dnsdist: Add support for rotating certificates and keys #6764

merged 5 commits into PowerDNS:master from rgacogne:dnsdist-rotate-certs on Jul 9, 2018



rgacogne commented Jun 29, 2018

Short description

This PR adds support for switching to a new set of DoT certificates and keys without restarting dnsdist. It also adds an option to completely disable TLS session resumption via tickets.


I have:

  • read the document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
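
As an added illustration of the session-ticket mechanics this PR touches (the key ring behind ``numberOfTicketsKeys`` and ``ticketsKeysRotationDelay``, and why ``disableTickets`` or frequent rotation matters for forward secrecy), the model below is constructed for this page and is not dnsdist code: it keeps at most N keys, seals new tickets under the newest one and accepts tickets under any key still in the ring. The cipher is a stdlib-only toy standing in for the AES used by real RFC 5077 tickets, and every name in it is an assumption.

```python
import hashlib
import hmac
import os
from collections import deque
NAME_LEN = 16  # RFC 5077 key_name length

def _keystream(key, nonce, length):
    # Toy stream cipher made of SHA-256 blocks; real tickets use AES.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class TicketKeyRing:
    """At most max_keys keys (numberOfTicketsKeys): the newest seals new
    tickets, every kept key may still open tickets sealed before a rotation."""

    def __init__(self, max_keys=5):
        self.keys = deque(maxlen=max_keys)  # oldest key is evicted on overflow
        self.rotate()

    def rotate(self):
        """Activate a fresh random (name, enc_key, mac_key), as ticketsKeysRotationDelay triggers."""
        self.keys.append((os.urandom(NAME_LEN), os.urandom(32), os.urandom(32)))

    def seal(self, state):
        name, enc, mac = self.keys[-1]
        nonce = os.urandom(16)
        ct = _xor(state, _keystream(enc, nonce, len(state)))
        tag = hmac.new(mac, name + nonce + ct, hashlib.sha256).digest()
        return name + nonce + ct + tag  # key_name || nonce || ciphertext || tag

    def open(self, ticket):
        """Return the session state, or None if the key was evicted or the tag fails."""
        name, nonce, ct, tag = ticket[:NAME_LEN], ticket[NAME_LEN:32], ticket[32:-32], ticket[-32:]
        for kname, enc, mac in self.keys:
            expect = hmac.new(mac, name + nonce + ct, hashlib.sha256).digest()
            if kname == name and hmac.compare_digest(expect, tag):
                return _xor(ct, _keystream(enc, nonce, len(ct)))
        return None  # unknown or evicted key: resumption refused, client does a full handshake

def ticket_lifetime(max_keys):
    # Rotations after which a ticket sealed now stops being accepted.
    ring = TicketKeyRing(max_keys)
    ticket = ring.seal(b"constructed session secret")
    rotations = 0
    while ring.open(ticket) is not None:
        ring.rotate()
        rotations += 1
    return rotations  # 5 keys => 5 rotations, i.e. 5 * 43200 s with the defaults
```

With the documented defaults a captured ticket stays decryptable for numberOfTicketsKeys times ticketsKeysRotationDelay; a ticket key persisted to disk extends that window indefinitely, which is the forward-secrecy concern the ``ticketKeyFile`` documentation warns about.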

rgacogne added some commits Jun 28, 2018

@rgacogne rgacogne added this to the dnsdist-1.3.x milestone Jun 29, 2018

@rgacogne rgacogne requested a review from chbruyand Jun 29, 2018

@rgacogne rgacogne modified the milestones: dnsdist-1.3.x, dnsdist-1.3.1 Jul 4, 2018

@@ -112,6 +113,7 @@ Listen Sockets
* ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
* ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
* ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
* ``disableTickets``: bool - Disable the use of session resumption via session tickets. Default is false, meaning tickets are enabled.
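
Review bot: the option names in this hunk are inconsistent about singular versus plural (``ticketKeyFile`` next to ``numberOfTicketsKeys`` and ``ticketsKeysRotationDelay``), and the prose alternates between "tickets keys" and "tickets key"; picking one form ("ticket key", "ticketKeyFile") would avoid confusing operators. Also "Default to 5." should read "Defaults to 5.", and the ``disableTickets`` entry should say whether ``ticketKeyFile``, ``numberOfTicketsKeys`` and ``ticketsKeysRotationDelay`` are ignored when tickets are disabled, since as written a reader cannot tell whether key rotation still runs in that case.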


pieterlexis Jul 6, 2018


perhaps rename this to sessionTickets with a default value of true?

@rgacogne rgacogne merged commit fed6216 into PowerDNS:master Jul 9, 2018

4 checks passed

LGTM analysis: C/C++ No alert changes
LGTM analysis: JavaScript No alert changes
LGTM analysis: Python No alert changes
continuous-integration/travis-ci/pr The Travis CI build passed

@rgacogne rgacogne deleted the rgacogne:dnsdist-rotate-certs branch Jul 9, 2018
