Hi, while testing the latest NGINX source code around ~1.21.7, I've observed that enabling "ssl_stapling" without configuring a "resolver" makes NGINX cache the OCSP responder IP indefinitely, so, if the CA later changes the OCSP responder IP, NGINX is still going to try to get OCSP queries from the old IP (possibly inoperative now), irrespective of the DNS record TTL.

Now, I'm aware of https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling saying:

> For a resolution of the OCSP responder hostname, the resolver directive should also be specified.

And effectively, using the "resolver" directive, OCSP DNS records are refreshed, but it is not obvious at all what is going to happen if a "resolver" is not configured. Is there any documentation on this?

Additionally, what is the reason to not use the default system DNS resolvers in the standard way (i.e. respecting DNS TTLs) instead of performing the resolution only once when no "resolver" is configured?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293525,293525#msg-293525

_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
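The two configurations below illustrate the situation described in the post: stapling enabled with no "resolver" (the responder IP is resolved once and cached), and the same server with an explicit "resolver" so the OCSP responder hostname is re-resolved. This is an added example and not code from the post or from the NGINX project; the server name, certificate paths and the resolver address 127.0.0.53 are assumptions, and the two server blocks are before/after alternatives rather than something to deploy side by side.

```nginx
# BEFORE (assumed example): stapling on, but no "resolver" directive.
# Per the post, the OCSP responder hostname taken from the certificate is
# resolved once and the resulting IP is kept, regardless of the DNS TTL.
server {
    listen 443 ssl;
    server_name example.com;                              # assumed
    ssl_certificate     /etc/nginx/tls/fullchain.pem;     # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;       # assumed path

    ssl_stapling on;
    ssl_stapling_verify on;
    # CA chain used to verify the OCSP response (assumed path)
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;
    # no "resolver" here
}

# AFTER: explicit resolver, as the ssl_stapling documentation recommends.
# "valid=" replaces the record's TTL with a fixed cache lifetime; leave it out
# to honour the TTL the DNS record carries.
server {
    listen 443 ssl;
    server_name example.com;                              # assumed
    ssl_certificate     /etc/nginx/tls/fullchain.pem;     # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;       # assumed path

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;     # assumed path

    resolver 127.0.0.53 valid=300s ipv6=off;              # assumed: local stub resolver
    resolver_timeout 5s;
}

# Client-side check that a stapled response is actually being served
# (OpenSSL command line; shows "OCSP response: no response sent" when it is not):
#   openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>&1 | grep -i 'OCSP'
```

Because the OCSP response is fetched lazily by the worker that first needs it, run the openssl check twice after a reload: the first handshake often has no stapled response yet, and the second should carry one.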