Hello, With dnsdist v2.0.0 alpha1, loading new certificates fails in the maintenance function when two dnscrypt binds are configured, but it works when loading the new certificate for a single dnscrypt bind. This dnscrypt cert rotation config is derived from the dnsdist regression test example, which also shows the error when using two dnscrypt binds.
https://github.com/PowerDNS/pdns/blob/master/regression-tests.dnsdist/test_DNSCrypt.py
This configuration is working with dnsdist v1.9.8

systemctl status dnsdist.service
Apr 16 00:27:09 draco dnsdist[2530499]: Error during execution of maintenance function(s): [string "chunk"]:33: Caught exception: Error adding a new certificate: we already have a certificate with the same serial
Apr 16 00:27:09 draco dnsdist[2530499]: stack traceback:
Apr 16 00:27:09 draco dnsdist[2530499]: [C]: in function 'loadNewCertificate'
Apr 16 00:27:09 draco dnsdist[2530499]: [string "chunk"]:33: in function <[string "chunk"]:27>

My dnsdist dnscrypt configuration, modified to issue a new certificate every five seconds:
I am using a vps running Debian 12 Bookworm

-- dnsdist 2.0.0 alpha1 testing dnscrypt config
-- mkdir /var/lib/dnsdist
-- write the initial serial (1) to /var/lib/dnsdist/serial
-- chown -R _dnsdist:_dnsdist /var/lib/dnsdist

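-- Restore the last certificate serial from disk. The file must already exist
-- (see the setup steps above) and contain a number; failing here at startup
-- gives a clear message instead of a later "arithmetic on a nil value" when
-- maintenance() does `serial + 1`.
local f = assert(io.open("/var/lib/dnsdist/serial", "r"))
local serial = assert(f:read("*n"), "/var/lib/dnsdist/serial does not contain a number")
f:close()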

-- Plain-DNS listeners on loopback only, and an ACL that accepts queries from
-- any source address. Nothing in this snippet rate-limits clients.
setLocal('127.0.0.1:5353')
addLocal('[::1]:5353')
setACL({ '0.0.0.0/0', '::/0' })

-- DNSCrypt provider key pair and the first certificate (12h validity,
-- backdated 60s for clock skew), issued with the serial restored from disk.
-- NOTE(review): generateDNSCryptProviderKeys runs on every config load with the
-- same paths, so the provider public key that clients pin appears to be
-- replaced at each restart -- confirm before using this outside a test.
local PROVIDER_PUB = '/var/lib/dnsdist/providerPublic.key'
local PROVIDER_KEY = '/var/lib/dnsdist/providerPrivate.key'
local CERT = '/var/lib/dnsdist/resolver.cert'
local CERT_KEY = '/var/lib/dnsdist/resolver.key'
generateDNSCryptProviderKeys(PROVIDER_PUB, PROVIDER_KEY)
generateDNSCryptCertificate(PROVIDER_KEY, CERT, CERT_KEY, serial,
                            os.time() - 60, os.time() + 43200,
                            DNSCryptExchangeVersion.VERSION2)

-- Two DNSCrypt binds sharing one certificate file; they are later addressed
-- as getDNSCryptBind(0) and (1), presumably in order of addition (IPv4 first).
local PROVIDER_NAME = '2.dnscrypt-cert.draco.plan9dns.com'
for _, addr in ipairs({ '0.0.0.0:8443', '[::]:8443' }) do
  addDNSCryptBind(addr, PROVIDER_NAME, CERT, CERT_KEY,
                  { maxConcurrentTCPConnections = 250 })
end

-- downstream resolver
newServer({ address = '127.0.0.1:53', name = 'pdns-recursor', qps = 0, pool = '' })
-- `pc` is left global as in the original (presumably so it can be inspected
-- from the console).
pc = newPacketCache(250000, { maxTTL = 86400, minTTL = 0, temporaryFailureTTL = 60,
                              staleTTL = 60, dontAge = false })
getPool(''):setCache(pc)

-- dnscrypt cert rotation
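-- A five-second interval only makes sense for this test; dnsdist calls
-- maintenance() on its own schedule (roughly once per second).
local ROTATE_INTERVAL = 5
local last = 0

--- Issue a fresh DNSCrypt certificate with the next serial and load it into
-- both binds. Invoked periodically by dnsdist; takes no parameters and returns
-- nothing. Any error raised inside is reported by dnsdist as
-- "Error during execution of maintenance function(s)".
function maintenance()
  local now = os.time()
  if (now - last) <= ROTATE_INTERVAL then
    return
  end
  -- Record this run before doing anything that can throw: in the original
  -- order a failing loadNewCertificate left `last` untouched, so the rotation
  -- was retried on every tick, burning a serial each time.
  last = now
  serial = serial + 1

  -- Persist the serial before it is used, so a restart never restores a
  -- value lower than one already handed to a bind.
  local f = assert(io.open("/var/lib/dnsdist/serial", "w"))
  f:write(serial)
  f:close()

  generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key",
                              "/var/lib/dnsdist/resolver.cert",
                              "/var/lib/dnsdist/resolver.key",
                              serial, now - 60, now + 43200,
                              DNSCryptExchangeVersion.VERSION2)

  -- Both binds receive the same certificate file. With 2.0.0 alpha1 the
  -- traceback's chunk line 33 is consistent with the second call being the one
  -- that raises "we already have a certificate with the same serial"; a single
  -- bind works.
  for bind = 0, 1 do
    getDNSCryptBind(bind):loadNewCertificate("/var/lib/dnsdist/resolver.cert",
                                              "/var/lib/dnsdist/resolver.key")
  end
end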

-- enable local control socket
-- The console listens on loopback only, so only local users can reach it; the
-- shared key still gates every console command. Use a value produced by
-- makeKey() rather than a placeholder, and keep it out of posts and repos.
local CONTROL_ADDR = '127.0.0.1:5199'
local CONTROL_KEY = "password="
controlSocket(CONTROL_ADDR)
setKey(CONTROL_KEY)

Best regards,
Jason Long
https://github.com/jlongua/plan9-dns
