gpg --refresh with large keyrings and hkps in 2.1.1
Guilhem Moulin
guilhem at fripost.org
Wed Apr 22 13:04:05 CEST 2015
On Wed, 22 Apr 2015 at 10:04:04 +0200, Werner Koch wrote:
> On Mon, 20 Apr 2015 14:03, guilhem at fripost.org said:
>> That would be awesome! Please beware DNS leaks, though. Also, do you
>
> DNS leaks are a problem right now. Dirmngr does its own resolving to
> be able to detect and then bypass dead keyservers in the pool. Thus we
> need to find a way to get all A and AAAA records for a given pool name
> as well as to retrieve PTR records for the IP addresses. Any hints on
> how to do that without extra configuration work for the user?
The only thing that comes to my mind ATM would be to add a
‘dns-server=HOST[:PORT]’ option to the dirmngr.conf. IMHO a user
configuring an ‘http-proxy’ wouldn't mind configuring a custom
resolver as well; they could point it to Tor's own resolver (specified
by ‘DNSPort’ in the torrc). Unfortunately it wouldn't be very useful
ATM, as it doesn't seem to handle multiple replies:
$ dig @127.0.0.1 -p 5353 +short pool.sks-keyservers.net
80.90.43.162
I'll file a bug in the Tor tracker to follow up on that. They might
also provide a better way to perform the resolving anonymously.
> It would also be useful to be able to fetch CERT records anonymously.
> However this is a different problem and can be mitigated by other methods
> of key lookup. If we add a --use-tor option it should disable all CERT
> or DANE lookups.
Right. Also, Tor's own resolver only supports A, AAAA and PTR records.
--
Guilhem.
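The resolving problem discussed above, as an added example that is not part of the original thread and not dirmngr's, GnuPG's or Tor's code: a stdlib-only DNS client that sends A, AAAA and PTR queries to an explicitly chosen resolver (the kind of thing a hypothetical 'dns-server=HOST[:PORT]' option would drive), parses the answer section including compressed names, and reports how many records came back. The `build_response` helper and the addresses 10.0.0.1 and 192.0.2.7 are constructed for offline demonstration; 80.90.43.162 and pool.sks-keyservers.net are the ones quoted in the mail.

```python
# Added example (not dirmngr's or Tor's code): a minimal DNS client that
# resolves A, AAAA and PTR records against an explicitly chosen resolver.
import ipaddress
import random
import socket
import struct

TYPE_A, TYPE_PTR, TYPE_AAAA = 1, 12, 28


def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def reverse_name(ip):
    """Name to query for a PTR record, e.g. '162.43.90.80.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_query(name, qtype, txid=None):
    """Standard query with RD set, one question, no EDNS."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (txid, rcode, [(rtype, value), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                               # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == TYPE_PTR:
            value, _ = decode_name(msg, off)   # PTR target may itself be compressed
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((rtype, value))
    return txid, flags & 0x0F, answers


def build_response(txid, qname, qtype, rdatas, ttl=60):
    """Constructed server reply (offline demonstration only). Each answer's
    owner name is a compression pointer (0xC00C) to the question name at 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rdata in rdatas:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return msg


def resolve(name, qtype, server="127.0.0.1", port=53, timeout=3.0):
    """Query one resolver over UDP (e.g. Tor's DNSPort) and return every
    record of the requested type, so the caller sees how many came back.
    Assumes an IPv4 resolver address; no TCP fallback on truncation."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, port))
        data, _ = s.recvfrom(4096)
    rx_txid, rcode, answers = parse_response(data)
    if rx_txid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply?)")
    if rcode != 0:
        raise ValueError(f"resolver returned rcode {rcode}")
    return [value for rtype, value in answers if rtype == qtype]
```

Usage against a live resolver would be `resolve("pool.sks-keyservers.net", TYPE_A, port=5353)` for Tor's DNSPort and `resolve(reverse_name(ip), TYPE_PTR, ...)` for each address returned; comparing the length of the two lists is the check behind the `dig` output above, since a resolver that hands back a single A record hides the rest of the pool from any dead-server detection. The transaction-id check is the minimum a client doing its own resolving needs; it does not replace DNSSEC or the anonymity Tor's resolver provides.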