Just for clarity, I want to ask if Unbound loads the cert-bundle once before chroot? Or, is it reread or polled for updates? Is the current implementation the desired behavior? The documentation does not say what is done, or what the design intent should be:

    tls-cert-bundle: <file>
        If null or "", no file is used. Set it to the
        certificate bundle file, for example
        "/etc/pki/tls/certs/ca-bundle.crt". These certificates
        are used for authenticating connections made to
        outside peers. For example auth-zone urls, and also
        DNS over TLS connections.

Thank You
Eric