Hi Kees,
> I want to make use of PKA, I saw a few blogs [1] where they did this in
> TXT DNS records. However, this seems to not work anymore. When I issue
> `gpg2 --export-options export-pka --export $keyid` I get an output. But
> it's unclear where I should put this output in DNS. A TXT record? Or a
> CERT record [2]? Something else? I would like to hear some comments
> about this.
>
> The TXT record method has my preference since I do not have CERT records
> at my registrar. Is there some official documentation about this?
Yes, it's a TXT record, such as this (for u...@example.com):
user._pka.example.com. TXT
"v=pka1;fpr=D2063054549295F3349037FFFBBE5A30624BB249;uri=http://example.com/key.asc";
see examples here:
http://www.gushi.org/make-dns-cert/HOWTO.html
Note that if you have your own domain and HTTPS set up it would be
better to utilize the Web Key Directory, that is enabled by default in
modern GnuPG and used by some e-mail clients automatically
(thunderbird/enigmail, outlook/gpgol).
Export your binary key (gpg --export u...@example.com > key.gpg) and get
the hash (gpg --list-keys --with-wkd u...@example.com) and copy your key
to https://example.com/.well-known/openpgpkey/hu/$hash, replace
example.com and $hash with your values. Then "gpg --locate-key
u...@example.com" will then download the key from your web server).
More details here: https://wiki.gnupg.org/WKD
Kind regards,
Wiktor
>
> [1] https://keyserver.mattrude.com/guides/public-key-association/
> [2] https://slxh.nl/blog/2016/pgp-and-dns/
>
>
> --
> Kind regards,
> Kees de Jong | OpenPGP fingerprint: 0x0E45C98AB51428E6
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
--
https://metacode.biz/@wiktor
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
