
Re: [Sks-devel] pool.sks-keyservers.net having trouble?


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] pool.sks-keyservers.net having trouble?
Date: Thu, 01 Apr 2010 01:13:51 -0400
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)

Hi Ryan--

On 04/01/2010 12:45 AM, Ryan wrote:
> Couple thoughts, first of all if you have several
> machines doing regular queries you might look into running
> a local keyserver for your servers to sync off of.. if that's
> not a possibility you might locate your closest server and
> point it at them.

I actually co-administer zimmermann.mayfirst.org (though it's not local
to the hosts i'm talking about), which has been in the pool for a while.
I hadn't thought about routing issues causing failures, though i would
have hoped that the client-side tools would have used the DNS failover
to work around such a failure.

> Another idea might be run your own DNS pool to your select
> servers, give you the benefits of hitting multiple servers
> but still the control over which actual servers get hit. If
> you're doing a TON of queries to a single server you might let
> the admin know your intentions beforehand.

i'm curious where most keyserver admins draw that line, actually.  where
do you draw it?  How do you think it should be drawn if a pool is in use?

I'm willing to entertain setting up another DNS pool, but if i go
through that trouble, i'd like to set it up for people other than
myself.  i'd also like to help make sure that pool.sks-keyservers is
healthy and responsive -- running/using my own pool would make me less
aware of problems in the main pool which i'd like everyone to be able to
take advantage of.

> You can use many external tools such as netstat to see your
> local/remote socket connections, just look for something
> hitting a remote hkp port.

yes, true -- perhaps i need to stage such an intervention on the next
failure.  that kind of timing seems awkward and race-y, though.

i suppose i could also make a fakeout wrapper in
/usr/lib/gnupg/gpgkeys_something that would strace and log relevant
system calls used by the fetching process.

> I serve on average ~16.5k keys a day but I haven't been in the
> sks-keyservers.net pool for some time now.. I am running 2 keyservers
> and load balancing across the both of them, this is mainly for
> high-availability as the load impact of a single keyserver is minimal.

Why aren't your keyservers in the pool?  is that a deliberate choice to
keep them out somehow?

Regards,

        --dkg
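The two diagnostic ideas in the message above (watching which remote hkp port the client hits, and a fakeout gpgkeys wrapper that straces the fetching process), as an added example that is not from the thread or from GnuPG: it assumes the helper is gpgkeys_hkp (the mail only says "gpgkeys_something") and that the real binary has been renamed gpgkeys_hkp.real; the strace lines it parses are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread: a logging wrapper around the
# GnuPG 1.4 HKP helper, plus a parser for the strace output it collects.
# Assumptions: the helper is gpgkeys_hkp (the mail only says
# "gpgkeys_something"), the real binary has been renamed gpgkeys_hkp.real,
# and strace is installed.

# Install a wrapper at DIR/gpgkeys_hkp that records every invocation and
# traces connect() calls to LOG.strace.<pid>.  strace writes to a file (-o)
# so the helper's stdin/stdout protocol with gpg stays untouched.
write_gpgkeys_wrapper() {
    dir=$1
    log=${2:-/var/log/gpgkeys-trace.log}
    cat > "$dir/gpgkeys_hkp" <<EOF
#!/bin/sh
echo "=== \$(date -u +%Y-%m-%dT%H:%M:%SZ) pid \$\$ args: \$*" >> "$log"
exec strace -f -tt -e trace=connect -o "$log.strace.\$\$" \\
    "$dir/gpgkeys_hkp.real" "\$@"
EOF
    chmod 755 "$dir/gpgkeys_hkp"
}

# Read strace connect() lines on stdin; print "peer:11371 <result>" for each
# attempt to reach an HKP port (11371), so a failure shows which pool member
# the client actually hit.  Handles the AF_INET and AF_INET6 forms.
hkp_peers_from_strace() {
    awk '
    /connect[(]/ && /_port=htons[(]11371[)]/ {
        if (match($0, /inet_addr[(]"[0-9.]+"[)]/))
            addr = substr($0, RSTART + 11, RLENGTH - 13)
        else if (match($0, /inet_pton[(]AF_INET6, "[0-9a-fA-F:.]+"/))
            addr = "[" substr($0, RSTART + 21, RLENGTH - 22) "]"
        else
            next
        status = $0
        sub(/.*[)] = /, "", status)   # keep return value and errno text
        print addr ":11371 " status
    }'
}

# Constructed sample of strace -f -e trace=connect output (not a real capture).
SAMPLE_STRACE='12345 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.1")}, 16) = 0
12345 connect(4, {sa_family=AF_INET, sin_port=htons(11371), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
12345 connect(5, {sa_family=AF_INET, sin_port=htons(11371), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 ETIMEDOUT (Connection timed out)
12345 connect(6, {sa_family=AF_INET6, sin6_port=htons(11371), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = 0'

printf '%s\n' "$SAMPLE_STRACE" | hkp_peers_from_strace
```

Run `hkp_peers_from_strace < /var/log/gpgkeys-trace.log.strace.<pid>` after a failed fetch to see which pool member timed out; the DNS lookup on port 53 is skipped because it is not an HKP connection.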
