WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)
andrewg at andrewg.com
Thu Oct 28 13:59:39 CEST 2021
On 28/10/2021 12:25, Bernhard Reiter wrote:
> On Thursday 28 October 2021 12:07:52, Andrew Gallagher via
>> The megathread from hell starts here :-)
> That is not gnupg-_devel_ (where I was searching). :)
To be fair to Ingo, he did say "here OR on gnupg-devel" :-)
> Interesting to me is:
> Ingo explaining that it is considered a security drawback if a domain
> for the advanced method is there but does not allow a connection
> with a valid TLS certificate.
> The understanding of the current draft therefore is
> If the subdomain for the advanced method resolves via DNS,
> the direct method MUST NOT be used.
As Werner pointed out on the other thread, the mail provider can disable
the advanced method by creating a TXT record for openpgpkey.mail.de -
the existence of the TXT record will prevent the wildcard from matching
the advanced method's A lookup, and gnupg should fail back to the old
The ball belongs in mail.de's court IMO, however the confusion is
> On the other hand, if I trust my email domain webserver, the DNS provider can
> create the advanced method DNS entry and attack me. However this DNS provider
> could also just change the entry to my email domain webserver.
Indeed, if you don't trust your DNS provider, you have worse problems... ;-)
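To make the TXT-record point above concrete, here is an added Python simulation (not code from this thread, from GnuPG, or from mail.de). It models a zone with a wildcard record under RFC 4592 semantics, in which a wildcard only synthesises answers for names that do not exist at all, and on top of that the WKD client decision between the advanced and direct method. The zone contents (`*.mail.de`, the address 192.0.2.10, the TXT text) are constructed for the example; the local-part hashing and URL layout follow the WKD draft.

```python
import hashlib
from typing import Optional

# z-base-32 alphabet used by WKD for the "hu" path component.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most-significant bit first."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars)
    )


def wkd_hash(email: str) -> str:
    """WKD hashed user id: z-base-32 of SHA-1 over the lowercased local part."""
    local = email.rsplit("@", 1)[0].lower()
    return zbase32_encode(hashlib.sha1(local.encode("utf-8")).digest())


# Toy zone: owner name -> rrtype -> list of rdata. Constructed for this example.
Zone = dict


def _name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of a name that does."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def lookup(zone: Zone, name: str, rrtype: str) -> Optional[list]:
    """Resolve with RFC 4592 wildcard semantics.

    Returns None for NXDOMAIN, [] for NODATA (the name exists but has no
    records of that type), otherwise the rdata list.  An explicit node such
    as a TXT record makes the name exist, so the wildcard no longer applies
    and an A/AAAA query gets NODATA instead of the wildcard's address.
    """
    if name in zone:
        return list(zone[name].get(rrtype, []))
    labels = name.split(".")
    for i in range(1, len(labels)):
        closest_encloser = ".".join(labels[i:])
        if _name_exists(zone, closest_encloser):
            wildcard = zone.get("*." + closest_encloser)
            return list(wildcard.get(rrtype, [])) if wildcard else None
    return None


def choose_wkd_url(email: str, zone: Zone) -> tuple:
    """Pick the advanced method when openpgpkey.<domain> has an address, else direct."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(email)
    host = "openpgpkey." + domain
    has_address = bool(lookup(zone, host, "A")) or bool(lookup(zone, host, "AAAA"))
    if has_address:
        return "advanced", f"https://{host}/.well-known/openpgpkey/{domain}/hu/{hu}?l={local}"
    return "direct", f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={local}"


# Constructed zones: a catch-all wildcard, with and without the opt-out TXT record.
ZONE_WILDCARD_ONLY = {
    "mail.de": {"A": ["192.0.2.10"], "MX": ["mx.mail.de"]},
    "*.mail.de": {"A": ["192.0.2.10"]},
}
ZONE_WITH_TXT = {
    **ZONE_WILDCARD_ONLY,
    "openpgpkey.mail.de": {"TXT": ['"advanced WKD method not offered"']},
}

if __name__ == "__main__":
    for label, zone in (("wildcard only", ZONE_WILDCARD_ONLY), ("wildcard + TXT", ZONE_WITH_TXT)):
        print(f"{label:15s} A? {lookup(zone, 'openpgpkey.mail.de', 'A')!r:18s}",
              choose_wkd_url("Alice@mail.de", zone))
```

With the wildcard alone, `openpgpkey.mail.de` resolves to the wildcard's address and the client commits to the advanced method; adding any record at that name (the TXT here) turns the A lookup into NODATA and the client falls back to the direct URL on `mail.de` itself. The same `lookup` function also distinguishes NXDOMAIN (`None`) from NODATA (`[]`), which is the distinction the wildcard trick hinges on.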