[dnsdist] Dns over TLS, and certificates that expire

Kai Storbeck kai at xs4all.net
Thu Jun 7 13:30:11 UTC 2018


Hi,

On 31-05-18 16:20, David wrote:
> On 2018-05-31 6:55 AM, Kai Storbeck wrote:
>> Hello all,
>>
>> It seems to work wonderfully, or at least, "kdig" thinks it works.
>> Getting it by default in my
>>
>> We will probably try to launch this soon, using a certificate from Let's
>> Encrypt. Those certificates live for 3 months, and I'd like to automate
>> the refreshing of this cert in dnsdist.
>>
>> Now, my point:
>>
>> As far as I know, hot reloading (or graceful reloading) is not supported
>> right now, or is it?
> 
> This is not supported in dnsdist, but going by how quick it restarts
> fully is it really an issue?

I don't know. (digging with dnsgram) ...

For about 490ms the dnsdist process is not answering. This will drop ~5k
questions on the floor in our current setup. I find that quite a lot.

I tried this:

dnsdist -c cannot update the TLS listener (addTLSLocal cannot be used at
runtime!).

I've tried using a hot restarter wrapper around the daemon, but the
second instance gets these errors:
> jun 07 15:25:24 resolver-beta.xs4all.net hot-restarter.py[8561]: Unable to bind to control socket on 0.0.0.0:5199: binding socket to 0.0.0.0:5199: Address already in use
> jun 07 15:25:24 resolver-beta.xs4all.net hot-restarter.py[8561]: Unable to bind to webserver socket on 0.0.0.0:8083: binding socket to 0.0.0.0:8083: Address already in use

Thoughts?

Regards,
Kai
