Page MenuHome GnuPG

Members

  • This project does not have any members.
  • View All

Watchers

  • This project does not have any watchers.
  • View All

Details

Description

DNS related

Recent Activity

Jun 26 2023

werner claimed T6500: Keyserver access via http-proxy isn't attempted when using standard-resolver.
Jun 26 2023, 4:37 PM · dns, gnupg24, Bug Report

May 24 2023

mgorny added a comment to T6500: Keyserver access via http-proxy isn't attempted when using standard-resolver.

For the record, we've removed the SRV record for keys.gentoo.org for now, to work around the problem. Without the SRV record, everything works as expected.

May 24 2023, 10:03 AM · dns, gnupg24, Bug Report

May 22 2023

werner added projects to T6500: Keyserver access via http-proxy isn't attempted when using standard-resolver: gnupg24, dns.

Seems it gets a record but is not able to parse it (gnupg/dirmngr/dns-stuff.c:getsrv-standard) in your setup. Not sure why it loops - need to debug it.

May 22 2023, 9:25 AM · dns, gnupg24, Bug Report

Apr 5 2023

ebo moved T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Apr 5 2023, 1:53 PM · gnupg (gpg22), Restricted Project, dns, dirmngr

Jan 19 2023

werner removed a project from T4443: IPv6 address with scope not accepted as keyserver: gnupg (gpg23).
Jan 19 2023, 4:51 PM · gnupg24, dirmngr, dns, Bug Report

Apr 25 2022

werner closed T4729: WKD via http_proxy does not work if DNS is broken/unavailable as Resolved.

Was fixed in 2.3.5

Apr 25 2022, 4:53 PM · gnupg (gpg22), Restricted Project, dns, dirmngr

Mar 21 2022

werner moved T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Mar 21 2022, 10:56 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner changed the status of T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Open to Testing.
Mar 21 2022, 10:56 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner added a comment to T4729: WKD via http_proxy does not work if DNS is broken/unavailable.

Actually this is pretty obvious; we better ignore such misbehaving servers.

Mar 21 2022, 10:40 PM · gnupg (gpg22), Restricted Project, dns, dirmngr

Mar 16 2022

werner claimed T4729: WKD via http_proxy does not work if DNS is broken/unavailable.
Mar 16 2022, 4:31 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner raised the priority of T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Normal to High.
Mar 16 2022, 4:30 PM · gnupg (gpg22), Restricted Project, dns, dirmngr

Dec 6 2021

piec added a comment to T5657: dirmngr: libdns sends malformed dns requests.

Hi guys, I just tested the git version (426d82fcf1c133bfc1d5c931109d71db3f3815a9) and it works well thank you.

Dec 6 2021, 11:02 AM · Info Needed, Bug Report, dns, dirmngr
gniibe closed T5657: dirmngr: libdns sends malformed dns requests as Resolved.

Fixed in 2.2.33.

Dec 6 2021, 1:01 AM · Info Needed, Bug Report, dns, dirmngr

Oct 15 2021

gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

I don't know if it's same in your case, but to fix my case, I pushed a change rG48359c723206: dns: Make reading resolv.conf more robust.

Oct 15 2021, 3:52 AM · Info Needed, Bug Report, dns, dirmngr
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

I managed to create a case. Put a line:

Oct 15 2021, 3:28 AM · Info Needed, Bug Report, dns, dirmngr
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

BTW, in your screen shot (log is preferred here), it shows 1c00, that must be actually written as AAAA (0x1c). In the bug T3803, we saw byte sequence like that, additional 00 was added then resulted malformed DNS packet.

Oct 15 2021, 2:17 AM · Info Needed, Bug Report, dns, dirmngr

Oct 14 2021

werner triaged T5657: dirmngr: libdns sends malformed dns requests as Normal priority.
Oct 14 2021, 1:26 PM · Info Needed, Bug Report, dns, dirmngr
werner added a comment to T5657: dirmngr: libdns sends malformed dns requests.

dots are not allowed in hostnames.

