Where to put "export-pka" output in DNS?

Wiktor Kwapisiewicz wiktor at metacode.biz
Wed Oct 3 22:12:15 CEST 2018


Hi Kees,

> I want to make use of PKA, I saw a few blogs [1] where they did this in
> TXT DNS records. However, this seems to not work anymore. When I issue
> `gpg2 --export-options export-pka --export $keyid` I get an output. But
> it's unclear where I should put this output in DNS. A TXT record? Or a
> CERT record [2]? Something else? I would like to hear some comments
> about this.
> 
> The TXT record method has my preference since I do not have CERT records
> at my registrar. Is there some official documentation about this?

Yes, it's a TXT record, such as this (for user at example.com):

user._pka.example.com.  TXT
"v=pka1;fpr=D2063054549295F3349037FFFBBE5A30624BB249;uri=http://example.com/key.asc"

see examples here:
http://www.gushi.org/make-dns-cert/HOWTO.html

Note that if you have your own domain and HTTPS set up it would be
better to utilize the Web Key Directory, that is enabled by default in
modern GnuPG and used by some e-mail clients automatically
(thunderbird/enigmail, outlook/gpgol).

Export your binary key (gpg --export user at example.com > key.gpg) and get
the hash (gpg --list-keys --with-wkd user at example.com) and copy your key
to https://example.com/.well-known/openpgpkey/hu/$hash, replace
example.com and $hash with your values. Then "gpg --locate-key
user at example.com" will download the key from your web server.

More details here: https://wiki.gnupg.org/WKD

Kind regards,
Wiktor

> 
> [1] https://keyserver.mattrude.com/guides/public-key-association/
> [2] https://slxh.nl/blog/2016/pgp-and-dns/
> 
> 
> --
> Kind regards,
> Kees de Jong  |  OpenPGP fingerprint: 0x0E45C98AB51428E6
> 


-- 
https://metacode.biz/@wiktor
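
The two mechanisms discussed in this thread, as an added worked example that is not part of the original messages and is not GnuPG's own code: it builds and validates the PKA TXT record shown above, and it computes the WKD hashed user-id from the local part using the mapping in the WKD draft (lowercase the local part, SHA-1 it, z-base-32 encode the digest), producing the direct-method URL of the form https://example.com/.well-known/openpgpkey/hu/$hash. The function names and the sample address user@example.com are assumptions; the fingerprint and URI come from the record quoted in the reply.

```python
import hashlib
import re

# z-base-32 alphabet (RFC 6189, section 5.1.6), the encoding WKD uses for the hash
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# An OpenPGP v4 fingerprint is 160 bits, i.e. 40 upper-case hex digits
PKA_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: MSB-first 5-bit groups, no padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # zero-pad to a multiple of 5 bits (no-op for SHA-1)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD mapping (assumed from the draft): lowercase local part -> SHA-1 -> z-base-32 (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_direct_url(address: str) -> str:
    """Direct-method WKD location for an address, as used in the reply above (hypothetical helper)."""
    local_part, sep, domain = address.partition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local_part)}"


def build_pka_record(local_part: str, domain: str, fingerprint: str, uri: str) -> tuple[str, str]:
    """Return (owner name, TXT rdata) for a PKA record; rejects a malformed fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if not PKA_FPR_RE.match(fpr):
        raise ValueError(f"fingerprint must be 40 hex digits, got {fingerprint!r}")
    if ";" in uri:
        raise ValueError("';' is the PKA field separator and may not appear in the URI")
    return f"{local_part}._pka.{domain}.", f"v=pka1;fpr={fpr};uri={uri}"


def parse_pka_record(txt: str) -> dict:
    """Parse 'v=pka1;fpr=...;uri=...' and validate the version tag and fingerprint."""
    fields = {}
    for item in txt.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed PKA field: {item!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError(f"unsupported PKA version: {fields.get('v')!r}")
    if not PKA_FPR_RE.match(fields.get("fpr", "")):
        raise ValueError("PKA record carries no valid 40-hex-digit fingerprint")
    return fields


if __name__ == "__main__":
    # Record quoted in the reply (fingerprint and URI are the page's values)
    name, rdata = build_pka_record("user", "example.com",
                                   "D2063054549295F3349037FFFBBE5A30624BB249",
                                   "http://example.com/key.asc")
    print(name, "TXT", f'"{rdata}"')
    print(parse_pka_record(rdata)["fpr"])
    # WKD location for the same (constructed) address
    print(wkd_direct_url("user@example.com"))
```

The parser insists on the `v=pka1` tag and a syntactically valid fingerprint so that a stray or truncated TXT record is rejected rather than silently trusted; a client still has to compare the fingerprint against the key it fetches from the URI, since DNS without DNSSEC gives no integrity on its own. `wkd_hash` lowercases before hashing, which is why `Joe.Doe` and `joe.doe` map to the same hashed user-id.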


