Releases: getdnsapi/getdns
Second release candidate for getdns-1.1.0
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.1.0-rc2.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.1.0-rc2.tar.gz.asc |
sha256 | 5b58ce061cea83344bdd85a9e9129a45cb785de887ebe670f99a0f5c09e169a0 |
Dear all,
We have a second release candidate for the new feature release version 1.1.0 of getdns.
The first release has been extensively tested and used in the IETF98 Hackathon, which has let to some great hacks!, and also revealed some improvement potentials and even some bugs.
This second release candidate addresses those things:
- The
return_call_reporting
extension now also returns the remote end's certificate if the interaction was over TLS. - Statefull connections with and
idle_timeout
> 0 will not be closed after doing a synchronous request anymore. This also involved a bugfix for naked timeout events with Windows. - Stability of the dnssec extensions in combination with statefull transports have been improved (and a bugfix in which this combination hang).
- A default edns0 padding policy contributed by DKG.
- A new function
getdns_context_unset_edns_maximum_udp_payload_size()
to reset to the default behaviour to have a maximum UDP payload size dependent on the address family; 1432 for IPv4 and 1232 for IPv6 to maximize receptivity.
Please review this release candidate carefully, if all is well, the actual release will follow Thursday the 13th of April.
ChangeLog
* 2017-04-??: Version 1.1.0
* bugfix: Reschedule request timeout when getting the DNSSEC chain.
* getdns_context_unset_edns_maximum_udp_payload_size() to reset
to default IPv4/IPv6 dependent edns max udp payload size.
* Implement sensible default edns0 padding policy. Thanks DKG.
* Keep connections open with sync requests too.
* Fix of event loops so they do not give up with naked timers with
windows. Thanks Christian Huitema.
* Include peer certificate with DNS-over-TLS in combination with
the return_call_reporting extension.
* 2017-03-23: Version 1.1.0-rc1
* More fine grained control over TLS upstream retry and back off
behaviour with getdns_context_set_tls_backoff_time() and
getdns_context_set_tls_connection_retries().
* New round robin over the available upstreams feaure.
Enable with getdns_context_set_round_robin_upstreams()
* Bugfix: Queue requests when no sockets available for outgoing queries.
* Obey the outstanding query limit with STUB resolution mode too.
* Updated stubby config file
* Draft MDNS client implementation by Christian Huitema.
Enable with --enable-draft-mdns-support to configure
* bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
By moving default eventloop from select to poll
Thanks Neil Cook
* bugfix: authentication failure for self signed cert + only pinset
* bugfix: issue with session re-use making authentication appear to fail
* 2016-10-19: Version 1.1.0-a2
* Improved TLS connection management
* OpenSSL 1.1 support
* Stubby, Server version of getdns_query that by default listens
on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
and $HOME/.stubby.conf
* 2016-07-14: Version 1.1.0a1
* Conversion functions from text strings to getdns native types:
getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
getdns_str2int()
* A getdns_context_config() function that configures a context
with settings given in a getdns_dict
* A a getdns_context_set_listen_addresses() function and companion
getdns_reply() function to construct simple name servers.
* Relocate getdns_query to src/tools and build by default
* Enhancements to the logic used to select connection based upstream
transports (TCP, TLS) to improve robustness and re-use of
connections/upstreams.
First release candidate for getdns-1.1.0
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.1.0-rc1.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.1.0-rc1.tar.gz.asc |
sha256 | d91ec104b33880ac901f36b8cc01b22f9086fcf7d4ab94c0cbc56336d1f6bec0 |
Dear all,
We are pleased to announce the special, IETF98 hackathon, first release candidate for the new feature release version 1.1.0 of getdns.
This version comes with the DNS Privacy stub resolver Stubby. Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way! More information about Stubby is here:
Stubby will be build by default and will be installed in the ${PREFIX}/bin
directory. Also the getdns_query
test tool will be build and installed by default now. If you want the library only, you can disable building and installation of those programs with the --without-stubby
and --without-getdns_query
options to configure
.
getdns_query
(and Stubby) have had functionality added which was not part of the original API specification, but which we think is useful for other applications as well. This includes functions that have been added to deal with parsing and configuring getdns with a configuration file, and functions to serve DNS requests.
To handle configuration files, functions were added to convert strings to getdns native types, getdns_str2dict()
, getdns_str2list()
, getdns_str2bindata()
and getdns_str2int()
; A getdns_context
can then be configured with a resulting getdns_dict
with the new getdns_context_config()
function. This can reduce the amount of code needed to setup a context in a C program.
