For several years I've been running Stubby as a DoT proxy with configs recommended in this forum from @directnupe and it's been working fine, except for the routine problem of SPKI 'pinset' values expiring because the server certificates get routinely renewed by the provider.
At the time I didn't understand the purpose/point of using the 'pinset' directive, so I blindly followed the instructions, assuming it to be an additional security feature, but in an effort to remove this ongoing need to replace pinset values for upstream certificates, I dug a little deeper.
If I understand correctly, having the SPKI digest in the Stubby config file actually implicitly tells Stubby to trust a server presenting that certificate without resolving the full trust chain? You're essentially saying, I have pre-validated the certificate from the "XYZ.com" domain with SPKI digest "ABC" and trust it (and won't trust a server presenting any other certificate, even if it's valid for that domain).
Then I read further that the reason this is recommended for routers is because the root CA certificate bundle on router hardware may not be up to date, or on some devices there may not be enough flash to store the full trusted root CA bundle. There is also a small performance advantage to trusting the certificate via the SPKI digest and not having to follow the whole trust chain.
If all the above is accurate, then is it fair to assume that for a router platform with essentially unlimited resources (read - x86 system with server-grade processor, 64GB RAM and 256GB+ storage) there is no need to use the pinset so long as the root CA bundle is kept up to date, which can be done with opkg update ca-certificates, and this provides an equally secure setup without the need to constantly update pinset values?
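
An SPKI pin is a hash of the certificate's public key (its SubjectPublicKeyInfo), not of the whole certificate, which determines when a renewal invalidates a configured pin. The following is an added example, not part of the original post: it uses throwaway self-signed certificates and the placeholder name dot.example.test (both constructed here) to compare the pin before and after a renewal that reuses the key and one that rotates it.

```shell
#!/bin/sh
# Added example: every key and certificate here is a constructed throwaway;
# dot.example.test is a placeholder name, not a real DoT provider.

# Print base64(SHA-256(DER SubjectPublicKeyInfo)) for the PEM certificate in $1.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Generate a P-256 private key into file $1.
new_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# Issue a 90-day self-signed certificate for key $1 into file $2.
issue_cert() {
    openssl req -new -x509 -key "$1" -out "$2" -days 90 \
        -subj "/CN=dot.example.test" 2>/dev/null
}

# Compare a configured pin ($1) with the key in certificate $2.
check_pin() {
    if [ "$1" = "$(spki_pin "$2")" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

demo_dir=$(mktemp -d)
new_key "$demo_dir/key_old.pem"
new_key "$demo_dir/key_new.pem"
issue_cert "$demo_dir/key_old.pem" "$demo_dir/current.pem"
issue_cert "$demo_dir/key_old.pem" "$demo_dir/renewed_same_key.pem"
issue_cert "$demo_dir/key_new.pem" "$demo_dir/renewed_new_key.pem"

# The pin as it would have been copied into the config from the current cert.
PIN_CONFIGURED=$(spki_pin "$demo_dir/current.pem")
RESULT_SAME_KEY=$(check_pin "$PIN_CONFIGURED" "$demo_dir/renewed_same_key.pem")
RESULT_NEW_KEY=$(check_pin "$PIN_CONFIGURED" "$demo_dir/renewed_new_key.pem")

echo "configured pin:          $PIN_CONFIGURED"
echo "renewal, key reused:     $RESULT_SAME_KEY"
echo "renewal, key rotated:    $RESULT_NEW_KEY"
rm -rf "$demo_dir"
```

The same `spki_pin` function can be pointed at a certificate saved from the upstream resolver to check whether the value in the Stubby config still matches before the proxy starts failing.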