Since I’ve been rolling these myself, I didn’t know a 3 node cluster was best.
As for the 3, if either putting them behind a LB or doing round-robin, how would the LB or the client know there was a failure on one and move on in the cluster. Most I’ve seen with multiple (??) boxes use two IP’s behind a CNAME doing RR DNS. FWIW, no one has complained, so not too sure it’s an issue, at least for now. I do notice I frequently end up with a significant number of them in the hkp pool. They do run hkps on LetsEncrypt certs and seem to sync fine, at least to GPGSuite. Do you have a best-practices deployment doc, because it’s pretty much been trial by fire. For example, killing the daemon gives you about a 50% chance of blowing up the db. For the longest time I rebuilt, not knowing an “sks cleandb” would fix it 99% of the time. Docs seem a bit thin. I was trying to up pool count since a lot seem to have gone by the wayside, adding some geo-diversity and running one in Africa. Not sure if there are any others down there. It’s an interesting experiment. If it’s an issue let me know and I will shut some/it down. EKG > On Aug 23, 2018, at 9:49 AM, Kristian Fiskerstrand > <kristian.fiskerstr...@sumptuouscapital.com> wrote: > > On 08/20/2018 03:26 PM, Eric Germann wrote: >> I’ve reworked the keyserver fleet we’d previously deployed and made a blog >> post [1] about it. > > Are the servers clustered in any way? In my experience each site needs > at least 3 nodes to ensure proper operation (mainly if A and B are > gossipping C can still respond to requests, depending on the amount of > traffic / speed of the node to return more is better) > > So clustered setup is more important than large number of individual > servers, as there is no retry functionality in dirmngr. > > I'm still looking for more clustered setups to include into hkps pool, > in particular since noticing an interesting feature if only one server > is included, which disables pool behavior in dirmngr and results in TLS > error / generic error due to CA pem not being loaded... > > -- > ---------------------------- > Kristian Fiskerstrand > Blog: https://blog.sumptuouscapital.com > Twitter: @krifisk > ---------------------------- > Public OpenPGP keyblock at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > ---------------------------- > "We all die. The goal isn't to live forever, the goal is to create > something that will." > (Chuck Palahniuk) >
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel