1. 25 Jan, 2017 1 commit
  2. 16 Jan, 2017 1 commit
  3. 06 Jan, 2017 3 commits
    • Ondřej Surý's avatar
    • Ondřej Surý's avatar
      Kill if (0) { construct · 15a57ea3
      Ondřej Surý authored
    • Daniel Kahn Gillmor's avatar
      Use ephemeral X.509 credentials if none are configured · a405b874
      Daniel Kahn Gillmor authored
      If kresd is configured to listen using TLS, but it has no credentials,
      it should fall back to generating ephemeral credentials and using
      It stores the ephemerally-generated secret key in the same directory
      as the cache, using the name "ephemeral_key.pem".  If the cache
      persists, then the key will too, even if the daemon dies.  This means
      that any set of daemons that share a cache will also share an
      ephemeral secret key.
      The ephemeral X.509 certificate that corresponds to the key will be
      automatically generated (self-signed), will have a lifetime of about
      90 days (matching Let's Encrypt policy).  The ephemeral cert is
      never written to disk; it is always dynamically-generated by kresd.
      This should make it very easy to get DNS-over-TLS working in
      opportunistic mode.