Question about offline key management #24
Comments
Hi! Indeed, key generation is directly handled by the server. The intent was to make it as simple as possible to use, as certificate management can be quite complicated to properly set up. Adding an option to avoid keys from being generated/rotated would be trivial. But what mechanism are you thinking of in order to import keys? State files are not machine-specific. A machine can run the server without accepting any connections, just to update the state file. For such a use case, an option to simply update that file and immediately quit can also be added, so you can run that as a cron job. Then, the state file can be periodically copied to the actual resolver. Right now, the proxy needs to be restarted to read the new file, but that can be avoided, either by sending a signal or by watching the file for changes (if writes are guaranteed to always be atomic). Another way can be to leverage the fact that we already have a minimal built-in HTTP server, currently used for the Prometheus metrics API. And add an API to store a new key, only accessible from a predefined IP address. What do you think? Any other idea?
Key management is indeed a bit tricky! I believe much of my code is from your old Docker bash script to do key rotation with dnscrypt-wrapper but I can't find the initial reference anymore (so if it was, thank you again!). My main concern and desire for having this is because I keep wanting to spin up VPS to run this for the community, but I don't trust that anything (especially the server keys) are safe on a VPS. I wouldn't really call it a secure or trusted server if at any time, the VPS provider could snapshot the system and extract keys from disk or memory. I hadn't thought too much about different ways to update the server with the keys but wasn't expecting anything too "fancy". A first pass might simply be getting the server to reload certs through a signal, which may mean updating the state file externally, and then supplying it to the server. Question: I tried to read the code a bit to understand but couldn't quite get it, are there still short term keys in use that are generated from long term keys? Generating the state file offline and transferring to the server is fine, but it defeats the purpose if the state file also has long term signing keys that we don't want to transfer to the server. To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys? My current setup generates a key every 12 hours, that's good for 24 hours and keeps at least 2 of those key/certs active in the dnsdist server at any given time. I'm not sure that encrypted-dns-server works the old way anymore, esp since this does more than just DNSCrypt.
@jedisct1 greets
Hi @jedisct1, First of all, thank you for your time and effort on this wonderful software. Would like to understand if there is any way I could check the keys are rotated. Reason being I am not sure if I have configured the file permission correctly for the .state file and if the keys are indeed rotated.
The easiest way would be to look at the timestamp of the
Thanks @jedisct1, fixed the issue with file permission and nobody user privilege, now it is working fine :)
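As an added illustration of the offline model discussed in the two comments above (example code written for this thread, not code from encrypted-dns-server, dnscrypt-wrapper or dnsdist): the long-term Ed25519 key stays on an offline host and signs DNSCrypt v2 certificates, each embedding a fresh short-term X25519 key and a validity window, so the resolver only ever receives signed certs plus short-term secrets. It assumes the DNSCrypt v2 certificate layout without extensions and uses the first 8 bytes of the short-term public key as client magic (a convention, not a protocol requirement).

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// DNSCrypt v2 certificate without extensions: "DNSC" | es-version(2) | minor-version(2) |
// Ed25519 signature(64) | signed body, the body being short-term resolver pk(32) |
// client-magic(8) | serial | ts-start | ts-end (three big-endian u32). 124 bytes in total.
var certMagic = []byte("DNSC")

// BuildCert runs on the offline key server, the only place the long-term signing key exists.
// The signed cert plus the short-term secret key is all the resolver needs.
func BuildCert(sk ed25519.PrivateKey, serial, tsStart, tsEnd uint32) (cert, shortTermSK []byte, err error) {
	st, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pk := st.PublicKey().Bytes()
	body := append(append([]byte{}, pk...), pk[:8]...) // client magic: first 8 bytes of pk (assumed convention)
	for _, v := range []uint32{serial, tsStart, tsEnd} {
		body = binary.BigEndian.AppendUint32(body, v)
	}
	cert = append([]byte{}, certMagic...)
	cert = append(cert, 0x00, 0x02, 0x00, 0x00) // es-version 2 (X25519-XChaCha20Poly1305), minor version 0
	cert = append(cert, ed25519.Sign(sk, body)...)
	return append(cert, body...), st.Bytes(), nil
}

// VerifyCert is the client-side check (also useful as a sanity check on a freshly pushed state):
// it needs only the long-term public key and returns the short-term pk if the cert is authentic
// and valid at now (a Unix timestamp).
func VerifyCert(cert []byte, pub ed25519.PublicKey, now uint32) ([]byte, error) {
	if len(cert) != 124 || !bytes.Equal(cert[:4], certMagic) {
		return nil, errors.New("bad length or magic")
	}
	body := cert[72:]
	if !ed25519.Verify(pub, body, cert[8:72]) {
		return nil, errors.New("bad signature")
	}
	if start, end := binary.BigEndian.Uint32(body[44:]), binary.BigEndian.Uint32(body[48:]); now < start || now > end {
		return nil, errors.New("outside validity window")
	}
	return body[:32], nil
}
```

With the 12-hour issue interval and 24-hour validity from the comment above, any instant except the exact boundaries sees two valid certs, which is what lets clients move to the next key before the old one expires.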
Hi Frank,
Thank you for this software first of all! Your hard work on dnscrypt, dnscrypt-proxy, and encrypted-dns-server is much appreciated.
I am considering switching to encrypted-dns-server from other solutions but would like to have the ability to generate the short term keys from a remote system and push them to the resolver and then tell the resolver to reload the keys.
Key generation now looks to be coupled with the server itself and then written to the state file. I don't see any options to use the server to generate and manage keys independently of running a server.
Are there any plans to implement this feature? Currently we use dnsdist with addDNSCryptBind to run a dnscrypt resolver and then custom scripts on a key server to generate certs, push them, and then use some commands to have dnsdist load the new keys.
Thanks for any information you can provide on this subject!