dirmngr vs. tor gateways

Werner Koch wk at gnupg.org
Wed Feb 28 20:56:16 CET 2018


On Wed, 28 Feb 2018 16:34, o at immerda.ch said:

> I don't think that such a resolver exists for tor at the moment. The
> ticket seems to still be open [0].

Well, dirmngr implements such a resolver for its own use.  For years I tried
to get a similar thing into ADNS but that was rejected by its
maintainer.  If really needed we could add a public interface to
dirmngr's internal resolver.

> ok, I guess I don't see the full picture. But it does work with gpg 1.x,
> so it should be possible to at least have some fallback mechanism.

It works using a couple of tricks.  The keyserver helpers of GnuPG-1
have major drawbacks: for example, they entirely rely on the system
resolver and have no means to detect a non-working keyserver, and thus as
soon as a keyserver does not respond you need to wait until its TTL runs
out so that another keyserver from the pool can be tried.  In contrast,
dirmngr keeps state and does not rely on any upstream round-robin AAAA
resource record distribution.


Salam-Shalom,

   Werner


-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.