Re: Hostname of key server pool disappeared? hkps.pool.sks-keyservers.net

Tue, 19 Mar 2019 00:24:01 -0700 

On Mon, 18 Mar 2019 23:09, ml-gnupg-xix....@linuxwan.net said:

> keys.gnupg.net is just a CNAME for hkps.pool.sks-keyservers.net. This
> host appears to be the default for GNUpg configs.

FWIW, keys.gnupg.net is a hardcoded alias in dirmngr since 2.2.7 and
thus the CNAME is not used since that version of GnuPG.  For details see
https://dev.gnupg.org/T3755 or the code snippet below.



Shalom-Salam,

   Werner


--8<---------------cut here---------------start------------->8---
  /* We used to have DNS CNAME redirection from the URLs below to
   * sks-keyserver pools.  The idea was to allow for a quick way to
   * switch to a different set of pools.  The problem with that
   * approach is that TLS needs to verify the hostname and - because
   * DNS is not secured - it can only check the user supplied hostname
   * and not a hostname from a CNAME RR.  Thus the final servers all
   * need to have certificates with the actual pool name as well as
   * for keys.gnupg.net - that would render the advantage of
   * keys.gnupg.net useless and so we better give up on this.  Because
   * the keys.gnupg.net URL are still in widespread use we do a static
   * mapping here.
   */
  if (!strcmp (uri, "hkps://keys.gnupg.net")
      || !strcmp (uri, "keys.gnupg.net"))
    uri = "hkps://hkps.pool.sks-keyservers.net";
  else if (!strcmp (uri, "https://keys.gnupg.net";))
    uri = "https://hkps.pool.sks-keyservers.net";;
  else if (!strcmp (uri, "hkp://keys.gnupg.net"))
    uri = "hkp://hkps.pool.sks-keyservers.net";
  else if (!strcmp (uri, "http://keys.gnupg.net";))
    uri = "http://hkps.pool.sks-keyservers.net";;
  else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
           || !strcmp (uri, "http-keys.gnupg.net"))
    uri = "hkps://ha.pool.sks-keyservers.net";
  else if (!strcmp (uri, "https://http-keys.gnupg.net";))
    uri = "https://ha.pool.sks-keyservers.net";;
  else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
    uri = "hkp://ha.pool.sks-keyservers.net";
  else if (!strcmp (uri, "http://http-keys.gnupg.net";))
    uri = "http://ha.pool.sks-keyservers.net";;
--8<---------------cut here---------------end--------------->8---


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to