
Please remove from default dirmngr config
Closed, ResolvedPublic


I notice that the latest version of the dirmngr code [1] still refers to as a default keyserver for non-SSL connections. As can be seen from [2], has been out of sync with other keyservers for several months now. In particular, it does not sync with which is the default for SSL connections, meaning that in the default configuration a key uploaded via HKPS will not be downloadable via HKP, and vice versa.

Please either configure the same default keyserver for both HKP and HKPS, or if overloading is a concern, use two or more keyservers that are in good sync with each other.


Event Timeline

The problem is just that there are not that many keyservers left, and thus I added those run by large organisations. I really don't want to overload your servers. I would also trust nlnet more than Canonical, which is why I started with them.
It's all a mess. Maybe no keyserver should be the default.

Do you have a ballpark figure for the install base (not including variants such as Debian with modified defaults)? That might help us decide what counts as "overloading".

I think part of the problem is the idea that we should have to pick a single "keyserver", rather than a list of keyservers that can be tried in some rotation. Compare with the DNS roots (of which there are ~13). Any single default provider or hostname becomes a single point of failure.

For the next release I'll change the mappings to use the Ubuntu server also for non-TLS connections.

werner changed the task status from Open to Testing. Jan 10 2022, 9:20 AM
werner triaged this task as Normal priority.

Why the Ubuntu server? AFAIU it does not sync with other servers and it has some tainted pubkeys (which is both fine as a choice of this service, it just does not seem to fit the purposes best).

Ubuntu have been syncing since 7th December:

Oh, cool, thanks for the update! (My info was old then)

werner claimed this task.