Howto For DNS Key publishing.

Dan Mahoney, System Admin danm at
Fri Oct 30 10:31:23 CET 2009

On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:

> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin <danm at> wrote:
>> All,
>> I've written a pretty conclusive howto on how to publish keys in DNS,
>> including detailing the advantages and disadvantages of each method, with
>> full examples, details on testing, and real-world output.
>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>> easily available to people who don't have the source, but who installed via
>> a binary package (that's most people), including comments, cleaner record
>> handling, auto-fingerprinting, etc.  One command, three arguments, and you
>> get all three record types.
>> I cited credit where possible, but if I missed your name, let me know.
>> Suggestions, feedback, requests, corrections, are all welcome.
>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>> thing to my webpage during a revamp.
>> Regards,
>> -Dan Mahoney
>    Hello!
>    Nice tutorial! I've tried to apply your methods (for now I'm just
> at the PKA method).
>    But it seems that there is a problem with the auto-key-locate option.
> For example, for the following command:
> ~~~~
>        mkdir /tmp/gpg-test
>        gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian at --encrypt /dev/null
> ~~~~
>    it gives me the following error:
> ~~~~
> gpg: requesting key A6FD8839 from http server
> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
> gpg: key A6FD8839: public key "Ciprian Dorin Craciun <ciprian at>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: error retrieving `ciprian at' via PKA: Unusable public key
> gpg: ciprian at skipped: No public key
> gpg: /dev/null: encryption failed: No public key
> ~~~~
>    Now, searching on the net for a solution, I've stumbled upon the
> following thread:
>    It seems that there was a bug in GnuPG. So the question is:
>    * am I doing something wrong?
>    * or is the bug still present in GnuPG?
>    Thanks,
>    Ciprian.

Okay, so here's what I've learned.  I've manually retrieved your key, and 
imported it manually to my machine with gpg --import < file

And I then get this:

dmahoney at dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r ciprian at
gpg: ciprian at skipped: unusable public key
gpg: [stdin]: encryption failed: unusable public key

So it's not the PKA record.  Upon examining it a little further, I see 

dmahoney at dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian at
pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
uid                  Ciprian Dorin Craciun <ciprian at>
uid                  Ciprian Dorin Craciun <ccraciun at>
uid                  Ciprian Dorin Craciun <ciprian.craciun at>
uid                  Ciprian Dorin Craciun <ccraciun at>

dmahoney at dmahoney-laptop:~/Desktop$ gpg <ciprian at
pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian at>
uid                            Ciprian Dorin Craciun <ccraciun at>
uid                            Ciprian Dorin Craciun <ciprian.craciun at>
uid                            Ciprian Dorin Craciun <ccraciun at>
sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]

Looks like your subkey that I'd use to encrypt to you has expired, and 
thus my GPG didn't import it.


"Man, this is such a trip"

-Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
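As an added example (not code from this thread or from GnuPG), here is a Python check for the failure Dan diagnoses: it parses the machine-readable `gpg --with-colons --list-keys` listing and reports whether any encryption-capable key on it is still unexpired and unrevoked on a given date. The sample listing is constructed to mirror the key ids and dates shown above (with a placeholder address); the assumed colon-format layout is key id in field 5, creation in field 6, expiry in field 7 and capabilities in field 12.

```python
"""Report whether a listed key has a usable encryption subkey (added example)."""
from datetime import date, datetime, timezone

# Constructed sample of `gpg --with-colons --list-keys` output. Key ids, sizes,
# algorithms (17 = DSA, 16 = ElGamal) and dates mirror the key in the thread;
# the e-mail address is a placeholder. Dates are epoch seconds as modern gpg
# prints them: 2008-10-19, 2009-11-21 (primary) and 2009-10-19 (subkey).
SAMPLE = """\
pub:e:3072:17:A6FD8839:1224374400:1258761600::-:::scESC::::::
uid:e::::1224374400::0000000000000000000000000000000000000000::Ciprian Dorin Craciun <ciprian@example.invalid>::::::::::
sub:e:4096:16:15F68B01:1224374400:1255910400:::::e::::::
"""


def _parse_date(raw):
    """Empty field means 'never expires'; otherwise epoch seconds (gpg 2.x)
    or YYYY-MM-DD (older gpg 1.x output)."""
    if not raw:
        return None
    if raw.isdigit():
        return datetime.fromtimestamp(int(raw), tz=timezone.utc).date()
    return date.fromisoformat(raw[:10])


def encryption_keys(listing):
    """Return every pub/sub record whose own capabilities include 'e'."""
    found = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        caps = f[11] if len(f) > 11 else ""
        if "e" not in caps:  # lowercase e: this key itself can encrypt
            continue
        found.append({"keyid": f[4], "revoked": f[1] == "r",
                      "expires": _parse_date(f[6])})
    return found


def usable_encryption_keyids(listing, today=None):
    """Key ids gpg could still encrypt to on `today` (default: now, UTC)."""
    today = today or datetime.now(timezone.utc).date()
    return [k["keyid"] for k in encryption_keys(listing)
            if not k["revoked"] and (k["expires"] is None or k["expires"] > today)]


def explain(listing, today=None):
    usable = usable_encryption_keyids(listing, today)
    if usable:
        return "usable encryption key(s): " + ", ".join(usable)
    return "no usable encryption subkey: gpg will report 'unusable public key'"


if __name__ == "__main__":
    print(explain(SAMPLE, date(2009, 10, 30)))  # the date of Dan's reply
```

Run against a real listing with `gpg --with-colons --list-keys <uid> | python3 check.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; the subkey line is the one that matters, since the primary DSA key cannot encrypt at all.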
