OpenPGP keys in DNS
Christoph Berg
The latest addition to the mutt CVS tree is PKA support via gpgme. While trying to figure out how that works in mutt (I haven’t yet…) I configured my DNS server for PKA and CERT records.
PKA
PKA (public key association) stores a pointer to where a key can be obtained in a TXT record; the same record can also be used to verify that a key belongs to a mail address. The documentation is at the g10code website (only in German so far). I put the following into the df7cb.de zone:
cb._pka IN TXT "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de"
$ host -t TXT cb._pka.df7cb.de
cb._pka.df7cb.de descriptive text "v=pka1\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\;uri=finger:cb@df7cb.de"
Now gpg can be told to use PKA to find the key:
$ echo foo | gpg --auto-key-locate pka --recipient cb@df7cb.de --encrypt -a
gpg: no keyserver known (use option --keyserver)
gpg: requesting key 58510B5A from finger:cb@df7cb.de
gpg: key 58510B5A: public key "Christoph Berg" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: automatically retrieved `cb@df7cb.de' via PKA
CERT
CERT records work similarly. The records are generated by make-dns-cert (from the tools directory in the gnupg source). cb.gpg is a stripped-down gpg keyring (created with pgp-clean -s and converted from .asc to .gpg).
$ ./make-dns-cert -f D224C8B07E63A6946DA32E07C5AF774A58510B5A -n cb
cb TYPE37 \# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A
$ ./make-dns-cert -k cb.gpg -n cb
cb TYPE37 \# 1338 0003 0000 00 9901A20440 [...] 509C96D4BFF17B7
With a newer bind and host (from backports.org!) the format looks a bit nicer; that is also what I copied into the zone file:
$ host -t CERT cb.df7cb.de
;; Truncated, retrying in TCP mode.
cb.df7cb.de has CERT record PGP 0 0 mQGiBECBGdAR [...] UDlCcltS/8Xtw==
cb.df7cb.de has CERT record 6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta
Again, gpg can be told to use that:
$ echo foo | gpg --auto-key-locate cert --recipient cb@df7cb.de --encrypt -a
gpg: key 58510B5A: public key "Christoph Berg" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: automatically retrieved `cb@df7cb.de' via DNS CERT
Thanks to weasel for some hints on using CERT.
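The PKA TXT record and the IPGP-type CERT record above both carry the key fingerprint, once as a text field and once as a length-prefixed binary field (the generic \# form and the base64 presentation form are two spellings of the same 26-byte rdata). The following is an added example, not code from the original post or from gnupg: it decodes both CERT spellings, parses the pka1 TXT record, and checks that all three name the same fingerprint, which is the consistency check an operator wants before publishing such records (the sample records are constructed from the ones shown on this page):

```python
import base64
import re
# Sample records, constructed from the ones shown on this page for df7cb.de.
PKA_TXT = "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de"
CERT_GENERIC = r"\# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A"
CERT_PRESENTATION = "6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta"
CERT_TYPES = {"PGP": 3, "IPGP": 6}  # RFC 4398 type codes; newer host prints the mnemonic

def parse_pka_txt(txt):
    """Split a v=pka1 TXT record into its fields; the fpr is normalised to upper case."""
    fields = dict(part.split("=", 1) for part in txt.split(";") if part)
    if fields.get("v") != "pka1" or "fpr" not in fields:
        raise ValueError("not a usable pka1 record")
    fields["fpr"] = fields["fpr"].upper()
    return fields

def parse_generic_cert(rdata):
    """Decode RFC 3597 generic rdata ('\\# <len> <hex>') into (type, keytag, alg, data)."""
    m = re.fullmatch(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)", rdata.strip())
    if not m:
        raise ValueError("not generic rdata")
    raw = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(raw) != int(m.group(1)) or len(raw) < 5:
        raise ValueError("rdata length does not match the declared length")
    return (int.from_bytes(raw[0:2], "big"), int.from_bytes(raw[2:4], "big"),
            raw[4], raw[5:])

def parse_presentation_cert(text):
    """Decode the presentation form 'type keytag alg base64' into the same tuple."""
    ctype, keytag, alg, b64 = text.split()
    return int(CERT_TYPES.get(ctype, ctype)), int(keytag), int(alg), base64.b64decode(b64)

def decode_ipgp(data):
    """IPGP payload: one length octet, the fingerprint, then an optional URL."""
    n = data[0]
    if len(data) < 1 + n:
        raise ValueError("truncated IPGP fingerprint")
    return data[1:1 + n].hex().upper(), data[1 + n:].decode("ascii")

def cross_check(pka_txt, generic, presentation):
    """True only if the TXT record and both CERT forms name the same fingerprint."""
    fpr = parse_pka_txt(pka_txt)["fpr"]
    records = (parse_generic_cert(generic), parse_presentation_cert(presentation))
    seen = set()
    for ctype, _, _, data in records:
        if ctype != CERT_TYPES["IPGP"]:
            return False  # a full PGP key record carries no fingerprint field
        seen.add(decode_ipgp(data)[0])
    return seen == {fpr}
```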
SSHFP
I’m also mentioning SSHFP records here since they fit the topic - I have been using them for some months now:
$ host -t SSHFP tesla.df7cb.de
tesla.df7cb.de has SSHFP record 1 1 EE49B803541293656C33B86ECD781BD8F1D78AB5
tesla.df7cb.de has SSHFP record 2 1 3E82FB5EE8AA0205305F0D0186F94D6FB3E0E744
$ ssh -o 'VerifyHostKeyDNS yes' tesla.df7cb.de
The authenticity of host 'tesla.df7cb.de (88.198.227.218)' can't be established.
RSA key fingerprint is 5a:c9:38:ca:c0:2b:11:c1:c8:fb:f1:ad:73:a1:9c:8b.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
The records are generated with ssh-keygen -r.