Load a certificate without restart

2018-01-04 Thread Sebastian Schmidt via Unbound-users
Hello, 

I'm wondering if unbound has a method where a new certificate can be loaded 
without restarting unbound. This would be helpful when loading for short-lived 
(1 day) DNSCrypt certificates and potentially for TLS certs from Let's Encrypt 
(3 Months). Ideally unbound would run forever without a restart when deploying 
secure transport for DNS.
I've attempted to write an auto-renew script: 
https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
But the problem is that I haven't found a way to tell unbound of the new cert 
without restarting the daemon. If there is a way I can't see it documented.

Not related, but can someone tell me if using `serve-expired: yes` has some 
security risk? Basically I'm trying to evaluate whether it is better or worse than 
setting `cache-min-ttl: 1800`. The server has low usage and is in Australia, so 
on average the lookup time is around 350ms and I'd like to serve more replies 
from the cache.

Also may I ask on the progress on TLS-over-DNS? 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists 
OOOR and EDNS0 Keepalive as WIP

Thanks,
Sebastian

Re: Load a certificate without restart

2018-01-04 Thread manu tman via Unbound-users
Hi Sebastian,

There is currently no easy way to rotate the certificates without
restarting unbound.

You can gracefully rotate certs by using
https://github.com/NLnetLabs/unbound/commit/52e2331dd495ca820c631d9aab6649455cb0c6e5#diff-47ddff7bf6b45ab98520775e2a29b9fd
to advertise new certs while still handling the connections with the old
ones, or more broadly if you have multiple servers that may receive queries:
- start priming the new cert in (-rotated) mode so all servers could handle
the new cert while not necessarily advertising it
- once all servers have the new cert, move the old cert to -rotated and
remove the new one from -rotated; after restarting, the new cert will be
advertised, while clients still using the old cert will be able to query
until they refresh their cert.

This does not solve the restart issue and the flushing of the cache, but if
you have a way to gracefully take servers in and out of the pool, this will
allow you to gracefully rotate the certs.

Manu

On Thu, Jan 4, 2018 at 4:37 AM, Sebastian Schmidt via Unbound-users <
unbound-users@unbound.net> wrote:

> Hello,
>
> I'm wondering if unbound has a method where a new certificate can be
> loaded without restarting unbound. This would be helpful when loading for
> short-lived (1 day) DNSCrypt certificates and potentially for TLS certs
> from Let's Encrypt (3 Months). Ideally unbound would run forever without a
> restart when deploying secure transport for DNS.
> I've attempted to write an auto-renew script:
> https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
> But the problem is that I haven't found a way to tell unbound of the new
> cert without restarting the daemon. If there is a way I can't see it
> documented.
>
> Not related, but can someone tell me if using `serve-expired: yes` has some
> security risk? Basically I'm trying to evaluate whether it is better or worse
> than setting `cache-min-ttl: 1800`. The server has low usage and is in
> Australia, so on average the lookup time is around 350ms and I'd like to
> serve more replies from the cache.
>
> Also may I ask on the progress on TLS-over-DNS?
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists
> OOOR and EDNS0 Keepalive as WIP
>
> Thanks,
> Sebastian
>
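As an added example (my own script, not code from this thread, from Sebastian's gist or from the unbound project), here is a POSIX shell script that writes the `dnscrypt:` clause for each of the three stages Manu describes, using the `dnscrypt-provider-cert-rotated` option introduced by the linked commit. Everything concrete in it is an assumption of mine rather than something the thread states: the directory `/etc/unbound/dnscrypt`, the provider name `2.dnscrypt-cert.example.com.`, port 443, key and cert files named after their date, and a main `unbound.conf` that pulls in the generated fragment with an `include:` line.

```shell
#!/bin/sh
# Added example, not from the thread or the unbound project.
# Renders the dnscrypt: clause for the staged rotation described above:
#   stage 1: advertise OLD, also accept NEW  (prime every server with NEW)
#   stage 2: advertise NEW, also accept OLD  (clients holding OLD keep working)
#   stage 3: advertise NEW only              (OLD retired)
# Assumed layout (not from the thread): $DNSCRYPT_DIR/<name>.key and
# $DNSCRYPT_DIR/<name>.cert for each cert, and an
#   include: "/etc/unbound/dnscrypt/dnscrypt.conf"
# line in the main unbound.conf.

DNSCRYPT_DIR="${DNSCRYPT_DIR:-/etc/unbound/dnscrypt}"
PROVIDER="${PROVIDER:-2.dnscrypt-cert.example.com.}"   # assumed provider name
DNSCRYPT_PORT="${DNSCRYPT_PORT:-443}"                  # assumed port

# render_dnscrypt_conf STAGE OLD NEW
# OLD and NEW are the basenames of the cert/key pairs; prints the clause.
render_dnscrypt_conf() {
    stage=$1 old=$2 new=$3
    case $stage in
        1) adv=$old rot=$new ;;
        2) adv=$new rot=$old ;;
        3) adv=$new rot= ;;
        *) echo "render_dnscrypt_conf: stage must be 1, 2 or 3" >&2; return 1 ;;
    esac
    printf 'dnscrypt:\n'
    printf '    dnscrypt-enable: yes\n'
    printf '    dnscrypt-port: %s\n' "$DNSCRYPT_PORT"
    printf '    dnscrypt-provider: %s\n' "$PROVIDER"
    # Every key that may still have to decrypt a query is listed, whether or
    # not its cert is advertised; only the advertised cert goes in
    # dnscrypt-provider-cert, the other one in dnscrypt-provider-cert-rotated.
    printf '    dnscrypt-secret-key: "%s/%s.key"\n' "$DNSCRYPT_DIR" "$adv"
    [ -n "$rot" ] && printf '    dnscrypt-secret-key: "%s/%s.key"\n' "$DNSCRYPT_DIR" "$rot"
    printf '    dnscrypt-provider-cert: "%s/%s.cert"\n' "$DNSCRYPT_DIR" "$adv"
    [ -n "$rot" ] && printf '    dnscrypt-provider-cert-rotated: "%s/%s.cert"\n' "$DNSCRYPT_DIR" "$rot"
    return 0
}

# deploy_stage STAGE OLD NEW
# Writes the fragment, checks the whole configuration that includes it, and
# only then reloads. unbound-control reload re-reads the config and flushes
# the cache, so do this on a server you have taken out of the pool, as the
# reply above recommends. Keeps a .bak copy to roll back on a bad config.
deploy_stage() {
    out="$DNSCRYPT_DIR/dnscrypt.conf"
    [ -f "$out" ] && cp "$out" "$out.bak"
    render_dnscrypt_conf "$@" > "$out" || return 1
    if ! unbound-checkconf; then
        echo "deploy_stage: configuration rejected, restoring previous fragment" >&2
        [ -f "$out.bak" ] && mv "$out.bak" "$out"
        return 1
    fi
    unbound-control reload
}

# usage (run each stage on every server before moving to the next):
#   . ./rotate.sh; deploy_stage 1 2018-01-03 2018-01-04
#   . ./rotate.sh; deploy_stage 2 2018-01-03 2018-01-04
#   . ./rotate.sh; deploy_stage 3 2018-01-03 2018-01-04
```

Run stage 1 across the whole fleet before anyone runs stage 2; a server still at stage 1 cannot decrypt queries from a client that has already picked up the new cert from a stage-2 server, which is exactly the gap the -rotated option is there to close.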