pka-lookups and dnssec

Werner Koch wk at
Mon Dec 5 16:32:27 CET 2011

On Mon,  5 Dec 2011 15:30, gnupg at said:

> I then tried verifying the output from the above command, by piping it
> into this, using a gpg homedir that didn't contain my key:
> gpg --verify-options pka-lookups --verify

You may want to use:

  gpg --verify-options pka-lookups,pka-trust-increase --verify 

so that gpg returns full trust.  Without that you need to evaluate the
PKA info yourself.

> gpg: Signature made Mon 05 Dec 2011 14:25:17 GMT using RSA key ID C1D1E704
> gpg: Can't check signature: No public key
> Where have I gone wrong?

I can't tell.  What about posting such a signature or sending them in

> Yes, it displays that the key was retrieved using PKA. It doesn't
> however state that the PKA record was DNSSEC signed. Knowing that the
> fingerprint retrieved from the DNS was signed with DNSSEC is worthy of

I don't know how to do it using the standard API.  In any case I would
not put too much weight into DNSSEC.



Thoughts are free.  Exceptions are regulated by a federal law.
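Added example, not part of the original message: one way to "evaluate the PKA info yourself" is to read gpg's machine-readable status lines (`--status-fd`) and look for `VALIDSIG` together with `PKA_TRUST_GOOD` / `PKA_TRUST_BAD`. The function name `pka_verdict`, the verdict strings and the sample status lines (fingerprint, key ID, mailbox) are constructed for illustration.

```shell
#!/bin/sh
# Usage (assumed): ... | gpg --status-fd 1 --verify-options pka-lookups --verify 2>/dev/null | pka_verdict
# Reads gpg status lines on stdin, prints one verdict, and returns 0 only
# when the signature is valid AND the PKA check agreed for the mailbox.
pka_verdict() {
    sig=none pka=none mailbox=
    while IFS=' ' read -r tag keyword arg rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue      # skip human-readable lines
        case "$keyword" in
            VALIDSIG)       sig=valid ;;
            BADSIG|ERRSIG)  sig=bad ;;
            NO_PUBKEY)      [ "$sig" = valid ] || sig=nokey ;;
            PKA_TRUST_GOOD) pka=good; mailbox=$arg ;;
            PKA_TRUST_BAD)  pka=bad;  mailbox=$arg ;;
        esac
    done
    case "$sig/$pka" in
        valid/good) echo "valid pka-good $mailbox"; return 0 ;;
        valid/bad)  echo "valid pka-bad $mailbox" ;;
        valid/none) echo "valid pka-none" ;;     # no PKA result reported
        nokey/*)    echo "no-public-key" ;;      # the case quoted in this thread
        bad/*)      echo "bad-signature" ;;
        *)          echo "no-signature" ;;
    esac
    return 1
}

# Constructed sample status output (made-up fingerprint, key ID and mailbox).
sample_pka_good() {
    printf '%s\n' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.org>' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-12-05 1323095117' \
        '[GNUPG:] PKA_TRUST_GOOD alice@example.org' \
        '[GNUPG:] TRUST_UNDEFINED'
}
sample_pka_bad() {
    printf '%s\n' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-12-05 1323095117' \
        '[GNUPG:] PKA_TRUST_BAD alice@example.org'
}
sample_no_key() {
    printf '%s\n' \
        "gpg: Can't check signature: No public key" \
        '[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 00 1323095117 9' \
        '[GNUPG:] NO_PUBKEY 89ABCDEF01234567'
}
```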
