Hello upspiners,
with the decommissioning of the
upspin.io servers,
we lost the central key repository. Of course,
everybody can run their own keyserver, but without a
discovery mechanism, those remain isolated islands.
As a first step towards a unified namespace, at least for
self-hosted domains, I had already suggested in my post in
Feb 2024¹ to use DNS for the discovery of keyservers, that
is: a domain can point to its keyserver by SRV record, like
`_upspin._tcp.kesim.org. 86400 IN SRV 10 60 443 keyserver.kesim.org.`
My plan is now to implement this as a proxy service, maybe
`upspin.io/cmd/proxy-keyserver` or so, which serves as the
keyserver for some clients, and consults the local
configuration for (in that order)
a) a curated directory of upspin.User entries ("pinned" users),
b) a curated list of (domain,keyserver) pairs ("pinned" domains),
c) also does DNS lookups to find other keyservers for domains.
d) maybe later: lookup a handle in the fediverse and find a
keyserver entry in the profile?
Any thoughts?
Cheers,
Özgür
¹) see
https://groups.google.com/g/upspin/c/jATa7V4lg3o/m/lWYGgUohAQAJ
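
The lookup order a) to c) from the post above, as an added sketch that is not part of the original message and is not upspin code: the `Resolver` type, its fields, the `fakeDNS` helper and the user `ann@kesim.org` are hypothetical, and pinned users are reduced to a set of names standing in for `upspin.User` entries.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Resolver is a hypothetical type for this sketch, not part of upspin.io.
type Resolver struct {
	PinnedUsers   map[string]bool   // a) users served from the local curated directory
	PinnedDomains map[string]string // b) domain -> keyserver host:port
	LookupSRV     func(service, proto, name string) (string, []*net.SRV, error) // c) net.LookupSRV in production
}

// Resolve reports which source answers for user and, for b) and c), the keyserver to forward to.
func (r *Resolver) Resolve(user string) (source, endpoint string, err error) {
	i := strings.LastIndex(user, "@")
	if i <= 0 || i == len(user)-1 {
		return "", "", errors.New("user name must be name@domain")
	}
	domain := strings.ToLower(user[i+1:]) // DNS names are case-insensitive
	if r.PinnedUsers[user[:i+1]+domain] {
		return "pinned-user", "", nil // answered locally, no lookup leaves the proxy
	}
	if ep, ok := r.PinnedDomains[domain]; ok {
		return "pinned-domain", ep, nil // the pin is used even if DNS would say otherwise
	}
	_, srvs, err := r.LookupSRV("upspin", "tcp", domain) // queries _upspin._tcp.<domain>
	if err != nil || len(srvs) == 0 {
		return "", "", fmt.Errorf("no keyserver found for %s: %v", domain, err)
	}
	// net.LookupSRV returns records sorted by priority; take the preferred one.
	host := strings.TrimSuffix(srvs[0].Target, ".")
	return "dns-srv", net.JoinHostPort(host, strconv.Itoa(int(srvs[0].Port))), nil
}

// fakeDNS is constructed sample data mirroring the SRV record quoted in the post.
func fakeDNS(service, proto, name string) (string, []*net.SRV, error) {
	if name != "kesim.org" {
		return "", nil, errors.New("no such host")
	}
	return "", []*net.SRV{{Target: "keyserver.kesim.org.", Port: 443, Priority: 10, Weight: 60}}, nil
}

func main() {
	r := &Resolver{LookupSRV: fakeDNS}
	fmt.Println(r.Resolve("ann@kesim.org")) // constructed user name
}
```

Because a) and b) are consulted before c), a DNS answer cannot override an entry the operator has pinned.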