Howto For DNS Key publishing.
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Oct 30 10:31:23 CET 2009
On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:
> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
> <danm at prime.gushi.org> wrote:
>> All,
>>
>> I've written a pretty conclusive howto on how to publish keys in DNS,
>> including detailing the advantages and disadvantages of each method, with
>> full examples, details on testing, and real-world output.
>>
>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>> easily available to people who don't have the source, but who installed via
>> a binary package (that's most people), including comments, cleaner record
>> handling, auto-fingerprinting, etc. One command, three arguments, and you
>> get all three record types.
>>
>> I cited credit where possible, but if I missed your name, let me know.
>>
>> Suggestions, feedback, requests, corrections, are all welcome.
>>
>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>> thing to my webpage during a revamp.
>>
>> http://gushi.livejournal.com/524199.html
>>
>> Regards,
>>
>> -Dan Mahoney
>
> Hello!
>
> Nice tutorial! I've tried to apply your methods (for now I'm just
> at the PKA method).
>
> But it seems that there is a problem with auto-key-locate option.
> For example for the following command:
> ~~~~
> mkdir /tmp/gpg-test
> gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient
> ciprian at volution.ro --encrypt /dev/null
> ~~~~
>
> it gives me the following error:
> ~~~~
> gpg: requesting key A6FD8839 from http server stores.volution.ro
> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
> gpg: key A6FD8839: public key "Ciprian Dorin Craciun
> <ciprian at volution.ro>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: error retrieving `ciprian at volution.ro' via PKA: Unusable public key
> gpg: ciprian at volution.ro: skipped: No public key
> gpg: /dev/null: encryption failed: No public key
> ~~~~
>
> Now, searching on the net for a solution, I've stumbled upon the
> following thread:
> http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>
> It seems that there was a bug in GnuPG. So the question is:
> * am I doing something wrong?
> * or is the bug still present in GnuPG?
>
> Thanks,
> Ciprian.
Okay, so here's what I've learned. I've manually retrieved your key, and
imported it manually to my machine with gpg --import < file
And I then get this:
dmahoney at dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r
ciprian at volution.ro
gpg: ciprian at volution.ro: skipped: unusable public key
gpg: [stdin]: encryption failed: unusable public key
So it's not the PKA record. Upon examining it a little further, I see
this:
dmahoney at dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian at volution.ro
pub 3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
uid Ciprian Dorin Craciun <ciprian at volution.ro>
uid Ciprian Dorin Craciun <ccraciun at cci.uvt.ro>
uid Ciprian Dorin Craciun <ciprian.craciun at gmail.com>
uid Ciprian Dorin Craciun <ccraciun at info.uvt.ro>
dmahoney at dmahoney-laptop:~/Desktop$ gpg <ciprian at volution.ro.pub.gpg
pub 3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian at volution.ro>
uid Ciprian Dorin Craciun <ccraciun at cci.uvt.ro>
uid Ciprian Dorin Craciun
<ciprian.craciun at gmail.com>
uid Ciprian Dorin Craciun
<ccraciun at info.uvt.ro>
sub 4096g/15F68B01 2008-10-19 [expires: 2009-10-19]
Looks like your subkey that I'd use to encrypt to you has expired, and
thus my GPG didn't import it.
--
"Man, this is such a trip"
-Dan Mahoney, October 25, 1997
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
More information about the Gnupg-users
mailing list