gpg --refresh with large keyrings and hkps in 2.1.1

Guilhem Moulin guilhem at fripost.org
Wed Apr 22 13:04:05 CEST 2015


On Wed, 22 Apr 2015 at 10:04:04 +0200, Werner Koch wrote:
> On Mon, 20 Apr 2015 14:03, guilhem at fripost.org said:
>> That would be awesome!  Please beware DNS leaks, though.  Also, do you
> 
> DNS leaks are a problem right now.  Dirmngr does its own resolving to
> be able to detect and then bypass dead keyservers in the pool.  Thus we
> need to find a way to get all A and AAAA records for a given pool name
> as well as to retrieve PTR records for the IP addresses.  Any hints on
> how to do that without extra configuration work for the user?

The only thing that comes to my mind ATM would be to add a
‘dns-server=HOST[:PORT]’ option to the dirmngr.conf.  IMHO a user
configuring an ‘http-proxy’ wouldn't mind configuring a custom
resolver as well; they could point it to Tor's own resolver (specified
by ‘DNSPort’ in the torrc).  Unfortunately it wouldn't be very useful
ATM, as it doesn't seem to handle multiple replies:

    $ dig @127.0.0.1 -p 5353 +short pool.sks-keyservers.net
    80.90.43.162

I'll file a bug in the Tor tracker to follow up on that.  They might
also provide a better way to perform the resolving anonymously.

> It would also be useful to be able to fetch CERT records anonymously.
> However this is a different problem and can be mitigated by other methods
> of key lookup.  If we add a --use-tor option it should disable all CERT
> or DANE lookups.

Right.  Also, Tor's own resolver only supports A, AAAA and PTR records.

-- 
Guilhem.
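The check behind the ‘dig’ output above (does a resolver hand back every A/AAAA record of the pool, or only one?) as an added, stand-alone example; it is not code from this thread, from GnuPG or from dirmngr.  It builds and parses raw DNS messages so it can be pointed at any resolver, e.g. Tor's DNSPort on 127.0.0.1:5353 as in the mail, and also run offline against constructed replies.  Assumptions: 80.90.43.162 is the one address shown in the mail, the other three pool addresses are RFC 5737 documentation addresses, and the PTR target ‘keyserver.example’ is made up for the sample.

```python
"""How many A/AAAA answers does a resolver return for a keyserver pool name?

Added example (not GnuPG/dirmngr code): a minimal DNS wire-format builder and
parser, usable against a live resolver or against constructed replies.
"""
import socket
import struct

TYPE_A, TYPE_PTR, TYPE_AAAA = 1, 12, 28


def encode_name(name):
    """Encode "a.b.c" as DNS labels: \\x01a\\x01b\\x01c\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address (what a PTR lookup asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD=1, one question) + QNAME / QTYPE / QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(query, rrs):
    """Constructed reply to `query`: question echoed, then one RR per
    (type, rdata) pair, owner name compressed to 0xC00C (offset 12)."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(rrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
        for rtype, rdata in rrs)
    return header + query[12:] + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg):
    """Return [(owner, type_name, value)] for the A, AAAA and PTR answer RRs."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                   # skip the question section
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, rstart = msg[off:off + rdlen], off
        off += rdlen
        if rtype == TYPE_A:
            out.append((owner, "A", socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == TYPE_AAAA:
            out.append((owner, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        elif rtype == TYPE_PTR:
            out.append((owner, "PTR", read_name(msg, rstart)[0]))
    return out


def addresses(reply):
    """Only the A/AAAA values: the set a client needs to pick a live pool host."""
    return [v for _owner, t, v in parse_answers(reply) if t in ("A", "AAAA")]


def query_resolver(name, qtype, server="127.0.0.1", port=5353, timeout=3.0):
    """Send one UDP query to server:port (default: Tor DNSPort as in the mail)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_answers(reply)


def a_record(ip):
    return (TYPE_A, socket.inet_pton(socket.AF_INET, ip))


# Constructed sample replies (not captured traffic). 80.90.43.162 is the
# address shown in the mail; the other three are RFC 5737 documentation
# addresses standing in for further pool members.
POOL = "pool.sks-keyservers.net"
POOL_IPS = ["80.90.43.162", "192.0.2.10", "198.51.100.7", "203.0.113.33"]
FULL_REPLY = build_response(build_query(POOL, TYPE_A), [a_record(ip) for ip in POOL_IPS])
SINGLE_REPLY = build_response(build_query(POOL, TYPE_A), [a_record(POOL_IPS[0])])
PTR_REPLY = build_response(build_query(reverse_name(POOL_IPS[0]), TYPE_PTR),
                           [(TYPE_PTR, encode_name("keyserver.example"))])

if __name__ == "__main__":
    print("full resolver :", addresses(FULL_REPLY))
    print("single-answer :", addresses(SINGLE_REPLY))
    print("PTR           :", parse_answers(PTR_REPLY))
    # live check, e.g. against Tor's DNSPort:
    # print(query_resolver(POOL, TYPE_A, "127.0.0.1", 5353))
```

Run as is, it contrasts a full reply (four addresses) with the single-answer behaviour quoted above; uncomment the last line to send the same query to a real resolver.  Note that the live path talks to the resolver directly over UDP, so if the goal is not to leak the lookup, point it only at a resolver you trust (such as Tor's own).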