Accept a list of certs/keys in addDNSCryptBind() and reload them with reloadAllCertificates() #8020

Closed
paddg opened this issue Jul 3, 2019 · 1 comment

Comments

paddg (Contributor) commented Jul 3, 2019

  • Program: dnsdist
  • Issue type: Feature request

Short description

It would be handy if we had the possibility to load a list of cert/keys with addDNSCryptBind() and reloadAllCertificates(). This way we could load validity-time-overlapping cert/keys on startup and runtime.

IRC quote:

<winfried> Hi, wouldn't it make sense to have the possibility to load a "list" of cert/keys with addDNSCryptBind()?
<winfried> As addTLSLocal and addDOHLocal do?
<winfried> And then also with reloadAllCertificates()?
<rgacogne> winfried: in theory I agree, although DNSCrypt handles certificates a bit differently than DoT/DoH, notably because it has the notion of active and inactive certificates, so I'll have to take a good look to know if it really makes sense
<winfried> rgacogne: I'm not sure if this is a good idea, I'm trying a setup where always two cert/keys for dnscrypt lay around. With overlapping validity time period. But how to load/reload them?
<rgacogne> it's possible to add a new certificate to a dnscrypt context at configuration or runtime via something like getDNSCryptBind(0):loadNewCertificate('DNSCryptResolver.cert.2', 'DNSCryptResolver.key.2')
<rgacogne> do your certificates use the same serial?
<winfried> no, it increases. Should they?
<rgacogne> they should increase, yes :)
<winfried> With getDNSCryptBind() I have to do it for each bind
<rgacogne> at a quick glance I think it would make sense to accept a list, and to add dnscrypt to the global cert reloading function
<rgacogne> yes, I agree it would be better to handle DNSCrypt in reloadAllCertificates()
<winfried> There are a lot of methods, objects and functions regarding DNSCrypt in dnsdist, I just wonder why?
<rgacogne> mostly because there are a lot more things to handle with DNSCrypt, because the way certificates are handled there is quite different
<rgacogne> perhaps I should not have exposed all that to the end user, though :-/
<winfried> rgacogne: I got scared :-) Would it be okay for you if I write a feature request on github and quote you?
<rgacogne> sure :)

Usecase

I'm trying to load a list of DNSCrypt cert/keys on startup and at runtime. But I don't really have an idea how.

Description

dnsdist accepts a list of certs/keys in addDNSCryptBind() and reloads them with reloadAllCertificates().
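The setup the request describes (two DNSCrypt certificates with overlapping validity windows and increasing serials, present on every bind, with the newer one added at runtime) can be expressed with the dnsdist Lua functions mentioned in the discussion. The following is an added example written for this page, not configuration from the issue author or from the dnsdist project; the listen addresses, provider name, file names and validity periods are placeholders, and the use of getDNSCryptBindCount() to iterate over binds is an assumption (getDNSCryptBind() is indexed from 0, as the quoted loadNewCertificate() call shows).

```lua
-- Added example, not from the issue or from dnsdist itself.
-- Assumed placeholders: provider name, listen addresses, file names, windows.
local providerName = "2.dnscrypt-cert.example.com"
local providerPrivateKey = "provider.key"   -- from generateDNSCryptProviderKeys()
local listenAddresses = { "192.0.2.1:8443", "[2001:db8::1]:8443" }

-- Certificate pairs, ordered by serial. As rgacogne notes above, serials
-- must increase; validity windows overlap so clients never see a gap.
local certs = {
  { cert = "DNSCryptResolver.cert.1", key = "DNSCryptResolver.key.1", serial = 1 },
  { cert = "DNSCryptResolver.cert.2", key = "DNSCryptResolver.key.2", serial = 2 },
}

-- addDNSCryptBind() takes a single cert/key pair, so each bind starts
-- with the oldest certificate and the others are loaded afterwards.
for _, addr in ipairs(listenAddresses) do
  addDNSCryptBind(addr, providerName, certs[1].cert, certs[1].key)
end

-- Load a cert/key pair into every DNSCrypt bind and mark it active.
-- Assumption: getDNSCryptBindCount() returns the number of binds.
function loadDNSCryptCertificateEverywhere(certFile, keyFile)
  for idx = 0, getDNSCryptBindCount() - 1 do
    local ctx = getDNSCryptBind(idx)
    -- third argument: mark the new certificate active immediately
    ctx:loadNewCertificate(certFile, keyFile, true)
  end
end

-- Load the remaining certificates at startup.
for i = 2, #certs do
  loadDNSCryptCertificateEverywhere(certs[i].cert, certs[i].key)
end

-- Runtime rotation, to be called from the dnsdist console, e.g.
--   rotateDNSCryptCertificate(3)
-- Generates a new certificate valid from now for 30 days (overlapping the
-- current one), loads it on all binds, then reports what each bind holds.
function rotateDNSCryptCertificate(serial)
  local now = os.time()
  local certFile = "DNSCryptResolver.cert." .. serial
  local keyFile = "DNSCryptResolver.key." .. serial
  generateDNSCryptCertificate(providerPrivateKey, certFile, keyFile,
                              serial, now, now + 30 * 86400)
  loadDNSCryptCertificateEverywhere(certFile, keyFile)
  for idx = 0, getDNSCryptBindCount() - 1 do
    getDNSCryptBind(idx):printCertificates()
  end
end
```

The loop over binds is exactly the per-bind repetition the request wants folded into addDNSCryptBind() and reloadAllCertificates(); until that exists, a helper like loadDNSCryptCertificateEverywhere() keeps the binds in step. Check the result with printCertificates(): the old certificate should remain active until its own validity window ends, and it can then be retired with markInactive(serial) and removeInactiveCertificate(serial) on each context.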

paddg (Contributor, Author) commented Jul 8, 2019

Thanks! I'll try it as soon as possible
