A lot of questions about CERT, PKA and make-dns-cert

David Shaw dshaw at jabberwocky.com
Wed Oct 21 06:17:06 CEST 2009

On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote:

> On Thu, 15 Oct 2009, David Shaw wrote:
>> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>>> I'm running:
>>> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org --encrypt -a
>>> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No fingerprint
>>> I exported my key with:
>>> gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file
>> It works fine for me.  What version of GPG are you using?
> I tried this again, after I nuked the "fingerprint" cert record.
> Oddly, running on gpg2 on an older debian system, I get:
> # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gushi at gushi.org
> gpg: no keyserver known (use option --keyserver)
> gpg: error retrieving `gushi at gushi.org' via DNS CERT: General error
> gpg: gushi at gushi.org: skipped: General error
> gpg: [stdin]: encryption failed: General error
> That first line specifically makes me scratch my head a bit.

You didn't give an actual version number (run gpg2 --version), so I  
can only make an educated guess, but I do think I see your problem.   
You don't have one key in your CERT - you have two (309C17C5 and  
624BB249) combined into one DNS record.  That doesn't work - it's a  
one-name-one-key mapping.  We should give a better error message in  
this case.

Can you try again with a single key in your CERT?  Alternately, if you  
want both of your keys, you could use 2 different CERT records for the  
gushi.gushi.org. name, each with one of your keys (rather than 1 CERT  
record with a payload containing two keys).  Note that this will  
usually result in round-robining for those people who don't have your  
key, which may or may not be what you want.

At least using gpg 2.0.13, and a single key in the CERT, this works  
properly for me.  I can't speak for an earlier version.

All of that said, I think it's worth pointing out that IPGP (the  
fingerprint+URL variation of CERT) is far more useful than PGP (the  
full key).  Not all systems are going to be able to pass a 1718-byte  
DNS message, as yours is.

> I suspect strongly that this feature doesn't get the most broad  
> platform testing.  Let me know if you'd like to help.

Please do!  More testing is always welcome.
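An added example, not from this thread or from GnuPG: a small parser for CERT RDATA (RFC 4398 layout) that checks the two points David raises, a PGP-type record whose payload carries more than one OpenPGP public key, and a record too large for a classic 512-byte DNS/UDP message. It also decodes the fingerprint+URL form of an IPGP record. The sample records and key material at the bottom are constructed, not real keys.

```python
CERT_PGP, CERT_IPGP = 3, 6   # RFC 4398 certificate type codes
MAX_UDP = 512                # classic DNS/UDP message limit without EDNS0

def openpgp_packet_tags(blob):
    """Yield the tag of each OpenPGP packet in blob (RFC 4880 packet headers)."""
    i = 0
    while i < len(blob):
        hdr = blob[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % (i - 1))
        if hdr & 0x40:                                   # new-format header
            tag, b = hdr & 0x3F, blob[i]; i += 1
            if b < 192:
                length = b
            elif b < 224:
                length = ((b - 192) << 8) + blob[i] + 192; i += 1
            elif b == 255:
                length = int.from_bytes(blob[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[i:i + size], "big"); i += size
        yield tag
        i += length                                      # skip the packet body

def check_cert_rdata(rdata):
    """Parse CERT RDATA: type(2) key-tag(2) algorithm(1) certificate.
    Returns (type, detail, warnings); detail is the public-key count for
    PGP records or (fingerprint_hex, url) for IPGP records."""
    ctype, body, warnings = int.from_bytes(rdata[:2], "big"), rdata[5:], []
    if len(rdata) > MAX_UDP:
        warnings.append("RDATA is %d bytes; needs EDNS0 or TCP to transfer" % len(rdata))
    if ctype == CERT_PGP:
        keys = sum(1 for t in openpgp_packet_tags(body) if t == 6)  # tag 6 = public key
        if keys != 1:
            warnings.append("one-name-one-key violated: %d public keys in payload" % keys)
        return ctype, keys, warnings
    if ctype == CERT_IPGP:
        flen = body[0]       # fingerprint length, fingerprint bytes, then the URL
        return ctype, (body[1:1 + flen].hex().upper(), body[1 + flen:].decode("ascii")), warnings
    raise ValueError("unsupported CERT type %d" % ctype)
# Constructed samples (not real keys): 0x98 = old-format public-key packet, 0xB4 = user-ID packet.
FAKE_KEY = b"\x98\x03ABC" + b"\xb4\x04user"
CERT_ONE_KEY = b"\x00\x03\x00\x00\x00" + FAKE_KEY
CERT_TWO_KEYS = b"\x00\x03\x00\x00\x00" + FAKE_KEY * 2      # mimics the two-key record from the thread
CERT_IPGP_REC = b"\x00\x06\x00\x00\x00" + bytes([20]) + bytes(range(20)) + b"https://example.invalid/key.asc"
```

Running `check_cert_rdata` over the three constructed records flags only the two-key one, which is the situation the reply diagnoses.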