It also provides default values for extensions and allows the trust anchor and root hints files to be directly specified. For example, the following piece of C code would configure the context to do DNSSEC roadblock avoidance (i.e. validate DNSSEC as stub, fallback to full recursive with hampering middleboxes), with alternative trust-anchor and root-hints.
if (GETDNS_RETURN_GOOD == getdns_str2dict("
{ dnssec_roadblock_avoidance: GETDNS_EXTENSION_TRUE
, dns_root_servers: \"/etc/yeti.root.hints\"
, dnssec_trust_anchors: \"/etc/yeti.key\"
}", &config_dict))
getdns_context_config(context, config_dict);
More detailed (doxygen) documentation about the string to getdns data structure functions, and about configuring getdns_context
s with getdns_dict
s is here:
- https://getdnsapi.net/doxygen/group__Ustring2getdns__data.html
- https://getdnsapi.net/functions/getdns_context_config.html
The getdns_context_set_listen_addresses()
function, allows the user to register a request handler function and list of addresses that will be listened on when the eventloop is run. The request handler function will be called when a DNS requests arrives, with the request in getdns reply dict format. The request handler may construct a response to the request and eventually has to call getdns_reply()
with that response to answer the request (or NULL
to cancel).
I will try to provide and example blog post on the website for this functionality with the actual getdns-1.1.0 release announcement. For now, we have the doxygen documentation and the IETF97 hackathon project delaydns which was using this functionality:
- https://getdnsapi.net/doxygen/group__UServerFunctions.html
- https://github.com/IETF-Hackathon/delaydns
Besides these new functions, we have much improved and more stable and robust scheduling of requests:
- The default event loop, which is also used for synchronous requests, is now based on
poll()
instead ofselect()
and does not inheritselect()
's limits any more. - The limit on number of outstanding queries, set with the
getdns_context_limit_outstanding_queries()
function, will now also be obeyed in stub mode. This was an ommision from the 1.0.0 release. - getdns will now queue up requests that could not be scheduled because of resource limitations, to be rescheduled when resources become available again.
We now also have:
- a new modus for stub resolving in which queries are scheduled round robin over the upstreams. This can be enabled with the
getdns_context_set_round_robin_upstreams()
function. - more fine grained control over how TLS upstreams are retried with the
getdns_context_set_tls_backoff_time()
and thegetdns_context_set_tls_connection_retries()
function.
Finally, we have a new draft MDNS-client implementation by Christian Huitema. To enable it, use the --enable-draft-mdns-client
option to configure
.
Please review (and possibly use at the IETF98 hackathon) this release candidate carefully, if all is well, the actual release will follow Thursday the 6th of April.
ChangeLog
* 2017-04-??: Version 1.1.0
* More fine grained control over TLS upstream retry and back off
behaviour with getdns_context_set_tls_backoff_time() and
getdns_context_set_tls_connection_retries().
* New round robin over the available upstreams feaure.
Enable with getdns_context_set_round_robin_upstreams()
* Bugfix: Queue requests when no sockets available for outgoing queries.
* Obey the outstanding query limit with STUB resolution mode too.
* Updated stubby config file
* Draft MDNS client implementation by Christian Huitema.
Enable with --enable-draft-mdns-support to configure
* bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
By moving default eventloop from select to poll
Thanks Neil Cook
* bugfix: authentication failure for self signed cert + only pinset
* bugfix: issue with session re-use making authentication appear to fail
* 2016-10-19: Version 1.1.0-a2
* Improved TLS connection management
* OpenSSL 1.1 support
* Stubby, Server version of getdns_query that by default listens
on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
and $HOME/.stubby.conf
* 2016-07-14: Version 1.1.0a1
* Conversion functions from text strings to getdns native types:
getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
getdns_str2int()
* A getdns_context_config() function that configures a context
with settings given in a getdns_dict
* A a getdns_context_set_listen_addresses() function and companion
getdns_reply() function to construct simple name servers.
* Relocate getdns_query to src/tools and build by default
* Enhancements to the logic used to select connection based upstream
transports (TCP, TLS) to improve robustness and re-use of
connections/upstreams.
getdns-1.0.0 release
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.0.0.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.0.0.tar.gz.asc |
sha256 | a0460269c6536501a7c0af9bc97f9339e05a012f8191d5c10f79042aa62f9e96 |
Dear All,
We are pleased to announce release 1.0.0 of our library implementation of the getdns API. This release implements the "December 2015" specification of the API. With the exception of namespaces (i.e. mDNS), everything in the API specification is implemented in this release. This for us was a clear marker for a 1.0.0 release.
getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in an API specification. With the implementation of this API, we intend to offer application developers a modernized and flexible way to access DNS security (DNSSEC) and other powerful new DNS features; a particular hope is to inspire application developers towards innovative security solutions in their applications. The open source C implementation of getdns is developed and maintained in collaboration by NLnet Labs, Sinodun, No Mountain Software and others. This implementation is licensed under the New BSD License.
