* [gentoo-user] Change keyserver used by portage?
@ 2018-06-30 15:26 Elijah Mark Anderson
2018-07-02 1:35 ` R0b0t1
2018-07-02 1:55 ` R0b0t1
0 siblings, 2 replies; 9+ messages in thread
From: Elijah Mark Anderson @ 2018-06-30 15:26 UTC
To: Gentoo-User Mailing List
Anyone know how I can change the keyserver address used by portage? I keep
getting "no route to host" for hkps.pool.sks-keyservers.net when I sync.
--
Elijah Mark Anderson
mark@kd0bpv.name
--
「塵も積もれば山となる。」
"Even dust, when piled up, becomes a mountain" - Ancient Japanese proverb
* Re: [gentoo-user] Change keyserver used by portage?
From: R0b0t1 @ 2018-07-02 1:35 UTC
To: gentoo-user
On Sat, Jun 30, 2018 at 10:26 AM, Elijah Mark Anderson <mark@kd0bpv.name> wrote:
> Anyone know how I can change the keyserver address used by portage? I keep
> getting "no route to host" for hkps.pool.sks-keyservers.net when I sync.
I'm getting the same thing. Also with pgp.mit.edu. Is there any fix?
The webrsync-gpg keys have expired, and the documentation says that
`gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release
--refresh-keys` should be run.
* Re: [gentoo-user] Change keyserver used by portage?
From: R0b0t1 @ 2018-07-02 1:55 UTC
To: gentoo-user
On Sat, Jun 30, 2018 at 10:26 AM, Elijah Mark Anderson <mark@kd0bpv.name> wrote:
> Anyone know how I can change the keyserver address used by portage? I keep
> getting "no route to host" for hkps.pool.sks-keyservers.net when I sync.
What are you trying to do? Find the command being run and run it
manually while specifying --keyserver. Also file a bug report.
I posted my last reply after pgp.mit.edu also failed. The URL you give
is obviously a key server pool, but it looks like MIT's may be also
(without inspecting it). I retried on MIT's URL until the request went
through. If you can't change the URL then keep trying.
The issue is, I think, that the pool will give you servers that don't
support HKP, but I have had this issue when contacting keyservers
directly.
Cheers,
R0b0t1
* Re: [gentoo-user] Change keyserver used by portage?
From: Elijah Mark Anderson @ 2018-07-02 3:21 UTC
To: gentoo-user
On Sunday, July 1, 2018 8:55:05 PM CDT R0b0t1 wrote:
> On Sat, Jun 30, 2018 at 10:26 AM, Elijah Mark Anderson <mark@kd0bpv.name> wrote:
> > Anyone know how I can change the keyserver address used by portage? I
> > keep getting "no route to host" for hkps.pool.sks-keyservers.net when I
> > sync.
> What are you trying to do? Find the command being run and run it
> manually while specifying --keyserver. Also file a bug report.
>
> I posted my last reply after pgp.mit.edu also failed. The URL you give
> is obviously a key server pool, but it looks like MIT's may be also
> (without inspecting it). I retried on MIT's URL until the request went
> through. If you can't change the URL then keep trying.
>
> The issue is, I think, that the pool will give you servers that don't
> support HKP, but I have had this issue when contacting keyservers
> directly.
>
> Cheers,
> R0b0t1
Currently, portage is using that pool url when I run emaint's sync module. I
keep getting the "no route to host" error from it, and no indication what
server it's actually being directed to.
What I want to do is reconfigure portage to use a particular server that I know
is reliable.
--
Elijah Mark Anderson
mark@kd0bpv.name
--
「塵も積もれば山となる。」
"Even dust, when piled up, becomes a mountain" - Ancient Japanese proverb
* Re: [gentoo-user] Change keyserver used by portage?
From: Adam Carter @ 2018-07-02 5:40 UTC
To: gentoo-user
> > > Anyone know how I can change the keyserver address used by portage? I
> > > keep getting "no route to host" for hkps.pool.sks-keyservers.net when I
> > > sync.
> > What are you trying to do? Find the command being run and run it
> > manually while specifying --keyserver. Also file a bug report.
> >
> > I posted my last reply after pgp.mit.edu also failed. The URL you give
> > is obviously a key server pool, but it looks like MIT's may be also
> > (without inspecting it). I retried on MIT's URL until the request went
> > through. If you can't change the URL then keep trying.
> >
> > The issue is, I think, that the pool will give you servers that don't
> > support HKP, but I have had this issue when contacting keyservers
> > directly.
> >
> > Cheers,
> > R0b0t1
>
> Currently, portage is using that pool url when I run emaint's sync module. I
> keep getting the "no route to host" error from it, and no indication what
> server it's actually being directed to.
>
> What I want to do is reconfigure portage to use a particular server that I
> know is reliable.
Looks like it's using multiple A records;
$ host hkps.pool.sks-keyservers.net
hkps.pool.sks-keyservers.net has address 18.9.60.141
hkps.pool.sks-keyservers.net has address 18.191.65.131
hkps.pool.sks-keyservers.net has address 37.191.226.104
hkps.pool.sks-keyservers.net has address 92.43.111.21
hkps.pool.sks-keyservers.net has address 193.164.133.100
hkps.pool.sks-keyservers.net has address 216.66.15.2
hkps.pool.sks-keyservers.net has IPv6 address 2001:470:1:116::6
hkps.pool.sks-keyservers.net has IPv6 address 2600:1f16:41e:bd0a::73:6b73
hkps.pool.sks-keyservers.net has IPv6 address 2a01:4a0:59:1000:223:9eff:fe00:100f
hkps.pool.sks-keyservers.net has IPv6 address 2a02:c205:3001:3626::1
For an ugly hack you could test these to find one that works, then add that
one to your /etc/hosts file.
Perhaps there's a hostmaster@hkps.pool.sks-keyservers.net you could notify
to fix it?
* Re: [gentoo-user] Change keyserver used by portage?
From: Elijah Mark Anderson @ 2018-07-03 23:09 UTC
To: gentoo-user
On Monday, July 2, 2018 12:40:29 AM CDT Adam Carter wrote:
> > > > Anyone know how I can change the keyserver address used by portage? I
> > > > keep getting "no route to host" for hkps.pool.sks-keyservers.net when I
> > > > sync.
> > >
> > > What are you trying to do? Find the command being run and run it
> > > manually while specifying --keyserver. Also file a bug report.
> > >
> > > I posted my last reply after pgp.mit.edu also failed. The URL you give
> > > is obviously a key server pool, but it looks like MIT's may be also
> > > (without inspecting it). I retried on MIT's URL until the request went
> > > through. If you can't change the URL then keep trying.
> > >
> > > The issue is, I think, that the pool will give you servers that don't
> > > support HKP, but I have had this issue when contacting keyservers
> > > directly.
> > >
> > > Cheers,
> > >
> > > R0b0t1
> >
> > Currently, portage is using that pool url when I run emaint's sync module. I
> > keep getting the "no route to host" error from it, and no indication what
> > server it's actually being directed to.
> >
> > What I want to do is reconfigure portage to use a particular server that I
> > know is reliable.
>
> Looks like it's using multiple A records;
>
> $ host hkps.pool.sks-keyservers.net
> hkps.pool.sks-keyservers.net has address 18.9.60.141
> hkps.pool.sks-keyservers.net has address 18.191.65.131
> hkps.pool.sks-keyservers.net has address 37.191.226.104
> hkps.pool.sks-keyservers.net has address 92.43.111.21
> hkps.pool.sks-keyservers.net has address 193.164.133.100
> hkps.pool.sks-keyservers.net has address 216.66.15.2
> hkps.pool.sks-keyservers.net has IPv6 address 2001:470:1:116::6
> hkps.pool.sks-keyservers.net has IPv6 address 2600:1f16:41e:bd0a::73:6b73
> hkps.pool.sks-keyservers.net has IPv6 address 2a01:4a0:59:1000:223:9eff:fe00:100f
> hkps.pool.sks-keyservers.net has IPv6 address 2a02:c205:3001:3626::1
>
> For an ugly hack you could test these to find one that works, then add that
> one to your /etc/hosts file.
>
> Perhaps there's a hostmaster@hkps.pool.sks-keyservers.net you could notify
> to fix it?
Yes. That is how the pool URL works. It does some sort of load-balancing via
DNS resolution. That's why it has so many addresses.
I am well aware of the /etc/hosts hack, but it's an ugly work-around. I'd
rather be able to configure portage itself to use a different pool or a specific
server, rather than mess around with DNS resolutions. And I haven't been
having any luck in searching for how to configure the keyserver used by
Portage.
Yes, there is an email address I could message to notify them that there is a
problematic server, but because Portage tells me nothing about which server
it's using other than the pool URL, I have nothing helpful to tell them.
--
Elijah Mark Anderson
mark@kd0bpv.name
--
「塵も積もれば山となる。」
"Even dust, when piled up, becomes a mountain" - Ancient Japanese proverb
* Re: [gentoo-user] Change keyserver used by portage?
From: Adam Carter @ 2018-07-04 5:05 UTC
To: gentoo-user
> Yes. That is how the pool URL works. It does some sort of load-balancing via
> DNS resolution. That's why it has so many addresses.
>
> I am well aware of the /etc/hosts hack, but it's an ugly work-around. I'd
> rather be able to configure portage itself to use a different pool or a
> specific server, rather than mess around with DNS resolutions. And I haven't
> been having any luck in searching for how to configure the keyserver used by
> Portage.
>
> Yes, there is an email address I could message to notify them that there is a
> problematic server, but because Portage tells me nothing about which server
> it's using other than the pool URL, I have nothing helpful to tell them.
Since you know the server IPs, and there's only a small number, you could
try connecting to each of them and see which one(s) fail.
Or tcpdump, or netstat etc.
* Re: [gentoo-user] Change keyserver used by portage?
From: Adam Carter @ 2018-07-04 5:09 UTC
To: gentoo-user
>
> Since you know the server IPs, and there's only a small number, you
> could try connecting to each of them and see which one(s) fail.
>
> Or tcpdump, or netstat etc.
>
FWIW I can route to all the v4 addresses;
# for i in 18.9.60.141 18.191.65.131 37.191.226.104 92.43.111.21 193.164.133.100 216.66.15.2 ; do nc -zv $i 443; done
cryptonomicon.mit.edu [18.9.60.141] 443 (https) open
ec2-18-191-65-131.us-east-2.compute.amazonaws.com [18.191.65.131] 443 (https) open
host-37-191-226-104.lynet.no [37.191.226.104] 443 (https) open
Warning: forward host lookup failed for oteiza.siccegge.de:
oteiza.siccegge.de [92.43.111.21] 443 (https) open
DNS fwd/rev mismatch: mail.b4ckbone.de != beta.b4ckbone.de
mail.b4ckbone.de [193.164.133.100] 443 (https) open
zimmermann.mayfirst.org [216.66.15.2] 443 (https) open
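The loop above covers only the six IPv4 records, while the pool also publishes AAAA records. As an added example (not part of the original message), this Python script parses `host` output, probes every A and AAAA record on port 443, and reports the errno name of each failure, so the member behind a "no route to host" can be named in a report. The hostname and addresses in `SAMPLE` are constructed from documentation ranges, and the `connect` parameter is a hypothetical hook for swapping in a stub.

```python
import errno
import ipaddress
import re
import socket

# Constructed sample: `host` output in the shape quoted in the thread,
# including one record wrapped across two lines by the mail client.
# Addresses are documentation ranges, not real pool members.
SAMPLE = """\
keys.example.net has address 192.0.2.10
keys.example.net has address 198.51.100.7
keys.example.net has IPv6 address
2001:db8:59:1000::100f
keys.example.net has IPv6 address 2001:db8::1
"""

def parse_host_output(text):
    """Return every A/AAAA address, tolerating records split across lines."""
    found = []
    # \s+ also matches a newline, so a wrapped record is still picked up.
    for token in re.findall(r"has (?:IPv6 )?address\s+(\S+)", text):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # not an address (e.g. a truncated line); skip it
    return found

def probe(addr, port=443, timeout=3.0, connect=socket.create_connection):
    """Try one TCP connect; return 'open' or the errno name of the failure."""
    try:
        connect((str(addr), port), timeout).close()
        return "open"
    except socket.timeout:
        return "TIMEOUT"
    except OSError as exc:
        # EHOSTUNREACH is the "No route to host" reported during sync.
        return errno.errorcode.get(exc.errno, "OSError")

def survey(text, port=443, connect=socket.create_connection):
    """Map each pool member to its probe result, IPv4 and IPv6 alike."""
    return {str(a): probe(a, port, connect=connect)
            for a in parse_host_output(text)}

if __name__ == "__main__":
    for address, result in survey(SAMPLE).items():
        print(f"{address:40} {result}")
```

On a host without a working IPv6 route, the AAAA members typically come back as `ENETUNREACH` or `EHOSTUNREACH` while the IPv4 members report `open`.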
* Re: [gentoo-user] Change keyserver used by portage?
From: Bill Kenworthy @ 2018-07-04 10:44 UTC
To: gentoo-user
On 04/07/18 13:09, Adam Carter wrote:
>
> Since you know the server IPs, and there's only a small number, you
> could try connecting to each of them and see which one(s) fail.
>
> Or tcpdump, or netstat etc.
>
>
> FWIW I can route to all the v4 addresses;
>
> # for i in 18.9.60.141 18.191.65.131 37.191.226.104 92.43.111.21 193.164.133.100 216.66.15.2 ; do nc -zv $i 443; done
> cryptonomicon.mit.edu [18.9.60.141] 443 (https) open
> ec2-18-191-65-131.us-east-2.compute.amazonaws.com [18.191.65.131] 443 (https) open
> host-37-191-226-104.lynet.no [37.191.226.104] 443 (https) open
> Warning: forward host lookup failed for oteiza.siccegge.de:
> oteiza.siccegge.de [92.43.111.21] 443 (https) open
> DNS fwd/rev mismatch: mail.b4ckbone.de != beta.b4ckbone.de
> mail.b4ckbone.de [193.164.133.100] 443 (https) open
> zimmermann.mayfirst.org [216.66.15.2] 443 (https) open
>
I tried the host hack - still fails, though with a different message. I
suspect the keyservers are not the problem because:
"gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys"
mostly works fine (with or without the hosts hack).
But I have never had a successful run with emerge --sync.
Portage is sys-apps/portage-2.3.40-r1
Bug or what?
BillK