Load a certificate without restart

Unbound
1

Hello,

I'm wondering if unbound has a method where a new certificate can be loaded without restarting unbound. This would be helpful when loading for short-lived (1 day) DNSCrypt certificates and potentially for TLS certs from Let's Encrypt (3 Months). Ideally unbound would run forever without a restart when deploying secure transport for DNS.
I've attempted to write a auto-renew script: https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
But the problem is that I haven't found a way to tell unbound of the new cert without restarting the daemon. If there is a way I can't see it documented.

Not related but can someone tell me if using `serve-expired: yes` has some security risk? basically I'm trying to evaluate whether is better or worse than setting `cache-min-ttl: 1800`. The server has low usage and is in Australia. So on average the lookup time is around 350ms and I like to serve more replies from the cache.

Also may I ask on the progress on TLS-over-DNS? https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists OOOR and EDNS0 Keepalive as WIP

Thanks,
Sebastian

2

Hi Sebastian,

There is currently no easy way to rotate the certificates without restarting unbound.

You can gracefully rotate certs by using https://github.com/NLnetLabs/unbound/commit/52e2331dd495ca820c631d9aab6649455cb0c6e5#diff-47ddff7bf6b45ab98520775e2a29b9fd to advertise new certs while still handling the connections with the old ones, or more broadly if you have multiple servers that may receive queries:

  • start priming the new cert in (-rotated) mode so all servers could handle the new cert while not necessarily advertising it
  • once all servers have the new cert, move the old cert to -rotated, and remove the new one from -rotated after restarting, the new cert will be advertised while clients still using the old cert, will be able to query until they refresh their cert.

This does not solve the restart issue and the flushing of the cache, but if you have a way to gracefully take servers in and out of the pool, this will allow you to gracefully rotate the certs.

Manu

3

Hi Sebastian,

Hello,

I'm wondering if unbound has a method where a new certificate can be loaded without restarting unbound. This would be helpful when loading for short-lived (1 day) DNSCrypt certificates and potentially for TLS certs from Let's Encrypt (3 Months). Ideally unbound would run forever without a restart when deploying secure transport for DNS.
I've attempted to write a auto-renew script: https://gist.github.com/publicarray/a246106b5a6821b69b86e8d05ee41896
But the problem is that I haven't found a way to tell unbound of the new cert without restarting the daemon. If there is a way I can't see it documented.

Not related but can someone tell me if using `serve-expired: yes` has some security risk? basically I'm trying to evaluate whether is better or worse than setting `cache-min-ttl: 1800`. The server has low usage and is in Australia. So on average the lookup time is around 350ms and I like to serve more replies from the cache.

The issue is that it serves old data. Old data is the (potential)
security problem. It also uses the old validation status, until the
data and validation status are updated. The update mechanism is
scheduled by the serve-expired option.

Also may I ask on the progress on TLS-over-DNS? https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status Lists OOOR and EDNS0 Keepalive as WIP

OOOP is on the roadmap (for this year).

Best regards, Wouter