gpg: error retrieving 'erich at eckner.net' via WKD: Connection closed in DNS

Erich Eckner gnupg at eckner.net
Fri Jan 22 13:24:22 CET 2021


On Fri, 22 Jan 2021, Werner Koch wrote:

> On Thu, 21 Jan 2021 15:05, Erich Eckner said:
>
>> 2021-01-21 14:41:32 dirmngr[3623955.6] DBG: dns: libdns initialized (tor mode)
>> 2021-01-21 14:41:32 dirmngr[3623955.6] DBG: dns:
>
> You are using Tor for DNS queries, that is the actual DNS server is
> 8.8.8.8.  Tor mode is used if you are running the Tor client or the Tor
> browser.  Put no-use-tor into dirmngr.conf and to get DNS debug messages
> add "debug dns".

Ah, indeed: one machine runs a tor client, adding "no-use-tor" makes
things work there (as far as I can see, there is no tor dns endpoint
exposed on that box). The other doesn't run tor, but adding "no-use-tor"
makes things work there, too.

To summarize the running DNS relevant software:

Box 1: tor (but no DNS endpoint exposed), named listening on 127.0.0.1:53 
(used by /etc/resolv.conf)

Box 2: named listening on 127.0.0.1:53 (used by /etc/resolv.conf), dnsdist 
listening on $all_public_ips:53 (used by external clients, relaying to 
named and iodine as needed), iodine listening on 127.0.0.1:5353

Does gnupg interpret any of these as tor dns endpoints? How does gnupg
determine how to query dns?

The additional "debug dns" line didn't change anything noticeably for me, 
I already have "debug ipc,network,dns", so probably it's redundant?

I'd prefer to use tor for retrieving keys (if possible). Is there a 
possibility to turn off dns resolution via tor, but still do all the rest 
through tor?

>
>> getsrv(_openpgpkey._tcp.eckner.net): Verbindung im DNS geschlossen
>
> (Yes, I know, GnuPG has too much debug stuff i18n).
>
>> I wonder, though, why the tried things differ on both machines - both run
>> arch linux with gnupg 2.2.26 and libgcrypt 1.8.7, no gpg.conf.
>
> Any proxy, Tor software running.  You may try "disable-ipv6" or
> "disable-ipv4" in your dirmngr.conf.

disable-ipv4 / disable-ipv6 does not make any difference (without also 
adding "no-use-tor", of course)

>
> FWIW, "gpgconf --show-versions" gives information on the used libraries,
> CPU, etc.

From Box #2:

---8<---8<---8<---8<---8<---

* GnuPG 2.2.27 (0000000)
GNU/Linux

* Libgcrypt 1.8.7 ()
version:1.8.7:10807:1.39-unknown:12700:
cc:100200:gcc:10.2.0:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:
rnd-mod:linux:
cpu-arch:x86:
mpi-asm:amd64/mpih-add1.S:amd64/mpih-sub1.S:amd64/mpih-mul1.S:amd64/mpih-mul2.S:amd64/mpih-mul3.S:amd64/mpih-lshift.S:amd64/mpih-rshift.S:
hwflist:intel-cpu:intel-fast-shld:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-fast-vpgather:intel-rdtsc:
fips-mode:n:n:
rng-type:standard:1:2010000:1:

* GpgRT 1.41-unknown (0000000)

* Libassuan 2.5.4 (e368b40)

* KSBA 1.4.0 (?)

* GNUTLS 3.7.0

--->8--->8--->8--->8--->8---

I don't see any libdns there. Box #1 only differs in the cpu flags line:

-hwflist:intel-cpu:intel-fast-shld:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-fast-vpgather:intel-rdtsc:
+hwflist:intel-cpu:intel-fast-shld:intel-ssse3:intel-sse4.1:intel-pclmul:intel-avx:intel-rdtsc:

>
>
> Shalom-Salam,
>
>   Werner

Thank you for your time.

Cheers,
Erich
