Re: [Sks-devel] sks-keyservers.net New HKPS subpool added


From: Phil Pennock
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Fri, 5 Oct 2012 18:23:43 -0400

On 2012-10-05 at 20:48 +0200, Kristian Fiskerstrand wrote:
> Just to inform that I've added a new hkps subpool to the list of options.
> 
> Regular A and AAAA and SRV records are included for port 443 servers,
> and a lookup is performed for _pgpkey-https._tcp on the individual
> servers to determine if a hkps enabled service is listening on another
> port, in which case this is included as a SRV record also in the pool
> (but not as an A or AAAA record).

I get results from:
  dig -t a hkps.pool.sks-keyservers.net
  dig -t srv _pgpkey-https._tcp.hkps.pool.sks-keyservers.net
but not from:
  dig -t aaaa hkps.pool.sks-keyservers.net
(NOERROR, with AUTHORITY section, so just looks as though there are no
AAAA records configured).

Is this just the pool being size-limited in records and happening to
currently only include A records?

> This pool likely needs the keyserver option set to no-check-cert to
> function as expected.

Speaking for myself, I only use TLSv1+ and my nginx is built with SNI
support, so if you want to figure out a policy for handing out certs, I
can add a new cert for SNI hostnames in *.pool.sks-keyservers.net.

-Phil

Attachment: pgppt7vUTqQKL.pgp
Description: PGP signature
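
The record-selection rule from the quoted announcement, modelled as an added example; it is not part of the original message and not the sks-keyservers.net pool generator. The Server type, build_pool, endpoints, and every hostname, address and the port 8443 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Server:
    name: str
    ipv4: list = field(default_factory=list)
    ipv6: list = field(default_factory=list)
    # Port learned from the server's own _pgpkey-https._tcp SRV lookup:
    # 443 if hkps listens there, another port if not, None if no hkps.
    hkps_port: Optional[int] = None

def build_pool(servers):
    """Apply the announced rule: port-443 servers contribute A, AAAA and
    SRV records; servers on another port contribute an SRV record only."""
    records = {"A": [], "AAAA": [], "SRV": []}
    for s in servers:
        if s.hkps_port is None:
            continue  # no hkps service, not a member of this subpool
        records["SRV"].append((s.hkps_port, s.name))
        if s.hkps_port == 443:
            records["A"].extend(s.ipv4)
            records["AAAA"].extend(s.ipv6)
    return records

def endpoints(records, srv_aware):
    """(host, port) pairs a client would try. A client that ignores SRV
    resolves A/AAAA and connects on 443; an SRV-aware client follows the
    SRV targets and their ports."""
    if srv_aware:
        return [(target, port) for port, target in records["SRV"]]
    return [(addr, 443) for addr in records["A"] + records["AAAA"]]

# Constructed members (documentation address ranges, example.net names).
SAMPLE = [
    Server("ks1.example.net", ["192.0.2.10"], [], 443),
    Server("ks2.example.net", ["192.0.2.20"], ["2001:db8::20"], 8443),
    Server("ks3.example.net", ["192.0.2.30"], ["2001:db8::30"], None),
]
POOL = build_pool(SAMPLE)

if __name__ == "__main__":
    for rtype, values in POOL.items():
        print(rtype, values)
    print("plain client:", endpoints(POOL, srv_aware=False))
    print("SRV client:  ", endpoints(POOL, srv_aware=True))
```

In this constructed data the only IPv6-capable hkps member listens on a non-443 port, so it appears in the SRV set but contributes nothing to A or AAAA.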

