</span>
<span class="title">
OpenPGP keys in DNS
</span>
</span>
</div>
</div>
<div id="pagebody">
<div id="content">
The latest addition to the mutt CVS tree is PKA support via gpgme. While trying
to figure out how that works in mutt (I haven't yet...) I configured my DNS
server for PKA and CERT records.
## PKA
PKA (public key association) puts a pointer to where a key can be obtained into a TXT
record, together with the key's fingerprint, so the same record can be used to verify
that a key belongs to a mail address. The documentation is at the
[g10code website](http://www.g10code.de/docs/pka-intro.de.pdf)
(only in German so far). I put the following into the df7cb.de zone:
<pre>
cb._pka IN TXT "v=pka1;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A;uri=finger:cb@df7cb.de"
</pre>
<pre>
$ host -t TXT cb._pka.df7cb.de
cb._pka.df7cb.de descriptive text "v=pka1\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\;uri=finger:cb@df7cb.de"
</pre>
Now gpg can be told to use PKA to find the key:
<pre>
$ echo foo | gpg --auto-key-locate pka --recipient cb@df7cb.de --encrypt -a
gpg: no keyserver known (use option --keyserver)
gpg: requesting key 58510B5A from finger:cb@df7cb.de
gpg: key 58510B5A: public key "Christoph Berg &lt;cb@df7cb.de&gt;" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: automatically retrieved `cb@df7cb.de' via PKA
</pre>
## CERT
CERT records work similarly. Records are generated by make-dns-cert (from the
tools directory in the gnupg source). cb.gpg is a stripped-down gpg keyring
(created with pgp-clean -s and converted from .asc to .gpg).
<pre>
$ ./make-dns-cert -f D224C8B07E63A6946DA32E07C5AF774A58510B5A -n cb
cb TYPE37 \# 26 0006 0000 00 14 D224C8B07E63A6946DA32E07C5AF774A58510B5A
$ ./make-dns-cert -k cb.gpg -n cb
cb TYPE37 \# 1338 0003 0000 00 9901A20440 [...] 509C96D4BFF17B7
</pre>
With a newer bind and host (from backports.org!) the output format looks a bit nicer;
that is also what I copied into the zone file:
<pre>
$ host -t CERT cb.df7cb.de
;; Truncated, retrying in TCP mode.
cb.df7cb.de has CERT record PGP 0 0 mQGiBECBGdAR [...] UDlCcltS/8Xtw==
cb.df7cb.de has CERT record 6 0 0 FNIkyLB+Y6aUbaMuB8Wvd0pYUQta
</pre>
Again, gpg can be told to use that:
<pre>
$ echo foo | gpg --auto-key-locate cert --recipient cb@df7cb.de --encrypt -a
gpg: key 58510B5A: public key "Christoph Berg &lt;cb@df7cb.de&gt;" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: automatically retrieved `cb@df7cb.de' via DNS CERT
</pre>
Thanks to weasel for some hints on using CERT.
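As an added example (not code from this post, nor from gnupg's make-dns-cert), the following Python shows what the PKA and CERT records above actually contain: it splits the PKA TXT record into its fields, builds an IPGP CERT RDATA from the fingerprint, prints it both in the generic \# form that make-dns-cert emits and in the presentation form that host shows, and parses the presentation form back. The record values are the page's; the function names are my own.

```python
import base64
import struct

# Values taken from the records shown on the page (the author's key fingerprint).
FPR = "D224C8B07E63A6946DA32E07C5AF774A58510B5A"
PKA_TXT = "v=pka1\\;fpr=D224C8B07E63A6946DA32E07C5AF774A58510B5A\\;uri=finger:cb@df7cb.de"
CERT_IPGP = 6   # RFC 4398 CERT type IPGP: OpenPGP fingerprint plus optional URL
CERT_PGP = 3    # CERT type PGP: the whole key, what make-dns-cert -k emits


def parse_pka(txt):
    """Split a PKA TXT record into its fields; host(1) prints ';' as '\\;'."""
    fields = dict(kv.split("=", 1) for kv in txt.replace("\\;", ";").split(";") if kv)
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    return fields   # gpg fetches 'uri' and then checks the key against 'fpr'


def ipgp_rdata(fpr_hex, url=""):
    """CERT RDATA: type(2) | key tag(2) | algorithm(1) | fpr length(1) | fpr | URL.
    Key tag and algorithm are 0 for IPGP; v4 OpenPGP fingerprints are 20 bytes."""
    fpr = bytes.fromhex(fpr_hex)
    if len(fpr) != 20:
        raise ValueError("expected a 20-byte v4 fingerprint")
    return struct.pack("!HHBB", CERT_IPGP, 0, 0, len(fpr)) + fpr + url.encode()


def generic_format(owner, rdata):
    """RFC 3597 '\\#' form, the way make-dns-cert prints it for older BIND."""
    ctype, tag, alg = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:].hex().upper()
    if ctype == CERT_IPGP:            # make-dns-cert sets the length byte apart
        body = body[:2] + " " + body[2:]
    return f"{owner} TYPE37 \\# {len(rdata)} {ctype:04X} {tag:04X} {alg:02X} {body}"


def presentation_format(rdata):
    """RFC 4398 form: '<type> <key tag> <algorithm> <base64 certificate>'."""
    ctype, tag, alg = struct.unpack("!HHB", rdata[:5])
    return f"{ctype} {tag} {alg} {base64.b64encode(rdata[5:]).decode()}"


def parse_ipgp(presentation):
    """Return (fingerprint hex, url) from an IPGP CERT record in presentation form."""
    ctype, tag, alg, b64 = presentation.split()
    if int(ctype) != CERT_IPGP:
        raise ValueError("not an IPGP CERT record")
    data = base64.b64decode(b64)
    n = data[0]                       # length byte precedes the fingerprint
    return data[1:1 + n].hex().upper(), data[1 + n:].decode()
```

The 26-byte IPGP record is 2 + 2 + 1 + 1 header bytes plus the 20-byte fingerprint, which is why make-dns-cert prints `\# 26`; the base64 part of the host output is the length byte and fingerprint only.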
## SSHFP
I'm also mentioning SSHFP records here since they fit the topic; I have been
using them for some months now:
<pre>
$ host -t SSHFP tesla.df7cb.de
tesla.df7cb.de has SSHFP record 1 1 EE49B803541293656C33B86ECD781BD8F1D78AB5
tesla.df7cb.de has SSHFP record 2 1 3E82FB5EE8AA0205305F0D0186F94D6FB3E0E744
$ ssh -o 'VerifyHostKeyDNS yes' tesla.df7cb.de
The authenticity of host 'tesla.df7cb.de (88.198.227.218)' can't be established.
RSA key fingerprint is 5a:c9:38:ca:c0:2b:11:c1:c8:fb:f1:ad:73:a1:9c:8b.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
</pre>
The records are generated with ssh-keygen -r.
</div>
</div>
<div id="footer" class="pagefooter">
<div id="pageinfo">
<div class="tags">
Tags:
[debian](../tag/debian.html)
</div>
<div class="pagedate">
Last edited <span class="date">Do 17 Feb 2011 13:21:52 CET</span>
<!-- Created <span class="date">Do 01 Mär 2007 20:01:27 CET</span> -->
</div>
</div>
<!-- from Christoph Berg's Blog -->