Home GnuPG
Diffusion GnuPG 88dc3af3d4ae

dirmngr: Implement experimental SRV record lookup for WKD.
88dc3af3d4aeUnpublished

Unpublished Commit · Learn More

Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

dirmngr: Implement experimental SRV record lookup for WKD.

* dirmngr/server.c (cmd_wkd_get): Support SRV records.

This patch changes the way a WKD query is done. Now we first look for
a SRV record for service "openpgpkey" and port "tcp" under the
to-be-queried domain. If such a record was found and the target host
matches the to-be-queried domain or is a suffix to that domain, that
target host is used instead of the domain name. The SRV record also
allows to change the port and obviously can be used for
load-balancing.

For example a query for the submission address of example.org with the
SRV record specification

_openpgpkey._tcp IN SRV 0 0 0 wkd.foo.org.

IN     SRV   0 0  0    wkd.example.net.
IN     SRV   0 0  4711 wkd.example.org.

(queried using the name "_openpgpkey._tcp.example.org") would fetch
from this URL:

https://wkd.example.org:4711/.well-known/openpgpkey/submission-address

Note that the first two SRV records won't be used because foo.org and
example.net do not match example.org. We require that the target host
is identical to the domain or be a subdomain of it. This is so that
an attacker modifying the SRV records needs to setup a server in a
sub-domain of the actual domain and can't use an arbitrary domain.
Whether this is a sufficient requirement is not clear and needs
further discussion.

  • Signed-off-by: Werner Koch <wk@gnupg.org>

Details

Provenance
wernerAuthored on Jan 8 2017, 6:42 PM
Parents
rG714faea4fa7f: dirmngr: Improve debug output for TLS.
Branches
Unknown
Tags
Unknown

Event Timeline