dnssec, openpgpkey, dane, sshfp

this is a short run-down of setting up dnssec, openpgpkey, dane and sshfp records, assuming you already have a working bind installation

if you need a secondary DNS server that supports DNSSEC (the chances are high if you are not hosting two DNS servers yourself), take a look at - it's free for basic usage (which is absolutely enough) and works like a charm!


there are quite a lot of tools out there to generate dane records.

I like hash-slinger - the only downside is that if you are using SNI or something like smtp with STARTTLS, you have to specify the cert on the command-line instead of letting the tool fetch it from the server. but as most other generators will completely fail this task in the case of SNI, this might be a good idea anyway.

if you have a few services that share the same cert, you can generate all their records in one go (the host name after the options is the one the TLSA owner name is built from):

printf '%s\n' 25 587 143 993 443 | xargs -I{} tlsa --create --output rfc --usage 3 --selector 1 --mtype 1 --port {} --certificate /path/to/your/cert.crt your-host-name

one thing to remember:

for port 443, you will want to create additional records for any subdomains you might be using (www?)

warning: if you add a www. TLSA record, you have to create a specific A record for www. too! a wildcard record does not work any more at that point: the TLSA record lives at _443._tcp.www.example.com, which makes www.example.com an existing (empty non-terminal) name, and wildcards are never expanded for names that already exist (RFC 4592).

also: if you are using SNI, you should specify the cert of the domain you enter in the browser, not the default apache certificate. many validators currently fail on SNI.

this validator will fail on SNI: []

this one works with SNI: []

this one can validate smtp: []


just run

ssh-keygen -r your-host-name.

this will give you the necessary records for your zone file.

on your host then run

ssh-keygen -r your-host-name

just to validate that the keys match - as a precaution that you haven't been MITM'ed while generating the keys ;)

when connecting to your host, you should use the ssh option VerifyHostKeyDNS yes from now on (in ~/.ssh/config, or -o VerifyHostKeyDNS=yes on the command line). note that ssh only accepts the key silently when the SSHFP records come back DNSSEC-validated from your resolver; a matching but unvalidated record still gets you the fingerprint prompt.


the script published with this file will generate a DNS record for the key specified (I recommend specifying by key id, but email should work, too).

./ your-key-id

just paste it into your zone file, run zonesigner and republish the zone

if you are on an old bind version that does not support OPENPGPKEY records: this works with generic TYPE61 records (RFC 3597 \# syntax) too. you can use the generator at []

# first uid of the key ($1 = key id or email); --with-colons keeps the parsing independent of gpg's locale
MAIL=$(gpg --with-colons -k "$1" | awk -F: '$1 == "uid" { print $10; exit }' | sed -E 's,^.*<(.*)>.*$,\1,')
USER=${MAIL%@*}
DOMAIN=${MAIL#*@}
# owner name per RFC 7929: SHA2-256 of the local part truncated to 28 octets (the original used SHA-224 from the pre-RFC draft)
FQDN="$(printf '%s' "${USER}" | openssl dgst -sha256 -r | cut -c1-56)._openpgpkey.${DOMAIN}."
# base64 of the minimal binary export; avoids stripping armor header lines, whose number varies between gpg versions
KEYDATA=$(gpg --export --export-options export-minimal "$1" | base64 | sed 's,^, ,')
cat <<EOF
; OPENPGPKEY record for key $1 (${USER}@${DOMAIN})
${FQDN} IN OPENPGPKEY (
${KEYDATA}
)
EOF
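as an added example (not the gist's script, and not hash-slinger's code), here is a small POSIX sh snippet that builds the RFC 7929 owner name and prints the record both in native OPENPGPKEY form and in the RFC 3597 generic TYPE61 form that an old bind still loads; it assumes coreutils (sha256sum, base64, od, tr) and uses a constructed three-byte key blob instead of a real key.

```shell
#!/bin/sh
# added example, not the gist's own script: builds the RFC 7929 owner name and
# prints an OPENPGPKEY record either natively or as RFC 3597 generic TYPE61,
# the form an old bind without OPENPGPKEY support still loads.
# assumes POSIX sh plus coreutils (sha256sum, base64, od, tr).

# RFC 7929: left-most label is SHA2-256 of the local part truncated to
# 28 octets (56 hex digits); the rest is _openpgpkey.<domain> as an absolute name
openpgpkey_owner() {
    local_part=${1%@*}
    domain=${1#*@}
    label=$(printf '%s' "$local_part" | sha256sum | cut -c1-56)
    printf '%s._openpgpkey.%s.\n' "$label" "$domain"
}

# native presentation form: RDATA is the base64 of the binary (non-armored) key
# $1 = email address, $2 = base64 key blob on a single line
openpgpkey_rr() {
    printf '%s IN OPENPGPKEY %s\n' "$(openpgpkey_owner "$1")" "$2"
}

# generic form: TYPE61 \# <RDATA length in octets> <RDATA as hex>
# the RDATA is the raw key blob, so decode the base64 and hex-encode the bytes
type61_rr() {
    hex=$(printf '%s' "$2" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    printf '%s IN TYPE61 \\# %d %s\n' "$(openpgpkey_owner "$1")" \
        $(( ${#hex} / 2 )) "$hex"
}

# constructed sample input (not a real key): base64 of the three bytes 01 02 03
SAMPLE_MAIL=abc@example.com
SAMPLE_KEYDATA=AQID

openpgpkey_rr "$SAMPLE_MAIL" "$SAMPLE_KEYDATA"
type61_rr "$SAMPLE_MAIL" "$SAMPLE_KEYDATA"
```

for a real key, feed it the output of gpg --export --export-options export-minimal piped through base64 -w0 as the second argument.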