* dirmngr/crlcache.c: Clearly document that this fucntions takes
ownership of MD.
(abort_sig_check): Allow NULL for MD.
(crl_parse_insert): Immediately set MD to NULL. Remove check for md
before a calling abort_sig_check.
--
GnuPG-bug-id: 3510
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-http.c (ks_http_fetch): Forbid redirects from
a https URI to a http URI.
--
GnuPG-bug-id: 3436
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* dirmngr/certcache.c (any_cert_of_class): New var.
(put_cert): Set it.
(cert_cache_deinit): Clear it.
(cert_cache_any_in_class): New func.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to
override empty list of HKP certs.
--
This patch carries the changes for GNUTLS from commit
7c1613d41566f7d8db116790087de323621205fe over to NTBTLS. NTBTLS works
quite different and thus we need to do it this way.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/gpg-agent.c (have_homedir_inotify): New var.
(reliable_homedir_inotify): New var.
(main): Set reliable_homedir_inotify.
(handle_tick): Call stat on the homedir.
(handle_connections): Mark availibility of the inotify watch.
* dirmngr/dirmngr.c (handle_tick): Call stat on the homedir.
(TIMERTICK_INTERVAL_SHUTDOWN): New.
(handle_connections): Depend tick interval on the shutdown state.
--
The stat call is used on systems which do not support inotify and also
when we assume that the inotify does not work reliable.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/gpg-agent.c (main): Always to the chdir.
* dirmngr/dirmngr.c (main): Ditto.
* scd/scdaemon.c (main): Ditto.
--
Note that only dirmngr did not call the chdir with --no-detach. thus
we kept it this way.
Tested gpg-agent by checking the properties shown by procexp.
Gnupg-bug-id: 2670
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/server.c (cmd_wkd_get): Print a SOURCE status.
--
This status allows to see whether the the WKD requests has been
resolved from the standard address or from a SRV record derived one.
We return only host and port and not the .well-known suffix because
that is obvious. HTTP redirects are not taken in account because they
may chnage at any time due to load balancing etc and not relevant for
gpg which may use the URL to detect changes in the WKD results.
For example my current setup returns
S SOURCE https://wkd.gnupg.org
for wk@gnupg.org. Without a SRV record
S SOURCE https://gnupg.org
would have been returned.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/gpg-agent.c [HAVE_W32_SYSTEM]: Include <direct.h>.
(main) [HAVE_W32_SYSTEM]: Change working directory to \.
* dirmngr/dirmngr.c [HAVE_W32_SYSTEM]: Include <direct.h>.
(main) [HAVE_W32_SYSTEM]: Change working directory to \.
* scd/scdaemon.c [HAVE_W32_SYSTEM]: Include <direct.h>.
(main) [HAVE_W32_SYSTEM]: Change working directory to \.
Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2670
* dirmngr/dns.c (HAVE_STATIC_ASSERT, HAVE___ATOMIC_FETCH_ADD)
(DNS_HAVE_SOCKADDR_UN, HAVE_SOCK_NONBLOCK): Don't use defined
to be expanded for expression evaluation.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/http.c (send_request): If a http proxy is to be used, and we
want to use TLS, try to use the CONNECT method to get a connection to
the target server.
GnuPG-bug-id: 2940
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/http.c (http_wait_response): Get the 'use_tls' flag from the
write cookie, not from the URI.
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/http.c (send_request): Do not use the 'srvtag' intended for
the target host to connect to the http proxy.
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/http.c (parse_uri): Keep an unmodified copy of the URI.
* dirmngr/http.h (struct parsed_uri_s): New field 'original'.
* dirmngr/ks-action.c (ks_action_get): Properly handle http and https
URLs.
--
If a key has a http or https URL as preferred keyserver, fetch the key
from there. Previously, dirmngr unconditionally interpreted these
URLs as hkp servers.
GnuPG-bug-id: 2924
Signed-off-by: Justus Winter <justus@g10code.com>
--
This double license note was accidentally added while only wanting to
add another copyright line.
Fixes-commit: 3419a339d9c4e800bf30e9021e05982d8c1021c1
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-hkp.c (enum ks_protocol): New type.
(struct hostinfo_s): New flags indicating whether we already did a
A lookup, or a SRV lookup per protocol. Turn 'port' into an array.
(create_new_hostinfo): Initialize new fields.
(add_host): Update the port for the given protocol.
(map_host): Simplify hosttable lookup misses. Check the SRV records
for both protocols on demand, do the A lookup just once. Return the
correct port.
--
Previously, if a host had both a SRV record for hkp and hkps, the
wrong port was used for the protocol that was used second, because the
hostinfo did not store a port per protocol, and the hosttable does not
discriminate between hosts using the protocol.
