named reload and HTTPS certs
Eric Germann via bind-users
2021-06-05 01:59:58 UTC
There’s been some great discussion lately on enabling DoH with LetsEncrypt certs.

My question is this: If I renew the cert while named is running and do a reload on it, is that enough to pick up the new certs or do I need to stop/start the named process?

Basically, does reload only reload the zones or the entire config and subordinate files?

Thanks

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann
Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
Richard T.A. Neal
2021-06-05 09:41:08 UTC
Hi Eric,

When I initially looked at this I was using “rndc reload” whenever changing the cert. Artem Boldariev (Lead Developer for DoH at the ISC) suggested that actually “rndc reconfig” would be the better way to do this since we only need named to re-read the config file, we *do not* need it to needlessly re-read the zone files if they haven’t been changed.

You can confirm this by running the following command against your BIND DoH server (obviously replace “your.server.net” with your name server’s FQDN):

$ openssl s_client -showcerts -connect your.server.net:443

Now edit named.conf.options to reference a different certificate, and then run “rndc reconfig”

Run the openssl command again and you will see that the certificate has indeed changed to the new one you specified in named.conf.options.

Best,

Richard.

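The check Richard describes (look at the served cert, renew, “rndc reconfig”, look again) is easy to automate as a renewal deploy hook. The script below is an added example written for this thread; it is not code from the ISC or from either poster. It assumes named.conf has a “tls” block whose cert-file/key-file point at the Let's Encrypt paths shown, that rndc is configured on the same host, that the DoH listener is on port 443, and that certbot is the ACME client (it exports RENEWED_LINEAGE to deploy hooks). The hostname doh.example.net and the DOH_HOST/DOH_PORT variables are placeholders.

```shell
#!/bin/sh
# Added example for the bind-users thread above, not ISC code.
# Assumptions (adjust for your setup): named.conf has a "tls" block whose
# cert-file/key-file point at the Let's Encrypt lineage below, rndc works on
# this host, and DoH is served on port 443 of the assumed name doh.example.net.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file (colon-separated hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate the DoH listener actually presents.
# -servername sends SNI so a name-based tls configuration picks the right cert.
# Prints nothing when the connection fails.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Exit 0 when the listener at host:port serves exactly the certificate in file.
served_matches_file() {
    file=$1; host=$2; port=$3
    want=$(cert_fingerprint "$file")
    got=$(served_fingerprint "$host" "$port")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Deploy hook: re-read named.conf (and the cert files named in its tls block)
# with "rndc reconfig", which leaves unchanged zones alone, unlike "rndc reload".
# Then confirm the listener presents the renewed certificate, retrying briefly
# in case the reconfig has not completed by the time s_client connects.
deploy_hook() {
    file=$1; host=$2; port=${3:-443}
    echo "before reconfig: $(served_fingerprint "$host" "$port")"
    rndc reconfig
    i=0
    while [ "$i" -lt 5 ]; do
        if served_matches_file "$file" "$host" "$port"; then
            echo "after reconfig:  $(cert_fingerprint "$file") (matches $file)"
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "listener on $host:$port still does not serve $file" >&2
    return 1
}

# certbot usage (assumed install path):
#   certbot renew --deploy-hook "/usr/local/sbin/doh-cert-check.sh deploy"
# certbot sets RENEWED_LINEAGE; DOH_HOST/DOH_PORT are placeholders for this example.
case "${1:-}" in
    deploy)
        deploy_hook "${RENEWED_LINEAGE:-/etc/letsencrypt/live/doh.example.net}/fullchain.pem" \
                    "${DOH_HOST:-doh.example.net}" "${DOH_PORT:-443}"
        ;;
esac
```

A non-zero exit from the hook makes certbot log the failure, so a renewal that named did not pick up is noticed rather than silently leaving the old certificate in service until it expires.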