DNS record for finding a key from an e-mail address

Mire, John jmire at lsuhsc.edu
Tue Mar 15 15:56:36 CET 2016

On 3/14/2016 20:18, Doug Barton wrote:
> On 03/14/2016 03:25 PM, Mire, John wrote:
>> On 3/14/2016 15:38, Doug Barton wrote:
>> I think there is a system in place that works pretty well, keys are
>> not 'siloed' in one place but are distributed to every keyserver for
>> the public to see, it's the sks openpgp keyservers.
> I'm having trouble understanding your response, sorry. Are you saying 
> that the DNS method involving the fingerprint and retrieval from the key 
> server is better, or are you saying that no DNS method is necessary at all?
DNS is distributed from a hierarchical model from the top down; in its
nature it's siloed.  So, for example john.doe.com, doug.barton.com and
john.mire.com: each site has its pgp key info in its dns server(s), no
one else would have that info.  If your site was DDoS'd, I couldn't
automatically get your public key from dns.john.mire.com or
dns.john.doe.com and vice versa unless we set up secondary zones; it's
not automatic and it has very little redundancy.  In the keyserver
world, if your keyserver was DDoS'd, you could get your info from
keyserver.john.mire.com or keyserver.john.doe.com or any other
keyserver, if you knew the address.  Also, as far as DR (disaster
recovery) is concerned, if you didn't bring your keyserver(s) back up,
your info would still be available and you could move forward, unlike
your dns, unless you offloaded it.
This view is from my experience at work: we have about 8500 people,
that's a lot of entries already in dns for the machines; we are
authoritative for our domain and don't have secondary zones; we have one
keyserver, but if it goes down we can just use the keyserver pool.
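The thread's subject is a DNS record keyed on an e-mail address. As an added illustration (not code from the list or from either poster), the script below derives the RFC 7929 OPENPGPKEY owner name for an address and extracts the zone that must answer for it, which is the single authoritative zone John's "siloed" point refers to; the sample address is constructed.

```python
import hashlib


def openpgpkey_owner_name(address: str) -> str:
    """Return the DNS owner name at which RFC 7929 places the OPENPGPKEY
    record for an e-mail address.

    The local part is hashed with SHA-256 as-is (RFC 7929 applies no case
    folding to it); the first 28 octets of the digest, as lowercase hex,
    form a label under _openpgpkey in the address's own domain.  Because the
    name lives under the owner's domain, only that domain's authoritative
    servers (and any secondaries it configures) can answer the query.
    """
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    # DNS names compare case-insensitively; lowercasing the domain here is a
    # presentation choice of this example, not an RFC 7929 requirement.
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"


def zone_for_owner_name(name: str) -> str:
    """Return the zone (everything after the hashed label and _openpgpkey)
    whose authoritative servers the lookup depends on."""
    _label, sep, rest = name.partition("._openpgpkey.")
    if not sep or not rest:
        raise ValueError(f"not an OPENPGPKEY owner name: {name!r}")
    return rest


if __name__ == "__main__":
    # Constructed sample address, not one taken from the thread.
    name = openpgpkey_owner_name("john.doe@example.com")
    print(name)
    print("served only by the authoritative servers of:", zone_for_owner_name(name))
```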