Open raelinasndah opened 8 years ago
Nawala doesn't seem to support the dnscrypt protocol any more.
Thanks for your response @jedisct1. I want to ask a little bit more. I'm running our own DNS server (Nawala) that I used when compiling above. Should I update our DNSCrypt certificate? I thought it doesn't have an expiry date. If I must, how can I do that?
Hi,
There is a long-term key pair, that never expires (usually stored as public.key and secret.key), which is only used to sign the certificates.
The certificates themselves do have an expiration date.
For forward secrecy (the inability to decrypt previously recorded communications, even if the secret key is known), the protocol specification recommends rotating the certificates every 24 hours. By default, dnscrypt-wrapper makes them valid for a year, though.
If you still have the signing key (secret.key), the public key required to connect to your server doesn't have to change. You just need to issue a new ephemeral key and its certificate signed with the same long-term key:
dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key
dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert
Then, restart dnscrypt-wrapper with this ephemeral key and cert:
dnscrypt-wrapper ... --crypt-secretkey-file=1.key --provider-cert-file=1.cert
Alternatively, take a look at the DNSCrypt server Docker image, which automatically performs key rotation (every 12 hours).
dnscrypt-proxy (the client) also has an option to alert you if a certificate is going to expire.
Ex:
dnscrypt-proxy --test 60 -R dnscrypt.org-fr
is going to check if the certificate will remain valid for the next 60 minutes, and return an appropriate exit code. You can have a cron job that runs this periodically and sends you an alert if a certificate is about to expire.
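To make the distinction above concrete (long-term signing key vs. short-lived certificate, and the "valid for the next N minutes" check that dnscrypt-proxy --test performs), here is an added example in Python. It is not code from jedisct1, dnscrypt-wrapper or dnscrypt-proxy. It assumes the certificate field layout of the public DNSCrypt protocol spec (magic "DNSC", es-version, minor version, 64-byte Ed25519 signature, 32-byte ephemeral resolver key, 8-byte client magic, serial, ts-start, ts-end, all big-endian). The sample certificates are constructed with a placeholder all-zero signature and a made-up resolver key; Ed25519 verification of the signed portion against the provider key needs libsodium or PyNaCl and is left out. The provider-key fingerprint parsed at the end is the one quoted in this issue.

```python
import struct
from dataclasses import dataclass

# DNSCrypt certificate layout (assumption: taken from the public DNSCrypt
# protocol spec; integers are big-endian):
#   magic "DNSC"(4) es_version(2) minor_version(2) signature(64)
#   resolver_pk(32) client_magic(8) serial(4) ts_start(4) ts_end(4)
# The Ed25519 signature (made with the long-term secret.key) covers every
# byte after the signature field.
CERT_MAGIC = b"DNSC"
CERT_STRUCT = struct.Struct(">4sHH64s32s8sIII")
CERT_LEN = CERT_STRUCT.size                   # 124 bytes
SIGNED_OFFSET = 4 + 2 + 2 + 64                # first byte covered by the signature
RECOMMENDED_LIFETIME = 24 * 3600              # rotation interval recommended by the spec
DNSCRYPT_WRAPPER_DEFAULT_LIFETIME = 365 * 24 * 3600   # dnscrypt-wrapper default


@dataclass(frozen=True)
class Cert:
    es_version: int
    signature: bytes
    resolver_pk: bytes      # ephemeral key produced by --gen-crypt-keypair
    client_magic: bytes
    serial: int
    ts_start: int
    ts_end: int

    @property
    def lifetime(self) -> int:
        return self.ts_end - self.ts_start


def parse_provider_key(fingerprint: str) -> bytes:
    """Decode the --provider-key fingerprint (16 colon-separated groups of
    4 hex digits) into the 32-byte long-term Ed25519 public key."""
    groups = fingerprint.split(":")
    if len(groups) != 16 or any(len(g) != 4 for g in groups):
        raise ValueError("provider key must be 16 groups of 4 hex digits")
    return bytes.fromhex("".join(groups))


def parse_cert(blob: bytes) -> Cert:
    """Parse the fixed 124-byte certificate body; trailing extensions are ignored."""
    if len(blob) < CERT_LEN:
        raise ValueError(f"certificate too short: {len(blob)} < {CERT_LEN}")
    magic, es, minor, sig, pk, cmagic, serial, start, end = CERT_STRUCT.unpack(blob[:CERT_LEN])
    if magic != CERT_MAGIC:
        raise ValueError("not a DNSCrypt certificate (bad magic)")
    if minor != 0:
        raise ValueError(f"unsupported protocol minor version {minor}")
    if end < start:
        raise ValueError("ts_end precedes ts_start")
    return Cert(es, sig, pk, cmagic, serial, start, end)


def signed_portion(blob: bytes) -> bytes:
    """Bytes an Ed25519 verifier must check against cert.signature and the
    provider public key (verification needs libsodium/PyNaCl; omitted here)."""
    return blob[SIGNED_OFFSET:CERT_LEN]


def valid_for(cert: Cert, now: int, minutes: int) -> bool:
    """The question `dnscrypt-proxy --test N` asks: valid now, and still
    valid N minutes from now?"""
    return cert.ts_start <= now and cert.ts_end >= now + minutes * 60


def exceeds_recommended_lifetime(cert: Cert) -> bool:
    """True for certificates issued with dnscrypt-wrapper's one-year default."""
    return cert.lifetime > RECOMMENDED_LIFETIME


def build_cert(resolver_pk: bytes, serial: int, ts_start: int, ts_end: int,
               es_version: int = 1, signature: bytes = bytes(64)) -> bytes:
    """Assemble a certificate body. The signature defaults to zeros because this
    constructed example has no long-term key; dnscrypt-wrapper fills it in."""
    return CERT_STRUCT.pack(CERT_MAGIC, es_version, 0, signature,
                            resolver_pk, resolver_pk[:8], serial, ts_start, ts_end)


if __name__ == "__main__":
    issued = 1_500_000_000
    pk = bytes(range(32))                     # constructed, not a real key
    year_cert = parse_cert(build_cert(pk, 1, issued, issued + DNSCRYPT_WRAPPER_DEFAULT_LIFETIME))
    day_cert = parse_cert(build_cert(pk, 2, issued, issued + RECOMMENDED_LIFETIME))
    for name, c in (("one-year (wrapper default)", year_cert), ("24h (rotated)", day_cert)):
        late = c.ts_end - 30 * 60             # 30 minutes before expiry
        print(f"{name}: serial={c.serial} exceeds 24h={exceeds_recommended_lifetime(c)} "
              f"valid for next 60 min at issue={valid_for(c, issued, 60)} "
              f"30 min before expiry={valid_for(c, late, 60)}")
    print(parse_provider_key("D421:E4B0:496A:28D7:8DB5:4CF2:18EA:931D:"
                             "3D78:A5B9:9602:A612:AD2B:95C9:EE6E:6004").hex())
```

Run as a script it prints both certificates' status; the important behaviour is that valid_for flips to False 30 minutes before ts_end when asked about the next 60 minutes, which is exactly the condition a cron job around dnscrypt-proxy --test 60 should alert on.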
I keep getting this error when I run my dnscrypt-proxy.
dnscrypt-proxy -a 127.0.0.1:55 -r 0.0.0.0:5334 --provider-name=2.dnscrypt-cert.nawala.org --provider-key=D421:E4B0:496A:28D7:8DB5:4CF2:18EA:931D:3D78:A5B9:9602:A612:AD2B:95C9:EE6E:6004
[NOTICE] Starting dnscrypt-proxy 1.4.1
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Unable to retrieve server certificates
[INFO] Refetching server certificates
Which certificate should I update?