Page MenuHome GnuPG
Create Task
Maniphest T5751

Please remove pgp.surf.nl from default dirmngr config
Closed, ResolvedPublic
Actions

Description

I notice that the latest version of the dirmngr code [1] still refers to pgp.surf.nl as a default keyserver for non-SSL connections. As can be seen from [2], pgp.surf.nl has been out of sync with other keyservers for several months now. In particular, it does not sync with keyserver.ubuntu.com which is the default for SSL connections, meaning that in the default configuration a key uploaded via HKPS will not be downloadable via HKP, and vice versa.

Please either configure the same default keyserver for both HKP and HKPS, or if overloading is a concern, use two or more keyservers that are in good sync with each other.

[1] https://dev.gnupg.org/source/gnupg/browse/master/dirmngr/server.c
[2] https://spider.pgpkeys.eu/graphs

Revisions and Commits

rG GnuPG
rGd445e1936526 dirmngr: Map all gnupg.net addresses to the Ubuntu keyserver.

Related Objects

Event Timeline

andrewgdotcom created this task.Dec 22 2021, 6:46 PM
andrewgdotcom created this object in space S1 Public.
werner added a subscriber: werner.Dec 22 2021, 7:54 PM

The problem is just that there are not that much keyservers left and thus I added those running by large organisations. I really don't want to overload your servers. I would also trust nlnet more than canoncial which is why I started with them.
Its all a mess. Maybe no keyserver should be the default.

andrewgdotcom added a comment.Dec 23 2021, 1:29 AM

Do you have a ballpark figure for the install base (not including variants such as debian with modified defaults)? That might help us decide what counts as "overloading".

I think part of the problem is the idea that we should have to pick a single "keyserver", rather than a list of keyservers that can be tried in some rotation. Compare with the DNS roots (of which there are ~13). Any single default provider or hostname becomes a single point of failure.

bernhard added a subscriber: bernhard.Dec 23 2021, 12:42 PM
werner added a commit: rGd445e1936526: dirmngr: Map all gnupg.net addresses to the Ubuntu keyserver..Jan 10 2022, 9:17 AM
werner added a comment.Jan 10 2022, 9:20 AM

For the next release I'll change the gnupg.net mappings to use the Ubuntu server also for non-TLS connections.

werner changed the task status from Open to Testing.Jan 10 2022, 9:20 AM
werner triaged this task as Normal priority.
bernhard added a comment.Jan 10 2022, 11:55 AM

Why the Ubuntu server? AFAIU it does not sync with other servers and it has some tained pubkeys (which is both fine as a choice of this service, it just does not seem to fit the purposes best).

andrewgdotcom added a comment.Jan 10 2022, 12:00 PM

Ubuntu have been syncing since 7th December: https://www.mail-archive.com/sks-devel@nongnu.org/msg07174.html

bernhard added a comment.Jan 10 2022, 12:06 PM

Ubuntu have been syncing since 7th December: https://www.mail-archive.com/sks-devel@nongnu.org/msg07174.html

Oh, cool, thanks for the update! (My info was old then)

werner mentioned this in T5743: Release GnuPG 2.3.5.Apr 21 2022, 5:59 PM
werner closed this task as Resolved.Apr 28 2022, 8:50 AM
werner claimed this task.