dirmngr logging confusion when trying to connect to a local keyserver (more reverse DNS?)

Peter Lebbing peter at digitalbrains.com
Mon Nov 13 16:33:55 CET 2017


On 13/11/17 15:17, Werner Koch wrote:
> So that we can return and store the hostname with a key.

Isn't it better to use the hostname used for the forward lookup rather
than the reverse lookup? The forward lookup is what the user or the
preferred-keyserver or whatnot requested, the reverse lookup is not. It
could even be:

mykeyserver.example A 10.11.12.13
13.12.11.10.in-addr.arpa PTR host-42.sharedhosting.example

The "mykeyserver.example" is much more informative than the name of the
shared machine. Another variation is where the operator for the
keyserver does have their own IP, but runs multiple services on that one
IP. They could have A records saying "keyserver.mydomain.example" and
"mail.mydomain.example", but configure their PTR to say
"mail.mydomain.example". That's not a pretty name for a keyserver.

Even worse with IPv6, by the way. My provider (XS4ALL) provides native
IPv6 to their customers; you get a /48 block. When this was still an
experimental feature, you got reverse lookup. But now that it is a
normal feature, they no longer do that. They claim that there is
discussion in the community whether reverse lookup in IPv6 has
advantages that outweigh the costs, and as long as this discussion isn't
settled, they aren't going to invest in the infrastructure needed to let
every customer configure their NS records for their reverse zone. So I
don't have any reverse DNS for my IPv6 address space.

(Off-topic: since many mail servers decline mail from hosts without a
PTR record for anti-spam reasons, I think you can't reliably run a mail
server delivering over IPv6 with such an arrangement.)

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
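An added example (not code from this thread or from GnuPG) that walks the three cases Peter describes: a PTR that names the shared host, a PTR that names a different service on the same address, and an IPv6 address with no PTR at all. DNS is simulated with constructed record tables so it runs offline; the hostnames and addresses other than those quoted in the message are made up.

```python
"""Which name should a client record for a keyserver: the name it asked
for (forward lookup) or the PTR name (reverse lookup)?  The PTR is only
checked for consistency (forward-confirmed reverse DNS); the requested
name is what gets stored.  All DNS data below is constructed."""
import ipaddress

# Constructed A/AAAA records: hostname -> addresses.
FORWARD = {
    "mykeyserver.example": ["10.11.12.13"],        # from the message
    "host-42.sharedhosting.example": ["10.11.12.13"],
    "keyserver.mydomain.example": ["192.0.2.7"],   # from the message
    "mail.mydomain.example": ["192.0.2.7"],
    "keys6.example": ["2001:db8:1::25"],           # hypothetical IPv6 host
    "stale.example": ["198.51.100.9"],             # hypothetical
}

# Constructed PTR records, keyed by the in-addr.arpa / ip6.arpa name.
REVERSE = {
    ipaddress.ip_address("10.11.12.13").reverse_pointer: "host-42.sharedhosting.example",
    ipaddress.ip_address("192.0.2.7").reverse_pointer: "mail.mydomain.example",
    ipaddress.ip_address("198.51.100.9").reverse_pointer: "old-name.example",
    # 2001:db8:1::25 deliberately has no PTR: the IPv6 case in the message.
}


def forward_lookup(name):
    return FORWARD.get(name, [])


def reverse_lookup(addr):
    return REVERSE.get(ipaddress.ip_address(addr).reverse_pointer)


def fcrdns_consistent(addr):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to addr."""
    ptr = reverse_lookup(addr)
    return ptr is not None and addr in forward_lookup(ptr)


def name_to_store(requested):
    """Return (name, reason): keep the requested name, report how the PTR relates."""
    addrs = forward_lookup(requested)
    if not addrs:
        raise LookupError(f"{requested}: no address record")
    addr, ptr = addrs[0], reverse_lookup(addrs[0])
    if ptr is None:
        reason = "no PTR (e.g. IPv6 space without reverse delegation)"
    elif ptr == requested:
        reason = "PTR agrees with requested name"
    elif fcrdns_consistent(addr):
        reason = f"PTR names another host/service on the same address: {ptr}"
    else:
        reason = f"PTR {ptr} does not resolve back to {addr}; ignore it"
    return requested, reason
```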
