FS#62059 - [gnupg] hkps.pool.sks-keyservers.net does not resolve, breaks gpg keyserver functionality

Attached to Project: Arch Linux
Opened by Clarence Risher (sparr) - Monday, 18 March 2019, 16:08 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 18 March 2019, 16:15 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The default keyserver baked into gnupg is currently not resolving (via its authoritative nameservers such as s01.sks-keyservers.net or ns.dan.host, or via public nameservers like 4.2.2.1 and 8.8.8.8, or via worldwide DNS propagation testing tools like https://dnschecker.org/#A/hkps.pool.sks-keyservers.net or https://dnsmap.io/#A/hkps.pool.sks-keyservers.net), which breaks gpg functionality for users who have not specified an alternate keyserver or who do not have old config specifying an old default.

The Arch default was removed here: https://git.archlinux.org/pacman.git/commit/?id=9058d7fe

The current gnupg default is described here: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=configure.ac;h=41dedf72b56ac88e791390afc488373767deed36;hb=HEAD#l1895


Additional info:
* package version(s): gnupg 2.2.13-1

Steps to reproduce:

rm -rf /etc/pacman.d/gnupg
pacman-key --init


Closed by Doug Newgard (Scimmia)
Monday, 18 March 2019, 16:15 GMT
Reason for closing: Not a bug

Comment by Clarence Risher (sparr) - Monday, 18 March 2019, 16:14 GMT
From the sks-devel mailing list:

On Mon, Mar 18, 2019 at 8:27 AM Sparr <sparr0@gmail.com> wrote:
>
> hkps.pool.sks-keyservers.net does not seem to resolve currently, from public or local or whois-authoritative nameservers.

On Mon, Mar 18, 2019 at 9:09 AM Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com> wrote:
>
> On 3/18/19 3:58 PM, Todd Fleisher wrote:
> > The GNUPG-users post mentions something that may be the root cause:
> > The status page for sks-keyservers.net shows no hosts are currently
> > available via hkps but other ports are available.
> > https://sks-keyservers.net/status/
> > I’m speculating here, but if whatever Kristian uses to update the DNS for
> > hkps.pool.sks-keyservers.net doesn’t think there are any valid nodes
> > available perhaps it doesn’t publish any records. This would result in
> > NXDOMAIN. Given that pool.sks-keyservers.net & na.pool.sks-keyservers.net &
> > others are still resolving properly I don’t think it’s an EDNS issue.
> >
> > Adding Kristian directly in case he filters sks-devel mail.
> >
>
> Well, it's a simple enough issue. The CRL expired, so no host validated
> anymore. Services should be returning to normal soon enough. Thanks for
> the ping.
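
The comparison made in the quoted thread (the hkps pool name fails while sibling pool names still resolve), as an added shell example that is not part of the ticket or the mailing-list messages. The `dig` header lines are constructed samples, and `dig_outcome` and `diagnose` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify dig header output, then compare the failing
# keyserver name with a sibling pool name queried through the same resolver.

# Reads `dig +noall +comments NAME` output on stdin and prints one of:
# nxdomain | nodata | answers | error
dig_outcome() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) } }
        /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") { a = $(i + 1); sub(/,$/, "", a) } }
        END {
            if (s == "NXDOMAIN") print "nxdomain"
            else if (s == "NOERROR" && a + 0 > 0) print "answers"
            else if (s == "NOERROR") print "nodata"
            else print "error"
        }'
}

# $1 = outcome for the hkps pool name, $2 = outcome for a sibling pool name
diagnose() {
    case "$1/$2" in
        # Name resolves: a remaining gpg failure is not a DNS problem.
        answers/*) echo "target-resolves" ;;
        # Sibling answers through the same resolver, target has no records.
        nxdomain/answers | nodata/answers) echo "no-records-for-target" ;;
        # Sibling fails too, or a lookup errored: check the resolver or zone.
        *) echo "inconclusive" ;;
    esac
}

# Constructed dig header lines (not captured from the incident).
SAMPLE_HKPS=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_POOL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1'

hkps=$(printf '%s\n' "$SAMPLE_HKPS" | dig_outcome)
pool=$(printf '%s\n' "$SAMPLE_POOL" | dig_outcome)
echo "hkps pool: $hkps, plain pool: $pool -> $(diagnose "$hkps" "$pool")"
```

Against a live resolver, pipe `dig +noall +comments <name>` into `dig_outcome` for each name instead of using the samples.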
