Comments (6)
from dnscrypt-wrapper.
Seems reasonable. I will update the docs first, suggesting that users generate short-term key pairs and use a key-rotation mechanism.
from dnscrypt-wrapper.
Use of ephemeral keys could possibly be used as a template as seen here: https://dnscrypt.is (d0wn's Icelandic servers).
from dnscrypt-wrapper.
Docs were updated in #113. I am not going to change the default value of --cert-file-expire-days, because it may violate user expectations.
from dnscrypt-wrapper.
@cofyc User expectation is safe default settings. The protocol specification has always recommended to keep/use a key for no more than 24 hours (comment here). The problem is between you and the people who created dnscrypt - not the users. The creators of dnscrypt put a warning into the code that you choose to ignore. You think you know better than the creators of dnscrypt? Users depend on your default settings to be safe, so if something bad happens they will blame you, not dnscrypt, as you don't use recommended defaults!!! I will definitely not use a service that has 1 key for 365 days, because if it is compromised all the data of <=365 days is harvested!
Wikipedia article
@X8716e Ephemeral keys use too much CPU on a standard OpenWrt router, and https://dnscrypt.is does not have a 24h key rotation, so I am not going to use it.
from dnscrypt-wrapper.
Thanks a lot. Now let's hope more of the servers will implement it. Nice that jedisct1 is running one in France.
from dnscrypt-wrapper.