[messaging] keys.gnupg.net returns random pages

Andy Isaacson adi at hexapodia.org
Sun Oct 19 20:04:01 PDT 2014

On Sun, Oct 19, 2014 at 07:24:31PM -0700, Daniel Roesler wrote:
> Thanks for the response! During the cryptoparty, I learned a lot about HKP.
> First, you're right that the DNS entry for updates often with
> different A and AAAA Records, and that makes sense for the
> volunteer-operated, multi-organizational infrastructure.
> Second, this thread was initiated by a UX misunderstanding. When I
> publish my public key, I ran the following command:
> $ gpg --send-key 72EFEE3D
> gpg: sending key 72EFEE3D to hkp server keys.gnupg.net
> I was curious about keys.gnupg.net, so I copied the domain into a
> browser, and was met with a scary landing page[1]. As to be expected,
> I was concerned and started asking around, and others confirmed
> something strange was happening[2].

Yep, definitely is confusing and scary!  I didn't mean for my long
technical-historical explanation to be as dismissive of user
expectations as it turned out to be. :)

> The big thing that we were missing was that HKP operates over port
> 11371. If we were to have visited http://keys.gnupg.net:11371/, it
> would have been the standard keyserver interface. Most servers mirror
> that interface on port 80, but some servers have entirely different
> webservers listening to port 80 (like the one with the scary landing
> page).

Nice, I didn't know about the in-browser HTTP UI available on the
keyserver port!

> I don't think that there's anything particularly insecure with this
> DNS round robin setup, but it is very confusing for new users and
> comes off as pretty sketchy. I know we can't and shouldn't enforce
> that the keyserver should have a port 80 mirror, so how about changing
> the UX to set expectations better?
> Would the experience be better if "gpg: sending key 72EFEE3D to hkp
> server keys.gnupg.net" was changed to "gpg: sending key 72EFEE3D to
> hkp server keys.gnupg.net:11371"? Would it be better to show the IP of
> the particular server that was used (e.g. "")?

That sounds like a really good idea, I like it!  Further discussion
probably belongs on the gnupg-devel mailing list,


looks like a patch like the following (against
git://git.gnupg.org/gnupg.git master) should do the trick.

(warning, not even test compiled.)

diff --git a/g10/keyserver.c b/g10/keyserver.c
index 1b2e128..48d0e07 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1746,9 +1746,10 @@ keyserver_put (ctrl_t ctrl, strlist_t keyspecs,
           if (keyserver->host)
-            log_info (_("sending key %s to %s server %s\n"),
+            log_info (_("sending key %s to %s server %s:%s\n"),
                       keystr (keyblock->pkt->pkt.public_key->keyid),
-                      keyserver->scheme, keyserver->host);
+                      keyserver->scheme, keyserver->host,
+                      keyserver->port ? keyserver->port : "");
             log_info (_("sending key %s to %s\n"),
                       keystr (keyblock->pkt->pkt.public_key->keyid),


More information about the Messaging mailing list