
[Sks-devel] New GPGTools release & reliance on SRV records


From: Todd Fleisher
Subject: [Sks-devel] New GPGTools release & reliance on SRV records
Date: Mon, 26 Aug 2019 11:00:30 -0700

Hi Kristian & other SKS operators,
The team @ GPGTools.Org released their latest version (2019.1) last week on August 22nd. New installations of this release use keys.openpgp.org as the default key server & upgrades to this release prompt users to switch. This was known in advance & therefore expected. However, I am noticing another issue that seems to have taken hold sometime between release 2018.5 2506n and the current version that may require some action on our part to provide continuity for users who are upgrading but opting to continue using the SKS key servers.

What I am seeing happen is when attempting to use (or switch back to) an SKS key server, the GPGTools clients will claim the server is invalid. Under the hood, I can see queries for DNS SRV records being made and returning NXDOMAIN. So one of 2 things is required to restore service:

1) DNS SRV records must be published for the hostname in order for GPGTools to determine what port number to use:
HKP:
_pgpkey-http._tcp.sks.pod02.fleetstreetops.com has SRV record 0 5 11371 sks.pod02.fleetstreetops.com.
_pgpkey-http._tcp.sks.pod01.fleetstreetops.com has SRV record 0 5 11371 sks.pod01.fleetstreetops.com.

HKPS:
_pgpkey-https._tcp.sks.pod01.fleetstreetops.com has SRV record 0 5 443 sks.pod01.fleetstreetops.com.
_pgpkey-https._tcp.sks.pod02.fleetstreetops.com has SRV record 0 5 443 sks.pod02.fleetstreetops.com.

2) The port number must be specified in the entry. In the past, hkps://hkps.pool.sks-keyservers.net worked fine. However, now that same entry appears to be invalid unless I edit it to read: hkps://hkps.pool.sks-keyservers.net:443

I’d advise everyone still in the pool to add the appropriate SRV records & especially Kristian as the DNS operator for sks-keyservers.net to do the same for all of the main pool entries.

-T

Attachment: signature.asc
Description: Message signed with OpenPGP
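
The lookup behaviour described in the message above, as an added example that is not part of the original post and is not GPGTools code: it parses SRV answers in the format quoted in the message and reports which keyserver entries would resolve to a port. The function names, the `SAMPLE_DNS` text and the tie-breaking rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# SRV service labels per URL scheme, as they appear in the message.
SRV_LABEL = {"hkp": "_pgpkey-http._tcp", "hkps": "_pgpkey-https._tcp"}

# Constructed sample input: lookup output in the format quoted in the message.
SAMPLE_DNS = """\
_pgpkey-http._tcp.sks.pod01.fleetstreetops.com has SRV record 0 5 11371 sks.pod01.fleetstreetops.com.
_pgpkey-https._tcp.sks.pod01.fleetstreetops.com has SRV record 0 5 443 sks.pod01.fleetstreetops.com.
"""

SRV_LINE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def parse_srv(text):
    """Map SRV owner name -> list of (priority, weight, port, target)."""
    records = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.setdefault(name.lower(), []).append(
                (int(prio), int(weight), int(port), target.lower()))
    return records


def resolve_keyserver(url, records):
    """Return (host, port, source), or None when no port can be determined."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in SRV_LABEL or not host:
        raise ValueError(f"not an hkp/hkps URL: {url!r}")
    if parts.port is not None:
        # Option 2 in the message: the port is written into the entry.
        return host, parts.port, "explicit"
    answers = records.get(f"{SRV_LABEL[scheme]}.{host}")
    if not answers:
        # The NXDOMAIN case: the entry is treated as invalid.
        return None
    # Lowest priority first; among equals take the higher weight
    # (a deterministic simplification of weighted selection).
    _, _, port, target = min(answers, key=lambda r: (r[0], -r[1]))
    return target, port, "srv"


RECORDS = parse_srv(SAMPLE_DNS)
```
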