Since the second beta release of 1.0.0, last July, new functionality has not been added in this branch. All efforts for the 1.0.0 release have been focussed towards testing stability and robustness and proper operation on different platforms.
Alongside this release, we have refactored our website and updated it with an example.
It is our intention to add more examples illustrating how to use getdns for common use cases in the future.
Note that this does not mean that we have not worked on new features and functionality. Also in this time we have worked on new features and functionality in the develop branch. A new feature release of getdns will follow shortly (early 2017). It will also contain all the robustness updates that went into 1.0.0, but will introduce only new functionality not in the API specification, primarily enhancements of our implementation of newer DNS specifications such as RFC 7858. and that perhaps has been less thoroughly tested and covered in our unit tests.
Note: if you are a package maintainer, we recommend that you not pick up release 1.0.0 but wait for the first non-beta release of 1.1 in early 2017.
Happy new year!
ChangeLog
* 2017-01-13: Version 1.0.0
* edns0_cookies extension enabled by default (per RFC7873)
* dnssec_roadblock_avoidance enabled by default (per RFC8027)
* bugfix: DSA support with OpenSSL 1.1.0
* Initialize OpenSSL just once in a thread safe way
* Thread safety with arc4random function
* Improvements that came from Visual Studio static analysis
Thanks Christian Huitema
* Conventional RFC3986 IPv6 [address]:port parsing from getdns_query
* bugfix: OpenSSL 1.1.0 style crypto locking
Thanks volkommenheit
* configure tells *which* dependency is missing
* bugfix: Exclude terminating '\0' from bindata's returned by
getdns_get_suffix(). Thanks Jim Hague
* Better README.md. Thanks Andrew Sullivan
* 2016-07-14: Version 1.0.0b2
* Collect coverage information from the unit tests
Thanks Shane Kerr
* pkg-config for the getdns_ext_event library
Thanks Tom Pusateri
* Bugfix: Multiple requests on the same upstream with a transport
that keeps connections open in synchronous stub mode.
* Canonicalized DNSSEC chain with dnssec_return_validation_chain
(when validated)
* A dnssec_return_full_validation_chain extension which includes
then validated resource records.
* Bugfix: Callbacks fired while scheduling (answer from cache)
with the unbound plugable event API
* header extension to set opcode and flags in stub mode
* Unit tests that cover more code
* Static checking with the clang analyzer
* getdns_pretty_print_dict prints dname's as primitives
* Accept just bindata's instead of address dicts.
Allow misshing "address_type" in address dicts.
* TLS session resumption
* -C <config file> option to getdns_query to configure context
from a json like formated file. The output of -i (print API
information) can be used as config file directly.
Settings may also be given in this format as arguments of
the getdns_query command directly.
* DNS server mode for getdns_query. Enable by providing addresses
to listen on, either by giving "-z <listen address>" options or by
providing "listen_addresses" in the config file or settings.
* Bugfixes from deckard testing: CNAME loop protection.
* "srv_addresses" in response dict with getdns_service()
* use libbsd when available
Thanks Guillem Jover
* Bugfix: DNSSEC wildcard validation issue
* Bugfix: TLS timeouts not re-using a connection
* A getdns_context_get_eventloop(), to get the current
(pluggable) eventloop from context
* getdns_query now uses the default event loop (instead of custom)
* Return call_reporting info in case of timeout
Thanks Robert Groenenberg
* Bugfix: Build fails with autoconf 2.63, works with 2.68.
Thanks Robert Groenenberg
* Doxygen output for getdns.h and getdns_extra.h only
* Do not call SSL_library_init() from getdns_context_create() when
the second bit from the set_from_os parameter is set.
* 2016-03-31: Version 1.0.0b1
* openssl 1.1.0 support
* GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
* getdns_context_set_follow_redirects()
* Read suffix list from registry on Windows
* A dnssec_return_all_statuses extension
* Set root servers without temporary file (libunbound >= 1.5.8 needed)
* Eliminate unit test's ldns dependency
* pkts wireformat <-> getdns_dict <-> string
conversion functions
* Eliminate all side effects when doing sync requests
(libunbound >= 1.5.9 needed)
* Bugfix: Load gost algorithm if digest is seen before key algorithm
Thanks Jelte Janssen
* Bugfix: Respect DNSSEC skew.
* Offline dnssec validation for any given point in time
* Correct return value in documentation for getdns_pretty_print_dict().
Thanks Linus Nordberg
* Bugfix: Don't treat "domain" or "search" as a nameserver.
Thanks Linus Nordberg
* Use the default CA trust store on Windows (for DNS over TLS).
* Propagate eventloop to unbound when unbound has pluggable event loops
(libunbound >= 1.5.9 needed)
* Replace mini_event extension by default_eventloop
* Bugfix: Segfault on NULL pin
* Bugfix: Correct output of get_api_settings
* Bugfix: Memory leak with getdns_get_api_information()
Thanks Robert Groenenberg.
