
Support for multiple keys / seamless key rotation #49

Merged
merged 6 commits into from
Jul 5, 2015

Commits on Jul 5, 2015

  1. 1e63dd7
  2. Accept multiple keys.

    Here is how to seamlessly switch to a new key:
    
    1) Create the first key and its related certificate:
    
    $ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key
    $ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert
    
    Run the server:
    
    $ dnscrypt-wrapper --resolver-address=114.114.114.114 \
                       --provider-name=2.dnscrypt-example.org \
                       --listen-address=0.0.0.0:443 \
                       --crypt-secretkey-file=1.key \
                       --provider-cert-file=1.cert
    
    2) Before 1.key expires, create a fresh new key and a certificate for it:
    
    $ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=2.key
    $ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=2.key --provider-cert-file=2.cert
    
    Run a new instance of the server, which is going to publish the certificate
    for the new key, but still accept queries using the previous key in addition
    to the new one (notice the --crypt-secretkey-file= line, which can now include
    an arbitrary number of keys):
    
    $ dnscrypt-wrapper --resolver-address=114.114.114.114 \
                       --provider-name=2.dnscrypt-example.org \
                       --listen-address=0.0.0.0:443 \
                       --crypt-secretkey-file=1.key,2.key \
                       --provider-cert-file=2.cert
    
    3) Wait 1 hour and remove the old key:
    
    $ dnscrypt-wrapper --resolver-address=114.114.114.114 \
                       --provider-name=2.dnscrypt-example.org \
                       --listen-address=0.0.0.0:443 \
                       --crypt-secretkey-file=2.key \
                       --provider-cert-file=2.cert
    jedisct1 committed Jul 5, 2015 (7a03627)
  3. f3d45d6
  4. 04fb20d
  5. c53d814
  6. Travis build: Sodium 0.4.1 is very old. Use at least 1.0.0.

    Which is old as well, but what Debian-stable has.
    Also make sure that everything works with a minimal Sodium build.
    jedisct1 committed Jul 5, 2015 (097f09a)