How much load are keyservers willing to handle?

adrelanos adrelanos at riseup.net
Thu Dec 19 04:42:31 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jason Harris:
> On Wed, Dec 18, 2013 at 10:20:26PM +0000, adrelanos wrote:
> 
>> I am planing to write a script, which will refresh the apt
>> signing key before updating using "apt-get update". The script
>> might get accepted in Debian. [1] With my Whonix hat on, it's
>> safe to say, that this script will be added to Whonix (which is a
>> derivative of Debian).
>> 
>> Writing that script would be much simpler if it could re-use the 
>> existing keyserver infrastructure. Now imagine if this gets added
>> to Debian, that all users of Debian and all its derivatives will
>> always refresh their signing key against keyservers? Could
>> keyservers cope up with the load?
>> 
>> The legal question would be interesting, but don't worry, if you
>> ask me not to use keyservers for this, I'll use a mechanism
>> outside of keyservers.
> 
>> [1]
>> http://lists.debian.org/debian-security/2013/12/msg00031.html
> 
> 1) setup your own DNS so you can shut things off if anything goes
> wrong! (you can use dyn.com or others, no servers required)

Interesting idea. I guess in that case I'll got with what I wrote
under 3).

> 2) probably best discussed on the sks-devel list, Reply-To set
> accordingly

Okay, I'll repost there.

> 3) try running your own keyserver(s), SKS is easy enough to deploy

I don't have a lot servers with bandwidth available. And rather than
spending money on that, in case keyservers decline, I am probably
re-using sourceforge.net's infrastructure. I already asked them once
about a similar thing [they're willing to host our project news files
(comparable small files with comparable load)], they'll most likely
accept that as well. I don't know how they or some others manage it,
but their traffic comes virtually for free.

-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJSsmskXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5QjE1NzE1MzkyNUMzMDNBNDIyNTNBRkI5
QzEzMUFEMzcxM0FBRUVGAAoJEJwTGtNxOq7vRloP/i0vZRFCyQY7NBc1ZxPuVJpA
PPiKuXODo/+jG/VX8krkYWaAIL9otCwrUMFlS0LxFYHvtfx03NaISaGG1WV3mWJA
1KiqODX+5RszCf/By4tW9JE1EdNeOjZM+XhPZ6oRMQogpmtVAe1EFIscQ84H3k0T
SOcd4I//Q+7qkomhEu+C0crSogzzyvYRhG52a7IGDUCLRrhAc+CX0WbYqc5OZj5c
qHGdDMPbhpa0/Z514pYuewUu4tQDc3NLZ1fpZGd6GeY3zC/grrLEtnbQogkjeiwB
nIu90TC5yYGw8B9reJlfb6lq6s+QG/bs6yweHVg4oaa/i7Lfe9O6/WMshshuu62z
sMt3eyAeXTyKFYPv9kugSFNkqGHWlDome3PJzYOqRE3BkxYU21qegzTfNUD50jpH
pNVX5I7wSecpvNa3yIEE9000FDOdwvx/sJrEhmlY90J12BHZATJHQgcgq04GAPQT
OL+kYRhifdS6BE7VXT2eHepQzviGScPZ09n+5ZpkX6nn/pcW84McUYg3qpam8OoU
hGmcoJ0V5dnGNJjmzdMfeej1TsYKjE+uWpAod/lPnXHry/4FYTTSxrdfyfaRQOJx
yd2DkcjZ0EzP/13DS8GxgH53FKiqxIQxjDhVyBNeSVnjB/f6TbuMJH3ZEl0FL3gn
/ex0cwPRQ6lVxLtcpg8f
=/K1w
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list