Multiple Public DNS Resolvers' Certificate Hashes Not Found #941
Comments
Same. I think that Quad9 changed certs a few days ago.
I'll update them shortly.
Ahh, thanks for the tip. I have moved my Quad9 servers to DNSCrypt. I now have 4 separate DNS providers (2 DoH, 2 DNSCrypt) working properly. I think this is better for resiliency anyway. Thanks again! Discussions about this:
Found a similar issue with quad9 DoH stamps a few days ago...

Loaded the quad9 cert chain, grabbed the PEM format of the IntCA used for signing the host cert for quad9 ( https://9.9.9.9/dns-query or dns9.quad9.net/ ), used openssl to convert it to DER, then openssl asn1parse to find the offset to the sequence for what would be the equivalent of a "TBS certificate" for that IntCA, extracted that based on the asn1parse offset (sequence), then ran sha256sum on it to get b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f.

Used https://dnscrypt.info/stamps-specifications/ to see the field formatting of the base64url content of the stamp for the quad9 DoH in use, then piped the stamp through base64_url decode, then through xxd to go from 8-bit to a hex stream, then through sed to replace the old "TBS Cert" sha256 hash 2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a with b01920744bbb76c9ab053e01e07b7e050e473d20f79f7bea435fafe43c9d242f, then back through xxd to reverse hex to 8-bit, then through base64_url encode to get a new stamp with the new cert hash for quad9 DoH.

Then saved these as "static" entries under '[static]' in the config file with a "-workaround" suffix for the key/label, so I can remove them later. Kludgy, but it seems to work well enough until an official update is provided. I too assumed that https://github.com/Quad9DNS/dnscrypt-settings/tree/main/dnscrypt might be updated, but nope.

Basic summary of steps provided above for any command-line people who know what they are doing to see what can be done, but I'm not pasting in the resulting quad9 DoH stamps; it is a bad idea for people to blindly use stamps without trusting the creator of them, and I am a nobody. Thanks for your hard work on this project.
Following @TCMBC, I wrote a little Go program that outputs the new sdns records given the old sdns records,
@jedisct1 : I just realized that it is recommended to hash in sdns stamps the certificate that signed the certificate provided by the DNS server rather than directly the certificate provided by the DNS server. Wouldn't it be more secure to hash the latter rather than the former? What is the rationale for the current recommendation? (Is it just to avoid the hassle with constantly changing certificates?)
@wwwrando the latter can change very frequently, and can differ between servers and locations.
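To make the point in the reply above concrete (the server's own certificate is renewed often, the issuing certificate is not), here is an added Go example that is not part of this thread or of dnscrypt-proxy. It constructs a demo issuing CA, issues two successive server certificates under it as a renewal would, and computes for each certificate the SHA-256 of its DER tbsCertificate, which is the value a DNS stamp carries (the same bytes the asn1parse extraction in the earlier comment isolates). ChainMatches then checks a presented chain against a pinned hash, which is the condition behind the "Certificate hash not found" lines in this issue. The key material, the "Demo Issuing CA" name and the host dns.example are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TBSHash is what a DNS stamp's hash field holds: SHA-256 over the DER
// tbsCertificate (the signed part) of one certificate, not over the whole
// certificate and not over the hostname.
func TBSHash(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawTBSCertificate)
	return hex.EncodeToString(sum[:]), nil
}

// ChainMatches reports whether any certificate the server presented carries the
// pinned tbsCertificate hash; false is the "Certificate hash not found" case.
func ChainMatches(presented [][]byte, pinnedHex string) (bool, error) {
	for _, der := range presented {
		h, err := TBSHash(der)
		if err != nil {
			return false, err
		}
		if h == pinnedHex {
			return true, nil
		}
	}
	return false, nil
}

// Chain is constructed test material: an issuing CA and a server certificate.
type Chain struct{ CA, Leaf []byte }

// A fixed validity period keeps the CA's tbsCertificate identical across runs.
var epoch = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// IssueChain self-signs a CA with caKey and issues one leaf for host under it.
// Calling it again with the same caKey and a new serial models a routine leaf
// renewal: new key and serial, same issuer.
func IssueChain(caKey *ecdsa.PrivateKey, host string, serial int64) (*Chain, error) {
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore: epoch, NotAfter: epoch.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: epoch, NotAfter: epoch.AddDate(0, 3, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: caDER, Leaf: leafDER}, nil
}

func main() {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	for _, serial := range []int64{1001, 1002} { // two issuances under one CA
		c, err := IssueChain(caKey, "dns.example", serial)
		if err != nil {
			panic(err)
		}
		issuer, _ := TBSHash(c.CA)
		leaf, _ := TBSHash(c.Leaf)
		fmt.Printf("serial %d: issuer tbs=%s leaf tbs=%s\n", serial, issuer, leaf)
	}
}
```

Running it prints the same issuer hash on both lines and a different leaf hash on each: a stamp pinning the issuer keeps working across the renewal, while one pinning the leaf breaks the moment the server rotates, which is the failure this issue is about. The trade-off the question above raises is real: pinning the issuer trusts every certificate that CA issues, not just the resolver's, so the pin is only as narrow as the issuing CA.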
The public resolvers list should be fixed, but not the actual source. The first thing to do would have been to notify @Quad9DNS.
@jedisct1 : Thanks! Reverted config to use what were previously working keyed entries to stamps in public-resolvers.md before the Quad9 change. Once config was restored using the new public-resolvers.md, dnscrypt-proxy was restarted and it is working fine. (Confirmation it is working.) My boss notified someone he knew at quad9, I think last Friday. Since my boss notified someone at quad9, I didn't. They (quad9) are still lagging: (as of this reply date/time) Thanks again for your hard work!
Using the latest configuration as of now:
server_names = [
[2024-08-07 11:21:53] [NOTICE] Advertised cert: [CN=dns.quad9.net,O=Quad9,L=Zurich,ST=Zurich,C=CH] [e3e13daef1fd3012db80b3b002b5d2a7f24a7c8bb82b318694bdcaf061d1ba02]
The new configuration file from quad9 is not usable:
[2024-08-07 11:09:33] [NOTICE] dnscrypt-proxy 2.1.5
[sources.quad9-resolvers]
In https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
DnsCrypt log: [dns.sb] Certificate hash [9a3a34f727deb9bca51003d9ce9c39f8f27dd9c5242901c2bab1a44e635a0219] not found
DnsCrypt log: Certificate hash not found
DnsCrypt log: [dnsfilter] may be a lying resolver
DnsCrypt log: [dnsfilter] Certificate hash [444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce] not found
DnsCrypt log: Certificate hash not found
DnsCrypt log: [quad9-doh-ip4-port443-filter-pri] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found
DnsCrypt log: Certificate hash not found
DnsCrypt log: [quad9-doh-ip4-port443-filter-ecs-pri] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found
DnsCrypt log: Certificate hash not found
DnsCrypt log: [quad9-doh-ip4-port443-nofilter-pri] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found
DnsCrypt log: Certificate hash not found
DnsCrypt log: [quad9-doh-ip4-port443-nofilter-ecs-pri] Certificate hash [2a15f5d6acb6e7c0901ade4ebbc743b2ccd489032b46e1642f0693683001258a] not found
DnsCrypt log: Certificate hash not found
DnsCrypt log: [rethinkdns-doh] Certificate hash [2aae3fb7bf05e4c81c4194dca44511d4f9af304786ec1ae7218409cf62a08355] not found
DnsCrypt log: Certificate hash not found