[getdns-users] A question on stubby
Sara Dickinson
sara at sinodun.com
Wed Apr 19 08:34:42 UTC 2017
> On 19 Apr 2017, at 07:54, xmgao at biigroup.cn wrote:
>
> Hello everyone,
> I’m Xiaomin, a young engineer in this field. I’m trying to set up a DNS-over-TLS demo using Stubby recently. Now it works in opportunistic mode, but failed in strict mode with the 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field. AFAIK, the server is using a Let's Encrypt cert. What should I do on the client side (Stubby) to verify the cert? Do I need to make extra configuration on Stubby or openssl?
Hi Xiaomin,
Thanks for your question. Can you let me know which version of Stubby you are using? I would recommend using the recent 1.1.0 release.
To validate a nameserver Stubby needs one of
- an authentication domain name or
- a SPKI pin
The easiest way to set up strict authentication is to use the default configuration file that is in the getdns source code in src/tools/stubby.conf which has this information in for several servers. Then tell Stubby where to find this file by using the ‘-C’ flag on the command line. I’ve attached the stubby.conf file here for reference. This configuration will run in Strict mode, using all the servers listed.
If you want a simple demo then I suggest just using a single server that has a Let’s Encrypt certificate. I’ve created a file for that too using the getdns nameserver and attached it (stubby_one_server.conf).
Hope this helps
Regards
Sara.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stubby.conf
Type: application/octet-stream
Size: 2149 bytes
Desc: not available
URL: <http://lists.getdnsapi.net/pipermail/users/attachments/20170419/e32b05f9/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stubby_one_server.conf
Type: application/octet-stream
Size: 535 bytes
Desc: not available
URL: <http://lists.getdnsapi.net/pipermail/users/attachments/20170419/e32b05f9/attachment-0001.obj>
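
Added example (not part of the original message and not getdns/Stubby code): what an SPKI pin, the second validation option named in the reply, is computed over. The pin is a SHA-256 digest of the certificate's SubjectPublicKeyInfo only, so a reissued certificate that keeps the same key keeps the same pin. All function names and the certificate skeletons are constructed for illustration.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(cert):
    """Return the raw SubjectPublicKeyInfo bytes of a DER X.509 certificate."""
    tag, pos, _ = read_tlv(cert, 0)         # Certificate ::= SEQUENCE
    tag2, pos, _ = read_tlv(cert, pos)      # TBSCertificate ::= SEQUENCE
    if (tag, tag2) != (0x30, 0x30):
        raise ValueError("not a DER certificate")
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def spki_pin(cert):
    """SHA-256 over the SPKI, base64-encoded (the RFC 7469 pin format)."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert)).digest()).decode()

# --- constructed sample data: certificate skeletons, not real signed certificates ---
def der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

ALG = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
SAMPLE_SPKI = der(0x30, ALG + der(0x03, b"\x00" + bytes(range(64))))

def toy_cert(serial):
    """Skeleton whose serial changes (as on renewal) while the key stays the same."""
    validity = der(0x30, der(0x17, b"170419000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + ALG
              + der(0x30, b"") + validity + der(0x30, b"") + SAMPLE_SPKI)
    return der(0x30, tbs + ALG + der(0x03, b"\x00" * 33))

if __name__ == "__main__":
    print(spki_pin(toy_cert(1)), spki_pin(toy_cert(2)) == spki_pin(toy_cert(1)))
```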