Error Description
I started getting the following error when using Google as an upstream server:
[16:22:36.958590] STUBBY: 8.8.4.4 : Verify failed : TLS - *Failure* - Pinset validation failure
The stubby.yml configuration file points to Google as follows:

```yaml
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wZGKu+C6/8gA05573BdMlKGkJ5xKQPMWTH6RV7PVCRo=
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wZGKu+C6/8gA05573BdMlKGkJ5xKQPMWTH6RV7PVCRo=
```
When in this error state, no resolutions through Google can take place.
FIX 1: Turn off authentication
The problem goes away when using the following configuration setting:
tls_authentication: GETDNS_AUTHENTICATION_NONE
The default value is GETDNS_AUTHENTICATION_REQUIRED and I'd prefer a solution that allows me to keep this authentication mechanism turned on.
FIX 2: Manually obtain a public key
I can temporarily solve the problem via the following steps:
- Navigate to the DNS server in question with my browser, e.g. https://8.8.4.4
- Examine the certificate and export its public key
- Convert the public key from hex-encoded to base64-encoded using this site.
- Paste the base64-encoded string into the tls_pubkey_pinset.value field corresponding to the Google server in question in the stubby.yml file.
- Restart Stubby
This works for a time, maybe for a month tops, and then needs to be repeated. Perhaps Google changes their public key periodically? I don't have the technical expertise to say one way or the other.
Question
What's a reliable way to keep Stubby authentication turned on without having to manually maintain and update these public key values in the stubby.yml file?
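The browser-export-and-convert procedure in FIX 2 can be reproduced with openssl, which also makes clear what the pin actually covers. The script below is an added example, not part of this issue or of the Stubby project. It assumes `openssl` is on PATH; the helper names (`pin_from_pubkey_pem`, `spki_pin_from_cert`, `spki_pin_from_key`, `pin_from_server`, `stubby_upstream_yaml`, `self_check`) and the placeholder name `dns.example` are mine. A `tls_pubkey_pinset` value with `digest: "sha256"` is base64(SHA-256(DER SubjectPublicKeyInfo)), the same construction as RFC 7469 pins, so it tracks the upstream's public key, not its certificate: it survives a certificate renewal that keeps the key but breaks the moment the key is rotated, which matches the behaviour described above.

```shell
#!/bin/sh
# Added example (not from the issue or the Stubby project): derive a Stubby
# tls_pubkey_pinset value with openssl instead of exporting it from a browser.
set -eu

# pin_from_pubkey_pem: read a PEM-encoded public key on stdin and print its
# SPKI pin, i.e. base64(SHA-256(DER SubjectPublicKeyInfo)).
pin_from_pubkey_pem() {
    openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# spki_pin_from_cert <cert.pem>: pin for the public key inside a certificate.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | pin_from_pubkey_pem
}

# spki_pin_from_key <key.pem>: the same pin computed from the private key, to
# cross-check that a pin covers the key you think it does.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout | pin_from_pubkey_pem
}

# pin_from_server <ip> <port> <sni>: fetch the live leaf certificate over TLS
# (DoT uses port 853; pass the tls_auth_name as SNI) and print its pin.
# Needs network access, so the offline self-check below does not use it.
pin_from_server() {
    echo | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | pin_from_pubkey_pem
}

# stubby_upstream_yaml <ip> <auth_name> <pin>: emit the stubby.yml entry
# (an item under upstream_recursive_servers) that pins that key.
stubby_upstream_yaml() {
    cat <<EOF
  - address_data: $1
    tls_auth_name: "$2"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: $3
EOF
}

# self_check: generate a throwaway self-signed certificate offline (constructed
# test input, placeholder name dns.example) and confirm that the pin derived
# from the certificate equals the pin derived from its key. Prints the pin.
self_check() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=dns.example" -days 1 >/dev/null 2>&1
    cert_pin=$(spki_pin_from_cert "$dir/cert.pem")
    key_pin=$(spki_pin_from_key "$dir/key.pem")
    rm -rf "$dir"
    [ "$cert_pin" = "$key_pin" ] && echo "$cert_pin"
}

# Offline demonstration: one pin and the matching stubby.yml entry.
pin=$(self_check)
stubby_upstream_yaml 8.8.8.8 dns.google "$pin"
```

To refresh a real entry, replace the offline pin with `pin_from_server 8.8.8.8 853 dns.google` and drop the output of `stubby_upstream_yaml` into the `upstream_recursive_servers` list. A SHA-256 pin is always 44 base64 characters ending in `=`; anything else means the hash was taken over the wrong object (for example a hex fingerprint of the whole certificate rather than the DER public key).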