Rather than wait to get hit with GDPR stuff to do with running a
keyserver, I'm doing the saner thing, as an American: I'm moving my
instance to the USA, so that it is not in EU jurisdiction. It's a free
service, provided as a public good, and it's not worth the risk to me.
If there's anyone who would like to de-peer, please let me know.
Otherwise, tomorrow evening (I think) I'll uncomment the membership
entries on the new host and repoint spodhuis.org DNS, then take down the
old instance a bit later (after a DNS TTL or so).
The new instance can currently be reached at:
http://sks-ohio.pennock.tech:11371/pks/lookup?op=stats but it will "be" sks-peer.spodhuis.org/sks.spodhuis.org for continuity.
It's running in AWS, us-east-2 (Ohio), from AMIs built under my control,
same as the sks-paris instance (but a little more automated).
sks-ohio should be fully up-to-date before anyone else peers with
it; I snapshotted the /srv/sks EBS volume from sks-paris, copied it to
us-east-2, and used it as /srv/sks on the new server after modifying
only membership and sksconf; sks-paris and sks-ohio are peering with
each other and exchanging keys fine. If any problems crop up, I'll
delay peering with anyone else while I fix those problems.

On 2018-05-21 at 02:46 -0400, Phil Pennock wrote:
> If there's anyone who would like to de-peer, please let me know.
No complaints, that's nice. :)
> Otherwise, tomorrow evening (I think) I'll uncomment the membership
> entries on the new host and repoint spodhuis.org DNS, then take down the
> old instance a bit later (after a DNS TTL or so).
As expected, some clients held onto DNS for longer than others. There
are still some clients using the old IP, although that may well be pool
inclusion. I do not expect any peers to be stuck though. It's been 24½
hours on a 5 minute TTL. I'm about to take down sks-paris.
Today I re-deployed sks-ohio with a fresh image containing the latest
Ubuntu kernel and today's security fixes (Spectre Variant 4, mostly), and
the outage lasted longer than the expected 1 minute, because I hadn't
updated the image to pull from the correct encrypted repository of TLS
keys, so it was missing the key/cert for sks-ohio and nginx didn't
start. Oops! Fixed.
FWIW, to better track this down in future, I'm now generating _some_
logs for HKP requests. This does not include IP address. I'll follow
up with a second email to not bury a privacy change deep in this mail.
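
As an added example (not Phil's own tooling, and not anything the list
has seen), here is a small POSIX shell script that does the two things
these two mails touch on: the cross-region move of the /srv/sks EBS
volume described in the first mail (snapshot in the source region, copy
the snapshot into us-east-2 with EBS encryption, create a volume from it
and attach it to the new instance), and the pre-cutover check that would
have caught the missing sks-ohio key/cert before nginx failed to start in
the second. Assumptions that are mine, not stated on the list: the
source region for sks-paris is eu-west-3, the destination AZ is
us-east-2a, the data volume attaches as /dev/xvdf, TLS material lives in
one directory as <hostname>.crt and <hostname>.key, and all volume and
instance IDs are placeholders to be replaced. DRY_RUN=1 prints the AWS
CLI commands instead of running them, so the flow can be read offline.

```shell
#!/bin/sh
# Added example: move an SKS data volume between AWS regions and check the
# new host's TLS material before nginx is expected to start.
# Assumed (not from the list): eu-west-3 as source region, us-east-2a as
# destination AZ, /dev/xvdf as the device, certdir/<host>.crt and .key.
set -eu

AWS="${AWS:-aws}"          # AWS CLI binary
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the commands to stderr instead of running them
SRC_REGION="${SRC_REGION:-eu-west-3}"   # assumed: where sks-paris lived
DST_REGION="${DST_REGION:-us-east-2}"   # Ohio, as in the mail
DST_AZ="${DST_AZ:-us-east-2a}"          # assumed AZ for the new volume

# Run a command, or in dry-run mode print it and hand back a placeholder ID
# so the ID-passing between steps still works.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*" >&2
    echo dry-run
  else
    "$@"
  fi
}

# migrate_volume <source-volume-id> <destination-instance-id>
# Snapshot, copy cross-region (re-encrypted with the destination region's
# default EBS key), build a volume from the copy, attach it. Prints the
# new volume ID.
migrate_volume() {
  vol=$1; inst=$2
  snap=$(run "$AWS" ec2 create-snapshot --region "$SRC_REGION" \
           --volume-id "$vol" --description "SKS /srv/sks migration" \
           --query SnapshotId --output text)
  run "$AWS" ec2 wait snapshot-completed --region "$SRC_REGION" --snapshot-ids "$snap"
  copy=$(run "$AWS" ec2 copy-snapshot --region "$DST_REGION" \
           --source-region "$SRC_REGION" --source-snapshot-id "$snap" \
           --encrypted --description "SKS /srv/sks from $SRC_REGION" \
           --query SnapshotId --output text)
  run "$AWS" ec2 wait snapshot-completed --region "$DST_REGION" --snapshot-ids "$copy"
  newvol=$(run "$AWS" ec2 create-volume --region "$DST_REGION" \
             --availability-zone "$DST_AZ" --snapshot-id "$copy" \
             --volume-type gp2 --query VolumeId --output text)
  run "$AWS" ec2 wait volume-available --region "$DST_REGION" --volume-ids "$newvol"
  run "$AWS" ec2 attach-volume --region "$DST_REGION" --volume-id "$newvol" \
      --instance-id "$inst" --device /dev/xvdf
  echo "$newvol"
}

# check_tls_material <certdir> <hostname>
# Fails (exit 1) if the cert or key nginx will load is missing or empty,
# or if the key is readable by group/other. Run this before declaring the
# host ready; it is the check that would have caught the sks-ohio outage.
check_tls_material() {
  dir=$1; host=$2; ok=0
  for f in "$dir/$host.crt" "$dir/$host.key"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty: $f" >&2
      ok=1
    fi
  done
  if [ -f "$dir/$host.key" ]; then
    # GNU stat first, BSD stat as fallback
    perms=$(stat -c %a "$dir/$host.key" 2>/dev/null \
            || stat -f %Lp "$dir/$host.key" 2>/dev/null || echo unknown)
    case "$perms" in
      600|400) ;;
      *) echo "key $dir/$host.key has mode $perms, expected 600 or 400" >&2; ok=1 ;;
    esac
  fi
  return $ok
}

# Usage:  ./sks-move.sh migrate vol-0123456789abcdef0 i-0123456789abcdef0
#         ./sks-move.sh check-tls /etc/nginx/tls sks-ohio.pennock.tech
case "${1:-}" in
  migrate)   migrate_volume "$2" "$3" ;;
  check-tls) check_tls_material "$2" "$3" ;;
esac
```

The copy step passes --encrypted so the snapshot landing in the new
region is encrypted even if the source volume was not; the IDs flow from
one step to the next through command substitution, which is why the
dry-run stub returns a placeholder instead of nothing.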