Howto For DNS Key publishing.

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Oct 30 10:31:23 CET 2009


On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:

> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
> <danm at prime.gushi.org> wrote:
>> All,
>>
>> I've written a pretty conclusive howto on how to publish keys in DNS,
>> including detailing the advantages and disadvantages of each method, with
>> full examples, details on testing, and real-world output.
>>
>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>> easily available to people who don't have the source, but who installed via
>> a binary package (that's most people), including comments, cleaner record
>> handling, auto-fingerprinting, etc.  One command, three arguments, and you
>> get all three record types.
>>
>> I cited credit where possible, but if I missed your name, let me know.
>>
>> Suggestions, feedback, requests, corrections, are all welcome.
>>
>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>> thing to my webpage during a revamp.
>>
>> http://gushi.livejournal.com/524199.html
>>
>> Regards,
>>
>> -Dan Mahoney
>
>    Hello!
>
>    Nice tutorial! I've tried to apply your methods (for now I'm just
> at the PKA method).
>
>    But it seems that there is a problem with auto-key-locate option.
> For example for the following command:
> ~~~~
>        mkdir /tmp/gpg-test
>        gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian at volution.ro --encrypt /dev/null
> ~~~~
>
>    it gives me the following error:
> ~~~~
> gpg: requesting key A6FD8839 from http server stores.volution.ro
> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
> gpg: key A6FD8839: public key "Ciprian Dorin Craciun <ciprian at volution.ro>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: error retrieving `ciprian at volution.ro' via PKA: Unusable public key
> gpg: ciprian at volution.ro: skipped: No public key
> gpg: /dev/null: encryption failed: No public key
> ~~~~
>
>    Now, searching on the net for a solution, I've stumbled upon the
> following thread:
>        http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>
>    It seems that there was a bug in GnuPG. So the question is:
>    * am I doing something wrong?
>    * or is the bug still present in GnuPG?
>
>    Thanks,
>    Ciprian.

Okay, so here's what I've learned.  I've manually retrieved your key, and 
imported it manually to my machine with gpg --import < file

And I then get this:

dmahoney at dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r ciprian at volution.ro
gpg: ciprian at volution.ro: skipped: unusable public key
gpg: [stdin]: encryption failed: unusable public key

So it's not the PKA record.  Upon examining it a little further, I see 
this:

dmahoney at dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian at volution.ro
pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
uid                  Ciprian Dorin Craciun <ciprian at volution.ro>
uid                  Ciprian Dorin Craciun <ccraciun at cci.uvt.ro>
uid                  Ciprian Dorin Craciun <ciprian.craciun at gmail.com>
uid                  Ciprian Dorin Craciun <ccraciun at info.uvt.ro>

dmahoney at dmahoney-laptop:~/Desktop$ gpg <ciprian at volution.ro.pub.gpg
pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian at volution.ro>
uid                            Ciprian Dorin Craciun <ccraciun at cci.uvt.ro>
uid                            Ciprian Dorin Craciun <ciprian.craciun at gmail.com>
uid                            Ciprian Dorin Craciun <ccraciun at info.uvt.ro>
sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]

Looks like your subkey that I'd use to encrypt to you has expired, and 
thus my GPG didn't import it.



-- 

"Man, this is such a trip"

-Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
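
The check Dan does by eye above (is there an encryption-capable subkey that has not expired or been revoked?) can be scripted against gpg's machine-readable listing, which is handier than reading `[expires: ...]` lines when a "No public key" / "unusable public key" error shows up after a PKA or keyserver fetch. The script below is an added example, not code from this thread or from GnuPG. It assumes the gpg 2.x `--with-colons` record layout (field 2 validity, field 5 long key ID, field 7 expiry as seconds since the epoch, field 12 capabilities); on gpg 1.4 add `--fixed-list-mode` so the dates are printed the same way. The sample listing is constructed to resemble the key discussed in the message, with placeholder long key IDs, and is not real gpg output.

```shell
#!/bin/sh
# Added example: find out whether a key has a usable encryption (sub)key by
# parsing `gpg --with-colons --list-keys <id>` output. Not code from GnuPG.
#
# Real use:
#   encryption_key_status "$(gpg --with-colons --list-keys ciprian@volution.ro)" "$(date +%s)"
#   has_usable_encryption_key "$(gpg --with-colons --list-keys someone@example.org)" \
#       || echo "no usable encryption key"

# Constructed sample, modelled on the listing in the thread (DSA primary,
# ElGamal encryption subkey that expired 2009-10-19). The long key IDs are
# zero-padded placeholders, not the real ones. gpg 2.x record layout:
#   $1 type, $2 validity (e=expired, r=revoked), $5 key ID,
#   $6 created, $7 expires (epoch seconds, empty = never), $12 capabilities
SAMPLE_LISTING='pub:e:3072:17:00000000A6FD8839:1224374400:1258761600::u:::scESC::::::::
uid:e::::1224374400::0123456789ABCDEF0123456789ABCDEF01234567::Ciprian Dorin Craciun <ciprian at volution.ro>::::::::::0:
sub:e:4096:16:0000000015F68B01:1224374400:1255910400:::::e::::::::'

# encryption_key_status LISTING [NOW]
# Prints one line "<keyid> ok|expired|revoked" for every pub/sub record whose
# own capabilities (lowercase letters in field 12) include encryption ("e").
# Uppercase letters describe the whole key and are deliberately ignored, so a
# DSA primary marked "scESC" is not reported as an encryption key itself.
encryption_key_status() {
    listing=$1
    now=${2:-$(date +%s)}
    printf '%s\n' "$listing" | awk -F: -v now="$now" '
        ($1 == "pub" || $1 == "sub") && index($12, "e") {
            status = "ok"
            if ($2 == "r")
                status = "revoked"
            else if ($7 != "" && $7 + 0 <= now + 0)
                status = "expired"
            print $5, status
        }'
}

# has_usable_encryption_key LISTING [NOW]
# Exit status 0 if at least one encryption-capable key/subkey is neither
# expired nor revoked at time NOW, 1 otherwise (what gpg needs to encrypt).
has_usable_encryption_key() {
    encryption_key_status "$1" "$2" |
        awk '$2 == "ok" { found = 1 } END { exit found ? 0 : 1 }'
}

# Demo on the constructed sample, evaluated as of 29 Oct 2009 (the thread's date):
# the only encryption subkey is reported as expired, so encryption would fail.
encryption_key_status "$SAMPLE_LISTING" 1256853083
```

The status is computed from the expiry timestamp against a caller-supplied time rather than trusting the validity column, so the same function can answer "was this key usable on the date that message was sent?" as well as "is it usable now".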

