DNScrypt - lower the key validity period #22

Open
bertusdebruin opened this issue Aug 23, 2023 · 3 comments
Labels: enhancement (New feature or request)

Comments

@bertusdebruin

As discussed over here: AdguardTeam/AdGuardHome#6131
Please lower the default days as the key validity period for this server is excessively long (365 days).

Of course, it can be adjusted manually afterwards.
It seems to me a good idea to reduce the number of days, by default already significantly.
Thanks.

@ameshkov
Owner

This default was chosen because the current implementation does not have a certificate rotation mechanism, the cert is only changed when you restart the server. This in turn will cause some troubles for the DNS client as there's no clear signal for when the client needs to fetch the new certificate, basically now it does that on every timeout error.

All in all, the task is much more complex than just changing a single constant.

As for the original claim that it reduces forward secrecy, I'd argue that the threat is a bit exaggerated.

@bertusdebruin
Author

This default was chosen because the current implementation does not have a certificate rotation mechanism, the cert is only changed when you restart the server.

So, in other words, those 365 are actually placebo: if the server runs for, say, 400 days the certificate will not have been replaced because it only does so on a server reboot. Is that correct?

@ameshkov
Owner

If the server runs for longer than 365 days, the clients won't be able to establish a connection with it since the cert will be expired.
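The rotation problem ameshkov describes earlier in the thread and the expiry he states in this last reply both follow from the two timestamps baked into the certificate at issue time. The following is an added example in Go, not code from this repository: it parses the ts-start/ts-end fields of a DNSCrypt v2 certificate (offsets per the DNSCrypt v2 certificate layout: 4-byte "DNSC" magic, 2-byte es-version, 2-byte minor version, 64-byte signature, 32-byte resolver public key, 8-byte client magic, 4-byte serial, then ts-start and ts-end as big-endian Unix seconds), reports the claimed lifetime and the days remaining at a given instant, and flags a lifetime longer than an operator-chosen policy limit. The sample certificate is constructed inline with a zeroed signature and public key, the function names (ParseCertTimes, Assess, buildTestCert) are mine, and signature verification is deliberately out of scope; a real client verifies the signature against the provider key before trusting any of these fields.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// certMinLen is the size of a DNSCrypt v2 certificate without extensions:
// 4 magic + 2 es-version + 2 minor-version + 64 signature + 32 resolver pk
// + 8 client magic + 4 serial + 4 ts-start + 4 ts-end.
const certMinLen = 124

// CertInfo holds the fields needed for a validity-window check.
type CertInfo struct {
	EsVersion   uint16
	ClientMagic [8]byte
	Serial      uint32
	Start, End  time.Time
}

// ParseCertTimes extracts serial and validity timestamps from a raw
// certificate. It does not verify the Ed25519 signature (bytes 8..72);
// this is a parser for inspection, not a trust decision.
func ParseCertTimes(raw []byte) (CertInfo, error) {
	var ci CertInfo
	if len(raw) < certMinLen {
		return ci, fmt.Errorf("certificate too short: %d bytes", len(raw))
	}
	if string(raw[0:4]) != "DNSC" {
		return ci, errors.New("bad certificate magic")
	}
	ci.EsVersion = binary.BigEndian.Uint16(raw[4:6])
	copy(ci.ClientMagic[:], raw[104:112])
	ci.Serial = binary.BigEndian.Uint32(raw[112:116])
	ci.Start = time.Unix(int64(binary.BigEndian.Uint32(raw[116:120])), 0).UTC()
	ci.End = time.Unix(int64(binary.BigEndian.Uint32(raw[120:124])), 0).UTC()
	if !ci.End.After(ci.Start) {
		return ci, errors.New("ts-end is not after ts-start")
	}
	return ci, nil
}

// ValidityDays is the total lifetime the certificate claims, in days.
func ValidityDays(ci CertInfo) float64 {
	return ci.End.Sub(ci.Start).Hours() / 24
}

// Assess reports whether the certificate is usable at time now, how many
// days remain (negative once expired), and whether its lifetime exceeds
// maxDays, the operator's policy limit.
func Assess(ci CertInfo, now time.Time, maxDays float64) (valid bool, remainingDays float64, tooLong bool) {
	valid = !now.Before(ci.Start) && now.Before(ci.End)
	remainingDays = ci.End.Sub(now).Hours() / 24
	tooLong = ValidityDays(ci) > maxDays
	return
}

// buildTestCert assembles a constructed sample certificate (hypothetical
// values). Signature and resolver public key are left zeroed, so the
// result is only suitable for exercising the parser.
func buildTestCert(serial uint32, start, end time.Time) []byte {
	b := make([]byte, certMinLen)
	copy(b[0:4], "DNSC")
	binary.BigEndian.PutUint16(b[4:6], 2) // es-version 2: XChaCha20-Poly1305
	copy(b[104:112], []byte{0x7a, 0x2c, 0x9b, 0x01, 0x55, 0xe3, 0x10, 0xaa})
	binary.BigEndian.PutUint32(b[112:116], serial)
	binary.BigEndian.PutUint32(b[116:120], uint32(start.Unix()))
	binary.BigEndian.PutUint32(b[120:124], uint32(end.Unix()))
	return b
}

func main() {
	// A 365-day certificate issued on the day this issue was opened,
	// checked at three points, including the 400-day case from the thread.
	start := time.Date(2023, 8, 23, 0, 0, 0, 0, time.UTC)
	raw := buildTestCert(1, start, start.Add(365*24*time.Hour))
	ci, err := ParseCertTimes(raw)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, day := range []int{10, 364, 400} {
		now := start.Add(time.Duration(day) * 24 * time.Hour)
		valid, rem, tooLong := Assess(ci, now, 30)
		fmt.Printf("day %3d: valid=%v remaining=%.0f days lifetime=%.0f days exceeds 30-day policy=%v\n",
			day, valid, rem, ValidityDays(ci), tooLong)
	}
}
```

Run against a certificate fetched from a live resolver (the TXT record for the provider name), the same check gives an operator the restart deadline a server without rotation actually imposes, and the `tooLong` flag is where a lower default or a per-deployment policy would be enforced.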
