Rotating key and cert in dnscrypt setup

A. Schulze sca at
Sun Aug 18 19:57:35 UTC 2019

Am 18.08.19 um 19:51 schrieb Maciej Sołtysiak via Unbound-users:
> Hi,
> I'm looking to run unbound acting as a dnscrypt server. My intention is to generate a new key and certificate say every 12 or 24 hours in order to maintain forward secrecy.
> If I configure:
>    dnscrypt-secret-key: 1.key
>    dnscrypt-secret-key: 2.key
>    dnscrypt-provider-cert: 1.cert
>    dnscrypt-provider-cert: 2.cert
> I get 2 key/cert pairs, but when the times comes to generate a new one (be it again 1.key or even 3.key) how can I make unbound use the new one?
> I tried:
> unbound-control set_option  dnscrypt-secret-key: 3.key
> unbound-control set_option  dnscrypt-provider-cert: 3.cert
> But that doesn't seem to look for the files and advertise them.
> unbound-control flush is not so good either.
> It seems to reread the key/cert files, but it flushes the cache.

Hello Maciej,

this sounds like a similar problem:


More information about the Unbound-users mailing list