dirmngr doesn't handle IPv6 properly
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnupg2 (Ubuntu) |
Triaged
|
Critical
|
Dimitri John Ledkov |
Bug Description
This is a regression from gpgv1 which will prevent direct interaction with an IPv6 key server and on single and dual-stack IPv6 network, this will cause gpg to seemingly hang for up to several minutes.
=== IPv6 gpgv1 on xenial
root@xenial:~# time gpg --keyserver hkp://[
gpg: requesting key 22F6E216 from hkp server [2a03:4000:
gpg: key 22F6E216: "LXC pre-built images <email address hidden>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
real 0m0.341s
user 0m0.000s
sys 0m0.000s
=== IPv6 gpgv2 on xenial
root@yakkety:~# time gpg --keyserver hkp://[
gpg: keyserver receive failed: Unknown host
real 0m0.827s
user 0m0.004s
sys 0m0.000s
=== Dual-stack DNS record gpgv1 on xenial
root@xenial:~# time gpg --keyserver hkp://pool.
gpg: requesting key 22F6E216 from hkp server pool.sks-
gpg: key 22F6E216: "LXC pre-built images <email address hidden>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
real 0m1.430s
user 0m0.000s
sys 0m0.000s
=== Dual-stack DNS record gpgv2 on yakkety
root@yakkety:~# time gpg --keyserver hkp://pool.
gpg: key BAEFF88C22F6E216: "LXC pre-built images <email address hidden>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
real 0m33.495s
user 0m0.000s
sys 0m0.004s
=== Dual-stack DNS record gpgv2 on yakkety (ipv6-only machine)
root@yakkety:~# time gpg --keyserver hkp://pool.
gpg: key BAEFF88C22F6E216: "LXC pre-built images <email address hidden>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
real 1m32.326s
user 0m0.004s
sys 0m0.000s
Figuring out what dirmngr is doing in these cases, can be aided with cranking up verbosity and logging the output, e.g.:
keyserver hkp://ipv6. pool.sks- keyservers. net pVKaTIdXs8/ .gnupg/ dirmngr. log
log-file /tmp/tmp.
debug-level guru
Options in $GNUPGHOME/ dirmngr. conf. Followed by gpgconf --kill dirmngr.
Whilst plenty of stuff is logged.... it doesn't actually tell me if he hit things over ipv6 or ipv4. It appears to be resolving a pool and picking a random thing to connect to.
Note the https:/ /bugs.gnupg. org/gnupg/ issue1989
dirmngr supposed to figure out that something is dead, is retry elsewhere. Does using hkp://ipv6. pool.sks- keyservers. net improve things for you? That pool should have all servers accessible over ipv6, unlike the main pool which may have ipv4-only servers.
Could you please crank up the logging, and check if it has excessive amount of resolving dns pools and messages marking them dead?