DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

David Shaw dshaw@jabberwocky.com
Tue Jul 9 15:50:01 2002

On Tue, Jul 09, 2002 at 12:21:02AM +0200, Simon Josefsson wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
> > On Mon, Jul 08, 2002 at 06:46:19PM -0300, Andreas Hasenack wrote:
> >> Em Mon, Jul 08, 2002 at 05:25:15PM -0400, David Shaw escreveu:
> >> > automatically installed when you install GnuPG.  GnuPG will call them
> >> > when needed.
> >> 
> >> Ah, I see now, gpg would call them depending on the type of
> >> keyserver being used via --keyserver, for example.
> >
> > Yes.  I keep meaning to document the keyserver API so people can write
> > their own plugins...
> FYI, I have written one for retrieving OpenPGP certificates from DNS,
> see http://josefsson.org/gpgkeys_jkp/.

Hey, this is quite nice!

I have a few minor comments/concerns (maybe we should drag this over
to gnupg-devel?):

1) You shouldn't send the PROGRAM ("PROGRAM 1.1.91\n") line back to
   GnuPG unless you require a particular version of GnuPG.  This will
   cause a warning if someone uses your plugin with anything other
   than 1.1.91.  It's really intended for those gpgkeys_x programs
   that ship with GnuPG itself.

2) Why "jkp"?  Why not use dns: as per
   http://josefsson.org/draft-josefsson-dns-url.txt ?

   After reading your draft, I think I should modify the keyserver URI
   parser in GnuPG to be able to accept a raw URI scheme like "dns",
   which works well with the syntax in your draft to indicate a DNS
   retrieval without specifying a particular server to get it from.
   This way both "dns" and "dns://keyserver.com/" could be used.

3) I see that you didn't follow the CERT RFC recommendation on naming
   the CERT RRs.  Frankly, I think your method is better since it is
   common to know the keyid of a key without knowing the userid (say,
   for verifying signatures).  However, why not take it a step further
   and use the fingerprint (or at least the 64-bit keyid) as the RR
   name?  Searching by fingerprint is the most accurate way to
   retrieve a key as it is too easy to invent a collision with plain

   What do you think of structuring the records like this:

   ; The full CERT, named by fingerprint
   0x7D92..(full fpr)... CERT 3 0 0 (blah blah blah)

   ; The short keyid CNAMEd to the fingerprint
   0x99242560 CNAME 0x7D92...

   ; The long keyid CNAMEd to the fingerprint
   0xDB698D7199242560 CNAME 0x7D92...

   ; The user id in DNS form CNAMEd to the fingerprint
   dshaw.jabberwocky.com CNAME 0x7D92....

   This scheme also lets you index by multiple user ids - just add a
   CNAME for each.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson