Maintained by: NLnet Labs

Load a certificate without restart

W.C.A. Wijngaards
Fri Jan 19 13:27:01 CET 2018


Hi Sebastian,

On 04/01/18 13:37, Sebastian Schmidt via Unbound-users wrote:
> Hello, 
> 
> I'm wondering if unbound has a method where a new certificate can be loaded without restarting unbound. This would be helpful when loading for short-lived (1 day) DNSCrypt certificates and potentially for TLS certs from Let's Encrypt (3 Months). Ideally unbound would run forever without a restart when deploying secure transport for DNS.
> I've attempted to write a auto-renew script: https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
> But the problem is that I haven't found a way to tell unbound of the new cert without restarting the daemon. If there is a way I can't see it documented.
> 
> Not related but can someone tell me if using `serve-expired: yes` has some security risk? basically I'm trying to evaluate whether is better or worse than setting `cache-min-ttl: 1800`. The server has low usage and is in Australia. So on average the lookup time is around 350ms and I like to serve more replies from the cache.

The issue is that it serves old data.  Old data is the (potential)
security problem.  It also uses the old validation status, until the
data and validation status are updated.  The update mechanism is
scheduled by the serve-expired option.

> 
> Also may I ask on the progress on TLS-over-DNS? https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists OOOR and EDNS0 Keepalive as WIP

OOOP is on the roadmap (for this year).

Best regards, Wouter

> 
> Thanks,
> Sebastian
> 
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20180119/41a99420/attachment.sig>