1[Christoph Berg's Blog](../index.html)/
2
3[2007](../2007.html)/
4
5</span>
6<span class="title">
7OpenPGP keys in DNS
8
9</span>
10</span>
11
12</div>
13
14<div class="actions">
15
16*   [RecentChanges](../recentchanges.html)
17*   [History](http://svn.df7cb.de/viewcvs.cgi/trunk/2007/openpgp-dns.mdwn?root=blog&view=log)
18</div>
19
20</div>
21
22<div id="pagebody">
23
24<div id="content">
25
26The latest addition to the mutt CVS tree is PKA support via gpgme. While trying
27to figure out how that works in mutt (I haven't yet...) I configured my DNS
28server for PKA and CERT records.
29
30## PKA
31
32PKA (public key association) puts a pointer where to obtain a key into a TXT
33record. At the same time that can be used to verify that a key belongs to a
34mail address. The documentation is at the
35[g10code website](http://www.g10code.de/docs/pka-intro.de.pdf)
36(only in German so far). I put the following into the df7cb.de zone:
37
38<p>
39cb._pka IN TXT "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de"
40
41<pre>
42$ host -t TXT cb._pka.df7cb.de
43cb._pka.df7cb.de descriptive text "v=pka1\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\;uri=finger:cb@df7cb.de"
44</pre>
45
46Now gpg can be told to use PKA to find the key:
47
48<pre>
49$ echo foo | gpg --auto-key-locate pka --recipient cb@df7cb.de --encrypt -a
50gpg: no keyserver known (use option --keyserver)
51gpg: requesting key 58510B5A from finger:cb@df7cb.de
52gpg: key 58510B5A: public key "Christoph Berg " imported
53gpg: Total number processed: 1
54gpg:               imported: 1
55gpg: automatically retrieved `cb@df7cb.de' via PKA
56</pre>
57
58## CERT
59
60CERT records work similarly. Records are generated by make-dns-cert (from the
61tools directory in the gnupg source). cb.gpg is a stripped-down gpg keyring
62(created with pgp-clean -s and converting from .asc to .gpg).
63
64<pre>
65$ ./make-dns-cert -f D224C8B07E63A6946DA32E07C5AF774A58510B5A -n cb
66cb      TYPE37  \# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A
67$ ./make-dns-cert -k cb.gpg -n cb
68cb      TYPE37  \# 1338 0003 0000 00 9901A20440 [...] 509C96D4BFF17B7
69</pre>
70
71With a new bind and host (backports.org!) the format looks a bit nicer, that's
72also what I copied into the zone file:
73
74<pre>
75$ host -t CERT cb.df7cb.de
76;; Truncated, retrying in TCP mode.
77cb.df7cb.de has CERT record PGP 0 0 mQGiBECBGdAR [...] UDlCcltS/8Xtw==
78cb.df7cb.de has CERT record 6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta
79</pre>
80
81Again, gpg can be told to use that:
82
83<pre>
84$ echo foo | gpg --auto-key-locate cert --recipient cb@df7cb.de --encrypt -a
85gpg: key 58510B5A: public key "Christoph Berg " imported
86gpg: Total number processed: 1
87gpg:               imported: 1
88gpg: automatically retrieved `cb@df7cb.de' via DNS CERT
89</pre>
90
91Thanks to weasel for some hints on using CERT.
92
93## SSHFP
94
95I'm also mentioning SSHFP records here since it fits in the topic - I have been
96using them for some months now:
97
98<pre>
99$ host -t SSHFP tesla.df7cb.de
100tesla.df7cb.de has SSHFP record 1 1 EE49B803541293656C33B86ECD781BD8F1D78AB5
101tesla.df7cb.de has SSHFP record 2 1 3E82FB5EE8AA0205305F0D0186F94D6FB3E0E744
102$ ssh -o 'VerifyHostKeyDNS yes' tesla.df7cb.de
103The authenticity of host 'tesla.df7cb.de (88.198.227.218)' can't be established.
104RSA key fingerprint is 5a:c9:38:ca:c0:2b:11:c1:c8:fb:f1:ad:73:a1:9c:8b.
105Matching host key fingerprint found in DNS.
106Are you sure you want to continue connecting (yes/no)?
107</pre>
108
109The records are generated with ssh-keygen -r.
110
111</div>
112
113</div>
114
115<div id="footer" class="pagefooter">
116
117<div id="pageinfo">
118
119<div class="tags">
120Tags:
121
122[debian](../tag/debian.html)
123
124</div>
125
126<div class="pagedate">
127Last edited <span class="date">Do 17 Feb 2011 13:21:52 CET</span>
128<!-- Created <span class="date">Do 01 Mär 2007 20:01:27 CET</span> -->
129</div>
130
131</div>
132
133<!-- from Christoph Berg's Blog -->
134