Skip to content

Instantly share code, notes, and snippets.

@montvid

montvid/dns_over_tls_pubkey_value.md

Forked from normoes/dns_over_tls_pubkey_value.md
Created January 26, 2021 20:38
Show Gist options
  • Save montvid/e35429b6b4bc1ee8b5a6cd9ae7a192bd to your computer and use it in GitHub Desktop.
Save montvid/e35429b6b4bc1ee8b5a6cd9ae7a192bd to your computer and use it in GitHub Desktop.
Download ZIP
getting tls pubkey value for DNS over TLS certificates
Raw
dns_over_tls_pubkey_value.md

Getting the tls pubkey for a DNS over TLS address

I added cloudflare-dns.com to my stubby.yml and couldn't find any information on the value of the tls_pubkey_pinset

tls_pubkey_pinset:
  - digest: "sha256"
    value: MISSING

Although I could find some examples, the value seemed to be wrong.

This issue helped me a lot eventually (specifically t5k6's comment on Apr 2, 2018).

It pointed me to the following command:

echo | openssl s_client -connect '1.0.0.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

It returns exactly the value I was searching for.

As of writing this, the following configuration can be applied:

# The cloudflare
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment