dns cert support
Peter Palfrader
gnupg-users=gnupg.org at lists.palfrader.org
Wed Apr 5 15:18:31 CEST 2006
On Wed, 05 Apr 2006, David Shaw wrote:
> On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote:
>
> > I notice that if I have both, a IPGP and a PGP CERT RR that GnuPG fails
> > to import the key some of the time:
>
> [..]
>
> > } ;; ANSWER SECTION:
> > } peter.palfrader.org. 43200 IN CERT 6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/
> > } peter.palfrader.org. 43200 IN CERT PGP 0 0 mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N.....
> >
> > Is having them both not supported or is there a bug somewhere?
>
> At the moment, GnuPG will take whichever it sees first (the PGP or the
> IPGP, but not both). So given round robining, if you have both, it
> will seem to flip back and forth between the two. I'm thinking about
> having GPG favor one or the other in these cases (probably PGP since
> if it has already fetched the whole key, it may as well import it
> rather than go to a web page or keyserver somewhere).
On the other hand the key that is fetched via DNS has serious size
constraints - DNS limits the RDATA to 64k and I think GnuPG further
limits this to 16k. In my case I have significantly stripped down my
key in order to store it in DNS, so maybe going to the keyserver or the
location specified in IPGP might be a good idea.
> The reason it is not fetching from the IPGP record you have there is
> there is only a fingerprint, and you must have a --keyserver defined
> for it to fetch the fingerprint from in that case. Do you have a
> --keyserver defined?
Ah, now that I do it works nicely. Thanks! Maybe gpg should say that
it wants to have a keyserver in this case?
Cheers,
Peter
--
PGP signed and encrypted | .''`. ** Debian GNU/Linux **
messages preferred. | : :' : The universal
| `. `' Operating System
http://www.palfrader.org/ | `- http://www.debian.org/
More information about the Gnupg-users
mailing list