> On 23 Jun 2022, at 12:01, Steffen Kaiser <ska...@infcs.de> wrote:
>
> I did not find any references about such a feature in hockeypuck, but
> does somebody have a solution for a one-way sync between hockeypuck servers?
>
> So, the internal server may pull changes from the outside one, but the
> outside one never ever pulls changes from the internal one?

There is no such feature, but you could crudely simulate it by blocking port 11371 in the inwards direction only; that way the key servers would be able to build a difference set over port 11370 but only the inner one would be able to pull key updates over 11371.

This would have a similar degrading effect on sync as blacklisting; the unwanted differences would grow over time and gradually dominate the recon process, however the inner server would not experience as much excess load as with blacklisting, since the unwanted key queries would be dropped at the network layer.

To implement one-way sync efficiently would require a complete reworking of the recon protocol (see my earlier “fake recon” proposal on this list).

A
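
The port split described in the reply above can be checked from each side after the firewall rule is in place. The script below is an added example, not part of the original message and not hockeypuck code; the script name, the role names `inner`/`outer`, and the assumption that recon on 11370 stays reachable in both directions are illustrative.

```python
import socket
import sys

RECON_PORT = 11370  # recon port named in the message (difference set)
HKP_PORT = 11371    # port named in the message for pulling key updates

# What each host should be able to reach on its peer (assumption drawn from
# the message: recon stays open both ways, key pulls work inwards only).
EXPECTED = {
    "inner": {RECON_PORT: True, HKP_PORT: True},
    "outer": {RECON_PORT: True, HKP_PORT: False},
}


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # RST: a reject rule, or nothing listening
    except OSError:
        return "filtered"  # timeout or unreachable: consistent with a drop


def check_one_way(role, peer, probe_fn=probe):
    """Return a list of policy violations seen from this host (empty = OK)."""
    violations = []
    for port, should_connect in EXPECTED[role].items():
        state = probe_fn(peer, port)
        if should_connect and state != "open":
            violations.append(f"{role} -> {peer}:{port} is {state}, expected open")
        elif not should_connect and state == "open":
            violations.append(f"{role} -> {peer}:{port} is open, expected blocked")
    return violations


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[1] not in EXPECTED:
        sys.exit("usage: check_oneway.py inner|outer PEER_HOST")
    problems = check_one_way(sys.argv[1], sys.argv[2])
    for line in problems:
        print("VIOLATION:", line)
    sys.exit(1 if problems else 0)
```

Run it on the inner server with the outer server as peer, and on the outer server with the inner one as peer; a non-zero exit on either side means the one-way arrangement is not in effect.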