ameshkov/dnscrypt

DNScrypt - lower the key validity period

bertusdebruin opened this issue · 3 comments

As discussed over here: AdguardTeam/AdGuardHome#6131
Please lower the default days as the key validity period for this server is excessively long (365 days).

Of course, it can be adjusted manually afterwards.
It seems to me a good idea to reduce the number of days, by default already significantly.
Thanks.

This default was chosen because the current implementation does not have a certificate rotation mechanism; the cert is only changed when you restart the server. This in turn will cause some trouble for the DNS client, as there's no clear signal for when the client needs to fetch the new certificate; basically, it now does that on every timeout error.

All in all, the task is much more complex than just changing a single constant.

As for the original claim that it reduces forward secrecy, I'd argue that the threat is a bit exaggerated.

> This default was chosen because the current implementation does not have a certificate rotation mechanism; the cert is only changed when you restart the server.

So, in other words, those 365 are actually a placebo: if the server runs for, say, 400 days, the certificate will not have been replaced, because it only does so on a server reboot. Is that correct?

If the server runs for longer than 365 days, the clients won't be able to establish a connection with it, since the cert will be expired.
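
Added example, not part of the thread and not code from ameshkov/dnscrypt: a Go monitoring check for the situation described above, where the certificate is only replaced on restart and clients fail once it expires. It reads `ts-start` and `ts-end` from a DNSCrypt v2 certificate and reports when a restart is due; the function names, the 30-day warning window and the sample certificate are assumptions, and the signature is not verified.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"time"
)

// DNSCrypt v2 certificate: "DNSC"(4) es-version(2) minor(2) signature(64)
// resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4) = 124 bytes.
const certMinLen = 124

// validity reads ts-start/ts-end (big-endian Unix seconds); no signature check.
func validity(raw []byte) (start, end time.Time, ok bool) {
	if len(raw) < certMinLen || string(raw[:4]) != "DNSC" {
		return start, end, false
	}
	s, e := binary.BigEndian.Uint32(raw[116:120]), binary.BigEndian.Uint32(raw[120:124])
	return time.Unix(int64(s), 0).UTC(), time.Unix(int64(e), 0).UTC(), e > s
}

// status classifies the cert at now; warn is the lead time to schedule a restart.
func status(raw []byte, now time.Time, warn time.Duration) string {
	_, end, ok := validity(raw)
	switch {
	case !ok:
		return "invalid"
	case !now.Before(end):
		return "expired" // clients can no longer connect
	case end.Sub(now) < warn:
		return "restart-soon" // a restart is the only rotation trigger
	}
	return "ok"
}

// sampleCert builds a constructed certificate with zeroed key and signature.
func sampleCert(start time.Time, days int) []byte {
	raw := append([]byte("DNSC"), make([]byte, certMinLen-4)...)
	binary.BigEndian.PutUint32(raw[116:120], uint32(start.Unix()))
	binary.BigEndian.PutUint32(raw[120:124], uint32(start.AddDate(0, 0, days).Unix()))
	return raw
}

func main() {
	t0 := time.Date(2023, 9, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	for _, up := range []int{30, 350, 400} {          // days since last restart
		fmt.Println(up, status(sampleCert(t0, 365), t0.AddDate(0, 0, up), 720*time.Hour))
	}
}
```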