dns cert support (was: GnuPG 1.4.3 released)

David Shaw dshaw at jabberwocky.com
Tue Apr 4 23:57:07 CEST 2006


On Tue, Apr 04, 2006 at 08:25:01PM +0200, Peter Palfrader wrote:
> On Mon, 03 Apr 2006, Werner Koch wrote:
> 
> >     * New auto-key-locate option that takes an ordered list of methods
> >       to locate a key if it is not available at encryption time (-r or
> >       --recipient).  Possible methods include "cert" (use DNS CERT as
> >       per RFC2538bis), "pka" (use DNS PKA), "ldap" (consult the LDAP
> >       server for the domain in question), "keyserver" (use the
> >       currently defined keyserver), as well as arbitrary keyserver
> >       URIs that will be contacted for the key.
> > 
> >     * Able to retrieve keys using DNS CERT records as per RFC-2538bis
> >       (currently in draft): http://www.josefsson.org/rfc2538bis
> 
> How would I try to retrieve the key for peter at palfrader.org from DNS[1]
> using GnuPG's command line, other than simulating an encryption (like in
> gpg --auto-key-locate cert --recipient peter at palfrader.org --encrypt)
> to the user in question?

While you could try and do some magic with piping the output of dig
into a script, at the moment, simulating an encryption is the only
easy way to do it directly from GnuPG.  I do plan to have a
--locate-keys command to do this in the next version; I just didn't
want to delay the 1.4.3 release any further.

> Also, is there a tool that produces a snippet which is ready for
> inclusion into a zone file anywhere?  Something similar to ssh-keygen
> for SSHFP RRs:
>   weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
>   galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
>   weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
>   galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2

Good idea.  I just checked one in to the GnuPG SVN.

David
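An added example, not part of the thread and not the tool David checked into SVN, showing what such a zone-file generator does for a PGP key: it wraps the exported key bytes in CERT RDATA (type 3 = PGP, key tag 0, algorithm 0) and prints both the generic TYPE37 form that mirrors the `ssh-keygen -g` output quoted above and the native CERT form. The key bytes are constructed, not a real key, and the owner-name mapping (replace the '@' with a '.') is assumed to match what GnuPG's CERT lookup queries.

```python
import base64
import struct

CERT_RRTYPE = 37      # CERT RR type number (RFC 2538 / RFC 4398)
CERT_TYPE_PGP = 3     # certificate type 3 = OpenPGP packet (RFC 4398 section 2.1)

# Constructed stand-in for the binary OpenPGP export that "gpg --export"
# would produce; it is NOT a real key, just bytes to carry through the RR.
SAMPLE_KEY = b"not-a-real-key"


def owner_name_for_email(email: str) -> str:
    """Owner name for a mail address: the '@' becomes a label separator
    (assumption: this is the RFC 4398 section 3.3 mapping GnuPG queries)."""
    local, domain = email.rsplit("@", 1)
    return f"{local}.{domain}."


def build_cert_rdata(cert: bytes, cert_type: int = CERT_TYPE_PGP,
                     key_tag: int = 0, algorithm: int = 0) -> bytes:
    """Wire-format CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate.
    For a PGP certificate the key tag and algorithm fields are both 0."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


def parse_cert_rdata(rdata: bytes):
    """Inverse of build_cert_rdata; rejects RDATA too short to hold the header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def cert_rr_generic(owner: str, rdata: bytes) -> str:
    """RFC 3597 unknown-type presentation (the form ssh-keygen -g uses for
    TYPE44), for zone files on servers without native CERT support."""
    return f"{owner} IN TYPE{CERT_RRTYPE} \\# {len(rdata)} {rdata.hex()}"


def cert_rr_native(owner: str, rdata: bytes) -> str:
    """Native CERT presentation: type, key tag, algorithm, base64 certificate."""
    cert_type, key_tag, algorithm, cert = parse_cert_rdata(rdata)
    b64 = base64.b64encode(cert).decode("ascii")
    return f"{owner} IN CERT {cert_type} {key_tag} {algorithm} {b64}"


def parse_generic_rr(line: str) -> bytes:
    """Parse a 'TYPE37 \\# <len> <hex>' line (e.g. copied from dig output)
    back to RDATA, checking the declared length against the hex payload."""
    fields = line.split()
    idx = fields.index("\\#")
    declared = int(fields[idx + 1])
    rdata = bytes.fromhex("".join(fields[idx + 2:]))
    if len(rdata) != declared:
        raise ValueError(f"declared length {declared} != {len(rdata)} data bytes")
    return rdata


if __name__ == "__main__":
    owner = owner_name_for_email("peter@palfrader.org")
    rdata = build_cert_rdata(SAMPLE_KEY)
    print(cert_rr_generic(owner, rdata))
    print(cert_rr_native(owner, rdata))
```

To publish a real key, feed the binary output of `gpg --export <keyid>` in place of `SAMPLE_KEY`; `parse_generic_rr` is the check to run on what `dig` returns before trusting a record, since a CERT answer is only as good as the DNS path that delivered it, and without DNSSEC validation the fetched key should be treated as a candidate whose fingerprint is confirmed over another channel.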


