It would be handy if we had the possibility to load a list of cert/keys with addDNSCryptBind() and reloadAllCertificates(). This way we could load validity-time-overlapping cert/keys on startup and runtime.
<winfried> Hi, wouldn't it make sense to have the possibility to load a "list" of cert/keys with addDNSCryptBind()?
<winfried> As addTLSLocal and addDOHLocal do?
<winfried> And then also with reloadAllCertificates()?
<rgacogne> winfried: in theory I agree, although DNSCrypt handles certificates a bit differently than DoT/DoH, notably because it has the notion of active and inactive certificates, so I'll have to take a good look to know if it really makes sense
<winfried> rgacogne: I'm not sure if this is a good idea, I'm trying a setup where always two cert/keys for dnscrypt lie around. With overlapping validity time period. But how to load/reload them?
<rgacogne> it's possible to add a new certificate to a dnscrypt context at configuration or runtime via something like getDNSCryptBind(0):loadNewCertificate('DNSCryptResolver.cert.2', 'DNSCryptResolver.key.2')
<rgacogne> do your certificates use the same serial?
<winfried> no, it increases. Should they?
<rgacogne> they should increase, yes :)
<winfried> With getDNSCryptBind() I have to do it for each bind
<rgacogne> at a quick glance I think it would make sense to accept a list, and to add dnscrypt to the global cert reloading function
<rgacogne> yes, I agree it would be better to handle DNSCrypt in reloadAllCertificates()
<winfried> There are a lot of methods, objects and functions regarding DNSCrypt in dnsdist, I just wonder why?
<rgacogne> mostly because there are a lot more things to handle with DNSCrypt because there the way certificates are handled is quite different
<rgacogne> perhaps I should not have exposed all that to the end user, though :-/
<winfried> rgacogne: I got scared :-) Would it be okay for you if I write a feature request on github and quote you?
<rgacogne> sure :)
I'm trying to load a list of DNSCrypt cert/keys on startup and runtime. But I don't really have an idea how.
dnsdist accepts a list of certs/keys in addDNSCryptBind() and reloads them with reloadAllCertificates()