Hostname of key server pool disappeared? hkps.pool.sks-keyservers.net
Werner Koch
wk at gnupg.org
Tue Mar 19 08:18:43 CET 2019
On Mon, 18 Mar 2019 23:09, ml-gnupg-xix.iii at linuxwan.net said:
> keys.gnupg.net is just a CNAME for hkps.pool.sks-keyservers.net. This
> host appears to be the default for GnuPG configs.
FWIW, keys.gnupg.net is a hardcoded alias in dirmngr since 2.2.7 and
thus the CNAME is not used since that version of GnuPG. For details see
https://dev.gnupg.org/T3755 or the code snippet below.
Shalom-Salam,
Werner
--8<---------------cut here---------------start------------->8---
  /* We used to have DNS CNAME redirection from the URLs below to
   * sks-keyserver pools. The idea was to allow for a quick way to
   * switch to a different set of pools. The problem with that
   * approach is that TLS needs to verify the hostname and - because
   * DNS is not secured - it can only check the user supplied hostname
   * and not a hostname from a CNAME RR. Thus the final servers all
   * need to have certificates with the actual pool name as well as
   * for keys.gnupg.net - that would render the advantage of
   * keys.gnupg.net useless and so we better give up on this. Because
   * the keys.gnupg.net URL are still in widespread use we do a static
   * mapping here.
   */
  if (!strcmp (uri, "hkps://keys.gnupg.net")
      || !strcmp (uri, "keys.gnupg.net"))
    uri = "hkps://hkps.pool.sks-keyservers.net";
  else if (!strcmp (uri, "https://keys.gnupg.net"))
    uri = "https://hkps.pool.sks-keyservers.net";
  else if (!strcmp (uri, "hkp://keys.gnupg.net"))
    uri = "hkp://hkps.pool.sks-keyservers.net";
  else if (!strcmp (uri, "http://keys.gnupg.net"))
    uri = "http://hkps.pool.sks-keyservers.net";
  else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
           || !strcmp (uri, "http-keys.gnupg.net"))
    uri = "hkps://ha.pool.sks-keyservers.net";
  else if (!strcmp (uri, "https://http-keys.gnupg.net"))
    uri = "https://ha.pool.sks-keyservers.net";
  else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
    uri = "hkp://ha.pool.sks-keyservers.net";
  else if (!strcmp (uri, "http://http-keys.gnupg.net"))
    uri = "http://ha.pool.sks-keyservers.net";
--8<---------------cut here---------------end--------------->8---
--
Thoughts are free. Exceptions are regulated by a federal law.
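The reasoning in the quoted source comment, as an added example that is not part of the message above and is not GnuPG code: a certificate issued for the pool name fails verification against the alias the user typed, and passes once the alias is rewritten locally before DNS is consulted. The function names, the table-driven rewrite (which goes beyond the snippet by keeping whatever scheme was given), the simplified name matching and the one-entry certificate name list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not GnuPG code.  Alias -> pool pairs from the snippet above. */
static const char *const alias_map[][2] = {
  { "keys.gnupg.net",      "hkps.pool.sks-keyservers.net" },
  { "http-keys.gnupg.net", "ha.pool.sks-keyservers.net" },
};

/* Rewrite URI into OUT before any DNS lookup.  A bare alias gets hkps;
 * unlike the original, any scheme is kept.  Returns the host TLS verifies. */
const char *rewrite_uri (const char *uri, char *out, size_t outlen)
{
  const char *sep = strstr (uri, "://");
  const char *host = sep ? sep + 3 : uri;
  const char *scheme = sep ? uri : "hkps";
  int schemelen = sep ? (int)(sep - uri) : 4;
  snprintf (out, outlen, "%s", uri);
  for (size_t i = 0; i < sizeof alias_map / sizeof *alias_map; i++)
    if (!strcmp (host, alias_map[i][0]))
      snprintf (out, outlen, "%.*s://%s", schemelen, scheme, alias_map[i][1]);
  return (sep = strstr (out, "://")) ? sep + 3 : out;
}

/* Simplified dNSName match: exact, or "*." covering one leftmost label. */
int san_matches (const char *san, const char *ref)
{
  const char *dot = strchr (ref, '.');
  if (!strncmp (san, "*.", 2))
    return dot && dot != ref && !strcasecmp (san + 1, dot);
  return !strcasecmp (san, ref);
}

/* Check REF (never a CNAME target) against the certificate's names. */
int cert_valid_for (const char *const *sans, size_t n, const char *ref)
{
  while (n--)
    if (san_matches (sans[n], ref))
      return 1;
  return 0;
}

int main (void)
{
  const char *const sans[] = { "hkps.pool.sks-keyservers.net" }; /* constructed */
  char buf[128];
  const char *ref = rewrite_uri ("keys.gnupg.net", buf, sizeof buf);
  return !(cert_valid_for (sans, 1, ref) && !cert_valid_for (sans, 1, "keys.gnupg.net"));
}
```

The program exits 0 when the constructed pool certificate is rejected for the typed alias and accepted for the rewritten name.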