This commit is contained in:
Hannes Mehnert 2019-12-23 22:59:18 +01:00
parent 05af012c49
commit 6dd54168e4


@ -319,7 +319,7 @@ For encoding of certificates, the DANE working group specified [TLSA](https://to
9. The primary pushes the certificate to git, notifies secondaries (which transfer the zone) 9. The primary pushes the certificate to git, notifies secondaries (which transfer the zone)
10. The service polls TLSA records for the hostname, and use it upon retrieval 10. The service polls TLSA records for the hostname, and use it upon retrieval
Note that neither the signing request nor the certificate contain private key material, thus it is fine to serve them publically. Note that neither the signing request nor the certificate contain private key material, thus it is fine to serve them publically. Please also note, that the service polls for the certificate for the hostname in DNS, which is valid (start and end date) certificate and uses the same public key, this certificate is used and steps 3-10 are not done.
The let's encrypt unikernel does not serve anything, it is a reactive system which acts upon notification from the primary. Thus, it can be executed in a private address space (with a NAT). Since the OCaml DNS server stack needs to push notifications to it, it preserves all incoming signed SOA requests as candidates for notifications on update. The let's encrypt unikernel ensures to always have a connection to the primary to receive notifications. The let's encrypt unikernel does not serve anything, it is a reactive system which acts upon notification from the primary. Thus, it can be executed in a private address space (with a NAT). Since the OCaml DNS server stack needs to push notifications to it, it preserves all incoming signed SOA requests as candidates for notifications on update. The let's encrypt unikernel ensures to always have a connection to the primary to receive notifications.
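Review bot: the sentence added to the "Note that neither the signing request nor the certificate..." paragraph does not parse as written ("which is valid (start and end date) certificate and uses the same public key, this certificate is used and steps 3-10 are not done"), so the early-exit condition it documents is unclear to a reader; suggest rewording along the lines of "Please also note that the service first polls DNS for an existing certificate for the hostname; if a certificate is found that is currently valid (start and end date) and uses the same public key, that certificate is used and steps 3-10 are skipped." It would also help to state explicitly which key "the same public key" is compared against (the key the service would otherwise put in its signing request), since that comparison is what makes reusing a DNS-published certificate safe. Unrelated to this change but in the same paragraph: "publically" should be "publicly", and step 10 reads "and use it upon retrieval" where "uses" is meant.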