FAQ: which keyserver to use? keys.gnupg.org

Phil Pennock gnupg-devel at spodhuis.org
Sat Jul 4 22:35:16 CEST 2015


On 2015-07-03 at 10:54 +0200, Bernhard Reiter wrote:
> BTW: It would be cool to have a page to link to that explains
> how the service keys.gnupg.net is run. (There is only
> a small section in 
> https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html 
> that I've found )

(I can't speak for anyone but me; my position is as a keyserver operator
 who debugs problems for others; I also wrote the main doc on what's
 needed to get up and running with a keyserver which peers with others)

The `keys.gnupg.net` hostname is an alias maintained by the GnuPG
developers, so that they can point it at any service of their choosing
and have clients which use the defaults be updated.  This way, they have
maximum flexibility to do what they think best for their user-base.

At this time, the alias (DNS CNAME) points to a pool hostname maintained
by Kristian Fiskerstrand, with DNS secondarying provided by volunteers.
You can find more information about this pool at:

  https://sks-keyservers.net/

The main PGP keyserver implementation "peers" with others, to spread
keys via a gossip system, and exports information to let you see which
others it talks to, so it's possible to spider across all the keyservers
in a mutually-reachable set.  Pool software does just this, collecting
public information and including the keyservers run by volunteers and
filtering according to various criteria.  Kristian lists the various
pools and the criteria for each, for the pools he runs.  Anyone can run
their own pool: it's only a collection of DNS entries pointing to
servers.  (Exclusion from public pools currently requires manual
requests; there's a proposal to have an exported status flag to request
to be excluded automatically.)

If you want a better chance of each key request being answered without
error, use `ha.pool.sks-keyservers.net`, which requires that each
keyserver IP be a cluster of servers with a reverse proxy in front.

  https://sks-keyservers.net/overview-of-pools.php

-Phil

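The pool mechanics described above (walk the gossip mesh through each server's exported peer list, filter the servers found against the pool's criteria, then publish the survivors as nothing more than a set of DNS entries), as an added worked example. This is not code from the post, from SKS, or from sks-keyservers.net. The stats-page markup, host names, versions and addresses below are constructed stand-ins so the script runs offline; a real pool builder would fetch each server's `/pks/lookup?op=stats` page, and the exact markup of that page is an assumption here. The manual exclusion list stands in for the "manual requests" the post mentions.

```python
"""Toy SKS pool builder: spider gossip peers, apply criteria, emit DNS records.

Added example; not code from the original post, SKS or sks-keyservers.net.
Everything under "constructed data" is made up for an offline run, and the
stats-page format the parser expects is an assumption about SKS output.
"""
import re
from collections import deque

# --- constructed data (stand-in for network fetches) ----------------------
# Keyed by HKP "host:port". Real SKS serves a stats page at
# http://host:11371/pks/lookup?op=stats; the simplified markup below is an
# assumption about its shape ("host port" cells under a Gossip Peers heading).
STATS_PAGES = {
    "keys1.example:11371": """
<h2>Settings</h2>
<table><tr><td>Hostname:</td><td>keys1.example</td></tr>
<tr><td>Version:</td><td>1.1.5</td></tr></table>
<h2>Gossip Peers</h2>
<table><tr><td>keys2.example 11370</td></tr>
<tr><td>keys3.example 11370</td></tr></table>
""",
    "keys2.example:11371": """
<h2>Settings</h2>
<table><tr><td>Hostname:</td><td>keys2.example</td></tr>
<tr><td>Version:</td><td>1.1.3</td></tr></table>
<h2>Gossip Peers</h2>
<table><tr><td>keys1.example 11370</td></tr>
<tr><td>keys4.example 11370</td></tr></table>
""",
    "keys3.example:11371": """
<h2>Settings</h2>
<table><tr><td>Hostname:</td><td>keys3.example</td></tr>
<tr><td>Version:</td><td>1.1.5</td></tr></table>
<h2>Gossip Peers</h2>
<table><tr><td>keys1.example 11370</td></tr></table>
""",
    # keys4.example is advertised as a peer but never answers, so it
    # must not end up in the pool.
}

# Constructed forward-DNS answers for the candidate hosts.
HOST_ADDRS = {
    "keys1.example": "192.0.2.1",
    "keys2.example": "192.0.2.2",
    "keys3.example": "192.0.2.3",
}

HKP_PORT = 11371
PEER_RE = re.compile(r"<td>([\w.-]+)\s+(\d+)</td>")
VERSION_RE = re.compile(r"Version:</td><td>([\d.]+)</td>")


def fetch_stats(host):
    """Offline stand-in for an HTTP GET of the stats page; None if unreachable."""
    return STATS_PAGES.get(f"{host}:{HKP_PORT}")


def parse_stats(page):
    """Return (version tuple, [peer hostnames]) from a stats page."""
    m = VERSION_RE.search(page)
    version = tuple(int(x) for x in m.group(1).split(".")) if m else (0,)
    peers = [host for host, _recon_port in PEER_RE.findall(page)]
    return version, peers


def spider(seed):
    """Breadth-first walk of the gossip mesh starting from one seed host.

    Returns {host: version} for every server reached; a peer that is
    advertised but never answers is recorded with version None.
    """
    seen = {}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        if host in seen:
            continue
        page = fetch_stats(host)
        if page is None:
            seen[host] = None  # advertised by a peer, but unreachable
            continue
        version, peers = parse_stats(page)
        seen[host] = version
        queue.extend(p for p in peers if p not in seen)
    return seen


def build_pool(servers, min_version=(1, 1, 5), excluded=()):
    """Apply pool criteria: reachable, recent enough, not manually excluded."""
    return [
        host
        for host, version in sorted(servers.items())
        if version is not None and version >= min_version and host not in excluded
    ]


def zone_records(pool_name, members, ttl=300):
    """Render the pool as round-robin A records, one per member."""
    return [f"{pool_name}. {ttl} IN A {HOST_ADDRS[host]}" for host in members]


if __name__ == "__main__":
    mesh = spider("keys1.example")
    for rr in zone_records("pool.example", build_pool(mesh)):
        print(rr)
```

Running it prints two A records for `pool.example` (keys1 and keys3): keys2 fails the version criterion and keys4 never answered, which is exactly the kind of filtering a pool applies before a client's `keyserver` setting ever resolves to a host.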