2021-02-13 17:42:02

How to generate OpenPGP record for DNS (TYPE61)

Yesterday, I wrote about how you can verify packages using a GPG key stored in DNS. You may wonder how you get the key into DNS in the first place.

Easy but least secure way

Take the armored GPG key, e.g. RPM-GPG-KEY-fedora-35-primary, and paste it into this service. You also have to enter the email address associated with the key; for this key use fedora-35-primary@fedoraproject.org. Click Generate, and your DNS record is ready. This is the least secure way because you let a third-party web service produce the record you are going to publish: before you put it in your zone, compare it with what gpg generates locally (see below), or at least check that the key it contains has the fingerprint gpg prints for your key.

Hey, how should I know that email address? That is easy. Run:

$ gpg2 RPM-GPG-KEY-fedora-35-primary
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-02-04 [SCE]
      787EA6AE1147EEE56C40B30CDB4639719867C58F
uid           Fedora (35) <fedora-35-primary@fedoraproject.org>

Hmm, I had to use the command line anyway. Can I generate the record from the command line, without a third-party service? Sure:

From Command Line

First, import the key:

$ gpg2 --import RPM-GPG-KEY-fedora-35-primary
gpg: key DB4639719867C58F: public key "Fedora (35) <fedora-35-primary@fedoraproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

And then export it:

$ gpg2  --export-options export-dane --export fedora-35-primary@fedoraproject.org
$ORIGIN _openpgpkey.fedoraproject.org.
; 787EA6AE1147EEE56C40B30CDB4639719867C58F
; Fedora (35) <fedora-35-primary@fedoraproject.org>
e27f1efe21ae589b7796e61af3ac4a4c1c2428615daca70d8f1c9e96 TYPE61 \# 1172 (
        99020d04601c49ca011000cb7fc60791ecc9e9a765318c3b6861889496a5b7c2
        63db1fc1d8afa121f22ec46b69563ede2d180353bea3693e69543e6614c277a6
        47a7791fdc4e6aaa42437242c857da8417c04cd449bd4234c09f0868245fc436
        cd992b21c0ab174436c2b29b95ab9d854fa255a9c00ec9b5f1812ab1be40537e
        ddb54accdd061d5a0f51f9788f7d5f112818d3d37bd504e74c4ac637f4b6829f
        a229d4ebe9f08128fc8784558d6a98238f01a2b46c91f7b9f8380ae7a4b3e4d2
        c105937822f1b992fa38c5e838f2b0bcc41fc5b8355c3f2fb99d0ab63fdc347d
        b16aed319ac02ef472697a4bce3d1c65caab63c997eba1589e172a70660bd0c2
        d9e733cfe0484bbf2554eb634e76984513ec271bef891c1c54c57cc9259e41bf
        d1f5380116b9d381f7c63d24b5b7b7bca70f5e83ceb8a055b074afd34506600c
        8f7aecbef3b714fd812133b9374952a3e9e21983288c3b4c25d5818344a72e97
        092cf40fae964835a136f8b37ce666f3f4ec6a13c56e368da2b9592f8d85979e
        f3ad17a1585b7352a94be8df6688ecac4b59f0f6d467e62f17c469add580ae31
        db264d89a51280c53871b1002c0611b5d0bbb1d9668c0748362393dc31d27f72
        a8e8d3c71cae3057ba2c56ae2e62bbd317a7ca93fdf4b3366b1d2209fcfea64a
        8bc42e95fbbbeeeaa15bfc2dd9bb678ad811b2a8e1c4cba3614e196f8864b45f
        21294fd75fbe36aa12f92b0011010001b4314665646f72612028333529203c66
        65646f72612d33352d7072696d617279406665646f726170726f6a6563742e6f
        72673e89024e041301080038162104787ea6ae1147eee56c40b30cdb46397198
        67c58f0502601c49ca021b0f050b0908070206150a09080b020416020301021e
        01021780000a0910db4639719867c58f8d600ffb058a609724806581e18f22a1
        ffe7faccf7d5bdb1f6d04ab7908ece1413749cb5fe054d66baf4bea93b92dd62
        eb0779b71ae96da4a44424a2ed9b9103d6b1b35c0a13d72a7d608f0b00374c08
        23b28c08eca1653ced852e0befdb9e3ad3791d8b44e09fc8f0bbe96f7ce62395
        9b94be6ec403c3b0b62eb95d00ce0c0eea326754a2b46699e0a40b56df9311ad
        788ac6121828f3a3b3d8f15dc93a4e7482a5a0f3637f6e6d84cd2ed3f375840d
        bd65be3e0896fc6022a29e835d735d8c66ad849924909fbf37fe94d4babb1807
        8f1fc9d32959d8b89b1abe86000c8ef545ab0194b048cd047234fcc040a7c644
        83bb2aa65b056f3415ee10857c39edd83225357c937cb1dec3a6c171e4cf9776
        7327412f87ae34cf283de65ab94076711385d615f23664a56843cacdfff7d78e
        864d2b2e7cb48cdc246ae7ff894f0e73a5ef3248cb44c260e54f552b226e596b
        73c179e330de5644506a2b8b19a2630c7ed6d31f5fb9c9b456fc0def05b6b145
        6daded4ccd8dccde91264489a2cdf4bfc7709088475405f3af360dd025105f5d
        93681089849001a689d09240cc7bd191124b2e02b66106221cd572daddc9c857
        ecada9b9c1209639f84f788c8b053649beba4d94f6de7ec4fde7b4dfd81348ba
        0cd9ac2e55c4348a919811875546bd22109c2cb3910cba114daa3e9896e7d1bf
        84f21766b2a870adca2d2f7f8b32504d196d8cc0
        )

And voilà, this is your DNS record, which you can copy and paste into your zone. In this case, into the _openpgpkey.fedoraproject.org. zone. Note the $ORIGIN line gpg prints: the hashed owner name is relative to it, so the fully qualified owner of this record is e27f1efe21ae589b7796e61af3ac4a4c1c2428615daca70d8f1c9e96._openpgpkey.fedoraproject.org. (the two comment lines carry the fingerprint and user ID for your convenience and are not part of the record).

Remember: if the email address associated with the GPG key is foo@bar.com, then the generated record has to go into the _openpgpkey.bar.com. zone. The owner name is the SHA-256 hash of the local part (foo), truncated to 28 octets and written in hex, as specified in RFC 7929; the RDATA is the binary (not armored) export of the public key, printed in the generic "\# length hex" syntax of RFC 3597 so that it works with name servers that do not know TYPE61 by name.
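To see what gpg is doing in the export above, here is an added example (my own code, not from the post or from GnuPG) that derives the OPENPGPKEY owner name from an email address the way RFC 7929 specifies, renders a binary key as the RFC 3597 generic RDATA that gpg prints, and, before you publish, checks that the key inside a record really has the fingerprint you expect by computing the v4 fingerprint (RFC 4880 section 12.2) from the record's first packet. The key bytes are the primary public-key packet copied from the gpg output above; the user-ID and self-signature packets that follow it in the real 1172-byte record are left out, so the record this builds is shorter than gpg's, but the owner name and fingerprint are the same.

```python
"""Build and sanity-check an OPENPGPKEY (TYPE61) record by hand.
Added example, not code from the post or from GnuPG: owner name per RFC 7929,
generic RDATA syntax per RFC 3597, v4 fingerprint per RFC 4880 section 12.2."""
import hashlib
import re


def openpgpkey_owner(email: str) -> str:
    """hex(SHA-256(local-part)[:28])._openpgpkey.<domain>.  (RFC 7929 section 3)
    The local part is hashed byte-for-byte as given; only the domain is lowercased."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower().rstrip('.')}."


def generic_rdata(key: bytes, width: int = 64) -> str:
    """RFC 3597 presentation of unknown-type RDATA, laid out the way gpg prints it."""
    hx = key.hex()
    body = "\n".join("        " + hx[i:i + width] for i in range(0, len(hx), width))
    return f"\\# {len(key)} (\n{body}\n        )"


def build_record(email: str, key: bytes) -> str:
    """One zone-file line with a fully qualified owner name (no $ORIGIN needed)."""
    return f"{openpgpkey_owner(email)} TYPE61 {generic_rdata(key)}"


def parse_generic_rdata(text: str) -> bytes:
    """Inverse of generic_rdata: recover the binary key and check the length field."""
    m = re.search(r"\\#\s+(\d+)\s*\(?\s*([0-9a-fA-F\s]+)", text)
    if not m:
        raise ValueError("no generic RDATA found")
    data = bytes.fromhex("".join(m.group(2).split()))
    if len(data) != int(m.group(1)):
        raise ValueError(f"length field says {m.group(1)}, found {len(data)} bytes")
    return data


def primary_key_fingerprint(key: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || public-key packet body)."""
    tag_byte = key[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, first = tag_byte & 0x3F, key[1]
        if first < 192:
            body_len, off = first, 2
        elif first < 224:
            body_len, off = ((first - 192) << 8) + key[2] + 192, 3
        elif first == 255:
            body_len, off = int.from_bytes(key[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used for key packets")
    else:  # old-format header (section 4.2.1); gpg exports public keys this way
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        off = 1 + (1 << ltype)
        body_len = int.from_bytes(key[1:off], "big")
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected 6 (public key)")
    body = key[off:off + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    return hashlib.sha1(b"\x99" + body_len.to_bytes(2, "big") + body).hexdigest().upper()


def check_record(record_text: str, expected_fingerprint: str) -> bool:
    """True if the key carried in the record text has the expected v4 fingerprint."""
    key = parse_generic_rdata(record_text)
    return primary_key_fingerprint(key) == expected_fingerprint.replace(" ", "").upper()


# Primary public-key packet (528 bytes) of the Fedora 35 key, copied from the gpg
# export-dane output above. The user-ID and self-signature packets that follow it
# are left out to keep the example short; the fingerprint depends only on this one.
FEDORA35_PRIMARY_PACKET = bytes.fromhex("".join("""
99020d04601c49ca011000cb7fc60791ecc9e9a765318c3b6861889496a5b7c2
63db1fc1d8afa121f22ec46b69563ede2d180353bea3693e69543e6614c277a6
47a7791fdc4e6aaa42437242c857da8417c04cd449bd4234c09f0868245fc436
cd992b21c0ab174436c2b29b95ab9d854fa255a9c00ec9b5f1812ab1be40537e
ddb54accdd061d5a0f51f9788f7d5f112818d3d37bd504e74c4ac637f4b6829f
a229d4ebe9f08128fc8784558d6a98238f01a2b46c91f7b9f8380ae7a4b3e4d2
c105937822f1b992fa38c5e838f2b0bcc41fc5b8355c3f2fb99d0ab63fdc347d
b16aed319ac02ef472697a4bce3d1c65caab63c997eba1589e172a70660bd0c2
d9e733cfe0484bbf2554eb634e76984513ec271bef891c1c54c57cc9259e41bf
d1f5380116b9d381f7c63d24b5b7b7bca70f5e83ceb8a055b074afd34506600c
8f7aecbef3b714fd812133b9374952a3e9e21983288c3b4c25d5818344a72e97
092cf40fae964835a136f8b37ce666f3f4ec6a13c56e368da2b9592f8d85979e
f3ad17a1585b7352a94be8df6688ecac4b59f0f6d467e62f17c469add580ae31
db264d89a51280c53871b1002c0611b5d0bbb1d9668c0748362393dc31d27f72
a8e8d3c71cae3057ba2c56ae2e62bbd317a7ca93fdf4b3366b1d2209fcfea64a
8bc42e95fbbbeeeaa15bfc2dd9bb678ad811b2a8e1c4cba3614e196f8864b45f
21294fd75fbe36aa12f92b0011010001
""".split()))
FEDORA35_FINGERPRINT = "787EA6AE1147EEE56C40B30CDB4639719867C58F"

if __name__ == "__main__":
    record = build_record("fedora-35-primary@fedoraproject.org", FEDORA35_PRIMARY_PACKET)
    print(record)
    print("key in record matches fingerprint:", check_record(record, FEDORA35_FINGERPRINT))
```

For a real key, feed the output of `gpg2 --export <email>` (binary, not armored) to build_record; the owner name it prints is the fully qualified form of the hash gpg puts under $ORIGIN. check_record is the step worth running on any record you did not generate yourself, including one from a web service.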

And do not forget: all of this makes sense only if your domain is signed with DNSSEC and the client validates the answer. Otherwise, anyone who can spoof DNS replies can substitute their own key in these records.


Posted by Miroslav Suchý | Permanent link