Package: dirmngr
Version: 2.2.20-1
Severity: normal
File: /usr/bin/dirmngr

Hello,

        user@host:~$ rm -rf .gnupg/
        user@host:~$ gpg --locate-keys --auto-key-locate clear,dane u...@kleine-koenig.org
        gpg: directory '/home/test/.gnupg' created
        gpg: keybox '/home/test/.gnupg/pubring.kbx' created
        gpg: /home/test/.gnupg/trustdb.gpg: trustdb created
        gpg: key E2DCDD9132669BD6: public key "Uwe Kleine-König <u...@kleine-koenig.org>" imported
        gpg: Total number processed: 1
        gpg:               imported: 1
        pub   rsa4096 2010-06-15 [SC] [expires: 2024-06-21]
              0D2511F322BFAB1C1580266BE2DCDD9132669BD6
        uid           [ unknown] Uwe Kleine-König <u...@kleine-koenig.org>
        sub   rsa2048 2015-01-11 [S] [expires: 2022-01-09]
        sub   rsa2048 2015-01-11 [E] [expires: 2022-01-09]
        sub   rsa2048 2015-01-11 [A] [expires: 2022-01-09]

My expectation is that a key retrieval method called "dane" verifies
DNSSEC, but that is not the case here. See
https://dnsviz.net/d/kleine-koenig.org/dnssec/, the zone has a key, but
it is not anchored in .org.

According to
https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-05#section-5 "The
lookup result MUST pass DNSSEC validation". (Thanks to Jakub Wilk for
finding the relevant documentation.)

Best regards
Uwe

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (700, 'stable'), (600, 'unstable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'testing'), (500, 'oldstable'), (499, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dirmngr depends on:
ii  adduser              3.118
ii  gpgconf              2.2.20-1
ii  init-system-helpers  1.56+nmu1
ii  libassuan0           2.5.2-1
ii  libc6                2.30-4
ii  libgcrypt20          1.8.4-5
ii  libgnutls30          3.6.14-2
ii  libgpg-error0        1.35-1
ii  libksba8             1.3.5-2
ii  libldap-2.4-2        2.4.47+dfsg-3+deb10u2
ii  libnpth0             1.6-1
ii  lsb-base             10.2019051400

Versions of packages dirmngr recommends:
ii  gnupg  2.2.20-1

Versions of packages dirmngr suggests:
ii  dbus-user-session  1.12.16-1
ii  libpam-systemd     241-7~deb10u4
ii  pinentry-gnome3    1.1.0-2
ii  tor                0.3.5.10-1

-- no debconf information
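
An added example, not part of the original report and not GnuPG's code: a Python sketch of the acceptance check the report expects before a key found via "dane" is imported, run over constructed 12-byte DNS headers. It builds the owner name by the rule in RFC 7929 (the published form of the cited draft) and accepts a response only when the resolver marked it as DNSSEC-validated. Assumptions: the resolver validates and is reached over a trusted path (otherwise the AD bit proves nothing), and the address and all function names are hypothetical.

```python
import hashlib
import struct

# DNS header flag masks (RFC 1035, AD bit from RFC 4035)
QR, TC, AD, RCODE_MASK = 0x8000, 0x0200, 0x0020, 0x000F


def openpgpkey_owner(addr):
    """Owner name per RFC 7929: SHA-256 of the local part, cut to 28 octets."""
    local, _, domain = addr.rpartition("@")
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain}"


def build_header(flags, ancount):
    """Constructed sample: a bare DNS header (id, flags, qd, an, ns, ar)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


def dane_acceptable(wire):
    """True only for a complete, validated, non-empty NOERROR response."""
    if len(wire) < 12:
        return False
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    if not flags & QR or flags & TC:
        return False          # not a response, or truncated
    if flags & RCODE_MASK:
        return False          # e.g. SERVFAIL, which a validator returns for bogus data
    if not flags & AD:
        return False          # insecure: signed zone without a chain to the parent
    return ancount > 0


if __name__ == "__main__":
    samples = {               # constructed headers, not captured traffic
        "validated answer": build_header(0x81A0, 1),
        "signed zone, no DS in parent (AD clear)": build_header(0x8180, 1),
        "bogus signature (SERVFAIL)": build_header(0x8182, 0),
    }
    print("query:", openpgpkey_owner("hugh@example.com"), "type OPENPGPKEY")
    for name, wire in samples.items():
        verdict = "import" if dane_acceptable(wire) else "reject"
        print(f"{name}: {verdict}")
```

The second sample corresponds to the situation in the report: the zone has a key but no anchor in the parent, so a validating resolver answers with the AD bit clear.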