Second alpha release for getdns-1.1.0
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.1.0-a2.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.1.0-a2.tar.gz.asc |
sha256 | b805a30753a8c7cd3d6c5363a74a3e45e19043a92d33bc1062ff561d81d1e210 |
We have a special NANOG68 second alpha release of getdns 1.1.0 available for early testing of a subset of features planned for this release.
This release introduces Stubby, a version of getdns_query
that listens on the loopback interface and acts as a local stub resolver daemon. Stubby reads configuration files from /etc/stubby.conf
and $HOME/.stubby.conf
. Here is an example stubby configuration that configures Stubby to use the DNS-OARC TLS resolvers as its upstream:
{ dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, upstream_recursive_servers: [ 184.105.193.78, 2620:ff:c000:0:1::64:25 ]
}
For more information, see the NANOG68 presentation: https://www.nanog.org/sites/default/files/3_stubby-nanog68.pdf
Documentation is available at:
- getdns API documentation: https://getdnsapi.net/documentation/spec/
- getdns doxygen: https://getdnsapi.net/doxygen/
- getdns as a DNS-over-TLS local stub resolver: https://portal.sinodun.com/wiki/display/TDNS/DNS+Privacy+daemon+-+Stubby
Beware that this documentation is not on par with Stubby operation yet.
Expect an updated announcement on the website as soon as we have updated the documentation.
ChangeLog
* 2016-10-19: Version 1.1.0-a2
* Improved TLS connection management
* OpenSSL 1.1 support
* Stubby, Server version of getdns_query that by default listens
on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
and $HOME/.stubby.conf
* 2016-07-14: Version 1.1.0a1
* Conversion functions from text strings to getdns native types:
getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
getdns_str2int()
* A getdns_context_config() function that configures a context
with settings given in a getdns_dict
* A a getdns_context_set_listen_addresses() function and companion
getdns_reply() function to construct simple name servers.
* Relocate getdns_query to src/tools and build by default
* Enhancements to the logic used to select connection based upstream
transports (TCP, TLS) to improve robustness and re-use of
connections/upstreams.
First alpha release for getdns-1.1.0
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.1.0a1.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.1.0a1.tar.gz.asc |
sha256 | dce41ecfef9097c9d33384fbaf1d594fb174a94ccf1e04c1718e26d9fc9e279a |
We are please to announce an alpha release of getdns 1.1.0 is being made available for early testing of a subset of features planned for this release.
Updates:
getdns_query
is promoted to be a a first class citizen of the getdns suite and it is relocated tosrc/tools
and built by default.- The 1.1 release exposes several function prototypes (prototyped in getdns_query) to the library user. Details can be found in the 1.1 doxygen documentation for:
- functions to convert text strings to the getdns native types:
getdns_str2dict()
,getdns_str2dict()
,getdns_str2bindata()
andgetdns_str2int()
(Note that the expected input is similar, but not precisely JSON) - a
getdns_context_config()
function that configures a context with settings provided in a getdns_dict.
This can reduce the amount of code needed to setup a context in a C program dramatically.
It also provides default values for extensions and allows the trust anchor files to be directly specified. - a
getdns_context_set_listen_addresses()
function, that allows the user to register a request handler function and list of addresses that will be listened on when the eventloop is run.
The request handler function will be called when a DNS requests arrives, with the request in getdns reply dict format.
The request handler may construct a response to the request and eventually has to callgetdns_reply()
with that response (orNULL
to cancel) to answer the request. - Enhancements to the logic used to select connection based upstream transports (TCP, TLS) to improve robustness and re-use of connections/upstreams. This facilitates using getdns locally as a DNS-over-TLS stub resolver.
Documentation is available at:
- getdns API documentation: https://getdnsapi.net/documentation/spec/
- getdns doxygen: https://getdnsapi.net/doxygen/
- getdns as a DNS-over-TLS local stub resolver: https://portal.sinodun.com/wiki/display/TDNS/DNS+Privacy+daemon+-+Stubby
ChangeLog
* 2016-07-14: Version 1.1.0a1
* Conversion functions from text strings to getdns native types:
getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
getdns_str2int()
* A getdns_context_config() function that configures a context
with settings given in a getdns_dict
* A a getdns_context_set_listen_addresses() function and companion
getdns_reply() function to construct simple name servers.
* Relocate getdns_query to src/tools and build by default
* Enhancements to the logic used to select connection based upstream
transports (TCP, TLS) to improve robustness and re-use of
connections/upstreams.
