DNS record for finding a key from an e-mail address

Andrew Gallagher andrewg at andrewg.com
Tue Mar 15 17:47:06 CET 2016


On 15/03/16 14:56, Mire, John wrote:
> 
> DNS is distributed from a hierarchical model from the top down, in its
> nature it's siloed.  So, for example john.doe.com, doug.barton.com and
> john.mire.com, each site has its pgp key info in its DNS server(s), no
> one else would have that info.  If your site was DDS'd, I couldn't
> automatically get your public key from dns.john.mire.com or
> dns.john.doe.com and vice versa unless we set up secondary zones, it's
> not automatic and it has very little redundancy.

"Secondary zones"? If you mean secondary nameservers, you must enjoy
living on the edge if you don't have them set up already. Your hosting
provider will often give them to you for free. I have five.

DNS is a distributed cache, so it's much more difficult to DDOS your DNS
records than it is to DDOS your website. And if you're being DDOSed you
have bigger problems.

The advantage of putting a key in DNS is that it can make use of the
DNSSEC chain of trust. A user may wish to configure their client to
regard such keys as valid in the absence of a traditional PGP trust path
(yes, there are important caveats with the DNSSEC security model, but
it's nowhere near as broken as X509). This contrasts with the
keyservers, where the presence of a key implies no validation whatsoever.

But. DNS typically has a very high latency (often measured in hours), so
one should probably also check the keyservers for revocations before
placing any trust in a DNSSEC-validated key. So the keyservers and
DNSSEC each provide features that the other does not, and can be
regarded as complementary.

A
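As an added example, not part of Andrew's post and not GnuPG's own code: the script below shows the two pieces of the approach discussed above, the DNS lookup name derived from an e-mail address and the trust decision that combines a DNSSEC-validated DNS answer with a keyserver revocation check. The owner-name scheme is the one RFC 7929 specifies for OPENPGPKEY records (the thread does not name the record type, so this is an assumption of the example); the resolver and keyserver answers are constructed stand-ins so the code runs offline, and the fingerprints used are placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Set, Tuple


def openpgpkey_owner_name(email: str) -> str:
    """Return the DNS owner name to query for an address's OPENPGPKEY record.

    Follows the RFC 7929 scheme (an assumption of this example): SHA-256 of
    the local part, truncated to 28 octets (56 hex characters), placed as a
    label under _openpgpkey.<domain>. The local part is hashed exactly as
    given here (no case folding), so publisher and querier must agree on it.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain.lower()}."


@dataclass
class DnsAnswer:
    """Constructed stand-in for a validating resolver's answer (no network)."""
    fingerprint: Optional[str]   # fingerprint of the key in the record, if any
    dnssec_validated: bool       # resolver set the AD flag on the answer


@dataclass
class KeyserverAnswer:
    """Constructed stand-in for an HKP keyserver's answer (no network)."""
    fingerprint: Optional[str]
    revoked: bool


def evaluate_key(dns: DnsAnswer,
                 keyserver: Optional[KeyserverAnswer],
                 web_of_trust: Set[str]) -> Tuple[Optional[str], str]:
    """Combine the DNS and keyserver views into one trust verdict.

    Rules, following the reasoning in the post:
      * a DNSSEC-validated DNS answer may stand in for a PGP trust path;
      * presence on a keyserver, or an unvalidated DNS answer, proves nothing;
      * DNS caches lag by hours, so a revocation seen on a keyserver wins
        over a still-cached DNS record.
    """
    fp = dns.fingerprint
    if fp is None and keyserver is not None:
        fp = keyserver.fingerprint
    if fp is None:
        return None, "no key found"
    # Revocation is checked first: a key its owner has revoked is dead
    # regardless of how it was discovered or validated.
    if keyserver is not None and keyserver.fingerprint == fp and keyserver.revoked:
        return fp, "revoked"
    if fp in web_of_trust:
        return fp, "valid (PGP trust path)"
    if dns.fingerprint != fp or not dns.dnssec_validated:
        return fp, "unverified"
    if keyserver is None:
        return fp, "valid (DNSSEC; revocation not checked)"
    return fp, "valid (DNSSEC; no revocation on keyserver)"


if __name__ == "__main__":
    print("query:", openpgpkey_owner_name("hugh@example.com"))
    # Constructed scenario: the key is still in signed DNS, but the keyserver
    # has already seen its revocation, so the DNS copy must not be trusted.
    verdict = evaluate_key(
        DnsAnswer(fingerprint="FP-PLACEHOLDER-1", dnssec_validated=True),
        KeyserverAnswer(fingerprint="FP-PLACEHOLDER-1", revoked=True),
        web_of_trust=set(),
    )
    print("verdict:", verdict)
```

The `dnssec_validated` flag stands for the AD bit a validating resolver sets; a client that reads it over an untrusted path to the resolver gains nothing, so in practice the validation has to happen locally or over a protected channel to the resolver.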



More information about the Gnupg-users mailing list