[dnsdist] Dns over TLS, and certificates that expire

Remi Gacogne remi.gacogne at powerdns.com
Fri Jun 29 10:27:14 UTC 2018

Hi Kai,

On 06/07/2018 05:04 PM, Kai Storbeck wrote:
>> Neither OpenSSL nor GnuTLS APIs make it easy to switch the certificate,
>> but we could create a new TLSContext and switch to it at run-time. We
>> would need to be careful to keep the current ticket keys around, and we
>> would lose existing ticket-less TLS sessions but I don't see any major
>> issue preventing us from implementing that feature.
>> That's still quite some work so I wouldn't expect it before 1.4.0.
> Thanks!

The change was actually more self-contained than I expected, so I just
opened a PR [1] that is scheduled for the next 1.3.x release unless we
discover some issue with it.
I hope it's enough for your needs, but please let me know otherwise.

> You mention tickets. You're referring to these:
>> Session Tickets, specified in RFC 5077, are a technique to resume TLS sessions by storing key material encrypted on the clients. In TLS 1.2 they speed up the handshake from two to one round-trips.
>> (from https://blog.filippo.io/we-need-to-talk-about-session-tickets/)
> Do we (I) really need that? In our anycast setup that's already
> breaking. I know it saves a roundtrip, but meh, if that means 1 extra
> roundtrip to fix it, it's not exactly bad. Especially if those
> statements on that blog are true.

If you don't want to bother with distributing the same ticket keys to
your various anycast instances, then no. In that case you might want to
disable session tickets once this new PR has been merged, since there is
no use sending them if you know you won't be able to use them.

> The key stays the same, only the certificate signature(?) changes, would
> that invalidate any ssl tickets?

In theory it would not, but this PR will generate new ticket keys when
the certificates are reloaded unless the ticket keys are loaded from a file.

[1]: https://github.com/PowerDNS/pdns/pull/6764

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
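The two options Remi describes, shared ticket keys loaded from a file versus not issuing tickets at all, plus an at-runtime certificate reload, as an added dnsdist configuration sketch. This is an editor's example, not code from the thread, the PR or the dnsdist project; the option and method names (`ticketKeyFile`, `numberOfTicketsKeys`, `sessionTickets`, `getTLSFrontend`, `reloadCertificates`) are written as the editor recalls them from the dnsdist 1.3.x documentation, the paths are placeholders, and all of it should be checked against the release actually deployed.

```lua
-- Added example (not from the thread or the dnsdist project).
-- Option/method names follow the dnsdist 1.3.x docs as recalled by the
-- editor; verify against the release you run. Paths are assumptions.
local certFile      = "/etc/dnsdist/tls/fullchain.pem"
local keyFile       = "/etc/dnsdist/tls/privkey.pem"
local ticketKeyFile = "/etc/dnsdist/tls/ticket-keys.bin"

-- (a) Anycast-friendly: every instance loads the SAME ticket keys from a
-- file you distribute yourself (config management, secret store, ...).
-- Because the keys come from a file, reloading the certificate keeps them
-- instead of generating fresh ones, so tickets issued before the renewal
-- remain usable on every node. The file must hold raw random key material
-- of the length the TLS provider expects; see the addTLSLocal docs.
addTLSLocal("0.0.0.0:853", certFile, keyFile,
            { ticketKeyFile = ticketKeyFile,
              numberOfTicketsKeys = 2 })

-- (b) No shared key distribution: rather than send tickets that no other
-- anycast node can decrypt, don't issue them and accept the extra
-- round-trip. 'sessionTickets' is assumed to be the option name in the
-- release that carries the reload change.
-- addTLSLocal("0.0.0.0:853", certFile, keyFile, { sessionTickets = false })

-- Re-read the certificate and key without restarting dnsdist. Meant to be
-- called from the console (controlSocket()/setKey() must be configured),
-- e.g. from an ACME renewal hook:  dnsdist -c -e 'reloadTLSCertificates()'
-- Assumption: the addTLSLocal() call above is frontend index 0 and the
-- returned object exposes reloadCertificates(), as the PR in [1] adds.
function reloadTLSCertificates()
  local frontend = getTLSFrontend(0)
  frontend:reloadCertificates()
end
```

Pick (a) or (b), not both on the same listener: loading a key file only helps if every node behind the anycast address reads the same file and rotates it in lockstep, otherwise the tickets are dead weight and (b) is the honest choice.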
