dshaw at jabberwocky.com
Thu Apr 2 14:56:48 CEST 2009
On Apr 2, 2009, at 8:43 AM, Werner Koch wrote:
> On Thu, 2 Apr 2009 13:26, dshaw at jabberwocky.com said:
>> for all the problems. Some sites can *only* connect over 443 because
>> of firewalling rules. I'm rather liking Phil's SRV suggestion at the
> We have port 80 keyservers as well but they are not the default.
> keyservers exists because of the firewall problems.
> What about round robin DNS names: We could put the port 443 keyservers
> into http-keys.gnupg.net - they are used by people with firewall
> problems and thus we can be quite sure that those firewalls will also
> allow port 443. I think this is a less surprising way than to
> another list of https-keys.gnupg.net with the hkps servers which can't
> be bound to port 443.
I think this is a good idea and should be the standard practice.
> I have no problems with the SRV record suggestion, either.
Ideally, curl would support SRV internally. It can do a better job
than we can do as a wrapper from outside, as it can properly walk the
list of returned servers until one answers. The best we can do is do
a SRV lookup, run the selection algorithm, and then hope that the best
choice is actually running. Still, it is better than nothing. If I
had more spare time, I'd just write SRV for curl and donate it to them.
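
The difference described above between picking one SRV target from outside and walking the returned list, as an added example that is not part of the original message and is not GnuPG or curl code. It orders records with the RFC 2782 selection algorithm; the record values, the host names and the is_up probe callback are constructed for illustration.

```python
import random

# Constructed sample SRV answer: (priority, weight, port, target).
RECORDS = [
    (10, 60, 443, "keys-a.example.net"),
    (10, 40, 443, "keys-b.example.net"),
    (20, 0, 80, "keys-c.example.net"),
]

def order_srv(records, rng=random):
    """Return records in RFC 2782 try-order: lowest priority value first,
    weighted random order inside each priority group."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Weight-0 entries go first so they keep a small chance of selection.
        group = sorted((r for r in records if r[0] == prio),
                       key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered

def first_choice_only(records, is_up, rng=random):
    """Wrapper approach: select one target and hope it is running."""
    ordered = order_srv(records, rng)
    if not ordered:
        return None
    _, _, port, target = ordered[0]
    return (target, port) if is_up(target, port) else None

def walk_until_answer(records, is_up, rng=random):
    """In-client approach: try each target in order until one answers."""
    for _, _, port, target in order_srv(records, rng):
        if is_up(target, port):
            return (target, port)
    return None

if __name__ == "__main__":
    down = {"keys-a.example.net", "keys-b.example.net"}  # constructed outage
    probe = lambda host, port: host not in down          # hypothetical probe
    print("first choice only:", first_choice_only(RECORDS, probe))
    print("walk the list:    ", walk_until_answer(RECORDS, probe))
```

With both priority-10 hosts down, the single-choice path fails while the list walk falls through to the priority-20 host.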
More information about the Gnupg-devel