mirror of
https://github.com/hickory-dns/hickory-dns.git
synced 2026-04-25 11:15:54 +03:00
[GH-ISSUE #2718] Feature Request: Allow live change of certificates #1047
Labels
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/hickory-dns#1047
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @msrd0 on GitHub (Jan 11, 2025).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2718
Is your feature request related to a problem? Please describe.
I am running a
crab-holeserver that useshickory-serverfor its DNS server. Yesterday my phone refused to connect to my DNS and the reason turned out to be that the certificate that was loaded during startup had expired and the server had not loaded the updated certificate from the file.Looking at the API of
ServerFuture, it seems the certificate and private key are passed to the server during startup and are immutable thereafter.Describe the solution you'd like
I would like to have a way to update the certificates used by the running server. This could either be done by having the
register_xxx_listenerfunctions taking something that can be mutated, e.g. anArc<Mutex<_>>or a trait that can accept either the current type or a mutable type, or by adding functions that can be called after the server has started to provide new certificates for a certain listener.Describe alternatives you've considered
The alternative is restarting the whole server, thereby stopping unaffected listeners as well, so less ideal.
@djc commented on GitHub (Jan 11, 2025):
It looks we have API to provide a ServerConfig directly at least for DoT (but not DoH2/3 and DoQ). That could be used to implement a custom rustls ResolvesServerCert impl which holds a PathBuf and an RwLock. However, I don't think it would necessarily make sense for such an impl to live in HickoryDNS. Maybe the way forward is to contribute a utility impl to rustls and extend the ServerFuture configuration to allow ServerConfigs for all 4 protocols? Would you be able to contribute some of this stuff?
@msrd0 commented on GitHub (Jan 11, 2025):
So if I understand you correctly, you suggest that we add the option to hickory to specify the
cert_resolver: Arc<dyn ResolvesServerCert>for rustlsServerConfigfor all the supported listeners? Which part exactly do you think should live in rustls?@msrd0 commented on GitHub (Jan 11, 2025):
I've implemented a basic solution based on a trait for the tls listener here:
github.com/msrd0/trust-dns@0475cfcf36Does this look roughly like what you had in mind?
@djc commented on GitHub (Jan 11, 2025):
Not really.
I think it could make sense to pass
Arc<dyn ResolvesServerCert>to the listeners, instead of just the(Vec<CertificateDer<'_>>, PrivateKeyDer<'_>). We don't need to keep compatibility, so I'd prefer to avoid the indirection and just change the registration methods directly.An implementation of
ResolvesServerCertthat contains twoPathBufs and periodically refreshes the certificate chain and private key from disk.