How key rotation is automated

2 Comments

Here’s a follow-up to the post about dnscrypt key rotation, the fact that some people have asked me about it, as well as this dnscrypt-proxy warning:

The key rotation period for this server may exceed the recommended value.
This is bad for forward secrecy.

First fact is that dnscrypt-proxy will warn if the certificate expiry is more than 24h (86400 seconds) from now. This is value is hardcoded as CERT_RECOMMENDED_MAX_KEY_ROTATION_PERIOD. The reasoning is that if the certificate is long lived it is easier for an adversary to record DNSCrypt traffic, crack or obtain the secret key material and ultimately decrypt your traffic. This means that the gain from that is limited to the lifetime of the certificate, therefore it’s best to limit exposure in worst case to a much smaller, yet, still reasonable time span. Sadly, dnscrypt-wrapper by default generates certificate for 360 days.

Anyway, the guidance for dnscrypt-proxy service maintainers is as follows:

  1. When generating your cert file use –cert-file-expire-days=1
  2. Run your daemons, but automate rotation of keys using a script. There is a very handy script in the docker image:
    https://github.com/jedisct1/dnscrypt-server-docker/blob/master/dnscrypt-wrapper.sh
  3. Ensuring the paths are correct, I invoke the above script from another script I have which find out the PIDs of all running dnscrypt-proxy daemons, starts the wrapper, and when that is done, kills the previous daemons.
cd /opt/dnscrypt-wrapper/sbin
pids=`ps ax|egrep "dnscrypt-wrapper.*provider-name" | grep -v grep | awk ' { print $1 }'`
echo Starting a new Wrapper
./dnscrypt-wrapper.sh
echo Sleeping
sleep 6
echo Killing
if [ "$pids" != "" ]; then
        kill -9 $pids
        echo Done! Result: $?
else
        echo Done! Starting
fi

2 Responses to “How key rotation is automated”

  1. Yon

    You forgot a “fi” at the end.

    Thanks for the guide.

  2. Maciej Soltysiak

    Corrected, thanks and you’re welcome :-)

Leave a Reply