[Sks-devel] Reminder to ensure keys can be exported on HTTP port


From: Kristian Fiskerstrand
Subject: [Sks-devel] Reminder to ensure keys can be exported on HTTP port
Date: Sat, 19 Dec 2015 14:04:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

Hi all,

We've had a few occurrences lately where keyservers have been hoarding
keys, i.e. they are able to receive keys in synchronization, but other
servers are not able to fetch keys from these instances during the recon
process, and as such keys added to this server do not replicate to
the rest of the network.

In these cases it has been somewhat obvious due to comparison of key
counts (resulting in increasing delta of the pool cutoff), but please
keep in mind this can also go unnoticed for updates of keys rather
than additions, so it is important for server administrators to monitor.

The reason for the issues has mainly been misconfiguration of the
reverse proxy vs. the SKS server config. In particular, a few servers have
been using an HTTP port for SKS of 11372, as seen in
/pks/lookup?op=stats, but not allowed their peers to access this port,
causing the above issues. Please keep in mind that the HTTP
port is reported during recon and is used by peers to fetch keys they
are missing.

That said, issues can also happen if binding SKS to 127.0.0.1 on port
11371, so this will also have to be checked when setting up a server,
so...

When setting up a new server; please ensure that requests from peers
are going through in both directions.

Thank you, and I hope everyone has a nice holiday season!

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Knowing is not enough; we must apply. Willing is not enough; we must do."
(Johann Wolfgang von Goethe)



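Added example, not part of the original message and not SKS project code: a small monitoring check for the misconfiguration described above. It reads the HTTP port a server advertises on /pks/lookup?op=stats and tests whether that port accepts connections. The "HTTP port:" table-row layout, the sample page, and the host name keys.example.net are assumptions constructed for illustration.

```python
import re
import socket
import sys
import urllib.request

# Constructed sample of a stats page; the row layout is an assumption.
SAMPLE_STATS_HTML = """<html><body><h2>Settings</h2>
<table summary="Keyserver Settings">
<tr><td>Hostname:</td><td>keys.example.net</td></tr>
<tr><td>HTTP port:</td><td>11372</td></tr>
<tr><td>Recon port:</td><td>11370</td></tr>
</table></body></html>"""

def reported_http_port(stats_html):
    """Return the HTTP port the server advertises, or None if absent."""
    m = re.search(r"HTTP port:\s*</td>\s*<td>\s*(\d+)", stats_html, re.I)
    return int(m.group(1)) if m else None

def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_export(host, stats_html, probe=port_open):
    """Compare the advertised HTTP port with what a peer can actually reach."""
    port = reported_http_port(stats_html)
    if port is None:
        return "unknown: no HTTP port found in stats page"
    if probe(host, port):
        return f"ok: advertised HTTP port {port} is reachable"
    return f"hoarding risk: advertised HTTP port {port} is not reachable by peers"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: fetch the stats page through the public port 11371.
        host = sys.argv[1]
        url = f"http://{host}:11371/pks/lookup?op=stats"
        html = urllib.request.urlopen(url, timeout=10).read().decode("utf-8", "replace")
        print(check_export(host, html))
    else:
        # Offline demo on the constructed sample with a stubbed probe.
        print(check_export("keys.example.net", SAMPLE_STATS_HTML, probe=lambda h, p: False))
```

Run the live check from a peer's host rather than on the keyserver itself, since a port bound to 127.0.0.1 or blocked by a firewall looks fine locally.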