openpgpkey - Man Page

Create and verify RFC-TBD OPENPGPKEY DNS records


openpgpkey [--fetch | --verify] [--insecure] [--resolv.conf /PATH/TO/RESOLV.CONF] user@domain

openpgpkey [--create] [--insecure] [--resolv.conf /PATH/TO/RESOLV.CONF] [--output {rfc,generic,both}] [--uid <uid>] [--keyid <keyid>] user@domain


openpgpkey generates RFC-7929 OPENPGPKEY DNS records. To generate these records for older nameserver implementations that do not yet support the OPENPGPKEY record, specify --output generic to output the openpgpkey data in Generic Record (RFC-3597) format. Records are generated by taking all keys with the specified email address associated with it from the user's local GnuPG keychain.

Verification of OPENPGPKEY records is done by comparing the keyid and fingerprint of the OPENPGPKEY obtained from DNS with the version in the local GnuPG keychain.



Fetch an OPENPGPKEY public key record from DNS


Create an OPENPGPKEY DNS record


Verify a public key from the local GPG keyring with the OPENPGPKEY DNS record

--resolvconf FILE

Specify a custom resolv.conf file (default: /etc/resolv.conf)

--output rfc | generic | both

Output format of OPENPGPKEY record. "OPENPGPKEY" for rfc, "TYPE61" for generic (default: generic)

If neither create or verify is specified, create is used.


openpgpkey requires the following python libraries: unbound, gnupg and argparse. It also requires gnupg which provides the gpg command.


none known


typical usage:

openpgpkey --fetch > paul.pubkey

openpgpkey --verify

openpgpkey --create

See Also



Paul Wouters <>


December 30, 2013 Paul Wouters Internet / DNS