Reasons for wanting a GPG key in DNS:
- It's a nice way for people who wish to get your GPG key to obtain it.
- It won't typically get blocked by firewalls; I had major problems in the past getting hkp etc. working through the firewall.
- I prefer hosting the key myself as opposed to using subkeys.pgp.net or similar (lack of control).
There are three methods to do this; I'll go into detail on two:
- A PKA record (a TXT record) which gives a URI pointing to the location of your key (http, finger, etc.).
- A PGP CERT record, which carries the key itself.
- An IPGP CERT record (won't go into much detail on this).
PKA Records:
This is the quickest/easiest method; however, it is just a pointer to the key, which I'm not keen on.
It can co-exist with the PGP CERT record, so I do it mostly for completeness' sake.
Find your GPG key, export the public section, and take note of the fingerprint:
gpg --list-keys
gpg --list-keys --fingerprint D4164694
gpg --export --armour D4164694 > D4164694.pub.asc
You need to make the .asc file available to the public (over http), then construct your DNS record. The fpr field is the full 40-hex-digit fingerprint with the spaces removed, and the record lives at <local part>._pka.<domain>:
seanos._pka.seanos.net. IN TXT "v=pka1;fpr=B830A1A76A1A87C84C95B06C7476F7AFD4164694\;uri=http://elk.red-hat.eu/keys/D4164694.pub.asc"
That's it!
PGP Cert Records:
You need the program 'make-dns-cert', which is not packaged on Debian/Ubuntu or CentOS, but is a single .c file distributed with the gnupg source (under tools/). I have made it available here (it just requires you to do 'gcc make-dns-cert.c -o make-dns-cert').
Assuming you have a copy of your key from the previous step, you just need to type:
make-dns-cert -n seanos.seanos.net. -k D4164694.pub.asc
This will output a single (very long) line, which you can put directly into your zone file.
Note that the address I used above is 'seanos.seanos.net': when referring to email addresses in DNS zones, the @ is replaced by a period. make-dns-cert hex-encodes the file you hand it byte for byte into the CERT RDATA, so the record is exactly as large as the export; RFC 4398 specifies binary OpenPGP data for the PGP CERT type, so exporting without --armour (and with the export-minimal export option to drop third-party signatures) keeps the record small. To avoid copy-and-paste screwups, I would suggest appending the output to the zone file directly and then bumping the serial by hand.
Once you reload DNS, you can test everything is working using the following commands:
dig +short seanos._pka.seanos.net. TXT
dig +short seanos.seanos.net CERT
Note that if you wish your gpg installation to automatically search DNS for GPG keys, you must add the following line to gpg.conf (typically ~/.gnupg/gpg.conf):
auto-key-locate cert pka
This makes gpg try the CERT record first, then fall back to PKA; you can also append other methods (such as hkp://subkeys.pgp.net) for it to fall further back on.
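The two records above are built by hand and by make-dns-cert; the following is an added example (not code from the original post, and not gpg's or make-dns-cert's own code) that reimplements both record formats in Python so you can see exactly what goes on the wire and run the one check worth doing before publishing: that the fpr= in the PKA record really is the fingerprint of the key served in the CERT record. It assumes a constructed, non-functional OpenPGP public-key packet in place of a real 'gpg --export' blob; the owner names and URI are the ones from this post.

```python
import base64
import hashlib
import re
import struct

CERT_TYPE_PGP = 3          # RFC 4398 section 2.1: certificate type "PGP"
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def sample_key_packet():
    """Constructed sample: a minimal OpenPGP v4 public-key packet (RFC 4880 5.5.2)
    with a tiny, meaningless RSA modulus. It is NOT a usable key; it only gives
    realistic bytes to fingerprint and pack into a CERT record. For a real key
    use the binary output of "gpg --export KEYID" (no --armour)."""
    n = 0xC2F3A1B5D7E9F1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF01  # constructed
    e = 65537
    body = b"\x04" + struct.pack(">I", 1262304000) + b"\x01"  # v4, created 2010-01-01, RSA
    for mpi in (n, e):
        body += struct.pack(">H", mpi.bit_length()) + mpi.to_bytes((mpi.bit_length() + 7) // 8, "big")
    # Old-format header 0x99 = tag 6 (public key) with a two-octet length,
    # which is the header gpg writes for exported keys.
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(key_blob):
    """SHA-1 over 0x99, the two-octet body length and the body of the first
    public-key packet (RFC 4880 12.2). Assumes the two-octet old-format header."""
    if key_blob[0] != 0x99:
        raise ValueError("expected an old-format public-key packet header (0x99)")
    (length,) = struct.unpack(">H", key_blob[1:3])
    return hashlib.sha1(key_blob[:3 + length]).hexdigest().upper()


def pka_record(local_part, domain, fingerprint, uri):
    """Zone-file line for a PKA TXT record. The '@' of user@domain becomes a
    label boundary and '_pka' is inserted: user._pka.domain."""
    fingerprint = fingerprint.replace(" ", "").upper()
    if not FPR_RE.match(fingerprint):
        raise ValueError("fingerprint must be the full 40-hex-digit v4 fingerprint")
    return f'{local_part}._pka.{domain}. IN TXT "v=pka1;fpr={fingerprint};uri={uri}"'


def parse_pka(txt_rdata):
    """Parse the TXT string of a PKA record (surrounding quotes and '\\;' escapes tolerated)."""
    fields = {}
    for item in txt_rdata.strip('"').replace("\\;", ";").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    if fields.get("v") != "pka1" or not FPR_RE.match(fields.get("fpr", "")):
        raise ValueError("not a valid pka1 record")
    return fields


def cert_rdata(key_blob):
    """CERT RDATA (RFC 4398 section 2): type=3 (PGP), key tag=0, algorithm=0, then
    the raw binary OpenPGP key. Key tag and algorithm carry no meaning for PGP."""
    return struct.pack(">HHB", CERT_TYPE_PGP, 0, 0) + key_blob


def cert_generic_line(name, key_blob):
    """RFC 3597 generic syntax (TYPE37 \\# length hex), the shape make-dns-cert prints."""
    rdata = cert_rdata(key_blob)
    return f"{name} IN TYPE37 \\# {len(rdata)} {rdata.hex().upper()}"


def cert_bind_line(name, key_blob):
    """BIND's native CERT presentation: mnemonic, key tag, algorithm, base64 key."""
    return f"{name} IN CERT PGP 0 0 {base64.b64encode(key_blob).decode()}"


def parse_cert_rdata(rdata):
    """Split CERT RDATA back into the key bytes, refusing non-PGP certificate types."""
    cert_type, _key_tag, _alg = struct.unpack(">HHB", rdata[:5])
    if cert_type != CERT_TYPE_PGP:
        raise ValueError(f"CERT type {cert_type} is not PGP (3)")
    return rdata[5:]


def pka_matches_cert(txt_rdata, rdata):
    """Pre-publication cross-check: the fpr= in the PKA record is what a client
    uses to reject a fetched key that is not yours, so it must equal the
    fingerprint of the key actually served in the CERT record (and at the URI)."""
    return parse_pka(txt_rdata)["fpr"] == v4_fingerprint(parse_cert_rdata(rdata))


if __name__ == "__main__":
    key = sample_key_packet()
    fpr = v4_fingerprint(key)
    txt = pka_record("seanos", "seanos.net", fpr, "http://elk.red-hat.eu/keys/D4164694.pub.asc")
    print(txt)
    print(cert_generic_line("seanos.seanos.net.", key))
    print(cert_bind_line("seanos.seanos.net.", key))
    print("PKA fpr matches CERT key:", pka_matches_cert(txt.split(" IN TXT ", 1)[1], cert_rdata(key)))
```

Swap sample_key_packet() for the bytes of your real binary export and the generic TYPE37 line should match what make-dns-cert prints for the same file; the CERT PGP line is the equivalent in BIND's own syntax, which is easier to read in a zone file.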
Quick note about IPGP keys:
Since you can only have one CERT record for an email address, and IPGP is similar to the PKA record in so far as it's a pointer, I prefer going with the easy PKA TXT record plus a PGP CERT record.
I read various sites while setting this up, but found http://www.gushi.org/make-dns-cert/HOWTO.html to be the most complete resource for the above.