Skip to content

Releases: getdnsapi/getdns

Second release candidate for getdns-1.1.0

28 Dec 11:10
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.1.0-rc2.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.1.0-rc2.tar.gz.asc
sha256 5b58ce061cea83344bdd85a9e9129a45cb785de887ebe670f99a0f5c09e169a0

Dear all,

We have a second release candidate for the new feature release version 1.1.0 of getdns.

The first release has been extensively tested and used in the IETF98 Hackathon, which has let to some great hacks!, and also revealed some improvement potentials and even some bugs.

This second release candidate addresses those things:

  • The return_call_reporting extension now also returns the remote end's certificate if the interaction was over TLS.
  • Statefull connections with and idle_timeout > 0 will not be closed after doing a synchronous request anymore. This also involved a bugfix for naked timeout events with Windows.
  • Stability of the dnssec extensions in combination with statefull transports have been improved (and a bugfix in which this combination hang).
  • A default edns0 padding policy contributed by DKG.
  • A new function getdns_context_unset_edns_maximum_udp_payload_size() to reset to the default behaviour to have a maximum UDP payload size dependent on the address family; 1432 for IPv4 and 1232 for IPv6 to maximize receptivity.

Please review this release candidate carefully, if all is well, the actual release will follow Thursday the 13th of April.

ChangeLog

* 2017-04-??: Version 1.1.0
  * bugfix: Reschedule request timeout when getting the DNSSEC chain.
  * getdns_context_unset_edns_maximum_udp_payload_size() to reset
    to default IPv4/IPv6 dependent edns max udp payload size.
  * Implement sensible default edns0 padding policy.  Thanks DKG.
  * Keep connections open with sync requests too.
  * Fix of event loops so they do not give up with naked timers with
    windows.  Thanks Christian Huitema.
  * Include peer certificate with DNS-over-TLS in combination with
    the return_call_reporting extension.

* 2017-03-23: Version 1.1.0-rc1
  * More fine grained control over TLS upstream retry and back off
    behaviour with getdns_context_set_tls_backoff_time() and
    getdns_context_set_tls_connection_retries().
  * New round robin over the available upstreams feaure.
    Enable with getdns_context_set_round_robin_upstreams()
  * Bugfix: Queue requests when no sockets available for outgoing queries.
  * Obey the outstanding query limit with STUB resolution mode too.
  * Updated stubby config file
  * Draft MDNS client implementation by Christian Huitema.
    Enable with --enable-draft-mdns-support to configure
  * bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
            By moving default eventloop from select to poll
    Thanks Neil Cook
  * bugfix: authentication failure for self signed cert + only pinset
  * bugfix: issue with session re-use making authentication appear to fail

* 2016-10-19: Version 1.1.0-a2
  * Improved TLS connection management
  * OpenSSL 1.1 support
  * Stubby, Server version of getdns_query that by default listens
    on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
    and $HOME/.stubby.conf

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A a getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

First release candidate for getdns-1.1.0

28 Dec 11:10
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.1.0-rc1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.1.0-rc1.tar.gz.asc
sha256 d91ec104b33880ac901f36b8cc01b22f9086fcf7d4ab94c0cbc56336d1f6bec0

Dear all,

We are pleased to announce the special, IETF98 hackathon, first release candidate for the new feature release version 1.1.0 of getdns.

This version comes with the DNS Privacy stub resolver Stubby. Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way! More information about Stubby is here:

Stubby will be build by default and will be installed in the ${PREFIX}/bin directory. Also the getdns_query test tool will be build and installed by default now. If you want the library only, you can disable building and installation of those programs with the --without-stubby and --without-getdns_query options to configure.

getdns_query (and Stubby) have had functionality added which was not part of the original API specification, but which we think is useful for other applications as well. This includes functions that have been added to deal with parsing and configuring getdns with a configuration file, and functions to serve DNS requests.

To handle configuration files, functions were added to convert strings to getdns native types, getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and getdns_str2int(); A getdns_context can then be configured with a resulting getdns_dict with the new getdns_context_config() function. This can reduce the amount of code needed to setup a context in a C program.

