As I now have secured my DNS server with DNSSEC, I was able to publish my public PGP key also via DNS. There are two different possibilities to do that:
PKA (public key association)
This puts a pointer where to obtain a key into a TXT record. At the same time that can be used to verify that a key belongs to a mail address. You can find more about that here (only in German).
My DNS TXT record looks like that:
1 |
michael._pka.urspringer.de TXT "v=pka1;fpr=7F3F203B94F85C3B7969BF58C5F5860FF6160414;uri=http://www.urspringer.de/media/Michael_Urspringer.asc" |
The part before “._pka.” is the local part of my mail address (“michael”) and the part after “._pka.” is the domain name “urspringer.de”. The “v=pka;” specifies the version of PKA (currently V1). The value “fpr=7F3F203B94F85C3B7969BF58C5F5860FF6160414” is the finger print of my PGP key. The value “uri=http://www.urspringer.de/media/Michael_Urspringer.asc” specifies the URL where my PGP public key can be downloaded.
You can test if it is working e.g. with gpg like that:
1 |
echo "foo" | gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt --armor --auto-key-locate pka -r michael@urspringer.de |
OPENPGPKEY
With an OPENPGPKEY resource record the complete key is stored in DNS. You need to have a Bind9 version of 9.9.7 or 9.10.2 and newer.
The name under which the record is located is built up as described below:
- the local part of the email address associated with the key, hashed with the SHA2-256 hash function and truncated to the first 28 octets;
- the _openpgpkey label;
- the domain part of the email address.
- The record data is the PGP public key
It looks something like that:
1 |
34550715062af006ac4fab288de67ecb44793c3a05c475227241535f._openpgpkey IN OPENPGPKEY (mQINBFWs.....QR5d) |
To create that record you can use the tool on this website. Just put in your PGP public key, select “Standard (OPENPGPKEY)” as output format and click on “Generate”.
You can test if it is working with OPENPGPKEY.info.