3
0
Fork 0
forked from mirrors/nixpkgs

dnscrypt-proxy service: expose option to use ephemeral keys

Some users may wish to improve their privacy by using per-query
key pairs, which makes it more difficult for upstream resolvers to
track users across IP addresses.
This commit is contained in:
Joachim Fasting 2016-03-17 14:34:56 +01:00
parent cdef1cdd38
commit 12877098cb

View file

@ -10,6 +10,7 @@ let
daemonArgs =
[ "--local-address=${localAddress}"
(optionalString cfg.tcpOnly "--tcp-only")
(optionalString cfg.ephemeralKeys "-E")
]
++ resolverArgs;
resolverArgs = if (cfg.customResolver != null)
@ -116,6 +117,17 @@ in
TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
'';
};
ephemeralKeys = mkOption {
default = false;
type = types.bool;
description = ''
Compute a new key pair for every query. Enabling this option
increases CPU usage, but makes it more difficult for the upstream
resolver to track your usage of their service across IP addresses.
The default is to re-use the public key pair for all queries, making
tracking trivial.
'';
};
};
};