Comments (4)
Hi!
The state file is essentially a backup of the in-memory state. Keys are rotated in memory, then dumped to disk; the file is never loaded except at startup time.
So, if multiple instances share the same file, this is still not going to make them use the same ephemeral keys. Which is actually totally fine, if and only if a given client is always going to hit the same container.
Using a K8S secret the same way would have the same limitation.
But that can be fixed, and I have a plan for it, that is not going to require synchronization. Generate the ephemeral key pairs using a forward-only rolling state instead of them being completely non-deterministic. That way, assuming that the rotation interval is constant (8 hours, as you correctly found), any node can compute the current key pair from any previous state.
And this will still provide forward security, up to the previously known state.
This may require a few changes, but I'll look into it. Even beyond K8S, that can be very useful for people running multiple servers for load-balancing or failover.
from encrypted-dns-server.
So currently it's not possible to have multiple containers with the same sdns stamp, is that correct?
from encrypted-dns-server.
It is!
The stamp only includes long-term keys.
These long-term keys are used to sign short-term keys, that are rotated every 8 hours.
Multiple servers can have the same stamp. But since short-term keys are maintained by individual instances, if a client retrieves a certificate from a container, and then sends queries to a different container, shared keys won't match.
from encrypted-dns-server.
This still requires testing, but these changes have been made.
Now, you can start the server once just to create an initial state, then copy that state on as many nodes as you want, and they will all be computing the same ephemeral keys, without explicit synchronization.
The state file can be shared, or each node can have its own.
Still, the state file should not be read-only. Always starting from the original state would work, but the startup time is proportional to how old the previously saved state is.
from encrypted-dns-server.
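The forward-only rolling state described in this thread, as an added Python sketch. This is not code from encrypted-dns-server: the SHA-256 hash ratchet, the HMAC key-seed derivation, the period numbering from the Unix epoch and the (state, period) snapshot layout are all assumptions made for illustration; only the 8-hour rotation interval comes from the thread. It shows two nodes started from snapshots of different ages converging on the same ephemeral key seed without synchronization, the startup cost growing with the age of the snapshot, and the one-way property that gives forward security up to the last known state.

```python
import hashlib
import hmac

ROTATION_INTERVAL_SECS = 8 * 3600  # rotation interval stated in the thread: 8 hours


def period_index(unix_time: int) -> int:
    """Which rotation period a timestamp falls in (assumption: period 0 starts at the epoch)."""
    return unix_time // ROTATION_INTERVAL_SECS


def ratchet(state: bytes) -> bytes:
    """One forward-only step of the rolling state.

    SHA-256 is one-way, so a node (or an attacker) holding state[n] has no way
    back to state[n-1], and therefore no way back to earlier ephemeral keys.
    """
    return hashlib.sha256(b"rolling-state|" + state).digest()


def ephemeral_key_seed(state: bytes) -> bytes:
    """Derive the period's short-term key seed from the current state.

    Deriving through HMAC keeps the state itself out of anything that is
    signed or published. A real server would feed this 32-byte seed to
    X25519 key generation; that mapping is an assumption, not shown here.
    """
    return hmac.new(state, b"ephemeral-keypair", hashlib.sha256).digest()


def catch_up(saved_state: bytes, saved_period: int, now: int):
    """Bring a saved (state, period) snapshot forward to the current period.

    Returns (state, period, steps). `steps` is the startup cost the thread
    warns about: it is proportional to how old the saved state is, which is
    why a read-only state file that never advances is a bad idea.
    """
    target = period_index(now)
    if target < saved_period:
        raise ValueError("saved state is from a future period: check clock skew")
    state = saved_state
    for _ in range(target - saved_period):
        state = ratchet(state)
    return state, target, target - saved_period


def node_startup(saved_state: bytes, saved_period: int, now: int) -> dict:
    """What each node does at boot: load its snapshot, catch up, derive the key seed."""
    state, period, steps = catch_up(saved_state, saved_period, now)
    return {"period": period, "steps": steps, "state": state,
            "seed": ephemeral_key_seed(state)}


# Constructed initial state standing in for the file written by the first run.
INITIAL_STATE = hashlib.sha256(b"constructed initial state - not a real key").digest()


def snapshot(period: int) -> bytes:
    """State as it would have been saved to disk at the end of `period` ratchets."""
    state = INITIAL_STATE
    for _ in range(period):
        state = ratchet(state)
    return state


# Constructed "now": somewhere inside period 12.
NOW = 12 * ROTATION_INTERVAL_SECS + 1234


def demo():
    """Node A was copied an old snapshot (period 3), node B a recent one (period 10)."""
    node_a = node_startup(snapshot(3), 3, NOW)
    node_b = node_startup(snapshot(10), 10, NOW)
    return node_a, node_b


if __name__ == "__main__":
    a, b = demo()
    print("same ephemeral seed:", a["seed"] == b["seed"])
    print("startup steps A/B:", a["steps"], b["steps"])
```

Both nodes end up in period 12 with identical seeds, so a client that fetched a certificate from one container can keep querying the other. Node A pays 9 ratchet steps at startup against node B's 2, which is the "startup time is proportional to how old the previously saved state is" caveat from the thread; each node should write its advanced state back so the next restart is cheap. Nothing in this sketch recovers a previous period's seed from the current state, which is the forward-security property the thread describes.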