DNSPGP: Frequently Asked Questions (FAQ)


What is PGP?
What is DNS?
How does DNSPGP work?
Why would I want to use DNSPGP?
How is DNSPGP different from SPF or DKIM?
How is DNSPGP different from PKA or IPGP?
Will DNSPGP help prevent spam, viruses, etc?
What software makes use of DNSPGP?
What license is DNSPGP released under?

Q: What is PGP?
A: See Pretty Good Privacy.

Q: What is DNS?
A: See Domain Name System.

Q: How does DNSPGP work?
A: We believe PGP is a great technology. As such we designed DNSPGP to retain as much of PGP as makes sense. So DNSPGP starts out the same way as PGP does by an individual email user creating a PGP public/private key pair. Hopefully this will be facilitated by user's email program or web user interface (MUA).

The administrator of the organization's DNS domain name will also need to configure a webserver to receive HTTP GET requests at a specific URL (http://pgp.example.com/pubkey.php). These requests will contain a key/value pair querying the email address of an account within the domain (?addr=user@example.com). The webserver will then be expected to return the associated PGP public key or an appropriate error message.

Remote parties will discover the URL by performing a DNS lookup of a TXT record that contains 'dnspgp' followed by an HTTP URL. As such, the public DNS zone will need to be modified to include the TXT record.

The most convenience will be found if support for DNSPGP is integrated into the MUA such as the Enigmail extension for Mozilla Thunderbird or the webmail programs SquirrelMail or RoundCube. If public email operators such as Yahoo, Microsoft, or Google featured DNSPGP functionality PGP adoption would become common overnight.

The URL GET key/value syntax and the contents of the TXT record are really the only two parts of DNSPGP that will need to be specified and followed by all implementors. All other components should determined by standard PGP.

Q: Why would I want to use DNSPGP?
A: The deficiency of traditional PGP key distribution is the reliance on key servers, the "web of trust," or some manual method. All require the potential receiver of another's public key to have retrieved the key prior to needing it or knowing of a collection of key servers that might hold the desired public key.

DNSPGP removes these obstacles by allowing email account holders to distribute their own public key on a webserver of their choice and publishing that URL address in DNS. As such, PGP becomes much more practical for everyday use, especially with correspondants one has not previously communicated with.

Q: Will DNSPGP help prevent spam, viruses, etc?
A: DNSPGP doesn't provide any additional protection benefits over standard PGP. Theoretically PGP signed messages are likely not to be spoofed as one would be able to tell fairly quickly if the message is indeed signed by the supposed sender. There are spam prevention technologies that share common implementation characteristics with DNSPGP (the use of DNS to publish authoritive information) but specifically address spam. PGP's primary concern is ensuring the integrity and privacy of legitimate email messages.

Q: How is DNSPGP different from SPF or DKIM?
A: SPF and DKIM are specifically anti-spam technologies intended to be implemented as part of internet's global email delivery infrastructure. The technologies help organizations that operate email services prevent spam from entering into their networks at the points where they attach to the internet.

DNSPGP is concerned with protecting email messages between individual users rather than entire organizations. That being said, PGP distribution webservers will likely be operated at the organization level. And as a part of those implementation considerations DNSPGP shares an important configuration similiarity in the inclusion of a special DNS record.

Q: How is DNSPGP different from PKA or IPGP?
A: Like DNSPGP PKA and IPGP store a record in DNS that refers to an internet location where the public key can be retrieved. However, both PKA and IPGP require that each email address has its own record in DNS. For small or personal use domains that requirement is not unreasonable, but for large corporate or service provider networks DNS zones would become unmanageable. Further, if DNSSEC is in use everytime a key is updated the zone would need to be resigned. Zones with many email addresses are sure to be in constant flux limiting the benefit of zone signing.

DNSPGP requires only one record for the entire domain. This minimizes the impact on the zone from updates due to DNSPGP. The only time the record need be changed is if the distribution URL needs to be updated.

Q: What software makes use of DNSPGP?
A: At this point, none. We are planning to release some simple diagnostic tools and perhaps a reference implementation, but we're hoping existing programs, projects, and operators will be inspired by DNSPGP to add support to their own code. Users should advocate for DNSPGP in order to spread the word and build demand. Any and all help is greatly appreciated.

Q: What license is DNSPGP released under?
A: As no copyrighted source code exists nor is DNSPGP patented no license is required to use or implement DNSPGP. Our hope is that DNSPGP will increase interest in PGP and we do not want to erect any barriers that might inhibit adoption.