
Please remove pgp.surf.nl from default dirmngr config
Testing, Normal, Public

Description

I notice that the latest version of the dirmngr code [1] still refers to pgp.surf.nl as a default keyserver for non-SSL connections. As can be seen from [2], pgp.surf.nl has been out of sync with other keyservers for several months now. In particular, it does not sync with keyserver.ubuntu.com which is the default for SSL connections, meaning that in the default configuration a key uploaded via HKPS will not be downloadable via HKP, and vice versa.

Please either configure the same default keyserver for both HKP and HKPS, or if overloading is a concern, use two or more keyservers that are in good sync with each other.

[1] https://dev.gnupg.org/source/gnupg/browse/master/dirmngr/server.c
[2] https://spider.pgpkeys.eu/graphs
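Until the default mapping is changed, a user can sidestep the HKP/HKPS mismatch described above by pinning the keyserver explicitly in dirmngr.conf, so the built-in gnupg.net defaults are never consulted. The fragment below is an added example, not configuration from the original report or from the GnuPG project; it assumes the file lives at ~/.gnupg/dirmngr.conf (the standard location) and that the Ubuntu server, already named on this page, is the one you want for both transports. Listing several `keyserver` lines is also shown, since dirmngr accepts the option more than once and tries the servers in turn; the second host is a placeholder to be replaced with a server that is actually in sync with the first.

```conf
# ~/.gnupg/dirmngr.conf  (added example, not project-supplied configuration)

# Pin one server for key lookups and uploads. Because the same host is used
# regardless of whether gpg asks for hkp:// or hkps://, a key uploaded over
# one transport is retrievable over the other, which is the property the
# report above says the split defaults break. Prefer the TLS form.
keyserver hkps://keyserver.ubuntu.com

# Optional fallback: dirmngr accepts multiple keyserver lines and tries them
# in order. Only add a host that syncs with the first one; otherwise the
# HKP/HKPS divergence simply reappears between entries.
# keyserver hkps://REPLACE-WITH-A-SERVER-THAT-SYNCS-WITH-THE-FIRST.example
```

After editing the file, run `gpgconf --reload dirmngr` so a running dirmngr picks up the new setting, and confirm with `gpgconf --list-options dirmngr | grep keyserver` that the configured value is the one in effect.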

Event Timeline

The problem is just that there are not that many keyservers left and thus I added those run by large organisations. I really don't want to overload your servers. I would also trust nlnet more than Canonical, which is why I started with them.
It's all a mess. Maybe no keyserver should be the default.

Do you have a ballpark figure for the install base (not including variants such as debian with modified defaults)? That might help us decide what counts as "overloading".

I think part of the problem is the idea that we should have to pick a single "keyserver", rather than a list of keyservers that can be tried in some rotation. Compare with the DNS roots (of which there are ~13). Any single default provider or hostname becomes a single point of failure.

For the next release I'll change the gnupg.net mappings to use the Ubuntu server also for non-TLS connections.

werner changed the task status from Open to Testing. Mon, Jan 10, 9:20 AM
werner triaged this task as Normal priority.

Why the Ubuntu server? AFAIU it does not sync with other servers and it has some tainted pubkeys (both of which are fine as a choice for that service; it just does not seem to fit the purpose best).

Ubuntu have been syncing since 7th December: https://www.mail-archive.com/sks-devel@nongnu.org/msg07174.html

Oh, cool, thanks for the update! (My info was old then)