Pkg_add, syspatch and fw_update "no address associated with name" after upgrade to 7.0

Syst3m-F41lur3 · March 12, 2025, 12:44pm

Hi, this is my first post on reddit. I have been using OpenBSD for about a year, and for the first time I am stuck by a problem.

I just upgraded a small VPS running OpenBSD from 6.9 to 7.0. Upgrade process went well until I ran pkg_add -u:

# pkg_add -u                                                                                                                                                                                           
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/: ftp: cdn.openbsd.org: no address associated with name
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: ftp: cdn.openbsd.org: no address associated with name
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: empty
Couldn't find updates for ...

syspatch and fw_update fail with the same error message:

# syspatch                                                                                                                                                                                             
syspatch: cdn.openbsd.org: no address associated with name
# fw_update                                                                                                                                                                                            
http://firmware.openbsd.org/firmware/7.0/: ftp: firmware.openbsd.org: no address associated with name
http://firmware.openbsd.org/firmware/7.0/: empty
Couldn't find updates for intel-firmware-20210608v0

Looks like an obvious DNS resolution issue, but I can resolve domain names with host or dig:

# host cdn.openbsd.org
cdn.openbsd.org is an alias for dualstack.osff.map.fastly.net.
dualstack.osff.map.fastly.net has address 151.101.114.217
dualstack.osff.map.fastly.net has IPv6 address 2a04:4e42:3::729
# dig +short firmware.openbsd.org
145.238.169.11
94.142.244.34
217.197.80.132
94.142.241.170
209.58.5.75

Running ftp manually, I can access https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/ without any problem. The following command is working as expected:

# ftp -o - https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/ | less

In fact, everything seems to work perfectly, except pkg_add, syspatch, fw_update and some others like ping. As another example, curl is working, not ping:

$ curl openbsd.org
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>301 Moved Permanently</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
u/media (prefers-color-scheme: dark) {
body { background-color: #1E1F21; color: #EEEFF1; }
a { color: #BAD7FF; }
}
--></style>
</head>
<body>
<h1>301 Moved Permanently</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
$ ping openbsd.org
ping: no address associated with name

My two network interfaces get an IP by DHCP and DHCPv6, and I’m using unbound as a local DNS resolver. After the upgrade to 7.0, resolvd was started at boot and prepended my ISP’s DNS servers to /etc/resolv.conf (before 127.0.0.1). I stopped and disabled resolvd, but the problem persists no matter if resolvd is running or not: some programs can resolve domain names while others cannot.

I would be grateful for your help.

EDIT1: This VPS serves in particular as a wireguard VPN. Remote endpoints can connect and resolve domain names using the VPS’ unbound just as usual.

EDIT2: Running resolvd manually (without rcctl), then killing it, seems to work:

# resolvd -dv
resolvd: rebuilding: route proposals
^C

After that I can use syspatch, pkg_add -u and ping normally! resolvd changes /etc/resolv.conf, which I don’t want, but I can edit this file afterwards to use my local resolver. It don’t understand what happened, and I don’t know yet if I’ll have to run resolvd again after the next reboot, but for now my machine is up to date and I’m happy with it.

brynet · March 12, 2025, 12:44pm

Are you by chance filtering network access in pf.conf(5) for regular users? pkg_add drops to an unprivileged user (_pkgfetch) to run ftp(1).

rjcz · March 12, 2025, 12:44pm

My two network interfaces get an IP by DHCP and DHCPv6, and I’m using unbound as a local DNS resolver.

Have you tried without unbound(8) in the mix? What happens then?

/u/brynet already mentioned pf(4) but it would also be good to see your rc.conf.local(5) as well as hostname.if(5).

rjcz · March 12, 2025, 12:44pm

As another example, curl is working, not ping:

Sorry, I missed that earlier - again, as per what /u/brynet had mentioned, this looks very much user-related as ping(8) is SUID root and and also drops its privileges - here to user _ping.

alvmangi · March 12, 2025, 12:44pm

I have had the same issue after I changed the default umask value on /etc/login.conf to 027. After that change (btw, this was advised by Lynis, a tool for hardening your system) I was not able to run as root any of these commands:- syspatch- pkg_add- pkg_info

I didn’t try other commands. Interesting thing was that pkg_info -Q was working fine as a normal user.

Once I’ve switched back the umask value to 022 then everything starts working again as usual.

I am running OpenBSD 7.4, btw.

Syst3m-F41lur3 · March 12, 2025, 12:44pm

Thank you for your answer, but no, I don’t filter by user. I even tried a very minimal pf config, using /etc/examples/pf.conf, but the problem is still there :

# pfctl -sr
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
# pkg_add -u
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/: ftp: cdn.openbsd.org: no address associated with name
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: ftp: cdn.openbsd.org: no address associated with name
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: empty
Couldn't find updates for ...

DHCP provides two DNS servers, I can ping their IP address and query them directly with dig. unbound is running and can also resolve domain names.

Syst3m-F41lur3 · March 12, 2025, 12:44pm

Have you tried without unbound(8) in the mix? What happens then?

Yes I tried, but it doesn’t change anything:

# rcctl stop unbound
unbound(ok)
# ping google.com
ping: no address associated with name
# rcctl enable resolvd
# rcctl start resolvd
resolvd(ok)
# ping google.com
ping: no address associated with name

it would also be good to see your rc.conf.local(5)

This is my current rc.conf.local (unbound is enabled) :

# cat /etc/rc.conf.local
pkg_scripts=dhcpcd
slaacd_flags=NO
sndiod_flags=NO
unbound_flags=

as well as hostname.if(5)

I get IPv4 connectivity via vio0, and IPv6 via vio2 (this is how my hosting provider works):

# cat /etc/hostname.vio0
inet autoconf
# cat /etc/hostname.vio2
inet6 autoconf

IPv6 on vio2 is not configured by slaac, I have to use dhcpcd:

# cat /etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier

script ""

allowinterfaces vio2
denyinterfaces vio0 vio1
interface vio2
  ipv6rs
  ia_na 1

Syst3m-F41lur3 · March 12, 2025, 12:44pm

That’s an interesting path to follow. Do you have any idea what could prevent unprivileged users from resolving domain names?

MinimalistWolf · March 12, 2025, 12:44pm

I just hit this same issue after attempting to apply some lynis recommendations as well. Will need to see if there is a work around to update the umask to match what lynis recommends but upon changing the umask back in login.conf and rebooting the ability to use syspatch and pkg_add was restored.

I don’t have the mental capacity to troubleshoot the cause at the moment so I’m taking your solution for now and updating this thread with a confirmation that this is indeed the problem and the fix.