DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

David Shaw dshaw@jabberwocky.com
Wed Jul 10 16:48:02 2002


On Wed, Jul 10, 2002 at 01:55:07PM +0200, Simon Josefsson wrote:
> David Shaw <dshaw@jabberwocky.com> writes:

> > The performance issue I'm actually concerned about is that the current
> > keyserver code in GnuPG does a fork/exec for each retrieval.  That is
> > pretty heavyweight compared to the UDP DNS protocol.  If we are to use
> > this for a lightweight key revocation check, I will revise the
> > keyserver code to keep the pipe to the subprocess open for multiple
> > queries.
> 
> Communicating via a socket might be the way to go.  Btw, if you use
> several key servers, are they called asynchronous?  I'd like to add
> lots of keyservers and have gpg use the answer from the first one.
> Right now it seems that if one of the keyservers are down, gpg stalls.

That's an interesting idea.  The current behavior takes one (the last
specified) keyserver and uses it.  If that keyserver is wedged, GnuPG
will block until it times out.

Are you suggesting querying multiple keyservers at once and taking the
first answer, or suggesting having a list of keyservers and quering
them in order until one answers.  I rather like the second idea, but
not the first for load reasons.

Another way to implement the second idea would be to treat keyservers
with multiple IP addresses as multiple keyservers
(i.e. wwwkeys.pgp.net, which is made up of several different
keyservers).

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson