My organization has its own HKP server, which we use to encrypt mail.
Our problem is that dirmngr can mark it "dead" for a number of reasons (user connected to the wrong network, not connected to their VPN at home, not connected at all, etc.). When that happens, even if our users realize their mistake and fix their network setup, they can't search or download any key, because dirmngr won't even try to connect because of the mark.
As I understand it, the dead feature is an optimization to reduce search time when multiple servers are in use; that makes sense, but it should NOT make GPG quit without doing anything.
How to reproduce:
Disconnect the host from wifi/eth, use gpg --keyserver myserver, reconnect, use gpg --keyserver myserver again.
Ways that it could be fixed:
- Always try to connect when --keyserver is used (if I give an option to gpg, I expect it to use it, for real);
- Ignore the dead mark when only one keyserver is configured (through options or config file);
- Retry servers if all servers in the list are marked dead;
- etc.
In the meantime, I'm also looking for a way to get around the problem so that my (non-IT) users are not bothered by this anymore; so, is it possible to ...
- Disable the whole "dead" feature somewhere in config?
- Configure the time to wait before the server comes "back from the dead"?
- Tell GPG to spawn a non-daemonized instance of dirmngr for each of its runs?
- Tell GPG to use the legacy (pre-2.1) --keyserver handler?
Thank you for your time on this.
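An added example of the kind of workaround wrapper the post is asking for; it is not from the original post or from the GnuPG project. It assumes that dirmngr keeps its "dead" marks only in the running daemon's memory, so terminating the daemon with `gpgconf --kill dirmngr` and letting gpg start a fresh one clears them; `KEYSERVER_URL` is a placeholder.

```shell
#!/bin/sh
# Wrapper around gpg keyserver operations for a single in-house HKP server.
# If the first attempt fails (for example because dirmngr has marked the
# server "dead" after a transient network problem), restart dirmngr and
# retry once. Assumption: the dead marks live only in dirmngr's in-memory
# host table, so a fresh daemon starts with no marks.
KEYSERVER_URL="${KEYSERVER_URL:-hkp://myserver.example}"   # placeholder host

reset_dirmngr() {
    # Terminate the user's running dirmngr; gpg will auto-start a new one
    # (with an empty host table) on the next keyserver operation.
    gpgconf --kill dirmngr
}

# Usage: keyserver_op <gpg keyserver option> [args...]
#   keyserver_op --recv-keys <KEYID>
#   keyserver_op --search-keys user@example.org
# Exit status is that of the last gpg attempt, so callers can still react
# to a genuine failure (e.g. the network really is down).
keyserver_op() {
    if gpg --keyserver "$KEYSERVER_URL" "$@"; then
        return 0
    fi
    echo "keyserver operation failed; resetting dirmngr and retrying once" >&2
    reset_dirmngr
    gpg --keyserver "$KEYSERVER_URL" "$@"
}

# Only act when invoked with arguments, so the file can also be sourced
# to reuse keyserver_op from other scripts.
if [ "$#" -gt 0 ]; then
    keyserver_op "$@"
fi
```

The retry is bounded to a single attempt on purpose: if the server is still unreachable after the reset, the real error surfaces instead of looping.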