OpenPGP DANE - Tester

RFC 7929 defines a method for storing OpenPGP public keys in DNS using the OPENPGPKEY resource record (TYPE 61). This allows key discovery using only DNS, secured by DNSSEC.

Given an e-mail address, the DNS name is constructed by:

  • Taking the local-part of the e-mail address (left of @) and converting it to lowercase
  • Computing the SHA-256 hash and truncating to 28 octets (224 bits)
  • Hex-encoding the result (56 characters)

The final DNS name is:

<56-char-hex>._openpgpkey.<domain>

For example, for hugh@example.com:

c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._openpgpkey.example.com

The RDATA of the OPENPGPKEY record contains the binary OpenPGP Transferable Public Key. DNSSEC validation is required for trust.
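The name construction above, together with the Zero Trust query parameters listed under API usage, as an added Python example (not the tester's own code). The function names `split_email`, `openpgpkey_hash`, `openpgpkey_name`, `zero_trust_query` and `parse_openpgpkey_name` are chosen here; the `/api/lookup/hash` path and its `email_hash`/`domain` parameters are the ones documented on this page.

```python
import hashlib
import re
from urllib.parse import urlencode

HASH_HEX_LEN = 56  # 28 octets (224 bits) of SHA-256, hex-encoded


def split_email(email: str) -> tuple[str, str]:
    """Split on the last '@' (a quoted local-part may itself contain '@')."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local_part, domain


def openpgpkey_hash(local_part: str) -> str:
    """SHA-256 of the UTF-8 local-part, truncated to 28 octets, hex-encoded."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return digest[:28].hex()


def openpgpkey_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an e-mail address."""
    local_part, domain = split_email(email)
    # The local-part is lowercased before hashing, as the steps above describe;
    # DNS owner names are case-insensitive, so the domain is lowercased as well.
    return f"{openpgpkey_hash(local_part.lower())}._openpgpkey.{domain.lower()}"


def zero_trust_query(email: str) -> str:
    """Query string a browser would send to the tester's Zero Trust endpoint.

    Only the hash and the domain leave the client. The hash is a deterministic
    function of a low-entropy local-part, so it serves key discovery (RFC 7929);
    it is not a confidentiality control against a server that tests guesses.
    """
    local_part, domain = split_email(email)
    params = {"email_hash": openpgpkey_hash(local_part.lower()), "domain": domain.lower()}
    return "/api/lookup/hash?" + urlencode(params)


# <56 lowercase hex chars>._openpgpkey.<domain>; a trailing dot is stripped first.
_NAME_RE = re.compile(rf"^([0-9a-f]{{{HASH_HEX_LEN}}})\._openpgpkey\.(.+)$")


def parse_openpgpkey_name(name: str) -> tuple[str, str]:
    """Validate an OPENPGPKEY owner name (e.g. a QNAME seen in a query log) -> (hash, domain)."""
    m = _NAME_RE.match(name.rstrip(".").lower())
    if not m:
        raise ValueError(f"not an OPENPGPKEY owner name: {name!r}")
    return m.group(1), m.group(2)
```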

Lookup

Zero Trust Mode - Email never leaves your browser

🔒 Privacy & Compliance: Your e-mail address is hashed (SHA-256) client-side in your browser before any data is sent to the server.

This ensures:

  • GDPR Compliance: Privacy by Design (Art. 25) and data minimization (Art. 5): the e-mail address (PII) is never sent to the server
  • Security: Zero Trust architecture built on the assume-breach principle, so a server compromise exposes no e-mail addresses
  • Privacy: the e-mail address never leaves your device and is never logged or stored
  • Transparency: only the hash (56 hex chars) and the domain are transmitted

â„šī¸ A legacy mode is available if client-side hashing fails. See API documentation for details.

For testing purposes, you can use the following form to look up OPENPGPKEY DNS records for a given e-mail address:

API usage

Zero Trust Mode (Recommended): /api/lookup/hash?email_hash=...&domain=...
The e-mail address is hashed client-side; the server only receives the hash and the domain.

Legacy Mode: /api/lookup?email=hugh@example.com
The e-mail address is sent to the server in plain text. Use only if necessary.

You can find the OpenAPI specification and Swagger UI at /api-docs/ui/