Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 21 February 2015 00:34 UTC

On Fri, Feb 20, 2015 at 07:03:04PM -0500, James Cloos wrote:

> >>>>> "WK" == Warren Kumari <warren@kumari.net> writes:
> 
> WK> Also, a cute trick: dig type61 $(echo -n pwouters| sha224sum | sed "s/
> WK> ..$//")._openpgpkey.fedoraproject.org |grep TYPE61 | sed
> WK> "s/^.*TYPE61.*\\\#[0-9]* //" | grep -v ";" | sed "s/ //g" | xxd -r -p
> WK> | gpg --import --dry-run
> 
> FWIW, that does not work here.

What works for me is:

    $ dig +short -t type61 $(
        printf "%s._openpgpkey.fedoraproject.org" $(
            printf "%s" pwouters |            # local-part of the address...
            openssl dgst -sha224 -binary |    # ...hashed with SHA-224...
            hexdump -ve '/1 "%02x"'           # ...and hex-encoded as the label
            )
        ) |
        perl -ane '
            # dig prints unknown types as RFC 3597 generic RDATA: \# <len> <hex...>
            ($escape_sharp, $len) = splice(@F, 0, 2);
            next if ($escape_sharp ne q{\#});
            # hex-decode the remaining fields and check the declared length
            ($rdata = join("", @F)) =~ s/(..)/chr(hex($1))/eg;
            next if (length($rdata) != $len);
            print $rdata;
            last;
            ' |
        gpg --import --dry-run --verbose
    gpg: pub  4096R/E0FD94D2 2014-12-11  Paul Wouters <paul@nohats.ca>
    gpg: using classic trust model
    gpg: key E0FD94D2: public key "[User ID not found]" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

Of course this ignores the DNSSEC validation status.  A better
approach is to do it all in Perl with Net::DNS and either a trusted
(AD-bit) local resolver or DNSSEC validation support in Net::DNS.

Python with the getdns api is another attractive option.

-- 
	Viktor.
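Viktor's closing suggestion, as an added example that is not from this thread: the owner-name construction and the RFC 3597 generic-RDATA parsing that the pipeline above performs, in Python on the standard library alone (no getdns, no network). It does no DNS lookup and no DNSSEC validation, so a validating resolver's AD bit, or local validation, still has to be checked separately; the function names and sample answers are made up.

```python
import hashlib
import re
from typing import List, Optional

# Hashing follows the commands in this thread (SHA-224 of the local-part,
# hex encoded); the function names below are hypothetical.

def openpgpkey_owner(local_part: str, domain: str) -> str:
    """Owner name of the OPENPGPKEY (type 61) record for local_part@domain."""
    digest = hashlib.sha224(local_part.encode("utf-8")).hexdigest()
    return f"{digest}._openpgpkey.{domain}"

def parse_generic_rdata(line: str) -> Optional[bytes]:
    """Parse one RFC 3597 generic RDATA line, '\\# <len> <hex...>', as printed
    by `dig +short -t type61`.  Returns the binary RDATA, or None when the
    line is not generic format or the length field disagrees with the hex."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != r"\#" or not fields[1].isdigit():
        return None
    hexdata = "".join(fields[2:])
    if len(hexdata) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        return None
    rdata = bytes.fromhex(hexdata)
    return rdata if len(rdata) == int(fields[1]) else None

def is_openpgp_public_key_packet(rdata: bytes) -> bool:
    """Cheap sanity check before handing RDATA to gpg: the first octet must be
    an OpenPGP packet header (bit 7 set) carrying packet tag 6 (Public-Key)."""
    if not rdata or not rdata[0] & 0x80:
        return False
    tag = rdata[0] & 0x3F if rdata[0] & 0x40 else (rdata[0] >> 2) & 0x0F
    return tag == 6

def first_key_from_answers(lines: List[str]) -> Optional[bytes]:
    """Like the perl loop above: return the first well-formed record, if any."""
    for line in lines:
        rdata = parse_generic_rdata(line)
        if rdata is not None and is_openpgp_public_key_packet(rdata):
            return rdata
    return None

# Constructed sample answers (not real dig output): a non-generic line, a record
# whose length field is wrong, and a minimal blob whose first octet 0x99 is an
# old-format Public-Key packet header (tag 6, two-octet length).
SAMPLE_ANSWERS = [
    "pwouters.fedoraproject.org.",
    r"\# 3 99 00 05 04",
    r"\# 4 99 00 05 04",
]
```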