It also provides default values for extensions and allows the trust anchor and root hints files to be directly specified. For example, the following piece of C code would configure the context to do DNSSEC roadblock avoidance (i.e. validate DNSSEC as stub, fallback to full recursive with hampering middleboxes), with alternative trust-anchor and root-hints.

if (GETDNS_RETURN_GOOD == getdns_str2dict("
    { dnssec_roadblock_avoidance: GETDNS_EXTENSION_TRUE
    , dns_root_servers: \"/etc/yeti.root.hints\"
    , dnssec_trust_anchors: \"/etc/yeti.key\"
    }", &config_dict))
        getdns_context_config(context, config_dict);

More detailed (doxygen) documentation about the string to getdns data structure functions, and about configuring getdns_contexts with getdns_dicts is here:

The getdns_context_set_listen_addresses() function, allows the user to register a request handler function and list of addresses that will be listened on when the eventloop is run. The request handler function will be called when a DNS requests arrives, with the request in getdns reply dict format. The request handler may construct a response to the request and eventually has to call getdns_reply() with that response to answer the request (or NULL to cancel).

I will try to provide and example blog post on the website for this functionality with the actual getdns-1.1.0 release announcement. For now, we have the doxygen documentation and the IETF97 hackathon project delaydns which was using this functionality:

Besides these new functions, we have much improved and more stable and robust scheduling of requests:

  • The default event loop, which is also used for synchronous requests, is now based on poll() instead of select() and does not inherit select()'s limits any more.
  • The limit on number of outstanding queries, set with the getdns_context_limit_outstanding_queries() function, will now also be obeyed in stub mode. This was an ommision from the 1.0.0 release.
  • getdns will now queue up requests that could not be scheduled because of resource limitations, to be rescheduled when resources become available again.

We now also have:

Finally, we have a new draft MDNS-client implementation by Christian Huitema. To enable it, use the --enable-draft-mdns-client option to configure.

Please review (and possibly use at the IETF98 hackathon) this release candidate carefully, if all is well, the actual release will follow Thursday the 6th of April.

ChangeLog

* 2017-04-??: Version 1.1.0
  * More fine grained control over TLS upstream retry and back off
    behaviour with getdns_context_set_tls_backoff_time() and
    getdns_context_set_tls_connection_retries().
  * New round robin over the available upstreams feaure.
    Enable with getdns_context_set_round_robin_upstreams()
  * Bugfix: Queue requests when no sockets available for outgoing queries.
  * Obey the outstanding query limit with STUB resolution mode too.
  * Updated stubby config file
  * Draft MDNS client implementation by Christian Huitema.
    Enable with --enable-draft-mdns-support to configure
  * bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
            By moving default eventloop from select to poll
    Thanks Neil Cook
  * bugfix: authentication failure for self signed cert + only pinset
  * bugfix: issue with session re-use making authentication appear to fail

* 2016-10-19: Version 1.1.0-a2
  * Improved TLS connection management
  * OpenSSL 1.1 support
  * Stubby, Server version of getdns_query that by default listens
    on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
    and $HOME/.stubby.conf

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A a getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

getdns-1.0.0 release

28 Dec 11:09
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.0.0.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.0.0.tar.gz.asc
sha256 a0460269c6536501a7c0af9bc97f9339e05a012f8191d5c10f79042aa62f9e96

Dear All,

We are pleased to announce release 1.0.0 of our library implementation of the getdns API. This release implements the "December 2015" specification of the API. With the exception of namespaces (i.e. mDNS), everything in the API specification is implemented in this release. This for us was a clear marker for a 1.0.0 release.

getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in an API specification. With the implementation of this API, we intend to offer application developers a modernized and flexible way to access DNS security (DNSSEC) and other powerful new DNS features; a particular hope is to inspire application developers towards innovative security solutions in their applications. The open source C implementation of getdns is developed and maintained in collaboration by NLnet Labs, Sinodun, No Mountain Software and others. This implementation is licensed under the New BSD License.

Since the second beta release of 1.0.0, last July, new functionality has not been added in this branch. All efforts for the 1.0.0 release have been focussed towards testing stability and robustness and proper operation on different platforms.

