dnsdist: Add support for rotating certificates and keys #6764

Merged
merged 5 commits into PowerDNS:master from rgacogne:dnsdist-rotate-certs on Jul 9, 2018

Conversation

@rgacogne
Member

@rgacogne rgacogne commented Jun 29, 2018

Short description

This PR adds support for switching to a new set of DoT certificates and keys without restarting dnsdist. It also adds an option to completely disable TLS session resumption via tickets.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
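As an added example, not code from this PR or from the dnsdist project, a dnsdist Lua configuration that uses the options this PR documents (`ticketsKeysRotationDelay`, `numberOfTicketsKeys`, `disableTickets`) together with the per-frontend `getTLSFrontend(idx):loadNewCertificatesAndKeys()` call the thread discusses; `addTLSLocal`, `infolog` and `errlog` are assumed from the standard dnsdist console API, and the listen addresses and file paths are placeholders.

```lua
-- Added example (not from the PR): dnsdist DoT configuration using the
-- ticket-key options documented in this PR, plus a guarded reload helper.
-- Assumed names: addTLSLocal, infolog, errlog (dnsdist console API).
local certFile = "/etc/dnsdist/dot.pem"   -- placeholder path
local keyFile  = "/etc/dnsdist/dot.key"   -- placeholder path

-- DoT frontend 0: rotate the session-ticket key every 4h (value in seconds)
-- and keep the last 3 keys so sessions issued before a rotation can still
-- be resumed (OpenSSL provider only, per the documentation hunk).
addTLSLocal("0.0.0.0:853", certFile, keyFile, {
  ticketsKeysRotationDelay = 14400,
  numberOfTicketsKeys = 3,
})

-- DoT frontend 1: session tickets disabled entirely, so every client
-- performs a full handshake and no ticket key is ever exposed.
addTLSLocal("[::]:853", certFile, keyFile, { disableTickets = true })

-- Reload the same certificate/key files on TLS frontends 0..lastIdx.
-- Each call is wrapped in pcall so that a Lua error raised while loading
-- one frontend is logged instead of aborting the whole console command.
-- Whether a failed load raises or only logs is not stated in this PR, so
-- the served certificate should still be monitored externally afterwards.
function reloadDoTCertificates(lastIdx)
  local failures = 0
  for idx = 0, lastIdx do
    local ok, err = pcall(function()
      getTLSFrontend(idx):loadNewCertificatesAndKeys(certFile, keyFile)
    end)
    if ok then
      infolog("Reloaded DoT certificate and key on TLS frontend " .. idx)
    else
      failures = failures + 1
      errlog("Reload failed on TLS frontend " .. idx .. ": " .. tostring(err))
    end
  end
  return failures
end

-- Invoke from the console: dnsdist -e "reloadDoTCertificates(1)"
```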
rgacogne added 2 commits Jun 28, 2018
@rgacogne rgacogne added this to the dnsdist-1.3.x milestone Jun 29, 2018
@rgacogne rgacogne requested a review from chbruyand Jun 29, 2018
@rgacogne rgacogne modified the milestones: dnsdist-1.3.x, dnsdist-1.3.1 Jul 4, 2018
@@ -112,6 +113,7 @@ Listen Sockets
* ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
* ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
* ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
* ``disableTickets``: bool - Disable the use of session resumption via session tickets. Default is false, meaning tickets are enabled.
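Review bot: the new `disableTickets` option is a negated boolean, so the default behaviour has to be written as `disableTickets = false`; a positively named option such as `sessionTickets` defaulting to true would read more clearly. The description should also say how the option interacts with the ticket-key options listed directly above it (`ticketKeyFile`, `numberOfTicketsKeys`, `ticketsKeysRotationDelay`), for example whether a configured ticket key file is still loaded and rotated when tickets are disabled.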


@pieterlexis

pieterlexis Jul 6, 2018
Member

perhaps rename this to sessionTickets with a default value of true?

@rgacogne rgacogne merged commit fed6216 into PowerDNS:master Jul 9, 2018
4 checks passed
LGTM analysis: C/C++ No alert changes
LGTM analysis: JavaScript No alert changes
LGTM analysis: Python No alert changes
continuous-integration/travis-ci/pr The Travis CI build passed
@rgacogne rgacogne deleted the rgacogne:dnsdist-rotate-certs branch Jul 9, 2018
@paddg
Contributor

@paddg paddg commented Mar 13, 2019

Hello Remi, do you have plans to make this available directly on the command channel or API for all "TLSFrontend" indexes in one go? Currently I have only this workaround:

-- Reload the same certificate and key files on every TLS frontend.
-- Assumes tlsfrontendidx (index of the last TLS frontend), dotpem and dotkey
-- (certificate and key file paths) are defined earlier in the dnsdist configuration.
function TLSloadNewCertificatesAndKeys()
   for idx = 0, tlsfrontendidx do
      getTLSFrontend(idx):loadNewCertificatesAndKeys(dotpem, dotkey)
   end
end

which I can call with
dnsdist -e "TLSloadNewCertificatesAndKeys()"

@rgacogne
Member Author

@rgacogne rgacogne commented Mar 13, 2019

Hello Winfried! So just to be sure I understand your needs, you would like to be able to reload all TLS certificates and associated keys in one go, without changing their locations, either from the console or the API? If so I believe that would be quite easy to implement in the next version, yes!

@paddg
Contributor

@paddg paddg commented Mar 13, 2019

Yes, that's exactly right. All we'd need is a way to tell dnsdist that the certificates have changed. Thanks!

Edit: In a safe manner of course. In case of an error, dnsdist should stay on the previous certificates. That means also that if someone is using this feature, it's mandatory to monitor the validity of the certificates provided on the DoT port as well as the certificate files (with 3rd party tools).

@paddg
Contributor

@paddg paddg commented May 27, 2019

> Hello Winfried! So just to be sure I understand your needs, you would like to be able to reload all TLS certificates and associated keys in one go, without changing their locations, either from the console or the API? If so I believe that would be quite easy to implement in the next version, yes!

Hello Remi, are you planning this for the next release? Will it be 1.4.0 or rather later?

@rgacogne
Member Author

@rgacogne rgacogne commented May 27, 2019

Hi Winfried! We implemented a reload from the console in #7676, which will be available in 1.4.0 since it was merged before the release of 1.4.0-alpha1.

@paddg
Contributor

@paddg paddg commented May 27, 2019

Ok, thank you!

@paddg
Contributor

@paddg paddg commented Jun 6, 2019

Hello Remi, I tested it with 1.4.0-alpha2 and it looks good to me. Thanks again!
