A lot of questions about CERT, PKA and make-dns-cert

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Oct 16 03:37:08 CEST 2009


I'm in the process of writing a blog entry about the PKA and CERT methods. 
A couple people have written them a long time ago, and I'd like to bring 
some of the info up to date. (If this is better asked on gnupg-dev, let me know).

For starters:

1) Currently the only tool that can generate a CERT record, make-dns-cert, 
is not built or packaged by default under any OS I've found (I've tried 
FreeBSD and ubuntu).  It has no documentation, no examples, and only a 
terse 4-line usage summary.  I've also seen a few bugs reported with it, 
that I don't know if they're fixed, such as not handling whitespace in the 
key fingerprint properly.

2) I realize this is a fringe feature, but other than a few scattered blog 
posts that reference each other, some of which are written by gnupg 
developers, info on these methods is HARD TO FIND. There's nothing in the 
docs/faq about this, at all.  I think adoption would be much more 
widespread if this were a faq-able item.  It's mentioned once in the 
manpage, once in the default gnupg.conf, and that's really it.  If you 
document it, people will use it (and with Thawte dropping personal 
freemail certs lately, this is something you want).

3) As far as I know, PKA isn't standardized in any RFC.  Has this been 
changed?  I saw mention of applying to IANA for its own typecode.  Is 
there a list somewhere of what URI types are supported?  I saw talk of it 
not supporting HTTP 1.1, but that may be fixed with curl.

Of the two methods, I tend to actually prefer PKA because it lets me 
delegate _pka.example.com to its own sub-zone, whereas CERT records must 
be inserted into the main zone.

4) Try though I might, I can't seem to get my full-key in CERT format to 
recognize.  I am not sure if this is because my key is "complicated" (i.e. 
it has subkeys), because the cert is not under my primary uid, or because 
I just plain exported it wrong.

I'm running:

echo foo | gpg -v -v --auto-key-locate cert --recipient gushi@gushi.org --encrypt -a

And get: gpg: error retrieving `gushi@gushi.org' via DNS CERT: No fingerprint

I exported my key with:

gpg --export --export-options minimal > file
make-dns-cert -n gushi.gushi.org -f file

It's still live if anyone wants to try.

5) Finally, the quality of records being generated, while consistent with 
RFC 3597, leaves them as a real bear to manage and import.  If you're 
going to export them in hex, could we please also get whitespace so we can 
get this into an editor easily?  Ideally, the things would just be base64 
encoded, in accordance with RFC 4398.

Most versions of BIND 9 understand the CERT record, with base64 
representation, and numeric typecodes.  BIND 9.6 understands the PGP type 
value mnemonic but not IPGP.  BIND 9.7 understands IPGP.

What would be really, really cool, is step by step instructions for 
exporting, or hell, let gpg generate these records, the way ssh-keygen 
generates SSHFP records.

Those are my thoughts.



--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
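As an added example (not code from the post, and not GnuPG's make-dns-cert), the script below does what points 4 and 5 ask for: it takes the binary blob that `gpg --export` writes, computes the v4 fingerprint of the primary key from the first packet, and emits both a type PGP CERT record (the whole key) and a type IPGP CERT record (fingerprint plus URL) in the base64 presentation format of RFC 4398, as well as the RFC 3597 `TYPE37 \#` hex form for zone parsers that lack the IPGP mnemonic (BIND 9.6 per the post). It also parses both forms back, so a record can be checked before it is published, and it strips whitespace from a pasted `gpg --fingerprint` string (the make-dns-cert bug mentioned in point 1). The owner name `test.example.org.`, the URL `https://example.org/key.asc` and the dummy key blob are assumptions constructed for the demo; the blob is not a real key.

```python
"""Build and check DNS CERT records (RFC 4398) for an OpenPGP key.

Added example, not GnuPG's make-dns-cert.  Emits the base64 presentation
form (CERT PGP / CERT IPGP) and the RFC 3597 generic form (TYPE37 \\# ...)
and parses both back for checking."""
import base64
import hashlib
import struct

CERT_TYPE = 37  # RR type number of CERT
# Certificate type mnemonics from RFC 4398 section 2.1
MNEMONIC = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
            "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}


def packet(data, offset=0):
    """Return (tag, body, next_offset) of the OpenPGP packet at offset.

    Handles old- and new-format headers (RFC 4880 4.2); partial-body and
    indeterminate lengths are rejected since exported keys never use them."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                       # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body length not supported")
    else:                                # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)           # 1, 2 or 4 length octets
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def v4_fingerprint(key_blob):
    """SHA-1 fingerprint of the primary key (RFC 4880 12.2): hash of 0x99,
    the two-octet body length and the public-key packet body."""
    tag, body, _ = packet(key_blob)
    if tag != 6 or body[0] != 4:
        raise ValueError("blob must start with a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def normalize_fingerprint(text):
    """Turn 'gpg --fingerprint' output, spaces and all, into 20 raw octets."""
    hexstr = "".join(text.split())
    if len(hexstr) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return bytes.fromhex(hexstr)


def ipgp_payload(fingerprint, url):
    """IPGP certificate field: one-octet fingerprint length, fingerprint, URL."""
    return bytes([len(fingerprint)]) + fingerprint + url.encode("ascii")


def presentation(owner, cert_type, payload):
    """RFC 4398 zone-file form; key tag and algorithm are 0 for PGP and IPGP."""
    name = {v: k for k, v in MNEMONIC.items()}[cert_type]
    return "%s IN CERT %s 0 0 %s" % (owner, name, base64.b64encode(payload).decode())


def generic(owner, cert_type, payload):
    """RFC 3597 form: whole RDATA (type, key tag, algorithm, payload) as hex."""
    rdata = struct.pack(">HHB", cert_type, 0, 0) + payload
    return "%s IN TYPE%d \\# %d %s" % (owner, CERT_TYPE, len(rdata), rdata.hex())


def parse(line):
    """Parse either form back to (owner, cert_type, key_tag, algorithm, payload)."""
    f = line.split()
    i = next((i for i, t in enumerate(f) if t in ("CERT", "TYPE%d" % CERT_TYPE)), None)
    if i is None:
        raise ValueError("not a CERT record")
    if f[i] == "CERT":
        ctype = MNEMONIC.get(f[i + 1]) or int(f[i + 1])
        return f[0], ctype, int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))
    if f[i + 1] != "\\#":
        raise ValueError("generic form needs the \\# token")
    rdata = bytes.fromhex("".join(f[i + 3:]))
    if len(rdata) != int(f[i + 2]):
        raise ValueError("RFC 3597 length does not match the hex data")
    ctype, tag, alg = struct.unpack(">HHB", rdata[:5])
    return f[0], ctype, tag, alg, rdata[5:]


def split_ipgp(payload):
    """Split an IPGP payload into (fingerprint, url)."""
    n = payload[0]
    return payload[1:1 + n], payload[1 + n:].decode("ascii")


# Constructed dummy key blob for the demo (NOT a real key): a v4 RSA public-key
# packet with a 24-bit modulus, then a user ID packet, both old-format headers.
SAMPLE_KEY = (b"\x98\x10" b"\x04" b"\x00\x00\x00\x00" b"\x01"
              b"\x00\x18\xc0\xff\xee" b"\x00\x11\x01\x00\x01"
              b"\xb4\x10" b"test@example.org")

if __name__ == "__main__":
    # Hypothetical owner name and key URL; for a real key use open(path, "rb").read()
    fpr = v4_fingerprint(SAMPLE_KEY)
    ipgp = ipgp_payload(fpr, "https://example.org/key.asc")
    print(presentation("test.example.org.", MNEMONIC["PGP"], SAMPLE_KEY))
    print(presentation("test.example.org.", MNEMONIC["IPGP"], ipgp))
    print(generic("test.example.org.", MNEMONIC["IPGP"], ipgp))
```

Feed it the output of `gpg --export <keyid>` for one key rather than the whole keyring: the fingerprint is taken from the first packet, so a blob holding several keys would silently describe only the first. The generic form is what make-dns-cert produces today, minus the whitespace problem, and `parse()` checks that the RFC 3597 length octet count matches the hex it precedes before anything is trusted.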
