On Tue, Feb 15, 2022 at 12:32:50PM -0800, "Dan Mahoney (Gushi) via Gnupg-users" <gnupg-users@gnupg.org> wrote:
> Hey all,
>
> A long time ago I wrote a doc on a blog about putting PGP keys in the DNS, which has been linked to quite a bit. I also recoded make-dns-cert as a shell script so that people who want to do this but don't have access to the make-dns-cert tool (which is not built by default on some OS packages) had an option to do this.
>
> At the day job, we have a script that we use to push gpg-signed releases to our FTP server, and as part of that job, it verifies the signatures on the tarball, and will try to auto-key-locate those keys if it can't find them.
>
> Since the debacle a few years ago with the SKS keyserver denial-of-service attack, the keyservers are kind of a non-starter. And because GPG searches for keys on a tarball by keyid, not by user@domain, a keyserver is the only real retrieval method available to look up a key by keyid, which is now a non-starter.
>
> Worse still, if you know a key exists via something like DANE (dayjob makes DNS software, we like the idea of it being available via DANE), there's no way to do gpg --search via DANE, only via a keyserver.
>
> Thus, using that as a prefetch method to grab the current version of our codesign@ key into our keyring is not helpful either, unless we "faked it" by attempting to encrypt a message to that address, then discarded it.
>
> Is there another way forward? The normal things for auto-key-locate don't seem to help here. I'm open to ideas.
>
> -Dan
>
> (PS: on gnupg.org, the documentation for auto-key-locate dane says "Locate a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt." It should probably say RFC7929 rather than referring to an I-D.)
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> FB: fb.com/DanielMahoneyIV
> LI: linkedin.com/in/gushi
> Site: http://www.gushi.org
> ---------------------------

Hi,

Recently, I asked for dane to be added to --auto-key-retrieve when dane was in the auto-key-locate list (https://dev.gnupg.org/T5586), but the outcome was: "Wontfix: DANE has been an experimental thing and is imho dead".

I think that experiment might have taken place at a time when DNSSEC was too much effort to implement. That's no longer the case, so maybe the experiment should be allowed to continue. But maybe it is dead. I don't really need it. My only interest was that I'd written software that manages dane records (including openpgpkey), but I don't know if anyone else is using that feature. Probably not.

cheers,
raf

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
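The thread above turns on two facts: gpg identifies a signing key by its key ID, while an RFC 7929 DANE lookup is addressed by user@domain. The Python below is an added example, not code from the thread, from GnuPG or from raf's software. It derives the OPENPGPKEY owner name for a mail address the way RFC 7929 specifies (SHA-256 of the local part, truncated to 28 octets, hex-encoded, under the _openpgpkey label of the domain), then walks the OpenPGP packets in a record's RDATA to compute the v4 fingerprint and long key ID, which is the check a release-verification script that already knows its codesign@ address would make to confirm that the key it fetched over DNS is the one a signature names. It performs no DNS queries; SAMPLE_RDATA is a constructed placeholder packet sequence with dummy MPIs (not a usable key), and the address codesign@example.com and all function names are the example's own. A real deployment must also insist that the resolver reports the answer as DNSSEC-validated before trusting it.

```python
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(address: str) -> str:
    """Derive the RFC 7929 OPENPGPKEY owner name for a mail address.

    The local part is hashed byte-for-byte as given (SHA-256, truncated to
    28 octets, lowercase hex); the domain part follows the _openpgpkey label.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user@domain address: {address!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain.rstrip('.')}"


def _read_packet(data: bytes):
    """Split one OpenPGP packet (RFC 4880 old or new header) off the front of data.

    Returns (tag, body, remainder). Partial-body and indeterminate lengths are
    rejected; a public key as published in DNS does not need them.
    """
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = data[0]
    if first & 0x40:                        # new-format header
        tag = first & 0x3F
        first_len = data[1]
        if first_len < 192:
            length, off = first_len, 2
        elif first_len < 224:
            length, off = ((first_len - 192) << 8) + data[2] + 192, 3
        elif first_len == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                   # old-format header
        tag = (first >> 2) & 0x0F
        length_type = first & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not supported")
        n = 1 << length_type                # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    if len(data) < off + length:
        raise ValueError("truncated packet")
    return tag, data[off:off + length], data[off + length:]


def inspect_openpgpkey_rdata(rdata: bytes) -> dict:
    """Return fingerprint, long key ID and user IDs from OPENPGPKEY RDATA.

    OPENPGPKEY RDATA is the binary transferable public key itself, so it
    starts with a Public-Key packet (tag 6). The v4 fingerprint is SHA-1 over
    0x99, the two-octet body length and the body (RFC 4880 section 12.2);
    the long key ID is the low-order 64 bits of that fingerprint.
    """
    tag, body, rest = _read_packet(rdata)
    if tag != 6:
        raise ValueError(f"expected a Public-Key packet (tag 6), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"only version 4 keys are handled, got version {body[0]}")
    to_hash = b"\x99" + len(body).to_bytes(2, "big") + body
    fingerprint = hashlib.sha1(to_hash).hexdigest().upper()
    uids = []
    while rest:
        tag, body, rest = _read_packet(rest)
        if tag == 13:                       # User ID packet
            uids.append(body.decode("utf-8", errors="replace"))
    return {"fingerprint": fingerprint, "keyid": fingerprint[-16:], "uids": uids}


def key_matches_expected(rdata: bytes, expected_keyid: str) -> bool:
    """True if the key published in rdata carries the long key ID a signature named."""
    wanted = expected_keyid.upper().removeprefix("0X")
    return inspect_openpgpkey_rdata(rdata)["keyid"] == wanted[-16:]


# Constructed placeholder RDATA: a v4 RSA Public-Key packet with a dummy 32-bit n
# and 17-bit e (NOT a usable key), followed by a User ID packet; new-format headers.
_PUBKEY_BODY = (
    b"\x04"                                 # version 4
    + b"\x62\x0b\xd0\x00"                   # creation time (arbitrary)
    + b"\x01"                               # public-key algorithm 1 = RSA
    + b"\x00\x20" + b"\x80\x00\x00\x01"     # MPI n: 32 bits
    + b"\x00\x11" + b"\x01\x00\x01"         # MPI e: 17 bits (65537)
)
_UID_BODY = b"codesign@example.com"
SAMPLE_RDATA = (
    bytes([0xC0 | 6, len(_PUBKEY_BODY)]) + _PUBKEY_BODY
    + bytes([0xC0 | 13, len(_UID_BODY)]) + _UID_BODY
)

if __name__ == "__main__":
    # RFC 7929 section 2.1 shows hugh@example.com mapping to
    # c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._openpgpkey.example.com
    print(openpgpkey_owner_name("hugh@example.com"))
    info = inspect_openpgpkey_rdata(SAMPLE_RDATA)
    print(info)
    print(key_matches_expected(SAMPLE_RDATA, "0x" + info["keyid"]))
```

The owner name is what a script would query for an OPENPGPKEY record (the RDATA of a real answer is exactly what inspect_openpgpkey_rdata expects); the key ID it yields is what gpg prints for the signature on the tarball, so the two can be compared before the key is imported.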