[dnsdist] dnscrypt key rotation runtime

Maciej Soltysiak maciej at soltysiak.com
Sun Apr 16 20:55:12 UTC 2017


Hi,

The preferred way to run a dnscrypt server is to maintain short-term
cert/key pairs, e.g. less than 86400 seconds. This is to improve Forward
Secrecy by reducing the time window in which a compromised key is effective.

To facilitate that dnscrypt-wrapper implementation of DNSCrypt allows to
specify multiple certs and keys. That is because the client implementation
(e.g. dnscrypt-proxy) will fetch the cert only once a few minutes,
therefore it is possible for the client to send a request for the old
certificate when it just become invalid and the new one is in place.

Now, in dnsdist, there's advice in the docs to rotate regularly, but from
what I see, you'd have to restart dnsdist and, if, you're like me, lose a
nice, warm cache.

Am I missing something or there is a way to add a cert/key pair at runtime?

Best regards,
Maciej
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20170416/dd89e74a/attachment.html>


More information about the dnsdist mailing list