Second beta release for getdns-1.0.0
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.0.0b2.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.0.0b2.tar.gz.asc |
sha256 | 67e9935704fa8f5ed5da020c241ef1bf10bb2fbe6691e5118130b69945f6bbc2 |
Updates:
- RFC2782 style ordering of SRV resource records after a call to
getdns_service()
is now implemented (was missing from the previous beta release). - The DNSSEC authentication chain returned by using the
dnssec_return_validation_chain
extension, will now be in canonicalized from and order - A new extension
dnssec_return_full_validation_chain
that will return the DNSSEC authentication chain in canonicalized form and order, including the authenticated resource record set. - The
return_call_reporting
extension will also report on tried upstreams with timeouts - A new
getdns_context_get_eventloop()
companion function to the already existinggetdns_context_set_evenloop()
function, that will allow applications postpone the choice for a specific event library or use the getdns default eventloop for their own I/O. - More leniency in what to accept as an representation for IP and IPv6 addresses (i.e. missing
address_type
keys in the dict, or just the bindate without the dict container). - Significant improvements to the getdns_query test tool including option to use as a daemon listening on a specified address and option to configure
getdns_query
via a configuration file. For more details see https://getdnsapi.net/blog/getdns_query/ - API and Additional API information for this implementation is now available in doxygen format which can be generated using
make doc
.
Bugfixes:
- An issue with DNSSEC wildcard validation
- An issue with CNAME loop protection in generating the response dicts
- Correct processing of callbacks that are fired before the scheduling call has returned
- Correct processing of multiple requests on an open state-full transport
- Correctly reusing a TLS transport after a request on it timed out
Documentation is available at:
- getdns API documentation: https://getdnsapi.net/documentation/spec/
- getdns doxygen: https://getdnsapi.net/doxygen/
- getdns_query documentation: https://getdnsapi.net/blog/getdns_query/
We would kindly ask that you review and try out this beta release thoroughly. Depending on feedback, we hope to have a production release available in early October.
ChangeLog
* Collect coverage information from the unit tests
Thanks Shane Kerr
* pkg-config for the getdns_ext_event library
Thanks Tom Pusateri
* Bugfix: Multiple requests on the same upstream with a transport
that keeps connections open in synchronous stub mode.
* Canonicalized DNSSEC chain with dnssec_return_validation_chain
(when validated)
* A dnssec_return_full_validation_chain extension which includes
then validated resource records.
* Bugfix: Callbacks fired while scheduling (answer from cache)
with the unbound plugable event API
* header extension to set opcode and flags in stub mode
* Unit tests that cover more code
* Static checking with the clang analyzer
* getdns_pretty_print_dict prints dname's as primitives
* Accept just bindata's instead of address dicts.
Allow misshing "address_type" in address dicts.
* TLS session resumption
* -C <config file> option to getdns_query to configure context
from a json like formated file. The output of -i (print API
information) can be used as config file directly.
Settings may also be given in this format as arguments of
the getdns_query command directly.
* DNS server mode for getdns_query. Enable by providing addresses
to listen on, either by giving "-z <listen address>" options or by
providing "listen_addresses" in the config file or settings.
* Bugfixes from deckard testing: CNAME loop protection.
* "srv_addresses" in response dict with getdns_service()
* use libbsd when available
Thanks Guillem Jover
* Bugfix: DNSSEC wildcard validation issue
* Bugfix: TLS timeouts not re-using a connection
* A getdns_context_get_eventloop(), to get the current
(pluggable) eventloop from context
* getdns_query now uses the default event loop (instead of custom)
* Return call_reporting info in case of timeout
Thanks Robert Groenenberg
* Bugfix: Build fails with autoconf 2.63, works with 2.68.
Thanks Robert Groenenberg
* Do not call SSL_library_init() from getdns_context_create() when
the second bit from the set_from_os parameter is set.
First beta release for getdns-1.0.0
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-1.0.0b1.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-1.0.0b1.tar.gz.asc |
sha256 | 01ca30b4642762e268e2b7b48ff6835212bfc99e0a6f79b57e0fc801f30e776a |
Dear All,
I am very pleased to announce that we have a beta release for version 1.0.0 of getdns
We are now 100% spec complete. The last remaining function from the specification, getdns_context_set_follow_redirects()
, is functional with this release. This release also contains the following improvements and non-spec features:
-
A
dnssec_return_all_statuses
extensionUse this extension if you want to know about DNSSEC status, but you don't want the DNSSEC protection. When this extension is set, all replies will always be included in the response dict, regardless their dnssec status.
When used on its own or in combination with justdnssec_return_status
, it will return BOGUS replies, but those replies will have"dnssec_status": GETDNS_DNSSEC_BOGUS
. The response dict"status"
will beGETDNS_RESPSTATUS_GOOD
then.
When used on in combination withdnssec_return_only_secure,
it will return BOGUS and INSECURE replies (shown in their"dnssec_status"
). The response dict"status"
can be any of the status that thednssec_return_only_secure
extenstion returns, soGETDNS_RESPSTATUS_GOOD
when at least one reply was secure,GETDNS_RESPSTATUS_NO_SECURE_ANSWERS
when all replies were insecure, orGETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS
when all replies were bogus. -
Conversion functions for DNS messages.
