Hi Sebastian, There is currently no easy way to rotate the certificates without restarting unbound.
You can gracefully rotate certs by using https://github.com/NLnetLabs/unbound/commit/52e2331dd495ca820c631d9aab6649455cb0c6e5#diff-47ddff7bf6b45ab98520775e2a29b9fd to advertise new certs while still handling the connections with the old ones, or more broadly if you have multiple servers that may receive queries: - start priming the new cert in (-rotated) mode so all servers could handle the new cert while not necessarily advertising it - once all servers have the new cert, move the old cert to -rotated, and remove the new one from -rotated after restarting, the new cert will be advertised while clients still using the old cert, will be able to query until they refresh their cert. This does not solve the restart issue and the flushing of the cache, but if you have a way to gracefully take servers in and out of the pool, this will allow you to gracefully rotate the certs. Manu On Thu, Jan 4, 2018 at 4:37 AM, Sebastian Schmidt via Unbound-users < [email protected]> wrote: > Hello, > > I'm wondering if unbound has a method where a new certificate can be > loaded without restarting unbound. This would be helpful when loading for > short-lived (1 day) DNSCrypt certificates and potentially for TLS certs > from Let's Encrypt (3 Months). Ideally unbound would run forever without a > restart when deploying secure transport for DNS. > I've attempted to write a auto-renew script: https://gist.github. > com/publicarray/a246106b5a6821b69b86e8d05ee41896 > But the problem is that I haven't found a way to tell unbound of the new > cert without restarting the daemon. If there is a way I can't see it > documented. > > Not related but can someone tell me if using `serve-expired: yes` has some > security risk? basically I'm trying to evaluate whether is better or worse > than setting `cache-min-ttl: 1800`. The server has low usage and is in > Australia. So on average the lookup time is around 350ms and I like to > serve more replies from the cache. > > Also may I ask on the progress on TLS-over-DNS? https:// > dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists > OOOR and EDNS0 Keepalive as WIP > > Thanks, > Sebastian > > > > >
