gpg: error retrieving 'erich at eckner.net' via WKD: Connection closed in DNS
Werner Koch
wk at gnupg.org
Fri Jan 22 14:49:37 CET 2021
On Fri, 22 Jan 2021 13:24, Erich Eckner said:
> Box 1: tor (but no DNS endpoint exposed), named listening on 127.0.0.1:53
> (used by /etc/resolv.conf)
In Tor mode we use 8.8.8.8 as DNS Server unless you use
--nameserver ipaddr
In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve
DNS names. If the default public resolver, which is 8.8.8.8,
shall not be used a different one can be given using this option.
Note that a numerical IP address must be given (IPv6 or IPv4) and
that no error checking is done for ipaddr.
This is all implemented using a full DNS resolver library inside dirmngr
(which you can also turn into a --recursive-resolver). If you don't
want this or DNS over Tor, and if you are not on Windows, you may use
--standard-resolver.
> Box 2: named listening on 127.0.0.1:53 (used by /etc/resolv.conf), dnsdist
> listening on $all_public_ips:53 (used by external clients, relaying to
> named and iodine as needed), iodine listening on 127.0.0.1:5353
>
> Does gnupg interpret any of these as tor dns endpoints? How does gnupg
> determine, how to query dns?
In non-Tor mode /etc/resolv.conf etc is parsed. --debug dns should show
errors or fallbacks for unknown statements.
> The additional "debug dns" line didn't change anything noticeably for me,
> I already have "debug ipc,network,dns", so probably it's redundant?
I see. I would need to check how to enable all DNS debugging. You have
"verbose" also in your dirmngr.conf?
> I'd prefer to use tor for retrieving keys (if possible). Is there a
> possibility to turn off dns resolution via tor, but still do all the rest
> through tor?
I don't think so. It is quite some time since I last worked on the Tor
features. (dirmngr/dns-stuff.c, dirmngr/dns.c are the main files)
> disable-ipv4 / disable-ipv6 does not make any difference (without also
> adding "no-use-tor", of course)
Sometimes it makes a difference in particular on my Windows VM.
> version:1.8.7:10807:1.39-unknown:12700:
Built against an older libgpg-error (aka gpgrt) version, but that does
not matter.
> * GpgRT 1.41-unknown (0000000)
That is the actual version used.
> I don't see any libdns there. Box #1 only differs in the cpu flags line:
No library but the (modified) implementation by William Ahern.
CPU flags are not relevant here; they are runtime tested.
Shalom-Salam,
Werner
--
* Free Assange and protect free journalism!
* Germany: Sign the Treaty on the Prohibition of Nuclear Weapons!
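The man page excerpt above says dirmngr does no error checking on the
--nameserver value in Tor mode: a hostname or a mistyped address is
accepted silently and DNS over Tor simply stops working. The script
below is an added example, not code from this thread or from GnuPG. It
reads the "nameserver" line out of a dirmngr.conf and refuses anything
that is not a numeric IPv4 or IPv6 literal, so the check can be run
before "gpgconf --reload dirmngr". The config contents, the temporary
file paths, the resolver 9.9.9.9 and the hostname dns.example.net are
all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread or from GnuPG): sanity-check
# the "nameserver" option in a dirmngr.conf before reloading dirmngr.
# dirmngr itself does no error checking on the value, so a hostname or a
# typo silently breaks DNS in Tor mode. File paths and the sample configs
# below are constructed for illustration.

# Print the value of the first "nameserver" line in the given config,
# ignoring leading whitespace and trailing comments. Empty output if absent.
dirmngr_nameserver() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the argument is a dotted-quad IPv4 literal with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the argument looks like an IPv6 literal: only hex digits and
# colons, at least two colons, at most one "::". Deliberately loose; the aim
# is to reject hostnames, not to be a full RFC 4291 parser.
is_ipv6() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]+$' || return 1
    case "$1" in
        *:*:*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *::*::*) return 1 ;;
    esac
    return 0
}

# Return 0 when the config either has no nameserver line (dirmngr then uses
# its built-in default, 8.8.8.8) or has one that is a numeric IP literal.
# Return 1 otherwise, since dirmngr would accept the value without complaint.
check_dirmngr_nameserver() {
    ns=$(dirmngr_nameserver "$1")
    if [ -z "$ns" ]; then
        echo "no nameserver set; dirmngr will use 8.8.8.8 via Tor"
        return 0
    fi
    if is_ipv4 "$ns" || is_ipv6 "$ns"; then
        echo "nameserver $ns: ok"
        return 0
    fi
    echo "nameserver '$ns' is not a numeric IP address; dirmngr will not complain but DNS over Tor will fail" >&2
    return 1
}

# Demo on two constructed configs (9.9.9.9 and dns.example.net are assumptions).
demo() {
    tmp=$(mktemp -d)
    printf 'use-tor\nverbose\ndebug ipc,network,dns\nnameserver 9.9.9.9\n' > "$tmp/good.conf"
    printf 'use-tor\nnameserver dns.example.net  # hostnames are not accepted\n' > "$tmp/bad.conf"
    check_dirmngr_nameserver "$tmp/good.conf"
    check_dirmngr_nameserver "$tmp/bad.conf" || echo "bad.conf rejected, as intended"
    rm -rf "$tmp"
}

demo
```

Run it against ~/.gnupg/dirmngr.conf (or wherever your dirmngr.conf
lives) and only reload dirmngr when it exits 0; the IPv6 test is
intentionally permissive because the point is to catch the hostname
case the man page warns about, not to validate every address form.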