With these the unit tests could be adapted so they are not dependent on ldns anymore
-
GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST
default suffix handlingThis makes suffix handling more like what is conventional with system stub behaviour. Suffixes are appended to a name before trying it without suffixes, but only if the name consists of a single label.
-
MS Windows version in 100% working order
- The default event loop, that is also used for synchronous calls, has been renewed. With it, TCP and TLS transports are now also possible on MS Windows.
- The event loop extension (custom or not) will now also be used in recursive lookups (libunbound >= 1.5.9 is needed for this). Because of this it is now also possible to do recursive requests in MS Windows.
- The MS Windows native certificate store will be used with TLS transport and also suffixes are initialized as the system stub is.
Besides these new features and improvements, a few bugs have been fixed. For a complete overview see the ChangeLog below.
We would kindly ask you to review and try out this bete release thoroughly. The 1.0.0 release will follow as soon as we are confident we haven't missed anything and it is ready for production
ChangeLog
* openssl 1.1.0 support
* GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
* getdns_context_set_follow_redirects()
* Read suffix list from registry on Windows
* A dnssec_return_all_statuses extension
* Set root servers without temporary file (libunbound >= 1.5.8 needed)
* Eliminate unit test's ldns dependency
* pkts wireformat <-> getdns_dict <-> string
conversion functions
* Eliminate all side effects when doing sync requests
(libunbound >= 1.5.9 needed)
* Bugfix: Load gost algorithm if digest is seen before key algorithm
Thanks Jelte Janssen
* Bugfix: Respect DNSSEC skew.
* Offline dnssec validation for any given point in time
* Correct return value in documentation for getdns_pretty_print_dict().
Thanks Linus Nordberg
* Bugfix: Don't treat "domain" or "search" as a nameserver.
Thanks Linus Nordberg
* Use the default CA trust store on Windows (for DNS over TLS).
* Propagate eventloop to unbound when unbound has pluggable event loops
(libunbound >= 1.5.9 needed)
* Replace mini_event extension by default_eventloop
* Bugfix: Segfault on NULL pin
* Bugfix: Correct output of get_api_settings
* Bugfix: Memory leak with getdns_get_api_information()
Thanks Robert Groenenberg.
getdns-0.9.0 release
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-0.9.0.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-0.9.0.tar.gz.asc |
sha256 | b6b73a501ee79c0fafb0721023eb3a5d0e1bfa047fbe65302db278cb956bd1fe |
Dear All,
We have a special New Year's Eve release, version 0.9.0 of getdns.
This release brings the implementation on par with the December 2015 version of the specification and has (almost) all of the still remaining functionality from the specification implemented. These include:
-
Respecting the given dns root servers in recursive resolution modus
See this in action with
getdns_query
, for example with the root servers of the Yeti DNS Project (https://yeti-dns.org/):getdns_query -f yeti.key -R yeti.hints getdnsapi.net A +dnssec_return_status
Where
yeti.key
came from:
https://github.com/BII-Lab/Yeti-Project/raw/master/domain/KSK.pub
andyeti.hints
came from:
https://github.com/BII-Lab/Yeti-Project/raw/master/domain/named.cache -
TSIG authentication.
Specification of upstreams with
getdns_query
has been extended to configure a TSIG name and secret. From thegetdns_query
help text:getdns_query [<option> ...] [@<upstream> ...] [+<extension> ...] [<name>] [<type>] upstreams: @<ip>[%<scope_id>][@<port>][#<tls port>][~<tls name>][^<tsig spec>] tsig spec: [<algorithm>:]<name>:<secret in Base64>
For example:
getdns_query -s @185.49.141.37^hmac-md5.tsigs.getdnsapi.net:16G69OTeXW6xSQ== getdnsapi.net SOA
You can check the query was
TSIG
authenticated by looking for thetsig_status
key in the replies in thereplies_tree
. -
Operation of suffixes and the "
append_name
" setting.Options have been added to
getdns_query
to try this out too. A list of suffixes to be tried can be given with the-Z
option, so that this query:getdns_query -Z getdnsapi.net,com -A www.verisignlabs
Will first try to get the addresses for
www.verisignlabs.getdnsapi.net
and will then try and return the successfull lookup of the addresses forwww.verisignlabs.com
-
The
add_warning_for_bad_dns
extension.For example, this query:
getdns_query +add_warning_for_bad_dns _443._tcp.www.nlnetlabs.nl TXT
will result in having the following
"bad dns"
list in the reply in thereplies_tree
:"bad_dns": [ GETDNS_BAD_DNS_CNAME_RETURNED_FOR_OTHER_TYPE , GETDNS_BAD_DNS_ALL_NUMERIC_LABEL ]
Other new features and noteworthy improvements are:
-
Functions to convert
getdns_dict
s representing resource records to and from wire- and zone file format.Also zone files can be read into a
getdns_list
ofgetdns_dict
s representing the resource records in that zone file. These lists can then conveniently be used with (for example)getdns_context_set_dns_root_servers()
andgetdns_context_set_dnssec_trust_anchors()
.
