Rotating key and cert in dnscrypt setup
sca at andreasschulze.de
Sun Aug 18 19:57:35 UTC 2019
On 18.08.19 at 19:51, Maciej Sołtysiak via Unbound-users wrote:
> I'm looking to run unbound acting as a dnscrypt server. My intention is to generate a new key and certificate say every 12 or 24 hours in order to maintain forward secrecy.
> If I configure:
> dnscrypt-secret-key: 1.key
> dnscrypt-secret-key: 2.key
> dnscrypt-provider-cert: 1.cert
> dnscrypt-provider-cert: 2.cert
> I get 2 key/cert pairs, but when the time comes to generate a new one (be it again 1.key or even 3.key) how can I make unbound use the new one?
> I tried:
> unbound-control set_option dnscrypt-secret-key: 3.key
> unbound-control set_option dnscrypt-provider-cert: 3.cert
> But that doesn't seem to look for the files and advertise them.
> unbound-control flush is not so good either.
> It seems to reread the key/cert files, but it flushes the cache.
this sounds like a similar problem: https://nlnetlabs.nl/pipermail/unbound-users/2019-April/011527.html
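The question above is about the file-handling side of rotation: keeping a short overlap of key/cert pairs in unbound.conf so clients holding the previous certificate keep working while the newest one is advertised. The following is an added example, not code from the thread or from the Unbound project, that does the config-rewriting part of such a rotation. It assumes (labelled as assumptions) that the `dnscrypt:` clause lists one `dnscrypt-secret-key:` and one `dnscrypt-provider-cert:` line per pair in generation order, that files are named `<n>.key` / `<n>.cert` as in the question, and that the operator reloads unbound afterwards; the sample config is constructed.

```python
"""Rotate the dnscrypt key/cert pairs listed in an unbound.conf dnscrypt: clause.

Added example, not from the mailing-list thread or from Unbound itself.
Assumptions: each generation is one `dnscrypt-secret-key:` line plus one
`dnscrypt-provider-cert:` line, listed in generation order; file names are
`<n>.key` / `<n>.cert`; the operator reloads unbound after the rewrite.
"""
import os
import re
from typing import List, Tuple

KEY_RE = re.compile(r"^\s*dnscrypt-secret-key:\s*(\S+)\s*$")
CERT_RE = re.compile(r"^\s*dnscrypt-provider-cert:\s*(\S+)\s*$")
GEN_RE = re.compile(r"^(\d+)\.key$")

# Constructed sample config in the shape the question describes.
SAMPLE_CONF = """server:
    interface: 0.0.0.0@443
dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 443
    dnscrypt-provider: 2.dnscrypt-cert.example.com.
    dnscrypt-secret-key: 1.key
    dnscrypt-secret-key: 2.key
    dnscrypt-provider-cert: 1.cert
    dnscrypt-provider-cert: 2.cert
"""


def current_pairs(conf: str) -> List[Tuple[str, str]]:
    """Return the (key, cert) pairs currently listed, in order of appearance."""
    lines = conf.splitlines()
    keys = [m.group(1) for line in lines if (m := KEY_RE.match(line))]
    certs = [m.group(1) for line in lines if (m := CERT_RE.match(line))]
    if len(keys) != len(certs):
        raise ValueError("unequal number of dnscrypt-secret-key and dnscrypt-provider-cert lines")
    return list(zip(keys, certs))


def next_generation(conf: str) -> Tuple[str, str]:
    """Pick the next `<n>.key` / `<n>.cert` names after the highest one listed."""
    numbers = []
    for key, _ in current_pairs(conf):
        m = GEN_RE.match(os.path.basename(key))
        if m:
            numbers.append(int(m.group(1)))
    n = (max(numbers) if numbers else 0) + 1
    return f"{n}.key", f"{n}.cert"


def rotate(conf: str, new_key: str, new_cert: str, keep: int = 2) -> str:
    """Add the new pair, drop the oldest beyond `keep`, and return the new config text.

    `keep` >= 2 preserves an overlap window: clients that cached the previous
    certificate can still reach the server until they refresh.
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    pairs = current_pairs(conf)
    if (new_key, new_cert) in pairs:
        return conf  # already present: rotation is idempotent
    pairs = (pairs + [(new_key, new_cert)])[-keep:]

    out: List[str] = []
    inserted = False
    for line in conf.splitlines():
        if KEY_RE.match(line) or CERT_RE.match(line):
            if not inserted:
                # Reuse the indentation of the first existing line; keys first,
                # then certs, matching the layout in the question.
                indent = line[: len(line) - len(line.lstrip())]
                out.extend(f"{indent}dnscrypt-secret-key: {k}" for k, _ in pairs)
                out.extend(f"{indent}dnscrypt-provider-cert: {c}" for _, c in pairs)
                inserted = True
            continue  # drop every old key/cert line
        out.append(line)
    if not inserted:
        raise ValueError("no dnscrypt-secret-key / dnscrypt-provider-cert lines found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    key, cert = next_generation(SAMPLE_CONF)
    print(rotate(SAMPLE_CONF, key, cert))
```

After writing the rewritten text back to unbound.conf and generating the new `<n>.key` / `<n>.cert` files, unbound still has to re-read the configuration; the thread does not settle how to do that without emptying the cache, which is exactly the gap the question raises.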