Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net

2021-06-25 Thread Malte Gell via Gnupg-users
On 25.06.21 at 00:14, Brandon Anderson via Gnupg-users wrote:
> 
>> The keyserver situation seems a bit difficult currently, maybe
>> https://keys.openpgp.org/ is the best (easiest) workaround for now.
>>
>> But WKD is really worth looking at!
>>
> 
> My understanding is the Ubuntu Key-server is staying up, I could be
> wrong, but https://keyserver.ubuntu.com/ seems to be functioning. It is
> worth noting that the keys.openpgp.org keyserver is not web of trust but
> explicitly trusting that keyserver to validate a person's identity.

I think it's good to distribute a key thru several channels,
keys.openpgp.org is a good way to establish some trust in a key when
fetching it for the first time. Afterwards you can still get the same
key from a different source with WoT signatures added.

If you have no fountain at all for a key to establish a chain (web) of
trust, keys.openpgp.org is the only way to have some trust in a key. The
WoT works only if you have some fountain for the trust.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net

2021-06-24 Thread Andrew Gallagher via Gnupg-users

On 24/06/2021 22:39, Brandon Anderson via Gnupg-users wrote:
>> $ host pool.sks-keyservers.net
>> Host pool.sks-keyservers.net not found: 3(NXDOMAIN)
>>
>> Did these names get permanently deleted? Any workarounds or
>> suggestions would be appreciated.
>
> Hey Alex,
>
> From what I can tell a lot of the keyservers are being shut down. Take a
> look at the message on the SKS site (the SSL cert is expired)
> https://sks-keyservers.net/.


The keyserver *pools* at sks-keyservers.net are no longer maintained for 
legal reasons. sks-keyservers.net was receiving GDPR requests, e.g. for 
RTBF, that it could not satisfy because the pools had no formal 
structure that could compel individual operators to comply with legal 
requests. While sks-keyservers.net did not host personal data, it was 
providing a DNS round-robin service for keyservers that did, and the 
distinction was poorly understood.


Most of the individual keyservers that used to be in the pools are still 
working, however. There is a service at https://sks-status.gwolf.org/ 
that monitors the known keyservers. Scroll to the bottom and click on 
the latest "Success" link to see a graph of keyservers that are 
currently responsive.


What to do next depends on your use case. If your CI is searching for a 
key that is under your own control, then you have more freedom of 
choice. If it is searching for someone else's key then you may need to 
use whatever keyserver they use.


keys.openpgp.org is the default keyserver for most new installs, and 
many long-time users have also switched to it. If you don't have a 
particular reason to choose one, this is probably the safest bet. The 
main caveat is that it does not serve third-party sigs, and so you won't 
be able to verify a downloaded key by its signatures.


keyserver.ubuntu.com is reliable, but is not widely used outside the 
Ubuntu developer community. It doesn't get key updates particularly 
often, so you may find yourself with a stale copy of your 
correspondent's key.


If you need continuity of dataset with the sks-keyservers pool, then you 
may prefer to use a Hockeypuck server that was formerly part of the 
pool, such as pgpkeys.eu, keyserver.trifence.ch or keys.andreas-puls.de 
(other keyservers are available, see https://sks-status.gwolf.org/). 
Note that Hockeypuck is generally more reliable than SKS due to 
limitations in SKS's design.


Due to the fragmented nature of the keyserver ecosystem at the moment, 
you may want to try all of the above. And as mentioned in an earlier 
reply, you should probably also search WKD.


--
Andrew Gallagher
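
Added example, not part of the original message and not code from any list member: shell functions for a CI job that follow the "try all of the above" advice by asking several keyservers in turn for a key named by its full fingerprint. The server order and the `hkps://` URLs are assumptions, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Keyservers to try, in order (assumed order; adjust for your use case).
KEYSERVERS="hkps://keys.openpgp.org hkps://keyserver.ubuntu.com hkps://pgpkeys.eu"

# Strip spaces and upper-case the fingerprint; accept only 40 hex digits,
# so short or long key IDs are rejected before any lookup is made.
normalize_fpr() {
    local fpr
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# True if the local keyring lists a key or subkey with exactly this fingerprint
# (field 10 of an "fpr" record in gpg's colon-delimited listing).
have_key() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: -v want="$1" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }'
}

# Ask each keyserver in turn. A zero exit from --recv-keys is not taken as
# proof: the key must also be present in the keyring afterwards.
# Prints the keyserver that delivered the key.
fetch_key() {
    local fpr ks
    fpr=$(normalize_fpr "$1") || { echo "not a full fingerprint: $1" >&2; return 2; }
    for ks in $KEYSERVERS; do
        if gpg --batch --keyserver "$ks" --recv-keys "$fpr" >/dev/null 2>&1 &&
           have_key "$fpr"; then
            echo "$ks"
            return 0
        fi
        echo "no usable key from $ks, trying next" >&2
    done
    return 1
}
```

Call it as `fetch_key "<full fingerprint>"` in place of the single `gpg --keyserver ... --recv-keys` line; a non-zero status means no listed server supplied the key.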




Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net

2021-06-24 Thread Brandon Anderson via Gnupg-users



> The keyserver situation seems a bit difficult currently, maybe
> https://keys.openpgp.org/ is the best (easiest) workaround for now.
>
> But WKD is really worth looking at!

My understanding is the Ubuntu Key-server is staying up, I could be 
wrong, but https://keyserver.ubuntu.com/ seems to be functioning. It is 
worth noting that the keys.openpgp.org keyserver is not web of trust but 
explicitly trusting that keyserver to validate a person's identity.





Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net

2021-06-24 Thread mailinglisten--- via Gnupg-users
On 24.06.21 at 19:19, Alexander Polcyn via Gnupg-users wrote:
> ()
> Host ipv4.pool.sks-keyservers.net not found: 3(NXDOMAIN)
> ()
> Did these names get permanently deleted? Any workarounds or suggestions
> would be appreciated.

One alternative could be https://keys.openpgp.org/

This keyserver has one big advantage, when you upload a key there, this
server verifies the email address associated with that key is valid and
you have actual access to this email address. Fake keys have no chance
there.

Now, it also has one big disadvantage, this keyserver strips *all*
signatures associated to that key. All signatures will be removed when
you upload a key there.

And GnuPG seems to have issues to fetch keys from there directly, using
e.g. gpg --recv-keys, it may be better to use wget to fetch keys from there.

If you have control over your own domain you may learn how to use WKD
web key directory, this way your key(s) is stored on your very own host.

The keyserver situation seems a bit difficult currently, maybe
https://keys.openpgp.org/ is the best (easiest) workaround for now.

But WKD is really worth looking at!




Re: gpg: keyserver receive failed: No name - for gpg --keyserver hkp://pool.sks-keyservers.net

2021-06-24 Thread Brandon Anderson via Gnupg-users


> Starting on the morning of June 21 between ~6am and 9am PDT, one of
> our CI jobs which fetches gpg keys with:
>
> gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys ...
>
> started failing because of what looks like a failure to resolve
> the pool name.
>
> FWIW the following also fails in the same way:
>
> gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys ...
>
> And testing from my machine, it looks like these names now get
> NXDOMAIN when attempting to resolve in DNS:
>
> $ host ipv4.pool.sks-keyservers.net
> Host ipv4.pool.sks-keyservers.net not found: 3(NXDOMAIN)
>
> $ host pool.sks-keyservers.net
> Host pool.sks-keyservers.net not found: 3(NXDOMAIN)
>
> Did these names get permanently deleted? Any workarounds or
> suggestions would be appreciated.

Hey Alex,

From what I can tell a lot of the keyservers are being shut down. Take a
look at the message on the SKS site (the SSL cert is expired)
https://sks-keyservers.net/.

You can read about some of what's going on from here
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.


Sincerely,

Brandon Anderson