Oct 14 2021, 1:25 PM · Info Needed, Bug Report, dns, dirmngr
piec added a comment to T5657: dirmngr: libdns sends malformed dns requests.

OK, I'll gdb in there to see what happens. My domain is a classic pgp.domain.com

Oct 14 2021, 11:13 AM · Info Needed, Bug Report, dns, dirmngr
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

Ah, other possible case is .. in hostname.

Oct 14 2021, 7:50 AM · Info Needed, Bug Report, dns, dirmngr
gniibe added a project to T5657: dirmngr: libdns sends malformed dns requests: Info Needed.
Oct 14 2021, 7:45 AM · Info Needed, Bug Report, dns, dirmngr
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

It's hard to investigate your problem, with no information of host for the query.
I mean, there is no case to replicate (for us).

Oct 14 2021, 7:44 AM · Info Needed, Bug Report, dns, dirmngr

Oct 13 2021

piec created T5657: dirmngr: libdns sends malformed dns requests.
Oct 13 2021, 5:10 PM · Info Needed, Bug Report, dns, dirmngr

Aug 13 2021

werner changed the edit policy for dns.
Aug 13 2021, 10:56 PM

Dec 22 2020

pert added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

Granted I'm not familiar with the functions and it may not be applicable, but the DNS resolver functions in the GNU C Library have semi-recently gained parameters (RES_USE_DNSSEC) to check for DNSSEC validation IIRC. Recent versions of glibc also don't trust the 'ad' bit unless an indication of its trustworthiness is set in /etc/resolv.conf, say if using a local validating resolver, so one can be sure that it's trustworthy. It also appears musl libc may support this.

Dec 22 2020, 5:35 AM · dns, dirmngr

Nov 26 2020

gniibe added a comment to T3722: gpg "No name" error.

Or it might be related issue of name server access like in T3168: dirmngr: gpg: keyserver receive failed: No keyserver available.

Nov 26 2020, 7:56 AM · dns
gniibe added a parent task for T3168: dirmngr: gpg: keyserver receive failed: No keyserver available: T3517: dirmngr: retry without SRV due to buggy routers.
Nov 26 2020, 7:51 AM · dns, dirmngr
gniibe added a subtask for T3517: dirmngr: retry without SRV due to buggy routers: T3168: dirmngr: gpg: keyserver receive failed: No keyserver available.
Nov 26 2020, 7:51 AM · Feature Request, dns, dirmngr
gniibe merged task T3722: gpg "No name" error into T3517: dirmngr: retry without SRV due to buggy routers.
Nov 26 2020, 7:31 AM · dns
gniibe merged T3722: gpg "No name" error into T3517: dirmngr: retry without SRV due to buggy routers.
Nov 26 2020, 7:31 AM · Feature Request, dns, dirmngr
gniibe added a comment to T3722: gpg "No name" error.

This must be an issue of SRV record retrieval.
Merging.

Nov 26 2020, 7:31 AM · dns

Jul 1 2020

werner closed T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures as Wontfix.
Jul 1 2020, 2:10 PM · dns, dirmngr
werner added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

DANE for OpenPGP is an experimental RFC (RFC-7929) and it is likely that we will remove the support because it is too hard for most users to add keys to a zone. Further a validating resolver on the desktop is too hard to maintain and the cause of too many other failures. And no, unbound etc is not an option because it is not usable by the majority of GnuPG users.

Jul 1 2020, 2:10 PM · dns, dirmngr

Jun 30 2020

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

The same concern has been reported at https://bugs.debian.org/964033 -- if dirmngr is not going to follow the specification, it should at least document (and maybe warn?) about how it is divergent.

