[getdns-users] A question on stubby

xmgao at biigroup.cn xmgao at biigroup.cn
Wed Apr 19 09:36:26 UTC 2017


Hi Sara,

Thanks for your advice. I followed your instructions: I updated Stubby to version 1.1.0 and rebuilt it. I used the stubby_one_server.conf as you suggested, but I still encounter the same problem. I printed the error messages as follows:

[09:29:08.290308] => ENTRY:        _getdns_submit_stub_request        : MSG: 0x9122658 TYPE: 1
[09:29:08.290426] --- SETUP:       upstream_select_stateful           : Testing upstreams  0 0
[09:29:08.290436] --- SETUP:       upstream_select_stateful           : Testing upstreams  1 0
[09:29:08.290443] --- SETUP:       upstream_connect                   : Getting upstream connection:  0x9121fec
[09:29:08.290448] --- SETUP:       tcp_connect                        : Creating TCP connection:      0x9121fec
[09:29:08.290776] --- SETUP(TLS):  tls_create_object                  : Hostname verification requested for: getdnsapi.net
[09:29:08.290790] --- SETUP(TLS):  tls_create_object                  : ERROR: TLS Authentication functionality not available
[09:29:08.290802] --- CLEANUP:     upstream_failed                    : FD:  5 Failure during connection setup = 1
[09:29:08.290822] --- SETUP:       upstream_select_stateful           : Testing upstreams  0 0
[09:29:08.290827] --- SETUP:       upstream_select_stateful           : Testing upstreams  1 3
[09:29:08.290832] ----- SCHEDULE:  upstream_find_for_netreq           : MSG: 0x9122658 No valid upstream! 
[09:29:08.290840] GETDNS_DAEMON:   *FAILURE* no valid transports or upstreams available!
Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports

Regards,
Xiaomin




xmgao at biigroup.cn
 
From: Sara Dickinson
Date: 2017-04-19 16:34
To: libgetdns users list
Subject: Re: [getdns-users] A question on stubby

On 19 Apr 2017, at 07:54, xmgao at biigroup.cn wrote:

Hello everyone, 
I’m Xiaomin, a young engineer in this field. I have recently been trying to set up a DNS-over-TLS demo using Stubby. It now works in opportunistic mode, but fails in strict mode with the 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field. AFAIK, the server is using a Let's Encrypt cert. What should I do on the client side (Stubby) to verify the cert? Do I need to make extra configuration changes in Stubby or OpenSSL?

Hi Xiaomin,

Thanks for your question. Can you let me know which version of Stubby you are using? I would recommend using the recent 1.1.0 release.

To validate a nameserver, Stubby needs one of:
- an authentication domain name or
- a SPKI pin

The easiest way to set up strict authentication is to use the default configuration file that is in the getdns source code in src/tools/stubby.conf, which has this information for several servers. Then tell Stubby where to find this file by using the ‘-C’ flag on the command line. I’ve attached the stubby.conf file here for reference. This configuration will run in Strict mode, using all the servers listed.

If you want a simple demo then I suggest just using a single server that has a Let’s Encrypt certificate. I’ve created a file for that too using the getdns nameserver and attached it (stubby_one_server.conf). 

Hope this helps

Regards

Sara. 
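
A small triage script for the debug output quoted in the first message, added here as an illustration and not part of the original thread or of getdns: it pulls the requested authentication name, the TLS setup error and the failed connection out of a stub debug log. The function name `triage` and the result keys are hypothetical; the log lines are copied from the message above.

```python
import re

# Debug lines copied from the message above (getdns stub debug output).
SAMPLE_LOG = """\
[09:29:08.290443] --- SETUP:       upstream_connect                   : Getting upstream connection:  0x9121fec
[09:29:08.290776] --- SETUP(TLS):  tls_create_object                  : Hostname verification requested for: getdnsapi.net
[09:29:08.290790] --- SETUP(TLS):  tls_create_object                  : ERROR: TLS Authentication functionality not available
[09:29:08.290802] --- CLEANUP:     upstream_failed                    : FD:  5 Failure during connection setup = 1
[09:29:08.290832] ----- SCHEDULE:  upstream_find_for_netreq           : MSG: 0x9122658 No valid upstream!
[09:29:08.290840] GETDNS_DAEMON:   *FAILURE* no valid transports or upstreams available!
"""

# Layout seen in the log: "[time] <marker> STAGE: function : message"
LINE = re.compile(
    r"^\[(?P<ts>[\d:.]+)\]\s+\S+\s+(?P<stage>[A-Z()]+):\s+"
    r"(?P<func>\w+)\s+:\s(?P<msg>.*)$"
)

def triage(log_text):
    """Summarise why a query could not be scheduled in strict mode."""
    result = {"auth_name": None, "tls_errors": [], "failed_fds": [],
              "query_failed": False}
    for raw in log_text.splitlines():
        if "*FAILURE*" in raw or "No valid upstream" in raw:
            result["query_failed"] = True
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # daemon-level lines do not follow the stage layout
        stage, func, msg = m["stage"], m["func"], m["msg"].strip()
        if stage == "SETUP(TLS)" and msg.startswith("Hostname verification"):
            # Authentication domain name the client was asked to verify
            result["auth_name"] = msg.rsplit(":", 1)[1].strip()
        elif stage == "SETUP(TLS)" and msg.startswith("ERROR:"):
            # Keep the function name: it shows where TLS setup stopped
            result["tls_errors"].append((m["ts"], func, msg[6:].strip()))
        elif func == "upstream_failed":
            fd = re.search(r"FD:\s*(\d+)", msg)
            if fd:
                result["failed_fds"].append(int(fd.group(1)))
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted log the error is recorded against `tls_create_object`, so the connection is abandoned while the TLS object is being created, before the `upstream_failed` cleanup line.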


