Reminder to ensure keys can be exported on HTTP port
We've had a few occurrences lately where keyservers have been hoarding
keys, i.e. they are able to receive keys in synchronization, but other
servers are not able to fetch keys from these instances during the recon
process, and as such keys added to this server do not replicate to
the rest of the network.
In these cases it has been somewhat obvious due to comparison of key
counts (resulting in an increasing delta from the pool cutoff), but please
keep in mind this can also go unnoticed for updates of keys rather
than additions, so it is important for server administrators to monitor.
The reason for the issues has mainly been misconfiguration of the
reverse proxy vs. the SKS server config. In particular a few servers have
been using an HTTP port for SKS of 11372 as seen in
/pks/lookup?op=stats but not allowed their peers to access this port,
causing the above issues. Please keep in mind that the HTTP
port is reported during recon and is used by peers to fetch keys they
That said, issues can also happen if binding SKS to 127.0.0.1 on port
11371, so this will also have to be checked when setting up a server.
When setting up a new server, please ensure that requests from peers
are going through in both directions.
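As an added illustration (not part of the original post, and not a tool shipped with SKS), the following script performs the check described above from the point of view of a peer: it fetches /pks/lookup?op=stats on the public port, reads the HTTP port the server advertises there, and then verifies that this advertised port actually answers from the outside. The stats page layout the regex expects ("HTTP port:" in a two-column table row) and the sample pages are constructed for this example; the `fetch` parameter exists so the logic can be exercised against fake responses offline.

```python
import re
import urllib.request
from typing import Callable, Dict, Optional

# Regex for the "HTTP port:" row of an SKS stats page. The exact table
# layout is an assumption for this example; adjust it to match your server.
HTTP_PORT_RE = re.compile(r"HTTP port:\s*</td>\s*<td>\s*(\d+)", re.IGNORECASE)


def sample_stats(http_port: int) -> str:
    """Constructed stand-in for what /pks/lookup?op=stats returns."""
    return (
        "<html><body><h2>Settings</h2><table>\n"
        "<tr><td>Hostname:</td><td>keys.example.org</td></tr>\n"
        f"<tr><td>HTTP port:</td><td>{http_port}</td></tr>\n"
        "<tr><td>Recon port:</td><td>11370</td></tr>\n"
        "</table></body></html>\n"
    )


def advertised_http_port(stats_html: str) -> Optional[int]:
    """Extract the HTTP port the server tells its peers to use."""
    m = HTTP_PORT_RE.search(stats_html)
    return int(m.group(1)) if m else None


def fetch_url(url: str, timeout: float = 10.0) -> str:
    """Real fetcher; urllib errors and timeouts are subclasses of OSError."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_peer(host: str, public_port: int = 11371,
               fetch: Callable[[str], str] = fetch_url) -> Dict[str, object]:
    """Verify that the HTTP port a keyserver advertises is reachable.

    A server that answers on its public port but advertises a port its
    peers cannot reach is exactly the "hoarding" case: it receives keys
    during recon, but nobody can fetch from it.
    """
    result: Dict[str, object] = {"host": host, "public_port": public_port,
                                 "advertised_port": None, "ok": False}
    try:
        stats = fetch(f"http://{host}:{public_port}/pks/lookup?op=stats")
    except OSError as exc:
        # Also catches SKS bound to 127.0.0.1 with no proxy in front of it.
        result["reason"] = f"public port {public_port} not reachable: {exc}"
        return result

    adv = advertised_http_port(stats)
    result["advertised_port"] = adv
    if adv is None:
        result["reason"] = "no HTTP port found in stats page"
        return result

    try:
        probe = fetch(f"http://{host}:{adv}/pks/lookup?op=stats")
    except OSError as exc:
        result["reason"] = f"advertised HTTP port {adv} not reachable: {exc}"
        return result

    if advertised_http_port(probe) != adv:
        result["reason"] = f"port {adv} answers but does not look like the same SKS instance"
        return result

    result["ok"] = True
    result["reason"] = "advertised HTTP port reachable; peers can fetch keys"
    return result


# Constructed fake fetchers for offline use.
def fake_hoarding_fetch(url: str) -> str:
    """Reverse proxy serves 11371, but SKS advertises 11372, which is firewalled."""
    if ":11371/" in url:
        return sample_stats(11372)
    raise OSError("connection refused")


def fake_healthy_fetch(url: str) -> str:
    """Server advertises the same port peers reach it on."""
    if ":11371/" in url:
        return sample_stats(11371)
    raise OSError("connection refused")


if __name__ == "__main__":
    print(check_peer("keys.example.org", fetch=fake_hoarding_fetch))
    print(check_peer("keys.example.org", fetch=fake_healthy_fetch))
```

Run `check_peer("your.host", fetch=fetch_url)` from a machine that is not the server itself, since the point is to see what a peer sees; a result with `ok` False and a non-null `advertised_port` is the mismatch between the proxy and the SKS config that the post describes.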
Thank you, and I hope everyone has a nice holiday season!