keyserver pools using SRV records for HKP and HKPS [Was: Re: hkps port]

David Shaw dshaw at jabberwocky.com
Tue Apr 21 04:23:14 CEST 2009


On Apr 2, 2009, at 6:54 PM, David Shaw wrote:

> On Apr 2, 2009, at 10:45 AM, Daniel Kahn Gillmor wrote:
>
>> On 04/02/2009 08:56 AM, David Shaw wrote:
>>> Ideally, curl would support SRV internally.  It can do a better  
>>> job than
>>> we can do as a wrapper from outside, as it can properly walk the  
>>> list of
>>> returned servers until one answers.  The best we can do is do a SRV
>>> lookup, run the selection algorithm, and then hope that the best  
>>> choice
>>> is actually running.  Still, it is better than nothing.  If I had  
>>> more
>>> spare time, I'd just write SRV for curl and donate it to them.
>>
>> I agree that using SRV records is a good idea for HKP and HKPS.  And
>> David's suggestion here is structurally the right way to go, even if
>> we're not there yet.
>>
>> But i also note that i don't see any keyserver pools publishing their
>> pool as SRV records at the moment -- only A records.  If we're  
>> going to
>> say that we're making a least-unhappy choice (which is bound to make
>> some operators unhappy), and that SRV records will be the mitigating
>> factor, we should probably clearly encourage keyserver pool  
>> operators to
>> publish their pool as SRV records directly in addition to A records.
>>
>> Or are they already doing this, and i'm just querying the wrong way?
>>
>> dig -t SRV _hkp._tcp.pool.sks-keyservers.net
>> dig -t SRV _hkp._tcp.keys.gnupg.net
>
> Some pools have SRV already and some don't.  Try  
> "_hkp._tcp.subkeys.pgp.net".

I just committed the last bit for re-enabling SRV for hkp (which gives  
us hkps as well).  Sorry for the delay.  I just started a new job, and  
it's been a wee bit busy around here.

If anyone who is tracking the 1.4 branch from svn wants to give it a  
whirl (especially for hkps), please do, and let me know how it works  
for you.  Once I get a response or two, I'll integrate it over to the  
2.0 branch.

David




More information about the Gnupg-devel mailing list