[getdns-users] where is the "ad" bit?

Willem Toorop willem at nlnetlabs.nl
Wed Jul 5 21:13:03 UTC 2017


On 05-07-17 at 19:41, A. Schulze wrote:
> Hello,
> 
> I am trying to replace a validating unbound resolver with stubby (DNS-via-TLS to this unbound resolver) and found DNSSEC validation differences.
> 
> How should I configure stubby to make
> "dig @stubby dnssec-failed.org." return SERVFAIL and "dig @stubby getdnsapi.net." return data with the AD bit set?

Hi Andreas,

You have to adapt your stubby.conf file to include

	dnssec_return_status: GETDNS_EXTENSION_TRUE

For example, here is the start of the stubby.conf file with that
extension set.

{ dnssec_return_status: GETDNS_EXTENSION_TRUE
, resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
, tls_query_padding_blocksize: 256
, edns_client_subnet_private : 1
, listen_addresses: [ 127.0.0.1, 0::1 ]
, idle_timeout: 10000
, round_robin_upstreams: 1
, upstream_recursive_servers:
  [ { address_data: 145.100.185.15
    , tls_auth_name: "dnsovertls.sinodun.com"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
        , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
      } ]
    },

Cheers,
-- Willem
> 
> Andreas
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> https://getdnsapi.net/mailman/listinfo/users
> 
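The check asked about in this thread can also be scripted instead of read off dig output. The following is an added example, not part of the message above and not getdns project code: it sends a query with the AD bit set and reads the AD bit and RCODE from the reply header. The function names, the constructed sample headers and the assumption that stubby listens on 127.0.0.1 port 53 are illustrative.

```python
import secrets
import socket
import struct

QR, AD, RD = 0x8000, 0x0020, 0x0100   # header flag bits (RFC 1035, RFC 4035)

def build_query(name, qid=0x1234):
    """A/IN query with RD and AD set; AD in a query requests AD in the reply (RFC 6840)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, RD | AD, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(response):
    """Map a raw DNS response to 'secure', 'insecure', 'servfail' or 'rcode-N'."""
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 2:
        # SERVFAIL is what a validator returns for bogus data, but an
        # unreachable upstream yields it too, so it is not proof of "bogus".
        return "servfail"
    if rcode not in (0, 3):
        return "rcode-%d" % rcode
    # AD on NOERROR or NXDOMAIN: the answer or the denial was validated.
    return "secure" if flags & AD else "insecure"

def ask(name, server="127.0.0.1", port=53, timeout=5.0):
    """Query the local listener (assumed address) over UDP and classify the reply."""
    query = build_query(name, secrets.randbelow(0x10000))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return classify(reply)

# Constructed 12-byte headers (not captured traffic): QR|RD|RA with and without AD.
SAMPLE_SECURE = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 0)
SAMPLE_INSECURE = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_SERVFAIL = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    for qname in ("getdnsapi.net.", "dnssec-failed.org."):
        print(qname, ask(qname))
```

An AD bit is only as trustworthy as the path it arrived over, which is why the check targets the loopback listener rather than a remote resolver.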



