Maintained by: NLnet Labs

Load a certificate without restart

Sebastian Schmidt
Thu Jan 4 13:37:07 CET 2018


I'm wondering if unbound has a method where a new certificate can be loaded without restarting unbound. This would be helpful when loading short-lived (1 day) DNSCrypt certificates and potentially for TLS certs from Let's Encrypt (3 months). Ideally unbound would run forever without a restart when deploying secure transport for DNS.
I've attempted to write an auto-renew script:
But the problem is that I haven't found a way to tell unbound of the new cert without restarting the daemon. If there is a way, I can't see it documented.

Not related, but can someone tell me if using `serve-expired: yes` has some security risk? Basically, I'm trying to evaluate whether it is better or worse than setting `cache-min-ttl: 1800`. The server has low usage and is in Australia. So on average the lookup time is around 350ms and I like to serve more replies from the cache.

Also, may I ask about the progress on TLS-over-DNS? Lists OOOR and EDNS0 Keepalive as WIP