Merge pull request #80 from saradickinson/update_config_file

Pre-release updates to the YAML config file. Update changelog, bump v…
getdnsapi · Feb 13, 2018 · 9657d0e · 9657d0e
2 parents 50638cb + f5b2d3b
commit 9657d0e
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 24 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,8 +1,9 @@
 * 2018-02-??: Version 0.2.2
- * Add manpage
- * Add -V version option to Stubby
- * Add output of basic config to the logs to aid debugging.
- * Corrected address of ns1.dnsprivacy.at in config file
+ * Fixes and updates to the stubby.yml.config file. Add separate entries for
+   servers that listen on port 443.
+ * Additional logging of basic config on startup
+ * -V option to show version
+ * Added a man page
 
 * 2017-12-18: Version 0.2.1
  * Fix use of logging on macos 10.11

diff --git a/README.md b/README.md
@@ -21,15 +21,14 @@ See [Stubby Homepage](https://dnsprivacy.org/wiki/x/JYAT) for more details
 
 Stubby uses [getdns](https://getdnsapi.net/) and requires the 1.2 release of getdns or later.
 
-It also requires that either
-* getdns was compiled with [yaml](http://pyyaml.org/wiki/LibYAML) support (using the --with-libyaml configure option)
-* or stubby is compiled with libyaml as a dependancy. 
-
+It also requires [yaml](http://pyyaml.org/wiki/LibYAML).
 
 # Installing Using a Package Manager
 
-Check to see if getdns, libyaml and Stubby are available via a package manager for your system.
+Check to see if stubby, getdns and yaml are available via a package manager for your system:
 https://repology.org/metapackage/stubby/versions
+https://repology.org/metapackage/getdns/versions
+https://repology.org/metapackage/libyaml/versions
 
 * A [Windows Installer](https://dnsprivacy.org/wiki/x/CoBn) is now available for Stubby.
 * A Homebrew package for stubby is now available (`brew install stubby`).

diff --git a/stubby.yml.example b/stubby.yml.example
@@ -14,6 +14,8 @@
 #   - yaml tags are not supported
 #   - IPv6 addresses ending in :: are not yet supported (use ::0)
 #
+# Note that we plan to introduce a more compact format for defining upstreams
+# in future: https://github.com/getdnsapi/stubby/issues/79
 
 # Logging is currently configured at runtime using command line arguments. See
 # > stubby -h
@@ -42,9 +44,9 @@ dns_transport_list:
 tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
 
 # EDNS0 option to pad the size of the DNS query to the given blocksize
-# 256 is currently recommended by 
-# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-01
-tls_query_padding_blocksize: 256
+# 128 is currently recommended by 
+# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
+tls_query_padding_blocksize: 128
 
 # EDNS0 option for ECS client privacy as described in Section 7.1.2 of
 # https://tools.ietf.org/html/rfc7871
@@ -149,39 +151,51 @@ upstream_recursive_servers:
       - digest: "sha256"
         value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
 