Alongside this release, we have refactored our website and updated it with an example.
It is our intention to add more examples illustrating how to use getdns for common use cases in the future.

Note that this does not mean that we have not worked on new features and functionality. Also in this time we have worked on new features and functionality in the develop branch. A new feature release of getdns will follow shortly (early 2017). It will also contain all the robustness updates that went into 1.0.0, but will introduce only new functionality not in the API specification, primarily enhancements of our implementation of newer DNS specifications such as RFC 7858. and that perhaps has been less thoroughly tested and covered in our unit tests.

Note: if you are a package maintainer, we recommend that you not pick up release 1.0.0 but wait for the first non-beta release of 1.1 in early 2017.

Happy new year!

ChangeLog

* 2017-01-13: Version 1.0.0
  * edns0_cookies extension enabled by default (per RFC7873)
  * dnssec_roadblock_avoidance enabled by default (per RFC8027)
  * bugfix: DSA support with OpenSSL 1.1.0
  * Initialize OpenSSL just once in a thread safe way
  * Thread safety with arc4random function
  * Improvements that came from Visual Studio static analysis
    Thanks Christian Huitema
  * Conventional RFC3986 IPv6 [address]:port parsing from getdns_query
  * bugfix: OpenSSL 1.1.0 style crypto locking
    Thanks volkommenheit
  * configure tells *which* dependency is missing
  * bugfix: Exclude terminating '\0' from bindata's returned by
    getdns_get_suffix(). Thanks Jim Hague
  * Better README.md.  Thanks Andrew Sullivan

* 2016-07-14: Version 1.0.0b2
  * Collect coverage information from the unit tests
    Thanks Shane Kerr
  * pkg-config for the getdns_ext_event library
    Thanks Tom Pusateri
  * Bugfix: Multiple requests on the same upstream with a transport 
    that keeps connections open in synchronous stub mode.
  * Canonicalized DNSSEC chain with dnssec_return_validation_chain
    (when validated)
  * A dnssec_return_full_validation_chain extension which includes
    then validated resource records.
  * Bugfix: Callbacks fired while scheduling (answer from cache)
    with the unbound plugable event API
  * header extension to set opcode and flags in stub mode
  * Unit tests that cover more code
  * Static checking with the clang analyzer
  * getdns_pretty_print_dict prints dname's as primitives
  * Accept just bindata's instead of address dicts.
    Allow misshing "address_type" in address dicts.
  * TLS session resumption
  * -C <config file> option to getdns_query to configure context 
    from a json like formated file.  The output of -i (print API
    information) can be used as config file directly.
    Settings may also be given in this format as arguments of
    the getdns_query command directly.
  * DNS server mode for getdns_query.  Enable by providing addresses
    to listen on, either by giving "-z <listen address>" options or by
    providing "listen_addresses" in the config file or settings.
  * Bugfixes from deckard testing: CNAME loop protection.
  * "srv_addresses" in response dict with getdns_service()
  * use libbsd when available
    Thanks Guillem Jover
  * Bugfix: DNSSEC wildcard validation issue
  * Bugfix: TLS timeouts not re-using a connection
  * A getdns_context_get_eventloop(), to get the current
    (pluggable) eventloop from context
  * getdns_query now uses the default event loop (instead of custom)
  * Return call_reporting info in case of timeout
    Thanks Robert Groenenberg
  * Bugfix: Build fails with autoconf 2.63, works with 2.68.
    Thanks Robert Groenenberg
  * Doxygen output for getdns.h and getdns_extra.h only
  * Do not call SSL_library_init() from getdns_context_create() when
    the second bit from the set_from_os parameter is set.

