From d1955bd267a132c24d9e64dde7a1cdb8bd9fe9c5 Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Wed, 2 Jul 2014 11:38:15 -0500 Subject: Imported Upstream version 1.2.6 --- docs/OpenPGP-keys-in-DNS.md | 133 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 docs/OpenPGP-keys-in-DNS.md (limited to 'docs/OpenPGP-keys-in-DNS.md') diff --git a/docs/OpenPGP-keys-in-DNS.md b/docs/OpenPGP-keys-in-DNS.md new file mode 100644 index 0000000..56cb542 --- /dev/null +++ b/docs/OpenPGP-keys-in-DNS.md @@ -0,0 +1,133 @@ +[Christoph Berg's Blog](../index.html)/ + +[2007](../2007.html)/ + + + +OpenPGP keys in DNS + + + + + + +
+ +* [RecentChanges](../recentchanges.html) +* [History](http://svn.df7cb.de/viewcvs.cgi/trunk/2007/openpgp-dns.mdwn?root=blog&view=log) +
+ + + +
+ +
+ +The latest addition to the mutt CVS tree is PKA support via gpgme. While trying +to figure out how that works in mutt (I haven't yet...) I configured my DNS +server for PKA and CERT records. + +## PKA + +PKA (public key association) puts a pointer where to obtain a key into a TXT +record. At the same time that can be used to verify that a key belongs to a +mail address. The documentation is at the +[g10code website](http://www.g10code.de/docs/pka-intro.de.pdf) +(only in German so far). I put the following into the df7cb.de zone: + +

+cb._pka IN TXT "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de" + +

+$ host -t TXT cb._pka.df7cb.de
+cb._pka.df7cb.de descriptive text "v=pka1\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\;uri=finger:cb@df7cb.de"
+
+ +Now gpg can be told to use PKA to find the key: + +
+$ echo foo | gpg --auto-key-locate pka --recipient cb@df7cb.de --encrypt -a
+gpg: no keyserver known (use option --keyserver)
+gpg: requesting key 58510B5A from finger:cb@df7cb.de
+gpg: key 58510B5A: public key "Christoph Berg " imported
+gpg: Total number processed: 1
+gpg:               imported: 1
+gpg: automatically retrieved `cb@df7cb.de' via PKA
+
+ +## CERT + +CERT records work similarly. Records are generated by make-dns-cert (from the +tools directory in the gnupg source). cb.gpg is a stripped-down gpg keyring +(created with pgp-clean -s and converting from .asc to .gpg). + +
+$ ./make-dns-cert -f D224C8B07E63A6946DA32E07C5AF774A58510B5A -n cb
+cb      TYPE37  \# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A
+$ ./make-dns-cert -k cb.gpg -n cb
+cb      TYPE37  \# 1338 0003 0000 00 9901A20440 [...] 509C96D4BFF17B7
+
+ +With a new bind and host (backports.org!) the format looks a bit nicer, that's +also what I copied into the zone file: + +
+$ host -t CERT cb.df7cb.de
+;; Truncated, retrying in TCP mode.
+cb.df7cb.de has CERT record PGP 0 0 mQGiBECBGdAR [...] UDlCcltS/8Xtw==
+cb.df7cb.de has CERT record 6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta
+
+ +Again, gpg can be told to use that: + +
+$ echo foo | gpg --auto-key-locate cert --recipient cb@df7cb.de --encrypt -a
+gpg: key 58510B5A: public key "Christoph Berg " imported
+gpg: Total number processed: 1
+gpg:               imported: 1
+gpg: automatically retrieved `cb@df7cb.de' via DNS CERT
+
+ +Thanks to weasel for some hints on using CERT. + +## SSHFP + +I'm also mentioning SSHFP records here since it fits in the topic - I have been +using them for some months now: + +
+$ host -t SSHFP tesla.df7cb.de
+tesla.df7cb.de has SSHFP record 1 1 EE49B803541293656C33B86ECD781BD8F1D78AB5
+tesla.df7cb.de has SSHFP record 2 1 3E82FB5EE8AA0205305F0D0186F94D6FB3E0E744
+$ ssh -o 'VerifyHostKeyDNS yes' tesla.df7cb.de
+The authenticity of host 'tesla.df7cb.de (88.198.227.218)' can't be established.
+RSA key fingerprint is 5a:c9:38:ca:c0:2b:11:c1:c8:fb:f1:ad:73:a1:9c:8b.
+Matching host key fingerprint found in DNS.
+Are you sure you want to continue connecting (yes/no)?
+
+ +The records are generated with ssh-keygen -r. + +
+ +
+ +
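Review bot: the imported docs/OpenPGP-keys-in-DNS.md still carries the blog page's navigation chrome rather than just the article: the leading `[Christoph Berg's Blog](../index.html)/` and `[2007](../2007.html)/` lines, the `* [RecentChanges](../recentchanges.html)` / `* [History](http://svn.df7cb.de/...)` list, and the run of empty lines at the end of the file. The relative links point at `../index.html` and `../recentchanges.html`, which do not exist under docs/, so strip the header and trailer down to the "OpenPGP keys in DNS" title and body and keep a one-line attribution to the original post (the History link already names the source). Two documentation gaps are worth a sentence each while the file is being cleaned up: first, the PKA and CERT sections show gpg importing key 58510B5A straight from the TXT/CERT answer (`gpg: automatically retrieved ... via PKA` / `via DNS CERT`) without saying what authenticates that DNS answer, so a reader could take a successful lookup for a trust decision; second, the SSHFP transcript ends with `Matching host key fingerprint found in DNS.` immediately followed by `Are you sure you want to continue connecting (yes/no)?`, i.e. ssh still asks for confirmation, and the text never explains that the record only becomes a trusted answer when the zone is DNSSEC-signed and the resolver validates it. A short note on DNSSEC in the introduction would cover all three record types.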