2.0.20 breaks DNS SRV hkp keyserver access via web proxy server

John Marshall john.marshall at riverwillow.com.au
Wed Jun 19 09:42:51 CEST 2013 

On Sat, 15 Jun 2013, 10:57 -0400, David Shaw wrote:
> On Jun 13, 2013, at 3:18 AM, John Marshall wrote:
> > On Thu, 13 Jun 2013, 00:13 -0400, David Shaw wrote:
> >> I'm not convinced that it makes sense for a client to resolve the SRV, and then pass the resulting hostname to a proxy.  For example, leaving aside SRV, the client does not try and resolve an A record or chase a CNAME, but rather passes the requested resource to the proxy and the proxy does the work translating that to a DNS name, looking up that name, making the connection, etc.  Indeed, the client may not even be able to resolve external DNS at all.
> > 
> > I think you're right.  Here am I complaining about 2.0.20 breaking that
> > functionality and it should never have been there in the first place.
> > So why is the gnupg client doing DNS work for hkp(s) in the presence of
> > a configured HTTP proxy server?
> 
> Bug.  It shouldn't be.
> 
> > Couldn't this work (gnupg doing SRV selection) with a SOCKS5 proxy?  I
> > can't find SOCKS in the man page or in the source code.  Are there any
> > plans for gnupg to support keyserver connection via a SOCKS5 proxy?
> 
> As you discovered, SOCKS5 does work - we get this for free because libcurl supports it.  There is a gotcha with all this proxy stuff, however.  If you're going over something like TOR, you are effectively "leaking" what queries you are doing because GPG will do the keyserver SRV request through the local DNS before sending the actual keyserver query through TOR.
> 
> I wonder if the healthiest thing to do here is to just flip SRV to off if any proxy is provided.  If the user chooses to turn it back on again, that's up to them, but it should default to off.

s/SRV/DNS/  ...but only for the types of proxy where it makes sense, e.g.

 proxy scheme http://     <-- proxy should resolve DNS
 proxy scheme socks5h://  <-- proxy should resolve DNS
 proxy scheme socks5://   <-- client should resolve DNS

  [From curl_easy_setopt(3) - under CURLOPT_PROXY]

  Since 7.21.7, the proxy string may be specified with a protocol://
  prefix to specify alternative proxy protocols.  Use socks4://,
  socks4a://, socks5:// or socks5h:// (the last one to enable socks5
  and asking the proxy to do the resolving, also known as
  CURLPROXY_SOCKS5_HOSTNAME type) to request the specific SOCKS version
  to be used. No protocol specified, http:// and all others will be
  treated as HTTP proxies.

> Comments from people using TOR would be welcome!

-- 
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: </pipermail/attachments/20130619/a3606ee6/attachment.sig>

More information about the Gnupg-devel mailing list