DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Simon Josefsson jas@extundo.com
Wed Jul 10 18:33:01 2002


David Shaw <dshaw@jabberwocky.com> writes:

> On Wed, Jul 10, 2002 at 01:55:07PM +0200, Simon Josefsson wrote:
>> David Shaw <dshaw@jabberwocky.com> writes:
>
>> > The performance issue I'm actually concerned about is that the current
>> > keyserver code in GnuPG does a fork/exec for each retrieval.  That is
>> > pretty heavyweight compared to the UDP DNS protocol.  If we are to use
>> > this for a lightweight key revocation check, I will revise the
>> > keyserver code to keep the pipe to the subprocess open for multiple
>> > queries.
>> 
>> Communicating via a socket might be the way to go.  Btw, if you use
>> several key servers, are they called asynchronously?  I'd like to add
>> lots of keyservers and have gpg use the answer from the first one.
>> Right now it seems that if one of the keyservers is down, gpg stalls.
>
> That's an interesting idea.  The current behavior takes one (the last
> specified) keyserver and uses it.  If that keyserver is wedged, GnuPG
> will block until it times out.
>
> Are you suggesting querying multiple keyservers at once and taking the
> first answer, or suggesting having a list of keyservers and querying
> them in order until one answers?  I rather like the second idea, but
> not the first for load reasons.

I'm not sure which one is the best, my concern is only from the user
side of things where it hangs.  It would be nice to somehow be able to
specify several servers and have gpg continue to work when some of
them are down.

> Another way to implement the second idea would be to treat keyservers
> with multiple IP addresses as multiple keyservers
> (i.e. wwwkeys.pgp.net, which is made up of several different
> keyservers).

Yes.
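The "second idea" from the thread, combined with the multi-address expansion, as an added example that is not part of the original mail or of GnuPG: an ordered list of keyservers is walked, each name is expanded into its individual addresses, and a server that is down or wedged is skipped after a hard timeout instead of stalling the whole lookup. The HKP request format and port 11371 are the ones GnuPG's HTTP keyserver helper speaks; the host names and addresses in `demo()` are constructed for an offline run.

```python
# Added example, not GnuPG's own code: walk an ordered keyserver list, expand
# each name into its individual addresses, and return the first answer; a
# server that is down or times out is skipped instead of stalling the lookup.
import socket

def resolve_all(host):
    """Every address a name maps to (wwwkeys.pgp.net style round-robin pool)."""
    seen, addrs = set(), []
    for info in socket.getaddrinfo(host, None, type=socket.SOCK_STREAM):
        if info[4][0] not in seen:
            seen.add(info[4][0])
            addrs.append(info[4][0])
    return addrs

def hkp_query(addr, port, keyid, timeout):
    """Minimal HKP op=get over TCP with a hard per-connection timeout."""
    req = f"GET /pks/lookup?op=get&search={keyid} HTTP/1.0\r\nHost: {addr}\r\n\r\n"
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(req.encode())   # socket.timeout is an OSError, caught below
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def fetch_key(keyservers, keyid, query=hkp_query, resolve=resolve_all,
              port=11371, timeout=5.0):
    """Try each keyserver, and each of its addresses, in order; return
    (address, data) from the first that answers, or None if all fail."""
    for host in keyservers:
        try:
            addrs = resolve(host)
        except OSError:
            continue                      # name does not resolve: skip it
        for addr in addrs:
            try:
                return addr, query(addr, port, keyid, timeout)
            except OSError:
                continue                  # down or wedged: try the next one
    return None

def demo():
    """Constructed offline case: a dead host, then a pool whose 2nd address answers."""
    table = {"dead.example": ["192.0.2.1"],
             "pool.example": ["192.0.2.2", "192.0.2.3"]}
    def fake_query(addr, port, keyid, timeout):
        if addr != "192.0.2.3":
            raise socket.timeout("timed out")
        return b"KEY:" + keyid.encode()
    return fetch_key(["dead.example", "pool.example"], "0xDEADBEEF",
                     query=fake_query, resolve=table.__getitem__)
```

Querying all servers at once and keeping the first reply (the "first idea") is deliberately not shown; with the per-address timeout above, the worst case is the sum of the timeouts, not an indefinite hang.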