Diffstat (limited to 'network/dnscrypt-wrapper/README.Slackware')
-rw-r--r-- network/dnscrypt-wrapper/README.Slackware | 22
1 files changed, 20 insertions, 2 deletions
diff --git a/network/dnscrypt-wrapper/README.Slackware b/network/dnscrypt-wrapper/README.Slackware
index 0c162404a3e14..b302317d46091 100644
--- a/network/dnscrypt-wrapper/README.Slackware
+++ b/network/dnscrypt-wrapper/README.Slackware
@@ -24,10 +24,28 @@ keys, and a provider certificate. These can all be generated manually (see
automatically by configuring /etc/default/dnscrypt-wrapper and running
/etc/rc.d/rc.dnscrypt-wrapper generate-keys
+ /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys
/etc/rc.d/rc.dnscrypt-wrapper generate-cert
-You will need to note the provider key fingerprint(s) when running that
-command, since clients will need it for verification.
+You will need to note the provider key fingerprint(s) and/or stamp(s) when
+running that command, since clients will need them for
+identification/verification. Automatically generated keys have a 24-hour expiry
+period by default. Unless you change this to something longer in
+/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation
+mechanism to automatically update the encryption key and certificate. This can
+be done by running
+
+ /etc/rc.d/rc.dnscrypt-wrapper rotate-keys
+
+This command backs up the old key/cert, creates a new key/cert, and restarts a
+running server to support both old and new key/cert. Since clients typically
+fetch new certificates hourly, support for the old key/cert should be removed
+an hour after the keys are rotated by restarting the server:
+
+ /etc/rc.d/rc.dnscrypt-wrapper restart
+
+Typically one cron job, run daily, would rotate the keys, and another, run an
+hour later, would restart the server.
In order for clients to forward queries through dnscrypt-wrapper, they will
need to run dnscrypt-proxy configured to connect to the server running
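Review bot: The rotation schedule in the added paragraph (lines "Typically one cron job, run daily, would rotate the keys...") does not say that the daily rotate-keys job has to run with a margin before the 24-hour expiry stated earlier in the hunk; if the job fires at or after the expiry point, clients that fetch certificates hourly can hold an already-expired certificate until their next fetch. Suggest adding one sentence such as "Schedule the rotation well inside the expiry period (for example a few hours before) so the old certificate never expires before clients have fetched the new one," and, since the text mentions cron jobs but shows none, consider showing the two crontab lines (rotate-keys, then restart one hour later) as the README already does for the other commands. It would also help to state in one sentence how the plain `restart` an hour later differs from the restart performed by `rotate-keys`, i.e. that the former starts the server with the current key/cert only and thereby drops support for the backed-up one, since the hunk currently leaves the reader to infer this.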