WKD on http2 server
Werner Koch
wk at gnupg.org
Mon Sep 30 09:41:42 CEST 2019
Hi!
On Thu, 19 Sep 2019 19:02, Phil Pennock via gnupg-devel at gnupg.org said:
> But if there are bad interactions then it's not as simple as "GnuPG is
> not compatible with nginx servers which enable HTTP/2 support". Since
> that works for me.
We meanwhile solved the problem (https://dev.gnupg.org/T4708); it is due
to a misconfiguration of the server. Here is my comment from the
ticket:
It does not work either. Your problem is the use of a wildcard DNS for
archlinux32.org:
$ host foosomething.archlinux32.org
foosomething.archlinux32.org is an alias for archlinux32.org.
Now dirmngr does an initial DNS lookup for openpgpkey.archlinux32.org
and the wildcard DNS entry hits. dirmngr knows that the modern
subdomain lookup is possible and uses this. Because you don't have
that domain in your cert it fails. The solution to this is given in
the latest WKD draft:
Sites which do not use the advanced method but employ wildcard DNS
for their sub-domains MUST make sure that the ~openpgpkey~
sub-domain is not subject to the wildcarding. This can be done by
inserting an empty TXT RR for this sub-domain.
Now, why we have different results with HTTP/2 and without is not
clear to me. It could be a DNS caching issue but it might also be that
you are not running 2.2.17 but an older version of dirmngr. We changed
the way of looking up the openpgpkey sub-domain only in 2.2.17 to get
better error messages.
Given that the OP was indeed using 2.2.17 the problem is very likely
that of a DNS caching issue. I have changed the ticket to a
documentation issue.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
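The following is an added illustration, not code from this thread or from GnuPG/dirmngr: a small Python model of the method selection Werner describes (advanced method if openpgpkey.<domain> resolves, direct method otherwise) together with a defender-side check for the wildcard-DNS misconfiguration and the empty-TXT-RR fix from the draft. The zone contents, the example.org domain, the 192.0.2.10 address and the simplified wildcard resolver are constructed assumptions; the WKD hash (z-base-32 of SHA-1 over the lowercased local part) and URL layouts follow the WKD draft.

```python
import hashlib
import secrets
from typing import Callable, Dict, List

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zb32_encode(data: bytes) -> str:
    """z-base-32: RFC 4648 base32 bit layout, no padding, z-base-32 alphabet."""
    bits, nbits = int.from_bytes(data, "big"), len(data) * 8
    pad = (-nbits) % 5
    bits, nbits = bits << pad, nbits + pad
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))

def wkd_hash(local_part: str) -> str:
    """WKD 'hu' path component: z-base-32 of SHA-1 over the lowercased local part."""
    return zb32_encode(hashlib.sha1(local_part.lower().encode()).digest())

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> RDATA strings

def wkd_url(addr: str, resolve: Resolver) -> tuple:
    """Pick the method the way the mail describes dirmngr doing it:
    if openpgpkey.<domain> resolves, advanced method; otherwise direct method."""
    local, domain = addr.rsplit("@", 1)
    domain, sub = domain.lower(), f"openpgpkey.{domain.lower()}"
    if resolve(sub, "A") or resolve(sub, "AAAA"):
        return "advanced", f"https://{sub}/.well-known/openpgpkey/{domain}/hu/{wkd_hash(local)}?l={local}"
    return "direct", f"https://{domain}/.well-known/openpgpkey/hu/{wkd_hash(local)}?l={local}"

def wildcard_hits_openpgpkey(domain: str, resolve: Resolver) -> bool:
    """Defender check: a random label resolving to the same target as
    openpgpkey.<domain>, while that name has no records of its own, means a
    wildcard is making dirmngr choose the advanced method by accident."""
    probe, sub = f"wkd-probe-{secrets.token_hex(4)}.{domain}", f"openpgpkey.{domain}"
    same = resolve(probe, "A") and resolve(probe, "A") == resolve(sub, "A")
    return bool(same) and not resolve(sub, "TXT")

def make_resolver(zone: Dict[str, Dict[str, List[str]]]) -> Resolver:
    """Constructed stand-in for DNS with RFC 1034 wildcard semantics: a wildcard
    only synthesises answers for names that do not exist in the zone at all,
    which is why an empty TXT RR at openpgpkey.<domain> defeats it."""
    def resolve(name: str, rrtype: str) -> List[str]:
        if name in zone:                      # name exists: NODATA if type missing
            return zone[name].get(rrtype, [])
        return zone.get("*." + name.split(".", 1)[1], {}).get(rrtype, [])
    return resolve

# Constructed zones (assumed addresses): wildcard without and with the fix.
BROKEN = {"example.org": {"A": ["192.0.2.10"]}, "*.example.org": {"A": ["192.0.2.10"]}}
FIXED = {**BROKEN, "openpgpkey.example.org": {"TXT": [""]}}  # empty TXT RR per the draft
```

With BROKEN, `wkd_url` picks the advanced method and the TLS certificate would need to cover openpgpkey.example.org; with FIXED the lookup gets NODATA and dirmngr falls back to the direct method.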