
Re: [Sks-devel] New Keyservers and Dumps

From: Eric Germann
Subject: Re: [Sks-devel] New Keyservers and Dumps
Date: Thu, 23 Aug 2018 17:49:54 -0400

Since I’ve been rolling these myself, I didn’t know a 3 node cluster was best.

As for the 3, if either putting them behind a LB or doing round-robin, how 
would the LB or the client know there was a failure on one and move on in the 
cluster.  Most I’ve seen with multiple (??) boxes use two IPs behind a CNAME 
doing RR DNS.

FWIW, no one has complained, so not too sure it’s an issue, at least for now.

I do notice I frequently end up with a significant number of them in the hkp 
pool.  They do run hkps on LetsEncrypt certs and seem to sync fine, at least to 

Do you have a best-practices deployment doc, because it’s pretty much been 
trial by fire.  For example, killing the daemon gives you about a 50% chance of 
blowing up the db.  For the longest time I rebuilt, not knowing an “sks 
cleandb” would fix it 99% of the time.

Docs seem a bit thin.  I was trying to up pool count since a lot seem to have 
gone by the wayside, adding some geo-diversity and running one in Africa.  Not 
sure if there are any others down there.

It’s an interesting experiment.  If it’s an issue let me know and I will shut 
some/it down.


> On Aug 23, 2018, at 9:49 AM, Kristian Fiskerstrand <address@hidden> wrote:
> On 08/20/2018 03:26 PM, Eric Germann wrote:
>> I’ve reworked the keyserver fleet we’d previously deployed and made a blog 
>> post [1] about it.
> Are the servers clustered in any way? In my experience each site needs
> at least 3 nodes to ensure proper operation (mainly if A and B are
> gossipping C can still respond to requests, depending on the amount of
> traffic / speed of the node to return more is better)
> So clustered setup is more important than large number of individual
> servers, as there is no retry functionality in dirmngr.
> I'm still looking for more clustered setups to include into hkps pool,
> in particular since noticing an interesting feature if only one server
> is included, which disables pool behavior in dirmngr and results in TLS
> error / generic error due to CA pem not being loaded...
> --
> ----------------------------
> Kristian Fiskerstrand
> Blog:
> Twitter: @krifisk
> ----------------------------
> Public OpenPGP keyblock at hkp://
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> ----------------------------
> "We all die. The goal isn't to live forever, the goal is to create
> something that will."
> (Chuck Palahniuk)
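The failover question raised above (how a load balancer, rather than the non-retrying dirmngr client, can notice that one node of a three-node SKS cluster is busy gossiping or down) can be handled with active health checks in front of the HKP port. The following HAProxy configuration is an added example, not from the thread or the SKS project; the hostnames are assumed placeholders.

```haproxy
# Added example (not from the thread): HAProxy in front of a three-node SKS cluster.
# Hostnames sks1..sks3.example.internal are assumed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend hkp_in
    # SKS serves HKP on 11371; hkps would be a separate bind with a certificate.
    bind *:11371
    default_backend sks_nodes

backend sks_nodes
    balance roundrobin
    # Probe the SKS stats page. A node whose daemon has died, or that is busy
    # reconciling and too slow to answer, fails the check and leaves rotation
    # until it passes again, so the client never has to retry on its own.
    option httpchk GET /pks/lookup?op=stats
    http-check expect status 200
    default-server inter 10s fall 3 rise 2
    server sks1 sks1.example.internal:11371 check
    server sks2 sks2.example.internal:11371 check
    server sks3 sks3.example.internal:11371 check
```

Only the HKP port is balanced here; SKS recon (port 11370) is peer-to-peer between the nodes and their gossip partners and is not routed through the balancer.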
