dns cert support

Peter Palfrader gnupg-users=gnupg.org at lists.palfrader.org
Wed Apr 5 15:18:31 CEST 2006


On Wed, 05 Apr 2006, David Shaw wrote:

> On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote:
> 
> > I notice that if I have both, an IPGP and a PGP CERT RR, GnuPG fails
> > to import the key some of the time:
> 
> [..]
> 
> > } ;; ANSWER SECTION:
> > } peter.palfrader.org.    43200   IN      CERT    6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/
> > } peter.palfrader.org.    43200   IN      CERT    PGP 0 0 mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N.....
> > 
> > Is having them both not supported or is there a bug somewhere?
> 
> At the moment, GnuPG will take whichever it sees first (the PGP or the
> IPGP, but not both).  So given round robining, if you have both, it
> will seem to flip back and forth between the two.  I'm thinking about
> having GPG favor one or the other in these cases (probably PGP since
> if it has already fetched the whole key, it may as well import it
> rather than go to a web page or keyserver somewhere).

On the other hand the key that is fetched via DNS has serious size
constraints - DNS limits the RDATA to 64k and I think GnuPG further
limits this to 16k.  In my case I have significantly stripped down my
key in order to store it in DNS, so maybe going to the keyserver or the
location specified in IPGP might be a good idea.

> The reason it is not fetching from the IPGP record you have there is
> there is only a fingerprint, and you must have a --keyserver defined
> for it to fetch the fingerprint from in that case.  Do you have a
> --keyserver defined?

Ah, now that I do, it works nicely.  Thanks!  Maybe gpg should say that
it wants to have a keyserver in this case?

Cheers,
Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
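The behaviour discussed in this thread (two CERT record types in one answer set, round-robin ordering deciding which one GnuPG acts on, and an IPGP record that carries only a fingerprint being unusable without a configured keyserver) can be made concrete with a small parser and a fetch-policy function. The following is an added example written for this page; it is not GnuPG code and does not reproduce GnuPG's actual logic. It decodes CERT records in dig presentation format per RFC 4398 (type 3 = PGP, type 6 = IPGP; IPGP RDATA is a one-octet fingerprint length, the fingerprint, then an optional URL), and chooses a fetch plan from the whole answer set so that record order cannot change the result. The "prefer PGP" default mirrors David's suggestion, not shipped behaviour; the 16k limit is the figure quoted from memory in the thread and is treated as an assumption; the IPGP record is the one shown in the thread, while the PGP record's payload and the keyserver URL are constructed placeholders.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CERT RR type codes from RFC 4398, section 2.1
CERT_TYPE_PGP = 3    # full OpenPGP key carried inline in RDATA
CERT_TYPE_IPGP = 6   # fingerprint and/or URL pointing at the key
_MNEMONICS = {"PGP": CERT_TYPE_PGP, "IPGP": CERT_TYPE_IPGP}

# Size limits as stated in the thread; the GnuPG figure is quoted from memory
# there, so it is an assumption here, not a verified constant.
DNS_RDATA_MAX = 65535
GNUPG_DNS_KEY_MAX = 16 * 1024


@dataclass
class CertRecord:
    owner: str
    cert_type: int
    key_tag: int
    algorithm: int
    rdata: bytes


def parse_cert_rr(line: str) -> CertRecord:
    """Parse one CERT record in dig presentation format:
    owner TTL class CERT type key-tag algorithm base64..."""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "CERT":
        raise ValueError(f"not a CERT record: {line!r}")
    owner, _ttl, _cls, _, ctype, tag, alg = fields[:7]
    type_code = _MNEMONICS.get(ctype.upper())
    if type_code is None:
        type_code = int(ctype)          # numeric form, e.g. "6" for IPGP
    b64 = "".join(fields[7:])           # dig may wrap long payloads
    b64 += "=" * (-len(b64) % 4)        # restore padding if dig dropped it
    rdata = base64.b64decode(b64, validate=True)
    if len(rdata) > DNS_RDATA_MAX:
        raise ValueError("RDATA exceeds the DNS RDATA size limit")
    return CertRecord(owner, type_code, int(tag), int(alg), rdata)


@dataclass
class IpgpPointer:
    fingerprint: bytes   # empty when the record has no fingerprint
    url: str             # empty when the record has no URL


def decode_ipgp(rdata: bytes) -> IpgpPointer:
    """RFC 4398 2.1: one octet fingerprint length (0..20), the fingerprint,
    then any remaining octets are a UTF-8 URL."""
    if not rdata:
        raise ValueError("empty IPGP RDATA")
    n = rdata[0]
    if n > 20 or len(rdata) < 1 + n:
        raise ValueError("bad IPGP fingerprint length")
    return IpgpPointer(rdata[1:1 + n], rdata[1 + n:].decode("utf-8"))


def plan_key_fetch(records: List[CertRecord], keyserver: Optional[str],
                   prefer_pgp: bool = True) -> Tuple[str, str]:
    """Decide how to obtain the key from the *whole* answer set, so that
    round-robin ordering of the records cannot flip the outcome."""
    pgp = [r for r in records if r.cert_type == CERT_TYPE_PGP]
    ipgp = [r for r in records if r.cert_type == CERT_TYPE_IPGP]
    need_keyserver = False

    def from_pgp():
        for r in pgp:
            if len(r.rdata) <= GNUPG_DNS_KEY_MAX:   # too big: skip, try IPGP
                return ("import-inline", f"{len(r.rdata)}-byte OpenPGP blob from {r.owner}")
        return None

    def from_ipgp():
        nonlocal need_keyserver
        for r in ipgp:
            ptr = decode_ipgp(r.rdata)
            if ptr.url:
                return ("fetch-url", ptr.url)
            if ptr.fingerprint and keyserver:
                return ("fetch-keyserver", f"{keyserver} 0x{ptr.fingerprint.hex().upper()}")
            if ptr.fingerprint:          # fingerprint only: needs --keyserver
                need_keyserver = True
        return None

    for step in ((from_pgp, from_ipgp) if prefer_pgp else (from_ipgp, from_pgp)):
        plan = step()
        if plan:
            return plan
    if need_keyserver:
        raise LookupError("IPGP record carries only a fingerprint; "
                          "a --keyserver is needed to fetch the key")
    raise LookupError("no usable CERT record in the answer set")


# The IPGP line is the record shown in the thread (without the "} " prompt
# prefix).  The PGP line carries a constructed placeholder payload because
# the thread's real key data is truncated.
SAMPLE_IPGP_LINE = "peter.palfrader.org.    43200   IN      CERT    6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/"
SAMPLE_PGP_LINE = ("peter.palfrader.org.    43200   IN      CERT    PGP 0 0 "
                   + base64.b64encode(b"constructed placeholder, not an OpenPGP key").decode())

if __name__ == "__main__":
    recs = [parse_cert_rr(SAMPLE_IPGP_LINE), parse_cert_rr(SAMPLE_PGP_LINE)]
    print("IPGP fingerprint:", decode_ipgp(recs[0].rdata).fingerprint.hex())
    print("both records, no keyserver:", plan_key_fetch(recs, None))
    print("IPGP only, keyserver set:", plan_key_fetch(recs[:1], "hkp://keyserver.example"))
```

Running it shows the point Peter raised: with only the IPGP record and no keyserver configured, `plan_key_fetch` raises a `LookupError` naming the missing `--keyserver` rather than failing silently, and with both records present the decision is the same whichever record the resolver returns first.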
