DNS OPENPGPKEY Shell Oneliner with GnuPG

To generate the DNS zone entries for your OpenPGP/GnuPG (GPG) public keys, you can use this shell script:

    # Emit one OPENPGPKEY record for every secret key whose user ID
    # belongs to one of these domains.
    domains="example.com google.com"
    for at in $domains ; do
        # Pull the local part out of each "<user@domain>" user ID. grep -F keeps the
        # dots in the domain literal, sed -n/p drops lines that do not match the
        # pattern, and sort -u avoids a duplicate record per additional user ID.
        gpg -K | grep -F "@$at>" | sed -n 's/^.*<\(.*\)@.*>$/\1/p' | sort -u |\
        while read -r n ; do
            echo ";; $n@$at"
            # Owner name: SHA-256 of the local part, truncated to 28 octets (56 hex chars)
            printf '%s' "$n" | sha256sum | cut -c -56 | tr -d '\n'
            echo "._openpgpkey.$at. 7200 IN OPENPGPKEY ("
            # Binary (not armored) minimal export; base64 may span several lines inside ( )
            gpg --export \
                --export-options export-minimal,no-export-attributes \
                "$n@$at" |\
                base64 |\
                sed 's/^/                /'
            echo ')'
        done
    done

If you want to append the entries to your existing zone files <domain>.zone, replace the second-to-last done with:

    done >> "$at.zone"

Adjust this to match your own zone file naming.
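As an added example (not part of the original post), the record-building step above factored into shell functions: openpgpkey_owner derives the RFC 7929 owner name, openpgpkey_record writes a complete zone entry from an address and a file holding the binary key export, and openpgpkey_extract reverses that so a generated entry can be checked offline against the export it came from. The three function names are my own; the hugh@example.com owner name in the comment is the worked example given in RFC 7929.

```shell
#!/bin/sh
# Added example: build and check one OPENPGPKEY zone record per RFC 7929.

# Print the owner name for an address: hex(SHA-256(local-part)) truncated to
# 28 octets (56 hex characters), followed by "._openpgpkey.<domain>."
# RFC 7929's example: hugh@example.com ->
#   c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._openpgpkey.example.com.
openpgpkey_owner() {
    local_part=${1%@*}
    domain=${1##*@}
    # printf instead of echo -n: echo may interpret backslashes or print "-n"
    # literally depending on the shell, which would change the hash.
    hash=$(printf '%s' "$local_part" | sha256sum | cut -c 1-56)
    printf '%s._openpgpkey.%s.\n' "$hash" "$domain"
}

# Print a complete zone-file record for address $1 from the binary key export
# in file $2 (e.g. gpg --export --export-options export-minimal,no-export-attributes),
# with an optional TTL in $3 (default 7200, as in the script above).
openpgpkey_record() {
    ttl=${3:-7200}
    printf '%s %s IN OPENPGPKEY (\n' "$(openpgpkey_owner "$1")" "$ttl"
    # base64 wraps at 76 columns; inside ( ) the zone parser joins the pieces.
    base64 "$2" | sed 's/^/        /'
    printf ')\n'
}

# Read a record written by openpgpkey_record on stdin and emit the raw key bytes,
# so a generated entry can be compared (cmp) against the export it came from.
openpgpkey_extract() {
    sed '1d;$d' | tr -d ' ' | base64 -d
}

# usage: sh this.sh user@example.com key.bin
if [ "$#" -eq 2 ]; then
    openpgpkey_record "$1" "$2"
fi
```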

Minimize the DNS Data

Don't use gpg --export --armor: the armored output carries header lines and a CRC line on top of the key itself, which is more data than the record needs. The OPENPGPKEY rdata is the raw binary key; the script base64-encodes it for the zone file itself.

Testing for Success

With GnuPG's dirmngr you can retrieve the public key via a DANE OPENPGPKEY DNS lookup:

$ gpg --verbose --auto-key-locate dane --locate-external-keys <email-address>

RFC 7929

RFC 7929 is the official standard: DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP.