Load a certificate without restart

Sebastian Schmidt publicarray at posteo.net
Thu Jan 4 12:37:07 UTC 2018


Hello, 

I'm wondering if unbound has a method where a new certificate can be loaded without restarting unbound. This would be helpful when loading short-lived (1 day) DNSCrypt certificates and potentially for TLS certs from Let's Encrypt (3 months). Ideally unbound would run forever without a restart when deploying secure transport for DNS.
I've attempted to write an auto-renew script: https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
But the problem is that I haven't found a way to tell unbound about the new cert without restarting the daemon. If there is a way, I can't see it documented.

Not related, but can someone tell me if using `serve-expired: yes` has some security risk? Basically I'm trying to evaluate whether it is better or worse than setting `cache-min-ttl: 1800`. The server has low usage and is in Australia, so on average the lookup time is around 350ms and I'd like to serve more replies from the cache.

Also, may I ask about the progress on TLS-over-DNS? https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status lists OOOR and EDNS0 Keepalive as WIP.

Thanks,
Sebastian
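One way the renewal step of a script like the one above can be made restart-free, as an added example that is not part of the post and not the unbound project's own code: compare a checksum of the certificate file against the last recorded one and, only when it differs, ask the running daemon to re-read its configuration with `unbound-control reload`. The `unbound-control reload` command itself exists (it requires `control-enable: yes`); that a reload picks up a replaced tls-service-pem or DNSCrypt certificate file is an assumption this example makes, not something the thread confirms. The file paths and the script name `reload-cert.sh` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from unbound itself:
# detect that a certificate file on disk has changed and only then ask a
# running unbound to re-read its config via `unbound-control reload`.
# Assumptions: unbound-control is configured (control-enable: yes) and a
# reload re-reads the certificate files. Paths below are placeholders.

CERT_FILE="${CERT_FILE:-/etc/unbound/tls/fullchain.pem}"   # placeholder path
STATE_FILE="${STATE_FILE:-/var/lib/unbound/cert.cksum}"    # placeholder path
RELOAD_CMD="${RELOAD_CMD:-unbound-control reload}"         # assumed to re-read certs

# Print a checksum of a file's contents (cksum is POSIX, so no openssl needed).
cert_digest() {
    cksum < "$1" | cut -d ' ' -f 1
}

# Return 0 (true) when the certificate differs from the last recorded state,
# 1 otherwise. A missing state file counts as "changed" so the first run reloads.
cert_changed() {
    new=$(cert_digest "$CERT_FILE") || return 1
    [ -r "$STATE_FILE" ] || return 0
    old=$(cat "$STATE_FILE")
    [ "$new" != "$old" ]
}

# Remember the checksum of the certificate currently loaded into unbound.
record_cert() {
    cert_digest "$CERT_FILE" > "$STATE_FILE"
}

# Reload only when needed, and record the new state only if the reload
# succeeded, so a failed reload is retried on the next run instead of lost.
reload_if_changed() {
    if cert_changed; then
        if $RELOAD_CMD; then
            record_cert
            echo "certificate changed; unbound reloaded"
            return 0
        fi
        echo "unbound reload failed" >&2
        return 1
    fi
    echo "certificate unchanged; nothing to do"
    return 0
}

# Act only when executed as the script itself, not when sourced.
case "$0" in
    *reload-cert.sh) reload_if_changed ;;
esac
```

Run it from cron shortly after the certificate renewal job. Note that, per the unbound-control man page, `reload` also flushes the cache, so on a resolver where each upstream lookup costs hundreds of milliseconds it is worth triggering a reload only when the certificate really changed, which is what the checksum comparison is for.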

More information about the Unbound-users mailing list