.0]            trusted certificates: 141 (140,0,0,1)
2019-10-17 16:28:05 dirmngr[17549.6] handler for fd 6 started
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> # Home: /tmp/gpg
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> # Config: /tmp/gpg/dirmngr.conf
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> OK Dirmngr 2.2.17 at your service
2019-10-17 16:28:05 dirmngr[17549.6] connection from process 17546 (0:0)
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 <- GETINFO version
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> D 2.2.17
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> OK
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 <- WKD_GET -- infrastructure@gentoo.org
2019-10-17 16:28:05 dirmngr[17549.6] DBG: dns: libdns initialized
2019-10-17 16:28:05 dirmngr[17549.6] DBG: dns: resolve_dns_name(openpgpkey.gentoo.org): Server indicated a failure
2019-10-17 16:28:05 dirmngr[17549.6] DBG: dns: getsrv(_openpgpkey._tcp.gentoo.org): Server indicated a failure
2019-10-17 16:28:05 dirmngr[17549.6] command 'WKD_GET' failed: Server indicated a failure <Unspecified source>
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 <- BYE
2019-10-17 16:28:05 dirmngr[17549.6] DBG: chan_6 -> OK closing connection
2019-10-17 16:28:05 dirmngr[17549.6] handler for fd 6 terminated

FWICS, dirmngr is trying to perform a DNS lookup for the more fancy WKD method. However, when the lookup results in server failure, it aborts immediately rather than going for the proxy as if the lookup resulted no entries.

Details

Version: 2.2.17

Revisions and Commits

rG GnuPG
	rG6d30fb6940d5 dirmngr: Make WKD_GET work even for servers not handling SRV RRs.
	rG92c8ae720e69 dirmngr: Make WKD_GET work even for servers not handling SRV RRs.

Related Objects

Mentioned In: T5928: Release GnuPG 2.2.35
T5743: Release GnuPG 2.3.5

Event Timeline

mgorny created this task.Oct 25 2019, 10:52 AM

• werner triaged this task as Normal priority.Oct 25 2019, 11:01 AM

• werner edited projects, added dirmngr, gnupg (gpg23), dns; removed Bug Report.

• werner claimed this task.Mar 16 2022, 4:30 PM

• werner raised the priority of this task from Normal to High.

• werner edited projects, added Restricted Project, gnupg (gpg22); removed gnupg (gpg23).

• werner added a commit: rG92c8ae720e69: dirmngr: Make WKD_GET work even for servers not handling SRV RRs..Mar 21 2022, 10:40 PM

Actually this is pretty obvious; we better ignore such misbehaving servers.

• werner added a commit: rG6d30fb6940d5: dirmngr: Make WKD_GET work even for servers not handling SRV RRs..Mar 21 2022, 10:41 PM

• werner changed the task status from Open to Testing.Mar 21 2022, 10:56 PM

• werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

• werner mentioned this in T5743: Release GnuPG 2.3.5.Apr 21 2022, 5:59 PM

Was fixed in 2.3.5

• werner mentioned this in T5928: Release GnuPG 2.2.35.Apr 25 2022, 7:12 PM

• ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 5 2023, 1:53 PM