Creating an OPENPGPKEY DNS record lets you publish your OpenPGP public key in DNS, so that others can find the key that belongs to your email address and verify mail from you. Here is a step-by-step guide to creating the data you need to set up this type of DNS record.
1. Generate or Get Your Public OpenPGP Key
You can skip this step if you already have an OpenPGP key pair (like one created with GnuPG). If not, generate one:
bash: gpg --full-generate-key
Follow the prompts to create your key, choosing a secure passphrase and email address. This email should match the one you're setting up for the DNS record.
2. Export the Public Key in ASCII-Armored Format
bash: gpg --export-options export-minimal --export <your-email@example.com> | gpg --enarmor
This command exports the smallest possible version of your key (export-minimal), and --enarmor wraps the binary output in ASCII armor so it is plain text.
3. Extract the Fingerprint of Your Public Key
You will need a hashed version of your email address for the record name. First, check the fingerprint of your public key:
bash: gpg --fingerprint <your-email@example.com>
The fingerprint will be something like 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567.
4. Hash the Email Address
The DNS record will store the key with a hashed version of your email address. Hash your email address in lowercase with SHA-256:
bash: echo -n "your-email@example.com" | sha256sum
Take the first 28 hexadecimal characters from the result. This will be the "hash part" in the record name.
5. Create the OPENPGPKEY record
Create a new OPENPGPKEY or TXT record. The name will be <28-char-hash>._openpgpkey.<yourdomain.com> and the value will be your ASCII-armored public key, for example:
mQENBF7q8t4BCAC9ZjOE1NE2UOeHlKHZyE1bJv4fsj5UN+Y59Fz4zZG5oqrfkQZj7jkEF66cggS4RYV84g5gOvmyc6Y06zZdLT7Lf3giT8HyksQ6Ux0/9J0rRmc/V9D6DkpjkGsfTCaNvggsJ9tbES9qgfZm93P8R+E5sbRe76DsQaAA8v4T9dEH/aDH27q5
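The hashing and record-building steps above, carried through in Python as an added example (this is not code from the original guide). It follows RFC 7929, which defines the record: only the local part of the address (the text before the @) is hashed with SHA-256, the first 28 octets of the digest are kept and written as 56 hexadecimal characters, and the record value is the exported binary key base64-encoded rather than the armored text. The address hugh@example.com, the SAMPLE_KEY bytes (a constructed packet header, not a real key) and the function names are this example's own assumptions. The check function also catches the most common publishing mistake, pasting armored text where the base64 of the binary key belongs.

```python
"""Build and sanity-check an OPENPGPKEY record (RFC 7929) for an email address.

Added example, not part of the original guide. The owner name is built from
the SHA-256 hash of the local part of the address, truncated to 28 octets
(56 hex characters); the value is the binary exported key, base64-encoded.
"""
import base64
import hashlib
import re

_HEX56 = re.compile(r"^[0-9a-f]{56}$")

# Constructed placeholder, not a real key: one old-format Public-Key packet
# header (tag 6, two-byte length = 16) followed by 16 dummy body bytes.
SAMPLE_KEY = b"\x99\x00\x10" + b"\x04" + b"\x00" * 15


def openpgpkey_label(local_part: str) -> str:
    """Hash the local part with SHA-256 and keep 28 octets as 56 hex characters."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return digest[:28].hex()


def owner_name(email: str) -> str:
    """Return <label>._openpgpkey.<domain> for the address (no trailing dot)."""
    local_part, at, domain = email.rpartition("@")
    if not at or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # The local part is hashed exactly as given; DNS names are case-insensitive,
    # so only the domain is normalised to lowercase.
    return f"{openpgpkey_label(local_part)}._openpgpkey.{domain.lower()}"


def looks_like_public_key(key: bytes) -> bool:
    """True if the data starts with an OpenPGP Public-Key packet (tag 6, RFC 4880).

    Armored text ('-----BEGIN ...') fails this check, which is the usual mistake
    when the record value is pasted from --armor or --enarmor output.
    """
    if not key or not key[0] & 0x80:
        return False
    first = key[0]
    # New-format header: tag in the low 6 bits; old-format: tag in bits 2-5.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 6


def build_record(email: str, key: bytes, ttl: int = 3600) -> str:
    """Return a zone-file line: <owner>. <ttl> IN OPENPGPKEY <base64 key>."""
    if not looks_like_public_key(key):
        raise ValueError("key must be a binary OpenPGP public key (export without armor)")
    value = base64.b64encode(key).decode("ascii")
    return f"{owner_name(email)}. {ttl} IN OPENPGPKEY {value}"


def check_record(owner: str, value: str, email: str) -> list:
    """Check a record as published in DNS; returns a list of problems (empty = OK)."""
    problems = []
    label = owner.split(".", 1)[0].lower()
    if not _HEX56.match(label):
        problems.append("owner label is not 56 hexadecimal characters")
    if owner.rstrip(".").lower() != owner_name(email):
        problems.append(f"owner name does not match {email}")
    try:
        key = base64.b64decode(value, validate=True)
    except ValueError:
        return problems + ["value is not valid base64"]
    if not looks_like_public_key(key):
        problems.append("value does not decode to an OpenPGP public key packet")
    return problems


if __name__ == "__main__":
    record = build_record("hugh@example.com", SAMPLE_KEY)
    print(record)
    owner, _ttl, _cls, _type, value = record.split()
    print("problems:", check_record(owner, value, "hugh@example.com"))
```

To feed a real key in, export it in binary form (gpg --export-options export-minimal --export your-email@example.com, with no --armor) and pass the bytes to build_record. GnuPG 2.1 and later can also print the finished record itself with gpg --export-options export-dane --export your-email@example.com, which is a convenient cross-check on the owner name; once published, dig OPENPGPKEY <owner> (or dig TYPE61 <owner> with older dig versions) shows what resolvers actually see.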