dirmngr DNS resolution strategy
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Oct 27 00:39:25 CEST 2016
Hi GnuPG folks--
over in https://bugs.gnupg.org/gnupg/issue2745 I did a bit of inspection
of dirmngr DNS traffic during a simple lookup.
I did this from a temporary GNUPGHOME, via:
GNUPGHOME=$(mktemp -d) gpg-connect-agent --dirmngr
You can do this test yourself with:
keyserver hkps://pool.sks-keyservers.net
keyserver --resolve hkps://pool.sks-keyservers.net
If you record the DNS traffic that results from this, you'll see:
a) SRV records for the pool (_hkp._tcp.hkps.pool.sks-keyservers.net)
came back NXDOMAIN
b) as soon as that response came back, dirmngr sent out a request for A
records for hkps.pool.sks-keyservers.net, which was fulfilled with 10
addresses
c) dirmngr subsequently looked up PTR records for each of those
addresses
d) dirmngr was fine continuing to use some of those 10 addresses.
This is all using the adns library, which should allow for asynchronous
DNS requests. I'm assuming that the goal here is for dirmngr to be as
fast as possible in its responses.
This raises several questions for me:
0) There's no reason to have the request for A records (step b) sent
out *after* the SRV response comes in. Both requests could be sent
concurrently, and dirmngr could update its host table with whatever
answers it gets. If you prefer SRV records, then discard any A
responses that come in after SRV records, while overwriting any A
responses that are already present when SRV responses come in.
1) Each of the PTR records looked up in step c was done one after the
other. There should be no need to wait on this; if you need PTR
records, simply send all 10 PTR requests concurrently, and process
them as they come back in. This parallelization will reduce the
number of round trips dramatically.
2) More importantly -- why does dirmngr need PTR records at all?
What's the advantage of having them? If the user is asking to
connect to a pool, doing a reverse DNS lookup just seems to be an
additional round trip requirement.
any thoughts?
--dkg
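The lookup strategy proposed in points 0) and 1) of the message above, as an added example that is not part of the message, dirmngr, or adns: it simulates the observed serial behaviour (SRV, then A, then one PTR at a time) next to the concurrent variant (SRV and A in flight together with SRV preferred, then all PTR queries at once), and counts how many queries overlap. The resolver, zone data, latencies, PTR names and addresses (RFC 5737 documentation space) are all constructed for illustration; no network traffic is sent.

```python
"""Simulation of the dirmngr lookup strategy proposed in the message above.

Added example, not dirmngr or adns code. FakeResolver answers from a
constructed table with simulated latency, so this runs offline.
"""
import asyncio

# Constructed answers: (latency_seconds, rrset or None for NXDOMAIN / no data).
FAKE_ZONE = {
    ("_hkp._tcp.hkps.pool.sks-keyservers.net", "SRV"): (0.03, None),
    ("hkps.pool.sks-keyservers.net", "A"): (0.01, ["192.0.2.1", "192.0.2.2", "192.0.2.3"]),
    ("1.2.0.192.in-addr.arpa", "PTR"): (0.01, ["ks1.example"]),
    ("2.2.0.192.in-addr.arpa", "PTR"): (0.02, ["ks2.example"]),
    ("3.2.0.192.in-addr.arpa", "PTR"): (0.01, None),   # constructed: no reverse mapping
}


def reverse_name(ipv4):
    """Owner name for a PTR query: reversed octets under in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


class FakeResolver:
    """Answers from a zone dict after a delay; records how many queries overlap."""

    def __init__(self, zone=FAKE_ZONE):
        self.zone = zone
        self.in_flight = 0
        self.max_in_flight = 0

    async def query(self, name, rtype):
        latency, rrset = self.zone.get((name, rtype), (0.01, None))
        self.in_flight += 1
        self.max_in_flight = max(self.max_in_flight, self.in_flight)
        try:
            await asyncio.sleep(latency)
        finally:
            self.in_flight -= 1
        return rrset


async def resolve_pool(resolver, pool_host, srv_name):
    """Point 0): SRV and A sent together; SRV answers override A answers."""
    srv_task = asyncio.create_task(resolver.query(srv_name, "SRV"))
    a_task = asyncio.create_task(resolver.query(pool_host, "A"))
    hosts, srv_seen, pending = [], False, {srv_task, a_task}
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            rrset = task.result()
            if task is srv_task:
                if rrset:                       # SRV present: overwrite earlier A data
                    hosts, srv_seen = list(rrset), True
            elif rrset and not srv_seen:        # A answer; discarded if SRV already won
                hosts = list(rrset)
    return hosts


async def reverse_all(resolver, addrs):
    """Point 1): every PTR query in flight at once, answers taken as they land."""
    results = await asyncio.gather(*(resolver.query(reverse_name(a), "PTR") for a in addrs))
    return {a: (r[0] if r else None) for a, r in zip(addrs, results)}


async def resolve_serial(resolver, pool_host, srv_name):
    """The observed behaviour: each query waits for the previous answer."""
    srv = await resolver.query(srv_name, "SRV")
    hosts = list(srv) if srv else (await resolver.query(pool_host, "A") or [])
    names = {}
    for a in hosts:
        r = await resolver.query(reverse_name(a), "PTR")
        names[a] = r[0] if r else None
    return hosts, names


async def resolve_concurrent(resolver, pool_host, srv_name):
    hosts = await resolve_pool(resolver, pool_host, srv_name)
    return hosts, await reverse_all(resolver, hosts)


def lookup_hosts(zone, pool_host, srv_name):
    """Synchronous wrapper around resolve_pool for a given constructed zone."""
    return asyncio.run(resolve_pool(FakeResolver(zone), pool_host, srv_name))


def compare(pool_host="hkps.pool.sks-keyservers.net",
            srv_name="_hkp._tcp.hkps.pool.sks-keyservers.net"):
    """Run both strategies against FAKE_ZONE and report results plus overlap."""
    out = {}
    for label, strategy in (("serial", resolve_serial), ("concurrent", resolve_concurrent)):
        res = FakeResolver()
        hosts, names = asyncio.run(strategy(res, pool_host, srv_name))
        out[label] = {"hosts": hosts, "names": names, "max_in_flight": res.max_in_flight}
    return out


if __name__ == "__main__":
    for label, r in compare().items():
        print(label, "overlapping queries:", r["max_in_flight"], r["names"])
```

Both strategies end with the same host table and the same PTR names; the difference is that the serial walk never has more than one query outstanding, while the concurrent version has the whole PTR batch in flight together, which is where the round trips are saved. The `srv_seen` flag implements the preference rule from point 0): an A answer that is already in the table is overwritten when SRV data arrives, and an A answer that arrives after SRV data is dropped.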