Re: [Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Phil Pennock
On 2016-04-28 at 16:22 +0200, Kiss Gabor (Bitman) wrote:
> I found requests for https://keys.gnupg.net/ in my Apache logs
> on keys.niif.hu. Of course they were unsuccessful because
> my HTTP daemon is not set up to provide this virtual site.

> Phil Pennock writes on http://sks.spodhuis.org/:
> | End-users should use a pool definition, such as keys.gnupg.net which will
> | alias into an operational pool.
> 
> So this seems to be a well known situation but I don't believe
> it would be a wise thing.

This is only required for port 11371 and is explicitly covered in
  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

} HTTP Performance
} [...]
} Beware that for port 11371 traffic, you *must* be able to handle
} requests with _any_ `Host:` header, for the various pools and CNAMEs
} which exist, and you *must* accept requests with no `User-Agent:`
} header set, as at least one major OpenPGP HKP client refuses to set a
} User-Agent field when talking to keyservers.

This is handled in all of the configuration examples provided.  SKS on
its own doesn't look at Host: headers and if you put a proxy in front of
it (as you should because of the single-request-at-a-time implementation
of SKS) then ideally you'll preserve this host-agnostic behaviour on
port 11371 if you wish to be a part of the public pools.

Ideally the pool DNS maintenance checks would enforce this.  The code is
available at:
  https://git.sumptuouscapital.com/
and I'm pretty sure that Kristian takes patches.

What hostnames you handle on 80/443 is a different matter.  For myself,
I prefer to avoid serving real content on arbitrary hostnames (DNS
rebinding attacks, etc) so always have a catchall dummy default with no
content.  For the SKS IP address though, the server configuration
includes the `/pks/` handling fragment even on that vhost, so that HKP
works.  I then have a vhost configuration for known pools which also
includes the `/pks/` config fragment, but has:

location / {
    rewrite ^ $scheme://sks.spodhuis.org$request_uri redirect;
}

so that requests for any other resource will receive redirects; this
way, if someone browses to http://ha.pool.sks-keyservers.net/ and hits
my server, they'll get a redirect _before_ getting the HTML which
includes other page resources, so other server operators won't be hit
with arbitrary URI loads because of my site.

-Phil

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
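As an added illustration of the layout Phil describes above (not his configuration, and not from the SKS project), an nginx front-end that keeps port 11371 host-agnostic, gives port 80 a content-free catch-all that still answers HKP, and redirects non-HKP requests on known pool names before any HTML is served. The SKS backend port 11372, the canonical name sks.example.org and the fragment path are assumed placeholders:

```nginx
# Port 11371: a single default server answers whatever Host: header (or none)
# the client sends, and nginx does not require a User-Agent: header at all.
server {
    listen 11371 default_server;
    listen [::]:11371 default_server;
    server_name _;                        # catch-all: pool CNAMEs, bare IPs, anything
    include /etc/nginx/sks-pks.conf;      # the /pks/ fragment below (assumed path)
    location / { return 404; }            # nothing else lives on the HKP port
}

# Ports 80/443: content-free catch-all for arbitrary hostnames pointed at this
# address (DNS rebinding and the like), but HKP over port 80 keeps working.
# A 443 listener would need ssl_certificate/ssl_certificate_key in addition.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    include /etc/nginx/sks-pks.conf;
    location / { return 444; }            # nginx-specific: close without a response
}

# Known pool names: serve HKP, redirect everything else to the canonical site,
# so a browser never receives an HTML page whose sub-resources would be
# fetched from other pool members.
server {
    listen 80;
    listen [::]:80;
    server_name pool.sks-keyservers.net ha.pool.sks-keyservers.net keys.gnupg.net;
    include /etc/nginx/sks-pks.conf;
    location / {
        return 302 $scheme://sks.example.org$request_uri;   # assumed canonical name
    }
}

# /etc/nginx/sks-pks.conf (assumed path): the shared HKP fragment. SKS handles
# one request at a time, so it sits on loopback behind the proxy; 11372 is an
# assumed hkp_port setting in sksconf, not the SKS default.
#   location /pks/ {
#       proxy_pass         http://127.0.0.1:11372;
#       proxy_set_header   Host            $host;
#       proxy_set_header   X-Forwarded-For $remote_addr;
#   }
```

A quick check after reloading is to request `/pks/lookup?op=stats` on port 11371 with a made-up Host: header and no User-Agent: header; it should be served, not redirected.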


Re: [Sks-devel] Running SKS keyserver on dynamic DNS

2016-04-28 Thread Kristian Fiskerstrand
On 04/28/2016 03:47 PM, Pete Stephenson wrote:
> On Wed, Apr 27, 2016 at 9:46 AM, Kristian Fiskerstrand
>  wrote:
>> On 04/27/2016 09:42 AM, Pete Stephenson wrote:
>>> On Wed, Apr 27, 2016 at 9:32 AM, Kristian Fiskerstrand
>>>  wrote:
>>>> On 04/27/2016 06:45 AM, Gabor Kiss wrote:
>>>>> Does the IPv6 address also change? If not, you may own the "First
>>>>> IPv6 Only Key Server". It's a challenge for Kristian too. :-)
>>>>
>>>> We've had those before, but it is explicitly restricted in the pool
>>>
>>> Restricted in what way?

It simplifies checking a bit, as the initial status page request is
assured of IPv4 being correct, and it avoids a number of questions about
why status pages don't work when linked from the status pages. But the
important thing is that it is supported if deemed necessary (with 100
live servers already, it is not currently).

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Aquila non capit muscas
The eagle does not hunt flies





Re: [Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Brian Minton

I generally just ignore the Host: header on port 11371.


Re: [Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Christoph Egger
Christoph Egger  writes:
> AFAIR keys.gnupg.net has been discussed here and keyserver operators are
> expected to make this work -- at least for hkps.

Sorry, that was meant to read hkp / port 11371.

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer



Re: [Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Andrew Gallagher
On 28/04/16 16:45, Christoph Egger wrote:
> 
> AFAIR keys.gnupg.net has been discussed here and keyserver operators are
> expected to make this work -- at least for hkps.

If support for keys.gnupg.net is a condition for being a pool keyserver,
then shouldn't it be an enforced condition?

A





Re: [Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Christoph Egger
Christoph Egger  writes:
> of course -- if people use keys.gnupg.net with https, this advice should
> probably be fixed and/or the cname be moved to the "right" pool

Note that https://pool-sks-keyservers.net/ is also expected to not
work -- there's the hkps pool for that.

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer



Re: [Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Christoph Egger
Hi!

"Kiss Gabor (Bitman)"  writes:
> I found requests for https://keys.gnupg.net/ in my Apache logs
> on keys.niif.hu. Of course they were unsuccessful because
> my HTTP daemon is not set up to provide this virtual site.
>
> In the DNS we can see this:
> keys.gnupg.net  CNAME   pool.sks-keyservers.net
>
> Phil Pennock writes on http://sks.spodhuis.org/:
> | End-users should use a pool definition, such as keys.gnupg.net which will
> | alias into an operational pool.
>
> So this seems to be a well known situation but I don't believe
> it would be a wise thing.
> Google is full of complaints about "unreachable" or "non functional"
> keys.gnupg.net. The reason is above.
>
> What do you think, folks?

AFAIR keys.gnupg.net has been discussed here and keyserver operators are
expected to make this work -- at least for hkps.

Of course, if people use keys.gnupg.net with https, this advice should
probably be fixed and/or the CNAME be moved to the "right" pool.

  Christoph

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer



[Sks-devel] keys.gnupg.net anomaly

2016-04-28 Thread Kiss Gabor (Bitman)
I found requests for https://keys.gnupg.net/ in my Apache logs
on keys.niif.hu. Of course they were unsuccessful because
my HTTP daemon is not set up to provide this virtual site.

In the DNS we can see this:
keys.gnupg.net  CNAME   pool.sks-keyservers.net

Phil Pennock writes on http://sks.spodhuis.org/:
| End-users should use a pool definition, such as keys.gnupg.net which will
| alias into an operational pool.

So this seems to be a well known situation but I don't believe
it would be a wise thing.
Google is full of complaints about "unreachable" or "non functional"
keys.gnupg.net. The reason is above.

What do you think, folks?

Gabor



Re: [Sks-devel] Running SKS keyserver on dynamic DNS

2016-04-28 Thread Brian Minton

I've had an ipv6 only one for a long time, but it was hockeypuck and so not
eligible for pool membership anyway.


Re: [Sks-devel] Running SKS keyserver on dynamic DNS

2016-04-28 Thread Pete Stephenson
On Wed, Apr 27, 2016 at 9:46 AM, Kristian Fiskerstrand
 wrote:
> On 04/27/2016 09:42 AM, Pete Stephenson wrote:
>> On Wed, Apr 27, 2016 at 9:32 AM, Kristian Fiskerstrand
>>  wrote:
>>> On 04/27/2016 06:45 AM, Gabor Kiss wrote:
>>>> Does the IPv6 address also change? If not, you may own the "First
>>>> IPv6 Only Key Server". It's a challenge for Kristian too. :-)
>>>
>>> We've had those before, but it is explicitly restricted in the pool
>>
>> Restricted in what way?
>>
>> Do you mean that IPv6-only servers are specifically limited to the
>> ipv6 pool, or that they're flatly prohibited from membership in any
>> pool?
>
> The latter

Out of curiosity, why?

I would think that IPv6-only hosts could be limited to the IPv6 pool,
and thus not cause any issues to IPv4-only or dual-stack users.

I know several VPS hosting companies that charge extra for IPv4
addresses (or, on occasion, charge less if one opts not to get an IPv4
address), so having a system with IPv6-only connectivity may
potentially become more of a thing going forward.

Cheers!
-Pete

-- 
Pete Stephenson