* 2016-03-31: Version 1.0.0b1
  * openssl 1.1.0 support
  * GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
  * getdns_context_set_follow_redirects()
  * Read suffix list from registry on Windows
  * A dnssec_return_all_statuses extension
  * Set root servers without temporary file (libunbound >= 1.5.8 needed)
  * Eliminate unit test's ldns dependency
  * pkts wireformat <-> getdns_dict <-> string
    conversion functions
  * Eliminate all side effects when doing sync requests
    (libunbound >= 1.5.9 needed)
  * Bugfix: Load gost algorithm if digest is seen before key algorithm
    Thanks Jelte Janssen
  * Bugfix: Respect DNSSEC skew.
  * Offline dnssec validation for any given point in time
  * Correct return value in documentation for getdns_pretty_print_dict().
    Thanks Linus Nordberg
  * Bugfix: Don't treat "domain" or "search" as a nameserver.
    Thanks Linus Nordberg
  * Use the default CA trust store on Windows (for DNS over TLS).
  * Propagate eventloop to unbound when unbound has pluggable event loops
    (libunbound >= 1.5.9 needed)
  * Replace mini_event extension by default_eventloop
  * Bugfix: Segfault on NULL pin
  * Bugfix: Correct output of get_api_settings
  * Bugfix: Memory leak with getdns_get_api_information() 
    Thanks Robert Groenenberg.

Second alpha release for getdns-1.1.0

28 Dec 11:09
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.1.0-a2.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.1.0-a2.tar.gz.asc
sha256 b805a30753a8c7cd3d6c5363a74a3e45e19043a92d33bc1062ff561d81d1e210

We have a special NANOG68 second alpha release of getdns 1.1.0 available for early testing of a subset of features planned for this release.

This release introduces Stubby, a version of getdns_query that listens on the loopback interface and acts as a local stub resolver daemon. Stubby reads configuration files from /etc/stubby.conf and $HOME/.stubby.conf. Here is an example stubby configuration that configures Stubby to use the DNS-OARC TLS resolvers as its upstream:

{ dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, upstream_recursive_servers: [ 184.105.193.78, 2620:ff:c000:0:1::64:25 ]
}

For more information, see the NANOG68 presentation: https://www.nanog.org/sites/default/files/3_stubby-nanog68.pdf

Documentation is available at:

Beware that this documentation is not on par with Stubby operation yet.
Expect an updated announcement on the website as soon as we have updated the documentation.

ChangeLog

* 2016-10-19: Version 1.1.0-a2
  * Improved TLS connection management
  * OpenSSL 1.1 support
  * Stubby, Server version of getdns_query that by default listens
    on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
    and $HOME/.stubby.conf

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A a getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

First alpha release for getdns-1.1.0

28 Dec 11:11
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.1.0a1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.1.0a1.tar.gz.asc
sha256 dce41ecfef9097c9d33384fbaf1d594fb174a94ccf1e04c1718e26d9fc9e279a

We are please to announce an alpha release of getdns 1.1.0 is being made available for early testing of a subset of features planned for this release.

Updates:

  • getdns_query is promoted to be a a first class citizen of the getdns suite and it is relocated to src/tools and built by default.
  • The 1.1 release exposes several function prototypes (prototyped in getdns_query) to the library user. Details can be found in the 1.1 doxygen documentation for:
  • functions to convert text strings to the getdns native types:
    getdns_str2dict(), getdns_str2dict(), getdns_str2bindata() and getdns_str2int()
    (Note that the expected input is similar, but not precisely JSON)
  • a getdns_context_config() function that configures a context with settings provided in a getdns_dict.
    This can reduce the amount of code needed to setup a context in a C program dramatically.
    It also provides default values for extensions and allows the trust anchor files to be directly specified.
  • a getdns_context_set_listen_addresses() function, that allows the user to register a request handler function and list of addresses that will be listened on when the eventloop is run.
    The request handler function will be called when a DNS requests arrives, with the request in getdns reply dict format.
    The request handler may construct a response to the request and eventually has to call getdns_reply() with that response (or NULL to cancel) to answer the request.
  • Enhancements to the logic used to select connection based upstream transports (TCP, TLS) to improve robustness and re-use of connections/upstreams. This facilitates using getdns locally as a DNS-over-TLS stub resolver.

