-
If kresd is configured to listen using TLS, but it has no credentials, it should fall back to generating ephemeral credentials and using them. It stores the ephemerally-generated secret key in the same directory as the cache, using the name "ephemeral_key.pem". If the cache persists, then the key will too, even if the daemon dies. This means that any set of daemons that share a cache will also share an ephemeral secret key. The ephemeral X.509 certificate that corresponds to the key will be automatically generated (self-signed), will have a lifetime of about 90 days (matching Let's Encrypt policy). The ephemeral cert is never written to disk; it is always dynamically-generated by kresd. This should make it very easy to get DNS-over-TLS working in opportunistic mode.
a405b874