dns cert support

David Shaw dshaw at jabberwocky.com
Wed Apr 5 16:52:39 CEST 2006


On Wed, Apr 05, 2006 at 03:18:31PM +0200, Peter Palfrader wrote:
> On Wed, 05 Apr 2006, David Shaw wrote:
> 
> > On Wed, Apr 05, 2006 at 12:30:42PM +0200, Peter Palfrader wrote:
> > 
> > > I notice that if I have both, an IPGP and a PGP CERT RR that GnuPG fails
> > > to import the key some of the time:
> > 
> > [..]
> > 
> > > } ;; ANSWER SECTION:
> > > } peter.palfrader.org.    43200   IN      CERT    6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/
> > > } peter.palfrader.org.    43200   IN      CERT    PGP 0 0 mQGiBDgp0YcRBACN9s8EycXRsu9ym3Sjou1N.....
> > > 
> > > Is having them both not supported or is there a bug somewhere?
> > 
> > At the moment, GnuPG will take whichever it sees first (the PGP or the
> > IPGP, but not both).  So given round robining, if you have both, it
> > will seem to flip back and forth between the two.  I'm thinking about
> > having GPG favor one or the other in these cases (probably PGP since
> > if it has already fetched the whole key, it may as well import it
> > rather than go to a web page or keyserver somewhere).
> 
> On the other hand the key that is fetched via DNS has serious size
> constraints - DNS limits the RDATA to 64k and I think GnuPG further
> limits this to 16k.  In my case I have significantly stripped down my
> key in order to store it in DNS, so maybe going to the keyserver or the
> location specified in IPGP might be a good idea.

Certainly the CERT PGP type has size restrictions, but I think that's
fine: I don't really see the CERT PGP type as a repository for whole
keys with dozens of signatures like on a keyserver.  Rather, it's a
place to store minimal (via export-minimal) keys.  Once this "seed"
key is gotten via CERT PGP, it can be fleshed out via a keyserver or
preferred keyserver subpacket on the key itself.

The GnuPG 16k max-cert-size is changeable, by the way:

  --keyserver-options max-cert-size=65536

16k was a bit of a guess as to a good value since CERT is so new.

Whether to favor CERT PGP or CERT IPGP is one of those things where a
reasonable case can be made for either path.  It depends on what
you're using CERT for: if you were using CERT in a PKA-like scheme,
you'd want CERT PGP to get the answer as fast as possible, while if
you were using CERT as an automatic key locator you'd probably want
CERT IPGP to get all the signatures.

> > The reason it is not fetching from the IPGP record you have there is
> > there is only a fingerprint, and you must have a --keyserver defined
> > for it to fetch the fingerprint from in that case.  Do you have a
> > --keyserver defined?
> 
> Ah, now that I do it works nicely.  Thanks!  Maybe gpg should say that
> it wants to have a keyserver in this case?

Yes, I think it should.  Note that you could make your IPGP contain
both a fingerprint and a URL - that way you get to specify where the
user will fetch your key from (it may not exist in the manner you
desire on their particular keyserver).

David
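As an added example (my code, not GnuPG's or anything from this thread), here is a small Python model of the behaviour discussed above: it parses CERT records in zone-file presentation form, decodes the IPGP fingerprint/URL field, and applies a fixed PGP-versus-IPGP preference together with the max-cert-size and --keyserver checks. The fingerprint-only IPGP record is the one quoted in the thread; the PGP record and the URL-bearing IPGP record are constructed placeholders, and the selection policy is a sketch of what David describes, not GnuPG's actual logic.

```python
import base64
# Added example, not GnuPG's code: parse CERT RRs in RFC 4398 presentation form
# (type key-tag algorithm base64) and apply the thread's PGP/IPGP preference policy.
CERT_PGP, CERT_IPGP = 3, 6              # RFC 4398 type values for PGP / IPGP
MNEMONICS = {"PGP": CERT_PGP, "IPGP": CERT_IPGP}
MAX_CERT_SIZE = 16 * 1024               # GnuPG's default max-cert-size (16k)

def parse_cert_rr(line):
    """'<owner> <ttl> IN CERT <type> <key-tag> <alg> <base64...>' ->
    (type, key_tag, algorithm, rdata_bytes)."""
    f = line.split()
    i = f.index("CERT")
    ctype = MNEMONICS.get(f[i + 1]) or int(f[i + 1])
    data = base64.b64decode("".join(f[i + 4:]))   # base64 may be whitespace-split
    return ctype, int(f[i + 2]), int(f[i + 3]), data

def parse_ipgp(data):
    """IPGP certificate field: 1-byte fingerprint length, fingerprint
    (0-20 octets), then the URL as the remainder (may be empty)."""
    fp_len = data[0]
    if fp_len > 20 or len(data) < 1 + fp_len:
        raise ValueError("malformed IPGP certificate field")
    return data[1:1 + fp_len].hex().upper(), data[1 + fp_len:].decode("ascii")

def select_key_source(lines, keyserver=None, prefer_pgp=True,
                      max_cert_size=MAX_CERT_SIZE):
    """Return (action, detail) for the first usable record in preference order."""
    order = [CERT_PGP, CERT_IPGP] if prefer_pgp else [CERT_IPGP, CERT_PGP]
    rrs = sorted((parse_cert_rr(l) for l in lines),
                 key=lambda r: order.index(r[0]) if r[0] in order else len(order))
    for ctype, _tag, _alg, data in rrs:
        if ctype == CERT_PGP and len(data) <= max_cert_size:
            return ("import", data)          # seed key already fetched: import it
        if ctype == CERT_IPGP:
            fpr, url = parse_ipgp(data)
            if url:
                return ("fetch_url", url)    # owner said where to fetch the key
            if keyserver:
                return ("fetch_keyserver", fpr)
            # fingerprint only and no --keyserver: nothing to fetch from
    return ("none", "")

# Sample input: the IPGP record quoted in the thread, plus a constructed PGP
# record and a constructed IPGP record with a URL (placeholders, not real keys).
IPGP_FPR_ONLY = "peter.palfrader.org. 43200 IN CERT 6 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/"
PGP_SEED = ("example.org. 3600 IN CERT PGP 0 0 "
            + base64.b64encode(b"<constructed, not an OpenPGP packet>").decode())
IPGP_WITH_URL = ("example.org. 3600 IN CERT IPGP 0 0 " + base64.b64encode(
    bytes([20]) + bytes(range(20)) + b"https://keys.example.org/key.asc").decode())
```

Decoding the quoted IPGP record shows a 20-byte fingerprint and an empty URL, which is exactly why GnuPG needs a --keyserver to do anything with it.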