[pkg-gnupg-maint] Bug#862682: dirmngr fails to resolve keyservers over IPv6

Eric Landgraf echarlie at vt.edu
Mon May 15 19:44:06 UTC 2017


Package: dirmngr
Version: 2.1.18-6

When nameservers in /etc/resolv.conf are only IPv6 addresses, dirmngr
fails to resolve hostnames. System is up-to-date Stretch install (kernel
4.9.0-2-amd64 #1 SMP Debian 4.9.18-1, glibc 2.24-10).

Expected behaviour: dirmngr works with IPv6 DNS resolvers.

~/.gnupg/dirmngr.conf:

    debug-all
    verbose

Transcript (gpg):

    $ gpg -vv --debug-all --keyserver keyserver.cns.vt.edu --recv-keys B2F41D360340F41AE0B2841773AC5687477EB9EE
    gpg: Note: no default option file '/home/eric/.gnupg/gpg.conf'
    gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
    gpg: DBG: [not enabled in the source] start
    gpg: DBG: chan_3 <- # Home: /home/eric/.gnupg
    gpg: DBG: chan_3 <- # Config: /home/eric/.gnupg/dirmngr.conf
    gpg: DBG: chan_3 <- OK Dirmngr 2.1.18 at your service
    gpg: DBG: connection to the dirmngr established
    gpg: DBG: chan_3 -> GETINFO version
    gpg: DBG: chan_3 <- D 2.1.18
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KEYSERVER --clear hkp://keyserver.cns.vt.edu
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KS_GET -- 0xB2F41D360340F41AE0B2841773AC5687477EB9EE
    gpg: DBG: chan_3 <- ERR 167772379 Server indicated a failure <Dirmngr>
    gpg: keyserver receive failed: Server indicated a failure
    gpg: DBG: chan_3 -> BYE
    gpg: DBG: [not enabled in the source] stop
    gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
                  outmix=0 getlvl1=0/0 getlvl2=0/0
    gpg: secmem usage: 0/65536 bytes in 0 blocks

System Journal:

    May 15 15:29:59 cannondale dirmngr[2563]: handler for fd 5 started
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> # Home: /home/eric/.gnupg
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> # Config: /home/eric/.gnupg/dirmngr.conf
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> OK Dirmngr 2.1.18 at your service
    May 15 15:29:59 cannondale dirmngr[2563]: connection from process 2759 (1000:1000)
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 <- GETINFO version
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> D 2.1.18
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> OK
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 <- KEYSERVER --clear hkp://keyserver.cns.vt.edu
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> OK
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 <- KS_GET -- 0xB2F41D360340F41AE0B2841773AC5687477EB9EE
    May 15 15:29:59 cannondale dirmngr[2563]: number of system provided CAs: 173
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: http.c:connect_server: trying name='keyserver.cns.vt.edu' port=11371
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: dns: resolve_dns_name(keyserver.cns.vt.edu): Server indicated a failure
    May 15 15:29:59 cannondale dirmngr[2563]: resolving 'keyserver.cns.vt.edu' failed: Server indicated a failure
    May 15 15:29:59 cannondale dirmngr[2563]: can't connect to 'keyserver.cns.vt.edu': host not found
    May 15 15:29:59 cannondale dirmngr[2563]: error connecting to 'http://keyserver.cns.vt.edu:11371': Server indicated a failure
    May 15 15:29:59 cannondale dirmngr[2563]: command 'KS_GET' failed: Server indicated a failure
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> ERR 167772379 Server indicated a failure <Dirmngr>
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 <- BYE
    May 15 15:29:59 cannondale dirmngr[2563]: DBG: chan_5 -> OK closing connection
    May 15 15:29:59 cannondale dirmngr[2563]: handler for fd 5 terminated

When I add a legacy IP DNS server to my /etc/resolv.conf and restart
dirmngr.socket, things behave as expected (I won't include the transcript).

I also ran a tcpdump; no network traffic is generated by dirmngr to my
DNS servers when I only specify IPv6 addresses, and the SRV query (when
I modify my resolv.conf) is over legacy IP.

	Regards,
	Eric C. Landgraf
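
A triage check for the condition this report describes, added here as an example (it is not part of the original message or of GnuPG): it decides whether every nameserver in a resolv.conf is IPv6 and looks for the dirmngr `resolve_dns_name` failure line seen in the journal above. The resolv.conf samples and all function names are constructed for illustration; the journal lines are copied from the report.

```python
import ipaddress
import re

# The dirmngr debug line format shown in the report's journal excerpt.
DNS_FAIL = re.compile(r"dirmngr\[\d+\]: DBG: dns: resolve_dns_name\(([^)]+)\): (.+)$")

def nameservers(resolv_text):
    """Return ip_address objects for each 'nameserver' line of resolv.conf text."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, 'search', 'options', blank lines
        try:
            # Drop an IPv6 zone id (fe80::1%eth0) before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue  # malformed address: skip it
    return servers

def ipv6_only(resolv_text):
    """True when at least one nameserver is configured and all are IPv6."""
    servers = nameservers(resolv_text)
    return bool(servers) and all(s.version == 6 for s in servers)

def dns_failures(journal_text):
    """Return (hostname, error) pairs for dirmngr DNS resolution failures."""
    return [m.groups() for line in journal_text.splitlines()
            if (m := DNS_FAIL.search(line))]

def triage(resolv_text, journal_text):
    if not dns_failures(journal_text):
        return "no dirmngr DNS failures logged"
    if ipv6_only(resolv_text):
        return "matches this report: IPv6-only resolv.conf and dirmngr DNS failures"
    return "dirmngr DNS failures, but an IPv4 nameserver is configured"

# Constructed resolv.conf samples (documentation address ranges).
RESOLV_V6 = "# constructed sample\nnameserver 2001:db8::53\nnameserver 2001:db8::1:53\n"
RESOLV_MIXED = RESOLV_V6 + "nameserver 192.0.2.53\n"
# Journal lines copied from the report.
JOURNAL = """\
May 15 15:29:59 cannondale dirmngr[2563]: DBG: http.c:connect_server: trying name='keyserver.cns.vt.edu' port=11371
May 15 15:29:59 cannondale dirmngr[2563]: DBG: dns: resolve_dns_name(keyserver.cns.vt.edu): Server indicated a failure
May 15 15:29:59 cannondale dirmngr[2563]: resolving 'keyserver.cns.vt.edu' failed: Server indicated a failure
"""

if __name__ == "__main__":
    print(triage(RESOLV_V6, JOURNAL))
    print(triage(RESOLV_MIXED, JOURNAL))
```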
