On 24/06/2021 22:39, Brandon Anderson via Gnupg-users wrote:

$ host pool.sks-keyservers.net

Host pool.sks-keyservers.net not found: 3(NXDOMAIN)

Did these names get permanently deleted? Any workarounds or suggestions would be appreciated.

Hey Alex,

From what I can tell a lot of the keyservers are being shut down. Take a look at the message on the SKS site (the SSL cert is expired) https://sks-keyservers.net/.

The keyserver *pools* at sks-keyservers.net are no longer maintained for legal reasons. sks-keyservers.net was receiving GDPR requests, e.g. for RTBF, that it could not satisfy because the pools had no formal structure that could compel individual operators to comply with legal requests. While sks-keyservers.net did not host personal data, it was providing a DNS round-robin service for keyservers that did, and the distinction was poorly understood.

Most of the individual keyservers that used to be in the pools are still working, however. There is a service at https://sks-status.gwolf.org/ that monitors the known keyservers. Scroll to the bottom and click on the latest "Success" link to see a graph of keyservers that are currently responsive.

What to do next depends on your use case. If your CI is searching for a key that is under your own control, then you have more freedom of choice. If it is searching for someone else's key then you may need to use whatever keyserver they use.

keys.openpgp.org is the default keyserver for most new installs, and many long-time users have also switched to it. If you don't have a particular reason to choose one, this is probably the safest bet. The main caveat is that it does not serve third-party sigs, and so you won't be able to verify a downloaded key by its signatures.

keyserver.ubuntu.com is reliable, but is not widely used outside the Ubuntu developer community. It doesn't get key updates particularly often, so you may find yourself with a stale copy of your correspondent's key.

If you need continuity of dataset with the sks-keyservers pool, then you may prefer to use a Hockeypuck server that was formerly part of the pool, such as pgpkeys.eu, keyserver.trifence.ch or keys.andreas-puls.de (other keyservers are available, see https://sks-status.gwolf.org/). Note that Hockeypuck is generally more reliable than SKS due to limitations in SKS's design.

Due to the fragmented nature of the keyserver ecosystem at the moment, you may want to try all of the above. And as mentioned in an earlier reply, you should probably also search WKD.

--
Andrew Gallagher
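
The fallback described in the message above (try each keyserver in turn, then WKD), as an added shell sketch for a CI job; it is not part of the original post. The names `fetch_key`, `have_key`, `KEYSERVERS` and `GPG`, and the `hkps://` scheme on each host, are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Server order is an assumption; hosts are the ones named above.
KEYSERVERS="hkps://keys.openpgp.org hkps://keyserver.ubuntu.com hkps://pgpkeys.eu"
GPG="${GPG:-gpg}"   # overridable so the logic can be exercised without network

# have_key FINGERPRINT
# True only if the full fingerprint is present in the local keyring.
have_key() {
    $GPG --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$1"
}

# fetch_key FINGERPRINT [EMAIL]
# Tries each keyserver by full fingerprint, then WKD if EMAIL is given.
# Prints the source that delivered the key; returns 1 if none did.
fetch_key() {
    fpr=$1
    email=${2:-}
    for ks in $KEYSERVERS; do
        # A server can answer without the expected key ending up in the
        # keyring, so success is decided by the keyring, not the exit code.
        if $GPG --batch --keyserver "$ks" --recv-keys "$fpr" >/dev/null 2>&1 &&
           have_key "$fpr"; then
            echo "$ks"
            return 0
        fi
    done
    # WKD looks up by address, so the result is still pinned to the fingerprint.
    if [ -n "$email" ] &&
       $GPG --batch --auto-key-locate clear,wkd --locate-keys "$email" >/dev/null 2>&1 &&
       have_key "$fpr"; then
        echo "wkd"
        return 0
    fi
    return 1
}
```

Pinning the full fingerprint in the CI configuration means the choice of keyserver affects only availability, not which key is accepted.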
