OPENPGPKEY Record
What is an OPENPGPKEY record?
An OPENPGPKEY record is a DNS record type used to store and distribute OpenPGP public keys via the Domain Name System. It allows email clients and other applications to automatically discover and retrieve a user's PGP public key by looking up their email address in DNS, enabling encrypted and authenticated email communication without requiring manual key exchange or a separate key server lookup.
OPENPGPKEY record format
A typical OPENPGPKEY record looks like the following in standard BIND format:
$ORIGIN example.com.
c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._openpgpkey 3600 IN OPENPGPKEY mQINBFRUAGoBEAC2GtK/YPEMbnHlAMcFkc1oBNQM...
The anatomy of the OPENPGPKEY record looks like the below:
| Host Label | TTL | Record Class | Record Type | Public Key Data |
|---|---|---|---|---|
| c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._openpgpkey.example.com. | 3600 | IN | OPENPGPKEY | mQINBFRUAGoBEAC2GtK/YPEMbnHlAMcFkc1oBNQM... |
The host label for an OPENPGPKEY record is composed of two parts separated by a period (.). These parts are the SHA-256 Hash and the Underscore Label in the format of hash._openpgpkey.
- SHA-256 Hash is the left-most 28 octets (56 hexadecimal characters) of the SHA-256 hash of the local part (username) of the email address, encoded in lowercase hexadecimal. This is used to look up the key for a specific user at a domain.
- Underscore Label is the fixed string _openpgpkey, which identifies this as an OPENPGPKEY DNS record and prevents collisions with other DNS labels.
TTL
The time-to-live in seconds. It specifies how long a resolver may cache the DNS answer before it expires and a new query needs to be made.
Record Class
Three classes of DNS records exist:
- IN (Internet) – the default, and the class the Internet generally uses.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
This field defines the format of the record data. Common record types are A, AAAA, CNAME, CAA, TXT, etc. In the case of an OPENPGPKEY record, the record type is OPENPGPKEY.
Public Key Data
The transferable public key of the user, as defined in RFC 4880, encoded in Base64. This is the raw binary representation of the OpenPGP public key without the ASCII armor headers (i.e., without the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines). Only the public key portion should be stored; private keys must never be published in DNS.
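The following script, added here as an illustration and not part of this page or Dynu's tooling, puts the label derivation and the Public Key Data rules above into practice: it hashes the local part, strips the ASCII armor from an exported key, and refuses to build a record whose first OpenPGP packet is not a public-key packet (so a secret key cannot end up in the zone). The email address, the armored block and the function names are constructed for the example.

```python
import base64
import hashlib

def openpgpkey_owner_name(email: str) -> str:
    """Owner name per RFC 7929: SHA-256 of the UTF-8 local part, left-most
    28 octets as lowercase hex, then the fixed '_openpgpkey' label and domain."""
    local_part, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return f"{digest[:28].hex()}._openpgpkey.{domain.lower()}."

def first_packet_tag(data: bytes) -> int:
    """Packet tag of the first OpenPGP packet (RFC 4880 section 4.2):
    6 = public key, 5 = secret key. Handles old and new header formats."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F

def armored_to_rdata(armored: str) -> str:
    """Strip ASCII armor and return the Base64 key body as one line of RDATA.
    Refuses anything that does not start with a public-key packet."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if (lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----"
            or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("expected an armored PUBLIC KEY BLOCK")
    body = lines[1:-1]
    if "" in body:                         # drop armor headers such as 'Comment:'
        body = body[body.index("") + 1:]
    if body and body[-1].startswith("="):  # trailing '=XXXX' is the CRC24 line
        body = body[:-1]                   # (the checksum is not verified here)
    raw = base64.b64decode("".join(body), validate=True)
    if first_packet_tag(raw) != 6:
        raise ValueError("refusing to publish: first packet is not a public key")
    return base64.b64encode(raw).decode("ascii")

def openpgpkey_zone_line(email: str, armored: str, ttl: int = 3600) -> str:
    """One OPENPGPKEY resource record in BIND zone-file format."""
    return f"{openpgpkey_owner_name(email)} {ttl} IN OPENPGPKEY {armored_to_rdata(armored)}"

# Constructed sample: a minimal old-format public-key packet (tag 6), not a real key.
SAMPLE_ARMOR = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed test data

mQADBAEC
=AAAA
-----END PGP PUBLIC KEY BLOCK-----"""

if __name__ == "__main__":
    print(openpgpkey_zone_line("alice@example.com", SAMPLE_ARMOR))
```

With a real key, export it with your OpenPGP tool's armored public-key export and feed that text in; the script only decides whether the first packet is a public key, it does not validate the rest of the key.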
How to add an OPENPGPKEY record?
For instructions on how to add an OPENPGPKEY record with us, you may refer to the tutorial here.
OPENPGPKEY record glossary
OpenPGP
OpenPGP is a standard for encrypting and signing data, most commonly used for email encryption. It is defined in RFC 4880 and is the open standard upon which the well-known PGP (Pretty Good Privacy) software is based.
DANE (DNS-Based Authentication of Named Entities)
DANE is a protocol that allows the binding of cryptographic keys to domain names using DNSSEC. OPENPGPKEY is part of the DANE family of DNS record types, enabling secure key discovery through DNS.
DNSSEC
Domain Name System Security Extensions - a suite of extensions that add security to the DNS protocol by enabling DNS responses to be validated cryptographically. DNSSEC is strongly recommended when publishing OPENPGPKEY records to protect against spoofing or tampering of key material in transit.
SHA-256
Secure Hash Algorithm 256-bit - a cryptographic hash function used to derive the owner label of an OPENPGPKEY record from the local part (username) of an email address. Only the first 28 octets (56 hex characters) of the resulting hash are used in the DNS label.
Base64
A binary-to-text encoding scheme that represents binary data using a set of 64 printable ASCII characters. The OpenPGP public key is stored in the OPENPGPKEY record as a Base64-encoded binary value.
BIND
Berkeley Internet Name Daemon - the most commonly used DNS software on the Internet; Dynu follows the BIND zone-file format.