Documentation is available at:

ChangeLog

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A a getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

Second beta release for getdns-1.0.0

28 Dec 11:08
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.0.0b2.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.0.0b2.tar.gz.asc
sha256 67e9935704fa8f5ed5da020c241ef1bf10bb2fbe6691e5118130b69945f6bbc2

Updates:

  • RFC2782 style ordering of SRV resource records after a call to getdns_service() is now implemented (was missing from the previous beta release).
  • The DNSSEC authentication chain returned by using the dnssec_return_validation_chain extension, will now be in canonicalized from and order
  • A new extension dnssec_return_full_validation_chain that will return the DNSSEC authentication chain in canonicalized form and order, including the authenticated resource record set.
  • The return_call_reporting extension will also report on tried upstreams with timeouts
  • A new getdns_context_get_eventloop() companion function to the already existing getdns_context_set_evenloop() function, that will allow applications postpone the choice for a specific event library or use the getdns default eventloop for their own I/O.
  • More leniency in what to accept as an representation for IP and IPv6 addresses (i.e. missing address_type keys in the dict, or just the bindate without the dict container).
  • Significant improvements to the getdns_query test tool including option to use as a daemon listening on a specified address and option to configure getdns_query via a configuration file. For more details see https://getdnsapi.net/blog/getdns_query/
  • API and Additional API information for this implementation is now available in doxygen format which can be generated using make doc.

Bugfixes:

  • An issue with DNSSEC wildcard validation
  • An issue with CNAME loop protection in generating the response dicts
  • Correct processing of callbacks that are fired before the scheduling call has returned
  • Correct processing of multiple requests on an open state-full transport
  • Correctly reusing a TLS transport after a request on it timed out

Documentation is available at:

We would kindly ask that you review and try out this beta release thoroughly. Depending on feedback, we hope to have a production release available in early October.

ChangeLog

* Collect coverage information from the unit tests
    Thanks Shane Kerr
  * pkg-config for the getdns_ext_event library
    Thanks Tom Pusateri
  * Bugfix: Multiple requests on the same upstream with a transport 
    that keeps connections open in synchronous stub mode.
  * Canonicalized DNSSEC chain with dnssec_return_validation_chain
    (when validated)
  * A dnssec_return_full_validation_chain extension which includes
    then validated resource records.
  * Bugfix: Callbacks fired while scheduling (answer from cache)
    with the unbound plugable event API
  * header extension to set opcode and flags in stub mode
  * Unit tests that cover more code
  * Static checking with the clang analyzer
  * getdns_pretty_print_dict prints dname's as primitives
  * Accept just bindata's instead of address dicts.
    Allow misshing "address_type" in address dicts.
  * TLS session resumption
  * -C <config file> option to getdns_query to configure context 
    from a json like formated file.  The output of -i (print API
    information) can be used as config file directly.
    Settings may also be given in this format as arguments of
    the getdns_query command directly.
  * DNS server mode for getdns_query.  Enable by providing addresses
    to listen on, either by giving "-z <listen address>" options or by
    providing "listen_addresses" in the config file or settings.
  * Bugfixes from deckard testing: CNAME loop protection.
  * "srv_addresses" in response dict with getdns_service()
  * use libbsd when available
    Thanks Guillem Jover
  * Bugfix: DNSSEC wildcard validation issue
  * Bugfix: TLS timeouts not re-using a connection
  * A getdns_context_get_eventloop(), to get the current
    (pluggable) eventloop from context
  * getdns_query now uses the default event loop (instead of custom)
  * Return call_reporting info in case of timeout
    Thanks Robert Groenenberg
  * Bugfix: Build fails with autoconf 2.63, works with 2.68.
    Thanks Robert Groenenberg
  * Do not call SSL_library_init() from getdns_context_create() when
    the second bit from the set_from_os parameter is set.

