sks-devel

Re: [Sks-devel] keyserver.gingerbear.net: Dynamic IP Update didn't


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] keyserver.gingerbear.net: Dynamic IP Update didn't
Date: Fri, 13 Mar 2009 13:00:42 -0400
User-agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)

On 03/13/2009 12:00 PM, John Clizbe wrote:
> Everything should now be squared away. I checked several DNS servers and
> they are showing the new address for keyserver.gingerbear.net,
> 70.123.107.38.
> 
> If a nslookup shows your DNS server to be updated, would you do me a
> favor and touch membership to update SKS' cache? It'd be nice to have
> gossip peers again.

I've done this on zimmermann.mayfirst.org, so that peering arrangement
should be back for you now.

I'm confident in this instance that your message is correct and
reasonable.  But in combination with the recently-raised concerns about
misbehaving peers being able to cause massive memory overconsumption for
sks instances, and the well-known frailties of DNS, this sort of
situation starts making me nervous.

I'd prefer to peer with well-authenticated remote hosts, and I also
wouldn't particularly mind if the gossip traffic itself were
cryptographically integrity-checked and/or private.

Given our discussions about wrapping HKP client-server connections in
TLS, this suggests that it might be worthwhile to consider using TLS
(even with a NULL cipher suite if people decide they don't care about
privacy) for gossip connections.  Has anyone considered or implemented this?

I've just asked (over on address@hidden) to see if there are ocaml
bindings for gnutls (which is GPL'ed, and supports RFC 5081-style
OpenPGP certificates for TLS), to see if bringing that sort of support
into sks is possible.

Does anyone on this list have experience creating ocaml bindings for
libraries, or know of ocaml bindings for gnutls?

Regards,

        --dkg
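The step John asks for above (check that DNS has updated, then touch the membership file so SKS refreshes its peer cache) is the point where the DNS frailty dkg worries about bites: an operator who touches the file on an unverified address change re-peers with whatever the name now resolves to. The script below is an added example written for this archive page, not code from the thread or from SKS itself. It records the last-known address of each gossip peer, reports any change, and touches the membership file only when the new address was confirmed out of band by the peer's operator (as the 70.123.107.38 address was in this thread). It assumes the membership file lists one peer per line as "host port" with '#' comments, keeps its snapshot in a JSON file of its own, and takes the resolver as a parameter so the offline demo can use constructed DNS answers; the hostnames and 192.0.2.x addresses in the sample data are constructed.

```python
"""Added example: refuse to refresh SKS' peer cache on an unconfirmed DNS change."""
import json
import os
import socket
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]
Change = Tuple[Optional[str], Optional[str]]  # (address in snapshot, address now)

# Constructed sample membership file in the assumed "host port  # comment" format.
SAMPLE_MEMBERSHIP = """\
# SKS gossip peers (constructed sample)
keyserver.gingerbear.net 11370   # John Clizbe
zimmermann.mayfirst.org  11370   # dkg
"""


def parse_membership(text: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs; '#' starts a comment, blank lines are skipped."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"unparseable membership line: {raw!r}")
        peers.append((fields[0], int(fields[1])))
    return peers


def system_resolver(host: str) -> Optional[str]:
    """Resolve through the local resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def diff_peers(peers, snapshot: Dict[str, str], resolve: Resolver) -> Dict[str, Change]:
    """Map each peer whose address differs from the snapshot (or no longer resolves) to (old, new)."""
    changes = {}
    for host, _port in peers:
        new_ip = resolve(host)
        old_ip = snapshot.get(host)
        if new_ip != old_ip:
            changes[host] = (old_ip, new_ip)
    return changes


def check_and_touch(membership: Path, snapshot_path: Path, resolve: Resolver,
                    confirmed: Dict[str, str]) -> Tuple[bool, Dict[str, Change]]:
    """Touch the membership file (the step the thread asks peers for) only when every
    changed address was confirmed by the peer's operator. Unconfirmed changes, and
    names that stopped resolving, leave the file and SKS' cache alone.
    Returns (touched, changes)."""
    snapshot = json.loads(snapshot_path.read_text()) if snapshot_path.exists() else {}
    peers = parse_membership(membership.read_text())
    changes = diff_peers(peers, snapshot, resolve)
    if not changes:
        return False, changes
    for host, (_old, new_ip) in changes.items():
        if new_ip is None or confirmed.get(host) != new_ip:
            return False, changes
    os.utime(membership, None)  # the "touch membership" step
    snapshot.update({host: new for host, (_old, new) in changes.items()})
    snapshot_path.write_text(json.dumps(snapshot, indent=1))
    return True, changes


def demo() -> Dict[str, bool]:
    """Run the check offline against constructed data; returns the outcome of each case."""
    old = {"keyserver.gingerbear.net": "192.0.2.10", "zimmermann.mayfirst.org": "192.0.2.20"}

    def fake_dns(host):  # constructed answers; the .38 address is the one the thread reports
        return {"keyserver.gingerbear.net": "70.123.107.38",
                "zimmermann.mayfirst.org": "192.0.2.20"}.get(host)

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        membership = Path(tmp) / "membership"
        snap = Path(tmp) / "peer-addresses.json"
        membership.write_text(SAMPLE_MEMBERSHIP)
        snap.write_text(json.dumps(old))
        # 1. address changed but nobody confirmed it: do not refresh the cache
        touched, _ = check_and_touch(membership, snap, fake_dns, confirmed={})
        results["unconfirmed_change_touches"] = touched
        # 2. the peer's operator confirmed the new address: refresh and record it
        touched, _ = check_and_touch(membership, snap, fake_dns,
                                     confirmed={"keyserver.gingerbear.net": "70.123.107.38"})
        results["confirmed_change_touches"] = touched
        # 3. nothing changed since the snapshot was updated
        touched, _ = check_and_touch(membership, snap, fake_dns, confirmed={})
        results["steady_state_touches"] = touched
    return results


if __name__ == "__main__":
    print(demo())
```

In real use you would call `check_and_touch` with `system_resolver` from cron and pass `confirmed` only after hearing from the peer's operator over a channel you trust; the DNS answer alone never triggers the touch, which is the authentication gap dkg describes until gossip itself carries a cryptographic identity.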
