Howto For DNS Key publishing.

All,

I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output.

I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types.

I cited credit where possible, but if I missed your name, let me know.

Suggestions, feedback, requests, corrections, are all welcome.

Initial publishing is to my livejournal, but I'm planning to wrap the whole thing to my webpage during a revamp.

http://gushi.livejournal.com/524199.html

Regards,

-Dan Mahoney

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

_______________________________________________
Gnupg-users mailing list
Gnupg-users@...
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto For DNS Key publishing.

On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin <danm@...> wrote:
> All,
>
> I've written a pretty conclusive howto on how to publish keys in DNS,
> including detailing the advantages and disadvantages of each method, with
> full examples, details on testing, and real-world output.
>
> I've also re-implemented make-dns-cert as a shell script, so that it's more
> easily available to people who don't have the source, but who installed via
> a binary package (that's most people), including comments, cleaner record
> handling, auto-fingerprinting, etc. One command, three arguments, and you
> get all three record types.
>
> I cited credit where possible, but if I missed your name, let me know.
>
> Suggestions, feedback, requests, corrections, are all welcome.
>
> Initial publishing is to my livejournal, but I'm planning to wrap the whole
> thing to my webpage during a revamp.
>
> http://gushi.livejournal.com/524199.html
>
> Regards,
>
> -Dan Mahoney

Hello!

Nice tutorial! I've tried to apply your methods (for now I'm just at the PKA method).

But it seems that there is a problem with the auto-key-locate option. For example, for the following command:
~~~~
mkdir /tmp/gpg-test
gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian@... --encrypt /dev/null
~~~~

it gives me the following error:
~~~~
gpg: requesting key A6FD8839 from http server stores.volution.ro
gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
gpg: key A6FD8839: public key "Ciprian Dorin Craciun <ciprian@...>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: error retrieving `ciprian@...' via PKA: Unusable public key
gpg: ciprian@...: skipped: No public key
gpg: /dev/null: encryption failed: No public key
~~~~

Now, searching on the net for a solution, I've stumbled upon the following thread:
http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html

It seems that there was a bug in GnuPG. So the question is:
* am I doing something wrong?
* or is the bug still present in GnuPG?

Thanks,
Ciprian.
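The lookup that `--auto-key-locate pka` performs, as an added example that is not part of the thread or of GnuPG's own code: a PKA record is a DNS TXT record at `<local-part>._pka.<domain>` carrying `v=pka1;fpr=<fingerprint>;uri=<where to fetch the key>`. The resolver maps the address to that owner name, validates the record, and, after fetching the key from the URI, must check that the fetched key's fingerprint equals the one published in DNS; without that last check the URI could serve any key. The zone dictionary, fingerprint and URIs under `example.test` are constructed placeholders standing in for real DNS.

```python
"""Added example (not from the thread): how a PKA lookup resolves a mail
address to a key fingerprint and fetch URI, and the binding check that
follows. The zone below is a constructed stand-in for DNS."""
import re
from typing import Optional

# Constructed stand-in for DNS: owner name -> TXT record data.
SAMPLE_ZONE = {
    "ciprian._pka.example.test":
        "v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567;"
        "uri=http://keys.example.test/ciprian.asc",
    # A record that must be rejected: fpr is not a fingerprint.
    "broken._pka.example.test":
        "v=pka1;fpr=notahexstring;uri=http://keys.example.test/x.asc",
}

HEX40 = re.compile(r"[0-9A-Fa-f]{40}")


def pka_owner_name(email: str) -> str:
    """user@domain -> user._pka.domain, the name GnuPG queries for PKA."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mail address: {email!r}")
    return f"{local}._pka.{domain}"


def parse_pka_txt(txt: str) -> dict:
    """Split 'k=v;k=v' and validate the fields a resolver is about to trust."""
    fields = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field {item!r}")
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported or missing PKA version")
    fpr = fields.get("fpr", "")
    if not HEX40.fullmatch(fpr):
        raise ValueError("fpr is not a 40 hex digit fingerprint")
    fields["fpr"] = fpr.upper()
    return fields


def lookup_pka(email: str, zone=SAMPLE_ZONE) -> Optional[dict]:
    """Parsed record for email, or None when no PKA record is published."""
    txt = zone.get(pka_owner_name(email))
    return None if txt is None else parse_pka_txt(txt)


def fetched_key_matches(record: dict, fetched_fingerprint: str) -> bool:
    """The binding check: the key fetched from uri must carry the fingerprint
    published in DNS, otherwise the URI could serve an arbitrary key."""
    return fetched_fingerprint.replace(" ", "").upper() == record["fpr"]


if __name__ == "__main__":
    rec = lookup_pka("ciprian@example.test")
    print(rec)
    print(fetched_key_matches(rec, "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"))
```

Note that a PKA record binds an address to a fingerprint only as strongly as the DNS answer itself; a `v=pka1` record whose `fpr` does not match the fetched key should be treated as a failed lookup, not a warning.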
Re: Howto For DNS Key publishing.

On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:

> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
> <danm@...> wrote:
>> All,
>>
>> I've written a pretty conclusive howto on how to publish keys in DNS,
>> including detailing the advantages and disadvantages of each method, with
>> full examples, details on testing, and real-world output.
>>
>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>> easily available to people who don't have the source, but who installed via
>> a binary package (that's most people), including comments, cleaner record
>> handling, auto-fingerprinting, etc. One command, three arguments, and you
>> get all three record types.
>>
>> I cited credit where possible, but if I missed your name, let me know.
>>
>> Suggestions, feedback, requests, corrections, are all welcome.
>>
>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>> thing to my webpage during a revamp.
>>
>> http://gushi.livejournal.com/524199.html
>>
>> Regards,
>>
>> -Dan Mahoney
>
> Hello!
>
> Nice tutorial! I've tried to apply your methods (for now I'm just
> at the PKA method).
>
> But it seems that there is a problem with auto-key-locate option.
> For example for the following command:
> ~~~~
> mkdir /tmp/gpg-test
> gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient
> ciprian@... --encrypt /dev/null
> ~~~~
>
> it gives me the following error:
> ~~~~
> gpg: requesting key A6FD8839 from http server stores.volution.ro
> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
> gpg: key A6FD8839: public key "Ciprian Dorin Craciun
> <ciprian@...>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: error retrieving `ciprian@...' via PKA: Unusable public key
> gpg: ciprian@...: skipped: No public key
> gpg: /dev/null: encryption failed: No public key
> ~~~~
>
> Now, searching on the net for a solution, I've stumbled upon the
> following thread:
> http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>
> It seems that there was a bug in GnuPG. So the question is:
> * am I doing something wrong?
> * or is the bug still present in GnuPG?
>
> Thanks,
> Ciprian.

Okay, so here's what I've learned. I've manually retrieved your key, and imported it manually to my machine with gpg --import < file

And I then get this:

dmahoney@dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r ciprian@...
gpg: ciprian@...: skipped: unusable public key
gpg: [stdin]: encryption failed: unusable public key

So it's not the PKA record. Upon examining it a little further, I see this:

dmahoney@dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian@...
pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
uid                  Ciprian Dorin Craciun <ciprian@...>
uid                  Ciprian Dorin Craciun <ccraciun@...>
uid                  Ciprian Dorin Craciun <ciprian.craciun@...>
uid                  Ciprian Dorin Craciun <ccraciun@...>

dmahoney@dmahoney-laptop:~/Desktop$ gpg <ciprian@...
pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian@...>
uid                            Ciprian Dorin Craciun <ccraciun@...>
uid                            Ciprian Dorin Craciun <ciprian.craciun@...>
uid                            Ciprian Dorin Craciun <ccraciun@...>
sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]

Looks like your subkey that I'd use to encrypt to you has expired, and thus my GPG didn't import it.

--

"Man, this is such a trip"

-Dan Mahoney, October 25, 1997
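The diagnosis above, that the key's only encryption-capable subkey (the 4096g ElGamal subkey) had passed its expiry date, is the usual cause of "unusable public key" on an otherwise valid key. The following added example (not the thread's or GnuPG's code) checks that condition from GnuPG's machine-readable `--with-colons` listing, which is the robust way to script such a check, rather than parsing the human-readable output quoted in the message. The listing is constructed to mirror the key in the thread (DSA primary expiring 2009-11-21, ElGamal subkey expiring 2009-10-19); the 16 digit key IDs are placeholders zero-padded from the short IDs on the page, not the real long IDs, and the user ID address is a placeholder. The second listing is what the same key would look like after the expiry date was extended, as the reporter did in the thread.

```python
"""Added example (not from the thread): decide from `gpg --list-keys
--with-colons` output whether a key has an encryption subkey usable on a
given date, i.e. why GnuPG says "unusable public key" for an expired one.
Both listings below are constructed; key IDs are zero-padded placeholders."""
from datetime import date, datetime, timezone
from typing import Optional

# Constructed: DSA primary (algo 17), ElGamal subkey (algo 16) already expired
# (validity 'e') at the time the listing was taken.
EXPIRED_LISTING = """\
pub:-:3072:17:00000000A6FD8839:2008-10-19:2009-11-21::-:::scaSCA:
uid:-::::2008-10-19::0000000000000000000000000000000000000000::Ciprian Dorin Craciun <ciprian@example.test>:
sub:e:4096:16:0000000015F68B01:2008-10-19:2009-10-19:::::e:
"""

# Constructed: the same key after the subkey's expiry date was extended.
RENEWED_LISTING = """\
pub:-:3072:17:00000000A6FD8839:2008-10-19:2010-11-21::-:::scaESCEA:
uid:-::::2008-10-19::0000000000000000000000000000000000000000::Ciprian Dorin Craciun <ciprian@example.test>:
sub:-:4096:16:0000000015F68B01:2008-10-19:2010-10-19:::::e:
"""


def parse_gpg_date(field: str) -> Optional[date]:
    """Colon listings carry dates as YYYY-MM-DD (older gpg) or epoch seconds (gpg2)."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc).date()
    return date.fromisoformat(field[:10])


def parse_listing(text: str) -> list:
    """One dict per pub/sub line: key ID, algorithm, validity, expiry, capabilities."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        keys.append({
            "type": f[0],
            "validity": f[1],                       # 'e' expired, 'r' revoked, '-' unknown
            "algo": int(f[3]),                      # 16 = ElGamal (encrypt only), 17 = DSA
            "keyid": f[4],
            "expires": parse_gpg_date(f[6]),
            "caps": f[11] if len(f) > 11 else "",   # lowercase = this key's own capabilities
        })
    return keys


def usable_encryption_key(listing: str, today: date) -> Optional[str]:
    """Key ID GnuPG could encrypt to on `today`, or None (=> 'unusable public key')."""
    for k in parse_listing(listing):
        if "e" not in k["caps"]:                     # not an encryption key at all
            continue
        if k["validity"] in ("r", "e", "d", "i"):    # revoked / expired / disabled / invalid
            continue
        if k["expires"] is not None and k["expires"] < today:
            continue
        return k["keyid"]
    return None


def diagnose(listing: str, today: date) -> str:
    """Explain the outcome in terms of the encryption-capable keys present."""
    keyid = usable_encryption_key(listing, today)
    if keyid:
        return f"ok: can encrypt to {keyid}"
    enc = [k for k in parse_listing(listing) if "e" in k["caps"]]
    if not enc:
        return "unusable: key has no encryption-capable subkey"
    detail = ", ".join(
        f"{k['keyid']} (expires {k['expires']}, validity {k['validity']})" for k in enc)
    return "unusable: encryption subkey(s) expired or revoked: " + detail


if __name__ == "__main__":
    when = date(2009, 10, 30)   # the day of the thread
    print(diagnose(EXPIRED_LISTING, when))
    print(diagnose(RENEWED_LISTING, when))
```

On a real system the input comes from `gpg --with-colons --list-keys <address>`; checking the expiry date explicitly, rather than only the validity letter, matters because the validity column reflects the clock at listing time and a listing cached from before the expiry would still show '-'.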
Re: Howto For DNS Key publishing.

On Fri, Oct 30, 2009 at 11:31 AM, Dan Mahoney, System Admin <danm@...> wrote:
> On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:
>
>> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
>> <danm@...> wrote:
>>>
>>> All,
>>>
>>> I've written a pretty conclusive howto on how to publish keys in DNS,
>>> including detailing the advantages and disadvantages of each method, with
>>> full examples, details on testing, and real-world output.
>>>
>>> I've also re-implemented make-dns-cert as a shell script, so that it's
>>> more easily available to people who don't have the source, but who installed
>>> via a binary package (that's most people), including comments, cleaner record
>>> handling, auto-fingerprinting, etc. One command, three arguments, and
>>> you get all three record types.
>>>
>>> I cited credit where possible, but if I missed your name, let me know.
>>>
>>> Suggestions, feedback, requests, corrections, are all welcome.
>>>
>>> Initial publishing is to my livejournal, but I'm planning to wrap the
>>> whole thing to my webpage during a revamp.
>>>
>>> http://gushi.livejournal.com/524199.html
>>>
>>> Regards,
>>>
>>> -Dan Mahoney
>>
>> Hello!
>>
>> Nice tutorial! I've tried to apply your methods (for now I'm just
>> at the PKA method).
>>
>> But it seems that there is a problem with auto-key-locate option.
>> For example for the following command:
>> ~~~~
>> mkdir /tmp/gpg-test
>> gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient
>> ciprian@... --encrypt /dev/null
>> ~~~~
>>
>> it gives me the following error:
>> ~~~~
>> gpg: requesting key A6FD8839 from http server stores.volution.ro
>> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
>> gpg: key A6FD8839: public key "Ciprian Dorin Craciun
>> <ciprian@...>" imported
>> gpg: no ultimately trusted keys found
>> gpg: Total number processed: 1
>> gpg:               imported: 1
>> gpg: error retrieving `ciprian@...' via PKA: Unusable public key
>> gpg: ciprian@...: skipped: No public key
>> gpg: /dev/null: encryption failed: No public key
>> ~~~~
>>
>> Now, searching on the net for a solution, I've stumbled upon the
>> following thread:
>> http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>>
>> It seems that there was a bug in GnuPG. So the question is:
>> * am I doing something wrong?
>> * or is the bug still present in GnuPG?
>>
>> Thanks,
>> Ciprian.
>
> Okay, so here's what I've learned. I've manually retrieved your key, and
> imported it manually to my machine with gpg --import < file
>
> And I then get this:
>
> dmahoney@dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r
> ciprian@...
> gpg: ciprian@...: skipped: unusable public key
> gpg: [stdin]: encryption failed: unusable public key
>
> So it's not the PKA record. Upon examining it a little further, I see this:
>
> dmahoney@dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian@...
> pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
> uid                  Ciprian Dorin Craciun <ciprian@...>
> uid                  Ciprian Dorin Craciun <ccraciun@...>
> uid                  Ciprian Dorin Craciun <ciprian.craciun@...>
> uid                  Ciprian Dorin Craciun <ccraciun@...>
>
> dmahoney@dmahoney-laptop:~/Desktop$ gpg <ciprian@...
> pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian@...>
> uid                            Ciprian Dorin Craciun <ccraciun@...>
> uid                            Ciprian Dorin Craciun <ciprian.craciun@...>
> uid                            Ciprian Dorin Craciun <ccraciun@...>
> sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]
>
> Looks like your subkey that I'd use to encrypt to you has expired, and thus
> my GPG didn't import it.
>
> --
>
> "Man, this is such a trip"
>
> -Dan Mahoney, October 25, 1997

Oops! Sorry! Yesterday evening I came upon the same conclusion and prolonged the expiration date... (But I didn't connect the dots with my report..)

Sorry for wasting time! :)

Anyway, good tutorial! Thanks!