2.0.20 breaks DNS SRV hkp keyserver access via web proxy server

John Marshall john.marshall at riverwillow.com.au
Thu Jun 13 09:18:50 CEST 2013

On Thu, 13 Jun 2013, 00:13 -0400, David Shaw wrote:

> I'm not convinced that it makes sense for a client to resolve the SRV, and then pass the resulting hostname to a proxy.  For example, leaving aside SRV, the client does not try and resolve an A record or chase a CNAME, but rather passes the requested resource to the proxy and the proxy does the work translating that to a DNS name, looking up that name, making the connection, etc.  Indeed, the client may not even be able to resolve external DNS at all.

I think you're right.  Here am I complaining about 2.0.20 breaking that
functionality and it should never have been there in the first place.
So why is the gnupg client doing DNS work for hkp(s) in the presence of
a configured HTTP proxy server?

> It's true this worked in a previous version of GnuPG, but this was due to an incorrect implementation in GPG and the way your DNS and proxy is set up.  It was basically doing part of the DNS work in the client, and then passing the intermediate result to the proxy to do the rest, sort of like a DNS-level redirect, which as you point out does not follow the intent of RFC2782.

Well, the way we were using it worked because 2.0.19 did the SRV
processing, selected a keyserver, and passed the SELECTED keyserver's
domain name to the proxy for connection.  It broke in 2.0.20 because
gnupg no longer passes the SELECTED keyserver's domain name to the proxy
server.  I understand, from Phil's response, the reasons for the change.
It seems to me that my problem arose from me failing to realize that
gnupg, in this configuration, is an HTTP proxy client and, as such,
should not be doing any DNS resolution (SRV or otherwise) at all.  I was
capitalizing on the fact that it did!

> One thing you might do is "keyserver-options no-try-dns-srv", but even that won't really help with names like "au.gnupg.net".  A SRV-only keyserver name isn't going to work properly with a proxy.

If there was a --no-try-dns-at-all-with-http-proxy option, that would be
the one to use - but then, perhaps gnupg should do that all by itself -
and, yes, using domain names which point to anything other than address
records is the wrong thing to do when using an HTTP proxy.  I think I've
learned that lesson.


Couldn't this work (gnupg doing SRV selection) with a SOCKS5 proxy?  I
can't find SOCKS in the man page or in the source code.  Are there any
plans for gnupg to support keyserver connection via a SOCKS5 proxy?

John Marshall
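The rule the thread settles on, as an added example that is not GnuPG code and not part of the original post: an HKP client with an HTTP proxy configured does no DNS work and hands the configured keyserver name to the proxy unchanged, while a client without a proxy performs the RFC 2782 SRV selection itself (lowest priority value, then weighted random choice within that priority). A third function reproduces the mixed behaviour the thread attributes to 2.0.19, SRV selection in the client followed by the selected target being given to the proxy, to show that it only works when the client can resolve external DNS. The SRV records, host names, proxy address and key ID are constructed for the example; /pks/lookup and port 11371 are the standard HKP path and port.

```python
"""Added example, not GnuPG code: where an HKP client's DNS work belongs.

With an HTTP proxy configured the client is a proxy client and must resolve
nothing (SRV or otherwise); the proxy gets the configured name.  Without a
proxy the client does the RFC 2782 SRV selection itself.  All names, records
and the proxy address below are constructed for this example.
"""
import random
from typing import Callable, List, NamedTuple, Optional, Tuple

HKP_PORT = 11371                                    # standard HKP port
HKP_PATH = "/pks/lookup?op=get&search=0x1234ABCD"   # constructed key ID


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for _hkp._tcp.keys.example: two hosts at the preferred
# priority sharing load 3:1, plus a backup used only if both are unreachable.
SRV_ANSWER = {
    "keys.example": [
        SrvRecord(10, 30, HKP_PORT, "a.keys.example"),
        SrvRecord(10, 10, HKP_PORT, "b.keys.example"),
        SrvRecord(20, 0, HKP_PORT, "backup.keys.example"),
    ],
}


def lookup_srv_constructed(name: str) -> List[SrvRecord]:
    """Stand-in for a real _hkp._tcp SRV query, answered from SRV_ANSWER."""
    return list(SRV_ANSWER.get(name, []))


def no_external_dns(name: str) -> List[SrvRecord]:
    """Models a host behind a proxy that cannot resolve external names at all."""
    raise RuntimeError("no external DNS available for %s" % name)


class FixedRng:
    """Deterministic stand-in for random: always returns `value`, clamped."""
    def __init__(self, value: int):
        self.value = value

    def randint(self, lo: int, hi: int) -> int:
        return max(lo, min(hi, self.value))


def select_srv(records: List[SrvRecord], rng=random) -> Optional[SrvRecord]:
    """RFC 2782 target selection for a single connection attempt.

    Lowest priority value wins.  Within that priority, weight-0 records are
    placed first, a number in [0, sum of weights] is drawn, and the first
    record whose running sum reaches it is chosen, so weight 30 is picked
    three times as often as weight 10.
    """
    if not records:
        return None
    best = min(r.priority for r in records)
    candidates = sorted((r for r in records if r.priority == best),
                        key=lambda r: r.weight)      # weight 0 goes first
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng.randint(0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if running >= pick:
            return r
    return candidates[-1]


Plan = Tuple[str, int, str]   # (host to connect to, port, request target)


def plan_request(keyserver: str,
                 http_proxy: Optional[Tuple[str, int]] = None,
                 srv_lookup: Callable[[str], List[SrvRecord]] = lookup_srv_constructed,
                 rng=random) -> Plan:
    """Proxy-client rule: if a proxy is configured, resolve nothing at all."""
    if http_proxy is not None:
        host, port = http_proxy
        # Absolute URL carrying the *configured* name; the proxy resolves it.
        return host, port, "http://%s:%d%s" % (keyserver, HKP_PORT, HKP_PATH)
    chosen = select_srv(srv_lookup(keyserver), rng)
    if chosen is None:
        return keyserver, HKP_PORT, HKP_PATH      # no SRV: connect by A record
    return chosen.target, chosen.port, HKP_PATH


def plan_request_mixed(keyserver: str, http_proxy: Tuple[str, int],
                       srv_lookup: Callable[[str], List[SrvRecord]] = lookup_srv_constructed,
                       rng=random) -> Plan:
    """The 2.0.19 behaviour the thread describes: SRV resolved in the client,
    then the *selected* target handed to the proxy.  Needs external DNS."""
    chosen = select_srv(srv_lookup(keyserver), rng)
    target = chosen.target if chosen else keyserver
    port = chosen.port if chosen else HKP_PORT
    host, proxy_port = http_proxy
    return host, proxy_port, "http://%s:%d%s" % (target, port, HKP_PATH)
```

Note that `plan_request` with a proxy never calls `srv_lookup`, so it works even when the lookup would fail, whereas `plan_request_mixed` fails in exactly the environment the thread describes (a client that can only reach the proxy).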