Hi Eric,

When I initially looked at this I was using “rndc reload” whenever changing the cert. Artem Boldariev (Lead Developer for DoH at the ISC) suggested that actually “rndc reconfig” would be the better way to do this since we only need named to re-read the config file, we *do not* need it to needlessly re-read the zone files if they haven’t been changed.

You can confirm this by running the following command against your BIND DoH server (obviously replace “your.server.net” with your name server’s FQDN):

    $ openssl s_client -showcerts -connect your.server.net:443

Now edit named.conf.options to reference a different certificate, and then run “rndc reconfig”. Run the openssl command again and you will see that the certificate has indeed changed to the new one you specified in named.conf.options.

Best,
Richard.

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Eric Germann via bind-users
Sent: 05 June 2021 3:00 am
To: bind-users@lists.isc.org
Subject: named reload and HTTPS certs

There’s been some great discussion lately on enabling DoH with LetsEncrypt certs. My question is this: If I renew the cert while named is running and do a reload on it, is that enough to pick up the new certs or do I need to stop/start the named process? Basically, does reload only reload the zones or the entire config and subordinate files?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
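The before/after check described in Richard's reply, automated as an added example (not code from the thread or from ISC): it reads the cert-file path out of a BIND 9.17+ `tls` block, fingerprints that file, and compares it with the leaf certificate the server actually presents, which is what you would compare by eye in the two `openssl s_client` runs. The `tls local-tls { ... }` block syntax, the Let's Encrypt paths and the host name are assumptions for illustration.

```python
# Added example: confirm that the certificate BIND serves on its DoH port is
# the cert-file currently named in named.conf.options (e.g. after "rndc reconfig").
import hashlib
import re
import socket
import ssl
import sys

# Constructed named.conf.options fragment; BIND 9.17+ "tls" block syntax assumed.
SAMPLE_CONF = '''
tls local-tls {
    key-file "/etc/letsencrypt/live/your.server.net/privkey.pem";
    cert-file "/etc/letsencrypt/live/your.server.net/fullchain.pem";
};
'''

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def configured_cert_files(conf_text):
    """Map each tls block name to the cert-file path it references."""
    result = {}
    for block in re.finditer(r"tls\s+(\S+)\s*\{(.*?)\};", conf_text, re.S):
        cert = re.search(r'cert-file\s+"([^"]+)"', block.group(2))
        if cert:
            result[block.group(1)] = cert.group(1)
    return result


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file (the leaf in a fullchain)."""
    first = PEM_RE.search(pem_text).group(0)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()


def served_fingerprint(host, port=443):
    """Handshake like 'openssl s_client' and fingerprint the leaf certificate presented."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only inspect the cert here, we do not rely on it
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


if __name__ == "__main__":
    # usage: python check_doh_cert.py your.server.net /etc/bind/named.conf.options local-tls
    host, conf_path, tls_name = sys.argv[1:4]
    with open(conf_path) as fh:
        cert_path = configured_cert_files(fh.read())[tls_name]
    with open(cert_path) as fh:
        on_disk = pem_fingerprint(fh.read())
    served = served_fingerprint(host)
    print("served   :", served)
    print("cert-file:", on_disk)
    print("MATCH" if served == on_disk else "MISMATCH: named has not picked up the new cert")
```

Run it once before editing named.conf.options and once after `rndc reconfig`; the first run should report MISMATCH (old cert still served) only if you have already swapped the file on disk, and the second should report MATCH.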
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users