publishing PGP keys in DNS

Werner Koch wk at
Wed Dec 21 12:46:31 CET 2016

On Wed, 21 Dec 2016 12:00, bjoern at said:

> auto-key-locate cert pka wkd keyserver
> Does this means that gpg will try to find a WKD and a corresponding
> public key automatically if I write a email to someone I don't have a
> public key yet? Or will the lookup happen if I receive a mail?

Right; but only as long as the key has been specified by  mail address.

First gpg looks into the local keyring, then tries to find a CERT
record, then tries to get the fingerprint via PKA and downloads the key
From the included URL or a configured keyserver, then it tries to locate
via WKD, and finally b a simple keyserver search.  I would suggest to

 auto-key-locate wkd,dane,pka

if you want to find keys for signature verification you can also use


to fetch a key from a keyserver.  The drawback is that you need to wait
for the keyserver.  That latter will eventually be improved by using a
lower timeout and queue the request for later background retrieval



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: </pipermail/attachments/20161221/7402d950/attachment-0001.sig>

More information about the Gnupg-users mailing list