Hi Sebastian,

On 04/01/18 13:37, Sebastian Schmidt via Unbound-users wrote:
> Hello, 
> 
> I'm wondering if unbound has a method where a new certificate can be loaded 
> without restarting unbound. This would be helpful when loading for 
> short-lived (1 day) DNSCrypt certificates and potentially for TLS certs from 
> Let's Encrypt (3 Months). Ideally unbound would run forever without a restart 
> when deploying secure transport for DNS.
> I've attempted to write an auto-renew script: 
> https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
> But the problem is that I haven't found a way to tell unbound of the new cert 
> without restarting the daemon. If there is a way I can't see it documented.
> 
> Not related, but can someone tell me if using `serve-expired: yes` has some 
> security risk? Basically I'm trying to evaluate whether it is better or worse 
> than setting `cache-min-ttl: 1800`. The server has low usage and is in 
> Australia. So on average the lookup time is around 350ms and I like to serve 
> more replies from the cache.

The issue is that it serves old data.  Old data is the (potential)
security problem.  It also uses the old validation status, until the
data and validation status are updated.  The update mechanism is
scheduled by the serve-expired option.

> 
> Also may I ask on the progress on TLS-over-DNS? 
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status 
> Lists OOOR and EDNS0 Keepalive as WIP

OOOP is on the roadmap (for this year).

Best regards, Wouter

> 
> Thanks,
> Sebastian
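As an added illustration (not part of this thread, and not Unbound's own documentation), the two settings Sebastian contrasts, annotated with the effect Wouter describes. The values are the ones from the question; the comments and the `serve-expired-ttl` line (an option that exists in later Unbound releases than the one current at the time of this thread) are mine:

```conf
# unbound.conf fragment (added example, not from the thread)
server:
    # Alternative A: cache-min-ttl.
    # Every RRset and message is kept for at least 1800 s, even when the
    # zone owner published a shorter TTL, and the raised TTL is what
    # clients receive. Less upstream traffic, but a change at the
    # authoritative side (a moved service, a rotated key) can stay
    # invisible to this resolver and its clients for up to 30 minutes.
    # Nothing marks such answers as stale.
    cache-min-ttl: 1800

    # Alternative B: serve-expired.
    # The real TTL is honoured. When an entry has expired, Unbound still
    # answers from it (TTL 0 in the response) instead of making the
    # client wait, and resolves the name in the background so the next
    # query gets fresh data. As Wouter notes, the stale answer also
    # carries the old validation status until that refresh completes.
    serve-expired: yes
    # Bound how long after expiry a stale entry may still be served
    # (0 = no limit). Only in Unbound releases newer than this thread.
    serve-expired-ttl: 86400
```

The two options are not mutually exclusive; the question pits them against each other because each trades freshness for fewer round trips to far-away authoritative servers. With `serve-expired`, old data is handed out only while a refresh is already in flight, whereas `cache-min-ttl` silently rewrites what the zone owner asked for. Note also that `unbound-control reload` flushes the cache, so immediately after a reload there is no expired data to serve until the cache has refilled.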