2025-08-08T02:39:04  <matrix-o-o> <Firstyear (Firstyear)> acidsys: 1.7.1 was accepted so you should be able to update
2025-08-08T12:21:57  *** teepee_ is now known as teepee
2025-08-08T16:18:13  <acidsys> cboltz: I think 3 out of the 4 OPENPGPKEY in opensuse.org might just be invalid, I found one of the four to parse just fine and correspond to "openSUSE Project Signing Key <opensuse@opensuse.org>" - however to the one which expired in 2024
2025-08-08T16:19:02  <cboltz> oh, nice[tm]
2025-08-08T16:19:41  <acidsys> so I have my doubts that people are actually [still] using this for DANE with @opensuse.org .. it's a nice to have but the people who have their keys in the zone should then also keep track and ask for them to be updated
2025-08-08T16:20:19  <acidsys> I submitted https://github.com/StackExchange/dnscontrol/pull/3718 to support it but I think it is fine to drop all of them in the meanwhile
2025-08-08T16:22:10  <cboltz> I slightly doubt that these keys are used for DANE - I'm not too familiar with DANE, but AFAIK it would use a TLSA record in _25._tcp.opensuse.org
2025-08-08T16:22:38  <cboltz> they are probably meant for people who want to get the key into their gpg keyring
2025-08-08T16:23:25  <cboltz> (and: yes, dropping outdated and invalid keys makes sense)
2025-08-08T16:23:28  <cboltz> BTW: did you find a sane way to "download" and decode these keys?
2025-08-08T16:24:49  <acidsys> yes for discovery of keys, but according https://datatracker.ietf.org/doc/html/rfc7929 that method is also called DANE (and it's how one calls it in gpg --auto-key-locate too)
2025-08-08T16:28:11  <cboltz> so there are two different things called DANE? Could be from the "how to confuse people" manual... ;-)
2025-08-08T16:29:03  <acidsys> well to properly "download" the key one can use gpg but needs to know the email address behind the hash, if I add the RR for the project signing key in my test server with a fake email address it "discovers" it using `gpg --auto-key-locate clear,nodefault,dane --locate-keys` but complains "gpg: key B88B2FD43DBDC284: new key but contains no user ID - skipped" which I assume is because my
2025-08-08T16:29:05  <acidsys> fake email address does not match the uid. I did not spend more time to try setting up a fake opensuse@opensuse.org zone
2025-08-08T16:29:43  <acidsys> but if you `gpg --auto-key-locate dane --locate-keys opensuse@opensuse.org` on the inernet you will get it
2025-08-08T16:30:10  <matrix-o-o> <knurpht - Gertjan> cboltz: Yes, there is the type of DOG, and a person from DANMARK 🤣
2025-08-08T16:31:11  <cboltz> DOG? It's international _cat_ day today!
2025-08-08T16:31:24  <cboltz> (the animal, not the linux command)
2025-08-08T16:31:44  <acidsys> it's not really two different things (all are "DNS-based Authentication of Named Entities"), from my understanding just the same technology used for multiple purposes
2025-08-08T16:32:57  <acidsys> oh, it's really the international cat day
2025-08-08T16:33:24  <cboltz> the difference is at least that one does lookups based on the network protocol and port, and the other is based on the (hashed) mail address
2025-08-08T16:49:43  <acidsys> sent an email for good measure
2025-08-08T23:46:14  <matrix-o-o> <Firstyear (Firstyear)> acidsys: Yeah, but it relies on DNSSEC which is .... yeah. Questionable.