[getdns-users] A question on stubby

Sara Dickinson sara at sinodun.com
Wed Apr 19 09:50:34 UTC 2017


Hi Xiaomin, 

Thanks for the reply and the log output. I suspect that the version of OpenSSL you are using is quite old? You need version 1.0.1 or later for TLS support and version 1.0.2 or later is required for TLS hostname authentication. This message is output if the version is less than 1.0.2. 

Regards

Sara. 

> On 19 Apr 2017, at 10:36, xmgao at biigroup.cn wrote:
> 
> Hi Sara,
> 
> Thanks for your advice. I followed your instructions: updated stubby to version 1.1.0 and rebuilt it. I used the stubby_one_server.conf as you suggested, but I still encounter the same problem. I print the error msg as follows:
> 
> [09:29:08.290308] => ENTRY:        _getdns_submit_stub_request        : MSG: 0x9122658 TYPE: 1
> [09:29:08.290426] --- SETUP:       upstream_select_stateful           : Testing upstreams  0 0
> [09:29:08.290436] --- SETUP:       upstream_select_stateful           : Testing upstreams  1 0
> [09:29:08.290443] --- SETUP:       upstream_connect                   : Getting upstream connection:  0x9121fec
> [09:29:08.290448] --- SETUP:       tcp_connect                        : Creating TCP connection:      0x9121fec
> [09:29:08.290776] --- SETUP(TLS):  tls_create_object                  : Hostname verification requested for: getdnsapi.net
> [09:29:08.290790] --- SETUP(TLS):  tls_create_object                  : ERROR: TLS Authentication functionality not available
> [09:29:08.290802] --- CLEANUP:     upstream_failed                    : FD:  5 Failure during connection setup = 1
> [09:29:08.290822] --- SETUP:       upstream_select_stateful           : Testing upstreams  0 0
> [09:29:08.290827] --- SETUP:       upstream_select_stateful           : Testing upstreams  1 3
> [09:29:08.290832] ----- SCHEDULE:  upstream_find_for_netreq           : MSG: 0x9122658 No valid upstream! 
> [09:29:08.290840] GETDNS_DAEMON:   *FAILURE* no valid transports or upstreams available!
> Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports
> 
> Regards,
> Xiaomin
> 
> 
> xmgao at biigroup.cn
>  
> From: Sara Dickinson <sara at sinodun.com>
> Date: 2017-04-19 16:34
> To: libgetdns users list <users at getdnsapi.net>
> Subject: Re: [getdns-users] A question on stubby
> 
> >> On 19 Apr 2017, at 07:54, xmgao at biigroup.cn wrote:
>> 
>> Hello everyone, 
> >> I’m Xiaomin, a young engineer in this field. I’m trying to set up a DNS-over-TLS demo using Stubby. Now it works in opportunistic mode, but fails in strict mode with the 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' field. AFAIK, the server is using a Let's Encrypt cert. What should I do on the client side (Stubby) to verify the cert? Do I need to make extra configuration on Stubby or OpenSSL?
> 
> Hi Xiaomin,
> 
> Thanks for your question. Can you let me know which version of Stubby you are using? I would recommend using the recent 1.1.0 release.
> 
> To validate a nameserver Stubby needs one of
> - an authentication domain name or
> - a SPKI pin
> 
> The easiest way to set up strict authentication is to use the default configuration file that is in the getdns source code in src/tools/stubby.conf which has this information in for several servers. Then tell Stubby where to find this file by using the ‘-C’ flag on the command line. I’ve attached the stubby.conf file here for reference. This configuration will run in Strict mode, using all the servers listed. 
> 
> If you want a simple demo then I suggest just using a single server that has a Let’s Encrypt certificate. I’ve created a file for that too using the getdns nameserver and attached it (stubby_one_server.conf). 
> 
> Hope this helps
> 
> Regards
> 
> Sara. 
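As an added example (not code from this thread or from the getdns project), here is a small Python helper that parses debug lines in the format Xiaomin posted, maps them to the diagnosis Sara gives, and checks an `openssl version` string against the requirements she states (1.0.1 for TLS, 1.0.2 for hostname authentication). The log excerpt is constructed from the lines above, and the regex layout is an assumption about the log format.

```python
import re

# Constructed excerpt, copied from the debug output quoted in the thread.
SAMPLE_LOG = """\
[09:29:08.290776] --- SETUP(TLS):  tls_create_object                  : Hostname verification requested for: getdnsapi.net
[09:29:08.290790] --- SETUP(TLS):  tls_create_object                  : ERROR: TLS Authentication functionality not available
[09:29:08.290802] --- CLEANUP:     upstream_failed                    : FD:  5 Failure during connection setup = 1
[09:29:08.290832] ----- SCHEDULE:  upstream_find_for_netreq           : MSG: 0x9122658 No valid upstream!
"""

# Assumed layout: [timestamp] <marker> PHASE: function : message
LOG_RE = re.compile(
    r"^\[(?P<ts>[\d:.]+)\]\s+[-=>]*\s*(?P<phase>[A-Z_()]+):\s+(?P<func>\S+)\s*:\s*(?P<msg>.*)$"
)

# Message fragment -> what it means for a strict-mode (authenticated) setup.
DIAGNOSES = [
    ("TLS Authentication functionality not available",
     "OpenSSL older than 1.0.2: hostname authentication unavailable, strict mode cannot work"),
    ("Failure during connection setup",
     "this upstream was marked failed during connection setup"),
    ("No valid upstream!",
     "every configured upstream failed; look at the earlier SETUP errors"),
]

def parse_log(text):
    """Return one dict per line that matches the assumed debug-line layout."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def diagnose(text):
    """Return (function, explanation) pairs for every recognised failure message."""
    findings = []
    for entry in parse_log(text):
        for needle, meaning in DIAGNOSES:
            if needle in entry["msg"]:
                findings.append((entry["func"], meaning))
    return findings

OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")

def openssl_capabilities(version_output):
    """Map an 'openssl version' string to the two thresholds named in the thread."""
    m = OPENSSL_RE.search(version_output)
    if not m:
        raise ValueError("unrecognised OpenSSL version string")
    version = tuple(int(part) for part in m.groups())
    return {"tls": version >= (1, 0, 1), "hostname_auth": version >= (1, 0, 2)}
```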
