Hi,
I’m running unbound with a TLS certificate with IP addresses in the Subject Alternate Names list. And… we are using the ACME protocol to renew the certificate, which means that the validity period for the certificate is capped at 6.5 days or thereabouts. Obviously, this pushes us to fully automate the certificate renewal, and I’m not completely finished with that action at the time of writing.
I’m currently using unbound 1.24.2 for this setup.
Unbound-control has various “methods” for reload / reconfiguration:
- reload_keep_cache (can keep cache if certain conditions are met)
- fast_reload (experimental, keeps cache)
- reload (flushes the cache)
and there’s of course also the operating system “restart unbound” operation.
To me it appears as if none of the three “reload” operations provided by unbound-control will re-configure to use a new TLS certificate, at least that is what ssllabs.com’s TLS tester tells me, so I am left with the only remaining operation, “restart unbound”. Obviously, this tosses any cache which has been built in the current process uptime. To my mind, running a good DNS recursor is to a large degree about “building a cache”, so having to do a full restart defeats that purpose.
So … this may be a “feature request”: is there any chance this operation of “start using a new TLS certificate” can be made to happen without having to toss the entire cache in the running unbound process?
Best regards,
Håvard
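An added example, not part of the post above: a renewal hook that tries the cache-preserving reload first and then checks whether the certificate unbound actually serves on its TLS port matches the new file on disk, falling back to a full restart only when it does not. The certificate path, the DoT listener address/port and the use of systemctl are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). After an ACME renewal, try a
# cache-preserving reload, then verify the served certificate really changed;
# only restart the daemon (and lose the cache) if the reload did not take.
# Assumptions (hypothetical, adjust to your setup): certificate at
# /etc/unbound/tls/fullchain.pem, DoT listener on 127.0.0.1:853,
# unbound-control configured to reach the running daemon, systemd service.
set -u

CERT_FILE="${CERT_FILE:-/etc/unbound/tls/fullchain.pem}"
DOT_ADDR="${DOT_ADDR:-127.0.0.1}"
DOT_PORT="${DOT_PORT:-853}"
RELOAD_CMDS="${RELOAD_CMDS:-reload_keep_cache}"   # e.g. "reload_keep_cache fast_reload"

# Reduce an "openssl x509 -fingerprint" line to bare lowercase hex so two
# fingerprints compare equal regardless of prefix, colons or letter case.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# SHA-256 fingerprint of the leaf certificate presented on the DoT port.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$DOT_ADDR:$DOT_PORT" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Returns 0 when the certificate unbound serves is the one on disk.
cert_is_live() {
    disk="$(file_fp "$CERT_FILE")"
    [ -n "$disk" ] && [ "$disk" = "$(served_fp)" ]
}

# Renewal hook: least disruptive reload first, full restart as last resort.
renew_hook() {
    for cmd in $RELOAD_CMDS; do
        unbound-control "$cmd" >/dev/null 2>&1 || continue
        sleep 1
        if cert_is_live; then
            echo "new certificate live after unbound-control $cmd (cache kept)"
            return 0
        fi
    done
    echo "reload did not pick up the new certificate; restarting unbound"
    systemctl restart unbound && sleep 1 && cert_is_live
}

if [ "${1:-}" = "run" ]; then renew_hook; fi
```

Invoke it as `sh renew-hook.sh run` from the ACME client's post-renewal hook; the fingerprint comparison is the same check the TLS tester performs, done locally against the listener.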