sks-devel
Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659


From: Jeremy T. Bouse
Subject: Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659
Date: Wed, 20 Mar 2019 16:44:40 -0400
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 3/20/2019 2:42 PM, Andrew Nagy wrote:
> All,
> 
> Looking to figure out a solution here. A Maintainer on the Ubuntu 
> Key server informed me about discussion of the following keys 
> 0x69D2EAD9 and 0xB33B4659 here: 
> https://lists.nongnu.org/archive/html/sks-devel/2019-01/msg00003.html
> Unfortunately the email address address@hidden
> <mailto:address@hidden> is just a black hole and so the email 
> that was sent there from Brent Saner was lost forever.
> 
> I currently run the FreePBX project which uses the GPG network to 
> sign modules. Unfortunately due to: 
> https://bitbucket.org/skskeyserver/sks-keyserver/issues/57/anyone-can-make-any-pgp-key-unimportable
> Someone poisoned our master key that we use to sign all other
> keys. This has caused issues on the sks network for a while. 
> However since January we've noticed more and more sks servers are 
> now just timing out and not returning back our requests for 
> 0xB33B4659. I assume that is probably because of the message
> thread from January.
> 
> The way FreePBX software works is that it checks nightly against a 
> list of key servers to redownload 0x69D2EAD9 and 0xB33B4659 and 
> re-verify. However it appears that for many of you the bandwidth 
> this causes is much too high. Internally we need to recreate our 
> master key without the poison but I am afraid it will just as 
> easily be re-poisoned again. Also even if we put a new key out you 
> will notice traffic increase from those keys over time as well and
> we will be back to the bandwidth issue.
> 
> Perhaps we should be using GPG locally instead of through the GPG 
> key network. Let me know what you guys think,
> 
> Thank you
> 

        I don't speak for all SKS server operators, but I do have a
configuration block in my NGINX configuration that specifically
identifies those keys and simply returns a 444 status code.

        I've been trying to get a handle on the instability of my server
which has been running the CPU at 100% at times so I enabled an access
log rule to identify the query strings and upstream times but not the
requesting IP address... According to my status page my server only
spent 61.924% of yesterday in the pool or roughly 14.86 hours, during
that same period of time my server saw 12436 requests for those 2 keys
for an average of 836.86 requests per hour or nearly 14 per minute.
During most times that wouldn't be a lot but when the system is under
load that volume adds up and is non-trivial.

        One option the FreePBX team could do is self-publish their key using
WKD or PKA. With WKD you would store the file on your own web server
that no one else could touch (presumably if set up properly anyway) and
with PKA you would publish within DNS records. GPG has the ability to
retrieve from both methods without needing to use a keyserver.

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEakJ0F+CHS9VzhSFg6lYpTv4TPXUFAlySpigACgkQ6lYpTv4T
PXU3aAwAve2kSUqxiXkg74zoO+l0lL1sD1cPiok4i6i9+D+nre+g4awR/sJdcVal
yGmIgYJa4HpuXKrCBUD9oX+n4HDjjekJpHdbqYOUYI5mx6+T5YKPLtP0hUmhe4Jv
P4hSnX4tppsQADJo4Ms4txHkmHqPis3Khjnr92+nGG7Xq98tHgOmu67jjoNmTsAG
0ADZ1+Lkd9V7UTBMy7+jkbqrda7/v65+3YgYfyoSQIYg7DCRp6Rg+jwGyrzRD/Vh
ZRRu+1McPrw2dKMksRabZHm8efkyDdpkFldvR9+bDR7EC70axZ+zWb8iKTIr7qLY
huiu9x/wVvTxw3mpVCN1Ii5Vj9qe3SfuiVYtHws8vqmaoOf/h9QGLIK+KcPgf0sj
Y8jKz7obltc29RyyfqblDtEJXNOrKD5OpSLptOUpa/6sm+F6MRT0DQKEIsHq4BRR
nCi2aLldat0ojZwkFTqNzD+M6mCBSI3FgCPzGlSITVRiLDdatO/R+wmy1hAgT3Hv
k5GG4CBt
=en3K
-----END PGP SIGNATURE-----
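The WKD route Jeremy suggests works because a client derives the key's URL from the mail address alone and fetches it from the domain owner's own web server, so nobody else can append signatures to the published file. The script below is an added example, not code from this thread, from FreePBX or from SKS: it implements the WKD hashing rule (lowercase the local part, SHA-1 it, z-base-32 encode the digest) and builds both the direct-method and advanced-method URLs a GnuPG client would request. `Joe.Doe@Example.ORG` is the worked example from the WKD draft itself; `release-signing@freepbx.example` is a constructed placeholder, not the project's real signing address.

```python
"""Derive OpenPGP Web Key Directory (WKD) lookup URLs for a user ID.

Added example, not code from the sks-devel thread or from FreePBX/SKS.
Implements the WKD scheme from draft-koch-openpgp-webkey-service: the
local part is lowercased, hashed with SHA-1, z-base-32 encoded, and the
binary (unarmored) key is served under .well-known/openpgpkey/.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import quote

# z-base-32 alphabet from RFC 6189, section 5.1.6, which WKD reuses.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, most-significant bits first, no padding."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # right-pad with zero bits to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD mapping of a local part: SHA-1 of the lowercased form, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


@dataclass(frozen=True)
class WkdUrls:
    direct: str     # https://<domain>/.well-known/openpgpkey/hu/<hash>?l=<local>
    advanced: str   # https://openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash>?l=<local>


def wkd_urls(user_id: str) -> WkdUrls:
    """Return the direct- and advanced-method URLs a WKD client will try for user_id."""
    local_part, _, domain = user_id.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mail address: {user_id!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The l= parameter carries the local part as written (case preserved), percent-encoded.
    l_param = quote(local_part, safe="")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}"
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{h}?l={l_param}")
    return WkdUrls(direct=direct, advanced=advanced)


def wkd_server_path(user_id: str) -> str:
    """Path under the web root where the direct method expects the binary key file."""
    local_part, _, _ = user_id.rpartition("@")
    if not local_part:
        raise ValueError(f"not a mail address: {user_id!r}")
    return f".well-known/openpgpkey/hu/{wkd_hash(local_part)}"


if __name__ == "__main__":
    # Draft's own example plus a constructed placeholder address (not a real FreePBX UID).
    for uid in ("Joe.Doe@Example.ORG", "release-signing@freepbx.example"):
        urls = wkd_urls(uid)
        print(uid)
        print("  direct:  ", urls.direct)
        print("  advanced:", urls.advanced)
        print("  serve at:", wkd_server_path(uid))
```

Serving the key this way also needs a `policy` file next to `hu/` and, for the advanced method, a `openpgpkey.<domain>` host with a valid TLS certificate; with those in place, `gpg --locate-keys <address>` (or `--auto-key-locate wkd`) fetches the key directly, so the nightly re-download FreePBX describes no longer has to touch the SKS pool at all.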


