Hi Kees,

> I want to make use of PKA, I saw a few blogs [1] where they did this in
> TXT DNS records. However, this seems to not work anymore. When I issue
> `gpg2 --export-options export-pka --export $keyid` I get an output. But
> it's unclear where I should put this output in DNS. A TXT record? Or a
> CERT record [2]? Something else? I would like to hear some comments
> about this.
> 
> The TXT record method has my preference since I do not have CERT records
> at my registrar. Is there some official documentation about this?

Yes, it's a TXT record, such as this (for u...@example.com):

user._pka.example.com.  TXT
"v=pka1;fpr=D2063054549295F3349037FFFBBE5A30624BB249;uri=http://example.com/key.asc";

see examples here:
http://www.gushi.org/make-dns-cert/HOWTO.html

Note that if you have your own domain and HTTPS set up it would be
better to utilize the Web Key Directory, which is enabled by default in
modern GnuPG and used by some e-mail clients automatically
(thunderbird/enigmail, outlook/gpgol).

Export your binary key (gpg --export u...@example.com > key.gpg), get
the hash (gpg --list-keys --with-wkd u...@example.com) and copy your key
to https://example.com/.well-known/openpgpkey/hu/$hash, replacing
example.com and $hash with your values. Then "gpg --locate-key
u...@example.com" will download the key from your web server.

More details here: https://wiki.gnupg.org/WKD

Kind regards,
Wiktor

> 
> [1] https://keyserver.mattrude.com/guides/public-key-association/
> [2] https://slxh.nl/blog/2016/pgp-and-dns/
> 
> 
> --
> Kind regards,
> Kees de Jong  |  OpenPGP fingerprint: 0x0E45C98AB51428E6
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 


-- 
https://metacode.biz/@wiktor
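Added example, not part of Wiktor's mail or of GnuPG itself: the WKD hash
that `gpg --with-wkd-hash -k <address>` prints is just the SHA-1 of the
local part (ASCII letters lowercased) encoded in z-base-32, so it can be
computed offline to check where a key has to be uploaded, and the PKA TXT
record from the mail can be generated the same way. The script below
derives both. The address Joe.Doe@Example.ORG is the worked example from
the WKD draft (draft-koch-openpgp-webkey-service); user@example.com, the
key URI http://example.com/key.asc and the fingerprint are taken from the
example record above and are placeholders, not real keys.

```python
# Added example (not from the mail or from GnuPG): compute the WKD lookup
# URL and the PKA TXT record for an address, offline, so you can verify
# what `gpg --locate-key` will fetch before publishing anything.
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by draft-koch-openpgp-webkey-service.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, MSB first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Right-pad the bit string so it splits evenly into 5-bit groups.
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD hash of a local part: SHA-1 of the ASCII-lowercased local part,
    z-base-32 encoded (always 32 characters for a 20-byte digest)."""
    lowered = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the hash plus the direct and advanced WKD URLs for an address.
    The ?l= parameter carries the original-case local part, as in the draft."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{h}?l={l}"),
    }


def pka_record(email: str, fingerprint: str, key_uri: str) -> str:
    """Build the PKA TXT record line in the form shown in the mail:
    <local>._pka.<domain>.  TXT  "v=pka1;fpr=<40 hex>;uri=<uri>"."""
    local, domain = email.rsplit("@", 1)
    fpr = fingerprint.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("fingerprint must be a 40-hex-digit v4 fingerprint")
    return f'{local}._pka.{domain}.  TXT  "v=pka1;fpr={fpr};uri={key_uri}"'


if __name__ == "__main__":
    # Address from the WKD draft's worked example (constructed input).
    for name, value in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name}: {value}")
    # Placeholder address with the fingerprint and URI from the mail above.
    print(pka_record("user@example.com",
                     "D2063054549295F3349037FFFBBE5A30624BB249",
                     "http://example.com/key.asc"))
```

Compare the "hash" value with what `gpg --with-wkd-hash -k` prints for the
same address; if they differ, the local part was not lowercased the way
GnuPG does it (only ASCII letters are mapped). The file served at the
URL must be the binary export (gpg --export), not the ASCII-armored one.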
