WKD, wildcard DNS resolution (Re: Error when trying to locate key via WKD)
Andrew Gallagher
andrewg at andrewg.com
Thu Oct 28 13:59:39 CEST 2021
On 28/10/2021 12:25, Bernhard Reiter wrote:
> On Thursday 28 October 2021 12:07:52, Andrew Gallagher via
> Gnupg-users wrote:
>> The megathread from hell starts here :-)
>> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html
>
> That is not gnupg-_devel_ (where I was searching). :)
To be fair to Ingo, he did say "here OR on gnupg-devel" :-)
> Interesting to me is:
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
> Ingo explaining that it is considered a security drawback if a domain
> for the advanced method is there but does not allow a connection
> with a valid TLS certificate.
>
> The understanding of the current draft therefore is
> If the subdomain for the advanced method resolves via DNS,
> the direct method MUST NOT be used.
As Werner pointed out on the other thread, the mail provider can disable
the advanced method by creating a TXT record for openpgpkey.mail.de -
the existence of the TXT record will prevent the wildcard from matching
the advanced method's A lookup, and gnupg should fail back to the old
method.
The ball belongs in mail.de's court IMO, however the confusion is
understandable.
> On the other hand, if I trust my email domain webserver, the DNS provider can
> create the advanced method DNS entry and attack me. However this DNS provider
> could also just change the entry to my email domain webserver.
Indeed, if you don't trust your DNS provider, you have worse problems... ;-)
--
Andrew Gallagher
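The wildcard interaction described above, as an added illustration that is not part of the list post or of GnuPG's code: a toy resolver that follows the RFC 4592 rule (a wildcard is synthesised only when no record of any type exists at the queried name), the WKD URL construction for both methods, and the method choice the draft mandates. The zone contents, the 192.0.2.x addresses and the TXT record text are constructed placeholders, not mail.de's real DNS.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 (a 20-byte SHA-1 becomes exactly 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wkd_urls(addr: str) -> dict:
    """Build the advanced and direct WKD URLs for an e-mail address."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    # The local part is lower-cased before hashing; ?l= carries it as given.
    h = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    q = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
    }

def resolve(zone: dict, name: str, rtype: str) -> list:
    """Toy resolver modelling RFC 4592: a wildcard is only synthesised when
    NO records of any type exist at the queried name (constructed model)."""
    if name in zone:                        # name exists: wildcard never applies
        return zone[name].get(rtype, [])    # may be NODATA (empty list)
    parent = name.split(".", 1)[1]
    return zone.get("*." + parent, {}).get(rtype, [])

def choose_method(zone: dict, domain: str) -> str:
    """Per the draft: if openpgpkey.<domain> resolves, the advanced method is
    mandatory and the direct method MUST NOT be used as a fallback."""
    sub = f"openpgpkey.{domain}"
    if resolve(zone, sub, "A") or resolve(zone, sub, "AAAA"):
        return "advanced"
    return "direct"

# Constructed zones (RFC 5737 documentation addresses), not mail.de's real DNS.
WILDCARD_ZONE = {
    "mail.de": {"A": ["192.0.2.10"]},
    "*.mail.de": {"A": ["192.0.2.10"]},    # catch-all makes openpgpkey.mail.de resolve
}
# Same zone after the fix Werner suggested: an explicit TXT record (any content)
# at the openpgpkey name, so the wildcard no longer matches the A/AAAA lookup.
FIXED_ZONE = dict(WILDCARD_ZONE, **{"openpgpkey.mail.de": {"TXT": ["wkd-advanced-disabled"]}})
```

With the wildcard alone, `choose_method` selects the advanced method and a TLS failure on openpgpkey.mail.de is fatal; with the explicit TXT record it selects the direct method.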