keyserver.ubuntu.com has no IPv6 connectivity

Asked by dnmvisser

Was about to install a custom package on my IPv6 only Lucid system.
This involved adding a new key to apt, but that failed:

    root@testdev:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7C1A977926535DB3
    Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 7C1A977926535DB3
    gpg: requesting key 26535DB3 from hkp server keyserver.ubuntu.com
    gpgkeys: HTTP fetch error 7: Failed to connect to 91.189.89.49: Network is unreachable
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

I guess this host sits in the same network as ntp.ubuntu.com, which also lacks IPv6 support.
Any idea when these important boxes will get IPv6 connectivity?

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee

Laura Czajkowski (czajkowski) said:
#1

At present there isn't support for IPv6, but we are looking to change this in the future.

Ryan Rawdon (flieslikeabrick) said:
#2

Hello,

IPv6 has now been added to other official Canonical resources including archive.ubuntu.com and security.ubuntu.com, amongst other repositories, since the last time this question was updated.

It appears that these are hosted on or very close to the same network as the key server -- can this be raised for some discussion? Ubuntu/Canonical made great progress on v6 in the last 18 months; it would be great to carry some momentum from it.

The keyserver is something which is not mirrored (or mirrorable, to my knowledge/understanding) and can block some administration tasks on IPv6-only machines/clusters/environments. It would be great to see this kind of critical infrastructure gain IPv6 connectivity.

William Grant (wgrant) said:
#3

keyserver.ubuntu.com is actually just a part of the replicated sks-keyservers.net network. pool.sks-keyservers.net has AAAAs.

Wido den Hollander (wido) said:
#4

I would really like to see IPv6 support for the keyserver.

We are deploying multiple IPv6 only servers which require keys from the Ubuntu keyserver.

Could you please add the AAAA-record?

William Grant (wgrant) said:
#5

An AAAA will be added to keyserver.ubuntu.com eventually, but it's not currently top priority because IPv6-only hosts can easily use pool.sks-keyservers.net in its place, and that has AAAAs.

Johan Jatko (armedguy) said:
#6

Will this be revisited? It is 2019 now and keyserver still doesn't have AAAA. The suggestion of using pool.sks-keyservers.net doesn't seem to work for all ppa packages.

Colin Watson (cjwatson) said:
#7

I've added it to our internal tracking card for LP IPv6 support.

Alexander Lazarev (gummeah) said:
#8

Any news? pool.sks-keyservers.net is dead now.

Dolf Schimmel (Freeaqingme) (freeaqingme) said:
#9

I second this request. On the sks-keyservers page I see: "Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all."

As a result, IPv6-only hosts are no longer able to access the Ubuntu keyserver(s).

Angelo Hongens (ahongens) said:
#10

I was recently setting up some IPv6-only hosts on public clouds as well, and this issue is biting me as well. We're seeing more and more IPv6-only hosts, and having critical infrastructure such as GPG key servers not being available is really a big thing.

Christian Kuhn (lolli42) said:
#11

I hope it's ok to ping on this issue again, hoping this is finally pushed forward.

This is a blocker for the increasing number of IPv6-only machines out there, when you don't want to work around using proxy foo.

Feels awkward by now. I'm really trying not to ask myself questions about the status of the Ubuntu infrastructure when such a security-related system cannot be updated from legacy-IP-only within a 10-year time frame.

Is there any other alternative like an official mirror that supports non-legacy IP? If so, where is this documented? Is there some FAQ for IPv6-only clients that I missed or something like that? What else could be done except using a proxy or copy & pasting PPA GPG key stuff around?

Colin Watson (cjwatson) said:
#12

So the thing is that Launchpad is only a client of the Ubuntu keyserver; we don't actually run it. As such, tickets such as this one have generally taken second place behind things that we can actually do something about ourselves. For a long time this was blocked for some internal infrastructural reasons, but those have now been resolved and so it looks like it should be possible now.

I've opened https://portal.admin.canonical.com/C155855 for this. That's in our sysadmins' internal ticketing system, so I'm afraid that only Canonical staff can see it, but I'll try to remember to relay updates as appropriate. However, as I say, it's not actually our service so I don't have direct leverage to make it go faster.

Colin Watson (cjwatson) said:
#13

keyserver.ubuntu.com supports IPv6 now, thanks to our sysadmins.

Meg Gruberman (mgruberman) said:
#14

Our IPv4-only automation has started failing ~50% of the time in apt-key when dirmngr started receiving IPv6 addresses from keyserver.ubuntu.com. When debugged, we've noticed that it fails with:

    connect(7, {sa_family=AF_INET6, sin6_port=htons(11371), inet_pton(AF_INET6, "2620:2d:4000:1007::d43", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address)

The above address is one of the two IPv6 addresses associated with the keyserver:

    $ host keyserver.ubuntu.com
    keyserver.ubuntu.com has address 185.125.188.26
    keyserver.ubuntu.com has address 185.125.188.27
    keyserver.ubuntu.com has IPv6 address 2620:2d:4000:1007::d43
    keyserver.ubuntu.com has IPv6 address 2620:2d:4000:1007::70c

Is there an address that does not return any IPv6?
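
The following is an added example, not part of the original post or of any Canonical tooling: it parses the `host` output quoted above and checks, per address, whether the local kernel can select a route and source address for it, which is the condition behind both the `Network is unreachable` and `EADDRNOTAVAIL` errors in this thread. The function names are hypothetical; the UDP `connect()` probe sends no packets.

```python
import ipaddress
import socket

# Output of `host keyserver.ubuntu.com` as quoted in post #14 on this page.
HOST_OUTPUT = """\
keyserver.ubuntu.com has address 185.125.188.26
keyserver.ubuntu.com has address 185.125.188.27
keyserver.ubuntu.com has IPv6 address 2620:2d:4000:1007::d43
keyserver.ubuntu.com has IPv6 address 2620:2d:4000:1007::70c
"""

HKP_PORT = 11371  # port seen in the connect() call quoted in post #14


def parse_host_output(text):
    """Return the IP addresses listed in `host` output, in order."""
    addrs = []
    for line in text.splitlines():
        fields = line.split()
        try:
            addrs.append(ipaddress.ip_address(fields[-1] if fields else ""))
        except ValueError:
            continue  # not an address line (e.g. "mail is handled by ...")
    return addrs


def has_route(addr, port=HKP_PORT):
    """True if the kernel can pick a route and source address for addr.

    connect() on a UDP socket only performs the route lookup; it fails
    (ENETUNREACH, EADDRNOTAVAIL, ...) when the host cannot use that family.
    """
    family = socket.AF_INET6 if addr.version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((str(addr), port))
        return True
    except OSError:
        return False


def split_by_reachability(addrs, probe=has_route):
    """Partition addresses into (usable, unusable) for this host."""
    usable = [a for a in addrs if probe(a)]
    unusable = [a for a in addrs if a not in usable]
    return usable, unusable


if __name__ == "__main__":
    ok, bad = split_by_reachability(parse_host_output(HOST_OUTPUT))
    print("usable:  ", [str(a) for a in ok])
    print("unusable:", [str(a) for a in bad])
```

On a single-stack host, two of the four published addresses land in the unusable list, so any client that tries one of them without falling back to the other family will fail.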

Guruprasad (lgp171188) said:
#15

Hi Meg, since your issue is not related to Launchpad itself, can you send this question to rt at ubuntu.com?
