Load a certificate without restart

manu tman chantr4 at gmail.com
Thu Jan 4 18:22:56 UTC 2018


Hi Sebastian,

There is currently no easy way to rotate the certificates without
restarting unbound.

You can gracefully rotate certs by using
https://github.com/NLnetLabs/unbound/commit/52e2331dd495ca820c631d9aab6649455cb0c6e5#diff-47ddff7bf6b45ab98520775e2a29b9fd
to advertise new certs while still handling the connections with the old
ones, or more broadly if you have multiple servers that may receive queries:
- start priming the new cert in (-rotated) mode so all servers could handle
the new cert while not necessarily advertising it
- once all servers have the new cert, move the old cert to -rotated, and
remove the new one from -rotated after restarting, the new cert will be
advertised while clients still using the old cert, will be able to query
until they refresh their cert.

This does not solve the restart issue and the flushing of the cache, but if
you have a way to gracefully take servers in and out of the pool, this will
allow you to gracefully rotate the certs.

Manu

On Thu, Jan 4, 2018 at 4:37 AM, Sebastian Schmidt via Unbound-users <
unbound-users at unbound.net> wrote:

> Hello,
>
> I'm wondering if unbound has a method where a new certificate can be
> loaded without restarting unbound. This would be helpful when loading for
> short-lived (1 day) DNSCrypt certificates and potentially for TLS certs
> from Let's Encrypt (3 Months). Ideally unbound would run forever without a
> restart when deploying secure transport for DNS.
> I've attempted to write a auto-renew script: https://gist.github.
> com/publicarray/a246106b5a6821b69b86e8d05ee41896
> But the problem is that I haven't found a way to tell unbound of the new
> cert without restarting the daemon. If there is a way I can't see it
> documented.
>
> Not related but can someone tell me if using `serve-expired: yes` has some
> security risk? basically I'm trying to evaluate whether is better or worse
> than setting `cache-min-ttl: 1800`. The server has low usage and is in
> Australia. So on average the lookup time is around 350ms and I like to
> serve more replies from the cache.
>
> Also may I ask on the progress on TLS-over-DNS? https://
> dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists
> OOOR and EDNS0 Keepalive as WIP
>
> Thanks,
> Sebastian
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180104/dbd0a624/attachment.htm>


More information about the Unbound-users mailing list