Open andreasschulze opened 4 years ago

In case one uses Let's Encrypt certificates to run Unbound as a DoT server, after 2-3 months a certificate renewal will happen. In this case Unbound has to be restarted so that the new certificate will be used.

It would be nice if Unbound (the same problem exists for NSD) could use new certificate + private key files on disk over time.

Postfix, for example, has a process model where an SMTP server lives only for a limited number of transactions and a limited amount of time. So new certificate files on disk will be used automatically as the Postfix master process creates new SMTP server processes.

I don't see this as easy in the code. Both Unbound and NSD read the secrets while privileged right now, and they drop it after. And it needs some sort of reload to move the SSL contexts in different workers. So it would be a reload anyway, which also clears the cache, so I don't see it as a really big difference? Is it more a quality of life issue, where you want it to 'just pick it up by itself'? (Even though I don't really know now how to do that easily)
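Until Unbound can pick up renewed files by itself, the practical workaround is an external check that notices a changed certificate or key on disk and triggers the reload the maintainers mention (which, as noted, also flushes the cache). The script below is an added example and is not part of Unbound or of this issue; the certificate, key and state paths and the use of `unbound-control reload` are assumptions for a typical Let's Encrypt layout, and it is meant to run from a timer or as a renewal hook.

```python
"""Reload Unbound when the DoT certificate or key on disk has changed (constructed example)."""
import hashlib
import json
import subprocess
from pathlib import Path

# Assumed deployment paths; adjust to your own layout.
CERT_PATH = Path("/etc/letsencrypt/live/dot.example.org/fullchain.pem")
KEY_PATH = Path("/etc/letsencrypt/live/dot.example.org/privkey.pem")
STATE_PATH = Path("/var/lib/unbound/dot-cert-state.json")
# 'unbound-control reload' re-reads config and TLS files; note it also clears the cache.
RELOAD_CMD = ["unbound-control", "reload"]


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents. Hashing rather than checking mtime avoids
    spurious reloads when a renewal run rewrites an unchanged file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def load_state(state_path: Path) -> dict:
    """Previously recorded fingerprints, or an empty dict on first run."""
    if not state_path.exists():
        return {}
    return json.loads(state_path.read_text())


def check_and_reload(cert_path: Path, key_path: Path, state_path: Path,
                     reload_cmd=RELOAD_CMD, run=subprocess.run) -> bool:
    """Reload Unbound if cert or key changed since the last check.

    Returns True when a reload was triggered. `run` is injectable so the
    logic can be exercised without a live Unbound. State is written only
    after a successful reload, so a failed reload is retried next time.
    """
    current = {"cert": fingerprint(cert_path), "key": fingerprint(key_path)}
    if load_state(state_path) == current:
        return False
    run(reload_cmd, check=True)
    state_path.write_text(json.dumps(current))
    return True


if __name__ == "__main__":
    if check_and_reload(CERT_PATH, KEY_PATH, STATE_PATH):
        print("certificate or key changed: unbound reloaded")
```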