David Benfell | 27 Aug 11:29 2014

sks.disunitedstates.com returns to IPv6

Hello all,

I'm finally getting the final kinks out of the new installation. I'd
nearly forgotten about getting sks back onto IPv6.

Sometime later this morning, after my daily dump,
sks.disunitedstates.com should start working on IPv6 at
2001:470:67:119::9. The DNS has pointed that way for a few days now
(once I finally gave up on trying to follow the documentation for
configuring the IPv6 tunnel), but I hadn't modified the sks
configuration to use the IPv6 for recon as well as the IPv4 address.

hkp should have worked automatically as I modified the Apache
configuration for IPv6 earlier.

It won't be ideal. Comcast Business doesn't do IPv6 yet, so I had to
get a tunnel from he.net in Fremont. (Hence the joy of trying to make
sense of FreeBSD documentation on setting these tunnels up. Clue: The
documentation is *WRONG* and is, as near as I can tell, completely
broken.)

But it is there.

-- 
David Benfell <benfell@...>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.

Chris Boot | 22 Aug 16:25 2014

seeking peers for sks.bootc.eu

Hi,

I am looking for peers for a new SKS key server installation.

I am running SKS version 1.1.5-1 (from Debian), on sks.bootc.eu. This is
a private machine located in Devon UK, is connected via a fast bonded
VDSL setup, and has IPv6 connectivity.

I have loaded a key dump from keyserver.secretresearchfacility.com,
dated 2014-08-21. I see 3700039 keys loaded.

For operational issues, please contact me directly.

sks.bootc.eu 11370 # Chris Boot <sks@...> 0xD9CEEEEE

Stats are available from: http://sks.bootc.eu:11371/pks/lookup?op=stats

Thanks in advance,
Chris

-- 
Chris Boot
bootc@...


Horváth Dávid | 22 Aug 10:18 2014

Fwd: Re: PTree corrupted


Sorry,

* (stop sks, delete PTree folder, start sks)

:)

David

On 2014-08-22 at 10:10, Horváth Dávid wrote:
> Hi,
> 
> 
> PTree often crashes on my server.
> Log:
> 
> 2014-08-18 14:27:38 Requesting 2 missing keys from <ADDR_INET
> [80.241.60.3]:11371>, starting with 1AFFB478E0DC9C6F6A3BEB58E5E6EED4
> 2014-08-18 14:27:38 2 keys received
> 2014-08-18 14:27:38 setting synctime to 1408372058.589961
> 2014-08-18 14:27:38 Added 3 hash-updates. Caught up to 
> 1408372058.589961
> 2014-08-18 14:27:38 Enabling gossip
> 2014-08-18 14:27:39 Raising Sys.Break -- PTree may be corrupted:
> Failure("remove_from_node: attempt to delete non-existant element from
> prefix tree")
> 2014-08-18 14:27:39 <further catchup> callback interrupted by break.
> 2014-08-18 14:27:39 DB closed
> 
> I use a workaround (delete stop sks, delete PTree folder, start sks)

Horváth Dávid | 22 Aug 10:10 2014

PTree corrupted

Hi,

PTree often crashes on my server.
Log:

2014-08-18 14:27:38 Requesting 2 missing keys from <ADDR_INET 
[80.241.60.3]:11371>, starting with 1AFFB478E0DC9C6F6A3BEB58E5E6EED4
2014-08-18 14:27:38 2 keys received
2014-08-18 14:27:38 setting synctime to 1408372058.589961
2014-08-18 14:27:38 Added 3 hash-updates. Caught up to 1408372058.589961
2014-08-18 14:27:38 Enabling gossip
2014-08-18 14:27:39 Raising Sys.Break -- PTree may be corrupted: 
Failure("remove_from_node: attempt to delete non-existant element from 
prefix tree")
2014-08-18 14:27:39 <further catchup> callback interrupted by break.
2014-08-18 14:27:39 DB closed

I use a workaround (delete stop sks, delete PTree folder, start sks) but 
this is not a good solution.
My disk is OK, memory health is OK.

Can you help me?

Regards,
David Horvath
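
A monitoring check for the failure shown in the log above, as an added example that is not part of the original message or of SKS: it folds mail-wrapped log lines back together, finds each "PTree may be corrupted" event, and reports the last peer keys were fetched from and whether the database closed afterwards. The function names are hypothetical; the sample is the log excerpt from the message.

```python
import re
from datetime import datetime

# Log excerpt as it appears in the message above, mail line-wrapping included.
SAMPLE_LOG = '''\
2014-08-18 14:27:38 Requesting 2 missing keys from <ADDR_INET
[80.241.60.3]:11371>, starting with 1AFFB478E0DC9C6F6A3BEB58E5E6EED4
2014-08-18 14:27:38 2 keys received
2014-08-18 14:27:38 setting synctime to 1408372058.589961
2014-08-18 14:27:38 Added 3 hash-updates. Caught up to 1408372058.589961
2014-08-18 14:27:38 Enabling gossip
2014-08-18 14:27:39 Raising Sys.Break -- PTree may be corrupted:
Failure("remove_from_node: attempt to delete non-existant element from
prefix tree")
2014-08-18 14:27:39 <further catchup> callback interrupted by break.
2014-08-18 14:27:39 DB closed
'''

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
FETCH = re.compile(r"Requesting (\d+) missing keys from <ADDR_INET \[([^\]]+)\]:(\d+)>")
CORRUPT = re.compile(r"PTree may be corrupted: (.*)$")


def records(log_text):
    """Return (timestamp, message) tuples, folding wrapped continuation lines back in."""
    out = []
    for raw in log_text.splitlines():
        m = STAMP.match(raw.strip())
        if m:
            out.append([datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2).strip()])
        elif out and raw.strip():
            out[-1][1] += " " + raw.strip()  # line without a timestamp: continuation
    return [tuple(r) for r in out]


def find_ptree_failures(log_text):
    """One dict per corruption event: when, why, last peer fetched from, DB closed?"""
    events, last_peer, current = [], None, None
    for ts, msg in records(log_text):
        fetch, bad = FETCH.search(msg), CORRUPT.search(msg)
        if fetch:
            last_peer = (fetch.group(2), int(fetch.group(3)))
        elif bad:
            current = {"at": ts, "reason": bad.group(1), "last_peer": last_peer, "db_closed": False}
            events.append(current)
        elif msg == "DB closed" and current is not None:
            current["db_closed"] = True
            current = None
    return events
```

Run over a full recon log, the per-event `last_peer` values show whether the failures cluster after fetches from one peer.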

Jonathon Weiss | 19 Aug 23:39 2014

redirect http to https?


So, a user suggested that we should redirect all http connections to
https.  The user was clearly confused in a number of ways about how the
keyservers worked, and his specific examples of why it was important
were incorrect.  That said, there's clearly at least a little value in
pushing people toward encryption.

So, I was wondering.  Has anyone done this?  Are there concerns about
(non-browser) clients using hkp but not supporting re-directs or hkps,
who would then be unable to use our server?  I suppose I could consider
leaving port 11371 as is, but force re-directs on port 80.  That would
probably satisfy the clueless masses on the internet, but would it
eliminate any risk of breakage?

	Jonathon

	Jonathon Weiss <jweiss@...>
	MIT/IS&T/O&I  Server Operations

Eddie Cornejo | 16 Aug 09:23 2014

Seeking peers for keyserver.eddiecornejo.com


Hi all,

I've recently decided to run a public keyserver and I'm looking for peers.

In the interest of diversity, and trying new things, I'm trying
Hockeypuck instead of SKS. If it's not appropriate to seek peers on this
forum then please let me know and excuse the intrusion.

The server is also running on a dedicated CloudAtCost server (Canada).
Although they're not known for their uptime I'll endeavour to keep it up
and running as best as I can. Note I'm in Australia, in case that makes
any difference.

The DNS and reverse proxy should be set up correctly. Please inform if
you find this isn't the case. Note the machine does not have IPv6
connectivity.

I currently have 3694545 keys loaded from a dump taken on Friday.

keyserver.eddiecornejo.com 11730 # Eddie Cornejo <cornejo@...>
0x8532A538

I'm currently winging the configuration as there doesn't appear to be
much information available out there on Hockeypuck. If I encounter any
issues that I'm unable to rectify I'll switch to SKS. One way or another
there will be a keyserver at that address! :)

-- 
Eddie Cornejo

Anthony Papillion | 15 Aug 03:15 2014

SKS peering request [pgp.cajuntechie.org]

Hi All,

I have a new keyserver running and would like to peer with other
servers. Please add me to your 'membership' file with the following
entry and provide your details in return so I can do the same:

pgp.cajuntechie.org 11370 # Anthony Papillion 0x53B04B15

Thanks,
Anthony
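
A pre-flight check an operator could run on a posted `membership` entry before adding it, as an added example that is not from any of the posters or from SKS: it parses the `host port # comment` form used in the peering requests on this page and returns warnings for a recon port other than the SKS default 11370 and for a 32-bit operator key ID, which is short enough to collide. The function name and warning texts are hypothetical; the sample lines are the ones posted above.

```python
import re

DEFAULT_RECON_PORT = 11370  # SKS default recon port; HKP is served on 11371

# Membership lines as posted in the peering requests on this page
# (e-mail addresses are elided in the archive and kept that way).
POSTED = [
    "sks.bootc.eu 11370 # Chris Boot <sks@...> 0xD9CEEEEE",
    "keyserver.eddiecornejo.com 11730 # Eddie Cornejo <cornejo@...> 0x8532A538",
    "pgp.cajuntechie.org 11370 # Anthony Papillion 0x53B04B15",
]

HOST = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
KEYID = re.compile(r"\b0x([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})\b")


def check_membership_line(line):
    """Parse 'host port # comment'; return (entry, warnings) or raise ValueError."""
    body, _, comment = line.partition("#")
    fields = body.split()
    if len(fields) != 2:
        raise ValueError("expected 'host port' before the comment: %r" % line)
    host, port_text = fields
    if not HOST.match(host):
        raise ValueError("not a valid hostname: %r" % host)
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        raise ValueError("not a valid TCP port: %r" % port_text)
    port = int(port_text)
    key = KEYID.search(comment)
    warnings = []
    if port != DEFAULT_RECON_PORT:
        warnings.append("recon port %d is not the default %d; confirm with the operator"
                        % (port, DEFAULT_RECON_PORT))
    if key is None:
        warnings.append("no operator key ID in comment")
    elif len(key.group(1)) == 8:
        warnings.append("32-bit key ID; ask for the full fingerprint")
    entry = {"host": host.lower(), "port": port, "key_id": key.group(0) if key else None}
    return entry, warnings
```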

Anthony Papillion | 15 Aug 01:22 2014

Problem with SKS on Ubuntu

Hello Everyone,

I've installed sks on Ubuntu 14.04 from the repositories and I'm getting
an error when trying to import keys to do the initial seeding.

When I run ./sks_build.sh and select fastbuild I am told that the KeyDB
directory already exists and the script. Problem is, I can't actually
/find/ the KeyDB directory to delete.

How can I get around this?

Thanks!
Anthony

Matthias Schreiber | 14 Aug 00:33 2014

"quality" of keyservers offering hkps


Hi everyone,

after reading the posts related to protocols and cipher suites started
by Pete last week [1] I wanted to check the settings of the keyservers
in the hkps pool using the SSL Server Test from Qualys [2] in order to
evaluate the "quality" of the applied settings.

Ignoring the "untrusted certificate" warnings, these are the compact
results of the test using Qualys' grade system:

A- or better	23 servers
B		2 servers
C		1 server
F		9 servers

So, from the total of 35 servers (of which 3 aren't currently in the
hkps pool due to missing keys) basically 2/3 show secure and robust
settings.

5 servers (grades B and C as well as 2 from the F group) have lower
standards on different levels by either not supporting modern
protocols like TLS 1.1 & 1.2 and/or allowing weak or even insecure
cipher suites. Here, an improvement would be to apply a more secure
configuration [3] as e.g. already suggested in the aforementioned
thread [1].

In case of the last remaining 7 servers (= every 5th server) the test
showed an exploit opportunity related to CVE-2014-0224 [4], which can
be eliminated by simply updating the OpenSSL package on these systems.

David Benfell | 13 Aug 17:24 2014

sks.disunitedstates.com is down, possibly for the count

Hello all,

It now seems clear that I am currently unable to keep sks running. I
continue to have issues with system crashes. And sks does not recover,
even with a burp procedure.

I am waiting for replacement memory from the vendor. Everything else I
run recovers properly from these crashes. But not sks. I don't know
why. But I can't even get through a dump properly now. So I'm putting
this aside.

I'll give it another try after I have more reliable memory.

-- 
David Benfell <benfell@...>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.

David Benfell | 13 Aug 03:21 2014

more sks.disunitedstates.com trouble

Hi all,

I attempted a dump this morning and got way too many files. I think my
database is still screwed up and the sks burp script isn't repairing
all the damage.

I have downloaded yet another dump and am trying again.
sks.disunitedstates.com will be going back down shortly.

-- 
David Benfell <benfell@...>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.