Request: --export-options export-dane-modern

raf gnupg at
Wed Sep 1 08:20:05 CEST 2021


Is there any chance that a new export option could be
added (alongside or instead of export-dane) to output
"modern" Bind9 zonefile syntax (i.e. "OPENPGPKEY" rather
than "TYPE61 \# 2193", and base64 rather than hexadecimal)?

I suppose it's not important. It's just prettier.

But since DNS query tools like host and dig output
OPENPGPKEY records in base64, it would make it easier
to compare their output against gpg's output.

The reason I'm asking is that DNSSEC is so easy to
implement these days (at least with the new debian-11
which has bind-9.16+), and I've just written a DANE
management tool that makes DANE easy to implement.
So far it only handles TLSA and SSHFP. I'd like to add
support for OPENPGPKEY (i.e. calling gpg to produce the
record, and calling host to check that it's published).
I could (and probably will) get it to transform gpg's
output itself, but I thought I'd ask.


More information about the Gnupg-users mailing list