pka-lookups and dnssec
wk at gnupg.org
Mon Dec 5 16:32:27 CET 2011
On Mon, 5 Dec 2011 15:30, gnupg at lists.grepular.com said:
> I then tried verifying the output from the above command, by piping it
> into this, using a gpg homedir that didn't contain my key:
> gpg --verify-options pka-lookups --verify
You may want to use:
gpg --verify-options pka-lookups,pka-trust-increase --verify
so that gpg returns full trust. Without that you need to evaluate the
PKA info yourself.
> gpg: Signature made Mon 05 Dec 2011 14:25:17 GMT using RSA key ID C1D1E704
> gpg: Can't check signature: No public key
> Where have I gone wrong?
I can't tell. What about posting such a signature or sending them in
> Yes, it displays that the key was retrieved using PKA. It doesn't
> however state that the PKA record was DNSSEC signed. Knowing that the
> fingerprint retrieved from the DNS was signed with DNSSEC is worthy of
I don't know how to do it using the standard API. In any case I would
not put too much weight into DNSSEC.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-users