policy.TLS_FORWARD should hold open a connection

I have an example kresd instance configured with the following policy:

policy.add(policy.all(policy.TLS_FORWARD({{'9.9.9.9', hostname="dns.quad9.net", ca_file="/etc/ssl/certs/ca-certificates.crt"}})))

If I make one request to this local kresd instance, it sets up the TLS session to quad9, exchanges traffic with it, and then (about 2 seconds later) it tears down the connection to quad9. TLS session creation and teardown is pretty high overhead, and the quad9 servers tolerate significantly longer periods of idle time.

Barring a good reason for early teardown, a forwarding client should hold open a session for at least 20 seconds -- but this should probably also be an adjustable configuration for a forwarder as different forwarders may have different policies.

Note that the configuration choice for timeout for kresd as a client forwarding over TLS should be distinct from the configuration choice for the delay tolerated by kresd when operating as a TLS listener.
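A way to measure the behaviour described above from the outside, as an added example that is not part of this issue and not Knot Resolver code: poll `ss -tn` (Linux iproute2) once per second, track how long each established socket to port 853 (DNS over TLS) stays up, and report any that vanished before a configurable hold time (20 seconds, the figure proposed in the issue). The `ss` column layout, the port-853 filter and the embedded polls are assumptions; the sample polls are constructed, not captured from a real host, and are shaped to reproduce the roughly two-second teardown the report describes.

```python
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -tn` output, polled once per second (not captured
# from a real host). The TLS-forward connection to 9.9.9.9:853 is present in
# the first two polls and gone by the third, matching the ~2 s teardown the
# issue describes. The ssh connection is there only to show filtering by port.
HEADER = "State  Recv-Q Send-Q Local Address:Port   Peer Address:Port\n"
TLS_LINE = "ESTAB  0      0      192.0.2.10:43210     9.9.9.9:853\n"
SSH_LINE = "ESTAB  0      0      192.0.2.10:51000     192.0.2.1:22\n"
SAMPLE_POLLS: List[Tuple[float, str]] = [
    (0.0, HEADER + TLS_LINE + SSH_LINE),
    (1.0, HEADER + TLS_LINE + SSH_LINE),
    (2.0, HEADER + SSH_LINE),
    (3.0, HEADER + SSH_LINE),
]

# One `ss -tn` data row: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
# The header row does not match because "Recv-Q" is not a number.
ROW_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")


def port_of(addr: str) -> str:
    # Works for "1.2.3.4:853" and "[2620:fe::fe]:853" alike.
    return addr.rsplit(":", 1)[-1]


def established_to_port(ss_output: str, port: int = 853) -> Set[str]:
    """Return 'local->peer' keys of ESTAB sockets whose peer port is `port`."""
    found: Set[str] = set()
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("state") == "ESTAB" and port_of(m.group("peer")) == str(port):
            # Key on both ends so a re-dial from a new local port counts as a new session.
            found.add(f"{m.group('local')}->{m.group('peer')}")
    return found


def session_lifetimes(polls: List[Tuple[float, str]], port: int = 853) -> Dict[str, float]:
    """Seconds between the first and last poll in which each connection was seen.

    This is a lower bound on the real lifetime, limited by the poll interval.
    """
    first: Dict[str, float] = {}
    last: Dict[str, float] = {}
    for t, out in polls:
        for key in established_to_port(out, port):
            first.setdefault(key, t)
            last[key] = t
    return {k: last[k] - first[k] for k in first}


def early_teardowns(polls: List[Tuple[float, str]], min_hold: float = 20.0,
                    port: int = 853) -> List[str]:
    """Connections that disappeared before `min_hold` seconds (20 s per the issue).

    A connection still present in the final poll has not been torn down yet, so
    it is never reported, however short its observed lifetime so far.
    """
    if not polls:
        return []
    still_open = established_to_port(polls[-1][1], port)
    return sorted(
        k for k, life in session_lifetimes(polls, port).items()
        if k not in still_open and life < min_hold
    )


def poll_ss_once() -> str:
    """Run the real `ss -tn`; assumes Linux iproute2 is installed on the host."""
    return subprocess.run(["ss", "-tn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("early teardowns in constructed sample:", early_teardowns(SAMPLE_POLLS))
```

To check a live kresd, replace `SAMPLE_POLLS` with a list built by calling `poll_ss_once()` every second (recording `time.monotonic()` alongside each output) while sending a single query to the resolver; any key printed by `early_teardowns` is a forwarding session that was closed sooner than the hold time you expect.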