https://dns.nextdns.io/ uses a short-lived certificate
Over the last couple of days I learned the downside the hard way of relying on DNS-over-HTTPS when said service uses a short-lived certificate that is only valid for a couple of months...
My router is configured to use NextDNS' DNS-over-HTTPS solution and that generally works great. But the problem occurs when upgrading the router... A router upgrade resets the system time back to 2026-01-01, and attempts to resolve the configured NTP server using NextDNS' DNS-over-HTTPS endpoint so that it can retrieve the current time...
And the NextDNS DNS-over-HTTPS endpoint just so happens to use a certificate that was issued on 2026-04-15... meaning a certificate that is not yet valid from the perspective of the router's local 2026-01-01 time...
Subsequently, as NextDNS' DNS-over-HTTPS endpoint couldn't be contacted, the NTP server couldn't be resolved, and the local system time could not be properly updated, all future DNS queries failed, as did various other features on the router that rely on valid HTTPS connections.
So, the "bug" here, from a NextDNS perspective, is that using a short-lived certificate for a DNS-over-HTTPS connection seems like quite the... short-lived idea (*ba dum tss*) since it means core functionality can fail if the local device time gets reset for any reason. If possible, I would recommend using a certificate that is valid for at least a year or two back, to allow traffic from devices with a potentially outdated local time.
1 reply
We age our certificates before use to avoid those situations, but it can’t solve all cases. This is always a trade-off between security and compatibility, and we are confident that our current approach strikes the right balance.
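As an added illustration (not code from the post or from NextDNS), this Python snippet checks a certificate's validity window against a device clock, traces the DoH/NTP bootstrap chain the post describes, and computes the margin that the certificate "aging" mentioned in the reply provides; the certificate dates, hostname and clocks are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# dates mirror the post (issued 2026-04-15, ~90-day lifetime), not real NextDNS data.
SAMPLE_CERT = {
    "subject": ((("commonName", "doh.example.invalid"),),),
    "notBefore": "Apr 15 00:00:00 2026 GMT",
    "notAfter": "Jul 14 00:00:00 2026 GMT",
}

# Constructed clocks: the factory-reset time from the post, and an assumed real time.
RESET_CLOCK = datetime(2026, 1, 1, tzinfo=timezone.utc)
REAL_NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)


def classify(cert: dict, local_now: datetime) -> str:
    """Return 'valid', 'not_yet_valid' or 'expired' as seen from the device clock."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = local_now.timestamp()
    if ts < not_before:
        return "not_yet_valid"
    if ts > not_after:
        return "expired"
    return "valid"


def backward_tolerance(cert: dict, true_now: datetime) -> timedelta:
    """How far behind real time a clock may sit before the handshake fails;
    this is the margin that 'aging' a certificate (an earlier notBefore) buys."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return max(true_now - not_before, timedelta(0))


def simulate_boot(cert: dict, local_now: datetime) -> list:
    """Trace the DoH -> NTP -> clock dependency chain described in the post."""
    status = classify(cert, local_now)
    trace = [f"DoH TLS handshake at local time {local_now:%Y-%m-%d}: {status}"]
    if status != "valid":
        trace.append("NTP hostname cannot be resolved over DoH")
        trace.append("clock never corrected; all later DNS and HTTPS fail")
    else:
        trace.append("NTP hostname resolved; clock synchronised")
    return trace
```

With the constructed dates, a clock reset to 2026-01-01 sees the certificate as not yet valid and the chain never recovers, while a device only five days behind the assumed real time would still complete the handshake.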