Internet Sellout

Demand Unearned Rewards

Communication Breakdown

I do not have a phone. I do use Teams. I have Apple iMessage on an iPad, which I use to communicate with a couple of people. I use Facebook Messenger. My preferred method of communication is Email. For a short time I used S/MIME with email, but there were issues. After years of thinking about this, decades really, I am back where I was originally, with PGP. I have always had my doubts about standards-based encryption. I am not a mathematician or cryptographer. I find it hard to believe that I can trust a standards body that is quite likely knee-deep in intelligence assets, who may endorse a breakable standard and deride security through obscurity, which I think might be the best after all. However, the reason I like Email is that it is a standard. Never mind that Google and Microsoft seem to be the only ones who can implement it.

Even though OpenPGP is now a standard (RFC 4880 and 9580) and primarily uses RSA encryption, there is one aspect of it that depends on security through obscurity: where do you keep your private key? It is true that you can protect your private key with a passphrase. If you have a good passphrase, it is going to be hard to crack. However, it is very much harder to break the encryption if you don't have the private key at all. That is why you are encouraged to hide it away somewhere. That somewhere is obscured because it could really be anywhere. Of course you could hide it somewhere that requires authorization, and I would say there is still an element of obscurity in that: layers of security that are not the same for everyone, not a predictable standard, not a known task of predictable difficulty.

Some even argue that you should not publish your public key, that you should give it only on request. More security through obscurity. But I am embracing Email and PGP as the default secure way to communicate to the world. I am going to have to compromise. Email and PGP are so not the fashion (I am talking to you Signal users) that it could almost be considered security through obscurity.

There is a DNS record type, not all that new, called OPENPGPKEY (RFC 7929). It is not well supported by Windows tooling, but for some reason it appeals to me.

OPENPGPKEY Record for DNS

635182503015583645345345cff61b6a91254a0458537072a1b26a._openpgpkey 10800 IN OPENPGPKEY mQGNBGiku8QBDADVufvn4/YGFVn4sElF...=

The first part of this string is the local part of the email address, normalized to UTF-8, hashed with SHA2-256, truncated to 28 bytes (224 bits) per RFC 7929, and written in lowercase hexadecimal.

Using DIG to query for an OPENPGPKEY Record in DNS

dig OPENPGPKEY 635182503015583645345345cff61b6a91254a0458537072a1b26a._openpgpkey.internetsellout.com

output

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43995
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1224
;; QUESTION SECTION:
;635182503015583645345345cff61b6a91254a0458537072a1b26a._openpgpkey.internetsellout.com. IN OPENPGPKEY

;; ANSWER SECTION:
635182503015583645345345cff61b6a91254a0458537072a1b26a._openpgpkey.internetsellout.com. 1800 IN OPENPGPKEY mQGNBGiku8QBDADVufvn4/YGFVn4sElF...=
The part before _openpgpkey and the public key have been obfuscated by me for the purpose of making a blog entry, to protect me. Why should I care? I suppose I don't want to be the lowest of low-hanging fruit. I'm the kind of asshole other assholes enjoy taking down. The main concern I can think of is that using PGP encryption is going to get past any content filters, making it easier to spam you (in plain text).

One thing very much still confuses me though. In a few examples on the web the dig example is:

A very pointless DIG Query

dig OPENPGPKEY internetsellout.com

output

; <<>> DiG 9.20.11-4-Debian <<>> OPENPGPKEY internetsellout.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11965
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;internetsellout.com.           IN      OPENPGPKEY

;; AUTHORITY SECTION:
internetsellout.com.    299     IN      SOA     ns1.gandi.net. hostmaster.gandi.net. 1756254233 10800 3600 604800 10800

;; Query time: 72 msec
;; SERVER: 10.255.255.254#53(10.255.255.254) (UDP)
;; WHEN: Tue Aug 26 17:31:44 PDT 2025
;; MSG SIZE  rcvd: 97

I don't see the point of this dig query and I don't know what it gets you. There is no Answer Section. Possibly this is a case of the blind leading the blind or possibly I'm in over my head!

PowerShell Command

function Get-OpenPGPKeyRecord {
    param (
        [Parameter(Mandatory=$true)]
        [string]$Email
    )

    # Split email into local part and domain
    if ($Email -notmatch '^(?<local>[^@]+)@(?<domain>.+)$') {
        Write-Error "Invalid email format."
        return
    }

    # Local part is lowercased before hashing
    $local  = $Matches['local'].ToLower()
    $domain = $Matches['domain']

    # Compute SHA-256 hash of the UTF-8 encoded local part
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($local)
        $hash  = $sha256.ComputeHash($bytes)
    } finally {
        $sha256.Dispose()
    }

    # Truncate to 28 bytes (224 bits) per RFC 7929
    $truncated = $hash[0..27]

    # Convert to lowercase hex (56 characters)
    $hexLabel = ($truncated | ForEach-Object { $_.ToString("x2") }) -join ""

    # Construct full DNS name
    $dnsName = "$hexLabel._openpgpkey.$domain"

    Write-Host "Querying: dig $dnsName OPENPGPKEY"

    # Call dig directly; it must be on the PATH (no bash required)
    if (-not (Get-Command dig -ErrorAction SilentlyContinue)) {
        Write-Error "dig was not found on the PATH."
        return
    }
    & dig $dnsName OPENPGPKEY
}

Save that to a file and load it into PowerShell then issue this command:

Get-OpenPGPKeyRecord -Email "notme@internetsellout.com"

You will need dig installed for it to work.
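As an added example, not the blog's own code: the same RFC 7929 owner-name derivation in Python, plus a check that the base64 rdata dig hands back actually starts with an OpenPGP public-key packet before you pipe it into gpg --import. It hashes the local part as written (the PowerShell function above lowercases it first), and SAMPLE_RDATA is a constructed toy key header, not a real key.

```python
import base64
import hashlib
import re

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag of a primary public key (RFC 4880 section 5.5.1.1)


def openpgpkey_owner_name(email: str) -> str:
    """RFC 7929 owner name: SHA2-256 of the UTF-8 local part, truncated to 28 octets, in hex."""
    m = re.fullmatch(r"(?P<local>[^@]+)@(?P<domain>[^@]+)", email)
    if not m:
        raise ValueError("not a single-@ email address")
    # The local part is hashed as written; the PowerShell function above lowercases it first.
    digest = hashlib.sha256(m["local"].encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{m['domain']}"


def inspect_openpgpkey(rdata_b64: str) -> dict:
    """Decode OPENPGPKEY rdata (base64 in dig output) and check its first packet is a public key."""
    data = base64.b64decode(rdata_b64, validate=True)
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("rdata does not start with an OpenPGP packet header")
    if data[0] & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            off, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths are not expected in a key")
    else:  # old-format header (RFC 4880 section 4.2.1)
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length")
        off = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(data[1:off], "big")
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"first packet has tag {tag}, not a public-key packet")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated public-key packet")
    algo_off = 7 if body[0] == 3 else 5  # v3 keys carry a 2-byte validity field first
    return {"version": body[0], "created": int.from_bytes(body[1:5], "big"),
            "algorithm": body[algo_off]}

# Constructed toy rdata: old-format tag-6 header, v4, created 1700000000, RSA (alg 1), tiny MPIs.
SAMPLE_RDATA = base64.b64encode(b"\x98\x0c\x04" + (1700000000).to_bytes(4, "big")
                                + b"\x01\x00\x04\x0b\x00\x02\x03").decode()
```

Run inspect_openpgpkey on the last field of the ANSWER SECTION line from dig; anything that is not tag 6 (a signature, a user ID, random junk) is rejected before it reaches your keyring.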
