Re: [Sks-devel] sks-keyservers.net New HKPS subpool added

[Kristian Fiskerstrand]

On 10/06/2012 12:23 AM, Phil Pennock wrote:

> I get results from:
>   dig -t a hkps.pool.sks-keyservers.net
>   dig -t srv _pgpkey-https._tcp.hkps.pool.sks-keyservers.net
> but not from:
>   dig -t aaaa hkps.pool.sks-keyservers.net
> (NOERROR, with AUTHORITY section, so just looks as though there are no
> AAAA records configured).
>
> Is this just the pool being size-limited in records and happening to
> currently only include A records?

Hi Phil,

No, it was a temporary issue with my IPv6 connectivity[0], so no server
was recorded as having IPv6 capability.


>> This pool likely need the keyserver option set to no-check-cert to
>> function as expected.
> Speaking for myself, I only use TLSv1+ and my nginx is built with SNI
> support, so if you want to figure out a policy for handing out certs, I
> can add a new cert for SNI hostnames in *.pool.sks-keyservers.net.
>

Let me think a bit more about this one :)


[0] https://www.sixxs.net/tickets/?msg=tickets-7961722

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Varitatio delectat
Change pleases
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An 
introduction to OpenPGP security is 
available in both Amazon Kindle and Paperback 
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

signature.asc
Description: OpenPGP digital signature