
DNScrypt - lower the key validity period

Open bertusdebruin opened this issue 1 year ago • 3 comments

As discussed over here: https://github.com/AdguardTeam/AdGuardHome/issues/6131 Please lower the default days as the key validity period for this server is excessively long (365 days).

Of course, it can be adjusted manually afterwards. It seems to me a good idea to reduce the number of days, by default already significantly. Thanks.

bertusdebruin, Aug 23 '23 14:08

This default was chosen because the current implementation does not have a certificate rotation mechanism, the cert is only changed when you restart the server. This in turn will cause some troubles for the DNS client as there's no clear signal for when the client needs to fetch the new certificate, basically now it does that on every timeout error.

All in all, the task is much more complex than just changing a single constant.

As for the original claim that it reduces forward secrecy, I'd argue that the threat is a bit exaggerated.

ameshkov, Aug 25 '23 09:08

> This default was chosen because the current implementation does not have a certificate rotation mechanism, the cert is only changed when you restart the server.

So, in other words, those 365 are actually placebo: if the server runs for, say, 400 days, the certificate will not have been replaced, because it only does so on a server reboot. Is that correct?

bertusdebruin, Sep 13 '23 14:09

If the server runs for longer than 365 days, the clients won't be able to establish connection with it since the cert will be expired.

ameshkov, Sep 13 '23 15:09
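
The expiry behaviour described in the last reply can be watched for from the operator's side. The following is an added example, not code from AdGuard Home or the dnscrypt project: it reads the `ts-start`/`ts-end` fields of a DNSCrypt v2 certificate and flags it before clients start failing. The byte layout follows the DNSCrypt v2 protocol specification; `CertStatus` and `sampleCert` are hypothetical names, the sample certificate is constructed, and the 30-day warning threshold is an assumption.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"time"
)

// DNSCrypt v2 certificate: magic(4) es-version(2) minor(2) signature(64)
// resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4) = 124 bytes.
const certLen = 124

// CertStatus classifies a certificate's validity window at time now.
// The signature is not verified: this is expiry monitoring, not a trust check.
func CertStatus(cert []byte, now time.Time, warn time.Duration) (string, time.Time) {
	if len(cert) < certLen || string(cert[:4]) != "DNSC" {
		return "malformed", time.Time{}
	}
	notBefore := time.Unix(int64(binary.BigEndian.Uint32(cert[116:120])), 0).UTC()
	notAfter := time.Unix(int64(binary.BigEndian.Uint32(cert[120:124])), 0).UTC()
	switch {
	case !notAfter.After(notBefore):
		return "malformed", notAfter
	case now.Before(notBefore):
		return "not-yet-valid", notAfter
	case !now.Before(notAfter): // clients reject the cert from ts-end onwards
		return "expired", notAfter
	case notAfter.Sub(now) <= warn: // time to restart and issue a new cert
		return "expiring-soon", notAfter
	}
	return "ok", notAfter
}

// sampleCert builds a constructed certificate (zeroed signature, keys, serial).
func sampleCert(start time.Time, days int) []byte {
	c := make([]byte, certLen)
	copy(c, "DNSC")
	binary.BigEndian.PutUint32(c[116:], uint32(start.Unix()))
	binary.BigEndian.PutUint32(c[120:], uint32(start.AddDate(0, 0, days).Unix()))
	return c
}

func main() {
	start := time.Date(2023, 8, 23, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert := sampleCert(start, 365)
	for _, day := range []int{30, 350, 400} { // days of uninterrupted uptime
		status, notAfter := CertStatus(cert, start.AddDate(0, 0, day), 30*24*time.Hour)
		fmt.Printf("day %d: %s (ts-end %s)\n", day, status, notAfter.Format("2006-01-02"))
	}
}
```

With the 365-day default and no restart, the 400-day case from the thread is reported as `expired`, while a check run at day 350 gives the operator a warning window.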