Hi Alex, On 09/10/2023 16:21, Alex Pavlov via Pdns-users wrote:
Meanwhile I have one question about the DoH & DoT implementation in DNSDIST 1.5 and higher. It is written in the documentation: "...like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's --deploy-hook feature to copy the files with the right permissions after a renewal."

So I set my CertBot up with a --deploy-hook which copies the certs into /etc/dnsdist and then does the proper chmod and chown on the files so dnsdist is able to read them. That is done and works fine... however it raises one more question: when the certs expire (after each 90 day period) and my CertBot does "certbot renew", it replaces the cert files in /etc/dnsdist and changes the permissions. Does the DNSDIST process detect that the files changed and serve DoH|DoT from the new cert files? Or do I need to add one more command to the --deploy-hook to restart DNSDIST if the certs changed (like "systemctl restart dnsdist")?
No, dnsdist doesn't monitor whether the certificate file changes on disk. You can either use the console to issue a 'reloadAllCertificates()' command which will reload all certificates and keys without interruption, or restart dnsdist.
Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/
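A deploy hook that does what the thread describes, as an added example (not code from the thread, from certbot, or from the dnsdist project): it copies the renewed chain and key out of certbot's lineage directory into /etc/dnsdist with tight permissions, then asks the running dnsdist to re-read them with the reloadAllCertificates() console command from the reply, so no restart is needed. certbot really does export RENEWED_LINEAGE to --deploy-hook scripts; the dnsdist account name `_dnsdist`, the target directory and the reload command (dnsdist's `-e` runs a console command against the daemon and needs controlSocket/setKey configured) are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook for dnsdist, not the project's own code.
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/doh.example.com).
# User name, directory and reload command below are assumptions.

DNSDIST_DIR="${DNSDIST_DIR:-/etc/dnsdist}"
DNSDIST_USER="${DNSDIST_USER:-_dnsdist}"   # assumed; dnsdist no longer runs as root since 1.5.0
DNSDIST_RELOAD="${DNSDIST_RELOAD:-dnsdist -e 'reloadAllCertificates()'}"

# copy_certs SRC_LINEAGE DST_DIR
# Copies fullchain.pem and privkey.pem into DST_DIR with 0644/0600 modes,
# writing to temporary names first and renaming so a reload never sees
# a half-written key. Runs in a subshell so the umask change stays local.
copy_certs() (
    src="$1"; dst="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "copy_certs: missing $src/$f" >&2; return 1; }
    done
    umask 077   # temporaries are created private, then opened up explicitly
    cp "$src/fullchain.pem" "$dst/fullchain.pem.tmp"
    cp "$src/privkey.pem"   "$dst/privkey.pem.tmp"
    chmod 0644 "$dst/fullchain.pem.tmp"
    chmod 0600 "$dst/privkey.pem.tmp"
    # Only root can hand the files to the dnsdist user; skip when not root
    # (or when the assumed account does not exist on this host).
    if [ "$(id -u)" -eq 0 ] && id "$DNSDIST_USER" >/dev/null 2>&1; then
        chown "$DNSDIST_USER" "$dst/fullchain.pem.tmp" "$dst/privkey.pem.tmp"
    fi
    mv "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
)

# reload_dnsdist: tell the running daemon to re-read certificates and keys
# over its console instead of restarting it.
reload_dnsdist() {
    sh -c "$DNSDIST_RELOAD"
}

# Entry point when certbot invokes this file as --deploy-hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" "$DNSDIST_DIR" && reload_dnsdist
fi
```

Install it as, for example, `certbot ... --deploy-hook /usr/local/bin/dnsdist-deploy.sh`; certbot only runs the hook for lineages that were actually renewed, so the reload happens just when the files changed. Keeping the copy and the reload in one script means the permission step from the documentation and the reloadAllCertificates() step from the reply cannot drift apart.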