On 04/18/2014 10:37 PM, Simon Lange wrote:
> I've been told that it is required to allow ALL incoming traffic to
> the IP of my keyserver for port 11371 no matter what hostname is
> requested. that would - of course - allow everyone on this planet
> to pinpoint his FQDN to my server using my service.
>
> usually i use hostname directives. e.g. keys.s-l-c.biz or
> keys.bundes.it or (.*)pool.sks-keyservers.net i prefer that because
> that way i can avoid that ppl use my services with their fqdn i
> don't like (like racists, fascists and other bad ppl).

You of course can (should?) limit the HTTP host names to whatever you expect, but I've never heard of a requirement to answer ALL host names. A response to the raw IP address would probably be good, but are you really required to answer http://blablabla/ on tcp/11371? I've never heard about such a requirement. Not beyond answering requests for the pool host name if you wish to participate in a pool. Answering ALL host names just makes you willing to participate in any pool by default, without extra maintenance. But again, AFAIK this isn't a requirement. Am I misinformed?

How would bad people benefit from your key-server responding to http://very.bad.com:11731/ anyway? AFAIK today the key server doesn't serve arbitrary pictures; when it will, this will be an issue, more because of spam I expect than on account of nasty web sites.

Does lighttpd (which you seem to be using) expose some kind of a forward proxy?

Martin

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
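The host-name restriction discussed in this thread, as an added example that is not part of the original messages and is not code from SKS or lighttpd: a Python sketch of the allow-list decision a front end could make on the Host header for port 11371, covering the operator's own names, the pool name and its sub-pools, and the raw IP. The address 192.0.2.10 is a constructed documentation address, and all function and constant names are hypothetical.

```python
import ipaddress
import re

# Host names taken from the quoted message. The server address is a
# constructed RFC 5737 documentation address, not the poster's real IP.
ALLOWED_NAMES = {"keys.s-l-c.biz", "keys.bundes.it"}
POOL_SUFFIX = "pool.sks-keyservers.net"
SERVER_IPS = {ipaddress.ip_address("192.0.2.10")}
HKP_PORT = 11371

# host[:port], where host is a DNS name, an IPv4 literal or a [IPv6] literal.
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def host_allowed(host_header):
    """Return True if a request carrying this Host header should be served."""
    if not host_header:
        return False                      # no Host header at all
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False                      # malformed value: reject
    name, port = m.group(1), m.group(2)
    if port is not None and int(port) != HKP_PORT:
        return False                      # Host names a different port
    # Normalise: drop IPv6 brackets and a trailing root dot, compare lowercase.
    name = name.strip("[]").rstrip(".").lower()
    try:
        # Raw-IP request: serve only if it is one of our own addresses.
        return ipaddress.ip_address(name) in SERVER_IPS
    except ValueError:
        pass                              # not an IP literal, treat as a name
    if name in ALLOWED_NAMES:
        return True
    # The pool name itself or any sub-pool (eu.pool..., ha.pool...), but not
    # look-alikes such as "evilpool.sks-keyservers.net" or names that merely
    # contain the pool name as a prefix.
    return name == POOL_SUFFIX or name.endswith("." + POOL_SUFFIX)
```

Matching on a dot-anchored suffix rather than the `(.*)pool...` pattern from the quoted message is a deliberate tightening, since the looser pattern also accepts names such as `evilpool.sks-keyservers.net`.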