Error when trying to locate key via WKD

Ingo Klöcker kloecker at
Wed Oct 27 22:54:48 CEST 2021

[Putting this back on the mailing list. Please keep replies on the list.]

On Mittwoch, 27. Oktober 2021 21:20:03 CEST Christoph Klassen wrote:
> On 27.10.21 20:54, Ingo Klöcker wrote:
> > The important part is
> > 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET
> > /.well-known/openpgpkey/
> > istoph-klassen HTTP/1.0\r\n i.e. in the URL that dirmngr requests there is
> > an additional "" between "/openpgp/" and "/hu/" that is missing in
> > your URL.
> That would be the advanced method of WKD (Here's the draft:
> which indeed doesn't work with my mail provider. But when I try the
> direct method (Example from the draft:
> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my
> provider's WKD server. I admit I forgot the parameter in the URL I post.
> But that wasn't the point. My problem is that GnuGP couldn't get the key
> via WKD and I don't understand why because it seems like it should work.

The problem is that the domain exists (or seems to exist) 
although doesn't support the advanced method. The draft you mentioned 

   There are two variants on how to form the request URI: The advanced
   and the direct method.  Implementations MUST first try the advanced
   method.  Only if the required sub-domain does not exist, they SHOULD
   fall back to the direct method.

   The advanced method requires that a sub-domain with the fixed name
   "openpgpkey" is created and queried.

Because the sub-domain exists (or rather, seems to exist), 
gpg first tries the advanced method. This fails. gpg doesn't fall back to the 
direct method as per the spec: "Only if the required sub-domain does not 
exist, they SHOULD fall back to the direct method."

The problem is that redirects any sub-domain to, e.g.
`curl` is also redirected to ``. The 
problem with wildcard sub-domains and WKD has been discussed here or on 
gnupg-devel recently.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Gnupg-users mailing list