dns cert support (was: GnuPG 1.4.3 released)
David Shaw
dshaw at jabberwocky.com
Tue Apr 4 23:57:07 CEST 2006
On Tue, Apr 04, 2006 at 08:25:01PM +0200, Peter Palfrader wrote:
> On Mon, 03 Apr 2006, Werner Koch wrote:
>
> > * New auto-key-locate option that takes an ordered list of methods
> > to locate a key if it is not available at encryption time (-r or
> > --recipient). Possible methods include "cert" (use DNS CERT as
> > per RFC2538bis), "pka" (use DNS PKA), "ldap" (consult the LDAP
> > server for the domain in question), "keyserver" (use the
> > currently defined keyserver), as well as arbitrary keyserver
> > URIs that will be contacted for the key.
> >
> > * Able to retrieve keys using DNS CERT records as per RFC-2538bis
> > (currently in draft): http://www.josefsson.org/rfc2538bis
>
> How would I try to retrieve the key for peter at palfrader.org from DNS[1]
> using GnuPG's command line, other than simulating an encryption (like in
> gpg --auto-key-locate cert --recipient peter at palfrader.org --encrypt)
> to the user in question?

While you could try and do some magic with piping the output of dig
into a script, at the moment, simulating an encryption is the only
easy way to do it directly from GnuPG. I do plan to have a
--locate-keys command to do this in the next version; I just didn't
want to delay the 1.4.3 release any further.

> Also, is there a tool that produces a snippet which is ready for
> inclusion into a zone file anywhere? Something similar to ssh-keygen
> for SSHFP RRs:
> weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
> galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
> weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
> galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2

Good idea. I just checked one in to the GnuPG SVN.

David
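
As an added example (not part of the original post and not GnuPG code), this is one way the "piping the output of dig into a script" route mentioned above could look in Python. It assumes full answer lines such as those printed by `dig +noall +answer CERT <name>`, the CERT RDATA layout from RFC 4398 (the published form of RFC2538bis), and also accepts the generic `\#` form shown in the ssh-keygen output above; the function name and the sample record are constructed for illustration.

```python
import base64
import struct

# CERT type mnemonics from RFC 4398, the published form of RFC2538bis.
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
              "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}

def parse_cert_rr(line):
    """Parse one answer line printed by dig; return a dict, or None if not a CERT RR."""
    fields = line.split()
    if not fields or fields[0].startswith(";"):
        return None                      # blank line or dig comment
    idx = next((i for i, f in enumerate(fields) if f.upper() in ("CERT", "TYPE37")), None)
    if idx is None:
        return None
    rdata = fields[idx + 1:]
    if rdata[:1] == ["\\#"]:             # RFC 3597 generic form: \# <len> <hex>
        wire = bytes.fromhex("".join(rdata[2:]))
        if len(rdata) < 3 or len(wire) != int(rdata[1]) or len(wire) < 5:
            raise ValueError("generic RDATA length mismatch")
        ctype, key_tag, algo = struct.unpack("!HHB", wire[:5])
        cert = wire[5:]
    else:                                # presentation form: type tag algo base64
        if len(rdata) < 4:
            raise ValueError("truncated CERT RDATA")
        ctype = CERT_TYPES.get(rdata[0].upper()) or int(rdata[0])
        key_tag = int(rdata[1])
        algo = int(rdata[2]) if rdata[2].isdigit() else rdata[2]
        cert = base64.b64decode("".join(rdata[3:]), validate=True)
    # For type 3 (PGP), "data" is the OpenPGP key material itself.
    rec = {"type": ctype, "key_tag": key_tag, "algorithm": algo, "data": cert}
    if ctype == 6:                       # IPGP: fpr length, fingerprint, key URL
        if not cert or cert[0] > len(cert) - 1:
            raise ValueError("IPGP fingerprint length exceeds RDATA")
        flen = cert[0]
        rec["fingerprint"] = cert[1:1 + flen].hex().upper()
        rec["url"] = cert[1 + flen:].decode("ascii")
    return rec

# Constructed sample (not a real key): 20-byte fingerprint plus a key URL.
_FPR = bytes(range(0xA0, 0xB4))
_BODY = bytes([len(_FPR)]) + _FPR + b"https://example.org/key.asc"
SAMPLE_DIG = "user.example.org. 3600 IN CERT IPGP 0 0 " + base64.b64encode(_BODY).decode()
SAMPLE_GENERIC = "user.example.org. 3600 IN TYPE37 \\# %d %s" % (
    len(_BODY) + 5, (b"\x00\x06\x00\x00\x00" + _BODY).hex())

if __name__ == "__main__":
    print(parse_cert_rr(SAMPLE_DIG), parse_cert_rr(SAMPLE_GENERIC), sep="\n")
```

A fingerprint or key obtained this way is only as trustworthy as the DNS answer that carried it, so it should be checked against a fingerprint obtained through another channel before the key is used.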