Synchronization of TLS session ticket keys between instances
Defender can automatically synchronize TLS session ticket keys (STEKs) between DNSdist instances in a cluster, making sure that all instances can properly reuse TLS sessions generated by another instance.
This feature requires DNSdist >= 1.9.8 and the presence of a NATS server. NATS is a secure, high-performance, open-source messaging system; it supports clustering to provide high availability.
Once the NATS server has been set up, at least one DNSdist instance must be configured to publish the STEKs it generates (whether it rotates them periodically or not) to the NATS bus:
---
servers:
  main-nats:
    host: "192.0.2.1"
    tls: true
    username: foo
    password: bar
    tls_ca_path: "path/to/ca/certificates/"
    tls_certificate: "path/to/certificate.crt"
    tls_key: "path/to/key.pem"
syncs:
  - type: stek
    publish: true
    channel: 'steks'
    server: main-nats
-- create a new defender sync object, using the configuration
-- from sync.yml
local defenderSync = defender:newSync('sync.yml')
-- register the defender object, it will register itself in
-- the necessary dnsdist hooks
defenderSync:setup()
Other DNSdist instances that should receive those keys are configured the same way, with publishing disabled:
---
servers:
  main-nats:
    host: "192.0.2.1"
    tls: true
    username: foo
    password: bar
    tls_ca_path: "path/to/ca/certificates/"
    tls_certificate: "path/to/certificate.crt"
    tls_key: "path/to/key.pem"
syncs:
  - type: stek
    publish: false
    channel: 'steks'
    server: main-nats
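Because STEKs are secret key material and every instance must agree on where they are exchanged, it is worth linting the sync.yml files of a whole cluster before rollout. The following is an added example, not Defender or DNSdist code: it parses the two-level YAML layout used above with a small built-in parser (so it runs offline without PyYAML), checks each instance (the referenced server exists, TLS with CA path, certificate and key is configured, credentials and channel are present, `publish` is a boolean) and then checks the cluster as a whole (all instances point at the same NATS host and channel, at least one instance publishes). The instance names and the sample configurations it generates are constructed; a `tls_key` line without a colon, as can easily happen when editing by hand, is reported as a parse error.

```python
"""Lint a cluster's Defender sync.yml files for STEK synchronization.

Added example (not Defender/DNSdist code). A tiny built-in parser handles
the two-level YAML layout shown above, so this runs offline without PyYAML.
Assumptions: no multi-line scalars and no inline [..]/{..} collections."""

def _scalar(text):
    """Strip quotes and map true/false to booleans; everything else is a string."""
    text = text.strip()
    if text[:1] in ("'", '"') and text.endswith(text[:1]) and len(text) > 1:
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return text

def parse_yaml_subset(text):
    """Parse nested mappings and lists of mappings, nesting by indentation."""
    lines = []
    for raw in text.splitlines():
        if raw.strip() and raw.strip() != "---":
            lines.append([len(raw) - len(raw.lstrip(" ")), raw.strip()])
    if not lines:
        return {}
    value, _ = _parse_node(lines, 0, lines[0][0])
    return value

def _parse_node(lines, i, indent):
    if lines[i][1].startswith("- "):
        return _parse_list(lines, i, indent)
    return _parse_map(lines, i, indent)

def _parse_list(lines, i, indent):
    items = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        # "- key: value" opens a mapping whose keys sit two columns deeper
        lines[i] = [indent + 2, lines[i][1][2:]]
        item, i = _parse_map(lines, i, indent + 2)
        items.append(item)
    return items, i

def _parse_map(lines, i, indent):
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        if ":" not in lines[i][1]:
            raise ValueError(f"expected 'key: value', got {lines[i][1]!r}")
        key, _, value = lines[i][1].partition(":")
        i += 1
        if value.strip():
            mapping[key.strip()] = _scalar(value)
        elif i < len(lines) and lines[i][0] > indent:  # nested block follows
            mapping[key.strip()], i = _parse_node(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i

def check_instance(cfg):
    """Per-instance checks; returns a list of problem strings (empty = OK)."""
    problems, servers = [], cfg.get("servers") or {}
    steks = [s for s in cfg.get("syncs") or [] if s.get("type") == "stek"]
    if not steks:
        problems.append("no sync of type 'stek' configured")
    for s in steks:
        srv = servers.get(s.get("server"))
        if srv is None:
            problems.append(f"sync references undefined server {s.get('server')!r}")
            continue
        # STEKs are secret key material: insist on TLS towards the NATS bus
        if srv.get("tls") is not True:
            problems.append("NATS connection is not using TLS")
        for key in ("tls_ca_path", "tls_certificate", "tls_key", "username", "password"):
            if not srv.get(key):
                problems.append(f"server setting {key!r} is missing")
        if not s.get("channel"):
            problems.append("stek sync has no channel")
        if not isinstance(s.get("publish"), bool):
            problems.append("'publish' must be true or false")
    return problems

def check_cluster(configs):
    """Cross-instance checks over {instance_name: yaml_text}; {} means all good."""
    problems, targets, publishers = {}, set(), 0
    for name, text in configs.items():
        cfg = parse_yaml_subset(text)
        found = check_instance(cfg)
        if found:
            problems[name] = found
        for s in cfg.get("syncs") or []:
            if s.get("type") == "stek":
                host = ((cfg.get("servers") or {}).get(s.get("server")) or {}).get("host")
                targets.add((host, s.get("channel")))
                publishers += s.get("publish") is True
    if publishers == 0:
        problems.setdefault("cluster", []).append("no instance publishes STEKs")
    if len(targets) > 1:
        problems.setdefault("cluster", []).append(f"instances disagree on NATS host/channel: {sorted(targets)}")
    return problems

def sample_config(publish, tls="true", key_line='    tls_key: "path/to/key.pem"'):
    """Constructed sample sync.yml in the layout used above (not a real deployment)."""
    return f"""---
servers:
  main-nats:
    host: "192.0.2.1"
    tls: {tls}
    username: foo
    password: bar
    tls_ca_path: "path/to/ca/certificates/"
    tls_certificate: "path/to/certificate.crt"
{key_line}
syncs:
  - type: stek
    publish: {publish}
    channel: 'steks'
    server: main-nats
"""

if __name__ == "__main__":
    # constructed two-node cluster: one publisher, one subscriber
    cluster = {"dnsdist-1": sample_config("true"), "dnsdist-2": sample_config("false")}
    print(check_cluster(cluster) or "cluster STEK sync config looks consistent")
```

Run it against the real files by replacing the `sample_config` calls with the contents of each instance's sync.yml; an empty result means the publisher and subscribers agree on host and channel, every connection is TLS-protected and at least one instance will actually put keys on the bus.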
Please refer to the STEK settings reference for the complete description of the settings.