[dnsdist] dnsdist v2.0.0 alpha1 error on cert rotation
jlongua at wagonut.com
Wed Apr 16 01:39:46 UTC 2025
Hello,

With dnsdist v2.0.0 alpha1, loading new certs fails in the maintenance function when using two dnscrypt binds. It works when loading a new cert for a single dnscrypt bind.

This dnscrypt cert rotation config is derived from the dnsdist regression test example, which will also show the error when using two dnscrypt binds:
https://github.com/PowerDNS/pdns/blob/master/regression-tests.dnsdist/test_DNSCrypt.py

This configuration is working with dnsdist v1.9.8.
systemctl status dnsdist.service

Apr 16 00:27:09 draco dnsdist[2530499]: Error during execution of maintenance function(s): [string "chunk"]:33: Caught exception: Error adding a new certificate: we already have a certificate with the same serial
Apr 16 00:27:09 draco dnsdist[2530499]: stack traceback:
Apr 16 00:27:09 draco dnsdist[2530499]: [C]: in function 'loadNewCertificate'
Apr 16 00:27:09 draco dnsdist[2530499]: [string "chunk"]:33: in function <[string "chunk"]:27>
My dnsdist dnscrypt configuration, modified to issue certs every five seconds:

I am using a VPS running Debian 12 Bookworm.
-- dnsdist 2.0.0 alpha1 testing dnscrypt config
-- mkdir /var/lib/dnsdist
-- set variable /var/lib/dnsdist/serial = 1
-- chown -R _dnsdist:_dnsdist /var/lib/dnsdist

-- the current certificate serial is persisted across restarts in a plain file
local f = io.open("/var/lib/dnsdist/serial", "r")
local serial = f:read("*n")
f:close()

setLocal("127.0.0.1:5353")
addLocal('[::1]:5353')
setACL({'0.0.0.0/0', '::/0'})

-- provider key pair and the initial certificate (valid from one minute ago for 12 hours)
generateDNSCryptProviderKeys("/var/lib/dnsdist/providerPublic.key", "/var/lib/dnsdist/providerPrivate.key")
generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key", "/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key", serial, os.time() - 60, os.time() + 43200, DNSCryptExchangeVersion.VERSION2)

-- two dnscrypt binds (IPv4 and IPv6) sharing the same certificate and key files
addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.draco.plan9dns.com", "/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key", {maxConcurrentTCPConnections=250})
addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.draco.plan9dns.com", "/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key", {maxConcurrentTCPConnections=250})

-- downstream resolver
newServer({address="127.0.0.1:53", name="pdns-recursor", qps=0, pool=""})
pc = newPacketCache(250000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)

-- dnscrypt cert rotation: every 5 seconds bump the serial, write a new
-- certificate and load it into both binds, then persist the serial
local last = 0
function maintenance()
  local now = os.time()
  if ((now - last) > 5) then
    serial = serial + 1
    generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key", "/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key", serial, os.time() - 60, os.time() + 43200, DNSCryptExchangeVersion.VERSION2)
    getDNSCryptBind(0):loadNewCertificate("/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key")
    getDNSCryptBind(1):loadNewCertificate("/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key")
    last = now
    local f = io.open("/var/lib/dnsdist/serial", "w")
    f:write(serial)
    f:close()
  end
end

-- enable local control socket
controlSocket('127.0.0.1:5199')
setKey("password=")
Best regards,
Jason Long
https://github.com/jlongua/plan9-dns
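Added example, not part of Jason's post or of dnsdist itself: a small Python check that decodes the resolver.cert file the configuration above writes and reports why a bind would refuse it, so the serial can be compared against the persisted serial and the already-loaded certificates before loadNewCertificate is called. It assumes the file holds the raw 124-byte DNSCrypt v2 certificate structure with big-endian integers; the validity-window check is an extra sanity check beyond the serial collision named in the error.

```python
import struct
import time

# DNSCrypt v2 certificate layout: cert-magic, es-version, protocol-minor,
# signature, resolver public key, client magic, serial, ts-start, ts-end.
# Assumption: dnsdist's generateDNSCryptCertificate() writes exactly this
# 124-byte structure to resolver.cert, integers big-endian.
CERT = struct.Struct(">4s2s2s64s32s8sIII")


def parse_cert(blob):
    """Decode one raw certificate blob into a dict of its fields."""
    if len(blob) < CERT.size:
        raise ValueError("certificate too short: %d bytes" % len(blob))
    magic, es, _minor, _sig, pk, cmagic, serial, ts_start, ts_end = CERT.unpack_from(blob)
    if magic != b"DNSC":
        raise ValueError("bad certificate magic: %r" % magic)
    return {"es_version": int.from_bytes(es, "big"), "resolver_pk": pk,
            "client_magic": cmagic, "serial": serial,
            "ts_start": ts_start, "ts_end": ts_end}


def rotation_problems(new_blob, loaded_blobs, now=None):
    """Reasons a bind would refuse new_blob given the certs it already holds:
    a serial collision (the error in the report above) or a validity window
    that does not cover 'now' (an extra sanity check)."""
    now = int(time.time()) if now is None else now
    new = parse_cert(new_blob)
    problems = []
    if any(parse_cert(b)["serial"] == new["serial"] for b in loaded_blobs):
        problems.append("serial %d already loaded" % new["serial"])
    if not new["ts_start"] <= now <= new["ts_end"]:
        problems.append("certificate not valid at %d" % now)
    return problems


def make_test_cert(serial, ts_start, ts_end):
    """Constructed, unsigned certificate blob for offline testing only."""
    return CERT.pack(b"DNSC", b"\x00\x02", b"\x00\x00", bytes(64), bytes(32),
                     b"\x01" * 8, serial, ts_start, ts_end)


if __name__ == "__main__":
    # Constructed scenario: serial 7 is already loaded on the bind, so loading
    # serial 7 again is refused while serial 8 is accepted. For a real file use
    # parse_cert(open("/var/lib/dnsdist/resolver.cert", "rb").read()) instead.
    now = 1744763229  # constructed timestamp
    loaded = [make_test_cert(7, now - 60, now + 43200)]
    print(rotation_problems(make_test_cert(7, now - 60, now + 43200), loaded, now))
    print(rotation_problems(make_test_cert(8, now - 60, now + 43200), loaded, now))
```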