There's an interesting conversation on the GPG mailing list that's been ongoing for months. This info should help us choose a good set of default keyservers to protect users from fake signatures and/or DoS against the WoT.
/etc/skel/.gnupg/gpg.conf doesn’t define any currently.
The keystore trilemma is not yet solved. You can have two out of three
of decentralisation, universality, and abuse-resistance. WKD is
decentralised and abuse-resistant but is not universal. keys.openpgp.org
is universal and abuse-resistant but highly centralised (and
functionally limited). Synchronising keyservers (SKS and Hockeypuck) are
decentralised and universal but abuse-prone.
Signature attestations will help tackle many of the abuse (and
functional limitation) issues, if we can get them standardised in a
future openpgp update (rfc4880tris?). But we will probably have to live
with more than one system for the foreseeable future, given the
different compromises required.
Hockeypuck is an alternative keyserver implementation written in Go. It’s being extended to verify sigs to stop key spam.
Here are the hockeypuck servers I could find, all synchronizing properly and apparently exchanging data (minus the unwanted packets) with the SKS servers that are synchronized:
http://keys.andreas-puls.de/pks/lookup?op=stats
http://keys2.andreas-puls.de/pks/lookup?op=stats
http://keys3.andreas-puls.de/pks/lookup?op=stats
http://pgp.cyberbits.eu/pks/lookup?op=stats
http://pgp.re:11371/pks/lookup?op=stats
https://pgpkeys.eu/pks/lookup?op=stats
https://keybath.trifence.ch/pks/lookup?op=stats
https://keyserver.trifence.ch/pks/lookup?op=stats
A dev put together a live graph classifying keyserver types and status. This could serve as a source for new entries in case the list becomes obsolete with time.