There is brief doxygen documentation for the conversion functions here:- https://getdnsapi.net/functions/getdns_rr_dict2wire.html.
Example usage can be found in the unit test package for these functions: - https://github.com/getdnsapi/getdns/blob/release/v0.9.0/src/test/tpkg/260-conversion-functions.tpkg/260-conversion-functions.c
The output produced by this example program: - https://github.com/getdnsapi/getdns/blob/release/v0.9.0/src/test/tpkg/260-conversion-functions.tpkg/260-conversion-functions.good
- https://getdnsapi.net/functions/getdns_rr_dict2wire.html.
-
TCP Fast Open support whenever available on the platform (including Mac-OS X (new)).
-
Client side
edns-tcp-keepalive
support -
Pinning of upstream certificate's public keys with pinsets (with TLS transport)
Configuration is done per-upstream, with an additional member of the upstream object,
tls_pubkey_pinset
. This is a list of dicts, each of which describes a public key pin, which looks like this:{ "address_data": <bindata for 185.49.141.38>, "address_type": <bindata of "IPv4">, "tls_pubkey_pinset": [ { "digest": <bindata of "sha256">, "value": <bindata of 0x17d099f483436ddfb6791428cd8aaa6d...> }, { "digest": <bindata of "sha256">, "value": <bindata of 0x7e8c59467221f606695a797ecc488a6b...> } ] }
There is a new argument for
getdns_query
,-K
, to specify pins.
All pins are applied to all upstreams. For example:getdns_query -s -K 'pin-sha256="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="' @185.49.141.38~getdnsapi.net -L -m
-
Initial support for Windows
Besides these new functionalities, a few bugs have been fixed. For a complete overview see the ChangeLog below.
ChangeLog
* Update of unofficial extension to the API that supports stub mode
TLS verification. GETDNS_AUTHENTICATION_HOSTNAME is replaced by
GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias).
Upstreams can now be configured with either a hostname or a SPKI pinset
for TLS authentication (or both). If the GETDNS_AUTHENTICATION_REQUIRED
option is used at least one piece of authentication information must be
configured for each upstream, and all the configured authentication
information for an upstream must validate.
* Remove STARTTLS implementation (no change to SPEC)
* Enable TCP Fast Open when possible. Add OSX support for TFO.
* Rename return_call_debugging to return_call_reporting
* Bugfix: configure problem with getdns-0.5.1 on OpenBSD
Thanks Claus Assmann.
* pkg-config support. Thanks Neil Cook.
* Functions to convert from RR dicts to wireformat and text format
and vice versa. Including a function that builds a getdns_list
of RR dicts from a zonefile.
* Use the with the getdns_context_set_dns_root_servers() function
provided root servers in recursing resolution modus.
* getdns_query option (-f) to read a DNSSEC trust anchor from file.
* getdns_query option (-R) to read a "root hints" file.
* Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
dnssec_return_validation_chain.
* Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
* Client side edns-tcp-keepalive support
* TSIG support + getdns_query syntax to specify TSIG parameters
per upstream: @<ip>[^[<algorithm>:]<name>:<secret in Base64>]
* Bugfix: Allow truncated answers to be returned in case of missing
fallback transport.
* Verify upstream TLS pubkeys with pinsets; A getdns_query option
(-K) to attach pinsets to getdns_contexts.
Thanks Daniel Kahn Gillmor
* Initial support for Windows. Thanks Gowri Visweswaran
* add_warning_for_bad_dns extension
* Try and retry with suffixes giving with getdns_context_set_suffix()
following directions given by getdns_context_set_append_name()
getdns_query options to set suffixes and append_name directions:
'-W' to append suffix always (default)
'-1' to append suffix only to single label after failure
'-M' to append suffix only to multi label name after failure
'-N' to never append a suffix
'-Z <suffixes>' to set suffixes with the given comma separed list
* Better help text for getdns_query (printed with the '-h' option)
* Setting the +specify_class extension with getdns_query
* Return NOT_IMPLEMENTED for not implemented namespaces, and the
not implemented getdns_context_set_follow_redirects() function.
getdns-0.5.1 release
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-0.5.1.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-0.5.1.tar.gz.asc |
sha256 | 273659b3a9236e8f9ae1e69dd37cd2f11554b156f33162c952f40221c1feeaa3 |
We have special RIPE71 release, version 0.5.1 of getdns.
