Wednesday, December 1, 2010

Adding GPG public keys to your DNS

Recently I read a couple of interesting posts outlining how to add GPG public keys to a DNS zone file.

Reasons for wanting a GPG key in DNS:

  • It's a convenient way for anyone who wants your GPG key to obtain it.
  • It won't typically get blocked by firewalls; I have had major problems in the past getting hkp etc. working through a firewall.
  • I prefer hosting the key myself rather than using or similar (lack of control).

There are three methods to do this; I'll go into detail on two:

  1. The PKA record (a TXT record), which carries the key fingerprint plus a URI pointing to the location of the key itself (http, finger, etc.).
  2. The PGP CERT record, which carries the key itself in the DNS.
  3. The IPGP CERT record, which, like PKA, is only a pointer (I won't go into much detail on this).

PKA Record:
This is the quickest and easiest method; however, it is only a pointer to the key, which I'm not keen on.
It can co-exist with the PGP CERT record, so I do it mostly for completeness' sake.

Find your GPG key, export the public part, and take note of the fingerprint:
gpg --list-keys
gpg --list-keys --fingerprint D4164694
gpg --export --armour D4164694 >
Make the resulting .asc file available to the public (http), then construct your DNS record. The owner name of a PKA record is the local part of the address, then the label _pka, then the domain (for user@example.com that is user._pka.example.com), and the semicolons in the TXT data are backslash-escaped so that a zone-file parser cannot mistake them for the start of a comment:
IN TXT  "v=pka1\;fpr=B830A1A76A1A87C84C95B06C7476F7AFD4164694\;uri="
That's it!

PGP Cert Records:
You need the program 'make-dns-cert', which is not packaged on Debian/Ubuntu or CentOS but is a small C program distributed in the GnuPG source tree (tools/make-dns-cert.c). I have made it available here (it only requires 'gcc make-dns-cert.c -o make-dns-cert').

Assuming you have an exported copy of your key, you just need to run the following. For a CERT record use the binary export (gpg --export D4164694 with no --armour): RFC 4398 defines the PGP CERT payload as the raw OpenPGP key, not ASCII armour.
make-dns-cert -n -k
This outputs a single (very long) line which you can put directly into your zone file. It uses the generic TYPE37 syntax (\# length hex), so it is accepted even by name servers that do not know the CERT type by name.
Note the address I used above, '': when an email address is used as a DNS owner name, the @ is replaced by a period. To avoid copy-and-paste mistakes, I'd suggest appending the output directly to the zone file and then bumping the serial by hand.

Once you reload DNS, you can test that everything is working with the following commands (an older dig that does not know the CERT type will print the record in the same \# length hex form, which is fine):
dig +short TXT
dig +short CERT
Note, if you want your gpg installation to search DNS for keys automatically, you must make the following modification to gpg.conf (typically ~/.gnupg/gpg.conf):
auto-key-locate cert pka
This makes gpg try the CERT record first, then fall back to PKA; you can also add other methods (such as hkp://) for it to fall back on further. (This post is from 2010: later GnuPG releases, 2.3 onward, dropped the pka method in favour of wkd and dane, so check the auto-key-locate documentation for the gpg version you run.)
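To make the record construction concrete, here is an added example in POSIX shell (not from the original post, and not the make-dns-cert tool itself) that builds both records from an exported binary key file and checks a CERT answer fetched with dig. The address alice@example.com, the fingerprint and the URI are hypothetical placeholders, and the key file used in the demo is a constructed stand-in, not a real OpenPGP key.

```shell
#!/bin/sh
# Added example: build the PKA TXT record and the PGP CERT record from an
# exported *binary* public key (gpg --export KEYID > key.bin, no --armour)
# without make-dns-cert. Address, fingerprint and URI are hypothetical.

# PKA TXT record. The owner name is <localpart>._pka.<domain>; the ';' field
# separators are backslash-escaped so a zone-file parser cannot mistake them
# for the start of a comment.
pka_txt_record() {
    # $1 = e-mail address, $2 = 40-hex-digit fingerprint, $3 = URI of the .asc
    lp=${1%@*}
    dom=${1#*@}
    printf '%s._pka.%s. IN TXT "v=pka1\\;fpr=%s\\;uri=%s"\n' "$lp" "$dom" "$2" "$3"
}

# Owner name for the CERT record: the '@' in the address becomes a '.'.
cert_owner() {
    printf '%s.' "$1" | tr '@' '.'
}

# CERT record in RFC 3597 generic syntax (TYPE37 \# length hex), the form
# make-dns-cert emits so that servers without native CERT support accept it.
# RDATA = certificate type 3 (PGP), key tag 0, algorithm 0, then the raw key
# bytes, so the RDATA length is the key length plus 5.
cert_record_generic() {
    # $1 = e-mail address, $2 = binary key file
    klen=$(wc -c < "$2" | tr -d ' ')
    khex=$(od -A n -v -t x1 "$2" | tr -d ' \n')
    printf '%s IN TYPE37 \\# %d 0003000000%s\n' "$(cert_owner "$1")" $((klen + 5)) "$khex"
}

# The same record in the presentation syntax of a CERT-aware server
# ("CERT PGP 0 0 <base64 of the key>").
cert_record_base64() {
    # $1 = e-mail address, $2 = binary key file
    printf '%s IN CERT PGP 0 0 %s\n' "$(cert_owner "$1")" "$(base64 < "$2" | tr -d '\n')"
}

# Check the hex part of a TYPE37 answer as printed by "dig +short": accept
# only the PGP/0/0 header and print the key bytes (hex) that follow it.
check_cert_rdata() {
    # $1 = hex RDATA, spaces allowed (e.g. "0003 0000 0061 6263")
    h=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    case $h in
        0003000000*) printf '%s\n' "${h#0003000000}"; return 0 ;;
        *) printf 'not a PGP CERT record (want type 3, tag 0, alg 0)\n' >&2; return 1 ;;
    esac
}

# Demo with a constructed stand-in for the key file (not a real OpenPGP key):
#   sh gpgdns.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf 'NOT-A-REAL-KEY' > "$tmp"
    pka_txt_record alice@example.com 0123456789ABCDEF0123456789ABCDEF01234567 https://example.com/alice.asc
    cert_record_generic alice@example.com "$tmp"
    cert_record_base64 alice@example.com "$tmp"
    rm -f "$tmp"
fi
```

Feed cert_record_generic the binary export rather than the .asc; the TXT line goes in as printed, and the generic TYPE37 line is what you append to the zone before bumping the serial.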

Quick note about IPGP records:
Since you will typically publish just one CERT record per address, and IPGP, like PKA, is only a pointer, I prefer the easy PKA TXT record plus the full PGP CERT record.

I read various sites while setting this up, but I found  to be the most complete resource for the above.


  1. Note that I managed to rewrite the make-dns-cert tool as a shell script, as part of my howto, figuring that a not-compiled-by-default C program was too inaccessible.

    -Dan Mahoney

  2. The CERT key of is not working. You can try with auto-key-locate and verbose, the result is

    gpg: error retrieving `' via DNS CERT: Invalid keyring
    gpg: skipped: Invalid keyring