[getdns-users] Does stubby honor TLSA records when verifying tls_auth_name?

Christoph cm at appliedprivacy.net
Wed Apr 17 11:26:00 UTC 2019


Hello!

We created TLSA records for our public resolvers [1]
as recommended by [2].
Now we were wondering whether stubby takes TLSA records [3] into
account when verifying the TLS connection to the
server (tls_auth_name), in addition to PKIX [4]?

We didn't publish SPKI pins because we rotate keys, which makes
SPKI less practical.
The TLSA record is only on the CA level (it requires the CA to be Let's
Encrypt).

Thanks,
Christoph

[1] https://github.com/getdnsapi/stubby/pull/177/files
[2] https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/?include_text=1
[3] https://tools.ietf.org/html/rfc8310#section-8.2
[4] https://tools.ietf.org/html/rfc8310#section-8.1