[Christoph Berg's Blog](../index.html) / [2007](../2007.html)

# OpenPGP keys in DNS

<div id="pagebody">

<div id="content">

The latest addition to the mutt CVS tree is PKA support via gpgme. While trying
to figure out how that works in mutt (I haven't yet...) I configured my DNS
server for PKA and CERT records.

## PKA

PKA (public key association) puts a pointer to where a key can be obtained into
a TXT record. At the same time, that can be used to verify that a key belongs
to a mail address. The documentation is on the
[g10code website](http://www.g10code.de/docs/pka-intro.de.pdf)
(only in German so far). I put the following into the df7cb.de zone:

<pre>
cb._pka IN TXT "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de"
</pre>

<pre>
$ host -t TXT cb._pka.df7cb.de
cb._pka.df7cb.de descriptive text "v=pka1\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\;uri=finger:cb@df7cb.de"
</pre>

Now gpg can be told to use PKA to find the key:

<pre>
$ echo foo | gpg --auto-key-locate pka --recipient cb@df7cb.de --encrypt -a
gpg: no keyserver known (use option --keyserver)
gpg: requesting key 58510B5A from finger:cb@df7cb.de
gpg: key 58510B5A: public key "Christoph Berg " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: automatically retrieved `cb@df7cb.de' via PKA
</pre>

## CERT

CERT records work similarly. Records are generated by make-dns-cert (from the
tools directory in the gnupg source). cb.gpg is a stripped-down gpg keyring
(created with pgp-clean -s and converting from .asc to .gpg).
<pre>
$ ./make-dns-cert -f D224C8B07E63A6946DA32E07C5AF774A58510B5A -n cb
cb TYPE37 \# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A
$ ./make-dns-cert -k cb.gpg -n cb
cb TYPE37 \# 1338 0003 0000 00 9901A20440 [...] 509C96D4BFF17B7
</pre>

With a newer bind and host (from backports.org!) the format looks a bit nicer;
that is also what I copied into the zone file:

<pre>
$ host -t CERT cb.df7cb.de
;; Truncated, retrying in TCP mode.
cb.df7cb.de has CERT record PGP 0 0 mQGiBECBGdAR [...] UDlCcltS/8Xtw==
cb.df7cb.de has CERT record 6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta
</pre>

Again, gpg can be told to use that:

<pre>
$ echo foo | gpg --auto-key-locate cert --recipient cb@df7cb.de --encrypt -a
gpg: key 58510B5A: public key "Christoph Berg " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: automatically retrieved `cb@df7cb.de' via DNS CERT
</pre>

Thanks to weasel for some hints on using CERT.

## SSHFP

I'm also mentioning SSHFP records here since they fit the topic; I have been
using them for some months now:

<pre>
$ host -t SSHFP tesla.df7cb.de
tesla.df7cb.de has SSHFP record 1 1 EE49B803541293656C33B86ECD781BD8F1D78AB5
tesla.df7cb.de has SSHFP record 2 1 3E82FB5EE8AA0205305F0D0186F94D6FB3E0E744
$ ssh -o 'VerifyHostKeyDNS yes' tesla.df7cb.de
The authenticity of host 'tesla.df7cb.de (88.198.227.218)' can't be established.
RSA key fingerprint is 5a:c9:38:ca:c0:2b:11:c1:c8:fb:f1:ad:73:a1:9c:8b.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
</pre>

The records are generated with ssh-keygen -r.
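As an added example (not code from the original post or from gnupg), the following Python rebuilds the type 6 (IPGP) CERT RDATA from the CERT section out of the fingerprint used above, renders it both in the `\# ...` form make-dns-cert prints and in the `6 0 0 base64` form host prints, and parses the PKA TXT string so the two records can be checked against each other before either is trusted. The function names and the cross-check are my own; the record values are the ones from this post.

```python
"""Added example (not the post's or gnupg's code): build the RFC 4398 CERT
RDATA of type IPGP that make-dns-cert -f emits, and parse what host prints
for CERT and PKA TXT records so the two can be cross-checked."""
import base64
import struct

CERT_IPGP = 6  # RFC 4398: fingerprint (+ optional URL) of an OpenPGP key

def ipgp_rdata(fpr_hex: str, uri: str = "") -> bytes:
    """Wire-format RDATA: type, key tag, algorithm, then the IPGP certificate
    (one length byte, the fingerprint, an optional URL)."""
    fpr = bytes.fromhex(fpr_hex)
    return struct.pack("!HHB", CERT_IPGP, 0, 0) + bytes([len(fpr)]) + fpr + uri.encode()

def generic_presentation(owner: str, rdata: bytes) -> str:
    """RFC 3597 '\\# length hexdata' form, grouped like make-dns-cert output."""
    parts = [rdata[:2], rdata[2:4], rdata[4:5]]
    if rdata[:2] == struct.pack("!H", CERT_IPGP):
        parts += [rdata[5:6], rdata[6:]]  # show the length byte separately
    else:
        parts.append(rdata[5:])
    hexdata = " ".join(p.hex() for p in parts).upper()
    return f"{owner} TYPE37 \\# {len(rdata)} {hexdata}"

def cert_presentation(rdata: bytes) -> tuple[int, int, int, str]:
    """RFC 4398 presentation form (type, key tag, algorithm, base64 cert)."""
    ctype, tag, alg = struct.unpack("!HHB", rdata[:5])
    return ctype, tag, alg, base64.b64encode(rdata[5:]).decode()

def parse_ipgp(b64: str) -> tuple[str, str]:
    """Recover (fingerprint, uri) from the base64 field host prints for type 6."""
    data = base64.b64decode(b64)
    n = data[0]  # 0 = URL only, 16/20/32 = fingerprint length
    if n not in (0, 16, 20, 32) or len(data) < 1 + n:
        raise ValueError("malformed IPGP certificate")
    return data[1:1 + n].hex().upper(), data[1 + n:].decode("ascii")

def parse_pka(txt: str) -> dict:
    """Split a 'v=pka1;fpr=...;uri=...' TXT string (host escapes ';' as '\\;')."""
    fields = dict(kv.split("=", 1) for kv in txt.strip('"').replace("\\;", ";").split(";") if "=" in kv)
    if fields.get("v") != "pka1" or "fpr" not in fields:
        raise ValueError("not a PKA v1 record")
    return fields

def records_agree(pka_txt: str, cert_b64: str) -> bool:
    """The PKA TXT and the IPGP CERT must name the same key; otherwise import neither."""
    return parse_pka(pka_txt)["fpr"].upper() == parse_ipgp(cert_b64)[0]
```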
</div>

</div>

<div id="footer" class="pagefooter">

<div id="pageinfo">

<div class="tags">
Tags:

[debian](../tag/debian.html)

</div>

<div class="pagedate">
Last edited <span class="date">Thu 17 Feb 2011 13:21:52 CET</span>
<!-- Created <span class="date">Thu 01 Mar 2007 20:01:27 CET</span> -->
</div>

</div>

<!-- from Christoph Berg's Blog -->