<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }body { font-size: 10.5pt; font-family: 'Microsoft YaHei UI'; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div style="font-size: 13px;">Thanks. But you did not include the 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field in the stubby.conf file.</div>
<div style="font-size: 13px;"><br></div><div style="font-size: 13px;">-Xiaomin</div><hr style="width: 210px; height: 1px;" color="#b5c4df" size="1" align="left">
<div><span><div style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>xmgao@biigroup.cn</div></div></span></div>
<blockquote style="margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em;"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:sca@andreasschulze.de">A. Schulze</a></div><div><b>Date:</b> 2017-04-19 16:25</div><div><b>To:</b> <a href="mailto:users@getdnsapi.net">libgetdns users list</a></div><div><b>Subject:</b> Re: [getdns-users] A question on stubby</div></div></div><div><div> </div>
<div>xmgao:</div>
<div> </div>
<div>> Hello everyone,</div>
<div>> I’m Xiaomin, a young engineer in this field. I’m trying to set up a </div>
<div>> DNS-over-TLS demo using Stubby recently. Now it works in </div>
<div>> opportunistic mode, but fails in strict mode with the </div>
<div>> 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field. AFAIK, </div>
<div>> the server is using a Let's Encrypt cert. What should I do on the client </div>
<div>> side (stubby) to verify the cert? Do I need to make extra configuration </div>
<div>> on Stubby or openssl?</div>
<div> </div>
<div>Hello,</div>
<div> </div>
<div>I use this configuration:</div>
<div> </div>
<div> $ cat /etc/resolv.conf</div>
<div> nameserver ::1</div>
<div> </div>
<div> $ cat /etc/stubby.conf</div>
<div> { resolution_type: GETDNS_RESOLUTION_STUB</div>
<div> , dns_transport_list: [ GETDNS_TRANSPORT_TLS ]</div>
<div> , upstream_recursive_servers:</div>
<div> [ { address_data: 2a00:e50:f15c:1000::2:53</div>
<div> , tls_auth_name: "yeti-rr.datev.net"</div>
<div> , tls_pubkey_pinset:</div>
<div> [ { digest: "sha256"</div>
<div> , value: QFWn+jgr2FfkRjCw8J77QJbChem3FUGwi9Ntp67SnVg=</div>
<div> } ]</div>
<div> } ]</div>
<div> , idle_timeout: 10000</div>
<div> }</div>
<div> </div>
<div> $ stubby -C /etc/stubby.conf</div>
<div> </div>
<div> $ dig hostname.bind. txt chaos +short</div>
<div> "see https://yeti-rr.datev.net"</div>
<div> </div>
<div> </div>
<div>This forwards all requests to the Yeti-DNS Resolver. The Resolver uses </div>
<div>the same LE certificate</div>
<div>on https/443 and domain-s/853. The Resolver is IPv6 only but capable </div>
<div>of reaching name servers via IPv4.</div>
<div>So it /should/ reach the whole internet...</div>
<div> </div>
<div>BTW.</div>
<div>stubby.conf was created (guessing) using information on </div>
<div>https://getdnsapi.net/blog/dns-privacy-daemon-stubby/</div>
<div>The example file (src/tools/stubby.conf) mentioned there doesn't exist </div>
<div>in the current release.</div>
<div> </div>
<div>Any formal documentation on stubby.conf is really required!</div>
<div> </div>
<div>Andreas</div>
<div> </div>
<div>_______________________________________________</div>
<div>Users mailing list</div>
<div>Users@getdnsapi.net</div>
<div>https://getdnsapi.net/mailman/listinfo/users</div>
</div></blockquote>
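<div>The strict-mode form of the configuration quoted above, with the 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field Xiaomin asks about, as an added example that is not code from the thread or from the getdns project. It assumes openssl is on PATH; the address and auth name are copied from Andreas's config, and the certificate it pins is a constructed self-signed stand-in, so the resulting pin is for demonstration only.</div>

```shell
#!/bin/sh
# Added example (not from the thread): derive a getdns/Stubby SPKI pin from a
# certificate and write a strict-mode stubby.conf around it. Assumes openssl
# is on PATH; address and auth name are copied from Andreas's config.
set -eu

# Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the RFC 7469 form that
# getdns' tls_pubkey_pinset expects. For a live upstream, feed it the cert
# the server presents on 853 instead, e.g.:
#   openssl s_client -connect "[ADDR]:853" -servername NAME </dev/null \
#     | openssl x509 > upstream.pem
spki_pin() {   # $1 = PEM certificate file; prints the pin
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# Strict mode: tls_authentication makes Stubby refuse the upstream unless
# both the auth name and the pin verify, instead of falling back silently.
write_strict_conf() {   # $1=out file $2=address_data $3=tls_auth_name $4=pin
    cat > "$1" <<EOF
{ resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
, upstream_recursive_servers:
  [ { address_data: $2
    , tls_auth_name: "$3"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
        , value: $4
        } ]
    } ]
, idle_timeout: 10000
}
EOF
}

# Demo: a constructed self-signed certificate stands in for the upstream's
# Let's Encrypt cert (the pin covers the key, not the issuer).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=yeti-rr.datev.net" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
PIN=$(spki_pin "$WORK/cert.pem")
write_strict_conf "$WORK/stubby.conf" 2a00:e50:f15c:1000::2:53 yeti-rr.datev.net "$PIN"
cat "$WORK/stubby.conf"
```

Against a real upstream, replace the constructed cert with one fetched from the server as in the comment, then run the same `dig hostname.bind. txt chaos +short` check from Andreas's mail to confirm the strict session is actually used.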
</body></html>