
Stubby Not Enforcing Strict Mode?


HarryMuscle

I'm working on setting up extra stubby instances which made me take a look at the /etc/stubby/stubby.yml config file on my router (RT-AC66U B1 running 386.7_2) and I noticed a possible bug. I have DNS-over-TLS Profile set to Strict on the WAN -> Internet Connection page which according to the Stubby documentation should set the tls_authentication setting in the stubby.yml file to GETDNS_AUTHENTICATION_REQUIRED, but instead the stubby.yml file has this setting set to GETDNS_AUTHENTICATION_NONE which I believe is considered Opportunistic, not Strict. Also, the stubby.yml file lists both GETDNS_TRANSPORT_UDP and GETDNS_TRANSPORT_TCP in the dns_transport_list setting, which again I believe is for Opportunistic mode only to allow falling back to unencrypted communication if necessary. Could someone confirm if their stubby.yml also contains these "issues"? Is this on purpose or is this actually a bug?

Thanks,
Harry
 
It will not enforce Strict mode until NTP is synced. Check the value of nvram get ntp_ready
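
As an added example (not part of the thread and not the firmware's own code), this shell function classifies a stubby.yml the way the first post reads the Stubby documentation: Strict only if tls_authentication is GETDNS_AUTHENTICATION_REQUIRED and dns_transport_list contains nothing but GETDNS_TRANSPORT_TLS. The function name stubby_mode and both sample configs are constructed for illustration, and the parser assumes a block-style YAML list.

```shell
#!/bin/sh
# Added example (not from the thread): classify a stubby.yml as strict or opportunistic.
# Strict here means: authentication REQUIRED and a transport list containing only TLS.
stubby_mode() {   # $1 = path to stubby.yml; prints "strict" or "opportunistic"
    awk '
        { sub(/#.*/, ""); sub(/[ \t\r]+$/, "") }      # drop comments, trailing space
        /^[ \t]*$/ { next }
        /^tls_authentication:/ { auth = $2; in_list = 0; next }
        /^dns_transport_list:/ { in_list = 1; next }
        in_list && /^[ \t]*-/ {                        # block-style list item
            t = $0; sub(/^[ \t]*-[ \t]*/, "", t)
            n++; if (t != "GETDNS_TRANSPORT_TLS") fallback = 1
            next
        }
        { in_list = 0 }                                # any other line ends the list
        END {
            if (auth == "GETDNS_AUTHENTICATION_REQUIRED" && n > 0 && !fallback)
                print "strict"
            else
                print "opportunistic"
        }
    ' "$1"
}

# Constructed sample configs (not copied from any router).
tmp=$(mktemp -d)
cat > "$tmp/observed.yml" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_NONE
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
  - GETDNS_TRANSPORT_TCP
EOF
cat > "$tmp/expected.yml" <<'EOF'
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
EOF

echo "observed: $(stubby_mode "$tmp/observed.yml")"
echo "expected: $(stubby_mode "$tmp/expected.yml")"
```

On the router, point stubby_mode at /etc/stubby/stubby.yml after NTP has synced, which the reply above says to check with nvram get ntp_ready.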
 
