A lot of questions about CERT, PKA and make-dns-cert
dshaw at jabberwocky.com
Wed Oct 21 06:17:06 CEST 2009
On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote:
> On Thu, 15 Oct 2009, David Shaw wrote:
>> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>>> I'm running:
>>> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org
>>> --encrypt -a
>>> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No
>>> I exported my key with:
>>> gpg --export --export-options minimal > file; and make-dns-cert -n
>>> gushi.gushi.org -f file
>> It works fine for me. What version of GPG are you using?
> I tried this again, after I nuked the "fingerprint" cert record.
> Oddly, running on gpg2 on an older debian system, I get:
> # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gushi at gushi.org
> gpg: no keyserver known (use option --keyserver)
> gpg: error retrieving `gushi at gushi.org' via DNS CERT: General error
> gpg: gushi at gushi.org: skipped: General error
> gpg: [stdin]: encryption failed: General error
> That first line specifically makes me scratch my head a bit.
You didn't give an actual version number (run gpg2 --version), so I
can only make an educated guess, but I do think I see your problem.

You don't have one key in your CERT - you have two (309C17C5 and
624BB249) combined into one DNS record. That doesn't work - it's a
one-name-one-key mapping. We should give a better error message in

Can you try again with a single key in your CERT? Alternately, if you
want both of your keys, you could use 2 different CERT records for the
gushi.gushi.org. name, each with one of your keys (rather than 1 CERT
record with a payload containing two keys). Note that this will
usually result in round-robining for those people who don't have your
key, which may or may not be what you want.

At least using gpg 2.0.13, and a single key in the CERT, this works
properly for me. I can't speak for an earlier version.

All of that said, I think it's worth pointing out that IPGP (the
fingerprint+URL variation of CERT) is far more useful than PGP (the
full key). Not all systems are going to be able to pass a 1718-byte
DNS message, as yours is.
> I suspect strongly that this feature doesn't get the most broad
> platform testing. Let me know if you'd like to help.
Please do! More testing is always welcome.
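As an added illustration of the two points made in the reply above (one CERT record holds exactly one key, and a full-key PGP record can outgrow what plain UDP DNS carries), the following Python is example code written for this page; it is not GnuPG or make-dns-cert code. It parses OpenPGP packet headers per RFC 4880 to count primary keys in an exported blob, builds CERT RDATA for the PGP (type 3) and IPGP (type 6) variants per RFC 4398, and reports the conditions the thread describes. The key bodies, user IDs and the https://example.org/key.asc URL are constructed placeholders, not real keys; the zero key-tag and algorithm fields are this example's choice, since OpenPGP keys carry no DNSSEC algorithm number.

```python
"""Build and sanity-check DNS CERT records that carry OpenPGP keys (RFC 4398)."""
import hashlib
import struct

CERT_PGP = 3             # RFC 4398: whole OpenPGP transferable public key in the record
CERT_IPGP = 6            # RFC 4398: fingerprint plus URL where the key can be fetched
PKT_PUBLIC_KEY = 6       # RFC 4880 tag of a primary public-key packet
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit without EDNS0


def iter_packets(blob):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 4.2, old and new headers)."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                      # new-format header, RFC 4880 4.2.2
            tag, first = ctb & 0x3F, blob[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + blob[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", blob[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header, RFC 4880 4.2.1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                  # indeterminate: body runs to the end
                length = len(blob) - i
            else:
                size = (1, 2, 4)[ltype]
                length, i = int.from_bytes(blob[i:i + size], "big"), i + size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        i += length
        yield tag, body


def count_primary_keys(blob):
    """How many keys an exported blob holds: one primary public-key packet each."""
    return sum(1 for tag, _ in iter_packets(blob) if tag == PKT_PUBLIC_KEY)


def v4_fingerprint(pubkey_body):
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet length and the key packet body."""
    data = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def build_cert_rdata(cert_type, certificate):
    """CERT RDATA: type, key tag, algorithm, certificate (RFC 4398 2.1).
    Key tag and algorithm are 0 here: OpenPGP keys have no DNSSEC algorithm number."""
    return struct.pack(">HHB", cert_type, 0, 0) + certificate


def build_ipgp_certificate(fingerprint_hex, url):
    """IPGP certificate field: one-octet fingerprint length, fingerprint, then URL."""
    fp = bytes.fromhex(fingerprint_hex)
    return bytes([len(fp)]) + fp + url.encode("ascii")


def check_pgp_cert(rdata):
    """Problems a PGP-type CERT record would cause, as discussed in the thread."""
    cert_type, _key_tag, _algorithm = struct.unpack(">HHB", rdata[:5])
    if cert_type != CERT_PGP:
        return ["not a PGP-type CERT (type %d)" % cert_type]
    problems = []
    n = count_primary_keys(rdata[5:])
    if n != 1:
        problems.append("payload holds %d primary keys; one name maps to one key" % n)
    if len(rdata) > CLASSIC_UDP_LIMIT:
        problems.append("RDATA is %d bytes; answers over %d need EDNS0 or TCP"
                        % (len(rdata), CLASSIC_UDP_LIMIT))
    return problems


def old_format_packet(tag, body):
    """Old-format header with a two-octet length (0x99 for a public-key packet)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def sample_key(seed):
    """Constructed stand-in for `gpg --export --export-options minimal` output.
    Placeholder bytes only: not a real key, user ID or signature."""
    pub = old_format_packet(PKT_PUBLIC_KEY, b"\x04" + bytes([seed]) * 40)
    uid = old_format_packet(13, b"user%d@example.org" % seed)     # tag 13: user ID
    sig = old_format_packet(2, bytes([seed ^ 0xFF]) * 16)          # tag 2: signature
    return pub + uid + sig


if __name__ == "__main__":
    one = build_cert_rdata(CERT_PGP, sample_key(1))
    two = build_cert_rdata(CERT_PGP, sample_key(1) + sample_key(2))
    print("one key :", check_pgp_cert(one) or "ok")
    print("two keys:", check_pgp_cert(two))
    pub_body = next(b for t, b in iter_packets(sample_key(1)) if t == PKT_PUBLIC_KEY)
    ipgp = build_cert_rdata(CERT_IPGP, build_ipgp_certificate(
        v4_fingerprint(pub_body), "https://example.org/key.asc"))
    print("IPGP RDATA is %d bytes vs %d for the full key" % (len(ipgp), len(one)))
```

Run against a real `gpg --export --export-options minimal` file, `count_primary_keys` tells you whether you accidentally exported two keys into one record, and `check_pgp_cert` flags a payload that will not fit a classic 512-byte UDP answer; the IPGP path shows how small the fingerprint-plus-URL record is by comparison.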