pmeerw's blog

Sat, 17 Dec 2022

PGP Key Distribution via DNSSEC: OPENPGPKEY

RFC7929 describes a way to put OpenPGP public keys into DNS using DANE. Here's an article which I shamelessly condense here...

There is a DNS resource record that stores the complete public key. I'm using ECC to bring down key size. It looks like this: 

c746aa6d791946caf1aade6dc6c5e720e6e79d650e5b882dc11a2078._openpgpkey.pmeerw.net. IN OPENPGPKEY (
                  mDMEY54vtRYJKwYBBAHaRw8BAQdAmhK78RNv+Azsrrcgnb4Ijf4JwEOfHM8D
                  paY2yy1w0oG0KlBldGVyIE1lZXJ3YWxkLVN0YWRsZXIgPHBtZWVyd0BwbWVl
                  cncubmV0PoiQBBMWCAA4FiEE5u5nS8lBNCYy5igrw5J6UWK+XtEFAmOeL7UC
                  GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQw5J6UWK+XtE+dAD/dZAp
                  If2WWK2fAQgGIxOepBr6Nj2g6Z78W25wyYiSxvIA/1VtCuCsveRGmKZ0wnuQ
                  kJP4z3v+r/XdjRJeingYSnsKuDgEY54vtRIKKwYBBAGXVQEFAQEHQPCrzg3G
                  IRhYWFdUkps1DSqmLEZ5xQX6D96jYpq28Lp1AwEIB4h4BBgWCAAgFiEE5u5n
                  S8lBNCYy5igrw5J6UWK+XtEFAmOeL7UCGwwACgkQw5J6UWK+XtGQyQD/RD1d
                  zIk/Kjnb1yKcW+GAIHkpahgEQzpk7Bcxk38ReaAA/j2ZoXGMeMNVlJdOIv7d
                  gr/Hw9ygwxInPg9Nth2wpKoB
)
The name part is the SHA-256 hash of "pmeerw". You can use the command openpgpkey --create pmeerw@pmeerw.net to create the record (install the Debian/Ubuntu hash-slinger package).

Try openpgpkey.info to query a PGP public key!

posted at: 22:49 | path: /configuration | permanent link

Made with PyBlosxom