authorTony Ambardar <itugrok@yahoo.com>2018-08-07 03:11:19 -0700
committerguidosarducci <guidosarducci@users.noreply.github.com>2018-09-23 21:55:03 -0700
commit1170686cbab9a017d49cb532918a4e4c4a9c490d (patch)
treea4d3acc559682a8bee42dd536610e3c988f37c45 /net
parent8b2de594de0219681ba9630b8390738a1afb7e4e (diff)
stubby: add SPKI pin set for Cloudflare cert
Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks, as described in RFC7858 (DNS over TLS). The SPKI setup and the specific SHA256 certificate hash are taken from Cloudflare's DoT configuration guide published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/. Note that the certificate is valid until March 25th 2020, 13:00 CET, which provides ample time for issuance of a backup pin to support future key rollover. Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Diffstat (limited to 'net')
-rw-r--r--net/stubby/files/stubby.yml12
1 files changed, 12 insertions, 0 deletions
diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml
index 71af185b2..012b1d6fb 100644
--- a/net/stubby/files/stubby.yml
+++ b/net/stubby/files/stubby.yml
@@ -24,8 +24,14 @@ upstream_recursive_servers:
# # Cloudflare IPv6
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
# # Quad 9 IPv6
# - address_data: 2620:fe::10
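Review bot: Each new `tls_pubkey_pinset` here (and in the second hunk for 1.1.1.1 / 1.0.0.1) carries a single pin with no backup, so when the pinned key is rotated — the commit message itself dates the certificate's expiry to 25 March 2020 — all four Cloudflare upstreams fail SPKI validation at the same moment, and whether stubby then fails closed or falls back to an unauthenticated connection depends on the file's `tls_authentication` setting, which lies outside this hunk and should be confirmed to be the required/strict mode. Pinning guidance (RFC 7469 for HPKP) expects a backup pin for exactly this reason; if Cloudflare has not published one, record the source and expiry above each pinset so the rollover is not missed, e.g. `# SPKI pin from https://developers.cloudflare.com/1.1.1.1/dns-over-tls/ (cert valid to 2020-03-25) — add a backup pin before rollover`. Matching the quoting already used for `tls_auth_name` and `digest`, the base64 value should be quoted as well, `value: "yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc="`, so the trailing `=` and embedded `+` are never at the mercy of a stricter scalar parser. Leading whitespace has been lost in this rendering, so the indentation of the inserted keys relative to `tls_auth_name` within each list item cannot be verified from the page and should be checked against the raw patch.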
@@ -35,8 +41,14 @@ upstream_recursive_servers:
# # Cloudflare servers
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
# Quad 9 service
# - address_data: 9.9.9.10