- Version: for TLS forwarding you need knot-resolver >= 2.0.0. Stable Omnia has 1.5.x ATM, if I look correctly, but Omnia RC should have new enough already.
- Pin: it’s something like a hash of the TLS key. The service may publish it, but you’ll have to update it on key rotations. You probably want to use certificates instead, like regular https.
- `hostname` must correspond to the name in the certificate (if using certificate authentication). That seems to be without the final dot in current practice.
This config works for me:

```lua
policy.add(policy.all(
  policy.TLS_FORWARD({
    -- forward everything over TLS, authenticating the server certificate
    -- against the system CA bundle; hostname is the name in the certificate
    {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/ca-certificates.crt' }
  })
))
```
Well, I only tried it on my desktop, but these things tend not to differ.
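The two authentication modes mentioned above (certificate vs. pin) side by side, as an added example that is not from the original post or from the knot-resolver project. It assumes knot-resolver >= 2.0.0, where `policy.TLS_FORWARD` accepts either `hostname`/`ca_file` or `pin_sha256`; the pin value and the second address are placeholders, and the `openssl` pipeline in the comment is the usual way to derive a SHA-256 SPKI pin from a server certificate.

```lua
-- Option A (preferred): certificate-based authentication, like regular https.
-- The resolver verifies the server's chain against ca_file and checks that
-- the certificate name matches hostname (no trailing dot).
policy.add(policy.all(
  policy.TLS_FORWARD({
    {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/ca-certificates.crt'},
  })
))

-- Option B: pin-based authentication. The pin is the base64 SHA-256 of the
-- server's SubjectPublicKeyInfo, so it must be refreshed whenever the
-- operator rotates the key, otherwise forwarding stops validating.
-- Derive it from a PEM certificate (placeholder file name) with:
--   openssl x509 -in server.pem -pubkey -noout \
--     | openssl pkey -pubin -outform der \
--     | openssl dgst -sha256 -binary | base64
-- Uncomment to use instead of Option A; 192.0.2.53 and the pin are placeholders.
-- policy.add(policy.all(
--   policy.TLS_FORWARD({
--     {'192.0.2.53', pin_sha256='REPLACE_WITH_BASE64_SPKI_HASH'},
--   })
-- ))
```

With either mode the resolver refuses to use the upstream when validation fails, so a wrong hostname or a stale pin shows up as forwarding errors rather than a silent fallback to cleartext.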