I'm completely unsure what's causing this, however if I attempt to execute
gpg --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
then I will get
gpg: keyserver receive failed: Server indicated a failure
this only occurs on my laptop. on my desktop, which has an identical config to my laptop, this does not occur. I have no clue why.
I've tried so many different things, and am honestly completely dumbfounded on why it's not working.
Here are some things I've tried/stuff about my environment, in no particular order:
$ cat ~/.gnupg/gpg.conf
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
cert-digest-algo SHA512
(note: the same issue occurs with all of these removed. I have only added these to my config in an attempt to exactly mirror the config of my desktop)
$ gpg --keyserver https://keyserver.ubuntu.com --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
$ gpg --keyserver https://pgp.mit.edu --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
$ gpg --keyserver hkp://pgp.mit.edu --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
$ gpg --keyserver $(dig +short keyserver.ubuntu.com | head -n1) --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: No keyserver available
$ cat > ~/.gnupg/dirmngr.conf <<EOF
log-file /home/solonovamax/.gnupg/dirmngr.log
verbose
debug-level guru
EOF
$ pkill dirmngr
$ gpg --debug-level=guru --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: enabled compatibility flags:
gpg: DBG: [no clock] start
gpg: DBG: chan_3 <- # Home: /home/solonovamax/.gnupg
gpg: DBG: chan_3 <- # Config: /home/solonovamax/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.4.7 at your service, process 12808
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.4.7
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0xB420FD3777CCE3A7F0076B55C85668DF69375001
gpg: DBG: chan_3 <- ERR 219 Server indicated a failure <Unspecified source>
gpg: keyserver receive failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [no clock] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
gpg: objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks
$ cat ~/.gnupg/dirmngr.log
2025-03-07 14:26:32 dirmngr[21123.0] permanently loaded certificates: 150
2025-03-07 14:26:32 dirmngr[21123.0] runtime cached certificates: 0
2025-03-07 14:26:32 dirmngr[21123.0] trusted certificates: 150 (150,0,0,0)
2025-03-07 14:26:32 dirmngr[21123.6] handler for fd 6 started
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> # Home: /home/solonovamax/.gnupg
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> # Config: /home/solonovamax/.gnupg/dirmngr.conf
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> OK Dirmngr 2.4.7 at your service, process 21123
2025-03-07 14:26:32 dirmngr[21123.6] connection from process 21122 (1000:1000)
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 <- GETINFO version
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> D 2.4.7
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> OK
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 <- KS_GET -- 0xB420FD3777CCE3A7F0076B55C85668DF69375001
2025-03-07 14:26:42 dirmngr[21123.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
2025-03-07 14:26:42 dirmngr[21123.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2025-03-07 14:26:42 dirmngr[21123.6] DBG: chan_6 <- BYE
2025-03-07 14:26:42 dirmngr[21123.6] DBG: chan_6 -> OK closing connection
2025-03-07 14:26:42 dirmngr[21123.6] handler for fd 6 terminated
Changing /etc/resolv.conf from
# Generated by NetworkManager
search lan
nameserver 192.168.86.1
to
# Generated by NetworkManager
search lan
nameserver 1.1.1.1
Checking to make sure that it can resolve keyserver.ubuntu.com (note: the result is the same regardless of dns server used)
$ ping keyserver.ubuntu.com
PING keyserver.ubuntu.com (185.125.188.26) 56(84) bytes of data.
(note: keyserver.ubuntu.com does not respond to pings, but as shown it can resolve properly)
$ nslookup keyserver.ubuntu.com
Server: 192.168.86.1
Address: 192.168.86.1#53
Non-authoritative answer:
Name: keyserver.ubuntu.com
Address: 185.125.188.27
Name: keyserver.ubuntu.com
Address: 185.125.188.26
Name: keyserver.ubuntu.com
Address: 2620:2d:4000:1007::70c
Name: keyserver.ubuntu.com
Address: 2620:2d:4000:1007::d43
$ mtr --tcp --report -c 10 keyserver.ubuntu.com
Start: 2025-03-07T14:41:29-0500
HOST: solo-laptop Loss% Snt Last Avg Best Wrst StDev
1.|-- 46dd6c48c6fc81fab0cb98d86 0.0% 10 2.2 5.9 2.2 26.3 7.3
2.|-- 192.168.2.1 0.0% 10 2.7 24.4 2.7 107.2 41.4
3.|-- 10.11.16.9 0.0% 10 56.0 16.1 4.1 56.0 18.2
4.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
5.|-- 10.115.51.122 0.0% 10 118.7 27.4 5.1 118.7 42.6
6.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
7.|-- 64.230.38.186 0.0% 10 7.0 8.1 5.5 15.5 2.8
64.230.38.188
64.230.38.184
8.|-- 64.230.26.133 0.0% 10 108.1 25.3 6.4 108.1 38.3
64.230.33.141
64.230.33.142
9.|-- port-channel3.switch1.ymq 30.0% 10 4109. 3103. 7.4 5255. 1703.7
10.|-- as6939.core1.nyc4.he.net 0.0% 10 3090. 637.0 12.7 3090. 990.7
11.|-- port-channel20.core3.lon2 20.0% 10 4209. 1383. 83.4 4209. 1524.6
12.|-- 100ge0-35.core1.lon6.he.n 0.0% 10 106.7 96.3 81.5 198.6 36.8
13.|-- swp9.il3-core1.canonical. 0.0% 10 155.6 107.6 79.8 167.8 34.9
swp9.il3-core2.canonical.com
14.|-- keyserver.ubuntu.com 0.0% 10 120.2 122.9 79.4 245.2 66.2
$ sudo rm -rf /etc/resolv.conf
$ sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
$ cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search lan
$ sudo systemd-resolve --flush-caches
$ gpg --keyserver https://keyserver.ubuntu.com --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
at the same time, I had also done
$ sudo systemctl edit systemd-resolved
and added
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
and then watched the log with
$ sudo systemctl restart systemd-resolved
$ journalctl -u systemd-resolved -f
and see absolutely nothing in the logs.
however, if I instead do
$ sudo systemd-resolve --flush-caches
$ gpg --keyserver $(dig +short keyserver.ubuntu.com | head -n1) --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: No keyserver available
then the following shows up in the logs:
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 61, ifindex=0, ttl=64, fragsize=0, sender=127.0.0.1, destination=127.0.0.53
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Got DNS stub UDP query packet for id 2486
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Looking up RR for keyserver.ubuntu.com IN A.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Cache miss for keyserver.ubuntu.com IN A
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Firing regular transaction 28695 for <keyserver.ubuntu.com IN A> scope dns on */* (validate=yes).
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Using feature level UDP+EDNS0 for transaction 28695.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Using DNS server 45.90.28.0#solo-laptop-a6b773.dns.nextdns.io for transaction 28695.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Announcing packet size 1472 in egress EDNS(0) packet.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 40
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Sending query packet with id 28695 of size 49.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Cache miss for keyserver.ubuntu.com IN A
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Firing regular transaction 42433 for <keyserver.ubuntu.com IN A> scope dns on wlo1/* (validate=yes).
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Using feature level UDP+EDNS0 for transaction 42433.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Using DNS server 192.168.86.1 for transaction 42433.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Announcing packet size 1472 in egress EDNS(0) packet.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Sending query packet with id 42433 of size 49.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Processing query...
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 81, ifindex=3, ttl=0, fragsize=0, sender=192.168.86.1, destination=192.168.86.239
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Processing incoming packet of size 81 on transaction 42433 (rcode=SUCCESS).
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 569s on wlo1/INET/192.168.86.1
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 569s on wlo1/INET/192.168.86.1
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Regular transaction 42433 for <keyserver.ubuntu.com IN A> on scope dns on wlo1/* now complete with <success> from network (unsigned; non-confidential).
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Sending response packet with id 2486 on interface 1/AF_INET of size 81.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Freeing transaction 42433.
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 81, ifindex=3, ttl=0, fragsize=0, sender=45.90.28.0, destination=192.168.86.239
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Processing incoming packet of size 81 on transaction 28695 (rcode=SUCCESS).
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 600s on wlo1/INET/45.90.28.0
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 600s on wlo1/INET/45.90.28.0
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Regular transaction 28695 for <keyserver.ubuntu.com IN A> on scope dns on */* now complete with <success> from network (unsigned; non-confidential).
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Freeing transaction 28695.
so it seems like for some reason, it's not using my system dns??? and possibly it might just have a broken network configuration somehow??
if I add
standard-resolver
to ~/.gnupg/dirmngr.conf and then execute
$ sudo systemd-resolve --flush-caches
$ gpg --debug-level=guru --keyserver https://keyserver.ubuntu.com --recv B420FD3777CCE3A7F0076B55C85668DF69375001
I see
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink: New incoming connection.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink: Connections of user 1000: 0 (of 576 max)
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Setting state idle-server
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Received message: {"method":"io.systemd.Resolve.ResolveHostname","parameters":{"name":"keyserver.ubuntu.com","flags":0}}
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Changing state idle-server → processing-method
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: idn2_lookup_u8: keyserver.ubuntu.com → keyserver.ubuntu.com
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Looking up RR for keyserver.ubuntu.com IN A.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Looking up RR for keyserver.ubuntu.com IN AAAA.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Cache miss for keyserver.ubuntu.com IN A
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Firing regular transaction 4613 for <keyserver.ubuntu.com IN A> scope dns on */* (validate=yes).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using feature level UDP+EDNS0 for transaction 4613.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using DNS server 45.90.28.0#solo-laptop-a6b773.dns.nextdns.io for transaction 4613.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Announcing packet size 1472 in egress EDNS(0) packet.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 40
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Sending query packet with id 4613 of size 49.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Cache miss for keyserver.ubuntu.com IN AAAA
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Firing regular transaction 6170 for <keyserver.ubuntu.com IN AAAA> scope dns on */* (validate=yes).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using feature level UDP+EDNS0 for transaction 6170.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using DNS server 45.90.28.0#solo-laptop-a6b773.dns.nextdns.io for transaction 6170.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Announcing packet size 1472 in egress EDNS(0) packet.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 40
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Sending query packet with id 6170 of size 49.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Cache miss for keyserver.ubuntu.com IN AAAA
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Firing regular transaction 54496 for <keyserver.ubuntu.com IN AAAA> scope dns on wlo1/* (validate=yes).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using feature level UDP+EDNS0 for transaction 54496.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using DNS server 192.168.86.1 for transaction 54496.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Announcing packet size 1472 in egress EDNS(0) packet.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Sending query packet with id 54496 of size 49.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Cache miss for keyserver.ubuntu.com IN A
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Firing regular transaction 22399 for <keyserver.ubuntu.com IN A> scope dns on wlo1/* (validate=yes).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using feature level UDP+EDNS0 for transaction 22399.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Using DNS server 192.168.86.1 for transaction 22399.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Announcing packet size 1472 in egress EDNS(0) packet.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Sending query packet with id 22399 of size 49.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Changing state processing-method → pending-method
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 81, ifindex=3, ttl=0, fragsize=0, sender=192.168.86.1, destination=192.168.86.239
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Processing incoming packet of size 81 on transaction 22399 (rcode=SUCCESS).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 40s on wlo1/INET/192.168.86.1
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 40s on wlo1/INET/192.168.86.1
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Regular transaction 22399 for <keyserver.ubuntu.com IN A> on scope dns on wlo1/* now complete with <success> from network (unsigned; non-confidential).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 105, ifindex=3, ttl=0, fragsize=0, sender=192.168.86.1, destination=192.168.86.239
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Processing incoming packet of size 105 on transaction 54496 (rcode=SUCCESS).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN AAAA 567s on wlo1/INET/192.168.86.1
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN AAAA 567s on wlo1/INET/192.168.86.1
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Regular transaction 54496 for <keyserver.ubuntu.com IN AAAA> on scope dns on wlo1/* now complete with <success> from network (unsigned; non-confidential).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Freeing transaction 22399.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Sending message: {"parameters":{"addresses":[{"ifindex":3,"family":10,"address":[38,32,0,45,64,0,16,7,0,0,0,0,0,0,7,12]},{"ifindex":3,"family":10,"address":[38,32,0,45,64,0,16,7,0,0,0,0,0,0,13,67]},{"ifindex":3,"family":2,"address":[185,125,188,27]},{"ifindex":3,"family":2,"address":[185,125,188,26]}],"name":"keyserver.ubuntu.com","flags":8388609}}
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Changing state pending-method → idle-server
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Freeing transaction 54496.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Got POLLHUP from socket.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Changing state idle-server → pending-disconnect
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Changing state pending-disconnect → processing-disconnect
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Changing state processing-disconnect → disconnected
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 105, ifindex=3, ttl=0, fragsize=0, sender=45.90.28.0, destination=192.168.86.239
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Processing incoming packet of size 105 on transaction 6170 (rcode=SUCCESS).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN AAAA 293s on wlo1/INET/45.90.28.0
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN AAAA 293s on wlo1/INET/45.90.28.0
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Regular transaction 6170 for <keyserver.ubuntu.com IN AAAA> on scope dns on */* now complete with <success> from network (unsigned; non-confidential).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Freeing transaction 6170.
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Received dns UDP packet of size 81, ifindex=3, ttl=0, fragsize=0, sender=45.90.28.0, destination=192.168.86.239
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Processing incoming packet of size 81 on transaction 4613 (rcode=SUCCESS).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 600s on wlo1/INET/45.90.28.0
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Added positive unauthenticated non-confidential cache entry for keyserver.ubuntu.com IN A 600s on wlo1/INET/45.90.28.0
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Regular transaction 4613 for <keyserver.ubuntu.com IN A> on scope dns on */* now complete with <success> from network (unsigned; non-confidential).
Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: Freeing transaction 4613.
in the systemd-resolved logs, however the gpg command hangs at
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: enabled compatibility flags:
gpg: DBG: [no clock] start
gpg: DBG: chan_3 <- # Home: /home/solonovamax/.gnupg
gpg: DBG: chan_3 <- # Config: /home/solonovamax/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.4.7 at your service, process 28929
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.4.7
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear https://keyserver.ubuntu.com
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- B420FD3777CCE3A7F0076B55C85668DF69375001
forever (from what I can tell), and dirmngr needs to be killed with
pkill -9 dirmngr
or else it just won't exit.
if there's any more info that is needed, please let me know.
Offline
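Added example, not part of the original posts: a small Python helper for reading the two logs quoted above. It pairs each dirmngr request with its final reply to show how long KS_GET ran before failing, and decodes the address byte arrays in the systemd-resolved varlink reply so they can be compared with the nslookup output. The function names and the 5-second threshold are assumptions of this example; the sample lines are copied from the post.

```python
import ipaddress
import json
import re
from datetime import datetime

# Lines copied from the dirmngr.log excerpt quoted in the post above.
DIRMNGR_LOG = """\
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> OK Dirmngr 2.4.7 at your service, process 21123
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 <- GETINFO version
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> D 2.4.7
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 -> OK
2025-03-07 14:26:32 dirmngr[21123.6] DBG: chan_6 <- KS_GET -- 0xB420FD3777CCE3A7F0076B55C85668DF69375001
2025-03-07 14:26:42 dirmngr[21123.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
2025-03-07 14:26:42 dirmngr[21123.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2025-03-07 14:26:42 dirmngr[21123.6] DBG: chan_6 <- BYE
2025-03-07 14:26:42 dirmngr[21123.6] DBG: chan_6 -> OK closing connection
"""

# The "Sending message" journal line from the standard-resolver run in the post above.
RESOLVED_LINE = (
    'Mar 07 15:09:28 solo-laptop systemd-resolved[12376]: varlink-28-28: Sending message: '
    '{"parameters":{"addresses":['
    '{"ifindex":3,"family":10,"address":[38,32,0,45,64,0,16,7,0,0,0,0,0,0,7,12]},'
    '{"ifindex":3,"family":10,"address":[38,32,0,45,64,0,16,7,0,0,0,0,0,0,13,67]},'
    '{"ifindex":3,"family":2,"address":[185,125,188,27]},'
    '{"ifindex":3,"family":2,"address":[185,125,188,26]}],'
    '"name":"keyserver.ubuntu.com","flags":8388609}}'
)

# In dirmngr's own log "<-" is a request from the client (gpg) and "->" is
# dirmngr's reply; the arrows are reversed in gpg's debug output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dirmngr\[(?P<pid>\d+)\.(?P<fd>\d+)\] "
    r"DBG: (?P<chan>chan_\d+) (?P<dir><-|->) (?P<body>.*)$"
)


def command_latencies(log_text):
    """Pair each request with its final OK/ERR reply on the same channel.

    Returns (command, seconds, status) tuples in completion order.
    """
    pending = {}  # (pid, fd, chan) -> (command, start time)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "command 'KS_GET' failed: ..." carries no channel
        words = m["body"].split()
        if not words:
            continue
        key = (m["pid"], m["fd"], m["chan"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["dir"] == "<-":
            pending[key] = (words[0], ts)
        elif key in pending and words[0] in ("OK", "ERR"):
            # "D ..." data lines and "# ..." comments are not final replies.
            command, start = pending.pop(key)
            status = "OK" if words[0] == "OK" else " ".join(words[:2])
            results.append((command, (ts - start).total_seconds(), status))
    return results


def timeout_suspects(latencies, min_seconds=5.0):
    """Failed commands that ran at least min_seconds (assumed threshold).

    A failure after a long, repeatable wait is consistent with a timeout
    inside dirmngr rather than a prompt error from the keyserver.
    """
    return [r for r in latencies if r[2] != "OK" and r[1] >= min_seconds]


def resolved_addresses(journal_line):
    """Decode the byte arrays of a systemd-resolved varlink reply."""
    payload = json.loads(journal_line.split("Sending message: ", 1)[1])
    decoded = []
    for entry in payload["parameters"]["addresses"]:
        addr = ipaddress.ip_address(bytes(entry["address"]))
        # Linux address families: AF_INET = 2, AF_INET6 = 10.
        expected = 6 if entry["family"] == 10 else 4
        if addr.version != expected:
            raise ValueError(f"family/length mismatch in {entry!r}")
        decoded.append(str(addr))
    return decoded


if __name__ == "__main__":
    for command, seconds, status in command_latencies(DIRMNGR_LOG):
        print(f"{command:8} {seconds:5.1f}s  {status}")
    print("timeout suspects:", timeout_suspects(command_latencies(DIRMNGR_LOG)))
    print("resolved:", resolved_addresses(RESOLVED_LINE))
```

The decoded addresses can be compared directly with the nslookup answer in the same post, and the KS_GET duration with the timestamps in dirmngr.log.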
Burrowed in the systemd-resolved logs are hints that the DNS resolution is done via
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Using DNS server 45.90.28.0#solo-laptop-a6b773.dns.nextdns.io for transaction 28695.
and "nextdns.io" is advertising itself as "NextDNS - The new firewall for the modern Internet".
Is this configuration intended and the same for the other PCs on which gpg works?
Offline
Burrowed in the systemd-resolved logs are hints that the DNS resolution is done via
Mar 07 14:58:40 solo-laptop systemd-resolved[12376]: Using DNS server 45.90.28.0#solo-laptop-a6b773.dns.nextdns.io for transaction 28695.
and "nextdns.io" is advertising itself as "NextDNS - The new firewall for the modern Internet".
Is this configuration intended and the same for the other PCs on which gpg works?
I believe it is the case, however even if it isn't I don't think dns is the issue because
- when using 1.1.1.1 as my dns, it still did not work
- when contacting the ip address directly, it still did not work
- I was able to resolve the ip address for the domain name
further, in my nextdns configuration, I have all firewall features disabled. they also offer web3 features as well (yuck), which I have also disabled. I just checked, and the only feature I have enabled is to "allow affiliate & tracking links", aka to not block those.
I can test later if changing it to instead use 1.1.1.1 would allow it through, however I doubt this will have any effect.
Last edited by solonovamax (2025-03-09 03:49:54)
Offline
O.K.
Just a couple of things you can try:
- Temporarily remove your dirmngr.conf
- prepend a "0x" to the key number ("0xB420FD3777CCE3A7F0076B55C85668DF6937500")
- use the IP address "185.125.188.26" instead of "keyserver.ubuntu.com".
Offline
I would primarily test w/o nextdns altogether, primarily because of the fw.
And/also check netfilter/iptables …errr… tables.
Offline
sorry, this took me a hot minute to get to.
I'd previously tried looking to see if iptables or anything was disrupting it, but forgot to include it in the original post.
Note: after each test, I returned the environment to what it was previously (and also made sure to restart dirmngr where appropriate)
$ mv dirmngr.conf dirmngr.conf.bak
renamed 'dirmngr.conf' -> 'dirmngr.conf.bak'
$ pkill dirmngr
$ gpg --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
$ gpg --recv-keys 0xB420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
Technically I already did this before with the "dig +short keyserver.ubuntu.com | head -n1" command, but I'll do it again with the ip address directly
$ gpg --keyserver 185.125.188.26 --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: No keyserver available
I edited /etc/systemd/resolved.conf and replaced
DNS=45.90.28.0#[...].dns.nextdns.io
DNS=2a07:a8c0::#[...].dns.nextdns.io
DNS=45.90.30.0#[...].dns.nextdns.io
DNS=2a07:a8c1::#[...].dns.nextdns.io
with
DNS=1.1.1.1#cloudflare-dns.com
DNS=2606:4700:4700::1111#cloudflare-dns.com
$ sudo nano /etc/systemd/resolved.conf
$ sudo systemctl restart systemd-resolved.service
$ sudo rm -rf /etc/resolv.conf
$ sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
$ gpg --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
I believe that if there's any firewall rules, they should be listed here:
$ sudo iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER 0 -- 0.0.0.0/0 0.0.0.0/0
DOCKER-FORWARD 0 -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-BRIDGE (1 references)
target prot opt source destination
DOCKER 0 -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-CT (1 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain DOCKER-FORWARD (1 references)
target prot opt source destination
DOCKER-CT 0 -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 0 -- 0.0.0.0/0 0.0.0.0/0
DOCKER-BRIDGE 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 0 -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN 0 -- 0.0.0.0/0 0.0.0.0/0
Also, I believe that all the different *tables services (and other firewall services) are disabled:
$ systemctl status iptables.service
○ iptables.service - IPv4 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
Active: inactive (dead)
$ systemctl status ip6tables.service
○ ip6tables.service - IPv6 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; preset: disabled)
Active: inactive (dead)
$ systemctl status nftables.service
○ nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
$ systemctl status ufw
○ ufw.service - CLI Netfilter Manager
Loaded: loaded (/usr/lib/systemd/system/ufw.service; disabled; preset: disabled)
Active: inactive (dead)
(is there maybe some better way to test if there is smth else I forgot about, like via an nmap scan or smth?)
Offline
gpg --keyserver 185.125.188.26 --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: No keyserver available
nmap -p 80,443,11371 185.125.188.26
ip r get 185.125.188.26
Offline
nmap -p 80,443,11371 185.125.188.26
ip r get 185.125.188.26
sorry for the long response again, I didn't see the email for this and then forgored about it. Here's the output of those commands:
$ nmap -p 80,443,11371 185.125.188.26
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-16 13:47 EDT
Nmap scan report for keyserver.ubuntu.com (185.125.188.26)
Host is up (0.082s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
11371/tcp open pksd
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
$ ip r get 185.125.188.26
185.125.188.26 via 192.168.86.1 dev wlo1 src 192.168.86.239 uid 1000
cache
it definitely doesn't seem to be an issue with port blocking, as nmap is able to see it.
this issue seems to be somehow isolated entirely to gnupg tools (since dirmngr belongs to gnupg), but I have absolutely no clue why??
also I forgot to mention it in the original post, but on both my desktop and my laptop
- the /etc/gnupg directory does not exist which, afaik, is the global config
- the $GNUPGHOME environment variable is unset (if this exists, then gnupg tools will look here for configuration, otherwise they look in ~/.gnupg)
- ~/.gnupg/common.conf does not exist, which is a config file shared between all tools
so I don't think this is caused by some funny configuration?
this is completely baffling me as to what the issue is...
also also, I forgot to mention this as well, but this happens with (from what I can tell) all keys. not just this specific one.
Last edited by solonovamax (2025-03-16 18:02:40)
Offline
Try adding "--keyserver-options timeout=100" to see whether it's just "you're too slow"…
Also are you behind/do you configure a proxy?
printenv | grep -i proxy
And what do you get for "gpg --refresh-keys"?
Did you play around w/ TOR?
Offline
Try adding "--keyserver-options timeout=100" to see whether it's just "you're too slow"…
as per the gpg configuration options page, that option is deprecated and now does nothing (as of gnupg 2.1).
instead, I've added the following to my ~/.gnupg/dirmngr.conf (options found on the dirmngr options page):
resolver-timeout 100
connect-timeout 100
connect-quick-timeout 100
the result is:
$ gpg --recv-keys B420FD3777CCE3A7F0076B55C85668DF69375001
gpg: keyserver receive failed: Server indicated a failure
this command takes 10 seconds to execute, exactly the same as before.
Also are you behind/do you configure a proxy?
nope, no proxy.
printenv | grep -i proxy
outputs nothing.
And what do you get for "gpg --refresh-keys"?
took a while to complete. (according to the logs, 3 minutes and 30 seconds. unsure why it took that specific amount of time. if it took 10 seconds per key, then for 30 keys that would have been exactly 5 minutes, so I'm not sure why it ended up taking this long. who knows.)
$ gpg --refresh-keys
gpg: refreshing 30 keys from hkps://keyserver.ubuntu.com
gpg: keyserver refresh failed: Server indicated a failure
here are the dirmngr logs (note: there are some logs included from some previous attempts the other day to fetch the key, but I felt like including the full logs):
2025-03-16 13:59:50 dirmngr[18306.0] permanently loaded certificates: 150
2025-03-16 13:59:50 dirmngr[18306.0] runtime cached certificates: 0
2025-03-16 13:59:50 dirmngr[18306.0] trusted certificates: 150 (150,0,0,0)
2025-03-16 13:59:50 dirmngr[18306.6] handler for fd 6 started
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 -> # Home: /home/solonovamax/.gnupg
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 -> # Config: /home/solonovamax/.gnupg/dirmngr.conf
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 -> OK Dirmngr 2.4.7 at your service, process 18306
2025-03-16 13:59:50 dirmngr[18306.6] connection from process 18305 (1000:1000)
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 <- GETINFO version
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 -> D 2.4.7
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 -> OK
2025-03-16 13:59:50 dirmngr[18306.6] DBG: chan_6 <- KS_GET -- 0xB420FD3777CCE3A7F0076B55C85668DF69375001
2025-03-16 14:00:00 dirmngr[18306.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
2025-03-16 14:00:00 dirmngr[18306.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2025-03-16 14:00:00 dirmngr[18306.6] DBG: chan_6 <- BYE
2025-03-16 14:00:00 dirmngr[18306.6] DBG: chan_6 -> OK closing connection
2025-03-16 14:00:00 dirmngr[18306.6] handler for fd 6 terminated
2025-03-16 21:30:16 dirmngr[18306.0] running scheduled tasks
2025-03-18 11:07:41 dirmngr[38420.0] permanently loaded certificates: 150
2025-03-18 11:07:41 dirmngr[38420.0] runtime cached certificates: 0
2025-03-18 11:07:41 dirmngr[38420.0] trusted certificates: 150 (150,0,0,0)
2025-03-18 11:07:41 dirmngr[38420.6] handler for fd 6 started
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 -> # Home: /home/solonovamax/.gnupg
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 -> # Config: /home/solonovamax/.gnupg/dirmngr.conf
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 -> OK Dirmngr 2.4.7 at your service, process 38420
2025-03-18 11:07:41 dirmngr[38420.6] connection from process 38418 (1000:1000)
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 <- GETINFO version
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 -> D 2.4.7
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 -> OK
2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 <- KS_GET -- 0xB420FD3777CCE3A7F0076B55C85668DF69375001
2025-03-18 11:07:51 dirmngr[38420.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
2025-03-18 11:07:51 dirmngr[38420.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2025-03-18 11:07:51 dirmngr[38420.6] DBG: chan_6 <- BYE
2025-03-18 11:07:51 dirmngr[38420.6] DBG: chan_6 -> OK closing connection
2025-03-18 11:07:51 dirmngr[38420.6] handler for fd 6 terminated
2025-03-18 11:07:57 dirmngr[38420.6] handler for fd 6 started
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> # Home: /home/solonovamax/.gnupg
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> # Config: /home/solonovamax/.gnupg/dirmngr.conf
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> OK Dirmngr 2.4.7 at your service, process 38420
2025-03-18 11:07:57 dirmngr[38420.6] connection from process 38500 (1000:1000)
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 <- GETINFO version
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> D 2.4.7
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> OK
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 <- KEYSERVER
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> S KEYSERVER hkps://keyserver.ubuntu.com
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 -> OK
2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 <- KS_GET -- 0xA88441BD4864F95BEE08E63A71EB474019940E11 0x248097092B458509C508DAC0350585C4E9518F26 0x19882D92DDA4C400C22C0D56CC2AF4472167BE03 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0xABBAD1CB484F53024CF5868B69332F9203F21F5C 0xF9A211976ED662F00E59361E5E3C45D7B312C643 0x3E09F5908333DD83DBDCE7375680CA389D365A88 0xD3A93CAD751C2AF4F8C7AD516C35B99309B5FA62 0x13975A70E63C361C73AE69EF6EEB81F8981C74C7 0x86CFFCA918CF3AF47147588051E8B148A9999C34 0xF3691687D867B81B51CE07D9BBE43771487328A9 0x060C6B7D3869F148C4C4ACD43C9BE9B64EC1EA64 0xD81C0CB38EB725EF6691C385BB463350D6EF31EF 0xF23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87 0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7 0x7C35920F1CE2899E8EA9AAD02E7C0367B9BFA089 0x6B42D40B4CC6B3018F2AF209ED0FC2D44CD76482 0x6A5571928D2222D83BC7456E4EDE055B645F044F 0x748231EBCBD808A14F5E85D28C004C2F93481F6B 0x7B74D1299568B586BA9962B5649E4D4AF74E7DEC 0xFCF986EA15E6E293A5644F10B4322F04D67658D8
2025-03-18 11:11:27 dirmngr[38420.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
2025-03-18 11:11:27 dirmngr[38420.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2025-03-18 11:11:27 dirmngr[38420.6] DBG: chan_6 <- BYE
2025-03-18 11:11:27 dirmngr[38420.6] DBG: chan_6 -> OK closing connection
2025-03-18 11:11:27 dirmngr[38420.6] handler for fd 6 terminated
2025-03-18 11:12:21 dirmngr[38420.0] SIGTERM received - shutting down ...
2025-03-18 11:12:21 dirmngr[38420.0] dirmngr (GnuPG) 2.4.7 stopped
Did you play around w/ TOR?
nope
Last edited by solonovamax (2025-03-18 15:32:00)
Offline
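An added example, not part of the thread and not GnuPG's own tooling: a small Python parser for the dirmngr log format posted above that pairs each KS_GET request with its failure line and reports the elapsed time per requested key. The function name is an assumption, and the sample log is constructed (placeholder fingerprints, timestamps shaped like those in the post).

```python
import re
from datetime import datetime

# Line shape taken from the log in the post: "<date> <time> dirmngr[<pid>.<fd>] <message>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dirmngr\[(?P<pid>\d+)\.(?P<fd>\d+)\] (?P<msg>.*)$")
REQUEST = re.compile(r"DBG: chan_\d+ <- KS_GET -- (?P<keys>.+)$")
FAILURE = re.compile(r"command 'KS_GET' failed: (?P<reason>.+)$")


def ks_get_failures(log_text):
    """Return one record per failed KS_GET: key count, seconds elapsed, seconds per key."""
    pending = {}  # (pid, fd) -> (request time, number of fingerprints requested)
    failures = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        when = datetime.strptime(line["ts"], "%Y-%m-%d %H:%M:%S")
        handler = (line["pid"], line["fd"])
        request = REQUEST.search(line["msg"])
        if request:
            pending[handler] = (when, len(request["keys"].split()))
            continue
        failure = FAILURE.search(line["msg"])
        if failure and handler in pending:
            started, key_count = pending.pop(handler)
            elapsed = (when - started).total_seconds()
            failures.append({
                "keys": key_count,
                "elapsed_s": elapsed,
                "per_key_s": elapsed / key_count,
                "reason": failure["reason"],
            })
    return failures


# Constructed sample: placeholder fingerprints, timestamps shaped like the posted log.
_ONE = "0x" + "A" * 40
_MANY = " ".join(f"0x{i:040X}" for i in range(1, 22))  # 21 placeholder fingerprints
SAMPLE_LOG = "\n".join([
    f"2025-03-18 11:07:41 dirmngr[38420.6] DBG: chan_6 <- KS_GET -- {_ONE}",
    "2025-03-18 11:07:51 dirmngr[38420.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>",
    "2025-03-18 11:07:51 dirmngr[38420.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>",
    f"2025-03-18 11:07:57 dirmngr[38420.6] DBG: chan_6 <- KS_GET -- {_MANY}",
    "2025-03-18 11:11:27 dirmngr[38420.6] command 'KS_GET' failed: Server indicated a failure <Unspecified source>",
])

if __name__ == "__main__":
    for record in ks_get_failures(SAMPLE_LOG):
        print(record)
```

In the log posted above, the refresh KS_GET lists 21 fingerprints and fails 210 seconds later, which is the same 10 seconds per key as the single-key requests.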
Yubikey, oversized MTU (jumbo frames), VPN?
Any success using the IPv6
gpg --keyserver hkps://2620:2d:4000:1007::d43 …
?
Offline