authorWerner Koch <[email protected]>2015-10-06 18:31:43 +0000
committerWerner Koch <[email protected]>2015-10-06 18:31:43 +0000
commit9ac31f91b10059474da1c9580fb99e94278d4c11 (patch)
tree04f6667ad289aa69cb2b0b1e0ef01f3eed398863 /g10/call-dirmngr.c
parentdirmngr: Addlow fetching keys using OpenPGP DANE (diff)
gpg: Add new --auto-key-locate mechanism "dane".
* g10/call-dirmngr.c (gpg_dirmngr_dns_cert): Allow fetching via DANE. * g10/keyserver.c (keyserver_import_cert): Add arg "dane_mode". * g10/options.h (AKL_DANE): New. * g10/getkey.c (get_pubkey_byname): Implement AKL_DANE. (parse_auto_key_locate): Ditto. -- To test this use gpg --auto-key-locate clear,dane,local --locate-key -v [email protected] Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/call-dirmngr.c')
-rw-r--r--g10/call-dirmngr.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index 75cd51d4e..10dcb2009 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
@@ -1103,7 +1103,10 @@ dns_cert_status_cb (void *opaque, const char *line)
CERT record found with a supported type; it is expected that only
one CERT record is used. If CERTTYPE is one of the supported
certtypes, only records with this certtype are considered and the
- first one found is returned. All R_* args are optional. */
+ first one found is returned. All R_* args are optional.
+
+ If CERTTYPE is NULL the DANE method is used to fetch the key.
+ */
gpg_error_t
gpg_dirmngr_dns_cert (ctrl_t ctrl, const char *name, const char *certtype,
estream_t *r_key,
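Review bot: The added comment makes a NULL CERTTYPE select the DANE method, but it does not say what NAME must look like in that mode or which of the optional R_* outputs are filled in; the paragraph above it still describes CERT records only. Because NULL is now a mode switch rather than an invalid argument, a caller that passes an unset certtype by mistake gets a different lookup mechanism instead of an error, so the contract is worth spelling out. I would extend the comment with one sentence on the expected form of NAME in DANE mode (presumably a mail address, as in the test command in the commit message) and one on which R_* values are set. The function body continues outside this hunk.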
@@ -1129,7 +1132,7 @@ gpg_dirmngr_dns_cert (ctrl_t ctrl, const char *name, const char *certtype,
if (err)
return err;
- line = es_bsprintf ("DNS_CERT %s %s", certtype, name);
+ line = es_bsprintf ("DNS_CERT %s %s", certtype? certtype : "--dane", name);
if (!line)
{
err = gpg_error_from_syserror ();
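Review bot: `name` is formatted into the Assuan command line without any check on the changed `es_bsprintf` line, so a value containing a space or a line break would change how the `DNS_CERT` arguments are split on the dirmngr side. Now that the first argument can be the option `--dane`, a name beginning with `--` might also be read as an option rather than as the lookup name. Whether the callers or the transport already filter such input is not visible here. I would reject it before the line is built, for example `if (!*name || strpbrk (name, " \t\r\n")) return gpg_error (GPG_ERR_INV_NAME);`, placed ahead of the context setup so that nothing needs releasing. The start and end of the function are outside this hunk.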