named reload and HTTPS certs

Richard T.A. Neal richard at richardneal.com
Sat Jun 5 09:41:08 UTC 2021


Hi Eric,

When I initially looked at this I was using “rndc reload” whenever changing the cert. Artem Boldariev (Lead Developer for DoH at the ISC) suggested that actually “rndc reconfig” would be the better way to do this since we only need named to re-read the config file, we *do not* need it to needlessly re-read the zone files if they haven’t been changed.

You can confirm this by running the following command against your BIND DoH server (obviously replace “your.server.net” with your name server’s FQDN):

$ openssl s_client -showcerts -connect your.server.net:443

Now edit named.conf.options to reference a different certificate, and then run “rndc reconfig”

Run the openssl command again and you will see that the certificate has indeed changed to the new one you specified in named.conf.options.

Best,

Richard.

From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Eric Germann via bind-users
Sent: 05 June 2021 3:00 am
To: bind-users at lists.isc.org
Subject: named reload and HTTPS certs

There’s been some great discussion lately on enabling DoH with LetsEncrypt certs.

My question is this:  If I renew the cert while named is running and do a reload on it, is that enough to pick up the new certs or do I need to stop/start the named process?

Basically, does reload only reload the zones or the entire config and subordinate files?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
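A scripted version of the before/after check Richard describes, added here as an example that is not part of the thread and not BIND's or the ISC's own code: it fetches the certificate the DoH listener presents and compares its SHA-256 fingerprint with the first certificate in the PEM file that named.conf.options references (a fullchain.pem from LetsEncrypt lists the leaf first). Host, port and file path are assumed command-line arguments; the PEM strings at the bottom are constructed placeholders used only for the self-check, not real certificates.

```python
"""Compare the certificate a BIND DoH listener serves with the PEM file
named.conf.options points at (stdlib only). Added example, not from the thread."""
import base64
import hashlib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_cert_block(pem_text: str) -> str:
    """Return the first BEGIN/END CERTIFICATE block of a PEM string.

    A chain file holds several certificates; the leaf is the first one and
    is the one the server presents as its own, so that is what we compare.
    """
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return pem_text[start:stop]


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex, no colons) of DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM string.

    Matches `openssl x509 -fingerprint -sha256 -noout` apart from the colons;
    ssl.PEM_cert_to_DER_cert only base64-decodes, it does not validate ASN.1.
    """
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(first_cert_block(pem_text)))


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate the listener at host:port presents.

    Validation is deliberately off (no CA bundle): we want to see what is
    served, even if it is a just-issued cert the client does not trust yet.
    """
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


def file_fingerprint(path: str) -> str:
    """Fingerprint of the first certificate in a PEM file on disk."""
    with open(path, "r", encoding="ascii") as fh:
        return pem_fingerprint(fh.read())


def cert_matches(host: str, port: int, cert_path: str) -> bool:
    """True when the served certificate is the one configured on disk."""
    return served_fingerprint(host, port) == file_fingerprint(cert_path)


# --- constructed placeholders for the self-check (not real certificates) ---
EXAMPLE_DER = b"constructed-fake-leaf-certificate-bytes"
EXAMPLE_OTHER_DER = b"constructed-fake-intermediate-bytes"
EXAMPLE_PEM = PEM_BEGIN + "\n" + base64.encodebytes(EXAMPLE_DER).decode() + PEM_END + "\n"
EXAMPLE_OTHER_PEM = PEM_BEGIN + "\n" + base64.encodebytes(EXAMPLE_OTHER_DER).decode() + PEM_END + "\n"
# A fullchain-style file: leaf first, then the issuer.
EXAMPLE_CHAIN = EXAMPLE_PEM + EXAMPLE_OTHER_PEM


if __name__ == "__main__":
    # Usage: python check_doh_cert.py your.server.net /path/to/fullchain.pem [port]
    if len(sys.argv) < 3:
        sys.exit("usage: check_doh_cert.py HOST CERT_PATH [PORT]")
    host, cert_path = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    served, on_disk = served_fingerprint(host, port), file_fingerprint(cert_path)
    print(f"served : {served}")
    print(f"on disk: {on_disk}")
    print("MATCH" if served == on_disk else "MISMATCH: named has not picked up the new cert")
```

Run it once against the live listener before editing named.conf.options and once after `rndc reconfig`; a MISMATCH after the reconfig means named is still serving the old certificate, which is exactly the condition Eric asked about. Because validation is disabled, the script only answers "is the served cert the configured one", not "is it trusted".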