This release contains all contributions added during the hackathon helt at the IETF94 in Yokahama; carefully reviewed and polished.
The included contributions are:
-
EDNS(0) padding option
With this option, the query size will be padded to be a multiple of a block size when queried over
GETDNS_TRANSPORT_TLS
transport, to eliminate guessing the query by analyzing query sizes.
The block size can be set withgetdns_context_set_tls_query_padding_blocksize()
function. -
An EDNS client subnet private option
With this option EDNS client subnet aware upstreams are asked to not reveal the originating network of the query.
-
The
return_call_debugging
extensionsThis extension was already in the API, but had not been implemented yet.
It returns "meta" information about a query in the response dict (under the name "call_debugging
".
On top of the returned information which was already described in the API spec, this version also returns information about the transport eventually used to perform the query, and (if applicable) whether authentication succeeded. -
A
dnssec_roadblock_avoidance
extensionWhen set, the library will work in stub resolution mode and try to get a by DNSSEC validation assessed answer.
On BOGUS answers the library will retry recursive resolution mode.
This is the simplest form of passive roadblock detection and avoidance.
For a very extensive overview of the types of roadblock, see: draft-ietf-dnsop-dnssec-roadblock-avoidance.
Use the--enable-draft-dnssec-roadblock-avoidance
option to configure to compile with this extension.
Besides these additions contains a few bugfixes too. For an complete overview see the ChangeLog.
ChangeLog
* Bugfix: growing upstreams arrow.
* Bugfix: Segfault on timeout in specific conditions
* Bugfix: install getdns_extra.h from build location
* Bugfix: Don't let cookies overwrite existing EDNS0 options
* Don't link libdl
* The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
When using DNS over TLS, query sizes will be padded to multiples
of a block size given with:
getdns_context_set_tls_query_padding_blocksize()
* An EDNS client subnet private option, that will ask a EDNS client
subnet aware resolver to not reveal any details about the
originating network. See: draft-ietf-dnsop-edns-client-subnet
Set with: getdns_context_set_edns_client_subnet_private()
* The return_call_debugging extension. The extension will also return
the transport used on top of the information about the request which
is described in the API spec.
* A dnssec_roadblock_avoidance extension. When set, the library will
work in stub resolution mode and try to get a by DNSSEC validation
assessed answer. On BOGUS answers the library will retry rescursive
resolution mode. This is the simplest form of passive roadblock
detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
Use the --enable-draft-dnssec-roadblock-avoidance option to configure
to compile with this extension.
getdns-0.5.0 release
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead: |
|
---|---|
tarball | https://getdnsapi.net/dist/getdns-0.5.0.tar.gz |
pgp sig | https://getdnsapi.net/dist/getdns-0.5.0.tar.gz.asc |
sha256 | b0680170249ba9987b8af4c7f2bc64833fe6396ecd66565c991b33775f78ccdb |
Dear All,
We have a new release version 0.5.0 of getdns.
This is mostly a new features release
This release does all crypto operations using OpenSSL directly and has no longer a dependency on libldns. Note however that libldns is still used by the unit tests.
Following the October 2015 release of the API specification, the library can now access deeply embedded data structure members in getdns_dict
s by using JSON Pointers as the name to be accessed (RFC 6901). This works for the getter and setter functions (getdns_dict_get_*
and getdns_dict_set_*
).
DNS over TLS now uses the default IANA assigned port number for domain-s: 853.
This release includes an experimental implementation of upstream server hostname authentication for TLS connections in stub mode (note that the default behaviour has not changed compared to the 0.3 release). A new, non-standard function getdns_context_set_tls_authentication()
can be used to set the authentication to GETDNS_AUTHENTICATION_HOSTNAME
which requires that a server provides a valid certificate (validated using the default CA repository) and that the hostname specified in the "tls_auth_name
" field of the upstream dict matches that in the certificate. The authentication setting is only enforced when the transport list contains only GETDNS_TRANSPORT_TLS
and in this case if authentication fails for all upstreams, queries will fail. If the transport list contains other clear text transports then opportunistic TLS will be performed which does not require authentication of the TLS connection. Examples of usage using the getdns_query
tool can be found in the tests_transports.sh
script in the test
directory.
ChangeLog
* 2015-10-29: Version 0.5.0
* Native crypto. No ldns dependency anymore.
(ldns still necessary to be able to run tests though)
* JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_*
to dereference nested dicts and lists.
* Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned
DS answers close to the root. Thanks Theogene Bucuti!
* Default port for TLS changed to 853
* Unofficial extension to the API to allow TLS hostname verification to be
required for stub mode when using only TLS as a transport.
When required a hostname must be supplied in the
'hostname' field of the upstream_list dict and the TLS cipher suites are
restricted to the 4 AEAD suites recommended in RFC7525.