openpgp: Use DNS resolver of OS

[duxsco]

No description provided.

[mgorny]

Ok. I've fired up the CI, lemme know when it's ready for review.

[duxsco]

I tried to setup reproducible tests:
https://github.com/duxsco/gemato-test-pr31

But, GnuPG doesn't act as expected for reasons. Gonna test further, when I have more brain power again.

[duxsco]

I decided to test directly on my Gentoo laptop.

1. Outgoing traffic on port 53 over interface "wlan0" is disabled:

#!/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;

    icmp type 8 accept

    # https://datatracker.ietf.org/doc/html/rfc4890#section-4.4.1
    icmpv6 type 128 accept
    ip6 hoplimit 255 icmpv6 type { 133, 134, 135, 136, 141, 142, 148, 149 } accept
    ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

    ct state vmap { invalid : drop, established : accept, related : accept, untracked : drop }
    iif "lo" accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state vmap { invalid : drop, established : accept, related : accept, untracked : drop }
  }

  chain output {
    type filter hook output priority filter; policy accept;
    oifname "wlan0" tcp dport 53 reject
    oifname "wlan0" udp dport 53 reject
  }
}

2. DNS-over-TLS is configured as follows:
   https://gentoo.duxsco.de/cleanup_and_reboot/

This results in DNS resolution working if you use the system's DNS resolver. But, it fails if you do recursive DNS resolution:

With that setup, a refresh over WKD still works without this PR having been applied:

❯ eix-sync
 * Running emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git fetch origin --depth 1
remote: Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                     [ ok ]
 * Trusted signature found on top commit
=== Sync completed for gentoo

Action: sync for repo: gentoo, returned code = 0


 * Main gentoo tree does not appear to have changed: exiting
 * Use -a or set have_changed=: in a ! hook to override this check
 * Time statistics:
     4 seconds for syncing
     4 seconds total

Apparently, GnuPG doesn't solely rely on recursive DNS resolution. On my corporate laptop, I had to set "standard-resolver" in ~/.gnupg/dirmngr.conf though to get pubkey fetching working 🤷

[duxsco]

@mgorny If at all, I think it's better to just provide a config option to be able to turn "standard-resolver" on if desired.

[duxsco]

I don't mind closing this PR.

[mgorny]

Well, lemme rephrase: is there any real advantage to using GPG's recursive resolver?

[mgorny]

Sorry, my question might have been unclear: is there any reason not to merge it as-is?

[duxsco]

The only thing that comes to mind is the 2nd sentence:

❯ man dirmngr | sed -n '/--standard-resolver/,/^$/p' | sed 's/^/> /'
--standard-resolver
This option forces the use of the system's standard DNS resolver code. This
is mainly used for debugging. Note that on Windows a standard resolver is
not used and all DNS access will return the error ``Not Implemented'' if this
option is used. Using this together with enabled Tor mode returns the error
``Not Enabled''.

Nevertheless, I prefer having the operating system's DNS resolver in use. If you run into problems (in corporate networks or public wifi hotspots) with DNS resolution provided by the operating system, you more likely know where to look at. Since recently, I didn't know of GnuPG's approach. Debugging with dirmngr's --debug-level guru and --log-file <file> doesn't provide any useful information:

FYI, AFAIK GnuPG doesn't support DNSSEC (see bug T4618).

[duxsco]

So, I prefer this PR getting merged due to above reasons or giving the user the choice between "--recursive-resolver" and "--standard-resolver". But, I don't know whether it's worth investing time implementing this with PR27 being worked on.

[mgorny]

I agree. It's the same thing as with proxy — GPG does weird stuff by default for "reasons", and you don't learn of it until it causes an actual problem.