2.0.20 breaks DNS SRV hkp keyserver access via web proxy server

David Shaw dshaw at jabberwocky.com
Tue Jun 11 14:33:15 CEST 2013

On Jun 10, 2013, at 6:33 AM, John Marshall <john.marshall at riverwillow.com.au> wrote:

> The "SNI" changes to gnupg's handling of DNS SRV keyserver records mean
> that a client accessing an hkp keyserver via a web proxy server can no
> longer contact the selected target keyserver.
> In 2.0.19, the target host from the SRV list would be selected and the
> HTTP query would be addressed to that target host domain.  In 2.0.20,
> the target host is selected, its address looked up, a fake record
> constructed comprising the SRV record owner's domain name (not the SRV
> target's domain name) and the query is constructed using the SRV
> record owner's domain as the host part.  Although not following the
> intention of RFC2782, this works fine for a directly-connected client
> because the IP address of the selected target is used.  However, in the
> case of a client behind a web proxy, the fake (SRV RR owner) domain is
> used as the hostname in the query and passed to the web proxy server.
> If the SRV RR owner also has an A or AAAA record, that (rather than
> whatever address was selected by gnupg) will be used by the proxy server
> to contact what may or may not be a keyserver.  If there is no A record
> in the SRV RR owner domain, the proxy server returns an error to gnupg.
> Either way it's broken.

I think I'm following what the problem is here.  Can you confirm something: Are you using the libcurl support in GnuPG, or the built-in HTTP support?

I suspect you are using libcurl, and I can see how you would get exactly the behavior you describe.  Out of curiosity, if you are indeed using libcurl, can you try the built-in HTTP support and see if that works better (i.e. properly) for you?  Just build with "./configure --without-libcurl"
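
The proxy failure described in the quoted report, modelled as an added example (not GnuPG code and not written by either poster): it builds the request a client would send directly and via a forward proxy, then shows which address ends up receiving the query. All host names, addresses and the key ID are constructed, and `use_owner_as_host` is a hypothetical flag standing in for the 2.0.19 versus 2.0.20 behaviour as the report describes it.

```python
from urllib.parse import urlsplit

# Constructed data: documentation-range addresses, not real keyservers.
SRV = {  # SRV owner name -> (selected target, port)
    "keys.example": ("ks1.pool.example", 11371),
    "pool.example": ("ks1.pool.example", 11371),
}
DNS_A = {
    "ks1.pool.example": "192.0.2.10",  # the keyserver the client selected
    "keys.example": "198.51.100.7",    # owner name also has an A record
    # "pool.example" deliberately has no A record
}
PATH = "/pks/lookup?op=get&search=0x0123456789ABCDEF"  # placeholder key ID


def build_request(owner, use_owner_as_host, via_proxy):
    """Return (address the client dials, HTTP request text)."""
    target, port = SRV[owner]
    # Hypothetical flag: True models the 2.0.20 behaviour in the report,
    # False the 2.0.19 behaviour (request addressed to the SRV target).
    name = owner if use_owner_as_host else target
    if via_proxy:
        # Proxy form: absolute URI. The address the client picked is not
        # transmitted; only the host name reaches the proxy.
        return "proxy", f"GET http://{name}:{port}{PATH} HTTP/1.1\r\nHost: {name}:{port}\r\n\r\n"
    # Direct form: the client dials the SRV target's address itself.
    return DNS_A[target], f"GET {PATH} HTTP/1.1\r\nHost: {name}:{port}\r\n\r\n"


def proxy_upstream(request):
    """Model a forward proxy: resolve the host named in the request URI."""
    uri = request.split(" ", 2)[1]
    return DNS_A.get(urlsplit(uri).hostname)  # None = proxy returns an error


def contacted_address(owner, use_owner_as_host, via_proxy):
    """Address that finally receives the keyserver query, or None."""
    peer, request = build_request(owner, use_owner_as_host, via_proxy)
    return proxy_upstream(request) if via_proxy else peer


if __name__ == "__main__":
    for owner in SRV:
        for new in (False, True):
            for proxied in (False, True):
                print(owner, new, proxied, contacted_address(owner, new, proxied))
```

With the owner name in the request, the direct client still reaches 192.0.2.10, while the proxied query goes to whatever the owner name resolves to, or fails when it has no address record.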

