diff --git a/bin/named/server.c b/bin/named/server.c
index f7db73faf9..8943ce7e17 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6933,7 +6933,7 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) {
 UNUSED(task);
 isc_event_free(&event);
- ns_interfacemgr_scan(server->interfacemgr, false);
+ ns_interfacemgr_scan(server->interfacemgr, false, false);
 }
 static void
@@ -8933,7 +8933,7 @@ load_configuration(const char *filename, named_server_t *server,
 * to configure the query source, since the dispatcher we use might
 * be shared with an interface.
 */
- result = ns_interfacemgr_scan(server->interfacemgr, true);
+ result = ns_interfacemgr_scan(server->interfacemgr, true, true);
 /*
 * Check that named is able to TCP listen on at least one
@@ -10411,7 +10411,7 @@ named_server_scan_interfaces(named_server_t *server) {
 NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "automatic interface rescan");
- ns_interfacemgr_scan(server->interfacemgr, true);
+ ns_interfacemgr_scan(server->interfacemgr, true, false);
 }
 /*
diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h
index c52392156a..2331fc63e3 100644
--- a/lib/ns/include/ns/interfacemgr.h
+++ b/lib/ns/include/ns/interfacemgr.h
@@ -131,12 +131,15 @@ ns_interfacemgr_islistening(ns_interfacemgr_t *mgr);
 */
 isc_result_t
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose);
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose, bool config);
 /*%<
 * Scan the operatings system's list of network interfaces
 * and create listeners when new interfaces are discovered.
 * Shut down the sockets for interfaces that go away.
 *
+ * When 'config' is true, also shut down and recreate any existing TLS and HTTPS
+ * interfaces in order to use their new configuration.
+ *
 * This should be called once on server startup and then
 * periodically according to the 'interface-interval' option
 * in named.conf.
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 38de7cfe23..4c3eef92f9 100644
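Review bot: The two adjacent `bool` arguments at the `ns_interfacemgr_scan()` call sites are easy to transpose, and the compiler will not catch it. In `named_server_scan_interfaces`, writing `false, true` instead of `true, false` would silently make every rescan tear down and recreate the TLS/HTTPS listeners. Label the arguments where they are passed, e.g. `result = ns_interfacemgr_scan(server->interfacemgr, true /* verbose */, true /* config */);` in `load_configuration`. The same applies to `interface_timer_tick`, to `scan_event` in lib/ns/interfacemgr.c and to `scan_interfaces` in lib/ns/tests/nstest.c. All three server.c functions begin or end outside their hunks.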
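Review bot: The paragraph added to the `ns_interfacemgr_scan()` comment in interfacemgr.h documents only the `config == true` case. It should also say what `false` does, because that is the value every timer-driven and event-driven caller in this diff passes. Suggested addition after the new lines: ` * When 'config' is false, existing TLS and HTTPS listeners are left in place;` followed by ` * changed certificates are only picked up by a scan with 'config' set.` Going by the comment in do_scan, a replaced certificate presumably takes effect only through the reconfiguration path. Operators rotating a certificate or key would want that stated in the API contract.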
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -98,7 +98,7 @@ scan_event(isc_task_t *task, isc_event_t *event) {
 UNUSED(task);
- ns_interfacemgr_scan(mgr, false);
+ ns_interfacemgr_scan(mgr, false, false);
 isc_event_free(&event);
 }
@@ -851,7 +851,7 @@ clearlistenon(ns_interfacemgr_t *mgr) {
 }
 static isc_result_t
-do_scan(ns_interfacemgr_t *mgr, bool verbose) {
+do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 isc_interfaceiter_t *iter = NULL;
 bool scan_ipv4 = false;
 bool scan_ipv6 = false;
@@ -919,10 +919,10 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose) {
 if (ifp != NULL) {
 /*
 * We need to recreate the TLS/HTTPS listeners
- * because the certificates could have been
- * changed on reconfiguration.
+ * during reconfiguration because the
+ * certificates could have been changed.
 */
- if (le->sslctx != NULL) {
+ if (config && le->sslctx != NULL) {
 INSIST(NS_INTERFACE_VALID(ifp));
 LOCK(&mgr->lock);
 ISC_LIST_UNLINK(ifp->mgr->interfaces,
@@ -1104,10 +1104,10 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose) {
 if (ifp != NULL) {
 /*
 * We need to recreate the TLS/HTTPS listeners
- * because the certificates could have been
- * changed on reconfiguration.
+ * during a reconfiguration because the
+ * certificates could have been changed.
 */
- if (le->sslctx != NULL) {
+ if (config && le->sslctx != NULL) {
 INSIST(NS_INTERFACE_VALID(ifp));
 LOCK(&mgr->lock);
 ISC_LIST_UNLINK(ifp->mgr->interfaces,
@@ -1207,7 +1207,7 @@ cleanup_iter:
 }
 static isc_result_t
-ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose) {
+ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 isc_result_t result;
 bool purge = true;
@@ -1215,7 +1215,7 @@ ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose) {
 mgr->generation++; /* Increment the generation count. */
- result = do_scan(mgr, verbose);
+ result = do_scan(mgr, verbose, config);
 if ((result != ISC_R_SUCCESS) && (result != ISC_R_ADDRINUSE)) {
 purge = false;
 }
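Review bot: The `config && le->sslctx != NULL` guard is added to two copies of the same teardown block in do_scan (the hunks at -919 and -1104), and the reworded comments already differ: "during reconfiguration" in one, "during a reconfiguration" in the other. Use one wording in both, e.g. ` * during reconfiguration because the`, and consider moving the shared block into a single static helper later so the guard cannot be dropped from one path only. The block continues past `ISC_LIST_UNLINK` outside both hunks, so what happens when recreating the listener fails after the old one was unlinked cannot be checked from here. If that case leaves the TLS/HTTPS endpoint down, it should at least be logged.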
@@ -1249,7 +1249,7 @@ ns_interfacemgr_islistening(ns_interfacemgr_t *mgr) {
 }
 isc_result_t
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 isc_result_t result;
 bool unlock = false;
@@ -1263,7 +1263,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
 unlock = true;
 }
- result = ns_interfacemgr_scan0(mgr, verbose, config);
+ result = ns_interfacemgr_scan0(mgr, verbose, config);
 if (unlock) {
 isc_task_endexclusive(mgr->excl);
diff --git a/lib/ns/tests/nstest.c b/lib/ns/tests/nstest.c
index 15614e1059..3c458ca1d6 100644
--- a/lib/ns/tests/nstest.c
+++ b/lib/ns/tests/nstest.c
@@ -211,7 +211,7 @@ static void scan_interfaces(isc_task_t *task, isc_event_t *event) {
 UNUSED(task);
- ns_interfacemgr_scan(interfacemgr, true);
+ ns_interfacemgr_scan(interfacemgr, true, false);
 isc_event_free(&event);
 }
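Review bot: `scan_interfaces()` in lib/ns/tests/nstest.c now passes `config = false`, so nothing visible in this diff drives the new `config == true` branch of do_scan from the unit-test helper. That branch is the one that unlinks and recreates TLS/HTTPS listeners, and the `false` case is the one that must leave them alone. Both deserve a test, though coverage may exist elsewhere in the tree. At minimum, add a comment at the call such as `/* config=false: TLS/HTTPS listener recreation is not exercised here */`.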