Saturday, December 4, 2010

Part II: Adding SSH Public Keys to DNS

A fairly quick one: you'll need sshfp (available in EPEL for CentOS) installed.

You just need to type:
sshfp -s
which should give a response like:
IN SSHFP 1 1 c4d55ccbc4fdd2f4304586d6cdc4ad6fca5c743e
IN SSHFP 2 1 7b504855c13277490992dea7091537d0f9bfdb1d
You just need to add these lines to your DNS zone for

To get SSH to check these keys, you'll need to modify your /etc/ssh/ssh_config or ~/.ssh/config to include
VerifyHostKeyDNS true
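To show what the sshfp tool's output actually is, and what ssh does with it once VerifyHostKeyDNS is set, here is an added example (not part of the original post, and not the sshfp tool's code) that builds an SSHFP record from an OpenSSH public-key line and checks a published record against a presented key. The ssh-rsa blob at the bottom is a constructed, non-functional key used only to exercise the code; host.example.net is an assumed name.

```python
"""Generate and check SSHFP records (RFC 4255; the SHA-256 fingerprint type is from
RFC 6594) from an OpenSSH public-key line. Added example, not the post's own code
and not the sshfp tool; the key at the bottom is a constructed toy blob."""
import base64
import hashlib
import struct

# Algorithm numbers from the SSHFP RDATA registry.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (what the post's sshfp output uses), 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def fingerprint_of_blob(blob: bytes, fp_type: int) -> str:
    """An SSHFP fingerprint is a hash of the raw key blob, i.e. the base64-decoded field."""
    return FP_TYPES[fp_type](blob).hexdigest()


def sshfp_record(owner: str, pubkey_line: str, fp_type: int = 1) -> str:
    """Zone-file line 'owner IN SSHFP <alg> <type> <hex>' for one public-key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGORITHMS[key_type]
    return f"{owner} IN SSHFP {algo} {fp_type} {fingerprint_of_blob(blob, fp_type)}"


def verify_sshfp(record: str, pubkey_line: str) -> bool:
    """Does a published record match the key a server actually presented?
    This is the comparison ssh performs after resolving the SSHFP record."""
    fields = record.split()
    if len(fields) < 3:
        return False
    try:
        algo, fp_type = int(fields[-3]), int(fields[-2])
    except ValueError:
        return False
    key_type, b64 = pubkey_line.split()[:2]
    if SSHFP_ALGORITHMS.get(key_type) != algo or fp_type not in FP_TYPES:
        return False
    return fingerprint_of_blob(base64.b64decode(b64), fp_type) == fields[-1].lower()


def _ssh_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 if top bit set
    return _ssh_string(raw)


# Constructed toy key: correct ssh-rsa wire format but deliberately tiny numbers and
# no private half. It exists only so the functions above have something to hash.
CONSTRUCTED_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE)
CONSTRUCTED_KEY_LINE = "ssh-rsa " + base64.b64encode(CONSTRUCTED_BLOB).decode() + " toy@example"


if __name__ == "__main__":
    for fp_type in (1, 2):
        rec = sshfp_record("host.example.net.", CONSTRUCTED_KEY_LINE, fp_type)
        print(rec, verify_sshfp(rec, CONSTRUCTED_KEY_LINE))
```

On a real host, `ssh-keygen -r hostname` produces the same records from /etc/ssh/ssh_host_*_key.pub. Two caveats worth knowing: ssh only trusts a DNS fingerprint silently when the answer was DNSSEC-validated, otherwise VerifyHostKeyDNS behaves like "ask" and merely notes that a matching fingerprint was found; and the type 1 records above are SHA-1, so publish the type 2 (SHA-256) form as well where your client supports it.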

Wednesday, December 1, 2010

Adding GPG public keys to your DNS

Recently I read a couple of interesting posts which outlined how to add GPG public keys to a zone file.

Reasons for wanting a GPG key in DNS:

  • It's a nice way for people who wish to get your GPG key to obtain it.
  • It won't typically get blocked by firewalls; I have had major problems in the past getting hkp etc. working through firewalls.
  • I prefer hosting the key myself as opposed to using or similar (lack of control).

There are three methods to do this - I'll go into detail on two:

  1. Use the pka record (TXT-type record) which gives a URI to the location of your key; http/finger etc.
  2. PGP Cert record.
  3. IPGP Cert Record (Won't go into much detail on this).

PKA Record:
This is the quickest/easiest method, however it is just a pointer to the cert, which I'm not keen on.
It can co-exist with the PGP Cert record, so I do it mostly for completeness' sake.

Find your GPG key, export the public section & take note of the fingerprint.
gpg --list-keys
gpg --list-keys --fingerprint D4164694
gpg --export --armour D4164694 >
You need to make the .asc file available to the public (http), then construct your DNS record:
IN TXT "v=pka1;fpr=B830A1A76A1A87C84C95B06C7476F7AFD4164694\;uri="
That's it!

PGP Cert Records:
You need the program 'make-dns-cert', which is not packaged for Debian/Ubuntu or CentOS, but it is a single .c file distributed with the gnupg source. I have made it available here (you just need to run 'gcc make-dns-cert.c -o make-dns-cert').

Assuming you have a copy of your key from the previous step, you just need to type:
make-dns-cert -n -k
This will output a single (very long) line, which you can put directly into your zone file.
Note the address I used above, ''. When referring to email addresses in DNS zones, the @ is replaced by a period. To avoid copy & paste mistakes, I would suggest appending the above output to the zone file directly and then modifying the serial by hand.

Once you reload DNS, you can test that everything is working using the following commands:
dig +short TXT
dig +short CERT
Note: if you wish your gpg installation to automatically search DNS for GPG keys, you must make the following modification to gpg.conf (typically ~/.gnupg/gpg.conf):
auto-key-locate cert pka
This will ensure it attempts to get the cert first, then falls back to pka. You can also add other methods (such as hkp://) for it to fall further back on.
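The two record types above are simple enough to build by hand, which is the easiest way to see what make-dns-cert is doing. The following is an added example (my code, not the post's and not make-dns-cert) that dearmours an exported public key, checks its CRC24 trailer so a bad paste is caught before it reaches the zone, and emits the PKA TXT record, the PGP CERT record, and the RFC 3597 TYPE37 form of the CERT record. The key bytes are a constructed placeholder, alice@example.net and the URI are invented, and the fingerprint is the one from the post.

```python
"""Build the PKA TXT record and the PGP CERT record for a zone file from an
ASCII-armoured public key. Added example, not the post's code and not make-dns-cert;
DEMO_KEY is constructed placeholder bytes (a real run would read the .asc file
exported with gpg) and alice@example.net is an invented address."""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
CERT_TYPE_PGP = 3          # RFC 4398 certificate type "PGP"


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes) -> str:
    """Wrap raw key bytes the way 'gpg --export --armor' does (no Version header)."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + body
                     + [crc_line, "-----END PGP PUBLIC KEY BLOCK-----"])


def dearmor(text: str) -> bytes:
    """Strip the armor, decode the body and verify the CRC24 trailer. The CERT
    record carries the raw bytes, so a corrupt paste is caught here, not in DNS."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armoured block")
    body = lines[1:-1]
    if "" in body:                           # drop 'Version:' style armor headers
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    data = base64.b64decode("".join(body[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC24 mismatch: armoured key is corrupt")
    return data


def armor_is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def dns_owner(email: str) -> str:
    """user@example.net -> user.example.net. (the @ becomes a dot in the zone)."""
    local, domain = email.split("@")
    return f"{local}.{domain}."


def key_id(fingerprint: str) -> str:
    """The short key id gpg prints is the last 8 hex digits of the fingerprint."""
    return fingerprint.replace(" ", "").upper()[-8:]


def pka_record(email: str, fingerprint: str, uri: str) -> str:
    """PKA pointer record; both ';' are escaped so no zone parser reads a comment."""
    fpr = fingerprint.replace(" ", "").upper()
    return f'{dns_owner(email)} IN TXT "v=pka1\\;fpr={fpr}\\;uri={uri}"'


def cert_record(email: str, key_data: bytes, generic: bool = False) -> str:
    """CERT record holding the key itself. generic=True gives the RFC 3597 TYPE37
    form (type 3, key tag 0, algorithm 0, then the key) for name servers that
    predate CERT support; the default is the readable presentation format."""
    owner = dns_owner(email)
    if generic:
        rdata = CERT_TYPE_PGP.to_bytes(2, "big") + b"\x00\x00" + b"\x00" + key_data
        return f"{owner} IN TYPE37 \\# {len(rdata)} {rdata.hex()}"
    return f"{owner} IN CERT PGP 0 0 {base64.b64encode(key_data).decode()}"


def zone_lines(email: str, armored_key: str, fingerprint: str, uri: str) -> list:
    """Everything to append to the zone (then bump the SOA serial by hand)."""
    key_data = dearmor(armored_key)
    return [pka_record(email, fingerprint, uri), cert_record(email, key_data)]


# Constructed placeholder: 0x99 is the usual first byte of an OpenPGP public-key
# packet, the rest is filler. Not a real key.
DEMO_KEY = b"\x99\x00\x03\x04\x05"
DEMO_FPR = "B830A1A76A1A87C84C95B06C7476F7AFD4164694"   # fingerprint from the post

if __name__ == "__main__":
    for line in zone_lines("alice@example.net", armor(DEMO_KEY), DEMO_FPR,
                           "https://example.net/alice.asc"):
        print(line)
```

A real exported key produces a CERT line several kilobytes long, which is why the post suggests appending it to the zone rather than retyping it. The dig commands above confirm the record made it into DNS; since auto-key-locate fetches from DNS that is not DNSSEC-signed unless you have set that up, still compare the fingerprint out of band before trusting a key obtained this way.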

Quick note about IPGP keys:
Since you can only have one cert record for an email address, and IPGP is similar to the PKA record, in so far as it's a pointer, I prefer going with the easy (TXT Record) PKA & PGP Cert Record.

I read various sites while setting this up, but I found to be the most complete resource for the above.