Rotating key and cert in dnscrypt setup

Maciej Sołtysiak maciej at
Sun Aug 18 17:51:31 UTC 2019


I'm looking to run unbound acting as a dnscrypt server. My intention is to generate a new key and certificate say every 12 or 24 hours in order to maintain forward secrecy.

If I configure:
   dnscrypt-secret-key: 1.key
   dnscrypt-secret-key: 2.key
   dnscrypt-provider-cert: 1.cert
   dnscrypt-provider-cert: 2.cert

I get 2 key/cert pairs, but when the times comes to generate a new one (be it again 1.key or even 3.key) how can I make unbound use the new one?
I tried:
unbound-control set_option  dnscrypt-secret-key: 3.key
unbound-control set_option  dnscrypt-provider-cert: 3.cert

But that doesn't seem to look for the files and advertise them.

unbound-control flush is not so good either.
It seems to reread the key/cert files, but it flushes the cache.

Unless I'm missing something we may be missing a feature.
If we are I'm ok to try to write something. I've done some unbound coding before.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unbound-users mailing list