[getdns-users] A question on stubby
A. Schulze
sca at andreasschulze.de
Wed Apr 19 08:25:23 UTC 2017
xmgao:
> Hello everyone,
> I’m Xiaomin, a young engineer in this field. I’m trying to set up a
> DNS-over-TLS demo using Stubby recently. Now it works in
> opportunistic mode, but failed in strict mode with the
> 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field. AFAIK,
> the server is using a Let's Encrypt cert. What should I do on the client
> side (Stubby) to verify the cert? Do I need to make extra configuration
> on Stubby or openssl?
Hello,
I use this configuration:
$ cat /etc/resolv.conf
nameserver ::1
$ cat /etc/stubby.conf
{ resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, upstream_recursive_servers:
[ { address_data: 2a00:e50:f15c:1000::2:53
, tls_auth_name: "yeti-rr.datev.net"
, tls_pubkey_pinset:
[ { digest: "sha256"
, value: QFWn+jgr2FfkRjCw8J77QJbChem3FUGwi9Ntp67SnVg=
} ]
} ]
, idle_timeout: 10000
}
$ stubby -C /etc/stubby.conf
$ dig hostname.bind. txt chaos +short
"see https://yeti-rr.datev.net"
This forwards all requests to the Yeti-DNS Resolver. The Resolver uses
the same LE certificate on https/443 and domain-s/853. The Resolver is
IPv6 only but capable of reaching name servers via IPv4.
So it /should/ reach the whole internet...
BTW.
stubby.conf was created (guessing) using information on
https://getdnsapi.net/blog/dns-privacy-daemon-stubby/
The example file (src/tools/stubby.conf) mentioned there doesn't exist
in the current release.
Any formal documentation on stubby.conf is really required!
Andreas
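The tls_pubkey_pinset value in the configuration above is the base64 encoding of the SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo (the same form HPKP uses), not a hash of the whole certificate. The following is an added example, not part of the thread and not code from the getdns or Stubby projects, that derives such a value with openssl. It generates a throwaway self-signed certificate (a constructed stand-in for the resolver's Let's Encrypt certificate), computes the pin from the certificate and independently from the private key, and checks that the two agree. The function names are my own.

```shell
#!/bin/sh
# Added example: derive a Stubby tls_pubkey_pinset value from a certificate.
# Requires openssl. Pin = base64( SHA-256( DER SubjectPublicKeyInfo ) ).

spki_pin_from_cert() {
  # $1: path to a PEM certificate (e.g. the resolver's leaf certificate)
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

spki_pin_from_key() {
  # $1: path to a PEM private key; the pin is over the public half only,
  # so this must equal spki_pin_from_cert for the matching certificate.
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

make_test_cert() {
  # Constructed sample input: a one-day self-signed certificate written to
  # $1/test.key and $1/test.crt, generated offline for this example.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pin-example.invalid" \
    -keyout "$1/test.key" -out "$1/test.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
pin_from_cert=$(spki_pin_from_cert "$demo_dir/test.crt")
pin_from_key=$(spki_pin_from_key "$demo_dir/test.key")

echo "tls_pubkey_pinset value: $pin_from_cert"
[ "$pin_from_cert" = "$pin_from_key" ] && echo "cross-check: certificate and key agree"
rm -rf "$demo_dir"

# Against a live DNS-over-TLS resolver (not run here), fetch the leaf
# certificate first and then apply the same function, e.g. for the upstream
# in the configuration above:
#   openssl s_client -connect '[2a00:e50:f15c:1000::2]:853' \
#       -servername yeti-rr.datev.net </dev/null 2>/dev/null \
#     | openssl x509 > resolver.crt
#   spki_pin_from_cert resolver.crt
# The printed value should match the configured pinset entry; a mismatch
# after the operator renews with a new key is the usual reason strict mode
# stops working, so re-derive the pin after every key rollover.
```

The value is 44 characters because SHA-256 yields 32 bytes, which base64 encodes to 44 characters including one padding "=". Pinning the SubjectPublicKeyInfo rather than the certificate means the pin survives a Let's Encrypt renewal as long as the operator reuses the same key pair; if the key changes, the pin must be updated or strict mode will refuse the upstream.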