First beta release for getdns-1.0.0

28 Dec 11:08
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.0.0b1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.0.0b1.tar.gz.asc
sha256 01ca30b4642762e268e2b7b48ff6835212bfc99e0a6f79b57e0fc801f30e776a

Dear All,

I am very pleased to announce that we have a beta release for version 1.0.0 of getdns

We are now 100% spec complete. The last remaining function from the specification, getdns_context_set_follow_redirects(), is functional with this release. This release also contains the following improvements and non-spec features:

  • A dnssec_return_all_statuses extension

    Use this extension if you want to know about DNSSEC status, but you don't want the DNSSEC protection. When this extension is set, all replies will always be included in the response dict, regardless their dnssec status.
    When used on its own or in combination with just dnssec_return_status, it will return BOGUS replies, but those replies will have "dnssec_status": GETDNS_DNSSEC_BOGUS. The response dict "status" will be GETDNS_RESPSTATUS_GOOD then.
    When used on in combination with dnssec_return_only_secure, it will return BOGUS and INSECURE replies (shown in their "dnssec_status"). The response dict "status" can be any of the status that the dnssec_return_only_secure extenstion returns, so GETDNS_RESPSTATUS_GOOD when at least one reply was secure, GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when all replies were insecure, or GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS when all replies were bogus.

  • Conversion functions for DNS messages.

    With these the unit tests could be adapted so they are not dependent on ldns anymore

  • GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling

    This makes suffix handling more like what is conventional with system stub behaviour. Suffixes are appended to a name before trying it without suffixes, but only if the name consists of a single label.

  • MS Windows version in 100% working order

    • The default event loop, that is also used for synchronous calls, has been renewed. With it, TCP and TLS transports are now also possible on MS Windows.
    • The event loop extension (custom or not) will now also be used in recursive lookups (libunbound >= 1.5.9 is needed for this). Because of this it is now also possible to do recursive requests in MS Windows.
    • The MS Windows native certificate store will be used with TLS transport and also suffixes are initialized as the system stub is.

Besides these new features and improvements, a few bugs have been fixed. For a complete overview see the ChangeLog below.

We would kindly ask you to review and try out this bete release thoroughly. The 1.0.0 release will follow as soon as we are confident we haven't missed anything and it is ready for production

ChangeLog

* openssl 1.1.0 support
  * GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
  * getdns_context_set_follow_redirects()
  * Read suffix list from registry on Windows
  * A dnssec_return_all_statuses extension
  * Set root servers without temporary file (libunbound >= 1.5.8 needed)
  * Eliminate unit test's ldns dependency
  * pkts wireformat <-> getdns_dict <-> string
    conversion functions
  * Eliminate all side effects when doing sync requests
    (libunbound >= 1.5.9 needed)
  * Bugfix: Load gost algorithm if digest is seen before key algorithm
    Thanks Jelte Janssen
  * Bugfix: Respect DNSSEC skew.
  * Offline dnssec validation for any given point in time
  * Correct return value in documentation for getdns_pretty_print_dict().
    Thanks Linus Nordberg
  * Bugfix: Don't treat "domain" or "search" as a nameserver.
    Thanks Linus Nordberg
  * Use the default CA trust store on Windows (for DNS over TLS).
  * Propagate eventloop to unbound when unbound has pluggable event loops
    (libunbound >= 1.5.9 needed)
  * Replace mini_event extension by default_eventloop
  * Bugfix: Segfault on NULL pin
  * Bugfix: Correct output of get_api_settings
  * Bugfix: Memory leak with getdns_get_api_information() 
    Thanks Robert Groenenberg.

getdns-0.9.0 release

28 Dec 11:30
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-0.9.0.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-0.9.0.tar.gz.asc
sha256 b6b73a501ee79c0fafb0721023eb3a5d0e1bfa047fbe65302db278cb956bd1fe

Dear All,

We have a special New Year's Eve release, version 0.9.0 of getdns.

This release brings the implementation on par with the December 2015 version of the specification and has (almost) all of the still remaining functionality from the specification implemented. These include:

  • Respecting the given dns root servers in recursive resolution modus

    See this in action with getdns_query, for example with the root servers of the Yeti DNS Project (https://yeti-dns.org/):

    getdns_query -f yeti.key -R yeti.hints getdnsapi.net A +dnssec_return_status
    

    Where yeti.key came from:
    https://github.com/BII-Lab/Yeti-Project/raw/master/domain/KSK.pub
    and yeti.hints came from:
    https://github.com/BII-Lab/Yeti-Project/raw/master/domain/named.cache

  • TSIG authentication.

