What is the biggest problem with PGP? Key distribution. This is well known and not new at all. What is new is the OPENPGPKEY DNS resource record, which delivers PGP public keys for mail addresses. If the zone is signed and the answer is validated with DNSSEC, a mail sender can get the correct public key for their recipient. This solves both key distribution problems: 1) the delivery of the public key and 2) the authenticity of the key itself, i.e., the assurance that you are using the correct key to encrypt a mail.
The “DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP” are specified in the experimental RFC 7929. Let’s have a look at how you can add your public key to the zone file of your DNS server.
The OPENPGPKEY Resource Record
The resource record stores the complete public key in the DNS zone file. Since common PGP keys are 2048 or even 4096 bits long, the resulting DNS answer is very large. This makes the record usable for DDoS amplification attacks. Hence the RFC states that “applications SHOULD use TCP — not UDP — to perform queries for the OPENPGPKEY resource record”. (Amplification attacks are not possible over TCP because of its three-way handshake: the large answer is only sent after the client has proven that it actually receives packets at the claimed source address.) The mail address itself is stored as the SHA-256 hash of the local-part of the address, i.e., the name before the @ sign, cut after 28 octets (56 hex characters).
Concerning security, the RFC states that “DNSSEC is not an alternative for the “web of trust” or for manual fingerprint verification by users. DANE for OpenPGP, as specified in this document, is a solution aimed to ease obtaining someone’s public key”. ;( This might be related to the fact that DNSSEC-validating DNS servers usually do not run on the personal computer or inside the mail software itself, but on a central (ISP) DNS server, so the client only sees the resolver’s “ad” flag and has to trust the path to that resolver. Hence absolute trust in the authenticity of the key cannot be guaranteed. Furthermore, at the time of writing (2017) no mail plugins support OPENPGPKEY in an easy manner. However, since I am generally interested in security features, I gave it a try.
Generation of the OPENPGPKEY RR
Similar to DANE TLSA records, Shumon Huque has an online tool for generating the appropriate OPENPGPKEY resource records. Simply paste in your mail address and your public key and you’re done. For my test mail address johannes@weberdns.de (NOT my real mail address!) this looks like the following:
1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. IN OPENPGPKEY ( mQENBFnVAMgBCADWXo3I9Vig02zCR8WzGVN4FUrexZh9OdVSjOeSSmXPH6V5 +sWRfgSvtUp77IWQtZU810EI4GgcEzg30SEdLBSYZAt/lRWSpcQWnql4LvPg oMqU+/+WUxFdnbIDGCMEwWzF2NtQwl4r/ot/q5SHoaA4AGtDarjA1pbTBxza /xh6VRQLl5vhWRXKslh/Tm4NEBD16Z9gZ1CQ7YlAU5Mg5Io4ghOnxWZCGJHV 5BVQTrzzozyILny3e48dIwXJKgcFt/DhE+L9JTrO4cYtkG49k7a5biMiYhKh LK3nvi5diyPyHYQfUaD5jO5Rfcgwk7L4LFinVmNllqL1mgoxadpgPE8xABEB AAG0MUpvaGFubmVzIFdlYmVyIChPTkxZLVRFU1QpIDxqb2hhbm5lc0B3ZWJl cmRucy5kZT6JATgEEwECACIFAlnVAMgCGwMGCwkIBwMCBhUIAgkKCwQWAgMB Ah4BAheAAAoJEOvytPeP0jpogccH/1IQNza/JPiQRFLWwzz1mxOSgRgubkOw +XgXAtvIGHQOF6/ZadQ8rNrMb3D+dS4bTkwpFemY59Bm3n12Ve2Wv2AdN8nK 1KLClA9cP8380CT53+zygV+mGfoRBLRO0i4QmW3mI6yg7T2E+U20j/i9IT1K ATg4oIIgLn2bSpxRtuSp6aJ2q91Y/lne7Af7KbKq/MirEDeSPrjMYxK9D74E ABLs4Ab4Rebg3sUga037yTOCYDpRv2xkyARoXMWYlRqME/in7aBtfo/fduJG qu2RlND4inQmV75V+s4/x9u+7UlyFIMbWX2rtdWHsO/t4sCP1hhTZxz7kvK7 1ZqLj9hVjdW5AQ0EWdUAyAEIAKxTR0AcpiDm4r4Zt/qGD9P9jasNR0qkoHjr 9tmkaW34Lx7wNTDbSYQwn+WFzoT1rxbpge+IpjMn5KabHc0vh13vO1zdxvc0 LSydhjMI1Gfey+rsQxhT4p5TbvKpsWiNykSNryl1LRgRvcWMnxvYfxdyqIF2 3+3pgMipXlfJHX4SoAuPn4Bra84y0ziljrptWf4U78+QonX9dwwZ/SCrSPfQ rGwpQcHSbbxZvxmgxeweHuAEhUGVuwkFsNBSk4NSi+7Y1p0/oD7tEM17WjnO NuoGCFh1anTS7+LE0f3Mp0A74GeJvnkgdnPHJwcZpBf5Jf1/6Nw/tJpYiP9v Fu1nF9EAEQEAAYkBHwQYAQIACQUCWdUAyAIbDAAKCRDr8rT3j9I6aDZrB/9j 2sgCohhDBr/Yzxlg3OmRwnvJlHjs//57XV99ssWAg142HxMQt87s/AXpIuKH tupEAClN/knrmKubO3JUkoi3zCDkFkSgrH2Mos75KQbspUtmzwVeGiYSNqyG pEzh5UWYuigYx1/a5pf3EhXCVVybIJwxDEo6sKZwYe6CRe5fQpY6eqZNKjkl 4xDogTMpsrty3snjZHOsQYlTlFWFsm1KA43Mnaj7Pfn35+8bBeNSgiS8R+EL f66Ymcl9YHWHHTXjs+DvsrimYbs1GXOyuu3tHfKlZH19ZevXbycpp4UFWsOk Sxsb3CZRnPxuz+NjZrOk3UNI6RxlaeuAQOBEow50 ) |
Note that the name of the resource record comes from the SHA-256 hash of “johannes”, the local-part of the mail address. With standard Linux commands you can verify that the hash is correct but cut after 28 octets = 56 characters. (Note the “-n” option, which suppresses the trailing newline; otherwise the newline would be hashed too and change the result.)
weberjoh@nb12-lxold:~$ echo -n johannes | sha256sum
1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897c84ce72b  -
Another method for generating the resource record is the openpgpkey tool from the hash-slinger package. Note: if you are using a hash-slinger version installed via apt-get install hash-slinger on an Ubuntu machine, you will probably get an outdated version such as 2.6, which encodes the mail address with SHA-224 instead of SHA-256. You must use at least version 2.7 to get correct resource records out of it (git clone https://github.com/letoams/hash-slinger.git, cd hash-slinger/, ./openpgpkey --version). When your public key resides on the same machine, the generation happens as follows:
weberjoh@nb15-lx:~/hash-slinger$ ./openpgpkey --create johannes@weberdns.de ; keyid: EBF2B4F78FD23A68 1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. IN OPENPGPKEY mQENBFnVAMgBCADWXo3I9Vig02zCR8WzGVN4FUrexZh9OdVSjOeSSmXPH6V5+sWRfgSvtUp77IWQtZU810EI4GgcEzg30SEdLBSYZAt/lRWSpcQWnql4LvPgoMqU+/+WUxFdnbIDGCMEwWzF2NtQwl4r/ot/q5SHoaA4AGtDarjA1pbTBxza/xh6VRQLl5vhWRXKslh/Tm4NEBD16Z9gZ1CQ7YlAU5Mg5Io4ghOnxWZCGJHV5BVQTrzzozyILny3e48dIwXJKgcFt/DhE+L9JTrO4cYtkG49k7a5biMiYhKhLK3nvi5diyPyHYQfUaD5jO5Rfcgwk7L4LFinVmNllqL1mgoxadpgPE8xABEBAAG0MUpvaGFubmVzIFdlYmVyIChPTkxZLVRFU1QpIDxqb2hhbm5lc0B3ZWJlcmRucy5kZT6JATgEEwECACIFAlnVAMgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOvytPeP0jpogccH/1IQNza/JPiQRFLWwzz1mxOSgRgubkOw+XgXAtvIGHQOF6/ZadQ8rNrMb3D+dS4bTkwpFemY59Bm3n12Ve2Wv2AdN8nK1KLClA9cP8380CT53+zygV+mGfoRBLRO0i4QmW3mI6yg7T2E+U20j/i9IT1KATg4oIIgLn2bSpxRtuSp6aJ2q91Y/lne7Af7KbKq/MirEDeSPrjMYxK9D74EABLs4Ab4Rebg3sUga037yTOCYDpRv2xkyARoXMWYlRqME/in7aBtfo/fduJGqu2RlND4inQmV75V+s4/x9u+7UlyFIMbWX2rtdWHsO/t4sCP1hhTZxz7kvK71ZqLj9hVjdW5AQ0EWdUAyAEIAKxTR0AcpiDm4r4Zt/qGD9P9jasNR0qkoHjr9tmkaW34Lx7wNTDbSYQwn+WFzoT1rxbpge+IpjMn5KabHc0vh13vO1zdxvc0LSydhjMI1Gfey+rsQxhT4p5TbvKpsWiNykSNryl1LRgRvcWMnxvYfxdyqIF23+3pgMipXlfJHX4SoAuPn4Bra84y0ziljrptWf4U78+QonX9dwwZ/SCrSPfQrGwpQcHSbbxZvxmgxeweHuAEhUGVuwkFsNBSk4NSi+7Y1p0/oD7tEM17WjnONuoGCFh1anTS7+LE0f3Mp0A74GeJvnkgdnPHJwcZpBf5Jf1/6Nw/tJpYiP9vFu1nF9EAEQEAAYkBHwQYAQIACQUCWdUAyAIbDAAKCRDr8rT3j9I6aDZrB/9j2sgCohhDBr/Yzxlg3OmRwnvJlHjs//57XV99ssWAg142HxMQt87s/AXpIuKHtupEAClN/knrmKubO3JUkoi3zCDkFkSgrH2Mos75KQbspUtmzwVeGiYSNqyGpEzh5UWYuigYx1/a5pf3EhXCVVybIJwxDEo6sKZwYe6CRe5fQpY6eqZNKjkl4xDogTMpsrty3snjZHOsQYlTlFWFsm1KA43Mnaj7Pfn35+8bBeNSgiS8R+ELf66Ymcl9YHWHHTXjs+DvsrimYbs1GXOyuu3tHfKlZH19ZevXbycpp4UFWsOkSxsb3CZRnPxuz+NjZrOk3UNI6RxlaeuAQOBEow50 |
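The owner-name derivation and the zone-file layout described above, as an added example; this is not code from the original post, from Shumon Huque’s tool or from hash-slinger. It follows RFC 7929 (SHA-256 of the local-part, truncated to 28 octets, under _openpgpkey.<domain>) and uses constructed stub bytes in place of a real key.

```python
import base64
import hashlib
import textwrap

# Added example, not code from the original post or from hash-slinger: derive the
# OPENPGPKEY owner name as RFC 7929 describes and render the zone-file record.


def openpgpkey_owner(address: str) -> str:
    """Owner name for a mail address: SHA-256 of the local-part, truncated to
    28 octets (56 hex chars), placed under _openpgpkey.<domain>. Absolute name."""
    local_part, domain = address.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}."


def openpgpkey_record(address: str, key_bytes: bytes, ttl: int = 3600) -> str:
    """Multi-line zone-file record: base64 RDATA in parentheses, 60 chars/line."""
    b64 = base64.b64encode(key_bytes).decode("ascii")
    body = "\n".join(f"    {chunk}" for chunk in textwrap.wrap(b64, 60))
    return f"{openpgpkey_owner(address)} {ttl} IN OPENPGPKEY (\n{body} )"


def record_rdata(record: str) -> bytes:
    """Parse the presentation form back into the binary key (the reverse of
    openpgpkey_record), so a published record can be compared with a local key."""
    inner = record.split("OPENPGPKEY", 1)[1].strip(" ()\n")
    return base64.b64decode("".join(inner.split()), validate=True)


def matches_query_name(address: str, qname: str) -> bool:
    """True if the name handed to dig is the right one for this address."""
    return qname.rstrip(".").lower() == openpgpkey_owner(address).rstrip(".")


if __name__ == "__main__":
    # Constructed stand-in for key material; NOT a real OpenPGP key.
    stub_key = bytes([0x99, 0x01, 0x0D]) + bytes(range(45))
    print(openpgpkey_owner("johannes@weberdns.de"))
    print(openpgpkey_record("johannes@weberdns.de", stub_key))
```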
Check It
Now you can use dig or any other DNS tool to query the name. Again, note that you need the hashed version of your local-part, cut after 56 characters, plus the “_openpgpkey” label, such as the following for “johannes”:
1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de
Here is an example. Note the “ad” flag in the flags line (line 7 of the output), which shows that the answer has been validated by DNSSEC. And, of course, the resulting output is quite long, not only because of the RRSIG (as always) but even more because of the OPENPGPKEY record itself:
weberjoh@nb15-lx:~$ dig 1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de openpgpkey +multi +dnssec +noadditional +noauthority ; <<>> DiG 9.10.3-P4-Ubuntu <<>> 1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de openpgpkey +multi +dnssec +noadditional +noauthority ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4200 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. IN OPENPGPKEY ;; ANSWER SECTION: 1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. 3586 IN OPENPGPKEY ( mQENBFnVAMgBCADWXo3I9Vig02zCR8WzGVN4FUrexZh9 OdVSjOeSSmXPH6V5+sWRfgSvtUp77IWQtZU810EI4Ggc Ezg30SEdLBSYZAt/lRWSpcQWnql4LvPgoMqU+/+WUxFd nbIDGCMEwWzF2NtQwl4r/ot/q5SHoaA4AGtDarjA1pbT Bxza/xh6VRQLl5vhWRXKslh/Tm4NEBD16Z9gZ1CQ7YlA U5Mg5Io4ghOnxWZCGJHV5BVQTrzzozyILny3e48dIwXJ KgcFt/DhE+L9JTrO4cYtkG49k7a5biMiYhKhLK3nvi5d iyPyHYQfUaD5jO5Rfcgwk7L4LFinVmNllqL1mgoxadpg PE8xABEBAAG0MUpvaGFubmVzIFdlYmVyIChPTkxZLVRF U1QpIDxqb2hhbm5lc0B3ZWJlcmRucy5kZT6JATgEEwEC ACIFAlnVAMgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B AheAAAoJEOvytPeP0jpogccH/1IQNza/JPiQRFLWwzz1 mxOSgRgubkOw+XgXAtvIGHQOF6/ZadQ8rNrMb3D+dS4b TkwpFemY59Bm3n12Ve2Wv2AdN8nK1KLClA9cP8380CT5 3+zygV+mGfoRBLRO0i4QmW3mI6yg7T2E+U20j/i9IT1K ATg4oIIgLn2bSpxRtuSp6aJ2q91Y/lne7Af7KbKq/Mir EDeSPrjMYxK9D74EABLs4Ab4Rebg3sUga037yTOCYDpR v2xkyARoXMWYlRqME/in7aBtfo/fduJGqu2RlND4inQm V75V+s4/x9u+7UlyFIMbWX2rtdWHsO/t4sCP1hhTZxz7 kvK71ZqLj9hVjdW5AQ0EWdUAyAEIAKxTR0AcpiDm4r4Z t/qGD9P9jasNR0qkoHjr9tmkaW34Lx7wNTDbSYQwn+WF zoT1rxbpge+IpjMn5KabHc0vh13vO1zdxvc0LSydhjMI 1Gfey+rsQxhT4p5TbvKpsWiNykSNryl1LRgRvcWMnxvY fxdyqIF23+3pgMipXlfJHX4SoAuPn4Bra84y0ziljrpt Wf4U78+QonX9dwwZ/SCrSPfQrGwpQcHSbbxZvxmgxewe HuAEhUGVuwkFsNBSk4NSi+7Y1p0/oD7tEM17WjnONuoG 
CFh1anTS7+LE0f3Mp0A74GeJvnkgdnPHJwcZpBf5Jf1/ 6Nw/tJpYiP9vFu1nF9EAEQEAAYkBHwQYAQIACQUCWdUA yAIbDAAKCRDr8rT3j9I6aDZrB/9j2sgCohhDBr/Yzxlg 3OmRwnvJlHjs//57XV99ssWAg142HxMQt87s/AXpIuKH tupEAClN/knrmKubO3JUkoi3zCDkFkSgrH2Mos75KQbs pUtmzwVeGiYSNqyGpEzh5UWYuigYx1/a5pf3EhXCVVyb IJwxDEo6sKZwYe6CRe5fQpY6eqZNKjkl4xDogTMpsrty 3snjZHOsQYlTlFWFsm1KA43Mnaj7Pfn35+8bBeNSgiS8 R+ELf66Ymcl9YHWHHTXjs+DvsrimYbs1GXOyuu3tHfKl ZH19ZevXbycpp4UFWsOkSxsb3CZRnPxuz+NjZrOk3UNI 6RxlaeuAQOBEow50 ) 1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. 3586 IN RRSIG OPENPGPKEY 8 4 3600 ( 20171103154507 20171004144507 32058 weberdns.de. sZrO5X6FIuRTMw1UdQ2IOTWxNjUH+VfO0Ho5xel+fMD5 tIYm2bQO5jsBdKRsGia+UfuMkmWSA+e+GHDsPlUKlDj7 ZEGyiXXjtirvHIoQ/rRxwHIspdPFsHFd8xb1ZhAkCM1e SwwrPKVfIZV10euxb7ejoQSkPf4u6zNCMBh2pPQ= ) ;; Query time: 2 msec ;; SERVER: 2003:de:2016:120::a08:53#53(2003:de:2016:120::a08:53) ;; WHEN: Fri Oct 06 16:09:43 CEST 2017 ;; MSG SIZE rcvd: 2477 |
And this was just a 2048-bit PGP key. ;) I have another one with 4096 bits for the test mail address ludwig@weberdns.de, which looks like this:
weberjoh@nb15-lx:~$ dig faae1b97e57e3e121216948b8dda2a429ea72d6dd81c164f227dc6a1._openpgpkey.weberdns.de openpgpkey +multi +dnssec +noadditional +noauthority ; <<>> DiG 9.10.3-P4-Ubuntu <<>> faae1b97e57e3e121216948b8dda2a429ea72d6dd81c164f227dc6a1._openpgpkey.weberdns.de openpgpkey +multi +dnssec +noadditional +noauthority ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9434 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;faae1b97e57e3e121216948b8dda2a429ea72d6dd81c164f227dc6a1._openpgpkey.weberdns.de. IN OPENPGPKEY ;; ANSWER SECTION: faae1b97e57e3e121216948b8dda2a429ea72d6dd81c164f227dc6a1._openpgpkey.weberdns.de. 3600 IN OPENPGPKEY ( mQINBFnWqkYBEAC7zGWHvK87anwlSTpx7L3R80IQ0op3 flxXE9R30fNywqG4hYlcbinROq7TEeyjxsPtJopn5oGO ZX9yUSB20B5GKSfifETVIjVZmWI/pi0s70VDL4ekJJqF vucGVMw/yT/kwJsTjMN/7zyhId7lqZOLyUS53SBwbD6p 8ef+qyj/8mfv0bMJLiYjTyN23NSLsEe2mNJVRaIKueJv TIkht+yOQHRve8FtOFX3NSIun//PPu1u4KYSc1Ydcc2z nwplGtBGKP3/bmq/KsdhElcTxdyAY4H1U1nEqg+jw7bG iPstBdzcO24j3I+bDIqQbS/lcnaPywsI9UxB4d2rgWTM VcMjxibV9pYRoYOHMhd3ZF0F7xImFjk8ZEp5mSqMz99z BWCqayHBcQT8KIi3mAQ30paKK78Gmi+KvMA2+KvXDn/0 x5N8vYvRia7bNJFDHdry6MyMTb8mzh6AvF9uTBeDOwYz r3fQy6COyg5B6XUquzGxIjTKFXUaS8LWIx0OtepKsDw5 vvkZQp7b266EUtJ9uPFDSTNMJVxFNAc/mnl0uP8UJWOv Q65g7mTQRHC6qVuUEgwfwSQKNhgAQqUTlD9Y7CoI7kq3 z9IVC0KQOCD0P2wiIZIODKJ1SilwHGICvl2zyXIhuiUt 8EwLvs6lgeYSqwIfmIOG5Y/zcMilcdU5H9oSIwARAQAB tCFMdWR3aWcgV2ViZXIgPGx1ZHdpZ0B3ZWJlcmRucy5k ZT6JAjgEEwECACIFAlnWqkYCGwMGCwkIBwMCBhUIAgkK CwQWAgMBAh4BAheAAAoJECPSdZ+7KPOAw3QP/1j7FrhU /oj+LFqef94gDHg5FInoSr0Q6GG1+k1q950x0UKqR2Fx xR2fzbN+YQs9v+xDDyXque7HqiGmqFTarHsA33JPt3Hd DBupRhKlZ1x4ObfsOsXY4T8uS0gauPdzAK2mtJDs/lfA dwFP5ycMgPwlmF/u1H3deKKMWVmsRmPv4zK4UNIH2ixg wawenv8z/2xW1dhv6Da/RX3+8OsfDTXZM1lbQEBC6/zd sHSViGiKMjC4LiUGll0eg8wPn9OYoQX8Ukv/I+LJygqA yGjj8hzE/3t9rxZtUPLck6Cj4S3pGJbhl8x3D0RjVQ2H 
tK6BR5U6svq0KuKmZLaXKrw7V/L/vFYPCa1Bf6Pw6iUq Gu06CS3yknIMPro+bSsK89c+Kj86IgsztucKOq1WrcPR 0WYe2lQCHwK73jCxua/MugUyEFhm65wB/f8bxX3oQ07I HWo0Ry4bwcWAgSMkUOkzhh1C2GfIX8JeqJERvuN9W0Ge bWrLdPI9bKed2Y6W3kHiteSs2+DjxJ+mcmssS6oBTOPv +RcI+3qL/GnWGzyGjgWXUme4IEvw/2P17k3guZ3lT78l e7iS0ui8+C7HMND6PQK/as2N8EbjWIH5fWyIXzXIezt8 jxcKiXtQUBWheLQajlccA8rJ9GDi65B67KWkt+3XE9L6 O1aaBI9vbHmIRzqEuQINBFnWqkYBEAC3GyOdhX0ZV8ld dH4MON7dgkEIEMqv1sRxQU28f8/jDn2HKoJynekYKpJF /zBG5CR5QaULnu4ov2JzZAZwu1p1MfPD/glBZUbJ+Bon CJbLXk/YhCP17Z0Kv9lRgXZMMzSFOkyN9PkPqG2MkEiE H8lEYb/Tvffa2TU3kVjLy944UTuxcMIwi2yi9RRkl2U9 cFmF6sPqfLXmsgfBCnN1/TlrgYWmZ0/iyAuZj62XDm2O TouVvPGtx8nf4p+vvvm3M13KLh83jlUU+dZLstW/QKPe qMiFvmHKMkev0ikWzl0wuaXdTyFgatuPtUgvO6hmPKiN poWP8roFf/DjS3EtlJYEM7tGPQxtEBnvHSUOZIqFVZ9k Y9ksvAKPpWJ1M2tAMkxELSdYkXoAPk4plibo965DYBgB u3O2SYUpMVg5sxyxlzkHFj2/Hjr46/VpdwgAtjIXkUoJ KaHKwog0XTfZovskWSZNrXazqvBxfvwvDUQfChTa1pp+ RbX0cd5i6+XNGUvIiHfHj63ws8Utmn5TeWFCWK0X6vto t7ieEmmzE/wYsj9mwviE0gb4a7GlceQMyw2zl0TL6gI0 GNmakLg52CJTXDkJVd00+RwmgUR3KeSRkLoWCqDSLva6 cPs9A+wobYe75RabuI4bnzfg047CXO2BYU9cTcs6UtOr QQMjT2yGRwARAQABiQIfBBgBAgAJBQJZ1qpGAhsMAAoJ ECPSdZ+7KPOA8LAP/1m4asSR3iFvGk1puj0UY/93QioG vTyqwQv7foGGME1gsU48rEsJe39zHtkK+8nTg9byRf/B BtUEG92BPlO93gebiBFYcqU9KVGH+afR9yLDHSyAC76O bo/extEJ/0AouPS/PVfOmy1RhWl6se6w8+JACDoJXRMX kRVH5GGdxzSrc07VoHxUp48dQ76UBBoB4eySi4keJ+Z5 dwpkOV6cFDX2tlGH2yUeOtUt4Wq+GxFUSkIMsQyeUhAt +ytF5bGeBS11oqHPgtSBJz67YzH7p27twanFbKOj9AxT vGy31R42DTcZJ/NUfxKAEr3oBEcwiy/ilHXPp+5ak7Bw CucSW9ydxX8u8wsOHStZmoWQ94NhPBvRzd2SM4mvMPHy 6kz6jWLzlU/aIMIQH45m/QMPCF2Qxhe6yf9m+0kKFmOk yzQdv3fgpEVWyW3mMTT0TbStaLGFgzh1kBu3L+F26goC 4xBAkXC1fh1FuTAOAngvrnsrzy4mLGozTMn8YtuccmyW WW/ggvC3ZJSDutJXLyHSa+2abock8YfSH7D2NUamOeUQ dkG1SSzPeaHLcqyiRdwVqMLwM955ol4nvyxNgKcW1QJ2 1VD2HDTPjRd31Vh3uRafR/AnicxN0K1lwNYJhuJlBUBI 9yUFVvvDpb02XMRXo2VoVgs1dxktJ2ENCwlaor8w ) faae1b97e57e3e121216948b8dda2a429ea72d6dd81c164f227dc6a1._openpgpkey.weberdns.de. 
3600 IN RRSIG OPENPGPKEY 8 4 3600 ( 20171104220234 20171005210234 32058 weberdns.de. Ko5DPyizB0OXadVmM/mHODr9sob3tTumoSQxIOnSrDbP vvODX9wbli6S1YNE9NqALdupWxDWR3YFO6WNDfXtwE6H +9cDezvMIT55aUW6vaKJ1FPD34KoGCWSdMu17ey5h+Vq q/kxHq6cSG87iNseNzl6l0Y8/3aZeCJsq0I3m24= ) ;; Query time: 6 msec ;; SERVER: 2003:de:2016:120::a08:53#53(2003:de:2016:120::a08:53) ;; WHEN: Fri Oct 06 16:14:12 CEST 2017 ;; MSG SIZE rcvd: 3485 |
If you’re searching for an online tool you can use openpgpkey.info. After entering a valid mail address you’ll get its public PGP key.
Conclusion
It seems to be a nice feature for solving the key distribution problem of OpenPGP, at least for delivering the keys, even though the authenticity is not fully trustworthy. However, as long as no big-player mail programs support the OPENPGPKEY record, PGP will still only be used by a few individuals.
(I am using the Enigma plugin for roundcube webmail. I have added a feature request for it. If someone has coding skills and some free time … ;))
Links
Some German articles covering OPENPGPKEY:
- Golem.de – Domain Name System speichert PGP-Schlüssel (Domain Name System stores PGP keys)
- sys4.de – PGP-Schlüssel einfach und sicher verteilen (Distributing PGP keys simply and securely)
- sys4.de – OPENPGPKEY mit Unix Bordmitteln (OPENPGPKEY with standard Unix tools)
Featured image “Der letzte macht das Licht aus 359/365” by Dennis Skley is licensed under CC BY-ND 2.0.
Just want to note that you don’t need to use extra software or a special website to generate the DNS record if you already use GnuPG (GPG) on your computer.
All you need to do is to run
gpg2 --export-options export-dane --export
and the output will be the DNS record. However, you might need to replace “TYPE61 \# 894” with “OPENPGPKEY” since GPG’s implementation was written when the RR type didn’t exist yet. ;-)

PS: Put your key ID after --export (the blog software cut that off ;-) )

Two of the links don’t work, here are the correct links:
https://sys4.de/blog/pgp-schluessel-einfach-und-sicher-verteilen/
https://sys4.de/blog/openpgpkey-mit-unix-bordmitteln/
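The rewrite from GnuPG’s generic “TYPE61 \# <length> <hex>” output to the OPENPGPKEY presentation format, as mentioned in the comment above, as an added example (not the commenter’s or GnuPG’s code). It assumes the generic record uses RFC 3597 unknown-type syntax with the hex RDATA possibly spread over several lines inside parentheses; the sample record is constructed with 8 bytes of stub RDATA, not a real key.

```python
import base64

# Added example: rewrite a generic "TYPE61 \# <len> <hex>" record (RFC 3597
# syntax, as produced by GnuPG's export-dane output) as OPENPGPKEY.


def generic_to_openpgpkey(record: str) -> str:
    """Return the record in OPENPGPKEY presentation form (base64 RDATA).

    Accepts the owner name, optional TTL/class tokens, the generic type field
    and hex RDATA that may be split over lines inside parentheses. The declared
    octet count is checked against the decoded hex before anything is emitted.
    """
    tokens = record.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 4:
        raise ValueError("record too short")
    owner, rest = tokens[0], tokens[1:]
    if "TYPE61" not in rest:
        raise ValueError("no TYPE61 field")
    i = rest.index("TYPE61")
    prefix = rest[:i]  # e.g. ["3600", "IN"], kept verbatim
    if rest[i + 1:i + 2] != ["\\#"]:
        raise ValueError("expected RFC 3597 '\\#' marker after TYPE61")
    declared = int(rest[i + 2])
    raw = bytes.fromhex("".join(rest[i + 3:]))
    if len(raw) != declared:
        raise ValueError(f"declared {declared} octets, hex decodes to {len(raw)}")
    if "IN" not in prefix:
        prefix.append("IN")
    rdata = base64.b64encode(raw).decode("ascii")
    return " ".join([owner, *prefix, "OPENPGPKEY", rdata])


# Constructed sample in the generic format with 8 bytes of stub RDATA; the
# first octet 0x99 mimics an OpenPGP public-key packet tag, but this is not a key.
SAMPLE_GENERIC = (
    "1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. "
    "TYPE61 \\# 8 (\n\t99000504\n\t0a0b0c0d\n\t)"
)

if __name__ == "__main__":
    print(generic_to_openpgpkey(SAMPLE_GENERIC))
```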
Thank you for this post! It was the only resource I could find on the internet to help complete one of my school’s programming assignments. You provided some very clear and concise background on how the entire process worked.