Mailing List Archive: GnuPG: users

Howto For DNS Key publishing.



danm at prime

Oct 28, 2009, 10:52 PM

Post #1 of 5 (979 views)
Howto For DNS Key publishing.

All,

I've written a pretty conclusive howto on how to publish keys in DNS,
including detailing the advantages and disadvantages of each method, with
full examples, details on testing, and real-world output.

I've also re-implemented make-dns-cert as a shell script, so that it's
more easily available to people who don't have the source, but who
installed via a binary package (that's most people), including comments,
cleaner record handling, auto-fingerprinting, etc. One command, three
arguments, and you get all three record types.

I cited credit where possible, but if I missed your name, let me know.

Suggestions, feedback, requests, corrections, are all welcome.

Initial publishing is to my livejournal, but I'm planning to wrap the
whole thing to my webpage during a revamp.

http://gushi.livejournal.com/524199.html

Regards,

-Dan Mahoney

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------


_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


ciprian.craciun at gmail

Oct 29, 2009, 4:42 AM

Post #2 of 5 (890 views)
Re: Howto For DNS Key publishing. [In reply to]

On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
<danm [at] prime> wrote:
> All,
>
> I've written a pretty conclusive howto on how to publish keys in DNS,
> including detailing the advantages and disadvantages of each method, with
> full examples, details on testing, and real-world output.
>
> I've also re-implemented make-dns-cert as a shell script, so that it's more
> easily available to people who don't have the source, but who installed via
> a binary package (that's most people), including comments, cleaner record
> handling, auto-fingerprinting, etc.  One command, three arguments, and you
> get all three record types.
>
> I cited credit where possible, but if I missed your name, let me know.
>
> Suggestions, feedback, requests, corrections, are all welcome.
>
> Initial publishing is to my livejournal, but I'm planning to wrap the whole
> thing to my webpage during a revamp.
>
> http://gushi.livejournal.com/524199.html
>
> Regards,
>
> -Dan Mahoney

Hello!

Nice tutorial! I've tried to apply your methods (for now I'm just
at the PKA method).

But it seems that there is a problem with auto-key-locate option.
For example for the following command:
~~~~
mkdir /tmp/gpg-test
gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian [at] volution --encrypt /dev/null
~~~~

it gives me the following error:
~~~~
gpg: requesting key A6FD8839 from http server stores.volution.ro
gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
gpg: key A6FD8839: public key "Ciprian Dorin Craciun
<ciprian [at] volution>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: error retrieving `ciprian [at] volution' via PKA: Unusable public key
gpg: ciprian [at] volution: skipped: No public key
gpg: /dev/null: encryption failed: No public key
~~~~

Now, searching on the net for a solution, I've stumbled upon the
following thread:
http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html

It seems that there was a bug in GnuPG. So the question is:
* am I doing something wrong?
* or is the bug still present in GnuPG?

Thanks,
Ciprian.



danm at prime

Oct 30, 2009, 2:31 AM

Post #3 of 5 (883 views)
Re: Howto For DNS Key publishing. [In reply to]

On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:

> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
> <danm [at] prime> wrote:
>> All,
>>
>> I've written a pretty conclusive howto on how to publish keys in DNS,
>> including detailing the advantages and disadvantages of each method, with
>> full examples, details on testing, and real-world output.
>>
>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>> easily available to people who don't have the source, but who installed via
>> a binary package (that's most people), including comments, cleaner record
>> handling, auto-fingerprinting, etc. One command, three arguments, and you
>> get all three record types.
>>
>> I cited credit where possible, but if I missed your name, let me know.
>>
>> Suggestions, feedback, requests, corrections, are all welcome.
>>
>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>> thing to my webpage during a revamp.
>>
>> http://gushi.livejournal.com/524199.html
>>
>> Regards,
>>
>> -Dan Mahoney
>
> Hello!
>
> Nice tutorial! I've tried to apply your methods (for now I'm just
> at the PKA method).
>
> But it seems that there is a problem with auto-key-locate option.
> For example for the following command:
> ~~~~
> mkdir /tmp/gpg-test
> gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient
> ciprian [at] volution --encrypt /dev/null
> ~~~~
>
> it gives me the following error:
> ~~~~
> gpg: requesting key A6FD8839 from http server stores.volution.ro
> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
> gpg: key A6FD8839: public key "Ciprian Dorin Craciun
> <ciprian [at] volution>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: error retrieving `ciprian [at] volution' via PKA: Unusable public key
> gpg: ciprian [at] volution: skipped: No public key
> gpg: /dev/null: encryption failed: No public key
> ~~~~
>
> Now, searching on the net for a solution, I've stumbled upon the
> following thread:
> http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>
> It seems that there was a bug in GnuPG. So the question is:
> * am I doing something wrong?
> * or is the bug still present in GnuPG?
>
> Thanks,
> Ciprian.

Okay, so here's what I've learned. I've manually retrieved your key, and
imported it manually to my machine with gpg --import < file

And I then get this:

~~~~
dmahoney [at] dmahoney-lapto:~/Desktop$ echo "foo" | gpg --encrypt -r ciprian [at] volution
gpg: ciprian [at] volution: skipped: unusable public key
gpg: [stdin]: encryption failed: unusable public key
~~~~

So it's not the PKA record. Upon examining it a little further, I see
this:

~~~~
dmahoney [at] dmahoney-lapto:~/Desktop$ gpg --list-keys ciprian [at] volution
pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
uid                  Ciprian Dorin Craciun <ciprian [at] volution>
uid                  Ciprian Dorin Craciun <ccraciun [at] cci>
uid                  Ciprian Dorin Craciun <ciprian.craciun [at] gmail>
uid                  Ciprian Dorin Craciun <ccraciun [at] info>

dmahoney [at] dmahoney-lapto:~/Desktop$ gpg <ciprian [at] volution
pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian [at] volution>
uid                            Ciprian Dorin Craciun <ccraciun [at] cci>
uid                            Ciprian Dorin Craciun <ciprian.craciun [at] gmail>
uid                            Ciprian Dorin Craciun <ccraciun [at] info>
sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]
~~~~

Looks like your subkey that I'd use to encrypt to you has expired, and
thus my GPG didn't import it.



--

"Man, this is such a trip"

-Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
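The failure Dan diagnoses above (an expired encryption subkey, which gpg reports as "unusable public key" and which at first looks like a broken PKA lookup) can be checked mechanically before the DNS record is suspected. The following is an added example, not code from this thread or from GnuPG: it parses `gpg --with-colons --list-keys` output and says which encryption-capable keys are still valid on a given date. The sample listing, the zero-padded key IDs and the UID are constructed.

```python
"""Explain gpg's "unusable public key" before blaming the PKA/CERT record:
list which encryption-capable (sub)keys in `gpg --with-colons --list-keys`
output are still valid on a given date (SAMPLE is constructed, not captured)."""
from datetime import datetime, timezone

# Constructed sample with the thread's dates; key IDs are the thread's 8-hex
# short IDs zero-padded as placeholders.  Fields: 1 type, 2 validity
# ('e' = expired), 5 key ID, 6 creation, 7 expiry (ISO date in GnuPG 1.4,
# epoch seconds in 2.x), 12 capabilities (lowercase = own; 'e' = encrypt).
SAMPLE = (
    "pub:-:3072:17:00000000A6FD8839:2008-10-19:2009-11-21::-:::scSC:\n"
    "uid:-::::2008-10-19::PLACEHOLDERHASH::Example User <user@example.org>:\n"
    "sub:e:4096:16:0000000015F68B01:2008-10-19:2009-10-19::-:::e:\n"
)

def parse_date(field):
    """'' (never expires) -> None; 'YYYY-MM-DD' or epoch seconds -> UTC datetime."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def encryption_keys(colon_output):
    """Yield (key_id, expiry) for keys whose own capabilities include 'e'."""
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        if "e" in {c for c in f[11] if c.islower()}:
            yield f[4], parse_date(f[6])

def usable_encryption_keys(colon_output, today):
    """Key IDs gpg could encrypt to on `today` (ISO date or epoch string)."""
    now = parse_date(today)
    return [k for k, exp in encryption_keys(colon_output)
            if exp is None or exp > now]

def explain(colon_output, today):
    """One-line verdict matching what gpg prints at --encrypt time."""
    usable = usable_encryption_keys(colon_output, today)
    if usable:
        return "ok: usable encryption key(s) " + ", ".join(usable)
    now = parse_date(today)
    expired = [f"{k} (expired {exp:%Y-%m-%d})"
               for k, exp in encryption_keys(colon_output)
               if exp is not None and exp <= now]
    return "unusable public key: " + "; ".join(expired or ["no encryption subkey"])
```

Running `explain(SAMPLE, "2009-10-30")` (the day of Dan's test) names the expired subkey, while the same call with a date before 2009-10-19 reports the key as usable.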


ciprian.craciun at gmail

Oct 30, 2009, 2:55 AM

Post #4 of 5 (883 views)
Re: Howto For DNS Key publishing. [In reply to]

On Fri, Oct 30, 2009 at 11:31 AM, Dan Mahoney, System Admin
<danm [at] prime> wrote:
> On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:
>
>> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin
>> <danm [at] prime> wrote:
>>>
>>> All,
>>>
>>> I've written a pretty conclusive howto on how to publish keys in DNS,
>>> including detailing the advantages and disadvantages of each method, with
>>> full examples, details on testing, and real-world output.
>>>
>>> I've also re-implemented make-dns-cert as a shell script, so that it's
>>> more
>>> easily available to people who don't have the source, but who installed
>>> via
>>> a binary package (that's most people), including comments, cleaner record
>>> handling, auto-fingerprinting, etc.  One command, three arguments, and
>>> you
>>> get all three record types.
>>>
>>> I cited credit where possible, but if I missed your name, let me know.
>>>
>>> Suggestions, feedback, requests, corrections, are all welcome.
>>>
>>> Initial publishing is to my livejournal, but I'm planning to wrap the
>>> whole
>>> thing to my webpage during a revamp.
>>>
>>> http://gushi.livejournal.com/524199.html
>>>
>>> Regards,
>>>
>>> -Dan Mahoney
>>
>>   Hello!
>>
>>   Nice tutorial! I've tried to apply your methods (for now I'm just
>> at the PKA method).
>>
>>   But it seems that there is a problem with auto-key-locate option.
>> For example for the following command:
>> ~~~~
>>       mkdir /tmp/gpg-test
>>       gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient
>> ciprian [at] volution --encrypt /dev/null
>> ~~~~
>>
>>   it gives me the following error:
>> ~~~~
>> gpg: requesting key A6FD8839 from http server stores.volution.ro
>> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
>> gpg: key A6FD8839: public key "Ciprian Dorin Craciun
>> <ciprian [at] volution>" imported
>> gpg: no ultimately trusted keys found
>> gpg: Total number processed: 1
>> gpg:               imported: 1
>> gpg: error retrieving `ciprian [at] volution' via PKA: Unusable public key
>> gpg: ciprian [at] volution: skipped: No public key
>> gpg: /dev/null: encryption failed: No public key
>> ~~~~
>>
>>   Now, searching on the net for a solution, I've stumbled upon the
>> following thread:
>>       http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>>
>>   It seems that there was a bug in GnuPG. So the question is:
>>   * am I doing something wrong?
>>   * or is the bug still present in GnuPG?
>>
>>   Thanks,
>>   Ciprian.
>
> Okay, so here's what I've learned.  I've manually retrieved your key, and
> imported it manually to my machine with gpg --import < file
>
> And I then get this:
>
> dmahoney [at] dmahoney-lapto:~/Desktop$ echo "foo" | gpg --encrypt -r
> ciprian [at] volution
> gpg: ciprian [at] volution: skipped: unusable public key
> gpg: [stdin]: encryption failed: unusable public key
>
> So it's not the PKA record.  Upon examining it a little further, I see this:
>
> dmahoney [at] dmahoney-lapto:~/Desktop$ gpg --list-keys ciprian [at] volution
> pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
> uid                  Ciprian Dorin Craciun <ciprian [at] volution>
> uid                  Ciprian Dorin Craciun <ccraciun [at] cci>
> uid                  Ciprian Dorin Craciun <ciprian.craciun [at] gmail>
> uid                  Ciprian Dorin Craciun <ccraciun [at] info>
>
> dmahoney [at] dmahoney-lapto:~/Desktop$ gpg <ciprian [at] volution
> pub  3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun <ciprian [at] volution>
> uid                            Ciprian Dorin Craciun <ccraciun [at] cci>
> uid                            Ciprian Dorin Craciun
> <ciprian.craciun [at] gmail>
> uid                            Ciprian Dorin Craciun <ccraciun [at] info>
> sub  4096g/15F68B01 2008-10-19 [expires: 2009-10-19]
>
> Looks like your subkey that I'd use to encrypt to you has expired, and thus
> my GPG didn't import it.
>
> --
>
> "Man, this is such a trip"
>
> -Dan Mahoney, October 25, 1997


Oops! Sorry!

Yesterday evening I came upon the same conclusion and prolonged
the expiration date... (But I didn't connect the dots with my
report..)
Sorry for wasting time! :)

Anyway, good tutorial! Thanks!



danm at prime

Jan 6, 2010, 11:37 PM

Post #5 of 5 (666 views)
Re: Howto For DNS Key publishing. [In reply to]

On Thu, 29 Oct 2009, Dan Mahoney, System Admin wrote:

> All,
>
> I've written a pretty conclusive howto on how to publish keys in DNS,
> including detailing the advantages and disadvantages of each method, with
> full examples, details on testing, and real-world output.
>
> I've also re-implemented make-dns-cert as a shell script, so that it's more
> easily available to people who don't have the source, but who installed via a
> binary package (that's most people), including comments, cleaner record
> handling, auto-fingerprinting, etc. One command, three arguments, and you
> get all three record types.

David,

Would it be possible to include my make-dns-cert.sh shell script with GPG?
It solves both the problems of the existing tool being a
not-built-by-default binary, as well as modernizes the DNS record formats
used, heavily, and is easily used by people who have installed GPG via a
package.

-Dan Mahoney

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

