> On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote:
>> On Thu, 15 Oct 2009, David Shaw wrote:
>>> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>>> I'm running:
>>> echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a
>>> And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint
>>> I exported my key with:
>>> gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file
>> It works fine for me. What version of GPG are you using?
> I tried this again, after I nuked the "fingerprint" cert record.
> Oddly, running on gpg2 on an older debian system, I get:
> # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org
> gpg: no keyserver known (use option --keyserver)
> gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error
> gpg: gu...@gushi.org: skipped: General error
> gpg: [stdin]: encryption failed: General error
> That first line specifically makes me scratch my head a bit.
You didn't give an actual version number (run gpg2 --version), so I
can only make an educated guess, but I do think I see your problem.
You don't have one key in your CERT - you have two (309C17C5 and
624BB249) combined into one DNS record. That doesn't work - it's a
one-name-one-key mapping. We should give a better error message in
this case.
Can you try again with a single key in your CERT? Alternately, if you
want both of your keys, you could use 2 different CERT records for the
gushi.gushi.org. name, each with one of your keys (rather than 1 CERT
record with a payload containing two keys). Note that this will
usually result in round-robining for those people who don't have your
key, which may or may not be what you want.
At least using gpg 2.0.13, and a single key in the CERT, this works
properly for me. I can't speak for an earlier version.
All of that said, I think it's worth pointing out that IPGP (the
fingerprint+URL variation of CERT) is far more useful than PGP (the
full key). Not all systems are going to be able to pass a 1718-byte
DNS message, as yours is.
> I suspect strongly that this feature doesn't get the most broad
> platform testing. Let me know if you'd like to help.
Please do! More testing is always welcome.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
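The CERT record formats the thread turns on, as an added example that is not part of the original message and not GnuPG's or make-dns-cert's code: stdlib-only Python that builds the PGP (type 3, full key) and IPGP (type 6, fingerprint + URL) RDATA per RFC 4398, walks the OpenPGP packet framing far enough to count primary keys in a payload (so a two-keys-in-one-record CERT like the one above is reported instead of failing with "General error"), and flags RDATA that will not fit a classic 512-byte UDP answer. The key material is constructed (fake_key/old_packet emit only real RFC 4880 packet headers around dummy bodies), and the example.org URL and key-ID seeds are assumptions, not anyone's real key.

```python
"""Build, decode and sanity-check DNS CERT records (RFC 4398) carrying OpenPGP
data. RDATA = type(2) | key tag(2) | algorithm(1) | certificate; key tag and
algorithm are 0 for both the PGP and the IPGP type."""
import base64
import struct

CERT_PGP, CERT_IPGP = 3, 6
TYPE_NAMES = {CERT_PGP: "PGP", CERT_IPGP: "IPGP"}
CLASSIC_UDP_LIMIT = 512                      # beyond this a resolver needs EDNS0 or TCP
PKT_PUBLIC_KEY, PKT_USER_ID, PKT_PUBLIC_SUBKEY = 6, 13, 14   # RFC 4880 packet tags

def encode_pgp_cert(key_bytes: bytes) -> bytes:
    """CERT RDATA wrapping a binary OpenPGP key (the bytes `gpg --export` emits)."""
    return struct.pack("!HHB", CERT_PGP, 0, 0) + key_bytes

def encode_ipgp_cert(fingerprint: bytes, url: str) -> bytes:
    """CERT RDATA holding <1-byte length><fingerprint><URL> (RFC 4398 section 3.3)."""
    if not 0 < len(fingerprint) < 256:
        raise ValueError("fingerprint length must fit in one byte")
    return (struct.pack("!HHB", CERT_IPGP, 0, 0)
            + bytes([len(fingerprint)]) + fingerprint + url.encode("ascii"))

def decode_cert(rdata: bytes) -> dict:
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    ctype, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    rec, body = {"type": ctype, "key_tag": key_tag, "algorithm": alg}, rdata[5:]
    if ctype == CERT_IPGP:
        if not body:
            raise ValueError("empty IPGP certificate field")
        n = body[0]
        if len(body) < 1 + n:
            raise ValueError("IPGP fingerprint runs past the end of the RDATA")
        rec["fingerprint"], rec["url"] = body[1:1 + n], body[1 + n:].decode("ascii")
    else:
        rec["certificate"] = body
    return rec

def iter_openpgp_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers, no partial lengths."""
    i, n = 0, len(data)
    while i < n:
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad OpenPGP packet header at offset {i}")
        if hdr & 0x40:                                   # new-format header (RFC 4880 4.2.2)
            tag, b = hdr & 0x3F, data[i + 1]
            if b < 192:
                length, i = b, i + 2
            elif b < 224:
                length, i = ((b - 192) << 8) + data[i + 2] + 192, i + 3
            elif b == 255:
                length, i = struct.unpack("!I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths are not used in exported keys")
        else:                                            # old-format header (RFC 4880 4.2.1)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 0:
                length, i = data[i + 1], i + 2
            elif ltype == 1:
                length, i = struct.unpack("!H", data[i + 1:i + 3])[0], i + 3
            elif ltype == 2:
                length, i = struct.unpack("!I", data[i + 1:i + 5])[0], i + 5
            else:                                        # indeterminate: rest of the data
                length, i = n - i - 1, i + 1
        if i + length > n:
            raise ValueError(f"packet body runs past the end of data at offset {i}")
        yield tag, data[i:i + length]
        i += length

def count_primary_keys(key_bytes: bytes) -> int:
    return sum(1 for tag, _ in iter_openpgp_packets(key_bytes) if tag == PKT_PUBLIC_KEY)

def check_cert(rdata: bytes) -> list:
    """Problems a resolver or gpg would trip over; an empty list means it looks sane."""
    rec, problems = decode_cert(rdata), []
    if rec["key_tag"] != 0 or rec["algorithm"] != 0:
        problems.append("key tag and algorithm must both be 0 for PGP/IPGP")
    if rec["type"] == CERT_PGP:
        keys = count_primary_keys(rec["certificate"])
        if keys != 1:
            problems.append(f"PGP CERT carries {keys} primary keys; CERT is a one-name-one-key mapping")
    if len(rdata) > CLASSIC_UDP_LIMIT:
        problems.append(f"RDATA is {len(rdata)} bytes, over the {CLASSIC_UDP_LIMIT}-byte classic UDP limit")
    return problems

def presentation(owner: str, rdata: bytes) -> str:
    """Zone-file form, e.g. `name IN CERT IPGP 0 0 <base64 certificate>`."""
    rec = decode_cert(rdata)
    name = TYPE_NAMES.get(rec["type"], str(rec["type"]))
    return f"{owner} IN CERT {name} {rec['key_tag']} {rec['algorithm']} {base64.b64encode(rdata[5:]).decode()}"

def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length (RFC 4880 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack("!H", len(body)) + body

def fake_key(seed: bytes, uid: bytes) -> bytes:
    """Constructed stand-in for `gpg --export`: real packet framing, dummy bodies."""
    return (old_packet(PKT_PUBLIC_KEY, b"\x04" + seed * 4) + old_packet(PKT_USER_ID, uid)
            + old_packet(PKT_PUBLIC_SUBKEY, b"\x04" + seed[::-1] * 4))

if __name__ == "__main__":
    one = encode_pgp_cert(fake_key(b"\x01\x02", b"Key One <one@example.org>"))
    two = encode_pgp_cert(fake_key(b"\x01\x02", b"one") + fake_key(b"\x03\x04", b"two"))
    ipgp = encode_ipgp_cert(bytes.fromhex("aa" * 20), "https://example.org/one.asc")
    for label, rd in (("one key", one), ("two keys", two), ("ipgp", ipgp)):
        print(label, len(rd), "bytes:", check_cert(rd) or "ok")
    print(presentation("gushi.gushi.org.", ipgp))
```

To check a record you already published, feed the raw RDATA (dig's `\# <len> <hex>` form, hex-decoded) to check_cert; the IPGP record stays a few dozen bytes regardless of key size, which is the practical reason to prefer it over a full-key PGP record.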