
Question about offline key management #24

Closed
dapphp opened this issue Jan 4, 2020 · 7 comments

Comments

@dapphp
Contributor

dapphp commented Jan 4, 2020

Hi Frank,

Thank you for this software first of all! Your hard work on dnscrypt, dnscrypt-proxy, and encrypted-dns-server are much appreciated.

I am considering switching to encrypted-dns-server from other solutions but would like to have the ability to generate the short term keys from a remote system and push them to the resolver and then tell the resolver to reload the keys.

Key generation now looks to be coupled with the server itself and then written to the state file. I don't see any options to use the server to generate and manage keys independently of running a server.

Are there any plans to implement this feature? Currently we use dnsdist with addDNSCryptBind to run a dnscrypt resolver and then custom scripts on a key server to generate certs, push them, and then use some commands to have dnsdist load the new keys.

Thanks for any information you can provide on this subject!

@jedisct1
Member

jedisct1 commented Jan 5, 2020

Hi!

Indeed, key generation is directly handled by the server. The intent was to make it as simple as possible to use, as certificate management can be quite complicated to properly set up.

Adding an option to prevent keys from being generated/rotated would be trivial.

But what mechanism are you thinking of in order to import keys?

State files are not machine-specific. A machine can run the server without accepting any connections, just to update the state file. For such a use case, an option to simply update that file and immediately quit can also be added, so you can run that as a cron job.

Then, the state file can be periodically copied to the actual resolver. Right now, the proxy needs to be restarted to read the new file, but that can be avoided, either by sending a signal or by watching the file for changes (if writes are guaranteed to always be atomic).

Another way can be to leverage the fact that we already have a minimal built-in HTTP server, currently used for the Prometheus metrics API. And add an API to store a new key, only accessible from a predefined IP address.

What do you think? Any other idea?

@dapphp
Contributor Author

dapphp commented Jan 7, 2020

Key management is indeed a bit tricky! I believe much of my code is from your old Docker bash script to do key rotation with dnscrypt-wrapper but I can't find the initial reference anymore (so if it was, thank you again!).

My main concern and desire for having this is because I keep wanting to spin up VPSes to run this for the community, but I don't trust that anything (especially the server keys) is safe on a VPS. I wouldn't really call it a secure or trusted server if, at any time, the VPS provider could snapshot the system and extract keys from disk or memory.

I hadn't thought too much about different ways to update the server with the keys but wasn't expecting anything too "fancy".

A first pass might simply be getting the server to reload certs through a signal, which may mean updating the state file externally, and then supplying it to the server.

Question: I tried to read the code a bit to understand it but couldn't quite get it. Are there still short-term keys in use that are generated from long-term keys? Generating the state file offline and transferring it to the server is fine, but it defeats the purpose if the state file also contains long-term signing keys that we don't want to transfer to the server.

To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?

My current setup generates a key every 12 hours that is good for 24 hours, and keeps at least 2 of those keys/certs active in the dnsdist server at any given time. I'm not sure that encrypted-dns-server works the old way anymore, especially since this does more than just DNSCrypt.

@ibksturm

ibksturm commented May 2, 2020

To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?

@jedisct1
That's a good question. So does encrypted-dns generate 2 keys (for example 24h, 1 week)? How can we configure it in the .toml file?

greets

@jedisct1
Member

jedisct1 commented May 2, 2020

@ibksturm A new key is generated every 8 hours, and is valid for 24 hours.

After a new key has been generated, the previous ones are not served any more, but queries using them are still accepted until they expire.

The TTL and rotation times are hardcoded here.

@NeutralGround

Hi @jedisct1,

First of all, thank you for your time and effort on this wonderful software.

I would like to understand if there is any way I could check that the keys are rotated. The reason is that I am not sure if I have configured the file permissions correctly for the .state file and whether the keys are indeed rotated.

@jedisct1
Member

jedisct1 commented Sep 6, 2022

Hi @NeutralGround

The easiest way would be to look at the timestamp of the .state file. It should change every 8 hours.
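The rotation scheme described by jedisct1 above (a new key every 8 hours, each valid for 24 hours, older keys still accepted until expiry) and the .state timestamp check he suggests, as an added example that is not part of the original thread or of encrypted-dns-server's code. It assumes the server rewrites the .state file on every rotation, as stated in the thread; the grace period is an assumed value.

```python
from __future__ import annotations
import os
import time

# Values stated in the thread: a new key every 8 hours, each valid for 24 hours.
ROTATION_INTERVAL_S = 8 * 3600
KEY_TTL_S = 24 * 3600


def key_windows(first_gen: float, now: float) -> list[tuple[float, float]]:
    """Return (generated_at, expires_at) for every key generated on the
    8-hour cadence since `first_gen` that is still unexpired at `now`.
    The last entry is the key currently served in the certificate; earlier
    entries are no longer advertised, but queries using them are still accepted."""
    windows = []
    gen = first_gen
    while gen <= now:
        expires = gen + KEY_TTL_S
        if expires > now:
            windows.append((gen, expires))
        gen += ROTATION_INTERVAL_S
    return windows


def served_and_accepted(first_gen: float, now: float) -> tuple[float | None, int]:
    """Generation time of the served key and how many keys are accepted at `now`."""
    windows = key_windows(first_gen, now)
    if not windows:
        return None, 0
    return windows[-1][0], len(windows)


def rotation_overdue(state_mtime: float, now: float, grace_s: int = 600) -> bool:
    """True when the .state file has not been rewritten within one rotation
    interval plus an (assumed) grace period, i.e. rotation looks stalled."""
    return (now - state_mtime) > ROTATION_INTERVAL_S + grace_s


def check_state_file(path: str, now: float | None = None) -> bool:
    """Read the .state file's mtime from disk and report whether rotation is on schedule."""
    now = time.time() if now is None else now
    return not rotation_overdue(os.stat(path).st_mtime, now)


if __name__ == "__main__":
    t0 = 0.0  # constructed: time the first key was generated
    for hours in (0, 9, 20, 25):
        served, n = served_and_accepted(t0, t0 + hours * 3600)
        print(f"t={hours:>2}h served=key@{served / 3600:g}h accepted={n}")
```

Run stand-alone it prints the schedule, showing that after the first day three keys are accepted at any time while only the newest is served; `check_state_file("/path/to/encrypted-dns.state")` turns the timestamp check into a cron-friendly boolean.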

@NeutralGround

Thanks @jedisct1, fixed the issue with the file permissions and the nobody user's privileges; now it is working fine :)

@jedisct1 jedisct1 closed this as completed Nov 1, 2022