[messaging] keys.gnupg.net returns random pages
adi at hexapodia.org
Sun Oct 19 20:04:01 PDT 2014
On Sun, Oct 19, 2014 at 07:24:31PM -0700, Daniel Roesler wrote:
> Thanks for the response! During the cryptoparty, I learned a lot about HKP.
> First, you're right that the DNS entry for updates often with
> different A and AAAA Records, and that makes sense for the
> volunteer-operated, multi-organizational infrastructure.
> Second, this thread was initiated by a UX misunderstanding. When I
> publish my public key, I ran the following command:
> $ gpg --send-key 72EFEE3D
> gpg: sending key 72EFEE3D to hkp server keys.gnupg.net
> I was curious about keys.gnupg.net, so I copied the domain into a
> browser, and was met with a scary landing page. As to be expected,
> I was concerned and started asking around, and others confirmed
> something strange was happening.
Yep, definitely is confusing and scary! I didn't mean for my long
technical-historical explanation to be as dismissive of user
expectations as it turned out to be. :)
> The big thing that we were missing was that HKP operates over port
> 11371. If we were to have visited http://keys.gnupg.net:11371/, it
> would have been the standard keyserver interface. Most servers mirror
> that interface on port 80, but some servers have entirely different
> webservers listening to port 80 (like the one with the scary landing
Nice, I didn't know about the in-browser HTTP UI available on the
> I don't think that there's anything particularly insecure with this
> DNS round robin setup, but it is very confusing for new users and
> comes off as pretty sketchy. I know we can't and shouldn't enforce
> that the keyserver should have a port 80 mirror, so how about changing
> the UX to set expectations better?
> Would the experience be better if "gpg: sending key 72EFEE3D to hkp
> server keys.gnupg.net" was changed to "gpg: sending key 72EFEE3D to
> hkp server keys.gnupg.net:11371"? Would it be better to show the IP of
> the particular server that was used (e.g. "184.108.40.206:11371")?
That sounds like a really good idea, I like it! Further discussion
probably belongs on the gnupg-devel mailing list,
looks like a patch like the following (against
git://git.gnupg.org/gnupg.git master) should do the trick.
(warning, not even test compiled.)
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 1b2e128..48d0e07 100644
@@ -1746,9 +1746,10 @@ keyserver_put (ctrl_t ctrl, strlist_t keyspecs,
- log_info (_("sending key %s to %s server %s\n"),
+ log_info (_("sending key %s to %s server %s:%s\n"),
- keyserver->scheme, keyserver->host);
+ keyserver->scheme, keyserver->host,
+ keyserver->port ? keyserver->port : "");
log_info (_("sending key %s to %s\n"),
More information about the Messaging