Jun 30 2020, 9:30 PM · dns, dirmngr

Oct 25 2019

werner triaged T4729: WKD via http_proxy does not work if DNS is broken/unavailable as Normal priority.
Oct 25 2019, 11:01 AM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner triaged T4728: GnuPG fails to connect to 127.0.0.1 when many domains are specified in /etc/hosts as Normal priority.
Oct 25 2019, 11:00 AM · gnupg24, gnupg (gpg23), dns, dirmngr
mgorny added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Ping.

Oct 25 2019, 10:54 AM · Keyserver, dns, dirmngr, Bug Report

Aug 22 2019

gniibe closed T4228: Leaked FILE from tmpfile() in dns.c dns_trace_open as Resolved.

Fixed in master.

Aug 22 2019, 5:55 AM · dns, gnupg
gniibe added a comment to T4228: Leaked FILE from tmpfile() in dns.c dns_trace_open.

This part of code is questionable. It always comes fp!=NULL, so the part should be removed.
If fp==NULL, use of tmpfile is quite questionable because a user can't know where the trace output goes.
I'm going to remove that part.

Aug 22 2019, 5:54 AM · dns, gnupg

Aug 10 2019

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

WKD and DANE/OPENPGPKEY offer rather distinct properties. I'd be hard-pressed to say that one is "better" than the other without understanding the threat model and concerns of the evaluator:

Aug 10 2019, 4:24 AM · dns, dirmngr

Aug 6 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

DNSSEC is a centralized CA system. Just different than the TLS one. Given that Certificate Transparency exists I'd say DNSSEC is less transparent than TLS. For example if you happen to have a .ly domain then the Libyan can silently control your signed zone. Given that there is no CT for DNSSEC they can do so selectively, for any connection they want. It wouldn't be the first problem with them.

Aug 6 2019, 1:56 PM · dns, dirmngr
mejo added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

I'm left wondering: are there cases where OPENPGPKEY would be preferred over WKD?

Aug 6 2019, 1:43 PM · dns, dirmngr

Jul 11 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

Is this really necessary to duplicate functionality that already is provided by Web Key Directory?

Jul 11 2019, 12:25 PM · dns, dirmngr

Jul 10 2019

dkg added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

I agree, many currently-shipped DNS client library implementations do not provide DNSSEC validity checks.

Jul 10 2019, 9:44 PM · dns, dirmngr
werner triaged T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures as Normal priority.

Sure it is not validated. Standard clients do not provide the system features to do that. That is one of the problems with DNSSEC adoption - it works only for servers in practice.

Jul 10 2019, 7:17 PM · dns, dirmngr
dkg created T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.
Jul 10 2019, 6:48 PM · dns, dirmngr

Jul 3 2019

werner changed the edit policy for T3065: dirmngr: proxy issues with dnslookup causing failure.
Jul 3 2019, 6:19 PM · gnupg (gpg22), dns, dirmngr
werner closed T3065: dirmngr: proxy issues with dnslookup causing failure as Invalid.

I asked you to carry this to a mailing list and not re-open this task.

Jul 3 2019, 6:19 PM · gnupg (gpg22), dns, dirmngr

May 23 2019

wheelerlaw reopened T3065: dirmngr: proxy issues with dnslookup causing failure as "Open".

Are you not reading what I am saying to you?? Once again, your explanation is INVALID because that would mean that gnupg would be BROKEN, because it would be a NON-COMPLIANT http client according to the RFC I quoted.

May 23 2019, 1:58 PM · gnupg (gpg22), dns, dirmngr
werner closed T3065: dirmngr: proxy issues with dnslookup causing failure as Wontfix.

I explained why the keyserver access requires access to the DNS. If that is not possible the keyserver code will not work. If you don't allow DNS to work you either have to use Tor (which we use to also tunnel DNS requests) or get your keys from elsewhere. Also note that the keyserver network is current several broken and under DoS and thus it is unlikely that it can be operated in the future.

May 23 2019, 9:42 AM · gnupg (gpg22), dns, dirmngr