diff options
Diffstat (limited to 'network/dnscrypt-wrapper/README.Slackware')
-rw-r--r-- | network/dnscrypt-wrapper/README.Slackware | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/network/dnscrypt-wrapper/README.Slackware b/network/dnscrypt-wrapper/README.Slackware index 0c162404a3e14..b302317d46091 100644 --- a/network/dnscrypt-wrapper/README.Slackware +++ b/network/dnscrypt-wrapper/README.Slackware @@ -24,10 +24,28 @@ keys, and a provider certificate. These can all be generated manually (see automatically by configuring /etc/default/dnscrypt-wrapper and running /etc/rc.d/rc.dnscrypt-wrapper generate-keys + /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys /etc/rc.d/rc.dnscrypt-wrapper generate-cert -You will need to note the provider key fingerprint(s) when running that -command, since clients will need it for verification. +You will need to note the provider key fingerprint(s) and/or stamp(s) when +running that command, since clients will need them for +identification/verification. Automatically generated keys have a 24-hour expiry +period by default. Unless you change this to something longer in +/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation +mechanism to automatically update the encryption key and certificate. This can +be done by running + + /etc/rc.d/rc.dnscrypt-wrapper rotate-keys + +This command backs up the old key/cert, creates a new key/cert, and restarts a +running server to support both old and new key/cert. Since clients typically +fetch new certificates hourly, support for the old key/cert should be removed +an hour after the keys are rotated by restarting the server: + + /etc/rc.d/rc.dnscrypt-wrapper restart + +Typically one cron job, run daily, would rotate the keys, and another, run an +hour later, would restart the server. In order for clients to forward queries through dnscrypt-wrapper, they will need to run dnscrypt-proxy configured to connect to the server running |