Document that 'rndc reconfig' will regenerate ephemeral TLS keys (whilst not recreating sockets and listeners entirely)
Summary
The 9.18 ARM does not document what happens to TLS listening sockets when rndc reconfig
is applied to a running server. Per engineering, a reconfig does recreate the TLS contexts (since the certificates/keys on disk could have changed). As a consequence, all ephemeral data generated for us by OpenSSL is replaced as well.
BIND version used
BIND 9.18+
Steps to reproduce
N/A (just search the ARM...)
What is the current bug behavior?
What happens is not documented anywhere.
What is the expected correct behavior?
Please document this. I would suggest as an addendum here to this paragraph:
There are two built-in TLS connection configurations: ephemeral, which uses a temporary key and certificate created for the current named session only, and none, which can be used when setting up an HTTP listener with no encryption.
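As an added operational check (not part of this issue or of BIND's own code), the script below records the SHA-256 fingerprint of the certificate named presents on its DoT listener, runs rndc reconfig, and reports whether the ephemeral certificate was regenerated; it assumes openssl and rndc are on PATH, that rndc is already authorised to the server, and that named listens with tls ephemeral on the host and port passed as arguments.

```shell
#!/bin/sh
# Added example: observe that 'rndc reconfig' regenerates the certificate of a
# 'tls ephemeral' listener. Not BIND's own code; host/port are assumptions.
set -eu

# Print the SHA-256 fingerprint of the leaf certificate served at host:port.
tls_cert_fingerprint() {
    host="$1"; port="$2"
    openssl s_client -connect "${host}:${port}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Classify two fingerprints: "error" if either is empty (no TLS answer),
# "rotated" if they differ, "unchanged" if they are identical.
fingerprint_status() {
    before="$1"; after="$2"
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "error"
    elif [ "$before" != "$after" ]; then
        echo "rotated"
    else
        echo "unchanged"
    fi
}

# Capture before, reconfigure, capture after; exit 0 only on rotation.
main() {
    host="${1:-127.0.0.1}"; port="${2:-853}"
    before=$(tls_cert_fingerprint "$host" "$port")
    rndc reconfig
    sleep 1   # give named a moment to finish rebuilding the TLS contexts
    after=$(tls_cert_fingerprint "$host" "$port")
    status=$(fingerprint_status "$before" "$after")
    echo "before: ${before:-<none>}"
    echo "after:  ${after:-<none>}"
    echo "status: $status"
    [ "$status" = "rotated" ]
}

# Run the live check only when a host argument is given, e.g.:
#   sh check-tls-rotation.sh 127.0.0.1 853
if [ "$#" -ge 1 ]; then main "$@"; fi
```

A client that pins the ephemeral certificate (rather than trusting a configured CA or a stable key on disk) will therefore lose connectivity on every reconfig, not only on a restart.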
Relevant configuration files
N/A
Relevant logs and/or screenshots
N/A
Possible fixes
See above