Rotating key and cert in dnscrypt setup
Maciej Sołtysiak
maciej at soltysiak.com
Sun Aug 18 17:51:31 UTC 2019
Hi,
I'm looking to run unbound acting as a dnscrypt server. My intention is to generate a new key and certificate say every 12 or 24 hours in order to maintain forward secrecy.
If I configure:
dnscrypt-secret-key: 1.key
dnscrypt-secret-key: 2.key
dnscrypt-provider-cert: 1.cert
dnscrypt-provider-cert: 2.cert
I get 2 key/cert pairs, but when the time comes to generate a new one (be it again 1.key or even 3.key), how can I make unbound use the new one?
I tried:
unbound-control set_option dnscrypt-secret-key: 3.key
unbound-control set_option dnscrypt-provider-cert: 3.cert
But that doesn't seem to look for the files and advertise them.
unbound-control flush is not so good either.
It seems to reread the key/cert files, but it flushes the cache.
Unless I'm missing something, we may be missing a feature.
If we are, I'm OK to try to write something. I've done some unbound coding before.
Thanks,
Maciej