Skip to content

Commit 42a8806

Browse files
ignoramousignoramous
committed
readme: psk setup instr
1 parent f3441df commit 42a8806

1 file changed

Lines changed: 24 additions & 1 deletion

File tree

README.md

Lines changed: 24 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -160,6 +160,29 @@ curl 'https://max.rethinkdns.com/genaccesskey?key='"$msgkey"'&dom='"$domain"
160160
# {"accesskey":["my-serverless-dns-domain.tld|deadbeefd3adb33fa2bb33fd3eadf084beef3b152beefdead49bbb2b33fdead83d3adbeefdeadb33f"],"context":"sdns-public-auth-info"}
161161
```
162162

163+
serverless-dns also support TLS PSK ciphersuites when env var `TLS_PSK` is set to hex or base64 of randomly generated 64 bytes. Works only on cloud deployments that terminate their own TLS (like on Fly.io).
164+
165+
#### TLS PSK
166+
167+
The PSK server-hint sent to the TLS 1.2 clients is [psk.js:serverid (`888811119999`)](https://github.com/serverless-dns/serverless-dns/blob/1c75b95c2ab6/src/core/psk.js#L11).
168+
169+
*Static PSK*: TLS 1.2 clients must set client-hint to [psk.js:fixedID64 (`790bb453...ffae2452`)](https://github.com/serverless-dns/serverless-dns/blob/1c75b95c2ab6/src/core/psk.js#L14-L20). The static pre-shared key is then derived from `hkdf(key, id)` where `key` is itself `hkdf(seed, ctx, salt)`:
170+
- `seed` is env var `TLS_PSK` converted to bytes from base64 or hex.
171+
- `ctx` is utf-8 encoding of string `pskkeyfixedderivationcontext`.
172+
- `salt` is fixed to [`44f402e7...91a6e3ce`](https://github.com/serverless-dns/serverless-dns/blob/1c75b95c2ab6/src/core/psk.js#L21-L27) converted to bytes.
173+
- `id` is the static client-hint (`790bb453...ffae2452`) converted to bytes.
174+
175+
*Dynamic PSK*: To dynamically generate PSK identity and key (derived from env var `TLS_PSK`), invoke `<my-domain.tld>/gentlspsk`. The returned credentials are valid as long as `TLS_PSK` is unchanged:
176+
177+
```js
178+
{
179+
// 64 hex chars; id is to be used as-is as the psk client identity.
180+
"id":"43dc2df4...6d332545",
181+
// 128 hex chars; convert to 64-length byte array to use as psk shared secret.
182+
"psk":"ebc9ab07...03629dd4"
183+
}
184+
```
185+
163186
#### Logs and Analytics
164187

165188
serverless-dns can be setup to upload logs via Cloudflare *Logpush*.
@@ -226,7 +249,7 @@ TLS_OFFLOAD="true"
226249
# OR: base64 representation of both key (private) and cert (public chain)
227250
TLS_CERTKEY="KEY=b64_key_content\nCRT=b64_cert_content"
228251
# OPTIONALLY: use TLS with PSK ciphers (also permits domain fronting)
229-
TLS_PSK="random-hex-or-base64(64bytes)"
252+
TLS_PSK="hex-or-base64(cryptographically-secure-random-64bytes)"
230253
# OPTIONALLY: set TLS_ALLOW_ANY_SNI to true to permit domain fronting
231254
TLS_ALLOW_ANY_SNI="true"
232255
```

0 commit comments

Comments
 (0)