Fix this by querying the SRV records on demand, storing a port per
protocol, and returning the right port.
GnuPG-bug-id: 3033
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/ks-engine-hkp.c (struct hostinfo_s): Add explicit length and
size fields.
(MAX_POOL_SIZE): New macro.
(create_new_hostinfo): Initialize new fields.
(host_in_pool_p): Adapt.
(select_random_host): Likewise.
(add_host): Likewise. Move the resizing logic here.
(hostinfo_sort_pool): New function.
(map_host): Simplify. Move the resizing logic away from here.
(ks_hkp_mark_host): Adapt.
(ks_hkp_print_hosttable): Likewise.
--
The current code assumes that the pool array is only filled when the
hostinfo object is created. This patch removes that limitation.
GnuPG-bug-id: 3033
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/dns.c (dns_so_check): Reinitialize sockets on address family
mismatch.
(enum dns_res_state): New states for querying over IPv6.
(dns_res_exec): Implement the new states by copying and modifying the
IPv4 variants. Branch to their respective counterparts if the current
list of resolvers using the current address family is exhausted.
--
This allows dirmngr to resolve names on systems where the nameservers
are only reachable via IPv6.
GnuPG-bug-id: 2990
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/dirmngr.c (oConnectTimeout, oConnectQuickTimeout): New
enums.
(opts): New options --connect-timeout and --connect-quick-timeout.
(DEFAULT_CONNECT_TIMEOUT): New.
(DEFAULT_CONNECT_QUICK_TIMEOUT): New.
(parse_rereadable_options): Handle new options.
(post_option_parsing): New. Use instead of direct calls to
set_debug() and set_tor_mode ().
(main): Setup default timeouts.
(dirmngr_init_default_ctrl): Set standard connect timeout.
* dirmngr/dirmngr.h (opt): New fields connect_timeout and
connect_quick_timeout.
(server_control_s): New field timeout.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Pass timeout to
http_raw_connect.
* dirmngr/ks-engine-hkp.c (send_request): Call
http_session_set_timeout.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/server.c (cmd_wkd_get, cmd_ks_search, cmd_ks_get)
(cmd_ks_fetch): Implement --quick option.
--
The standard connect timeouts are way to long so we add a timeout to
the connect calls. Also implement the --quick option which is already
used by gpg for non-important requests (e.g. looking up a key for
verification).
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.c: Include fcntl.h.
(http_session_s): Add field 'connect_timeout'.
(http_session_new): Clear that.
(http_session_set_timeout): New function.
(my_wsagetlasterror) [W32]: New.
(connect_with_timeout): New function.
(connect_server): Add arg 'timeout' and call connect_with_timeout.
(send_request): Add arg 'timeout' and pass it to connect_server.
(http_raw_connect): Add arg 'timeout'.
(http_open): Pass TIMEOUT from the session to connect_server.
--
Note that the non-blocking connect we implement is traditional a
pretty non-portable thing due to slighly different semantics. The
code uses the strategy W. Richard Stevens suggested in 1998.
Hopefully current OS versions got it all right.
The code has not been tested on Windows.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c: Include sys/stat.h.
(RESOLV_CONF_NAME): New macro to replace a string.
(resolv_conf_changed_p): New.
(libdns_init): Call new function
(libdns_res_open): Ditto.
--
Don't panic. This is a simple change
Suggested-by: Stefan Bühler <stbuehler@web.de>
to avoid complicated if-up.d hooks to reload resolv.conf.
Signed-off-by: Werner Koch <wk@gnupg.org>
Summary:
* dirmngr/ldap-wrapper-ce.c (outstream_cookie_s): Add buffer_read_pos.
(buffer_get_data): Use seperate read pos.
--
Using a single buffer pos for reading and writing caused the read
to return 0 as it read from the end of the buffer. Now we use
a seperate reader position.
Differential: D427
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* dirmngr/http.c (read_server, write_server): Use assuan_fd_t.
(http_wait_response): Use FD2INT to get unsigned integer fd.
(read_server, write_server): Likewise.
(simple_cookie_read, simple_cookie_write): Use assuan_fd_t.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/http.c (simple_cookie_read, simple_cookie_write): Only
valid with HTTP_USE_NTBTLS.
(_my_socket_new): Simply cast to int since it's for debug.
(_my_socket_ref, _my_socket_unref): Likewise.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/dns-stuff.c (T_CERT): Define our own.
--
T_CERT may be defined by another enum type even if the value is same.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/dns-stuff.c: Don't include arpa/nameser.h.