    Specification of upstreams with getdns_query has been extended to configure a TSIG name and secret. From the getdns_query help text:

    getdns_query [<option> ...] [@<upstream> ...] [+<extension> ...] [<name>] [<type>]
    upstreams: @<ip>[%<scope_id>][@<port>][#<tls port>][~<tls name>][^<tsig spec>]
    tsig spec: [<algorithm>:]<name>:<secret in Base64>
    

    For example:

    getdns_query -s @185.49.141.37^hmac-md5.tsigs.getdnsapi.net:16G69OTeXW6xSQ== getdnsapi.net SOA
    

    You can check the query was TSIG authenticated by looking for the tsig_status key in the replies in the replies_tree.

  • Operation of suffixes and the "append_name" setting.

    Options have been added to getdns_query to try this out too. A list of suffixes to be tried can be given with the -Z option, so that this query:

    getdns_query -Z getdnsapi.net,com -A www.verisignlabs
    

    Will first try to get the addresses for www.verisignlabs.getdnsapi.net and will then try and return the successfull lookup of the addresses for www.verisignlabs.com

  • The add_warning_for_bad_dns extension.

    For example, this query:

    getdns_query +add_warning_for_bad_dns _443._tcp.www.nlnetlabs.nl TXT
    

    will result in having the following "bad dns" list in the reply in the replies_tree:

    "bad_dns": [ GETDNS_BAD_DNS_CNAME_RETURNED_FOR_OTHER_TYPE
               , GETDNS_BAD_DNS_ALL_NUMERIC_LABEL ]
    

Other new features and noteworthy improvements are:

Besides these new functionalities, a few bugs have been fixed. For a complete overview see the ChangeLog below.

ChangeLog

* Update of unofficial extension to the API that supports stub mode 
    TLS verification. GETDNS_AUTHENTICATION_HOSTNAME is replaced by 
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias). 
    Upstreams can now be configured with either a hostname or a SPKI pinset 
    for TLS authentication (or both). If the GETDNS_AUTHENTICATION_REQUIRED
    option is used at least one piece of authentication information must be 
    configured for each upstream, and all the configured authentication 
    information for an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support.  Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa.  Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the with the getdns_context_set_dns_root_servers() function
    provided root servers in recursing resolution modus.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
    dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support + getdns_query syntax to specify TSIG parameters
    per upstream: @<ip>[^[<algorithm>:]<name>:<secret in Base64>]
  * Bugfix: Allow truncated answers to be returned in case of missing
    fallback transport.
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.  Thanks Gowri Visweswaran
  * add_warning_for_bad_dns extension
  * Try and retry with suffixes giving with getdns_context_set_suffix()
    following directions given by getdns_context_set_append_name()
    getdns_query options to set suffixes and append_name directions:
    '-W' to append suffix always (default)
    '-1' to append suffix only to single label after failure
    '-M' to append suffix only to multi label name after failure
    '-N' to never append a suffix
    '-Z <suffixes>' to set suffixes with the given comma separed list
  * Better help text for getdns_query (printed with the '-h' option)
  * Setting the +specify_class extension with getdns_query
  * Return NOT_IMPLEMENTED for not implemented namespaces, and the
    not implemented getdns_context_set_follow_redirects() function.

getdns-0.5.1 release

28 Dec 11:39
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-0.5.1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-0.5.1.tar.gz.asc
sha256 273659b3a9236e8f9ae1e69dd37cd2f11554b156f33162c952f40221c1feeaa3

We have special RIPE71 release, version 0.5.1 of getdns.

This release contains all contributions added during the hackathon helt at the IETF94 in Yokahama; carefully reviewed and polished.

The included contributions are:

  • EDNS(0) padding option

    With this option, the query size will be padded to be a multiple of a block size when queried over GETDNS_TRANSPORT_TLS transport, to eliminate guessing the query by analyzing query sizes.
    The block size can be set with getdns_context_set_tls_query_padding_blocksize() function.

  • An EDNS client subnet private option

    With this option EDNS client subnet aware upstreams are asked to not reveal the originating network of the query.

