Hi Eric,

When I initially looked at this I was using “rndc reload” whenever changing the 
cert. Artem Boldariev (Lead Developer for DoH at the ISC) suggested that 
actually “rndc reconfig” would be the better way to do this since we only need 
named to re-read the config file, we *do not* need it to needlessly re-read the 
zone files if they haven’t been changed.

You can confirm this by running the following command against your BIND DoH 
server (obviously replace “your.server.net” with your name server’s FQDN):

$ openssl s_client -showcerts -connect your.server.net:443

Now edit named.conf.options to reference a different certificate, and then run 
“rndc reconfig”

Run the openssl command again and you will see that the certificate has indeed 
changed to the new one you specified in named.conf.options.

Best,

Richard.
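
As an added example (not part of Richard's message and not BIND's own tooling), the before/after check above can be automated: read the certificate path from the `tls` block in named.conf.options, fingerprint that file, fetch the certificate the DoH listener actually presents (the same thing `openssl s_client` shows) and compare the two SHA-256 fingerprints. It assumes the config names the certificate with a `cert-file` directive inside a `tls { ... }` block; the file name, sample config and Let's Encrypt paths are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl
import sys

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string to raw DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def pem_from_der(der):
    """Wrap DER bytes in PEM armour (used only to build constructed test input)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def sha256_fingerprint(pem):
    """SHA-256 fingerprint in the colon form that 'openssl x509 -fingerprint -sha256' prints."""
    hexdigest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def cert_file_from_config(conf_text):
    """Path given by cert-file in the first tls {} block (assumed named.conf.options layout)."""
    m = re.search(r'tls\s+\S+\s*\{[^}]*?cert-file\s+"([^"]+)"', conf_text, re.S)
    if not m:
        raise ValueError("no tls block with a cert-file directive found")
    return m.group(1)

def certs_match(configured_pem, served_pem):
    """True when the file named in the config is the certificate the listener serves."""
    return sha256_fingerprint(configured_pem) == sha256_fingerprint(served_pem)

def check_live_server(conf_path, host, port=443):
    """Fetch the listener's cert (what openssl s_client shows) and compare it to the configured file."""
    with open(conf_path) as f:
        cert_path = cert_file_from_config(f.read())
    with open(cert_path) as f:
        configured_pem = f.read()
    return certs_match(configured_pem, ssl.get_server_certificate((host, port)))

# Constructed sample input so the helpers run offline; not a real certificate or config.
SAMPLE_DER = b"constructed-der-bytes-for-testing"
SAMPLE_PEM = pem_from_der(SAMPLE_DER)
SAMPLE_CONF = ('tls local-tls {\n  key-file "/etc/letsencrypt/live/your.server.net/privkey.pem";\n'
               '  cert-file "/etc/letsencrypt/live/your.server.net/fullchain.pem";\n};\n')

if __name__ == "__main__":
    # usage: python3 check_doh_cert.py /etc/bind/named.conf.options your.server.net
    sys.exit(0 if check_live_server(sys.argv[1], sys.argv[2]) else "served cert differs from cert-file")
```

Run it once before editing named.conf.options and again after “rndc reconfig”; a non-zero exit after the reconfig means the listener is still serving the old certificate.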

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Eric Germann 
via bind-users
Sent: 05 June 2021 3:00 am
To: bind-users@lists.isc.org
Subject: named reload and HTTPS certs

There’s been some great discussion lately on enabling DoH with LetsEncrypt 
certs.

My question is this:  If I renew the cert while named is running and do a 
reload on it, is that enough to pick up the new certs or do I need to 
stop/start the named process?

Basically, does reload only reload the zones or the entire config and 
subordinate files?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users