Non-blocking connect for dirmngr

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 8 21:55:43 CEST 2017


On Thu 2017-06-08 18:28:18 +0200, Werner Koch wrote:
> When using --auto-key-retrieve or --auto-key-locate to automagically
> retrieve keys from the Web Key Directory (WKD) or keyservers it often
> happens that a server does not respond timely.
>
> Keyservers may be down and dirmngr would then select another keyserver.
> However, it may take several minutes until the connect call returns an
> error.  Annoying.

thanks for working on fixing this, Werner!  It's definitely important if
GnuPG is going to be making these queries.

> Even more annoying are WKD queries to servers which don't support this
> service and - worse - don't run a web server at all at the expected
> address.  For example one of our core hackers has an address at iki.fi.
> Now when dirmngr want to lookup an address it tries
> https://iki.fi/foo/bar and hangs (plain http redirects to www.iki.fo and
> works).  After it times out the code tries the next server listed for
> that address, until that one times out as well.  Finally after 3 times
> the default timeout you get an error message back.  That can be 15
> minutes or more.  Clearly not acceptable.

Another approach could be "happy eyeballs" -- if the name resolves to 2
IP addresses, connect to both of them concurrently and take the first
connection that completes.  You wouldn't want to do this if there was a
hundred IP addresses, but there's probably a reasonable middle-ground
that gets you both resiliency when one host is down, and avoids flodding
the network.  perhaps up to 4 outstanding concurrent connections?  And
as they fail, if there are as-yet-untried addresses, they could launch
them.

that'd allow you to keep a reasonable timeout so that sluggish servers
have a chance to respond, while not having responsive servers get stuck
behind sluggish servers if they exist.

     --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170608/bc5517e2/attachment.sig>


More information about the Gnupg-devel mailing list