Planned Service Outage for Certificate Regeneration on 21-OCT-2014 (completed)


UPDATE (21-OCT-2014 04:06 CEST, 02:06 UTC): The certificate has now been renewed and the services were restarted in less than 1 minute. Restart your clients, or let them wait up to 1 hour to pick up the change. In case of issues, write to support@dnscrypt.pl or tweet at @dnscryptpl.

The current DNSCrypt Poland certificate expires on 22-OCT-2014. I have already generated a new certificate with a 5-year validity and will switch to it on 21-OCT-2014 at 04:00 CEST (02:00 UTC). Read on carefully, because the switch involves an outage.

The switch itself takes less than a minute, but depending on the state of your client you may see up to 1 hour of outage. It's not me, it's how dnscrypt-proxy works. I got in touch with Frank Denis (@jedisct1) about making this as smooth as possible and it seems it's not feasible to make it a non-issue at this moment.

When I switch to the new certificate, your client software (dnscrypt-proxy) may still be using the old certificate, and the short-term resolver key it carries, so the queries it sends will be rejected by our resolver. Luckily dnscrypt-proxy refetches the server certificate every 60 minutes, so depending on where you are in that 60-minute cycle your wait will range from a few seconds to 60 minutes. The cycle is counted from the moment dnscrypt-proxy was started, so what you need to know is how long your daemon has been running, e.g.:

$ ps aux | grep dnscrypt-proxy
dc        6588  0.0  0.0  25352  1792 ?        SLs   Oct17   8:37 dnscrypt-proxy -d -a [::1]:2053 -R soltysiak

Note that the TIME column above (8:37) is accumulated CPU time, not running time, and for a process older than a day the START column shows only the date, so this line alone does not tell you where the daemon is in its cycle; ask ps for the elapsed running time instead (its etime field). If that shows the daemon has been up for 8 hours and 37 minutes at the moment of the switch, it is 37 minutes into its current cycle and will refetch the certificate after 60-37 = 23 minutes. Or simply restart it, which makes it fetch the new certificate straight away.

If you have servers or users that will not tolerate an outage, I encourage you to schedule a one-time restart of the daemon for 21-OCT-2014 at 04:05 CEST (02:05 UTC), 5 minutes after the switch, or to use a different provider for the duration of the switch.
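The cycle arithmetic from the previous paragraphs, and the one-time restart, as an added shell example that is not part of the original post. It reads the daemon's elapsed running time in the format ps prints for its etime field, assumes the 60-minute refetch timer runs from the moment the daemon was started, and assumes `service dnscrypt-proxy restart` is the right restart command for your system (adjust it to your init system). The etime values at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Computes how long a running
# dnscrypt-proxy 1.x will wait before refetching the server certificate, from
# the daemon's elapsed running time (the ps "etime" field; the TIME column of
# "ps aux" is CPU time and is not usable for this), assuming the 60-minute
# refetch timer runs from the moment the daemon was started.

REFETCH_MINUTES=60

# Strip leading zeros so that "08" is not read as an invalid octal number
# by the shell's arithmetic expansion.
dec() {
    printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# Convert a ps(1) etime value to seconds. Accepted forms:
# "MM:SS", "HH:MM:SS" and "D-HH:MM:SS" (surrounding spaces are ignored).
etime_to_seconds() {
    e=$(printf '%s' "$1" | tr -d ' ')
    days=0
    case "$e" in
        *-*) days=$(dec "${e%%-*}"); e=${e#*-} ;;
    esac
    case "$e" in
        *:*:*) ;;
        *:*)   e="0:$e" ;;
        *)     e="0:0:$e" ;;
    esac
    h=$(dec "${e%%:*}")
    rest=${e#*:}
    m=$(dec "${rest%%:*}")
    s=$(dec "${rest#*:}")
    echo $(( days * 86400 + h * 3600 + m * 60 + s ))
}

# Minutes until the next certificate refetch for a daemon with the given etime,
# i.e. the length of the outage if the switch happens right now.
minutes_until_refetch() {
    secs=$(etime_to_seconds "$1")
    into_cycle=$(( (secs / 60) % REFETCH_MINUTES ))
    echo $(( REFETCH_MINUTES - into_cycle ))
}

# Same, for a live process: reads etime from ps. Usage: minutes_until_refetch_pid 6588
minutes_until_refetch_pid() {
    minutes_until_refetch "$(ps -o etime= -p "$1")"
}

# Schedule a one-time restart with at(1). The argument is a POSIX at -t
# timestamp in local time, e.g. 201410210405 for 21-OCT-2014 04:05 CEST.
# The restart command is an assumption; use what your init system expects.
schedule_restart() {
    echo 'service dnscrypt-proxy restart' | at -t "$1"
}

# Constructed samples: a daemon up for 8 h 37 min 12 s at switch time waits
# 23 minutes; one that is exactly at the start of a cycle waits a full hour.
minutes_until_refetch "08:37:12"    # 23
minutes_until_refetch "2-00:00:30"  # 60
```

Run `minutes_until_refetch_pid <pid>` at the time of the switch (or shortly before, subtracting the remaining minutes) to decide whether a restart is worth it; `schedule_restart 201410210405` queues the restart described above.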

TL;DR

The DNSCrypt certificate will change to a 5-year one on 21-OCT-2014 at 04:00 CEST (02:00 UTC). The provider public key remains the same, so nothing in your client configuration (provider key or resolver list entry) needs to change; only the certificate, which clients fetch automatically, is replaced.

It will happen during the period of lowest traffic, and your servers, routers and users should pick it up within 60 minutes of the change.

If you can't tolerate a DNS outage, schedule a restart on 21-OCT-2014 at 04:05 CEST (02:05 UTC), or use a different provider for the time being and switch back afterwards.

UPDATE: Completed Successfully!
