?: keys.gnupg.net: Host not found

Antony Prince antony at blazrsoft.com
Thu Oct 8 21:26:39 CEST 2015


On 10/08/2015 02:39 PM, Yuri Kanivetsky wrote:
> Hi,
> 
> First, the domain name resolves to a bunch of IPs:
> 
...
> 
> And the list of IPs is not fixed (changes over time), so it must be some
> kind of pool (as the name suggests). Then, not all of them ping:

It is a pool. keys.gnupg.net is just an alias for the SKS server
pool[1], IIRC. I host a server in this pool and it is set to drop all
IPv4 ICMP packets, so it will not respond to a ping even though the server
is online. It will respond to ICMPv6 pings, however.

...
> 
> Then, can't it pick the first IP that works? And what's wrong with this
> keyserver? Is it an official one? If such a thing exists, that is. Can
> you recommend any other that has better uptime? AFAICS, there is at
> least one IP that doesn't work. And finally, why can't I reproduce it on
> the host machine, running Arch Linux with gnupg-2.1.8? The tests in the
> email I did on Ubuntu Vivid.
> 

Only servers running SKS 1.1.5 or higher are allowed in the pool.
Inclusion in the pool is voluntary, so there aren't any "official"
servers, so to speak, but there are criteria for being included in the
main pool. These include having a reverse proxy in front of the SKS
server, the hostname of the server must resolve properly, and the server
cannot be missing more than a certain percentage of keys compared to
other servers in the pool. The pool is checked every hour and only
servers meeting the criteria are included. Using a specific keyserver is
generally frowned upon since the pool was created to help distribute the
load evenly over the servers. As far as uptime, if the server did not
respond during the last check of the pool, it will not be included. So,
in rare cases, there may be one or two servers in the pool that are not
currently responding, but did so during the last check of the pool. If
they do not respond at the next check, they are removed from the main pool.

I am also NOT able to reproduce this error on XUbuntu 14.04 x64:

gpg (GnuPG) 2.1.8
libgcrypt 1.7.0-beta261
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

antony at 050415:~/Desktop$ gpg2 --keyserver hkp://keys.gnupg.net --recv-key 0x409B6B1796C275462A1703113804BB82D39DC0E3
gpg: key D39DC0E3: public key "Michal Papis (RVM signing) <mpapis at gmail.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   0  trust: 1-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-10-28
gpg: Total number processed: 1
gpg:               imported: 1

[1] https://sks-keyservers.net/overview-of-pools.php

-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591FF17F7A4AA8D0F659C482AF3D4087301B1B19
URL: https://keyserver.blazrsoft.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20151008/058aa9c6/attachment.sig>
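
Added example (not part of the original message, and not GnuPG or SKS code): because a pool member may drop ICMP while still serving keys, a TCP connect to the keyserver port is a better liveness check than ping. The function names, the 3-second timeout and the use of port 11371 (the default for hkp:// URLs) are assumptions of this sketch.

```python
import socket

HKP_PORT = 11371  # default hkp:// port (assumption: the member exposes it)

def resolve_pool(hostname, port=HKP_PORT):
    """Return the unique (family, address) pairs the pool name resolves to."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, port, type=socket.SOCK_STREAM):
        entry = (family, sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen

def tcp_reachable(family, address, port=HKP_PORT, timeout=3.0):
    """True if a TCP connection to address:port completes within timeout."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True
    except OSError:  # refused, timed out, no route, unsupported family
        return False

def probe_pool(members, port=HKP_PORT, timeout=3.0):
    """Probe every member; return (reachable, unreachable) address lists."""
    up, down = [], []
    for family, address in members:
        ok = tcp_reachable(family, address, port, timeout)
        (up if ok else down).append(address)
    return up, down

def first_working(members, port=HKP_PORT, timeout=3.0):
    """Return the first member that accepts a connection, or None."""
    for family, address in members:
        if tcp_reachable(family, address, port, timeout):
            return address
    return None

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "keys.gnupg.net"
    up, down = probe_pool(resolve_pool(name))
    print("accepting TCP/%d:" % HKP_PORT, up)
    print("not accepting:", down)
```

A member listed under "not accepting" here but present in the pool matches the case described above: it answered the last hourly pool check and has stopped responding since.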

