WKD on http2 server

Werner Koch wk at gnupg.org
Mon Sep 30 09:41:42 CEST 2019


Hi!

On Thu, 19 Sep 2019 19:02, Phil Pennock via gnupg-devel at gnupg.org said:

> But if there are bad interactions then it's not as simple as "GnuPG is
> not compatible with nginx servers which enable HTTP/2 support".  Since
> that works for me.

We meanwhile solved the problem (https://dev.gnupg.org/T4708); it is due
to a misconfiguration of the server.  Here is my comment from the
ticket:

  It does not work either. Your problem is the use of a wildcard DNS for
  archlinux32.org:

  $ host foosomething.archlinux32.org
  foosomething.archlinux32.org is an alias for archlinux32.org.
  
  Now dirmngr does an initial DNS lookup for openpgpkey.archlinux32.org
  and the wildcard DNS entry hits. dirmngr knows that the modern
  subdomain lookup is possible and uses this. Because you don't have
  that domain in your cert it fails. The solution to this is given in
  the latest WKD draft:
  
      Sites which do not use the advanced method but employ wildcard DNS
      for their sub-domains MUST make sure that the ~openpgpkey~
      sub-domain is not subject to the wildcarding. This can be done by
      inserting an empty TXT RR for this sub-domain.
  
  Now, why we have different results with HTTP/2 and without is not
  clear to me. It could be a DNS caching issue but it might also be that
  you are not running 2.2.17 but an older version of dirmngr. We changed
  the way of looking up the openpgpkey sub-domain only in 2.2.17 to get
  better error messages.

Given that the OP was indeed using 2.2.17 the problem is very likely
that of a DNS caching issue.  I have changed the ticket to a
documentation issue.
  

Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
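The following is an added example (not dirmngr code and not part of the original mail) that models the behaviour Werner describes: the client checks whether openpgpkey.<domain> resolves, picks the advanced method if it does, and then needs a TLS certificate that covers that sub-domain; a wildcard DNS entry makes the sub-domain resolve even when the site never set it up, and the empty TXT RR from the WKD draft removes the sub-domain from the wildcard. The zone contents, the address 198.51.100.10, the certificate SANs and the mail address are constructed; the resolver is an in-memory stub with RFC 4592 wildcard semantics, not a DNS client.

```python
"""Added example (not GnuPG/dirmngr code): WKD method selection and the
wildcard-DNS failure mode from the ticket.  All zone data, SANs and
addresses below are constructed for illustration."""
import hashlib
import random
import string
from urllib.parse import quote

# z-base-32 alphabet used by WKD to encode the SHA-1 of the local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding; 20 bytes give 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(
        ZBASE32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
        for i in range(0, len(bits), 5)
    )


def wkd_urls(addr: str):
    """Return (advanced_url, direct_url) for a mail address as in the WKD draft."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    well_known = ".well-known/openpgpkey"
    advanced = f"https://openpgpkey.{domain}/{well_known}/{domain}/hu/{hu}?l={quote(local)}"
    direct = f"https://{domain}/{well_known}/hu/{hu}?l={quote(local)}"
    return advanced, direct


# Constructed stub zones: name -> {rrtype: [rdata]}; "*.<zone>" is the wildcard.
ZONE_WILDCARD_ONLY = {
    "archlinux32.org": {"A": ["198.51.100.10"]},
    "*.archlinux32.org": {"A": ["198.51.100.10"]},
}
# Same zone with the draft's fix: an empty TXT RR makes the openpgpkey name
# exist on its own, so the wildcard no longer applies to it.
ZONE_WITH_TXT_FIX = {
    **ZONE_WILDCARD_ONLY,
    "openpgpkey.archlinux32.org": {"TXT": ['""']},
}
# Constructed certificate SANs: apex and www only, nothing for openpgpkey.
CERT_SANS = ["archlinux32.org", "www.archlinux32.org"]


def resolve(zone: dict, name: str, rrtype: str) -> list:
    """Stub lookup with wildcard semantics (RFC 4592): an existing name is
    answered from its own node (possibly NODATA); only a name that does not
    exist at all is synthesised from the wildcard."""
    if name in zone:
        return zone[name].get(rrtype, [])
    parent = name.split(".", 1)[1]
    return zone.get("*." + parent, {}).get(rrtype, [])


def cert_covers(sans: list, host: str) -> bool:
    """Exact SAN match or a one-label wildcard SAN such as *.archlinux32.org."""
    wildcard = "*." + host.split(".", 1)[1]
    return host in sans or wildcard in sans


def wkd_lookup(zone: dict, sans: list, addr: str):
    """Client side: if openpgpkey.<domain> resolves, use the advanced method
    and require a certificate for that host; otherwise use the direct method.
    Returns (method, url, status)."""
    advanced, direct = wkd_urls(addr)
    domain = addr.rsplit("@", 1)[1].lower()
    sub = f"openpgpkey.{domain}"
    if resolve(zone, sub, "A") or resolve(zone, sub, "CNAME"):
        if not cert_covers(sans, sub):
            return "advanced", advanced, f"TLS failure: certificate does not cover {sub}"
        return "advanced", advanced, "ok"
    return "direct", direct, "ok"


def wildcard_captures_openpgpkey(zone: dict, domain: str) -> bool:
    """Server-side check for an admin: a random label and openpgpkey.<domain>
    resolving to the same addresses, with no TXT of its own at openpgpkey,
    means the wildcard is capturing the sub-domain."""
    probe = "".join(random.choices(string.ascii_lowercase, k=12)) + "." + domain
    sub = f"openpgpkey.{domain}"
    probe_a = resolve(zone, probe, "A")
    return bool(probe_a) and probe_a == resolve(zone, sub, "A") and not resolve(zone, sub, "TXT")


if __name__ == "__main__":
    for label, zone in (("wildcard only", ZONE_WILDCARD_ONLY), ("with TXT fix", ZONE_WITH_TXT_FIX)):
        print(label, wkd_lookup(zone, CERT_SANS, "joe.doe@archlinux32.org"))
        print("  wildcard captures openpgpkey:", wildcard_captures_openpgpkey(zone, "archlinux32.org"))
```

In the wildcard-only zone the client ends up on the advanced URL and fails at the TLS handshake because no certificate names openpgpkey.archlinux32.org; with the empty TXT RR present the same address is fetched via the direct URL on the apex host. Against a live zone the equivalent of the admin check is to compare `host` or `dig` output for a made-up label with that for the openpgpkey label, and the fix in zone-file terms is a record of the form `openpgpkey IN TXT ""` next to the wildcard entry.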