Mailing List Archive: GnuPG: devel

keyserver pools using SRV records for HKP and HKPS [Was: Re: hkps port]

Index | Next | Previous | View Threaded

dkg at fifthhorseman

Apr 2, 2009, 7:45 AM

Post #1 of 4 (865 views)
Permalink

keyserver pools using SRV records for HKP and HKPS [Was: Re: hkps port]

On 04/02/2009 08:56 AM, David Shaw wrote:
> Ideally, curl would support SRV internally. It can do a better job than
> we can do as a wrapper from outside, as it can properly walk the list of
> returned servers until one answers. The best we can do is do a SRV
> lookup, run the selection algorithm, and then hope that the best choice
> is actually running. Still, it is better than nothing. If I had more
> spare time, I'd just write SRV for curl and donate it to them.

I agree that using SRV records is a good idea for HKP and HKPS. And
David's suggestion here is structurally the right way to go, even if
we're not there yet.

But i also note that i don't see any keyserver pools publishing their
pool as SRV records at the moment -- only A records. If we're going to
say that we're making a least-unhappy choice (which is bound to make
some operators unhappy), and that SRV records will be the mitigating
factor, we should probably clearly encourage keyserver pool operators to
publish their pool as SRV records directly in addition to A records.

Or are they already doing this, and i'm just querying the wrong way?

dig -t SRV _hkp._tcp.pool.sks-keyservers.net
dig -t SRV _hkp._tcp.keys.gnupg.net

both return empty sets.

--dkg

Attachments:

signature.asc (0.87 KB)

gnupg-devel at spodhuis

Apr 2, 2009, 8:07 AM

Post #2 of 4 (807 views)
Permalink

Re: keyserver pools using SRV records for HKP and HKPS [Was: Re: hkps port] [In reply to]

On 2009-04-02 at 10:45 -0400, Daniel Kahn Gillmor wrote:
> On 04/02/2009 08:56 AM, David Shaw wrote:
> > Ideally, curl would support SRV internally. It can do a better job than
> > we can do as a wrapper from outside, as it can properly walk the list of
> > returned servers until one answers. The best we can do is do a SRV
> > lookup, run the selection algorithm, and then hope that the best choice
> > is actually running. Still, it is better than nothing. If I had more
> > spare time, I'd just write SRV for curl and donate it to them.
>
> I agree that using SRV records is a good idea for HKP and HKPS. And
> David's suggestion here is structurally the right way to go, even if
> we're not there yet.
>
> But i also note that i don't see any keyserver pools publishing their
> pool as SRV records at the moment -- only A records. If we're going to
> say that we're making a least-unhappy choice (which is bound to make
> some operators unhappy), and that SRV records will be the mitigating
> factor, we should probably clearly encourage keyserver pool operators to
> publish their pool as SRV records directly in addition to A records.
>
> Or are they already doing this, and i'm just querying the wrong way?
>
> dig -t SRV _hkp._tcp.pool.sks-keyservers.net
> dig -t SRV _hkp._tcp.keys.gnupg.net
>
> both return empty sets.

Well, there's already a well-established port for 11371 so there's been
no need to, really; sure, port numbers can be published but there's no
point if most clients won't actually use the port number. The issue was
what to do with hkps.

At the moment, hkps *can* be done with a reverse proxy in front of the
KHP service providing the SSL stuff (and probably query-logging too).
So it's plausible to develop a client which can be tested in use.

Developing native SSL support in the servers could do with client
support to test against. And since David has kindly written this for
us, we just need to wait for the next release to test.

While I don't run any public pools I do know what's involved, as for
self-education I maintain a pool name (under a deliberately long DNS
name to discourage use); really, exporting hostnames as well as IPs
would be trivial and once hkps support is in SKS, including the port on
the stats page and including that in the results will also be trivial.

Of course, I don't issue SSL certs so probably shouldn't publish hkps
records. ;-)

-Phil

dshaw at jabberwocky

Apr 2, 2009, 3:54 PM

Post #3 of 4 (797 views)
Permalink

Re: keyserver pools using SRV records for HKP and HKPS [Was: Re: hkps port] [In reply to]

On Apr 2, 2009, at 10:45 AM, Daniel Kahn Gillmor wrote:

> On 04/02/2009 08:56 AM, David Shaw wrote:
>> Ideally, curl would support SRV internally. It can do a better job
>> than
>> we can do as a wrapper from outside, as it can properly walk the
>> list of
>> returned servers until one answers. The best we can do is do a SRV
>> lookup, run the selection algorithm, and then hope that the best
>> choice
>> is actually running. Still, it is better than nothing. If I had
>> more
>> spare time, I'd just write SRV for curl and donate it to them.
>
> I agree that using SRV records is a good idea for HKP and HKPS. And
> David's suggestion here is structurally the right way to go, even if
> we're not there yet.
>
> But i also note that i don't see any keyserver pools publishing their
> pool as SRV records at the moment -- only A records. If we're going
> to
> say that we're making a least-unhappy choice (which is bound to make
> some operators unhappy), and that SRV records will be the mitigating
> factor, we should probably clearly encourage keyserver pool
> operators to
> publish their pool as SRV records directly in addition to A records.
>
> Or are they already doing this, and i'm just querying the wrong way?
>
> dig -t SRV _hkp._tcp.pool.sks-keyservers.net
> dig -t SRV _hkp._tcp.keys.gnupg.net

Some pools have SRV already and some don't. Try
"_hkp._tcp.subkeys.pgp.net".

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

dshaw at jabberwocky

Apr 20, 2009, 7:23 PM

Post #4 of 4 (733 views)
Permalink

Re: keyserver pools using SRV records for HKP and HKPS [Was: Re: hkps port] [In reply to]

On Apr 2, 2009, at 6:54 PM, David Shaw wrote:

> On Apr 2, 2009, at 10:45 AM, Daniel Kahn Gillmor wrote:
>
>> On 04/02/2009 08:56 AM, David Shaw wrote:
>>> Ideally, curl would support SRV internally. It can do a better
>>> job than
>>> we can do as a wrapper from outside, as it can properly walk the
>>> list of
>>> returned servers until one answers. The best we can do is do a SRV
>>> lookup, run the selection algorithm, and then hope that the best
>>> choice
>>> is actually running. Still, it is better than nothing. If I had
>>> more
>>> spare time, I'd just write SRV for curl and donate it to them.
>>
>> I agree that using SRV records is a good idea for HKP and HKPS. And
>> David's suggestion here is structurally the right way to go, even if
>> we're not there yet.
>>
>> But i also note that i don't see any keyserver pools publishing their
>> pool as SRV records at the moment -- only A records. If we're
>> going to
>> say that we're making a least-unhappy choice (which is bound to make
>> some operators unhappy), and that SRV records will be the mitigating
>> factor, we should probably clearly encourage keyserver pool
>> operators to
>> publish their pool as SRV records directly in addition to A records.
>>
>> Or are they already doing this, and i'm just querying the wrong way?
>>
>> dig -t SRV _hkp._tcp.pool.sks-keyservers.net
>> dig -t SRV _hkp._tcp.keys.gnupg.net
>
> Some pools have SRV already and some don't. Try
> "_hkp._tcp.subkeys.pgp.net".

I just committed the last bit for re-enabling SRV for hkp (which gives
us hkps as well). Sorry for the delay. I just started a new job, and
it's been a wee bit busy around here.

If anyone who is tracking the 1.4 branch from svn wants to give it a
whirl (especially for hkps), please do, and let me know how it works
for you. Once I get a response or two, I'll integrate it over to the
2.0 branch.

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads