gpg: error retrieving 'erich at' via WKD: Connection closed in DNS

Werner Koch wk at
Fri Jan 22 14:49:37 CET 2021

On Fri, 22 Jan 2021 13:24, Erich Eckner said:

> Box 1: tor (but no DNS endpoint exposed), named listening on
> (used by /etc/resolv.conf)

In Tor mode we use as DNS Server unless you use

   --nameserver ipaddr

     In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve
     DNS names.  If the default public resolver, which is,
     shall not be used a different one can be given us‐ ing this option.
     Note that a numerical IP address must be given (IPv6 or IPv4) and
     that no error checking is done for ipaddr.

this is all implemented using a full DNS resolver library inside dirmngr
(which you can also truns into a --recursive-resolver).  If you don't
want this, or DNS over Tor and if you are not on Windows you may use

> Box 2: named listening on (used by /etc/resolv.conf), dnsdist
> listening on $all_public_ips:53 (used by external clients, relaying to
> named and iodine as needed), iodine listening on
> Does gnupg interpret any of these as tor dns endpoints? How does gnupg
> determine, how to query dns?

In non-Tor mode /etc/resolv.conf etc is parsed.  --debug dns should show
errors or fallbacks for unknown statements.

> The additional "debug dns" line didn't change anything noticeably for me,
> I already have "debug ipc,network,dns", so probably it's redundant?

I see.  I would need to check how to enable all DNS debugging.  You have
"verbose" also in your dirmngr.conf?

> I'd prefer to use tor for retrieving keys (if possible). Is there a
> possibility to turn off dns resolution via tor, but still do all the rest
> through tor?

I don't think so.  It is quite some time since I last worked on the Tor
features.  (dirmngr/dns-stuff.c, dirmngr/dns.c are the main files)

> disable-ipv4 / disable-ipv6 does not make any difference (without also
> adding "no-use-tor", of course)

Sometimes it makes a difference in particular on my Windows VM.

> version:1.8.7:10807:1.39-unknown:12700:

Build against an older libgpg-error (aka gpgrt) version but that does
not matter.

> * GpgRT 1.41-unknown (0000000)

That is the actual version used.

> I don't see any libdns there. Box #1 only differs in the cpu flags line:

No library but the (modified) implementation by William Ahern.

CPU flags are not relevant here; they are runtime tested.



* Free Assange and protect free journalism!
* Germany: Sign the Treaty on the Prohibition of Nuclear Weapons!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list