OPENPGPKEY Record

Hello,

I found this service, and it had for me the advantage of providing OPENPGPKEY records. I tried to add one but I'm stuck with a 500-character limit (my PGP key is 4096 bits long).

I hope there is a solution :smiley:

Romain.

Hi Romain,

Thank you for your question, and welcome to deSEC!

On our public frontend servers which answer DNS queries from clients, we use PowerDNS with the LMDB storage module. This is by far the fastest solution, as many queries can be answered from memory without any overhead. (We tried other backends before and had performance issues.)

Unfortunately, the LMDB backend implementation in PowerDNS currently has a length limitation for DNS record contents plus their lookup key attributes (e.g. record type); the combined limit is 512 bytes per entry. They have an upstream issue for that, but fixing it requires significant changes, so it may take a while (I estimate at least a few months) until the limitation is dropped.

Now, you can say that a 4096 bit key is exactly 512 bytes, but the problem is that the lookup key also takes a few bytes. So, it’s a close call, but unfortunately it does not fit within the limit.

We are definitely planning to lift this restriction as soon as PowerDNS has fixed the upstream issue. You can track our progress here: https://github.com/desec-io/desec-stack/issues/334

Note that the limit is per record, not per record set. You can, for example, have two OPENPGPKEY records for the same subdomain, and each has to fit into the limit separately.

Stay secure,
Peter

I read the issues on GitHub, but I don't understand: can I split the OPENPGPKEY record into chunks?
(Another alternative is the SRV record for the WKD system https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10)

can I split the OPENPGPKEY record into chunks?

No. Chunking has to do with some internal DNS format, but our API hides it from users. It has nothing to do with the length limit.

Another alternative is the SRV record for the WKD system https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10

Yep, that looks like a viable alternative! But it requires running a web server, of course.

Stay secure,
Peter
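The two answers above touch on the same two facts: an OPENPGPKEY record (RFC 7929) carries the whole transferable public key as one opaque RDATA blob, so there is no TXT-style chunking to apply, and whatever storage limit applies is measured against that blob plus its lookup key. The following script is an added example (not deSEC's or PowerDNS's code) that derives the RFC 7929 owner name and the WKD "advanced method" URL for an address, and checks a key blob against a configurable limit. The 512-byte figure is only the number quoted in the thread, and the `overhead_bytes` parameter stands in for the "few bytes" of lookup-key attributes, whose exact size the thread does not give; the 512-byte key blob is constructed and is not a real key.

```python
"""Name derivation and size check for publishing an OpenPGP key via DNS.

Added example for the deSEC thread; assumptions are marked in comments.
"""
import base64
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory (WKD) local-part hash.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (20 bytes -> 32 characters)."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 31])
    if nbits:  # flush a partial trailing group (never happens for 20-byte input)
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 31])
    return "".join(out)


def openpgpkey_owner_name(email: str) -> str:
    """RFC 7929 owner name: SHA-256 of the UTF-8 local-part, truncated to 28
    octets, lower-case hex, then '._openpgpkey.' and the domain.
    The local-part is hashed as given; RFC 7929 does not case-fold it."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def wkd_hu_label(local_part: str) -> str:
    """WKD 'hu' label: z-base-32 of SHA-1 over the lower-cased local-part."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_advanced_url(email: str) -> str:
    """WKD advanced-method URL, served from the 'openpgpkey' subdomain.
    This is the subdomain that the thread's CNAME workaround points elsewhere."""
    local, domain = email.rsplit("@", 1)
    hu = wkd_hu_label(local)
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
            f"{domain}/hu/{hu}?l={quote(local)}")


def openpgpkey_record_sizes(key_blob: bytes) -> dict:
    """Sizes a publisher should know: wire RDATA is the raw key, the
    presentation form is its base64 encoding (about 4/3 larger)."""
    return {
        "rdata_bytes": len(key_blob),
        "presentation_chars": len(base64.b64encode(key_blob)),
    }


def fits_storage_limit(key_blob: bytes, overhead_bytes: int, limit: int = 512) -> bool:
    """Check the constraint described in the thread: record content plus its
    lookup-key attributes must fit in `limit` bytes per entry.
    `overhead_bytes` is an assumed value for those attributes."""
    return len(key_blob) + overhead_bytes <= limit


if __name__ == "__main__":
    # Constructed placeholder blob of exactly 512 bytes (4096 bits); not a real key.
    fake_key = bytes(range(256)) * 2
    email = "Romain@example.org"
    print("OPENPGPKEY owner:", openpgpkey_owner_name(email))
    print("WKD URL:         ", wkd_advanced_url(email))
    print("sizes:           ", openpgpkey_record_sizes(fake_key))
    for overhead in (0, 8):
        print(f"fits with {overhead} bytes overhead:",
              fits_storage_limit(fake_key, overhead))
```

Running it shows the practical difference between the two publication paths: the OPENPGPKEY name changes with the case of the local-part while the WKD hash does not, and a blob of exactly 512 bytes passes the per-entry check only when the lookup-key overhead is zero, which is the "close call" the answer describes.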


Hi,

I found a new workaround: keys.openpgp.org can act as a WKD server, with a CNAME record for the subdomain 'openpgpkey' pointing to their server, and it works like a charm!

Hello,

I'm watching your GitHub repo and I saw that the 500-character problem issue has been resolved.

So I tried to add an OPENPGPKEY record, but it doesn't work.
Is there any plan to fix it soon, as the upstream issue is resolved?

Thank you again for all the work on desec.io

Hi NewRedsquare,

Yes, the issue was solved upstream, but the fix has not been released yet. It is going to be part of PowerDNS Authoritative server 4.4.0, which is currently in development version alpha3.

We are also awaiting the release eagerly; we’d like to use the feature ourselves! My best guess is that pdns-auth 4.4.0 will be released some time this winter. Unfortunately, I don’t have any other more accurate information.

Stay secure,
Peter


Hi @NewRedsquare,

The length restriction has finally been lifted! Please let us know how it’s working for you.

Stay secure,
Peter