[getdns-users] A question on stubby
A. Schulze
sca at andreasschulze.de
Wed Apr 19 12:37:12 UTC 2017
xmgao:
> Thanks. But you do not include the 'tls_authentication:
> GETDNS_AUTHENTICATION_REQUIRED' field in the stubby.conf file.
you're right!
without "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED"
I may provide wrong tls_auth_name or tls_pubkey_pinset/value
and stubby still will answer my queries!
unfortunately stubby does not complain about authentication failures.
for the archive: the better stubby.conf:
{ resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
, upstream_recursive_servers:
  [ { address_data: 2a00:e50:f15c:1000::2:53
    , tls_auth_name: "yeti-rr.datev.net"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
        , value: QFWn+jgr2FfkRjCw8J77QJbChem3FUGwi9Ntp67SnVg=
        } ]
    } ]
, idle_timeout: 10000
}
$ man stubby.conf
No manual entry for stubby.conf
without documentation such errors may happen ...
Andreas
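
Added example, not part of the original message and not stubby's own code: a small Python lint for the getdns-style stubby.conf shown above. It flags a config that lacks tls_authentication: GETDNS_AUTHENTICATION_REQUIRED, and also upstreams without a tls_auth_name or tls_pubkey_pinset and pin values that are not 32-byte base64 digests. The name audit_stubby_conf, the regex-based parsing and the WEAK_CONF sample are assumptions made for illustration.

```python
import base64
import re

# The config from the message above (pinset folded onto one line).
STRICT_CONF = """
{ resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
, upstream_recursive_servers:
  [ { address_data: 2a00:e50:f15c:1000::2:53
    , tls_auth_name: "yeti-rr.datev.net"
    , tls_pubkey_pinset: [ { digest: "sha256", value: QFWn+jgr2FfkRjCw8J77QJbChem3FUGwi9Ntp67SnVg= } ]
    } ]
, idle_timeout: 10000 }
"""
# Constructed sample: no tls_authentication, a truncated pin, a bare upstream.
WEAK_CONF = """
{ resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_UDP ]
, upstream_recursive_servers:
  [ { address_data: 2001:db8::53
    , tls_auth_name: "dns.example.net"
    , tls_pubkey_pinset: [ { digest: "sha256", value: AAAA } ] }
  , { address_data: 192.0.2.53 } ] }
"""

def audit_stubby_conf(text):
    """Return findings for settings that leave upstream authentication unenforced."""
    findings = []
    m = re.search(r"dns_transport_list\s*:\s*\[([^\]]*)\]", text)
    transports = re.findall(r"GETDNS_TRANSPORT_\w+", m.group(1)) if m else []
    if transports != ["GETDNS_TRANSPORT_TLS"]:
        findings.append(f"dns_transport_list is not TLS-only: {transports}")
    m = re.search(r"tls_authentication\s*:\s*(\w+)", text)
    if not m or m.group(1) != "GETDNS_AUTHENTICATION_REQUIRED":
        findings.append("tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED")
    # One block per upstream, each starting at its address_data key.
    for block in re.split(r"(?=address_data\s*:)", text)[1:]:
        addr = re.match(r"address_data\s*:\s*([^\s,}]+)", block).group(1)
        if not re.search(r"tls_auth_name\s*:|tls_pubkey_pinset\s*:", block):
            findings.append(f"{addr}: no tls_auth_name or tls_pubkey_pinset")
        for pin in re.findall(r'value\s*:\s*"?([A-Za-z0-9+/=]+)', block):
            try:
                ok = len(base64.b64decode(pin, validate=True)) == 32
            except ValueError:
                ok = False
            if not ok:
                findings.append(f"{addr}: pin {pin!r} is not a base64 SHA-256 digest")
    return findings
```

An empty list from audit_stubby_conf(STRICT_CONF) means none of these checks fired; it says nothing about whether the pin matches the server's actual key.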