GnuPG 2.1: --auto-key-locate dane

Werner Koch wk at
Fri Nov 27 07:58:17 CET 2015

On Thu, 26 Nov 2015 23:00, mls at said:

> returns no key. So AFAIS the error is not at you or gpg, but at gmx.
> The OpenPGPKey-DNS-entry for my mail address works, if you like to test gpg.

Not for me:

  $ gpg --auto-key-locate clear,pka,dane,local -v --locate-key mls at dabpunkt.ue
  gpg: error retrieving 'mls at dabpunkt.ue' via PKA: Not found
  gpg: error retrieving 'mls at dabpunkt.ue' via DANE: Not found
  gpg: can't handle public key algorithm 105
  gpg: error retrieving 'mls at dabpunkt.ue' via Local: No public key
  gpg: key "mls at dabpunkt.ue" not found: No public key

This is the current version but there are no changes related to DANE
since 2.1.9.  I redacted your address in the above transcript (eu->ue).
A likely reason for the problem is a change of the algorithm from
SHA-224 to a truncated SHA-256 in one of the last OpenPGP drafts.

Use "gpg --print-dane-records -k mls at dabpunkt.ue" to output a suitable
DANE record.

Here is a working example:

  $ gpg --auto-key-locate clear,dane,local -v --locate-key wk at
  gpg: pub  dsa2048/F2AD85AC1E42B367 2007-12-31  Werner Koch <wk at>
  gpg: key F2AD85AC1E42B367: "Werner Koch <wk at>" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1
  gpg: auto-key-locate found fingerprint 80615870F5BAD690333686D0F2AD85AC1E42B367
  gpg: automatically retrieved 'wk at' via DANE

Note that using --locate-key is better because it uses the same strategy
as used by -r.  In the second example I left out PKA because I also have
a PKA entry for my address. By using "clear" I override defaults set in
gpg.conf and "local" instructs gpg to check the local keyring after
"dane".  Another address for testing is my g10code address.

Thoughts are free.  Exceptions are governed by a federal law.
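
The label change Werner points to, worked through as an added example (not code from the post or from GnuPG itself): it derives the OpenPGPKEY owner name for a mailbox under the RFC 7929 rule (SHA-256 of the local part, truncated to 28 octets) and under the earlier draft rule (SHA-224), so a record that was published under the old name can be recognised as the cause of a "Not found". The sample address is constructed, and the local part is assumed to be hashed exactly as written, without case folding.

```python
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def split_mailbox(mailbox):
    """Split 'local@domain' at the last '@'. The domain is lowercased and
    a trailing dot dropped (DNS names are case-insensitive); the local
    part is returned untouched."""
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local, domain.rstrip(".").lower()


def openpgpkey_owner_names(mailbox):
    """Return {scheme: owner name} for both label schemes:
      'rfc7929' - SHA-256 of the UTF-8 local part, truncated to 28 octets
      'draft'   - SHA-224 of the local part, as in earlier OpenPGPKEY drafts
    Both labels are 56 hex characters, so only the value tells them apart.
    Assumption: no case folding is applied to the local part."""
    local, domain = split_mailbox(mailbox)
    data = local.encode("utf-8")
    labels = {
        "rfc7929": hashlib.sha256(data).digest()[:28].hex(),
        "draft": hashlib.sha224(data).hexdigest(),
    }
    return {k: f"{v}.{OPENPGPKEY_LABEL}.{domain}" for k, v in labels.items()}


def classify_owner_name(owner_name, mailbox):
    """Report which scheme a published owner name follows ('rfc7929',
    'draft' or 'unknown'); a 'draft' hit explains a lookup that follows
    RFC 7929 failing although a record exists in the zone."""
    wanted = owner_name.rstrip(".").lower()
    for scheme, expected in openpgpkey_owner_names(mailbox).items():
        if wanted == expected:
            return scheme
    return "unknown"


def dig_command(mailbox):
    """dig query for the RFC 7929 name; OPENPGPKEY is DNS RR type 61."""
    return f"dig +dnssec TYPE61 {openpgpkey_owner_names(mailbox)['rfc7929']}."


if __name__ == "__main__":
    # constructed sample address, not a real mailbox
    for scheme, name in openpgpkey_owner_names("alice@example.org").items():
        print(f"{scheme:8s} {name}")
    print(dig_command("alice@example.org"))
```

Compare the name a resolver returns a record for against both outputs; if it matches the `draft` name, the zone needs re-publishing under the name `gpg --print-dane-records` emits.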