On 03/24/2009 11:39 AM, Kristian Fiskerstrand wrote:
> But I'm always open for suggestions. As for now I already have blacklist
> on aliases/ips, but there is an RFE to block certain versions?

I'd like to propose blacklisting SKS version 1.0.10 from the main pool, because of that version's misbehavior in the face of searches by keyid. It reflects poorly on the entire pool (and makes the pool significantly less useful) if these queries intermittently fail.

> It's a set of PHP and bash scripts updating mine at least, and yes, I
> would have the ability to block by version.

Are these scripts published? (This is out of curiosity more than anything else.)

> For now I created subset.pool.sks-keyservers.net which should include
> only keys that are reporting version to be 1.1.0, so please test this out.

Thanks for this prompt action. I just tested it out, and this pool is clean w.r.t. querying by keyid in ways that the main pool is not:

> 0 d...@pip:~$ gpg --keyserver pool.sks-keyservers.net --search d21739e9
> gpg: searching for "d21739e9" from hkp server pool.sks-keyservers.net
> gpg: key "d21739e9" not found on keyserver
> 0 d...@pip:~$ gpg --keyserver subset.pool.sks-keyservers.net --search d21739e9
> gpg: searching for "d21739e9" from hkp server subset.pool.sks-keyservers.net
> (1) Daniel Kahn Gillmor <d...@openflows.com>
>     Daniel Kahn Gillmor <d...@fifthhorseman.net>
>     Daniel Kahn Gillmor <d...@astro.columbia.edu>
>     Daniel Kahn Gillmor <dkg-debian....@fifthhorseman.net>
>       4096 bit RSA key D21739E9, created: 2007-06-02
> Keys 1-1 of 1 for "d21739e9".  Enter number(s), N)ext, or Q)uit > q
> 0 d...@pip:~$

I also ran a more intensive check against all reported IP addresses, and I got this:

> 0 d...@pip:~$ test_ks() { wget -q -O- 'http://'$1':11371/pks/lookup?options=mr&search=0xD21739E9&exact=on' >/dev/null; }
> 0 d...@pip:~$ for foo in $(dig +short pool.sks-keyservers.net); do test_ks $foo || echo $foo $(dig +short -x $foo) ; done
> 62.48.35.100 lorien.prato.linux.it.
> 195.22.207.161 161.160/29.207.22.195.in-addr.arpa. trider-g7.fabbione.net.
> 0 d...@pip:~$ for foo in $(dig +short subset.pool.sks-keyservers.net); do test_ks $foo || echo $foo $(dig +short -x $foo) ; done
> 0 d...@pip:~$

So it looks like your filter technique is working to me.

--dkg
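As an added example (not part of dkg's message, nor of SKS or the pool scripts), here is the same per-member pool check, extended to validate the machine-readable HKP reply body instead of trusting only wget's exit status, so a server that answers 200 with an empty or unrelated result is also reported. The pool hostname, timeouts and the sample reply (with a made-up fingerprint) are assumptions; only the HKP port 11371 and the lookup URL come from the message.

```shell
#!/bin/sh
# Added example: check every member of an HKP keyserver pool for an exact
# lookup by key ID, validating the options=mr reply body.
# Assumed/constructed: pool name, timeouts, SAMPLE_REPLY below.

HKP_PORT=11371

# hkp_reply_has_key REPLY KEYID -> 0 if some "pub:" line's key ID ends in KEYID.
# A machine-readable (options=mr) reply looks like:
#   info:1:<count>
#   pub:<fingerprint or long id>:<algo>:<bits>:<created>:<expires>:<flags>
#   uid:<escaped user id>:<created>:<expires>:<flags>
hkp_reply_has_key() {
    reply=$1
    want=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$reply" | awk -F: -v want="$want" '
        $1 == "pub" {
            id = toupper($2)
            n = length(want)
            # Match on the suffix so short, long and full-fingerprint ids all work.
            if (length(id) >= n && substr(id, length(id) - n + 1) == want)
                found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# test_ks HOST KEYID -> 0 only if HOST answers the exact lookup with the key.
test_ks() {
    url="http://$1:$HKP_PORT/pks/lookup?options=mr&search=0x$2&exact=on"
    reply=$(wget -q -T 10 -t 1 -O- "$url") || return 1
    hkp_reply_has_key "$reply" "$2"
}

# check_pool POOL KEYID -> prints each failing member as "<ip> <reverse name>".
check_pool() {
    for ip in $(dig +short "$1"); do
        test_ks "$ip" "$2" || echo "$ip $(dig +short -x "$ip")"
    done
}

# Constructed sample reply for an offline self-check (fingerprint is made up).
SAMPLE_REPLY='info:1:1
pub:0123456789ABCDEF0123456789ABCDEFD21739E9:1:4096:1180742400::
uid:Example User <user@example.org>:1180742400::'

# Live usage (needs network): check_pool pool.sks-keyservers.net D21739E9
```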