--
It is not needed at all. T_CERT may be defined by different type of
ns_type.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/dns.c (plus1_ns): New.
(dns_p_push): Use it.
--
On OpenBSD, htons and ntohs are expanded to GCC's statement
expressions where local variable is allowed. Consecutive use
of htons and ntohs causes problem of variable name.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/dirmngr.h (struct opt): Add field 'disable_ipv6'.
* dirmngr/dirmngr.c (oDisableIPv6): New const.
(opts): New option --disable-ipv6.
(parse_rereadable_options): Set that option.
* dirmngr/dns-stuff.c (opt_disable_ipv6): New var.
(set_dns_disable_ipv6): New.
(resolve_name_standard): Make use of it.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Take care of
OPT.DISABLE_IPV6.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (libdns_init): No Windows specific handling of a
missing /etc/hosts.
--
My last comment on this was flawed. Windows seems to always have its
version of /etc/hosts. Only the en passant fixed bad escaping led me
assume that this was the case. Thanks to Andre for complaining about
my comment remark.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (libdns_init): Do not bail out.
--
A standard Windows installation does not have a hosts file and thus we
can't bail out here. We should also not bail out on a Unix system
because /etc/hosts is just one method in nsswitch.conf.
Fixes-commit: 88f1505f0613894d5544290a170119eb538921e5
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (libdns_init): Actually load the hosts file into
libdns.
--
Previously, connecting to key servers specified in /etc/hosts was not
possible because libdns' hosts structure was initialized, but not
filled with the content of the hosts file.
GnuPG-bug-id: 2977
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/t-http.c (my_http_tls_verify_cb): Avoid warnings when not
using ntbtls.
--
Without this patch, when building without ntbtls, we see the following
warnings during "make check":
t-http.c: In function ‘my_http_tls_verify_cb’:
t-http.c:141:16: warning: implicit declaration of function
‘ntbtls_x509_get_peer_cert’ [-Wimplicit-function-declaration]
(cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
^~~~~~~~~~~~~~~~~~~~~~~~~
t-http.c:141:14: warning: assignment makes pointer from integer
without a cast -Wint-conversion]
(cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
^
At top level:
t-http.c:123:1: warning: ‘my_http_tls_verify_cb’ defined but not
used [-Wunused-function]
my_http_tls_verify_cb (void *opaque,
^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* dirmngr/dirmngr.h (DBG_EXTPROG_VALUE, DBG_EXTPROG): New macros.
* dirmngr/dirmngr.c (debug_flags): Add flag "extprog".
(handle_connections): Use a macro instead of -1 for an invalid socket.
* dirmngr/loadswdb.c (verify_status_cb): Debug the gpgv call.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function. Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context. Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.
* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--
Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it. If this is not desired, the the standard cert can be removed or
replaced by a newer one.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.c (hkp_cacert_filenames): New var.
(parse_rereadable_options): Store filenames from --hkp-cacert in the
new var.
(main, dirmngr_sighup_action): Pass that var to cert_cache_init.
* dirmngr/certcache.c (cert_cache_init): Add arg 'hkp_cacert' and load
those certs.
(load_certs_from_file): Use autodetect so that PEM and DER encodings
are possible.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/certcache.c (load_certs_from_file): Always build this
function. Add args 'trustclasses' and 'no_error'. Pass TRUSTCLASSES
to put_cert.
(load_certs_from_system): Pass CERTTRUST_CLASS_SYSTEM to
load_certs_from_file.
(cert_cache_init): Try to load "sks-keyservers.netCA.pem". Don't make
function fail in an out-of-core condition.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/certcache.h (CERTTRUST_CLASS_SYSTEM): New.
(CERTTRUST_CLASS_CONFIG): New.
(CERTTRUST_CLASS_HKP): New.
(CERTTRUST_CLASS_HKPSPOOL): New.
* dirmngr/certcache.c (MAX_EXTRA_CACHED_CERTS): Rename to ...
(MAX_NONPERM_CACHED_CERTS): this.
(total_extra_certificates): Rename to ...
(total_nonperm_certificates): this.
(total_config_certificates): Remove.
(total_trusted_certificates): Remove.
(total_system_trusted_certificates): Remove.
(cert_item_s): Remove field 'flags'. Add fields 'permanent' and
'trustclasses'.
(clean_cache_slot): Clear new fields.
(put_cert): Change for new cert_item_t structure.
(load_certs_from_dir): Rename arg 'are_trusted' to 'trustclass'
(load_certs_from_file): Use CERTTRUST_CLASS_ value for put_cert.
(load_certs_from_w32_store): Ditto.
(cert_cache_init): Ditto.
(cert_cache_print_stats): Rewrite.
