WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)

Andrew Gallagher andrewg at andrewg.com
Thu Oct 28 13:59:39 CEST 2021

On 28/10/2021 12:25, Bernhard Reiter wrote:
> On Thursday 28 October 2021 12:07:52, Andrew Gallagher via
> Gnupg-users wrote:
>> The megathread from hell starts here :-)
>> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html
> That is not gnupg-_devel_ (where I was searching). :)

To be fair to Ingo, he did say "here OR on gnupg-devel" :-)

> Interesting to me is:
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
> Ingo explaining that it is considered a security drawback if a domain
> for the advanced method is there but does not allow a connection
> with a valid TLS certificate.
> The understanding of the current draft therefore is
>    If the subdomain for the advanced method resolves via DNS,
>    the direct method MUST NOT be used.

As Werner pointed out on the other thread, the mail provider can disable 
the advanced method by creating a TXT record for openpgpkey.mail.de - 
the existence of the TXT record will prevent the wildcard from matching 
the advanced method's A lookup, and gnupg should fail back to the old 

The ball belongs in mail.de's court IMO, however the confusion is 

> On the other hand, if I trust my email domain webserver, the DNS provider can
> create the advanced method DNS entry and attack me. However this DNS provider
> could also just change the entry to my email domain webserver.

Indeed, if you don't trust your DNS provider, you have worse problems... ;-)

Andrew Gallagher
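The DNS mechanics discussed above (a wildcard record making `openpgpkey.<domain>` resolve, and a TXT record at that exact name stopping the wildcard from synthesising an A answer) can be checked against a small model. The following is an added example, not code from the thread or from GnuPG: it builds the WKD direct and advanced URLs for an address, and runs the method choice the thread attributes to the draft (advanced method when the subdomain resolves, direct method otherwise) against a toy resolver that implements RFC 4592 wildcard semantics. The zones, the `example.net` domain and the 192.0.2.x addresses are constructed for the example; the resolver strips only one label when looking for a wildcard, which is enough for this case but not a full implementation.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

# z-base-32 uses the same 5-bit grouping as RFC 4648 base32, only the alphabet differs,
# so the standard encoder plus a character translation gives the WKD hash encoding.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_TRANS = str.maketrans(RFC4648, ZBASE32)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded: 160 bits -> 32 chars, no padding."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TRANS)


def wkd_urls(email: str) -> Tuple[str, str]:
    """Return (advanced_url, direct_url) for an address; the 'l' parameter keeps the original case."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    q = "?l=" + quote(local, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}"
    return advanced, direct


# Toy zone: owner name -> rrtype -> rdata list (constructed, not real DNS data).
Zone = Dict[str, Dict[str, List[str]]]


def resolve(zone: Zone, name: str, rrtype: str) -> List[str]:
    """Minimal resolver with RFC 4592 wildcard behaviour.

    If the exact owner name exists with records of *any* type, no wildcard synthesis
    happens: an A query against a TXT-only name returns an empty answer (NODATA).
    Only when the name does not exist at all is '*.<parent>' consulted.
    Simplification: only the immediate parent's wildcard is checked.
    """
    if name in zone:
        return list(zone[name].get(rrtype, []))
    parent = name.split(".", 1)[1] if "." in name else ""
    wildcard = "*." + parent
    if wildcard in zone:
        return list(zone[wildcard].get(rrtype, []))
    return []


def choose_method(email: str, lookup: Callable[[str, str], List[str]]) -> Tuple[str, str]:
    """Apply the rule as described in the thread: if openpgpkey.<domain> resolves to an
    address, use the advanced method only; otherwise fall back to the direct method."""
    advanced, direct = wkd_urls(email)
    domain = email.rsplit("@", 1)[1].lower()
    sub = "openpgpkey." + domain
    if lookup(sub, "A") or lookup(sub, "AAAA"):
        return "advanced", advanced
    return "direct", direct


# Scenario 1: a catch-all wildcard makes openpgpkey.example.net resolve although the
# provider never set up the advanced method (the situation discussed in the thread).
WILDCARD_ZONE: Zone = {
    "example.net": {"A": ["192.0.2.10"]},
    "*.example.net": {"A": ["192.0.2.10"]},
}
# Scenario 2: same zone plus a TXT record at the exact name, which blocks the wildcard
# for the A lookup and lets clients use the direct method again.
BLOCKED_ZONE: Zone = dict(WILDCARD_ZONE)
BLOCKED_ZONE["openpgpkey.example.net"] = {"TXT": ["wkd: advanced method disabled"]}
# Scenario 3: the advanced method is set up deliberately with an explicit A record.
EXPLICIT_ZONE: Zone = {
    "example.net": {"A": ["192.0.2.10"]},
    "openpgpkey.example.net": {"A": ["192.0.2.20"]},
}


def demo(zone: Zone, email: str = "Joe.Doe@Example.NET") -> str:
    """Return which WKD method a client would pick for the address in the given zone."""
    return choose_method(email, lambda n, t: resolve(zone, n, t))[0]


if __name__ == "__main__":
    for label, zone in (("wildcard only", WILDCARD_ZONE),
                        ("wildcard + TXT at openpgpkey", BLOCKED_ZONE),
                        ("explicit openpgpkey A", EXPLICIT_ZONE)):
        method, url = choose_method("Joe.Doe@Example.NET", lambda n, t, z=zone: resolve(z, n, t))
        print(f"{label:30} -> {method:8} {url}")
```

Running it shows the wildcard-only zone steering the client to `https://openpgpkey.example.net/...` (where the catch-all host may well present no certificate valid for that name), the TXT record turning the A lookup into NODATA so the direct URL is used, and the explicit record selecting the advanced method as intended. Checking a real domain means issuing the A and TXT queries for `openpgpkey.<domain>` with an ordinary resolver and comparing with these three cases.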
