| | | |
|---|---|---|
| author | Kali Kaneko <kali@futeisha.org> | 2015-06-08 17:00:40 -0400 |
| committer | Kali Kaneko <kali@futeisha.org> | 2015-06-08 17:00:40 -0400 |
| commit | 28ec72ebe2aac0829b11e016ab21ec52308c0854 (patch) | |
| tree | 1ddeb46cbc0af8ba57ec29c81c43ae39b52d953f /docs/OpenPGP-keys-in-DNS.md | |
| parent | 3408b93ee630e01b0905b9bfa849d611bdc52c0a (diff) | |
| parent | 18b6361d66518b5c413c5b893676b87503545274 (diff) | |
Merge branch 'release-2.0.2'
Diffstat (limited to 'docs/OpenPGP-keys-in-DNS.md')
-rw-r--r-- | docs/OpenPGP-keys-in-DNS.md | 133 |
1 files changed, 0 insertions, 133 deletions
diff --git a/docs/OpenPGP-keys-in-DNS.md b/docs/OpenPGP-keys-in-DNS.md deleted file mode 100644 index 56cb542..0000000 --- a/docs/OpenPGP-keys-in-DNS.md +++ /dev/null 
@@ -1,133 +0,0 @@ -[Christoph Berg's Blog](../index.html)/ - -[2007](../2007.html)/ - -</span> -<span class="title"> -OpenPGP keys in DNS - -</span> -</span> - -</div> - -<div class="actions"> - -* [RecentChanges](../recentchanges.html) -* [History](http://svn.df7cb.de/viewcvs.cgi/trunk/2007/openpgp-dns.mdwn?root=blog&view=log) -</div> - -</div> - -<div id="pagebody"> - -<div id="content"> - -The latest addition to the mutt CVS tree is PKA support via gpgme. While trying -to figure out how that works in mutt (I haven't yet...) I configured my DNS -server for PKA and CERT records. - -## PKA - -PKA (public key association) puts a pointer where to obtain a key into a TXT -record. At the same time that can be used to verify that a key belongs to a -mail address. The documentation is at the -[g10code website](http://www.g10code.de/docs/pka-intro.de.pdf) -(only in German so far). I put the following into the df7cb.de zone: - -<p> -cb._pka IN TXT "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de" - -<pre> -$ host -t TXT cb._pka.df7cb.de -cb._pka.df7cb.de descriptive text "v=pka1\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\;uri=finger:cb@df7cb.de" -</pre> - -Now gpg can be told to use PKA to find the key: - -<pre> -$ echo foo | gpg --auto-key-locate pka --recipient cb@df7cb.de --encrypt -a -gpg: no keyserver known (use option --keyserver) -gpg: requesting key 58510B5A from finger:cb@df7cb.de -gpg: key 58510B5A: public key "Christoph Berg " imported -gpg: Total number processed: 1 -gpg: imported: 1 -gpg: automatically retrieved `cb@df7cb.de' via PKA -</pre> - -## CERT - -CERT records work similarly. Records are generated by make-dns-cert (from the -tools directory in the gnupg source). cb.gpg is a stripped-down gpg keyring -(created with pgp-clean -s and converting from .asc to .gpg). 
- -<pre> -$ ./make-dns-cert -f D224C8B07E63A6946DA32E07C5AF774A58510B5A -n cb -cb TYPE37 \# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A -$ ./make-dns-cert -k cb.gpg -n cb -cb TYPE37 \# 1338 0003 0000 00 9901A20440 [...] 509C96D4BFF17B7 -</pre> - -With a new bind and host (backports.org!) the format looks a bit nicer, that's -also what I copied into the zone file: - -<pre> -$ host -t CERT cb.df7cb.de -;; Truncated, retrying in TCP mode. -cb.df7cb.de has CERT record PGP 0 0 mQGiBECBGdAR [...] UDlCcltS/8Xtw== -cb.df7cb.de has CERT record 6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta -</pre> - -Again, gpg can be told to use that: - -<pre> -$ echo foo | gpg --auto-key-locate cert --recipient cb@df7cb.de --encrypt -a -gpg: key 58510B5A: public key "Christoph Berg " imported -gpg: Total number processed: 1 -gpg: imported: 1 -gpg: automatically retrieved `cb@df7cb.de' via DNS CERT -</pre> - -Thanks to weasel for some hints on using CERT. - -## SSHFP - -I'm also mentioning SSHFP records here since it fits in the topic - I have been -using them for some months now: - -<pre> -$ host -t SSHFP tesla.df7cb.de -tesla.df7cb.de has SSHFP record 1 1 EE49B803541293656C33B86ECD781BD8F1D78AB5 -tesla.df7cb.de has SSHFP record 2 1 3E82FB5EE8AA0205305F0D0186F94D6FB3E0E744 -$ ssh -o 'VerifyHostKeyDNS yes' tesla.df7cb.de -The authenticity of host 'tesla.df7cb.de (88.198.227.218)' can't be established. -RSA key fingerprint is 5a:c9:38:ca:c0:2b:11:c1:c8:fb:f1:ad:73:a1:9c:8b. -Matching host key fingerprint found in DNS. -Are you sure you want to continue connecting (yes/no)? -</pre> - -The records are generated with ssh-keygen -r. 
- -</div> - -</div> - -<div id="footer" class="pagefooter"> - -<div id="pageinfo"> - -<div class="tags"> -Tags: - -[debian](../tag/debian.html) - -</div> - -<div class="pagedate"> -Last edited <span class="date">Do 17 Feb 2011 13:21:52 CET</span> -<!-- Created <span class="date">Do 01 Mär 2007 20:01:27 CET</span> --> -</div> - -</div> - -<!-- from Christoph Berg's Blog --> |
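Review bot: The merge commit message ("Merge branch 'release-2.0.2'") gives no reason for deleting docs/OpenPGP-keys-in-DNS.md outright (133 deletions, no replacement), so anyone who relied on it as the repository's only notes on locating OpenPGP keys via PKA TXT records, CERT records and `gpg --auto-key-locate pka` / `--auto-key-locate cert` will find it gone without a pointer. The removed file is plainly a scraped copy of a third-party blog post, complete with leftover page chrome (`<div id="pagebody">`, the `[RecentChanges]` action links, `<!-- from Christoph Berg's Blog -->`), so dropping it rather than keeping an unattributed copy is a reasonable call, but the reason and a link to the original post (or to wherever the project now documents DNS-based key discovery) belong in the commit message or the release notes for 2.0.2. If the project still intends to document this, a short native page would also be the place to state the caveat the copied text never gives: the `gpg` output shown imports the key on the strength of a DNS answer alone, and the "can be used to verify that a key belongs to a mail address" claim only holds when those DNS answers are themselves authenticated.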