Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659
With your suggestions:

load average below 1
Traffic: ~150G/day

Best,

Rolf

On 2019-02-04 12:52, Martin Dobrev wrote:

Hi,

I've spent last week trying to optimize configuration as much as possible. Following advice from a previous mail I've added:

command_timeout: 600
wserver_timeout: 30
max_recover: 150

to my sksconf and it seems this fixed the majority of the EventLoop failures. I've added DB_CONFIG in KDB/PTree folders to get rid of DB archive logs that were causing plenty of IO load too. My clusters are now happily responding to queries and load-average is below one. Traffic wise things look better too, ~20GB/day.

Kind regards,
Martin Dobrev

P.S. Adding/changing DB_CONFIG might cause an error in the databases that you can easily fix by running db_recover -e -v -h /{KDB,PTree}

On 04/02/2019 09:49, Rolf Wuerdemann wrote:

Hi,

Don't get me wrong, but within three days I've got 450G traffic which can be assigned to sks by 99.9%. Estimated to 30 days this means 4.5T (which is in good agreement with your 2+T/Key for these two poison keys).

With this amount of traffic and the possibility to get more of these keys (thus more traffic) every moment, I think it's only a question of time until the network with the current implementation will vanish.

Traffic increased roughly a factor of 300 (15G->4.5T) within twelve months, nodes within the network decreased by a factor of two at least for the same time.

So: where to go and how?

Just my 2ct,

rowue

On 2019-01-30 22:09, Martin Dobrev wrote:

Hi,

My observations so far show that both keys generate 2+ TB/month traffic on average for all my clustered nodes. I'm running nginx + Varnish in-memory cache tuned at 5 minutes TTL which gives plenty of CPU cycles for the never-ending EventLoop alarm loops. The latter cause load-average spikes of up to 10 with just 4 Docker containers running on a 12 core system.

Don't get me wrong. The throttling penalty is something I'd swallow-up as long as we keep the network running.

Regards,
Martin
keyserver.dobrev.eu | pgp.dobrev.it

Original message
From: Kristian Fiskerstrand
Date: 30/01/2019 20:18 (GMT+00:00)
To: Shengjing Zhu, sks-devel@nongnu.org
Subject: Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

On 1/12/19 8:15 PM, Shengjing Zhu wrote:

I think these requests are quite unusual. Does anyone know what happens to these two keys?

Just to add a comment on this, adding a cache on the load-balancer is really a nice way to slow down hits on the underlying SKS nodes, I keep cache for 10 minutes in nginx, which really makes life more pleasant.

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"Action is the foundational key to all success" (Pablo Picasso)

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org - DL9ROW
GnuPG fingerprint: EEDC BEA9 EFEA 54A9 E1A9 2D54 69CC 9F31 6C64 206A
xmpp: ro...@digitalis.org E1189573 6B4A150C A0C2BF5A 5553F865 0B9CBF7A
      ro...@jabber.ccc.de 64CBBB68 0A3514A4 026FC1E7 5328CE87 AEE2185F

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659
Hi,

Don't get me wrong, but within three days I've got 450G traffic which can be assigned to sks by 99.9%. Estimated to 30 days this means 4.5T (which is in good agreement with your 2+T/Key for these two poison keys).

With this amount of traffic and the possibility to get more of these keys (thus more traffic) every moment, I think it's only a question of time until the network with the current implementation will vanish.

Traffic increased roughly a factor of 300 (15G->4.5T) within twelve months, nodes within the network decreased by a factor of two at least for the same time.

So: where to go and how?

Just my 2ct,

rowue

On 2019-01-30 22:09, Martin Dobrev wrote:

Hi,

My observations so far show that both keys generate 2+ TB/month traffic on average for all my clustered nodes. I'm running nginx + Varnish in-memory cache tuned at 5 minutes TTL which gives plenty of CPU cycles for the never-ending EventLoop alarm loops. The latter cause load-average spikes of up to 10 with just 4 Docker containers running on a 12 core system.

Don't get me wrong. The throttling penalty is something I'd swallow-up as long as we keep the network running.

Regards,
Martin
keyserver.dobrev.eu | pgp.dobrev.it

Original message
From: Kristian Fiskerstrand
Date: 30/01/2019 20:18 (GMT+00:00)
To: Shengjing Zhu, sks-devel@nongnu.org
Subject: Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

On 1/12/19 8:15 PM, Shengjing Zhu wrote:

I think these requests are quite unusual. Does anyone know what happens to these two keys?

Just to add a comment on this, adding a cache on the load-balancer is really a nice way to slow down hits on the underlying SKS nodes, I keep cache for 10 minutes in nginx, which really makes life more pleasant.

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"Action is the foundational key to all success" (Pablo Picasso)

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org - DL9ROW
GnuPG fingerprint: EEDC BEA9 EFEA 54A9 E1A9 2D54 69CC 9F31 6C64 206A
xmpp: ro...@digitalis.org E1189573 6B4A150C A0C2BF5A 5553F865 0B9CBF7A
      ro...@jabber.ccc.de 64CBBB68 0A3514A4 026FC1E7 5328CE87 AEE2185F
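
The per-key traffic figures in this thread can be reproduced on a reverse proxy by summing response bytes per requested key from its access log. The following is an added example, not code from the thread or from SKS; it assumes nginx's default "combined" log format, and the log lines, IP addresses, sizes and the 16-digit key ID are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed nginx "combined" log lines (documentation IPs, invented sizes).
# The 16-digit ID is a made-up prefix glued onto the short ID from the subject.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [30/Jan/2019:20:18:01 +0000] "GET /pks/lookup?op=get&search=0x69D2EAD9 HTTP/1.1" 200 40000000 "-" "-"',
    '203.0.113.9 - - [30/Jan/2019:20:18:02 +0000] "GET /pks/lookup?op=get&options=mr&search=0xaaaabbbb69d2ead9 HTTP/1.1" 200 40000000 "-" "-"',
    '198.51.100.7 - - [30/Jan/2019:20:18:03 +0000] "GET /pks/lookup?op=get&search=0xB33B4659 HTTP/1.1" 200 15000000 "-" "-"',
    '198.51.100.8 - - [30/Jan/2019:20:18:04 +0000] "GET /pks/lookup?op=index&search=alice%40example.org HTTP/1.1" 200 2000 "-" "-"',
    '198.51.100.8 - - [30/Jan/2019:20:18:05 +0000] "GET /pks/lookup?op=get&search=0x0123456789ABCDEF HTTP/1.1" 200 3000 "-" "-"',
    '198.51.100.9 - - [30/Jan/2019:20:18:06 +0000] "GET /pks/lookup?op=stats HTTP/1.1" 200 5000 "-" "-"',
])

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<uri>\S+) HTTP/[\d.]+" \d{3} (?P<size>\d+|-)')
KEYID_RE = re.compile(r"0x([0-9a-f]{8,40})", re.IGNORECASE)

def normalise(search):
    """Map short ID, long ID and fingerprint forms of one key to its last 8 hex digits.
    Short IDs can collide, so treat the result as a traffic bucket, not an identity."""
    m = KEYID_RE.fullmatch(search.strip())
    return m.group(1)[-8:].upper() if m else search.strip().lower()

def bytes_per_key(log_text):
    """Sum response bytes per looked-up key (or text search term) for /pks/lookup."""
    totals = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        search = parse_qs(url.query).get("search", [""])[0]
        if url.path != "/pks/lookup" or not search:
            continue  # not a lookup, or a lookup without a search term (op=stats)
        totals[normalise(search)] += 0 if m["size"] == "-" else int(m["size"])
    return totals

def heavy_keys(totals, min_share=0.10):
    """Return [(key, share of lookup bytes)] for keys at or above min_share, largest first."""
    grand = sum(totals.values())
    return [(k, round(v / grand, 3)) for k, v in totals.most_common()
            if grand and v / grand >= min_share]

if __name__ == "__main__":
    for key, share in heavy_keys(bytes_per_key(SAMPLE_LOG)):
        print(f"{key}  {share:.1%} of lookup bytes")
```

Run against a real access log, the same functions show whether a small set of keys accounts for most of the bytes served, which is the case a short-TTL cache in front of SKS helps with.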
[Sks-devel] sks 1.6 in wheezy-backports?
Hi,

are there plans to bring sks 1.6 to wheezy-backports?

Best,

Rolf

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: 7383 348F 67D1 CD27 C90F DDD0 86A3 31B6 67F0 D02F
jabber: ro...@digitalis.org ECF127C7 EAB85F87 BC75ACB5 2EC646D4 9211A31
Re: [Sks-devel] IPv6 crawler DNS zone offline?
Hi,

I don't get IPv6 checks since last night and my machine is listed as not supporting IPv6 - which is not true (checked by telnet a few seconds ago). I can even ping 2001:16d8:ee00:58::2.

Kristian, can you please check the crawler.

Kind regards,

Rolf

On 22.09.2014 01:47, Pete Stephenson wrote:

Hi all,

There appears to be something wrong with the IPv6 pool crawler: https://sks-keyservers.net/status/ reports that no servers support IPv6 (although many do). The DNS zone ipv6.pool.sks-keyservers.net is returning NXDOMAIN.

Kristian, can you kick the crawler to get it working again?

Cheers!
-Pete

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: EEDC BEA9 EFEA 54A9 E1A9 2D54 69CC 9F31 6C64 206A
xmpp: ro...@digitalis.org E1189573 6B4A150C A0C2BF5A 5553F865 0B9CBF7A
      ro...@jabber.ccc.de 64CBBB68 0A3514A4 026FC1E7 5328CE87 AEE2185F
Re: [Sks-devel] Seeking peers for pgp.archreactor.org
On 2014-06-13 15:56, Travis wrote:

[...]

Rolf,

Added you back.

Thanks!

Perhaps you'd like to set up a reverse proxy in front of the key-server as in https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering (HTTP Performance)

You won't get into the official pools if you don't do this, because sks can only handle one connection at a time and it would be easy to DoS your sks instance.

Kind regards,

Rolf

[...]

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: 7383 348F 67D1 CD27 C90F DDD0 86A3 31B6 67F0 D02F
jabber: ro...@digitalis.org ECF127C7 EAB85F87 BC75ACB5 2EC646D4 9211A31
Re: [Sks-devel] Seeking peers for pgp.archreactor.org
On 2014-06-13 17:17, Travis wrote:

Rolf,

I appreciate you bearing with me as I get this set up properly. I've configured the reverse proxy and it appears to be working.

At the time of my writing your server was listed as without proxy on the status page (https://sks-keyservers.net/status/), which is updated once per hour - so there seems to be an overlap.

Kind regards,

Rolf

[...]

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: 7383 348F 67D1 CD27 C90F DDD0 86A3 31B6 67F0 D02F
jabber: ro...@digitalis.org ECF127C7 EAB85F87 BC75ACB5 2EC646D4 9211A31
Re: [Sks-devel] Seeking peers for pgp.archreactor.org
On 2014-06-13 18:08, Travis wrote:

Yes, I updated the configuration based on the instructions in your email and it looks like we're showing up with a proxy now. Thanks for your help.

Welcome.

Kind regards,

Rolf

[...]

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: 7383 348F 67D1 CD27 C90F DDD0 86A3 31B6 67F0 D02F
jabber: ro...@digitalis.org ECF127C7 EAB85F87 BC75ACB5 2EC646D4 9211A31
Re: [Sks-devel] 1.1.5 is in wheezy-backports
On 2014-06-04 18:00, Daniel Kahn Gillmor wrote:

Hi folks--

I built SKS 1.1.5 against debian wheezy, tested it, and it is now in wheezy-backports.

[...]

Updated yesterday - works like a charm.

Thanks to everyone who worked on the 1.1.5 release.

Also from my side thanks to everyone who worked on sks ...

happy hacking,

--dkg

Best,

rowue

[...]

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: 7383 348F 67D1 CD27 C90F DDD0 86A3 31B6 67F0 D02F
jabber: ro...@digitalis.org ECF127C7 EAB85F87 BC75ACB5 2EC646D4 9211A31
Re: [Sks-devel] seeking peers for keys.digitalis.org
On 2014-06-04 13:02, Karl Schmitz wrote:

Hi Rolf,

Hi Karl,

On 26.05.2014 09:07, Rolf Wuerdemann wrote:

keys.digitalis.org 11370

added (in its complete form).

Please add [...] to your server's membership file.

Added

Thanks in advance,

Karl

Thanks a lot,

Rolf

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: 7383 348F 67D1 CD27 C90F DDD0 86A3 31B6 67F0 D02F
jabber: ro...@digitalis.org ECF127C7 EAB85F87 BC75ACB5 2EC646D4 9211A31
Re: [Sks-devel] Heartbleed ans HKPS pool
On 27.05.2014 17:41, Kristian Fiskerstrand wrote:

On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:

On 05/27/2014 09:27 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:

BTW, is it right that our server is not in the HKPS pool

[pools and zone-entries]

To check the inclusion of your server in the hkps pool, look at the HKPS column of: https://sks-keyservers.net/status/

Could you please explain the color-codes (on the page?). Red/green is obvious, but I don't know where this orange color for hkps sites comes from (SNI?)

Indeed, or the meta page for the server in question.

Best,

rowue

[...]

--
Security is an illusion - Datasecurity twice
Rolf Würdemann - ro...@digitalis.org
GnuPG fingerprint: EEDC BEA9 EFEA 54A9 E1A9 2D54 69CC 9F31 6C64 206A
xmpp: ro...@digitalis.org E1189573 6B4A150C A0C2BF5A 5553F865 0B9CBF7A
      ro...@jabber.ccc.de 64CBBB68 0A3514A4 026FC1E7 5328CE87 AEE2185F