(is_trusted_cert): Replace arg 'with_systrust' by 'trustclasses'.
Chnage the test.
* dirmngr/validate.c (allowed_ca): Pass CERTTRUST_CLASS_CONFIG to
is_trusted_cert.
(validate_cert_chain): Pass CERTTRUST_CLASS_ values to
is_trusted_cert.
--
These trust classes make it easier to select certain sets of root
certificates.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): New option --no-crl.
--
This new option can be used to enable CRL checks on a per session
base. The default is not to use CRLs for https connections.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.c (HTTP_SESSION_MAGIC): New.
(http_session_s): New field 'magic'.
(HTTP_CONTEXT_MAGIC): New.
(http_context_s): New field 'magic'.
(my_ntbtls_verify_cb): Assert MAGIC.
(fp_onclose_notification): Ditto.
(session_unref): Ditto. Reset MAGIC.
(http_session_new): Set MAGIC.
(http_open): Ditto.
(http_raw_connect): Ditto.
(http_close): Assert MAGIC. Reset MAGIC.
* dirmngr/t-http.c (my_http_tls_verify_cb): MArk HTTP_FLAGS unused.
--
We pass those handles through opaque pointers. The magic numbers will
help to detect wrong use.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback. Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/certcache.h (certlist_s, certlist_t): New.
* dirmngr/certcache.c (read_certlist_from_stream): New.
(release_certlist): New.
* dirmngr/server.c (MAX_CERTLIST_LENGTH): New.
(cmd_validate): Add options --tls and --systrust. Implement them
using a kludge for now.
* dirmngr/validate.c (validate_cert_chain): Support systrust
checking. Add kludge to disable the CRL checking for tls mode.
--
This can now be used to test a list of certificates as returned by
TLS. Put the certs PEM encoded into a a file certlist.pem with the
target certificate being the first. Then run
gpg-connect-agent --dirmngr \
'/definqfile CERTLIST wiki-gnupg-chain.pem' \
'validate --systrust --tls' /bye
CRLS check has been disabled becuase we can't yet pass the systrust
flag to the CRL checking code.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/validate.c (enum cert_usage_modes): New.
(cert_usage_p): Change type of arg MODE. Use enums instead of
hardwired values. Use a switch instead of tricky bit tests.
(cert_use_cert_p, cert_use_ocsp_p, cert_use_crl_p): Adjust.
* dirmngr/validate.c (cert_usage_p): Rename to check_cert_usage.
(cert_use_cert_p): Rename to check_cert_use_cert.
(cert_use_ocsp_p): Rename to check_cert_use_ocsp.
(cert_use_crl_p): Rename to check_cert_use_crl.
* dirmngr/validate.h (VALIDATE_MODE_CERT_SYSTRUST): New.
(VALIDATE_MODE_TLS, VALIDATE_MODE_TLS_SYSTRUST): New.
--
A function with a "_p" suffix return 0 for a True just looks weird.
We now use names which better indicate that an error code is returned.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/certcache.c (CERTOPENSYSTEMSTORE) [W32]: New type.
(CERTENUMCERTIFICATESINSTORE) [W32]: New type.
(CERTCLOSESTORE) [W32]: New type.
(load_certs_from_file) [W32]: Do not build.
(load_certs_from_w32_store) [W32]: New.
(load_certs_from_system) [W32]: Call new function.
--
GnuTLS loads the system certificates from the "ROOT" and "CA" store;
thus we do the same. On a Visa box you may for example see 21 from
"ROOT" and 6 from "CA".
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Add option --default-trust-store.
(DEFAULT_TRUST_STORE_FILE): New ac_define.
* dirmngr/certcache.c: Include ksba-io-support.h.
(total_trusted_certificates, total_system_trusted_certificates): New.
(put_cert): Manage the new counters.
(cert_cache_deinit): Reset them.
(cert_cache_print_stats): Print them.
(is_trusted_cert): Add arg WITH_SYSTRUST. Change all callers to pass
false.
(load_certs_from_file): New.
(load_certs_from_system): New.
(cert_cache_init): Load system certificates.
--
Note that this code does not yet allow to load the system certificates
on Windows.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/certcache.c (cert_item_s): Rename 'flags.loaded' to
'flags.config'. Add 'flags.systrust'.
(total_loaded_certificates): Rename to total_config_certificates.
(put_cert): Rename args for clarity. Set SYSTRUST flag.
(load_certs_from_dir): Make sure put_cert does not set the SYSTRUST
flag.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (resolve_name_libdns): Work around an
incompatibility between the glibc resolver and libdns.
Signed-off-by: Werner Koch <wk@gnupg.org>