Using the "preferred keyserver URL" in GnuPG 1.4

David Shaw dshaw at
Tue Dec 21 23:17:04 CET 2004

On Tue, Dec 21, 2004 at 10:27:59PM +0100, Simon Josefsson wrote:
> David Shaw <dshaw at> writes:
> >> But writing a gpgkeys_dns.c using res_query should not be difficult.
> >> Would you accept it if I wrote it?  Could be a fun Christmas
> >> project...
> >
> > If it is okay with Werner, it is ok with me.  The only thing is that
> > we need a copyright assignment to the FSF.  Keep in mind that you're
> > committing yourself to maintain it on different platforms :) :)
> I think the main concern is that res_query is non-standard, but when
> it is not available, disabling gpgkeys_dns seem like a simple
> solution.  Fortunately there seem to already be code in gpg that have
> the same issue, so much can be reused.

Yes, the SRV code uses res_query.  If you use HAVE_DNS_SRV to detect
whether res_query is available and link with @SRVLIBS@ then you can
safely use res_query anywhere.  If HAVE_DNS_SRV is set, you can rely
on res_query(), dn_expand(), and dn_skipname().

> >> Can gpg use the keyserver infrastructure for revocation checking?
> >
> > Not currently.  Somewhere on the todo list is a change to allow that.
> > It is difficult since there is no way to say "give me this update only
> > if it is revoked" in many keyserver protocols.  It is possible in
> > LDAP, and with CERT of course.
> Perhaps gpg could support it for those keyserver protocols were it is
> easy to support that model.  Could be a nice test of PGP revocation
> certs using CERT.  On the other hand, there are some advantages in
> creating a new DNS type for OpenPGP revocation certs, that is separate
> from CERT.  (Query IN CERT to see why...  The PKIX
> certificate would still overflow the UDP limit.)  However,
> implementing the idea in gpg might be a first step in dispersing
> knowledge about the idea...

I'll make you a deal - if you write the DNS handler to properly handle
a flag passed from gpg to do a revocation-only search, I'll write the
code in gpg to pass that flag when appropriate.  Since a
revocation-only check can also be fulfilled (though slower) by a
regular check, this would be nicely backwards compatible.


More information about the Gnupg-users mailing list