+
 # Additional servers
+
 # IPv4 addresses
-## Quad 9 service
+## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
 #  - address_data: 9.9.9.9
 #    tls_auth_name: "dns.quad9.net"
+## Quad 9 'insecure' service - No filtering, does DNSSEC, may send ECS (it is 
+## unclear if it honours the edns_client_subnet_private request from stubby)
+#  - address_data: 9.9.9.10
+#    tls_auth_name: "dns.quad9.net"
 ## The Uncensored DNS servers
 #  - address_data: 89.233.43.71
 #    tls_auth_name: "unicast.censurfridns.dk"
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
-## A Surfnet/Sinodun server using Knot resolver. Warning - has issue when used for
-## DNSSEC
+## A Surfnet/Sinodun server supporting TLS 1.2 and 1.3
+#  - address_data: 145.100.185.18
+#    tls_auth_name: "dnsovertls3.sinodun.com"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
+## A Surfnet/Sinodun server using Knot resolver. Warning - has issue when used 
+## for DNSSEC
 #  - address_data: 145.100.185.17
 #    tls_auth_name: "dnsovertls2.sinodun.com"
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
 ## dns.cmrg.net server using Knot resolver. Warning - has issue when used for
-## DNSSEC. (This also listens on port 443)
+## DNSSEC.
 #  - address_data: 199.58.81.218
 #    tls_auth_name: "dns.cmrg.net"
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
 #      - digest: "sha256"
 #        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
-## dns1.darkmoon.is
+## dns.larsdebruin.net (formerly dns1.darkmoon.is)
 #  - address_data: 51.15.70.167
-#    tls_auth_name: "dns1.darkmoon.is"
+#    tls_auth_name: "dns.larsdebruin.net "
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
-#        value: 8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=
+#        value: AAT+rHoKx5wQkWhxlfrIybFocBu3RBrPD2/ySwIwmvA=
 ## securedns.eu
 #  - address_data: 146.185.167.43
 #    tls_auth_name: "securedns.eu"
@@ -206,11 +220,23 @@ upstream_recursive_servers:
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
-## Lorraine Data Network  (self-signed cert). Also listens on port 443.
+## dns.bitgeek.in 
+#  - address_data: 139.59.51.46
+#    tls_auth_name: "dns.bitgeek.in"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: FndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs=
+## Lorraine Data Network  (self-signed cert).
 #  - address_data: 80.67.188.188
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
+## dns.neutopia.org
+#  - address_data: 89.234.186.112
+#    tls_auth_name: "dns.neutopia.org"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
 ## NIC Chile (self-signed cert)
 #  - address_data: 200.1.123.46
 #    tls_pubkey_pinset:
@@ -222,22 +248,36 @@ upstream_recursive_servers:
 ##     tls_pubkey_pinset:
 ##       - digest: "sha256"
 ##         value: pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
+
 #IPv6 addresses
+## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+#  - address_data: 2620:fe::fe
+#    tls_auth_name: "dns.quad9.net"
+## Quad 9 'insecure' service - No filtering, does DNSSEC, may send ECS (it is 
+## unclear if it honours the edns_client_subnet_private request from stubby)
+#  - address_data: 2620:fe::10
+#    tls_auth_name: "dns.quad9.net"
 ## The Uncensored DNS server
 #  - address_data: 2a01:3a0:53:53::0
 #    tls_auth_name: "unicast.censurfridns.dk"
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
-## A Surfnet/Sinodun server using Knot resolver. Warning - has issue when used for
-## DNSSEC
+## A Surfnet/Sinodun server supporting TLS 1.2 and 1.3
+#  - address_data: 2001:610:1:40ba:145:100:185:18
+#    tls_auth_name: "dnsovertls3.sinodun.com"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
+## A Surfnet/Sinodun server using Knot resolver. Warning - has issue when used 
+## for DNSSEC
 #  - address_data: 2001:610:1:40ba:145:100:185:17
 #    tls_auth_name: "dnsovertls2.sinodun.com"
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
 ## dns.cmrg.net server using Knot resolver. Warning - has issue when used for
-## DNSSEC. (This also listens on port 443)
+## DNSSEC.
 #  - address_data: 2001:470:1c:76d::53
 #    tls_auth_name: "dns.cmrg.net"
 #    tls_pubkey_pinset:
@@ -275,11 +315,17 @@ upstream_recursive_servers:
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
-## Lorraine Data Network  (self-signed cert). Also listens on port 443.
+## Lorraine Data Network  (self-signed cert). 
 #  - address_data: 2001:913::8
 #    tls_pubkey_pinset:
 #      - digest: "sha256"
 #        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
+## dns.neutopia.org
+#  - address_data: 2a00:5884:8209::2
+#    tls_auth_name: "dns.neutopia.org"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
 ## NIC Chile (self-signed cert)
 #  - address_data: 2001:1398:1:0:200:1:123:46
 #    tls_pubkey_pinset:
@@ -298,3 +344,74 @@ upstream_recursive_servers:
 ##       - digest: "sha256"
 ##         value: pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
 
+## Servers that listen on port 443 (IPv4 and IPv6)
+## Surfnet/Sinodun servers
+#  - address_data: 145.100.185.15
+#    tls_port: 443
+#    tls_auth_name: "dnsovertls.sinodun.com"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
+#  - address_data: 145.100.185.16
+#    tls_port: 443
+#    tls_auth_name: "dnsovertls1.sinodun.com"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
+## dns.cmrg.net server using Knot resolver
+#  - address_data: 199.58.81.218
+#    tls_port: 443
+#    tls_auth_name: "dns.cmrg.net"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
+#      - digest: "sha256"
+#        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
+## Lorraine Data Network  (self-signed cert)
+#  - address_data: 80.67.188.188
+#    tls_port: 443
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
+## dns.neutopia.org
+#  - address_data: 89.234.186.112
+#    tls_port: 443
+#    tls_auth_name: "dns.neutopia.org"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
+## The Surfnet/Sinodun servers
+#  - address_data: 2001:610:1:40ba:145:100:185:15
+#    tls_port: 443
+#    tls_auth_name: "dnsovertls.sinodun.com"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
+#  - address_data: 2001:610:1:40ba:145:100:185:16
+#    tls_port: 443
+#    tls_auth_name: "dnsovertls1.sinodun.com"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
+## dns.cmrg.net server using Knot resolver
+#  - address_data: 2001:470:1c:76d::53
+#    tls_port: 443
+#    tls_auth_name: "dns.cmrg.net"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
+#      - digest: "sha256"
+#        value: 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
+## Lorraine Data Network (self-signed cert)
+#  - address_data: 2001:913::8
+#    tls_port: 443
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
+## dns.neutopia.org
+#  - address_data: 2a00:5884:8209::2
+#    tls_port: 443
+#    tls_auth_name: "dns.neutopia.org"
+#    tls_pubkey_pinset:
+#      - digest: "sha256"
+#        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=