Comments (7)
Thanks @jedisct1, fixed the issue with file permissions and the nobody user privileges, now it is working fine :)
from encrypted-dns-server.
Hi!
Indeed, key generation is directly handled by the server. The intent was to make it as simple as possible to use, as certificate management can be quite complicated to properly set up.
Adding an option to avoid keys from being generated/rotated would be trivial.
But what mechanism are you thinking of in order to import keys?
State files are not machine-specific. A machine can run the server without accepting any connections, just to update the state file. For such a use case, an option to simply update that file and immediately quit can also be added, so you can run that as a cron job.
Then, the state file can be periodically copied to the actual resolver. Right now, the proxy needs to be restarted to read the new file, but that can be avoided, either by sending a signal or by watching the file for changes (if writes are guaranteed to always be atomic).
Another way can be to leverage the fact that we already have a minimal built-in HTTP server, currently used for the Prometheus metrics API. And add an API to store a new key, only accessible from a predefined IP address.
What do you think? Any other idea?
from encrypted-dns-server.
Key management is indeed a bit tricky! I believe much of my code is from your old Docker bash script to do key rotation with dnscrypt-wrapper but I can't find the initial reference anymore (so if it was, thank you again!).
My main concern and desire for having this is because I keep wanting to spin up a VPS to run this for the community, but I don't trust that anything (especially the server keys) is safe on a VPS. I wouldn't really call it a secure or trusted server if at any time, the VPS provider could snapshot the system and extract keys from disk or memory.
I hadn't thought too much about different ways to update the server with the keys but wasn't expecting anything too "fancy".
A first pass might simply be getting the server to reload certs through a signal, which may mean updating the state file externally, and then supplying it to the server.
Question: I tried to read the code a bit to understand but couldn't quite get it, are there still short term keys in use that are generated from long term keys? Generating the state file offline and transferring to the server is fine, but it defeats the purpose if the state file also has long term signing keys that we don't want to transfer to the server.
To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?
My current setup generates a key every 12 hours, that's good for 24 hours and keeps at least 2 of those key/certs active in the dnsdist server at any given time. I'm not sure that encrypted-dns-server works the old way anymore, esp since this does more than just DNSCrypt.
from encrypted-dns-server.
To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?
@jedisct1
That's a good question, so does encrypted-dns generate 2 keys (example 24h, 1 week)? How can we configure it in the .toml file?
greets
from encrypted-dns-server.
@ibksturm A new key is generated every 8 hours, and is valid for 24 hours.
After a new key has been generated, the previous ones are not served any more, but queries using them are still accepted until they expire.
The TTL and rotation times are hardcoded here.
from encrypted-dns-server.
Hi @jedisct1,
First of all, thank you for your time and effort on this wonderful software.
Would like to understand if there is any way I could check that the keys are rotated. Reason being I am not sure if I have configured the file permissions correctly for the .state file and if the keys are indeed rotated.
from encrypted-dns-server.
The easiest way would be to look at the timestamp of the .state file. It should change every 8 hours.
from encrypted-dns-server.
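A small model of the rotation schedule jedisct1 describes above (a new key every 8 hours, valid for 24 hours, older keys still accepted but no longer served) together with the .state timestamp check from the last reply. This is an added example, not code from encrypted-dns-server; the KeyCert type, the function names and the 48-hour constructed schedule are assumptions for illustration.

```python
from __future__ import annotations

import os
import time
from dataclasses import dataclass

ROTATION_SECS = 8 * 3600   # a new key every 8 hours (stated in the thread)
VALIDITY_SECS = 24 * 3600  # each key/cert is valid for 24 hours (stated in the thread)


@dataclass(frozen=True)
class KeyCert:
    """One generated key and its certificate; only the creation time matters here (assumed type)."""
    created: int  # unix timestamp of generation

    @property
    def expires(self) -> int:
        return self.created + VALIDITY_SECS


def generate_schedule(start: int, hours: int) -> list[KeyCert]:
    """Keys the server would generate over `hours` hours, one every 8 h (constructed input)."""
    return [KeyCert(start + i * ROTATION_SECS) for i in range(hours * 3600 // ROTATION_SECS + 1)]


def rotation_state(now: int, keys: list[KeyCert]) -> tuple[KeyCert | None, list[KeyCert]]:
    """Return (served, accepted) at time `now`.

    Only the newest unexpired key is served to clients; every key that has not
    expired yet is still accepted for incoming queries, so with 24 h validity and
    8 h rotation up to three keys overlap at any moment.
    """
    live = sorted((k for k in keys if k.created <= now < k.expires), key=lambda k: k.created)
    return (live[-1] if live else None), live


def state_is_fresh(mtime: float, now: float) -> bool:
    """The maintainer's check: the .state file's mtime must move at least every 8 h."""
    return 0 <= now - mtime <= ROTATION_SECS


def check_state_file(path: str) -> bool:
    """Apply state_is_fresh to a real file; `path` is the configured .state file (assumed)."""
    return state_is_fresh(os.stat(path).st_mtime, time.time())


if __name__ == "__main__":
    keys = generate_schedule(0, 48)
    served, accepted = rotation_state(30 * 3600, keys)
    print("served:", served.created // 3600, "h; accepted:", [k.created // 3600 for k in accepted])
```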