Quad9 potentially broken?

[Diniboy1123]

Hey,

I use only quad9 as my DoH resolver. Here is my interesting config bit:

server_names = ['quad9-doh-ip4-port443-filter-ecs-pri', 'quad9-doh-ip4-port443-filter-pri']

[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

[sources.quad9-resolvers]
  urls = ["https://quad9.net/dnscrypt/quad9-resolvers.md", "https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md"]
  minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
  cache_file = "quad9-resolvers.md"
  refresh_delay = 72
  prefix = "quad9-"

It can fetch the md files just fine, however I get

Jan 30 13:47:35 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:47:35] [CRITICAL] [quad9-doh-ip4-port443-filter-ecs-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:47:36 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:47:36] [CRITICAL] [quad9-doh-ip4-port443-filter-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:47:47 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:47:47] [CRITICAL] [quad9-doh-ip4-port443-filter-ecs-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:47:48 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:47:48] [CRITICAL] [quad9-doh-ip4-port443-filter-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:47:58 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:47:58] [CRITICAL] [quad9-doh-ip4-port443-filter-ecs-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:47:59 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:47:59] [CRITICAL] [quad9-doh-ip4-port443-filter-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:48:10 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:48:10] [CRITICAL] [quad9-doh-ip4-port443-filter-ecs-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:48:11 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:48:11] [CRITICAL] [quad9-doh-ip4-port443-filter-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:48:22 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:48:22] [CRITICAL] [quad9-doh-ip4-port443-filter-ecs-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found
Jan 30 13:48:22 homeserver dnscrypt-proxy[2152]: [2022-01-30 13:48:22] [CRITICAL] [quad9-doh-ip4-port443-filter-pri] Certificate hash [eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118] not found

It was working before, all I did was a reboot... Anyone else experiencing something similar?

[jedisct1]

DoH entries in the list downloaded from Quad9's repository are a bit out of date. They changed to a new certificate provider but the stamps for their servers hasn't been updated.

You can remove the entire [sources.quad9-resolvers] section and use the quad9 entries from public-resolvers.md instead; they have the correct certificate hash.

[Diniboy1123]

Thank you so much, that solved the issue.