I found out today that it’s possible to publish your public PGP key in the DNS. There is a really good guide at http://www.gushi.org/make-dns-cert/HOWTO.html which explains the three different methods in detail. It’s really simple though, so I’ll explain how I did it. I’m going to replace my email address with a fake address to avoid feeding the spambots.

First of all, you need to export your public key and place it somewhere where it can be served via HTTP:

gpg -a --export mike@example.com > /var/www/pgp.pub.asc

In this example, that places the key at http://example.com/pgp.pub.asc. Next, you need to find out your public key's fingerprint (the "Key fingerprint" line, highlighted):

mike@server:~$ gpg --fingerprint --list-keys mike@example.com
pub   4096R/0018461F 2010-11-02 [expires: 2015-11-01]
      Key fingerprint = *35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F*
uid                  Mike Cardwell (Personal mail) <mike@example.com>
sub   4096R/01DE408F 2010-11-02 [expires: 2015-11-01]
mike@server:~$

Then you simply create a DNS TXT record. The hostname is “mike._pka.example.com”, i.e. “local_part._pka.domain”, and the value looks like this:

v=pka1; fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F; uri=http://example.com/pgp.pub.asc

“fpr” is the upper-case value of the key's fingerprint with the spaces removed, and “uri” is the location the public key can be fetched from.
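As an added example (my own helper, not part of the original post or of GnuPG), here is a small Python module that builds the TXT value from the spaced fingerprint that gpg --fingerprint prints, parses a record back, and performs the one check a client must do: the key fetched from the uri has to carry exactly the fingerprint the record names. The sample values are the post's own example values, reused as constructed test data.

```python
import re

# Constructed sample values, taken from the post's example record.
SAMPLE_EMAIL = "mike@example.com"
SAMPLE_SPACED_FPR = "35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F"
SAMPLE_URI = "http://example.com/pgp.pub.asc"


def pka_owner_name(email: str) -> str:
    """Turn a mailbox into the PKA owner name: local_part._pka.domain."""
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox: {email!r}")
    return f"{local_part}._pka.{domain}"


def normalise_fingerprint(fpr: str) -> str:
    """Strip the grouping spaces gpg prints and upper-case the hex digits."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("fingerprint must be 40 hex digits (OpenPGP v4 key)")
    return compact


def build_pka_record(fpr: str, uri: str) -> str:
    """Build the TXT value in the post's format: v=pka1; fpr=...; uri=..."""
    return f"v=pka1; fpr={normalise_fingerprint(fpr)}; uri={uri}"


def parse_pka_record(txt: str) -> dict:
    """Parse a PKA TXT value and reject anything malformed or unversioned."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")  # first '=' only; URIs may contain '='
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported or missing version, expected v=pka1")
    fields["fpr"] = normalise_fingerprint(fields.get("fpr", ""))
    if not fields.get("uri"):
        raise ValueError("record has no uri")
    return fields


def fetched_key_matches(record: dict, fetched_fpr: str) -> bool:
    """DNS without DNSSEC and a plain-HTTP uri are both untrusted: the key
    downloaded from uri is usable only if its fingerprint equals record['fpr']."""
    return normalise_fingerprint(fetched_fpr) == record["fpr"]
```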

So what’s the point of this? This command will automatically fetch the public key of mike@example.com and start encrypting with it:

gpg --auto-key-locate pka -ea -r mike@example.com

If you put “auto-key-locate pka” in your gpg.conf, you don't even need to specify it on the command line. gpg will automatically look up missing keys in the DNS when it needs them. No need for keyservers.