Re: Seeking peers for keys.dryusdan.net
On Sun, Mar 31, 2024 at 04:37:03PM +0200, Dryusdan wrote:
> Hi (again),
>
> Finally, gpg.4n0ny.me is finally operational, earlier than expected.
> So I am looking for peers for gpg.4n0ny.me too.
> Same description as keys.dryusdan.fr: I got the keydump from Cyberbits
> (rsync.cyberbits.eu/sks/dump/), dated 2024-03-25.
> I see 6587450 keys loaded.
> But I have IPv6 connectivity :D
>
> So I have:
>
> - keys.dryusdan.net 11370 # Dryusdan 0x87d8c67ee79958e6
> (https://pgpkeys.eu:11371/pks/lookup?search=0x87d8c67ee79958e6=on=index)
>
> - gpg.4n0ny.me 11370 # Dryusdan 0x87d8c67ee79958e6
>
> Thank you,
>
> Dryusdan

Do you have protections against flooding attacks in place on your keyservers (an appropriately configured rate limiting proxy)?

William

> Le 31/03/2024 à 12:25, Dryusdan a écrit :
> > Hi,
> >
> > I am looking for peers for a new Hockeypuck installation.
> >
> > I am running Hockeypuck 2.1.2, on keys.dryusdan.net.
> > I am Dryusdan, a tech and privacy lover. In the past, I was part of the
> > collective CHATONS (https://www.chatons.org/en), launched by Framasoft (for
> > the French here who know who they are).
> > This server runs on my self-hosted server (actually under my TV).
> > The server is physically located in Nantes (FR).
> > The machine doesn't have IPv6 connectivity (my ISP blocks all incoming IPv6
> > traffic :( ).
> >
> > I have loaded a keydump from Cyberbits (rsync.cyberbits.eu/sks/dump/),
> > dated 2024-03-25.
> > I see 6587450 keys loaded.
> >
> > I am also trying to launch another server, hosted in Helsinki (on a Hetzner ARM
> > VPS), called gpg.4n0ny.me, but it is not ready yet (key import is very long).
> > (And I am writing a tech article about OpenPGP keyservers, but it's not important.)
> >
> > For operational issues, please contact me directly.
> >
> > keys.dryusdan.net 11370 # Dryusdan 0x87d8c67ee79958e6
> > (https://pgpkeys.eu:11371/pks/lookup?search=0x87d8c67ee79958e6=on=index)
> > (new key, made specially for my GPG card)
> >
> > Thank you,
> > Dryusdan
Seeking Peers
I am replacing my old key-server sks.srv.dumain.com with a new one: key-server.org. It is behind a rate limiting haproxy and has been loaded with a dump purged of keys from the flooding attack. Details as follows:

[hockeypuck.conflux.recon.partner.key_server_org] #0xA0B31F88E8123356 William Hay
httpAddr="key-server.org:80"
reconAddr="key-server.org:11370"

Thanks

William
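The "rate limiting haproxy" mentioned above is not shown on the list, so the following is an added illustration of the usual haproxy pattern for it, not key-server.org's own configuration. It assumes the keyserver itself listens on 127.0.0.1:11372 and that haproxy owns the public HKP port 11371; the thresholds (120 requests/min per address, 10 key submissions/min, 1 MiB per upload) are assumptions to be tuned to the server's actual traffic.

```haproxy
# Added example; not the configuration of key-server.org.
frontend hkp
    bind *:11371
    # One entry per client address: overall request rate and a general
    # purpose counter (gpc0) that we bump only on key submissions.
    stick-table type ip size 100k expire 10m store http_req_rate(1m),gpc0,gpc0_rate(1m)
    http-request track-sc0 src

    acl is_add       path_beg /pks/add
    acl is_post      method POST
    acl is_big_body  req.hdr_val(content-length) gt 1048576

    # Count submissions separately so a flood of /pks/add is caught
    # well before the general request limit is reached.
    http-request sc-inc-gpc0(0) if is_add is_post

    # Refuse oversized uploads outright (assumed 1 MiB cap).
    http-request deny deny_status 413 if is_add is_post is_big_body
    # More than 10 submissions per minute from one address: throttle.
    http-request deny deny_status 429 if is_add is_post { sc_gpc0_rate(0) gt 10 }
    # More than 120 requests per minute from one address: throttle.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 120 }

    default_backend sks

backend sks
    # The keyserver process bound to localhost only (assumed port).
    server sks1 127.0.0.1:11372
```

Recon (port 11370) runs over its own protocol and is not covered by this frontend; it should be reachable only from the peers listed in the membership file, which is a firewall matter rather than an haproxy one.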
Re: keyserver.insect.com GDPR takedown request
Thus spake Ced:
> On Thu, 26 May 2022 16:53:31 -0400
> Jason John Schwarz via SKS development and deployment list wrote:
>
> > We have received the same take down request from Mr. Puerto as
> > several other keyservers under GDPR. As we are running
> > keyserver.insect.com as a free service we can not afford to deal with
> > legal costs on this request, and therefore are shutting down
> > keyserver.insect.com effective today.
>
> We have received the same takedown request from that Mr. Puerto. We run
> Hockeypuck at pgp.cyberbits.eu. Sadly there doesn't seem to be an easy
> way to somehow blacklist his key. We could return 404 when the query
> parameters contain his key ID but the key would still be available
> through the search form and possibly other paths.

IIRC Hockeypuck has a size limit on keys somewhere in it. Would it be possible to replace Mr Puerto's keys with a dummy key that is already at the size limit to prevent merging of further data?

William
Non-existent entries and negative keys
My recon server spent most of yesterday falling over, mostly with this message:

Raising Sys.Break -- PTree may be corrupted: Failure("remove_from_node: attempt to delete non-existant element from prefix tree")

I've run db_recover on the main database and rebuilt the PTree from scratch many times over to no avail.

This morning, checking the stats page http://sks.srv.dumain.com/pks/lookup?op=stats, I find that the server managed to add a negative number of new keys twice (-1 @ 2021-12-17 09 and -2 @ 2021-12-17 15), which is a bit odd given that we keep telling people we can't delete keys from the network.

Has anyone seen this before and knows a solution short of removing the database and reimporting from scratch?

William
Re: State of the graph
On Mon, Dec 13, 2021 at 10:38:22AM +, Andrew Gallagher wrote:
> Hi, all.
>
> You may wish to check your own keyserver and contact any of your peers that
> have fallen out of sync with you.
>
> Thanks,
> A
>
> --
> Andrew Gallagher

Looks like I had a corrupt PTree database that was breaking the recon service. Rebuilding.

Also a lot of my peers are semi-defunct. Adding a few working ones would be good:

sks.srv.dumain.com 11370 # William Hay 0xA0B31F88E8123356
Re: seeking peers for sks.ygrek.org
On Thu, May 07, 2020 at 12:01:55AM -0400, ygrek wrote:
> Hi,
>
> I am looking for peers for a new SKS keyserver installation.
>
> I am running SKS from git master, on sks.ygrek.org
> The server is physically located in Falkenstein, Germany, hosted in
> Hetzner. The machine has IPv6 connectivity.
>
> I have loaded a keydump from https://keyserver.mattrude.com/dump/,
> dated 2020-05-05. I see 6008615 keys loaded.
>
> For operational issues, please contact me directly.
>
> sks.ygrek.org 11370 # ygrek
> A34C49DD3DB8B78DFAEBE0FA6346B945708D5A0C
>

Added. My details are:

sks.srv.dumain.com 11370 # William Hay 0xA0B31F88E8123556
Re: Analyzing dumps (Was: 6 million)
Thus spake "Kiss Gabor (Bitman)":
> I cannot imagine how this dump could be created.
> Could the attacker upload broken packets or is it "sks dump"
> who garbled the dump file? Or file became bad during
> compression/decompression?

I don't think sks does much validation of packets, so anything could be uploaded. I've found in the past with broken dumps that hkt from hopenpgp-tools works fairly well as a filter. It manages to skip broken keys and carry on, while GnuPG just aborts at the first badly broken key.

William
Re: [Sks-devel] searching for new peers
On Sun, Sep 08, 2019 at 11:42:27AM +0200, Iñaki Arenaza wrote:
> In any case I have just added your servers as peers to our server:
>
> keyserver.escomposlinux.org 113710 #
> 0x9494EB8D619AFE032AD1C2DCBE84550A2578867D PGP Key Server Administrator
>
> And I kindly request other servers in the pool to add our server as a
> peer.

Done. Please reciprocate.

sks.srv.dumain.com 11370 # 0xA0B31F88E8123356 William Hay

William

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] seeking peers for keyserver.aktronic.de
Thus spake "Kruschwitz, Michael":
> keyserver.aktronic.de 11370 # Michael Kruschwitz ic.de> 0x050340C03E3D1AF2

Added to my keyserver

sks.srv.dumain.com 11370 # William Hay /0xA0B31F88E8123356
[Sks-devel] dump_new_only and modified keys
Does the -dump_new_only option dump keys that are in an existing keydump file but have changed (eg new sigs since it was dumped the first time)?

Thanks in advance

Bill
Re: [Sks-devel] One Way replication (for test environments)
Thus spake Hendrik Visage:
> I'm considering setting up some test environments for the "researchers"
> to test the SKS keyservers, but I was wondering about one way replication,
> ie. one server that will only send out to the test server(s), but not
> receive from them.
>
> What's the easiest way to set that up?

Never tried it, but might not the old e-mail based replication method work for this?

William
[Sks-devel] Planned outages and automating removal from pool
It occurred to me that if I were anticipating an outage of my key server I could configure my reverse proxy to remove rather than add Via: headers, which would presumably cause Kristian's probes to take my server out of the pool, thereby preventing people using the pool addresses from hitting my server during the downtime. From the frequency of the updates on sks-keyservers.net it looks like at least one hour's warning would be necessary for this to work.

Do people think doing this would be worthwhile? If it is worthwhile in general, is there a minimum anticipated length of outage for which it is worthwhile?

William
Re: [Sks-devel] keyserver.globale-gruppe.de is gone! / two new Keyserver / Update Membership file
On Mon, Nov 28, 2016 at 03:02:03PM +0100, Ramón Goeden wrote:
> Dear keyserver operators,
> my keyserver "keyserver.globale-gruppe.de" is gone. (Shutdown 31.10.2016)
> Please de-peer the server!
>
> BUT:
> I am running two new keyservers and would like to peer with other servers.
> Please add me to your 'membership':
>
> key1.dock23.de 11370 # Ramón Goeden <ra...@internetsenat.de> 0xb7c51fd6
> key2.dock23.de 11370 # Ramón Goeden <ra...@internetsenat.de> 0xb7c51fd6
>
> Thanks!
>
> Regards,
> Ramón

Done. Please reciprocate:

sks.srv.dumain.com 11370 # William Hay <w...@dumain.com> 0xA0B31F88E8123356

William
Re: [Sks-devel] Debian Jessie package for sks-1.1.6 was: [Announcement] SKS 1.1.6 Released
On Wed, Aug 31, 2016 at 05:23:13PM -0400, Daniel Kahn Gillmor wrote:
> On Wed 2016-08-31 15:44:20 -0400, Jeremy T. Bouse wrote:
>
> > Is the package still forcing the backup and re-import on upgrade? I
> > know that is what took one of my servers out when I upgraded as they
> > don't have the space to do so. I'd rather just blow away the DB and
> > let my SaltStack deployment re-import a fresh keydump.
>
> I believe it only does that if the underlying bdb version has changed,
> in which case it's really necessary. If it's forcing an upgrade on you
> when it shouldn't need to, please report it as a bug in the debian BTS.
>
> Regards,
>
> --dkg

1. Thanks for the nice jessie-backports package.

2. AFAICT the package postinst performs a backup unless the file /var/lib/sks/berkeley_db.active is present and its contents match those of /usr/lib/sks/berkeley_db.txt in the package. If the .active file is missing but the sks server is working, then preventing the backup may be possible by copying the .txt file to the .active file before upgrading, if the old and new packages use the same database version.

3. Debian's file command seems to have a fair idea of what sort of file the /var/lib/sks/DB/key file is (including a version number). I wonder if the output of file could be used to determine whether a database upgrade and backup is needed, rather than using a text file as a proxy (which seems to get lost rather easily).

William
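The decision described in points 2 and 3, written out as a shell check one can run before the upgrade. This is an added example, not the Debian package's postinst, and it reads the marker files as plain arguments so it can be tried against copies; the file(1) based version check is the idea floated in point 3, not something the package does.

```sh
#!/bin/sh
# Added example: mirror the postinst's "do I need to back up the DB?"
# decision, plus the file(1) version probe suggested in the message.
# Paths are parameters; the defaults in the usage at the bottom are the
# Debian locations named in the message.

# Exit 0 ("backup needed") unless ACTIVE exists and matches PKG byte for byte,
# which is the condition the message describes for the postinst.
sks_db_backup_needed() {
    active=$1
    pkg=$2
    [ -f "$active" ] || return 0
    cmp -s "$active" "$pkg" && return 1
    return 0
}

# Print the Berkeley DB version number that file(1) reports for a database
# file such as /var/lib/sks/DB/key, or nothing if it does not look like one.
sks_db_file_version() {
    file -b "$1" 2>/dev/null | sed -n 's/.*version \([0-9][0-9]*\).*/\1/p'
}

# The workaround from point 2: if the server is working on the current DB
# version but the .active marker is missing, seed it from the package copy
# so the postinst does not back up. Never overwrites an existing marker.
sks_db_mark_active() {
    active=$1
    pkg=$2
    [ -f "$active" ] || cp "$pkg" "$active"
}

# Human-readable summary for an operator.
sks_db_report() {
    if sks_db_backup_needed "$1" "$2"; then
        echo "postinst would back up and re-import the database"
    else
        echo "postinst would keep the database as-is"
    fi
    v=$(sks_db_file_version "$3")
    if [ -n "$v" ]; then
        echo "file(1) reports Berkeley DB version $v for $3"
    fi
}

# Usage on an SKS host (no-op elsewhere so the script runs stand-alone):
if [ -f /usr/lib/sks/berkeley_db.txt ]; then
    sks_db_report /var/lib/sks/berkeley_db.active \
                  /usr/lib/sks/berkeley_db.txt \
                  /var/lib/sks/DB/key
fi
```

Run sks_db_report first; only call sks_db_mark_active if the running server is known to use the same Berkeley DB version as the new package, since the marker is exactly what stops the postinst from taking a safety copy.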
Re: [Sks-devel] Debian Jessie package for sks-1.1.6 was: [Announcement] SKS 1.1.6 Released
On Mon, Aug 08, 2016 at 03:45:12PM -0400, Daniel Kahn Gillmor wrote:
> I've prepared a jessie-backports package that i'm running on
> zimmermann.mayfirst.org as well. As soon as 1.1.6-1 makes it into
> testing, i'll push it into jessie-backports.

Hi,

I'm sure you're busy, but the above makes it sound like the process of getting 1.1.6 into jessie-backports would be fairly quick and simple. It's been in testing for a while now but still no sign of it in jessie-backports. Is there any particular reason for the delay?

Thanks

William
Re: [Sks-devel] Pools & HSTS header
On Fri, Jun 03, 2016 at 04:49:57PM +0200, Christoph Egger wrote:
> Well.
>
> http://pool.sks-keyservers.net(:11371)? --redirect-->
> https://keyserver.siccegge.de
>
> And if keyserver.siccegge.de presents a valid certificate + HSTS would be
> a problem no? (and potentially undetected if the pool script mainly
> checks API pages)

You don't specify which hostname keyserver.siccegge.de presents a valid certificate for, which is kind of key. If it does an http redirect to https://keyserver.siccegge.de, which presents a certificate for keyserver.siccegge.de, then it is keyserver.siccegge.de that will go into the https-only list, which is fine since keyserver.siccegge.de supports https. If it does an http redirect to https://pool.sks-keyservers.net, then unless keyserver.siccegge.de has a certificate in that name the browser will start complaining loudly and won't even see the HSTS header.

William
Re: [Sks-devel] Pools & HSTS header
On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
> Hi,
>
> I enforce HTTPS on all my domains by sending the HSTS header to my
> visitors. HSTS forces the browser to use in future only secure
> connections to this domain. More info on Wikipedia[1] :)
> Since my keyserver could be added to pools of keyservers without any
> notice to me, it could be possible that some servers will send these
> kinds of headers on pool domains too.
>
> Did I miss something there or could this really lead to problems? :)

AIUI HSTS only works if the header is received over an https connection, not an http one. Unless you have a cert in the name of one of the pools, anyone trying to connect to the pool who ends up connecting to your server will not get far enough to see the HSTS header because of a name mismatch. I believe the only pool Kristian issues certs for is the hkps pool, where https is required, and said certs are not recognised by most browsers in any case. You presumably won't have asked other CAs for certs for pools you have been added to without your knowledge. The only risk I can see is if you explicitly configure the pools on your web server, then request a cert from your CA on autopilot (say via the ACME protocol) and the CA grants it (unlikely with ACME as the attempt to check for proof will likely go to another server).

William
[Sks-devel] Seeking peers for sks.srv.dumain.com
Hi,

I'm seeking additional peers for my keyserver sks.srv.dumain.com. It is running sks 1.1.5 (debian wheezy backports), located in the UK and has IPv6 connectivity. I already peer with keyserver.mattrude.com and sjs.mj2.uk so my database is up to date (4044638 keys at last count). For operational issues contact me directly.

sks.srv.dumain.com 11370 # William Hay <w...@dumain.com> 0xA0B31F88E8123356

Thanks

William Hay
[Sks-devel] Joining hkps.pool.sks-keyservers.net
So having acquired a whole bunch of peers for my keyserver I'm now thinking about adding hkps support and becoming part of hkps.pool.sks-keyservers.net. I've got a couple of queries though.

1. I'll probably want to share port 443 with other sites. Can one assume that SNI is supported by hkps clients, or is there another mechanism recommended for hkps sharing a port?

2. Presumably I need to create a CSR for hkps.pool.sks-keyservers.net rather than my own server name, since that is what people will be trying to connect to. Is there any preference with regard to SubjectAltName vs CommonName or both? The modern practice seems to be to use SubjectAltName, but backward compatibility seems to be an important part of the keyserver world.

3. Are there any conventions regarding what should go into other fields of the DN when creating one's CSR?

4. Assuming I want to turn on HSTS I presumably need to install and configure sslh to front port 443.

Anything else that might catch me out?

William
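Question 2 asks about CommonName versus SubjectAltName. The usual way to sidestep the choice is to put the server's own name in the CN and list both the server name and the pool name in the SAN, so the certificate validates whichever hostname the client typed. The script below is an added example of generating such a CSR with openssl; it is not from the post, and the hostnames in the usage lines (sks.srv.dumain.com and hkps.pool.sks-keyservers.net) are just the names from this thread used for illustration. Whether the pool CA will sign a CSR with that SAN is for the pool operator to say; the script only produces the request. It needs OpenSSL 1.1.1 or newer for -addext.

```sh
#!/bin/sh
# Added example, not part of the original post: build a key and CSR whose
# subjectAltName names both the server and the hkps pool. Hostnames are
# assumptions for illustration.

# make_hkps_csr OUTDIR SERVER_FQDN POOL_FQDN
# Writes OUTDIR/hkps.key (private key, mode 0600) and OUTDIR/hkps.csr.
make_hkps_csr() {
    outdir=$1
    server_fqdn=$2
    pool_fqdn=$3
    mkdir -p "$outdir"
    # CN carries the server's own name for clients that still only look at
    # the CN; the SAN carries both names, which is what modern TLS clients
    # actually match the requested hostname against.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/hkps.key" \
        -out "$outdir/hkps.csr" \
        -subj "/CN=$server_fqdn" \
        -addext "subjectAltName=DNS:$server_fqdn,DNS:$pool_fqdn" \
        2>/dev/null
    chmod 600 "$outdir/hkps.key"
}

# csr_san_names CSR: print the DNS names in the request's SAN, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# csr_common_name CSR: print the request's CN (handles "CN = x" and "/CN=x").
csr_common_name() {
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-alone usage: generate into a scratch directory and show what a CA
# (or a reviewing operator) would see in the request.
dir=$(mktemp -d)
make_hkps_csr "$dir" sks.srv.dumain.com hkps.pool.sks-keyservers.net
printf 'CSR: %s\n' "$dir/hkps.csr"
printf 'CN:  %s\n' "$(csr_common_name "$dir/hkps.csr")"
printf 'SAN: %s\n' "$(csr_san_names "$dir/hkps.csr" | tr '\n' ' ')"
```

Inspect the result with openssl req -in hkps.csr -noout -text before sending it anywhere; the SAN is what a client connecting to the pool name will be checked against, so if the pool name is missing there the CN will not rescue it.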