mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-09-24 22:48:36 -04:00

This needs to be configured by specific services to have any effect. For now, we're only enabling it for the PowerDNS Authoritative Server and dnsdist since it's recommended by RFC 9210 and actively used by various recursive resolver servers when falling back to TCP. TCP Fast Open is rarely used from end user devices due to it enabling tracking and having issues with middleboxes. We aren't going to start using it anywhere in GrapheneOS but may have more server-side uses for it. This functionality is built into QUIC without the same downsides but QUIC support in the software we use is not ready for us to enable it, especially the very primitive support in nginx. For most servers, a new random TCP Fast Open key is created on a daily basis and the previous key continues to be accepted. For DNS servers, the new key is generated via a keyed hash of the current date in order to keep it consistent across servers providing an anycast IP without it needing regular synchronization.
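The rotation logic the unit below invokes is not on this page, so here is an added example of what a `tcp-fastopen-rotate-keys` script can look like (it is not the GrapheneOS script, whose contents are not shown here). It implements both rotation modes the text describes: a fresh random key for stand-alone servers, with the previous primary kept as the backup key, and a date-derived key for anycast DNS servers, computed as an HMAC-SHA256 of the UTC date under a shared secret so every node derives the same key without synchronizing. Assumptions: the secret lives at `/etc/tcp-fastopen-secret`, keys are written to `/proc/sys/net/ipv4/tcp_fastopen_key` in the kernel's `primary[,backup]` format (two keys need Linux 5.4 or newer), and `openssl` and GNU `date` are available.

```shell
#!/bin/sh
# Added example, not the GrapheneOS script: rotate Linux TCP Fast Open keys.
set -eu

# Assumed paths (not from the page); the secret is one line of random bytes, mode 0600.
TFO_SECRET_FILE="${TFO_SECRET_FILE:-/etc/tcp-fastopen-secret}"
TFO_SYSCTL="${TFO_SYSCTL:-/proc/sys/net/ipv4/tcp_fastopen_key}"

# keyed_hash SECRET MESSAGE -> 64 hex chars (HMAC-SHA256 via openssl).
keyed_hash() {
    if command -v openssl >/dev/null 2>&1; then
        printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
    else
        # Fallback when openssl is missing: SHA-256 over secret:message.
        # Not a true HMAC; only tolerable because the message is a fixed-shape date.
        printf '%s:%s' "$1" "$2" | sha256sum | awk '{print $1}'
    fi
}

# format_key HEX -> first 16 bytes as xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx,
# the form the tcp_fastopen_key sysctl expects for one key.
format_key() {
    printf '%s-%s-%s-%s\n' \
        "$(printf '%s' "$1" | cut -c1-8)" \
        "$(printf '%s' "$1" | cut -c9-16)" \
        "$(printf '%s' "$1" | cut -c17-24)" \
        "$(printf '%s' "$1" | cut -c25-32)"
}

# tfo_key_for_date SECRET YYYY-MM-DD -> deterministic key for that day.
# Every anycast node holding SECRET computes the same value.
tfo_key_for_date() {
    format_key "$(keyed_hash "$1" "tfo-key:$2")"
}

# tfo_key_pair SECRET TODAY YESTERDAY -> "today_key,yesterday_key": today's key
# is primary, yesterday's stays accepted as backup so cookies issued before the
# rotation keep working.
tfo_key_pair() {
    printf '%s,%s\n' "$(tfo_key_for_date "$1" "$2")" "$(tfo_key_for_date "$1" "$3")"
}

# random_tfo_key -> a fresh random key for servers that do not share an anycast IP.
random_tfo_key() {
    format_key "$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')"
}

# rotate_pair NEW CURRENT -> "NEW,old_primary". CURRENT is the sysctl's present
# value ("primary" or "primary,backup"); the old primary becomes the backup and
# the old backup is dropped, so at most two keys are ever accepted.
rotate_pair() {
    prev=${2%%,*}
    if [ -z "$prev" ]; then
        printf '%s\n' "$1"
    else
        printf '%s,%s\n' "$1" "$prev"
    fi
}

# Only act when invoked with a mode argument, so the functions can be sourced.
case "${1:-}" in
    --dated)   # anycast DNS servers: keyed hash of the date, needs GNU date
        secret=$(cat "$TFO_SECRET_FILE")
        tfo_key_pair "$secret" "$(date -u +%Y-%m-%d)" "$(date -u -d yesterday +%Y-%m-%d)" \
            > "$TFO_SYSCTL" ;;
    --random)  # everything else: random key, keep the previous primary as backup
        rotate_pair "$(random_tfo_key)" "$(cat "$TFO_SYSCTL")" > "$TFO_SYSCTL" ;;
esac
```

Run daily from the oneshot unit as `tcp-fastopen-rotate-keys --dated` on the DNS hosts and `--random` elsewhere; the `UMask=0077` in the unit matters mostly for the random mode if the key is ever persisted to disk rather than only written to the sysctl.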
7 lines
130 B
Desktop File
[Unit]
Description=Rotate TCP Fast Open keys

[Service]
ExecStart=/usr/local/bin/tcp-fastopen-rotate-keys
Type=oneshot
UMask=0077