Fiouz n00b
Joined: 13 Jan 2004 Posts: 25
Posted: Fri Mar 06, 2020 11:24 am Post subject: Banned from keys.gentoo.org? [solved: faulty DNS]
Hi,
I haven't been able to since I upgraded my internet connection from xDSL to fiber, each time I get the following result:
Code: | # emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: Server indicated a failure
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: Server indicated a failure
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: Server indicated a failure
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: Server indicated a failure
|
Trying to manually retrieve GPG keys also fails:
Code: | # gpg -v --debug-level=10 --keyserver hkps://keys.gentoo.org --recv-keys 18F703D702B1B9591373148C55D3238EC050396E
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: DBG: chan_3 <- # Home: /root/.gnupg
gpg: DBG: chan_3 <- # Config: [none]
gpg: DBG: chan_3 <- OK Dirmngr 2.2.17 at your service
gpg: connection to dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.17
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkps://keys.gentoo.org
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0x18F703D702B1B9591373148C55D3238EC050396E
gpg: DBG: chan_3 <- ERR 219 Server indicated a failure <Unspecified source>
gpg: keyserver receive failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks
|
Switching to a different ISP (via phone tethering) works as expected.
Is it possible that has IP filtering?
For the past days, I happened to have a sub-optimal workaround by using but it now seems it has been disabled in the latest Portage
Code: | # emerge-webrsync
emerge-webrsync: error: Do not call emerge-webrsync directly, instead call emerge --sync or emaint sync.
|
System info:
Code: | # emerge --info
Portage 2.3.89 (python 3.6.10-final-0, default/linux/amd64/17.1/desktop/gnome/systemd, gcc-9.2.0, glibc-2.29-r7, 4.19.97-gentoo-x86_64 x86_64)
=================================================================
System uname: Linux-4.19.97-gentoo-x86_64-x86_64-Intel-R-_Core-TM-_i7-7500U_CPU_@_2.70GHz-with-gentoo-2.6
KiB Mem: 16188552 total, 13028392 free
KiB Swap: 524284 total, 524284 free
Timestamp of repository gentoo: Tue, 03 Mar 2020 00:45:02 +0000
Head commit of repository flatpak-overlay: ea16fa7c90c16c8720e4a388e7ddcdd70ad30221
Timestamp of repository snapd: Sat, 22 Feb 2020 11:10:24 +0000
Head commit of repository snapd: 2e38a942fe9b9081c2f29be3b311e839d84592e1
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.33.1 p2) 2.33.1
app-shells/bash: 4.4_p23-r1::gentoo
dev-java/java-config: 2.2.0-r4::gentoo
dev-lang/perl: 5.30.1::gentoo
dev-lang/python: 2.7.17-r1::gentoo, 3.6.10::gentoo, 3.7.6::gentoo
dev-util/cmake: 3.14.6::gentoo
dev-util/pkgconfig: 0.29.2::gentoo
sys-apps/baselayout: 2.6-r1::gentoo
sys-apps/sandbox: 2.13::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.69-r4::gentoo
sys-devel/automake: 1.16.1-r1::gentoo
sys-devel/binutils: 2.33.1-r1::gentoo
sys-devel/gcc: 8.3.0-r1::gentoo, 9.2.0-r2::gentoo
sys-devel/gcc-config: 2.2::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc: 2.29-r7::gentoo
Repositories:
gentoo
location: /usr/portage
sync-type: webrsync
sync-uri: rsync://rsync.asia.gentoo.org/gentoo-portage
priority: -1000
sync-webrsync-verify-signature: yes
flatpak-overlay
location: /var/db/repos/flatpak-overlay
sync-type: git
sync-uri: https://github.com/fosero/flatpak-overlay.git
masters: gentoo
snapd
location: /var/db/repos/snapd
sync-type: git
sync-uri: https://github.com/gentoo-mirror/snapd.git
masters: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --complete-graph=y --ask-enter-invalid"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs cgroup config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.aditsu.net:8000/ http://mirror.rise.ph/gentoo http://mirrors.163.com/gentoo/"
INSTALL_MASK="/usr/share/locale -/usr/share/locale/en -/usr/share/locale/en_US"
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac aalib acl acpi alsa amd64 avahi berkdb bluetooth branding bzip2 cairo caps cjk cli colord crypt cxx dbus dri dts dvdr editorconfig egl eglfs emboss evdev evo exif fbcon flac fontconfig gdbm geolocation gif gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk ibus iconv icu introspection ipv6 jpeg kde kms lcms libass libcaca libnotify libsecret libtirpc lm_sensors mad matroska mmx mng modplug mp3 mp4 mpeg mtp multilib nas nautilus ncurses networkmanager nls nptl ogg opencc opengl openmp pam pango pcre pdf phonon png policykit ppds pulseaudio qml qt5 readline samba scripttools sdl seccomp semantic-desktop spell split-usr sse sse2 ssl startup-notification svg systemd tcpd threads tiff touchpad tracker truetype tslib udev udisks unicode upnp-av upower usb vaapi vdpau vorbis vpx wayland widgets wifi wxwidgets x264 xattr xcb xinerama xml xscreensaver xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="hda-intel usb-audio" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 fma3 fma4 popcnt sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="fbdev intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
|
Code: | # host keys.gentoo.org
keys.gentoo.org is an alias for keys.geodns.gentoo.org.
keys.geodns.gentoo.org is an alias for keys.geodns-asia.gentoo.org.
keys.geodns-asia.gentoo.org has address 89.238.71.4
keys.geodns-asia.gentoo.org has address 140.211.166.190
keys.geodns-asia.gentoo.org has address 208.116.51.2
keys.geodns-asia.gentoo.org has IPv6 address 2a00:1828:a00d:ffff::4
keys.geodns-asia.gentoo.org has IPv6 address 2001:470:1f06:a91::2
keys.geodns-asia.gentoo.org has IPv6 address 2001:470:ea4a:1:230:48ff:fef8:9fdc
|
(IPv6 is not enabled on the router)
Any idea on how to reach the folks at keys.gentoo.org (or any alternative idea)?
Last edited by Fiouz on Wed Mar 11, 2020 5:41 am; edited 3 times in total
Banana Moderator
Joined: 21 May 2004 Posts: 1480 Location: Germany
Fiouz n00b
Joined: 13 Jan 2004 Posts: 25
Posted: Fri Mar 06, 2020 11:44 am Post subject:
Hi Banana,
Banana wrote: | Are you behind a firewall, local or router? |
I am behind a Netgear R7800 router (vendor firmware) but had the same issue with a Netgear WNR3500 v2 router (Tomato firmware), which is too weak to handle gigabit connection (reason for changing router).
Edit 2020-03-11: The above statement regarding the older router having the same issue is wrong (my memory was faulty :( )
Banana wrote: | Do you have any DNS name resolution problems lately? |
I have not had any issue with DNS (the router is configured to use CloudFlare 1.1.1.1 but I had the same results with ISP DNS), at least not that I am aware of.
Banana wrote: | Is your system time correct? |
My system clock is synchronized to Google DNS which has leap-smear time https://developers.google.com/time/smear. Would it cause gpg to fail?
Code: | # cat /etc/systemd/timesyncd.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See timesyncd.conf(5) for details.
[Time]
#NTP=
#FallbackNTP=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org
NTP=time.google.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
|
Code: | # timedatectl
Local time: Fri 2020-03-06 19:43:48 HKT
Universal time: Fri 2020-03-06 11:43:48 UTC
RTC time: Fri 2020-03-06 11:43:48
Time zone: Asia/Hong_Kong (HKT, +0800)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
|
Thank you.
Edit: amended statement regarding older router being KO
Last edited by Fiouz on Wed Mar 11, 2020 5:40 am; edited 1 time in total
Banana Moderator
Joined: 21 May 2004 Posts: 1480 Location: Germany
Ionen Developer
Joined: 06 Dec 2018 Posts: 2732
Posted: Fri Mar 06, 2020 12:15 pm Post subject:
I don't use this service to confirm or not, but there's a bug that was opened recently about it being unavailable, which should reach them if there's a problem.
molletts Tux's lil' helper
Joined: 16 Feb 2013 Posts: 119
Posted: Fri Mar 06, 2020 1:37 pm Post subject:
Have you tried switching to using git instead of rsync for your portage sync? The git tree is implicitly signed through git's built-in data integrity measures.
You can do this by updating your /etc/portage/repos.conf/gentoo.conf: (here's mine)
Code: | [gentoo]
location = /var/db/repos/gentoo
# Old rsync settings:
#sync-type = rsync
#sync-uri = rsync://rsync.uk.gentoo.org/gentoo-portage
# New git settings:
sync-type = git
sync-uri = https://github.com/gentoo-mirror/gentoo
auto-sync = true
sync-depth = 1
|
You'll probably need to start with an empty $PORTDIR but it sounds like you're not strapped for bandwidth.
Fiouz n00b
Joined: 13 Jan 2004 Posts: 25
Posted: Fri Mar 06, 2020 3:33 pm Post subject:
Ionen wrote: | there's a bug that was open recently about it unavailable which should reach them if there's a problem. |
I'll follow that bug to see whether I need to report the issue (not sure whether the issue is the same), thank you for the hint!
molletts wrote: | Have you tried switching to using git instead of rsync for your portage sync? |
Thank you! That workaround works and I can now
Cheers!
Fiouz n00b
Joined: 13 Jan 2004 Posts: 25
Posted: Wed Mar 11, 2020 5:32 am Post subject: Issue caused by Netgear firmware not handling SRV requests
I got distracted by the client/server nature of the debug messages and I wrongly assumed the error response came from keys.gentoo.org: it is actually the inter-process communication messages between gpg and dirmngr (part of GnuPG) on my side that I was seeing in the debug output.
Enabling more verbose output from dirmngr (add verbose + debug-all in ~/.gnupg/dirmngr.conf) and directly querying it revealed the following two issues:
- inability to perform SRV record DNS query - root cause
- incomplete error feedback from dirmngr when handling DNS failure (at least when it comes to SRV record RFC2782) - hides the root cause
Code: | # dirmngr
dirmngr[55635]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog
dirmngr[55635.0]: permanently loaded certificates: 141
dirmngr[55635.0]: runtime cached certificates: 0
dirmngr[55635.0]: trusted certificates: 141 (140,0,0,1)
dirmngr[55635.0]: DBG: chan_3 -> # Home: /root/.gnupg
# Home: /root/.gnupg
dirmngr[55635.0]: DBG: chan_3 -> # Config: /root/.gnupg/dirmngr.conf
# Config: /root/.gnupg/dirmngr.conf
dirmngr[55635.0]: DBG: chan_3 -> OK Dirmngr 2.2.19 at your service
OK Dirmngr 2.2.19 at your service
GETINFO version
dirmngr[55635.0]: DBG: chan_3 <- GETINFO version
dirmngr[55635.0]: DBG: chan_3 -> D 2.2.19
D 2.2.19
dirmngr[55635.0]: DBG: chan_3 -> OK
OK
KEYSERVER --clear hkps://keys.gentoo.org
dirmngr[55635.0]: DBG: chan_3 <- KEYSERVER --clear hkps://keys.gentoo.org
dirmngr[55635.0]: DBG: chan_3 -> OK
OK
KS_GET -- 0x18F703D702B1B9591373148C55D3238EC050396E
dirmngr[55635.0]: DBG: chan_3 <- KS_GET -- 0x18F703D702B1B9591373148C55D3238EC050396E
dirmngr[55635.0]: DBG: dns: getsrv(_pgpkey-https._tcp.keys.gentoo.org): Try again later
dirmngr[55635.0]: command 'KS_GET' failed: Try again later
dirmngr[55635.0]: DBG: chan_3 -> ERR 167772472 Try again later <Dirmngr>
ERR 167772472 Try again later <Dirmngr>
dirmngr[55635.0]: DBG: chan_3 <- [eof] |
(gnupg was also updated to 2.2.19 but it did not seem to be of importance here)
The DNS failure originates from the router (Netgear R7800) vendor firmware, which does not understand SRV lookups. Installing a custom firmware (such as OpenWRT) or bypassing the DHCP-provided embedded DNS server with an external one (such as CloudFlare 1.1.1.1) addresses the problem and lets gpg (or rather dirmngr) retrieve the key:
Code: | dirmngr[55656.0]: DBG: chan_3 <- KS_GET -- 0x18F703D702B1B9591373148C55D3238EC050396E
dirmngr[55656.0]: DBG: dns: getsrv(_pgpkey-https._tcp.keys.gentoo.org) -> 0 records
dirmngr[55656.0]: DBG: dns: resolve_dns_name(keys.gentoo.org): Success
dirmngr[55656.0]: DBG: dns: resolve_dns_addr(): Success
... truncated output ... |
(I initially misdiagnosed the issue where I stated that the issue happened with previous router, I guess it did not and I was too hasty to deploy the new router; I will amend the post)
This explanation was initially published to bug 711766
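The root cause found above (a resolver that fails SRV queries, which dirmngr surfaces only as "Try again later" and gpg as "Server indicated a failure") can be checked without going through gpg at all. The following is an added example, not code from this thread or from GnuPG: a minimal DNS probe in Python that builds the same SRV query dirmngr issues for hkps://keys.gentoo.org (`_pgpkey-https._tcp.keys.gentoo.org`, as seen in the getsrv() debug line), parses the reply, and sorts it into the three outcomes that matter here: a resolver failure (the router's behaviour), a clean answer with no SRV records (the "-> 0 records" seen once the router was bypassed, after which dirmngr falls back to resolving keys.gentoo.org directly), or actual SRV records. The three sample responses are constructed for the example; the SRV answer pointing at keys.gentoo.org port 443 is purely hypothetical, and `probe_resolver` is an assumption for use against a live resolver.

```python
import socket
import struct

# Name dirmngr queries for hkps://keys.gentoo.org (from the thread's debug output).
SRV_NAME = "_pgpkey-https._tcp.keys.gentoo.org"
QTYPE_SRV = 33
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Build a recursion-desired query for (name, SRV, IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_SRV, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def classify_response(msg):
    """Return (rcode name, list of (priority, weight, port, target)) from a reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack(">HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return RCODE_NAMES.get(rcode, str(rcode)), records


def diagnose(msg):
    """Map a reply onto the three outcomes discussed in the thread."""
    rcode, records = classify_response(msg)
    if rcode != "NOERROR":
        return "resolver-failure"  # what dirmngr reports as 'Try again later'
    if not records:
        return "no-srv-records"    # dirmngr then resolves keys.gentoo.org directly
    return "srv-records"


def probe_resolver(resolver_ip, name=SRV_NAME, timeout=3.0):
    """Send the SRV query to a live resolver over UDP (needs network; assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name), (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return diagnose(reply)


# --- constructed sample replies (not captured from any real resolver) ---
_question = encode_name(SRV_NAME) + struct.pack(">HH", QTYPE_SRV, QCLASS_IN)
# Router that cannot handle SRV: SERVFAIL (rcode 2), empty answer section.
SAMPLE_SERVFAIL = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _question
# Working resolver, no SRV published: NOERROR with zero answers.
SAMPLE_EMPTY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _question
# Hypothetical SRV answer; 0xC00C is a pointer back to the question name.
_rdata = struct.pack(">HHH", 10, 5, 443) + encode_name("keys.gentoo.org")
SAMPLE_SRV = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question
              + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_SRV, QCLASS_IN, 300, len(_rdata)) + _rdata)

if __name__ == "__main__":
    for label, sample in (("servfail", SAMPLE_SERVFAIL), ("empty", SAMPLE_EMPTY), ("srv", SAMPLE_SRV)):
        print(label, diagnose(sample))
```

Running `probe_resolver("192.168.1.1")` against the router's DHCP-supplied DNS and then against an external resolver reproduces the comparison made in the thread: only a reply that is not `NOERROR` is a resolver problem, whereas `NOERROR` with an empty answer is the normal case for a host that publishes no SRV record and should not be treated as an error by the client.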