Howto For DNS Key publishing.

Ciprian Dorin, Craciun ciprian.craciun at gmail.com
Fri Oct 30 10:55:55 CET 2009


On Fri, Oct 30, 2009 at 11:31 AM, Dan Mahoney, System Admin
<danm at prime.gushi.org> wrote:
> On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:
>
>> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
>> <danm at prime.gushi.org> wrote:
>>>
>>> All,
>>>
>>> I've written a pretty conclusive howto on how to publish keys in DNS,
>>> including detailing the advantages and disadvantages of each method, with
>>> full examples, details on testing, and real-world output.
>>>
>>> I've also re-implemented make-dns-cert as a shell script, so that it's
>>> more
>>> easily available to people who don't have the source, but who installed
>>> via
>>> a binary package (that's most people), including comments, cleaner record
>>> handling, auto-fingerprinting, etc.  One command, three arguments, and
>>> you
>>> get all three record types.
>>>
>>> I cited credit where possible, but if I missed your name, let me know.
>>>
>>> Suggestions, feedback, requests, corrections, are all welcome.
>>>
>>> Initial publishing is to my livejournal, but I'm planning to wrap the
>>> whole
>>> thing to my webpage during a revamp.
>>>
>>> http://gushi.livejournal.com/524199.html
>>>
>>> Regards,
>>>
>>> -Dan Mahoney
>>
>>   Hello!
>>
>>   Nice tutorial! I've tried to apply your methods (for now I'm just
>> at the PKA method).
>>
>>   But it seems that there is a problem with the auto-key-locate option.
>> For example, for the following command:
>> ~~~~
>>       mkdir /tmp/gpg-test
>>       gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient
>> ciprian at volution.ro --encrypt /dev/null
>> ~~~~
>>
>>   it gives me the following error:
>> ~~~~
>> gpg: requesting key A6FD8839 from http server stores.volution.ro
>> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
>> gpg: key A6FD8839: public key "Ciprian Dorin Craciun
>> <ciprian at volution.ro>" imported
>> gpg: no ultimately trusted keys found
>> gpg: Total number processed: 1
>> gpg:               imported: 1
>> gpg: error retrieving `ciprian at volution.ro' via PKA: Unusable public key
>> gpg: ciprian at volution.ro: skipped: No public key
>> gpg: /dev/null: encryption failed: No public key
>> ~~~~
>>
>>   Now, searching on the net for a solution, I've stumbled upon the
>> following thread:
>>       http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>>
>>   It seems that there was a bug in GnuPG. So the question is:
>>   * am I doing something wrong?
>>   * or is the bug still present in GnuPG?
>>
>>   Thanks,
>>   Ciprian.
>
> Okay, so here's what I've learned.  I've manually retrieved your key, and
> imported it manually to my machine with gpg --import < file
>
> And I then get this:
>
> dmahoney at dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r
> ciprian at volution.ro
> gpg: ciprian at volution.ro: skipped: unusable public key
> gpg: [stdin]: encryption failed: unusable public key
>
> So it's not the PKA record.  Upon examining it a little further, I see this:
>
> dmahoney at dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian at volution.ro
> pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
> uid                  Ciprian Dorin Craciun <ciprian at volution.ro>
> uid                  Ciprian Dorin Craciun <ccraciun at cci.uvt.ro>
> uid                  Ciprian Dorin Craciun <ciprian.craciun at gmail.com>
> uid                  Ciprian Dorin Craciun <ccraciun at info.uvt.ro>
>
> dmahoney at dmahoney-laptop:~/Desktop$ gpg <ciprian at volution.ro.pub.gpg
> pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian at volution.ro>
> uid                            Ciprian Dorin Craciun <ccraciun at cci.uvt.ro>
> uid                            Ciprian Dorin Craciun
> <ciprian.craciun at gmail.com>
> uid                            Ciprian Dorin Craciun <ccraciun at info.uvt.ro>
> sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]
>
> Looks like your subkey that I'd use to encrypt to you has expired, and thus
> my GPG didn't import it.
>
> --
>
> "Man, this is such a trip"
>
> -Dan Mahoney, October 25, 1997


    Oops! Sorry!

    Yesterday evening I came upon the same conclusion and prolonged
the expiration date... (But I didn't connect the dots with my
report...)
    Sorry for wasting time! :)

    Anyway, good tutorial! Thanks!
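The failure diagnosed in this thread ("unusable public key" because the encryption subkey had expired while the primary key was still valid) is easy to miss in the human-readable listing. The script below is an added example and is not part of the thread or of GnuPG; it checks the machine-readable `gpg --with-colons --list-keys` output for encryption-capable keys and reports which of them are still usable at a given reference time. The field layout is assumed from GnuPG's doc/DETAILS (field 1 = record type, 5 = key id, 7 = expiry as seconds since the epoch in GnuPG 2.x, 12 = capabilities); the sample listing, the epoch values and the reference time are constructed by hand to mirror the key in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a key still has a usable
# encryption subkey at a given time, from `gpg --with-colons --list-keys` output.
# Field layout assumed from GnuPG's doc/DETAILS: 1=type, 5=keyid, 6=creation,
# 7=expiry (seconds since the epoch in GnuPG 2.x), 12=capabilities.

# Constructed sample listing, modelled on the key in the thread: DSA primary key
# A6FD8839 expiring 2009-11-21, ElGamal encryption subkey 15F68B01 expiring
# 2009-10-19 (dates converted to epoch seconds by hand).
SAMPLE_COLONS='pub:-:3072:17:A6FD8839:1224374400:1258848000::-:::scESC:
uid:-::::1224374400::::Ciprian Dorin Craciun <ciprian at volution.ro>:
sub:e:4096:16:15F68B01:1224374400:1255996800:::::e:'

# check_enc_keys NOW
#   Reads a colon-format listing on stdin and prints "<keyid> ok|expired|no-expiry"
#   for every key or subkey that carries the encrypt ("e") capability.  Exit status
#   is 0 if at least one encryption key is usable at time NOW (epoch seconds) and
#   the primary key itself has not expired, 1 otherwise.
check_enc_keys() {
    awk -F: -v now="$1" '
        # an expired primary key makes every subkey unusable as well
        $1 == "pub" && $7 != "" && $7 + 0 <= now + 0 { primary_expired = 1 }
        $1 == "pub" || $1 == "sub" {
            if (index($12, "e") == 0) next          # no encrypt capability
            if ($7 == "") { print $5 " no-expiry"; usable++; next }
            if ($7 + 0 > now + 0) { print $5 " ok"; usable++ }
            else print $5 " expired"
        }
        END { exit ((usable > 0 && !primary_expired) ? 0 : 1) }'
}

# Usage with a constructed reference time of 2009-10-30 (the date of this mail):
printf '%s\n' "$SAMPLE_COLONS" | check_enc_keys 1256947200 \
    && echo "a usable encryption key is present" \
    || echo "no usable encryption key: gpg will report 'unusable public key'"
```

Against a real keyring the listing comes from `gpg --with-colons --list-keys <address>` piped into `check_enc_keys "$(date +%s)"`; a non-zero exit means encryption to that address will fail exactly as in the thread, even though the primary key and its user ids still list as valid.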



More information about the Gnupg-users mailing list