gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net
Andrew Gallagher
andrewg at andrewg.com
Fri Jun 25 00:59:32 CEST 2021
On 24/06/2021 22:39, Brandon Anderson via Gnupg-users wrote:
>
>> $ host pool.sks-keyservers.net
>>
>> Host pool.sks-keyservers.net not found: 3(NXDOMAIN)
>>
>> Did these names get permanently deleted? Any workarounds or
>> suggestions would be appreciated.
>
> Hey Alex,
>
> From what I can tell a lot of the keyservers are being shut down. Take a
> look at the message on the SKS site (the SSL cert is expired)
> https://sks-keyservers.net/.

The keyserver *pools* at sks-keyservers.net are no longer maintained for
legal reasons. sks-keyservers.net was receiving GDPR requests, e.g. for
RTBF, that it could not satisfy because the pools had no formal
structure that could compel individual operators to comply with legal
requests. While sks-keyservers.net did not host personal data, it was
providing a DNS round-robin service for keyservers that did, and the
distinction was poorly understood.

Most of the individual keyservers that used to be in the pools are still
working, however. There is a service at https://sks-status.gwolf.org/
that monitors the known keyservers. Scroll to the bottom and click on
the latest "Success" link to see a graph of keyservers that are
currently responsive.

What to do next depends on your use case. If your CI is searching for a
key that is under your own control, then you have more freedom of
choice. If it is searching for someone else's key then you may need to
use whatever keyserver they use.

keys.openpgp.org is the default keyserver for most new installs, and
many long-time users have also switched to it. If you don't have a
particular reason to choose one, this is probably the safest bet. The
main caveat is that it does not serve third-party sigs, and so you won't
be able to verify a downloaded key by its signatures.

keyserver.ubuntu.com is reliable, but is not widely used outside the
Ubuntu developer community. It doesn't get key updates particularly
often, so you may find yourself with a stale copy of your
correspondent's key.

If you need continuity of dataset with the sks-keyservers pool, then you
may prefer to use a Hockeypuck server that was formerly part of the
pool, such as pgpkeys.eu, keyserver.trifence.ch or keys.andreas-puls.de
(other keyservers are available, see https://sks-status.gwolf.org/).
Note that Hockeypuck is generally more reliable than SKS due to
limitations in SKS's design.

Due to the fragmented nature of the keyserver ecosystem at the moment,
you may want to try all of the above. And as mentioned in an earlier
reply, you should probably also search WKD.

--
Andrew Gallagher
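
The advice in the message above (try several keyservers, then WKD) as an added example that is not part of the original post: a CI helper that fetches a key pinned by its full fingerprint and reports which source supplied it. The hosts are those named in the post; the `hkps://` scheme, the server order and the function names `have_key` and `fetch_key` are assumptions.

```shell
#!/bin/sh
# Added example: fetch a pinned key for CI from several keyservers, then WKD.
# Hosts are the ones named in the post; the hkps:// scheme is an assumption.
KEYSERVERS="hkps://keys.openpgp.org hkps://keyserver.ubuntu.com hkps://pgpkeys.eu"

# have_key FPR: succeed only if the local keyring holds a primary key whose
# full fingerprint equals FPR (a short key ID or a search hit is not enough).
have_key() {
    got=$(gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
          awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; exit }')
    [ "$got" = "$1" ]
}

# fetch_key FPR [EMAIL]: print the source that supplied the key, or return 1.
fetch_key() {
    fpr=$1
    email=${2:-}
    if have_key "$fpr"; then echo "local"; return 0; fi
    for ks in $KEYSERVERS; do
        # A successful download only counts if the pinned fingerprint is now present.
        if gpg --batch --keyserver "$ks" --recv-keys "$fpr" >/dev/null 2>&1 &&
           have_key "$fpr"; then
            echo "$ks"; return 0
        fi
    done
    # WKD is looked up by e-mail address, so the result must still match FPR.
    if [ -n "$email" ] &&
       gpg --batch --auto-key-locate clear,nodefault,wkd \
           --locate-keys "$email" >/dev/null 2>&1 &&
       have_key "$fpr"; then
        echo "wkd"; return 0
    fi
    return 1
}
```

Call it as `fetch_key <full-fingerprint> [email]` and fail the job on a non-zero return, so that a key delivered under a different fingerprint never ends up trusted by the build.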