[dnsdist] Dns over TLS, and certificates that expire
kai at xs4all.net
Thu Jun 7 13:30:11 UTC 2018
On 31-05-18 16:20, David wrote:
> On 2018-05-31 6:55 AM, Kai Storbeck wrote:
>> Hello all,
>> It seems to work wonderfully, or at least, "kdig" thinks it works.
>> Getting it by default in my
>> We will probably try to launch this soon, using a certificate from Let's
>> Encrypt. Those certificates live for 3 months, and I'd like to automate
>> the refreshing of this cert in dnsdist.
>> Now, my point:
>> As far as I know, hot reloading (or graceful reloading) is not supported
>> right now, or is it?
> This is not supported in dnsdist, but going by how quickly it restarts
> fully, is it really an issue?
I don't know. (digging with dnsgram) ...
For about 490ms the dnsdist process is not answering. This will drop ~5k
questions on the floor in our current setup. I find that quite a lot.
I tried this:
dnsdist -c cannot update the TLS listener (addTLSLocal cannot be used at
I've tried using a hot restarter wrapper around the daemon, but the
second instance gets these errors:
> jun 07 15:25:24 resolver-beta.xs4all.net hot-restarter.py: Unable to bind to control socket on 0.0.0.0:5199: binding socket to 0.0.0.0:5199: Address already in use
> jun 07 15:25:24 resolver-beta.xs4all.net hot-restarter.py: Unable to bind to webserver socket on 0.0.0.0:8083: binding socket to 0.0.0.0:8083: Address already in use