[getdns-users] where is the "ad" bit?
Willem Toorop
willem at nlnetlabs.nl
Wed Jul 5 21:13:03 UTC 2017
On 05-07-17 at 19:41, A. Schulze wrote:
> Hello,
>
> I try to replace a validating unbound-resolver with stubby (DNS-via-TLS to this unbound-resolver) and found dnssec validation differences.
>
> How should I configure stubby to make
> "dig @stubby dnssec-failed.org." return SERVFAIL and "dig @stubby getdnsapi.net." return data with AD bit set?

Hi Andreas,

You have to adapt your stubby.conf file to include

    dnssec_return_status: GETDNS_EXTENSION_TRUE

For example, here is the start of the stubby.conf file with that
extension set.

    { dnssec_return_status: GETDNS_EXTENSION_TRUE
    , resolution_type: GETDNS_RESOLUTION_STUB
    , dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
    , tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    , tls_query_padding_blocksize: 256
    , edns_client_subnet_private : 1
    , listen_addresses: [ 127.0.0.1, 0::1 ]
    , idle_timeout: 10000
    , round_robin_upstreams: 1
    , upstream_recursive_servers:
      [ { address_data: 145.100.185.15
        , tls_auth_name: "dnsovertls.sinodun.com"
        , tls_pubkey_pinset:
          [ { digest: "sha256"
            , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
          } ]
        },

Cheers,
-- Willem
>
> Andreas
>
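
Added example (not part of the original message and not code from the getdns project): a shell check for the two results asked about in this thread, SERVFAIL for dnssec-failed.org. and the "ad" flag for getdnsapi.net. The function names and the sample dig output are constructed for illustration, and check_stubby assumes stubby answers on port 53 of the 127.0.0.1 listen address from the config above.

```shell
#!/bin/sh
# Constructed dig header lines (not captured from a real resolver).
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4662
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Print the RCODE name from dig's ";; ->>HEADER<<-" line (read from stdin).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed only if "ad" is one of the flags on dig's ";; flags:" line.
dig_has_ad() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1 |
        tr ' ' '\n' | grep -qx 'ad'
}

# Classify one dig response read from stdin:
#   servfail - the resolver refused to hand out the answer
#   ad-set   - NOERROR and the answer is marked as DNSSEC-validated
#   no-ad    - anything else (unsigned zone, or no validation status returned)
classify() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    if [ "$status" = "SERVFAIL" ]; then
        echo servfail
    elif [ "$status" = "NOERROR" ] && printf '%s\n' "$out" | dig_has_ad; then
        echo ad-set
    else
        echo no-ad
    fi
}

# Live check against the stubby listener; succeeds only if both results
# match what the original question asked for.
check_stubby() {
    listener=${1:-127.0.0.1}
    signed=$(dig "@$listener" getdnsapi.net. | classify)
    broken=$(dig "@$listener" dnssec-failed.org. | classify)
    echo "getdnsapi.net.: $signed, dnssec-failed.org.: $broken"
    [ "$signed" = "ad-set" ] && [ "$broken" = "servfail" ]
}
```

Run check_stubby after restarting stubby with the changed stubby.conf; a non-zero exit status means at least one of the two names did not give the expected result.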