[getdns-users] A question on stubby

xmgao at biigroup.cn xmgao at biigroup.cn
Wed Apr 19 09:39:03 UTC 2017


Thanks. But you do not include the 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field in the stubby.conf file.

-Xiaomin


xmgao at biigroup.cn
 
From: A. Schulze
Date: 2017-04-19 16:25
To: libgetdns users list
Subject: Re: [getdns-users] A question on stubby
 
xmgao:
 
> Hello everyone,
> I'm Xiaomin, a young engineer in this field. I'm trying to set up a
> DNS-over-TLS demo using Stubby recently. Now it works in
> opportunistic mode, but failed in strict mode with the
> 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field. AFAIK,
> the server is using a Let's Encrypt cert. What should I do on the client
> side (stubby) to verify the cert? Do I need to make extra configuration
> on Stubby or openssl?
 
Hello,
 
I use this configuration:
 
     $ cat /etc/resolv.conf
     nameserver ::1
 
     $ cat /etc/stubby.conf
     { resolution_type: GETDNS_RESOLUTION_STUB
     , dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
     , upstream_recursive_servers:
       [ { address_data: 2a00:e50:f15c:1000::2:53
         , tls_auth_name: "yeti-rr.datev.net"
         , tls_pubkey_pinset:
           [ { digest: "sha256"
             , value: QFWn+jgr2FfkRjCw8J77QJbChem3FUGwi9Ntp67SnVg=
           } ]
        } ]
     , idle_timeout: 10000
     }
 
     $ stubby -C /etc/stubby.conf
 
     $ dig hostname.bind. txt chaos +short
     "see https://yeti-rr.datev.net"
 
 
This forwards all requests to the Yeti-DNS Resolver. The Resolver uses
the same LE certificate on https/443 and domain-s/853. The Resolver is
IPv6 only but capable of reaching name servers via IPv4.
So it /should/ reach the whole internet...
 
BTW.
stubby.conf was created (guessing) using information on
https://getdnsapi.net/blog/dns-privacy-daemon-stubby/
The example file (src/tools/stubby.conf) mentioned there doesn't exist
in the current release.
 
Any formal documentation on stubby.conf is really required!
 
Andreas
 