Wednesday, December 1, 2010

Adding GPG public keys to your DNS

Recently I read a couple of interesting posts which outlined how to add GPG public keys to a zone file.

Reasons for wanting GPG key in DNS:

  • It's a nice way for people who wish to get your GPG key to obtain it.
  • It won't typically get blocked by firewalls, had major problems in past getting hkp etc. working through the firewall.
  • I prefer hosting the key myself as opposed to using or similar (lack of control).

There are three methods to do this - I'll go into detail on two:

  1. Use the pka record (TXT-type record) which gives a URI to the location of your key; http/finger etc.
  2. PGP Cert record.
  3. IPGP Cert Record (Won't go into much detail on this).

PKA Record:
This is the quickest/easiest method, however it is just a pointer to the cert, which I'm not keen on.
It can co-exist with the PGP Cert record, so I do it for completeness sake mostly.

Find your GPG key, export the public section & take note of the fingerprint.
gpg --list-keys
gpg --list-keys --fingerprint D4164694
gpg --export --armour D4164694 >
You need to make the .asc file available to the public (http), then construct your dns record:                             IN TXT  "v=pka1;fpr=B830A1A76A1A87C84C95B06C7476F7AFD4164694\;uri="
That's it!

PGP Cert Records:
You need the program 'make-dns-cert', which is not available on Debian/Ubuntu or CentOS, but is a .c program which is distributed with gnupg. I have made it available here (just requires you to do 'gcc make-dns-cert.c -o make-dns-cert').

Assuming you have a copy of your key from the previous step, you just need to type:
make-dns-cert -n -k
This will output a single (very long) line, which you can put directly into your zone file.
Note the above address I used '', when referring to email addresses in DNS zones, the @ is replaced by a period. To stop screwups with copy & paste, would suggest appending the above output into the zone directly & then manually modify the serial.

Once you reload DNS, you can test everything is working using the following comands:
dig +short TXT
dig +short CERT
Note, if you wish your gpg installation to automatically search DNS for GPG keys, you must make the following modification to gpg.conf (typically ~/.gnupg/gpg.conf):
auto-key-locate cert pka
This will ensure it attempts to ge tthe cert first, then fallback to pka, you can also add other methods (such as hkp:// for it to fall further back on.

Quick note about IPGP keys:
Since you can only have one cert record for an email address, and IPGP is similar to the PKA record, in so far as it's a pointer, I prefer going with the easy (TXT Record) PKA & PGP Cert Record.

Read various sites while setting this up, but I found ​ to be the most complete resource for the above.


  1. Note that I managed to rewrite the make-dns-cert tool as a shell script, as part of my howto, figuring that a not-compiled-by-default C program was too inaccessable.

    -Dan Mahoney

  2. The CERT key of is not working. You can try with auto-key-locate and verbose, the result is

    gpg: error retrieving `' via DNS CERT: Invalid keyring
    gpg: skipped: Invalid keyring

  3. I was impressed with this blog, although the material is simple but the results are extraordinary

    cara menggugurkan kandungan
    obat aborsi
    kalkulator kehamilan

  4. Kohler has actually marketed this shower head to be a family enjoyment. From a mobile Link speaker to a silicone face plate that wipes Is your daily shower Heads making you sick? clean to avoid mineral accumulate.

  5. but for yards bigger compared to a quarter acre, we 'd recommend Get from Here investing a little bit a lot more on Ego Snow Blower Review – 56v Power a machine that's up to the job.