  • The return_call_debugging extensions

    This extension was already in the API, but had not been implemented yet.
    It returns "meta" information about a query in the response dict (under the name "call_debugging".
    On top of the returned information which was already described in the API spec, this version also returns information about the transport eventually used to perform the query, and (if applicable) whether authentication succeeded.

  • A dnssec_roadblock_avoidance extension

    When set, the library will work in stub resolution mode and try to get a by DNSSEC validation assessed answer.
    On BOGUS answers the library will retry recursive resolution mode.
    This is the simplest form of passive roadblock detection and avoidance.
    For a very extensive overview of the types of roadblock, see: draft-ietf-dnsop-dnssec-roadblock-avoidance.
    Use the --enable-draft-dnssec-roadblock-avoidance option to configure to compile with this extension.

Besides these additions contains a few bugfixes too. For an complete overview see the ChangeLog.

ChangeLog

* Bugfix: growing upstreams arrow.
  * Bugfix: Segfault on timeout in specific conditions
  * Bugfix: install getdns_extra.h from build location
  * Bugfix: Don't let cookies overwrite existing EDNS0 options
  * Don't link libdl
  * The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
    When using DNS over TLS, query sizes will be padded to multiples
    of a block size given with:
    getdns_context_set_tls_query_padding_blocksize()
  * An EDNS client subnet private option, that will ask a EDNS client
    subnet aware resolver to not reveal any details about the 
    originating network.  See: draft-ietf-dnsop-edns-client-subnet
    Set with: getdns_context_set_edns_client_subnet_private()
  * The return_call_debugging extension.  The extension will also return
    the transport used on top of the information about the request which
    is described in the API spec.
  * A dnssec_roadblock_avoidance extension.  When set, the library will
    work in stub resolution mode and try to get a by DNSSEC validation
    assessed answer.  On BOGUS answers the library will retry rescursive
    resolution mode.  This is the simplest form of passive roadblock
    detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
    Use the --enable-draft-dnssec-roadblock-avoidance option to configure
    to compile with this extension.

getdns-0.5.0 release

28 Dec 11:40
Compare
Choose a tag to compare
 
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-0.5.0.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-0.5.0.tar.gz.asc
sha256 b0680170249ba9987b8af4c7f2bc64833fe6396ecd66565c991b33775f78ccdb

Dear All,

We have a new release version 0.5.0 of getdns.

This is mostly a new features release

This release does all crypto operations using OpenSSL directly and has no longer a dependency on libldns. Note however that libldns is still used by the unit tests.

Following the October 2015 release of the API specification, the library can now access deeply embedded data structure members in getdns_dicts by using JSON Pointers as the name to be accessed (RFC 6901). This works for the getter and setter functions (getdns_dict_get_* and getdns_dict_set_*).

DNS over TLS now uses the default IANA assigned port number for domain-s: 853.

This release includes an experimental implementation of upstream server hostname authentication for TLS connections in stub mode (note that the default behaviour has not changed compared to the 0.3 release). A new, non-standard function getdns_context_set_tls_authentication() can be used to set the authentication to GETDNS_AUTHENTICATION_HOSTNAME which requires that a server provides a valid certificate (validated using the default CA repository) and that the hostname specified in the "tls_auth_name" field of the upstream dict matches that in the certificate. The authentication setting is only enforced when the transport list contains only GETDNS_TRANSPORT_TLS and in this case if authentication fails for all upstreams, queries will fail. If the transport list contains other clear text transports then opportunistic TLS will be performed which does not require authentication of the TLS connection. Examples of usage using the getdns_query tool can be found in the tests_transports.sh script in the test directory.

ChangeLog

* 2015-10-29: Version 0.5.0
  * Native crypto.  No ldns dependency anymore.
    (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_* 
    to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned
    DS answers close to the root.  Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification to be
    required for stub mode when using only TLS as a transport. 
    When required a hostname must be supplied in the
    'hostname' field of the upstream_list dict and the TLS cipher suites are
    restricted to the 4 AEAD suites recommended in RFC7525.