Re: [Sks-devel] keys.gnupg.net anomaly
On 2016-04-28 at 16:22 +0200, Kiss Gabor (Bitman) wrote:
> I found requests for https://keys.gnupg.net/ in my Apache logs
> on keys.niif.hu. Of course they were unsuccessful because
> my HTTP daemon is not set up to provide this virtual site.
> Phil Pennock writes on http://sks.spodhuis.org/:
> | End-users should use a pool definition, such as keys.gnupg.net which will
> | alias into an operational pool.
>
> So this seems to be a well known situation but I don't believe
> it would be a wise thing.

This is only required for port 11371 and is explicitly covered in
https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

} HTTP Performance
} [...]
} Beware that for port 11371 traffic, you *must* be able to handle
} requests with _any_ `Host:` header, for the various pools and CNAMEs
} which exist, and you *must* accept requests with no `User-Agent:`
} header set, as at least one major OpenPGP HKP client refuses to set a
} User-Agent field when talking to keyservers.

This is handled in all of the configuration examples provided.

SKS on its own doesn't look at Host: headers and if you put a proxy in
front of it (as you should because of the single-request-at-a-time
implementation of SKS) then ideally you'll preserve this host-agnostic
behaviour on port 11371 if you wish to be a part of the public pools.

Ideally the pool DNS maintenance checks would enforce this. The code is
available at: https://git.sumptuouscapital.com/ and I'm pretty sure that
Kristian takes patches.

What hostnames you handle on 80/443 is a different matter. For myself, I
prefer to avoid serving real content on arbitrary hostnames (DNS
rebinding attacks, etc) so always have a catchall dummy default with no
content. For the SKS IP address though, the server configuration
includes the `/pks/` handling fragment even on that vhost, so that HKP
works.

I then have a vhost configuration for known pools which also includes
the `/pks/` config fragment, but has:

    location / {
        rewrite ^ $scheme://sks.spodhuis.org$request_uri redirect;
    }

so that requests for any other resource will receive redirects; this
way, if someone browses to http://ha.pool.sks-keyservers.net/ and hits
my server, they'll get a redirect _before_ getting the HTML which
includes other page resources, so other server operators won't be hit
with arbitrary URI loads because of my site.

-Phil

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
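The vhost layout Phil describes above (a host-agnostic HKP server on 11371, an empty catch-all default on 80, a redirecting vhost for pool names, and one canonical site with real content), written out as a complete nginx configuration. This is an added example, not Phil's own configuration or anything from the SKS project: the backend address 127.0.0.1:11371, the canonical name sks.example.org and the document root are placeholders chosen for the example, and only plain HTTP is shown (an hkps vhost would add TLS on top of the same pattern).

```nginx
# Added example, not Phil's configuration: nginx in front of SKS, following
# the port 11371 rules quoted from the Peering wiki page.
# Placeholders (not from the thread): SKS listens on 127.0.0.1:11371, the
# canonical site is sks.example.org with its files under /var/www/sks.

upstream sks_backend {
    # SKS handles one request at a time; a single backend entry lets nginx
    # queue clients instead of opening parallel connections to SKS.
    server 127.0.0.1:11371;
}

# --- HKP on port 11371: must work for *any* Host: and with no User-Agent: --
# Only this server block listens on 11371. Being default_server with the
# catch-all name "_", it receives every Host: value nginx sees on that port,
# and nothing here inspects User-Agent, so clients that omit it are served.
server {
    listen 11371 default_server;
    listen [::]:11371 default_server;
    server_name _;

    location /pks/ {
        proxy_pass http://sks_backend;
        proxy_set_header Host $host;
    }

    # Anything outside /pks/ is not keyserver traffic.
    location / {
        return 404;
    }
}

# --- Port 80: catch-all default vhost with no content ----------------------
# Serving real pages for arbitrary hostnames is what a DNS rebinding attack
# relies on, so the default vhost answers nothing except /pks/, which stays
# so that HKP over port 80 works whatever name the SKS address is reached by.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location /pks/ {
        proxy_pass http://sks_backend;
        proxy_set_header Host $host;
    }

    location / {
        return 404;
    }
}

# --- Port 80: known pool names and CNAMEs ----------------------------------
# /pks/ is served normally; every other path is redirected to the canonical
# site before any HTML is sent, so a browser that lands here via a pool name
# never fetches page resources from other operators' servers.
server {
    listen 80;
    listen [::]:80;
    server_name pool.sks-keyservers.net *.pool.sks-keyservers.net
                keys.gnupg.net;

    location /pks/ {
        proxy_pass http://sks_backend;
        proxy_set_header Host $host;
    }

    location / {
        return 302 $scheme://sks.example.org$request_uri;
    }
}

# --- Port 80: the canonical site, the only name that gets real content -----
server {
    listen 80;
    listen [::]:80;
    server_name sks.example.org;
    root /var/www/sks;

    location /pks/ {
        proxy_pass http://sks_backend;
        proxy_set_header Host $host;
    }
}

# Self-check after "nginx -t && nginx -s reload": a raw HTTP/1.0 request with
# a bogus Host: and no User-Agent: must still get SKS stats on 11371, e.g.
#   printf 'GET /pks/lookup?op=stats HTTP/1.0\r\nHost: x.invalid\r\n\r\n' \
#     | nc sks.example.org 11371
# while the same request on port 80 for "/" must return the empty 404.
```

`return 302 ...` is the idiomatic equivalent of the `rewrite ^ ... redirect` line in Phil's post; both produce a temporary redirect without serving any body. The important property to keep when adapting this is that no second `server` block ever listens on 11371, otherwise nginx starts choosing between them by Host: and the host-agnostic behaviour the wiki requires is lost.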
Re: [Sks-devel] Running SKS keyserver on dynamic DNS
On 04/28/2016 03:47 PM, Pete Stephenson wrote:
> On Wed, Apr 27, 2016 at 9:46 AM, Kristian Fiskerstrand wrote:
>> On 04/27/2016 09:42 AM, Pete Stephenson wrote:
>>> On Wed, Apr 27, 2016 at 9:32 AM, Kristian Fiskerstrand wrote:
>>>> On 04/27/2016 06:45 AM, Gabor Kiss wrote:
>>>>> Does IPv6 address also change? If not you may own the "First
>>>>> IPv6 Only Key Server". It's a challenge for Kristian too. :-)
>>>>
>>>> We've had those before, but it is explicitly restricted in the pool
>>>
>>> Restricted in what way?

It simplifies checking a bit, as the initial status page request is
assured of IPv4 being correct, and avoids a number of questions about why
status pages don't work when linked from the status pages.. But the
important thing is it is supported if deemed necessary (with 100 live
servers already, it is not currently)

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Aquila non capit muscas
The eagle does not hunt flies
Re: [Sks-devel] keys.gnupg.net anomaly
I generally just ignore the Host: header on port 11371.
Re: [Sks-devel] keys.gnupg.net anomaly
Christoph Egger writes:
> AFAIR keys.gnupg.net has been discussed here and keyserver operators are
> expected to make this work -- at least for hkps.

sorry that was meant to read hkp / port 11371

--
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] keys.gnupg.net anomaly
On 28/04/16 16:45, Christoph Egger wrote:
> AFAIR keys.gnupg.net has been discussed here and keyserver operators are
> expected to make this work -- at least for hkps.

If support for keys.gnupg.net is a condition for being a pool keyserver,
then shouldn't it be an enforced condition?

A
Re: [Sks-devel] keys.gnupg.net anomaly
Christoph Egger writes:
> of course -- if people use keys.gnupg.net with https, this advice should
> probably be fixed and/or the cname be moved to the "right" pool

Note that https://pool-sks-keyservers.net/ is also expected to not work
-- there's the hkps pool for that.

--
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
Re: [Sks-devel] keys.gnupg.net anomaly
Hi!

"Kiss Gabor (Bitman)" writes:
> I found requests for https://keys.gnupg.net/ in my Apache logs
> on keys.niif.hu. Of course they were unsuccessful because
> my HTTP daemon is not set up to provide this virtual site.
>
> In the DNS we can see this:
> keys.gnupg.net CNAME pool.sks-keyservers.net
>
> Phil Pennock writes on http://sks.spodhuis.org/:
> | End-users should use a pool definition, such as keys.gnupg.net which will
> | alias into an operational pool.
>
> So this seems to be a well known situation but I don't believe
> it would be a wise thing.
> Google is full of complaints about "unreachable" or "non functional"
> keys.gnupg.net. The reason is above.
>
> What do you think, folks?

AFAIR keys.gnupg.net has been discussed here and keyserver operators are
expected to make this work -- at least for hkps.

of course -- if people use keys.gnupg.net with https, this advice should
probably be fixed and/or the cname be moved to the "right" pool

Christoph

--
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer
[Sks-devel] keys.gnupg.net anomaly
I found requests for https://keys.gnupg.net/ in my Apache logs
on keys.niif.hu. Of course they were unsuccessful because
my HTTP daemon is not set up to provide this virtual site.

In the DNS we can see this:
keys.gnupg.net CNAME pool.sks-keyservers.net

Phil Pennock writes on http://sks.spodhuis.org/:
| End-users should use a pool definition, such as keys.gnupg.net which will
| alias into an operational pool.

So this seems to be a well known situation but I don't believe
it would be a wise thing.
Google is full of complaints about "unreachable" or "non functional"
keys.gnupg.net. The reason is above.

What do you think, folks?

Gabor
Re: [Sks-devel] Running SKS keyserver on dynamic DNS
I've had an ipv6 only one for a long time, but it was hockeypuck and so
not eligible for pool membership anyway.
Re: [Sks-devel] Running SKS keyserver on dynamic DNS
On Wed, Apr 27, 2016 at 9:46 AM, Kristian Fiskerstrand wrote:
> On 04/27/2016 09:42 AM, Pete Stephenson wrote:
>> On Wed, Apr 27, 2016 at 9:32 AM, Kristian Fiskerstrand wrote:
>>> On 04/27/2016 06:45 AM, Gabor Kiss wrote:
>>>> Does IPv6 address also change? If not you may own the "First
>>>> IPv6 Only Key Server". It's a challenge for Kristian too. :-)
>>>
>>> We've had those before, but it is explicitly restricted in the pool
>>
>> Restricted in what way?
>>
>> Do you mean that IPv6-only servers are specifically limited to the
>> ipv6 pool, or that they're flatly prohibited from membership in any
>> pool?
>
> The latter

Out of curiosity, why? I would think that IPv6-only hosts could be
limited to the IPv6 pool, and thus not cause any issues to IPv4-only or
dual-stack users.

I know several VPS hosting companies that charge extra for IPv4
addresses (or, on occasion, charge less if one opts not to get an IPv4
address), so having a system with IPv6-only connectivity may potentially
become more of a thing going forward.

Cheers!
-Pete

--
Pete Stephenson