Skip to content
Snippets Groups Projects
Select Git revision
  • manager-api-config-fix
  • tls-authority-whitelist
  • rfc-list
  • defer-hard-timeout
  • master default protected
  • nightly protected
  • root-fallback-addresses
  • ci-jobs-reorganization
  • manager-files-watchdog
  • dname_limiting
  • tmp/test-deckard
  • forward-tls-insecure
  • module-tunnel-filter
  • doh-stuck-status
  • module-filter
  • coverity protected
  • ci-docker-tests-update
  • kresctl-comp-config-levels
  • ci-pkg-suse
  • master-5 protected
  • v6.0.11 protected
  • v6.0.10 protected
  • v6.0.9 protected
  • v6.0.8 protected
  • v5.7.4 protected
  • v5.7.3 protected
  • v6.0.7 protected
  • v5.7.2 protected
  • v6.0.6 protected
  • v5.7.1 protected
  • v6.0.5 protected
  • v6.0.4 protected
  • v6.0.3 protected
  • v6.0.2 protected
  • v5.7.0 protected
  • v6.0.1 protected
  • v6.0.0a1 protected
  • v5.6.0 protected
  • v5.5.3 protected
  • v5.5.2 protected
40 results
Search by author
  • Any Author
  • Aleš Mrázek Aleš Mrázek amrazek
  • Anbang Wen Anbang Wen anb
  • Daniel Kahn Gillmor Daniel Kahn Gillmor dkg
  • Daniel Salzman Daniel Salzman dsalzman
  • David Vasek David Vasek dvasek
  • Frantisek Tobias Frantisek Tobias ftobias
  • Hynek Šabacký Hynek Šabacký hsabacky
  • Jakub Ružička Jakub Ružička jruzicka
  • Jan Hák Jan Hák jhak
  • Jan Pavlinec Jan Pavlinec jpavlinec
  • Jan Včelák Jan Včelák jvcelak
  • Josef Schlehofer Josef Schlehofer jschlehofer
  • Karel Koci Karel Koci kkoci
  • **** **** project_147_bot_77ab1cef2fcb058144e515dcc77e07a3
  • Ladislav Lhotka Ladislav Lhotka llhotka
  • Libor Peltan Libor Peltan lpeltan
  • Lukáš Ondráček Lukáš Ondráček londracek
  • Marek Vavrusa Marek Vavrusa vavrusam
  • Michal Hrusecky Michal Hrusecky mhrusecky
  • **** **** project_147_bot
20 authors
  1. Jan 06, 2017
    • Daniel Kahn Gillmor's avatar
      Use ephemeral X.509 credentials if none are configured · a405b874
      Daniel Kahn Gillmor authored 
      If kresd is configured to listen using TLS, but it has no credentials,
it should fall back to generating ephemeral credentials and using
them.

It stores the ephemerally-generated secret key in the same directory
as the cache, using the name "ephemeral_key.pem".  If the cache
persists, then the key will too, even if the daemon dies.  This means
that any set of daemons that share a cache will also share an
ephemeral secret key.

The ephemeral X.509 certificate that corresponds to the key will be
automatically generated (self-signed), will have a lifetime of about
90 days (matching Let's Encrypt policy).  The ephemeral cert is
never written to disk; it is always dynamically-generated by kresd.

This should make it very easy to get DNS-over-TLS working in
opportunistic mode.
      a405b874