
add more URL options for WKD
Closed, Resolved, Public

Description

As a person that has a small mail server for multiple domains, it is quite annoying to configure a .well-known/openpgpkey/hu/ for each domain. It would be nice if I had the possibility to sort this out in DNS. It would help a lot if WKD would also request autoconfig.<domain>. With a separate DNS entry it would help a lot to process all WKS requests by a single server, and we wouldn't have to clutter the WKD feature through multiple files. The scenario would look like this:
https://autoconfig.example.org/.well-known/openpgpkey/hu/<hash>
if that fails:
https://example.org/.well-known/openpgpkey/hu/<hash>

I think autoconfig.<domain> is a good domain name choice, because it is also used for the Mozilla Autoconfig feature (Thunderbird/Autoconfiguration).

Details

Version
2.2.1

Event Timeline

That does not work because a property of WKD is that the key you retrieve has only the requested mail address and no other mail address. Merging them all into one file, which you need to do with your proposal, removes that property.

With Letsencrypt you have a very similar need which can easily be solved using a couple of symlinks. The same can be done with the Web Key Service.

BTW, autoconfig has a catch-22 when you want to use it with https instead of http.

FWIW, I plan to add a few features to gpg-wks-server to make the setup of a new domain and installation of keys easier.

I know that I can't handle all WKD requests under one domain for multiple ones. But I could make sure that autoconfig.<domain> would resolve to another IP address, so I can handle all of the WKD requests at another server, add its own VirtualHost entry, etc.

FWIW, I plan to add a few features to gpg-wks-server to make the setup of a new domain and installation of keys easier.

Where do I see these plans?

With Letsencrypt you have a very similar need which can easily be solved using a couple of symlinks. The same can be done with the Web Key Service.

With Let's Encrypt I can also do DNS-based authentication. So I do not need the symlinks.

BTW, autoconfig has a catch-22 when you want to use it with https instead of http.

I don't get it.

Using a different server is actually supported:

$ host -t SRV  _openpgpkey._tcp.gnupg.org
_openpgpkey._tcp.gnupg.org SRV 0 0 0 wkd.gnupg.org.
_openpgpkey._tcp.gnupg.org SRV 0 0 443 wkd.xgnupg.org.
_openpgpkey._tcp.gnupg.org SRV 0 0 0 wkd.gnupg.net.

(xgnupg.org and gnupg.net are just for testing)

The only requirement here is that you use a subdomain of gnupg.org (here wkd, but any will work). This was added for those providers who have outsourced the top level domain but can still add new DNS entries.

gpg-wks-server already has these dummy commands:

--install-key FILE    install a key from FILE into the WKD
--remove-key ADDR     remove the key ADDR from the WKD
--revoke-key ADDR     mark the key ADDR in the WKD as revoked

If you have a need for more helpful features, let's discuss them here. And yes, I need to write an update on how to install the web key services.

autoconfig is intended for provisioning, for example certificates (server and user) and other credentials. The catch-22 is that you need to convey them over an unsecured medium (http), which is obviously an easy MITM loophole. We discussed this once at an eco mail provider round table; iirc the idea was to find an easier solution than Letsencrypt, which might not be able to handle hundreds of thousands of domains in a short time frame from the same IP.
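The direct URL form from the description and the SRV rule stated above (the target must be a subdomain of the mail domain), as an added example written for this page rather than code from GnuPG or dirmngr. The hashed local part follows the WKD draft (SHA-1 of the lowercased local part, z-base-32 encoded); the SRV sample is transcribed from the host output above, and treating port 0 as 443 plus the simplified weight ordering are assumptions of the example.

```python
import hashlib

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet used by WKD

# SRV answers transcribed from the host(1) output on this page
SRV_GNUPG_ORG = [(0, 0, 0, "wkd.gnupg.org."),
                 (0, 0, 443, "wkd.xgnupg.org."),
                 (0, 0, 0, "wkd.gnupg.net.")]

def zbase32(data: bytes) -> str:
    """z-base-32 without padding: MSB first, 5 bits per output symbol."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc, nbits = (acc << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 31])
    if nbits:  # left-align the leftover bits in one final symbol
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 31])
    return "".join(out)

def wkd_hash(local_part: str) -> str:
    """The 'hu' file name: z-base-32 of SHA-1 over the lowercased local part."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def pick_wkd_host(mail_domain, srv_records):
    """Pick a WKD host from (priority, weight, port, target) SRV records.
    Only targets under the mail domain are accepted (the rule stated above), so
    the mail domain's own DNS stays the authority over where keys are fetched.
    Assumptions here: port 0 means 443; highest weight wins within a priority
    (RFC 2782 weighted random selection is skipped)."""
    mail_domain = mail_domain.lower().rstrip(".")
    candidates = []
    for prio, weight, port, target in srv_records:
        host = target.lower().rstrip(".")
        if not host.endswith("." + mail_domain):
            continue  # wkd.xgnupg.org / wkd.gnupg.net are not under gnupg.org
        candidates.append((prio, -weight, host, port or 443))
    if not candidates:
        return None
    _prio, _negw, host, port = sorted(candidates)[0]
    return host, port

def wkd_url(address, srv_records=()):
    """WKD URL for an address: the SRV host if one qualifies, else the domain."""
    local_part, _, domain = address.rpartition("@")
    host, port = pick_wkd_host(domain, srv_records) or (domain.lower(), 443)
    authority = host if port == 443 else f"{host}:{port}"
    return f"https://{authority}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"
```

With the gnupg.org records, only wkd.gnupg.org survives the subdomain check, which is exactly why the two test names on other domains are harmless.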

Okay, I see. Then I haven't found the documentation for this feature. This is enough for defining a different server.

But I'm a little bit curious how the SRV entry works together with Tor support, because as far as I know Tor doesn't support SRV entries.

gpg-wks-server already has these dummy commands:

Currently I use the script generate-openpgpkey-hu to manage the keys. And I'm happy with the approach keyring -> folder with keys...

dirmngr has its own stub resolver to do DNS resolution via TCP so that it can be routed via Tor (to 8.8.8.8, which is a heavy-traffic resolver, and thus it will be hard to single out requests to other often-used addresses).

dirmngr has its own stub resolver to do DNS resolution via TCP so that it can be routed via Tor (to 8.8.8.8, which is a heavy-traffic resolver, and thus it will be hard to single out requests to other often-used addresses).

Ah okay, you connect via Tor to one DNS server that speaks TCP. Looking forward to the day that Tor gets proper DNS support.

hefee claimed this task.

I think with the SRV entry, I can configure the server in the way I want to....