From willem at nlnetlabs.nl  Thu Dec 24 15:13:52 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 24 Dec 2015 16:13:52 +0100
Subject: [getdns-api] December 2015 release of API
Message-ID: <567C0BB0.4080507@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a new API December 2015 release which can be found here:
https://getdnsapi.net/spec/ .  This release removes the STARTTLS
transport, has the return_call_debugging renamed in
return_call_reporting and it's behaviour specified more precisely, and
has the absence of a parameter to specify the name of a TSIG key fixed.

For a comprehensive overview of all changes see:

https://github.com/getdnsapi/spec/compare/october-2015...release/december-2015
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWfAuwAAoJEOX4+CEvd6SYsoYP/RGGgLp+vvvUHTcsw8tQJDIw
qbKtmOWrNOFSJIK+IkzjAZDEYMvGbuChj2IXahvN59f6Rj8FRAs6/WaIwlQKjXRv
8r2MZoCkY2rg7+bDmWsKx4QqgxW9ZWCWiZqpUF4k7/iTn0+KqDF4oLBRPEIBZ6WJ
5rJsTm11+5wxmBWHC0gtb8eU7aPIPGSHasm7GNEwHXDJINANGwhot5ooBjc2f3Ox
gSETyviKv5gzjp7Py3HbQVzkIHQSjUahoJJUlDTp8RZNzJwfGF22nAwlwAitnL2P
ovmH3xzhj3VbUELEvDdLWoTTWXCS+753DpWviVBe6EG3qrSznhNaQGzx628cUg41
E0LXT90orLp5MVi3OlO3EAcRcQCxn63+AmsOvktGSouJXrG1vgq9vYIF4IQeCJcz
De29LTng9Cd07N0KetI433QEumvkDStVVzdmerAKVBBLWOS41RA9bHUUvr48gcKg
pWLf6qYpd3MRmsn347nipEUrpttkBw9/2Wgk1dJAyxyodJ6+B8lNENuks2gTFW/G
MAbMjvjzvETb39C4f/01VUpmWRgyG+iH7b09lHYuV8w63adxJDOsPKkupygUrpk1
LLab0ncG8n9rUZSOlzFZAR8/S2WtQ215kocEZEwfH7AzJT5cQrGFRQPCIUdhfnSE
myUKG7Jq70OCBBoxgBR/
=Yuoc
-----END PGP SIGNATURE-----


From willem at nlnetlabs.nl  Thu Dec 24 17:07:53 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 24 Dec 2015 18:07:53 +0100
Subject: [getdns-api] getdns 0.9.0 release candidate
Message-ID: <567C2669.1090005@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a candidate for the special Christmas and New Years eve
release, version 0.9.0rc1 of getdns.

This release brings the implementation on par with the December 2015
version of the specification and has (almost) all of the still
remaining functionality from the specification implemented. This
includes respecting the given dns root servers in recursive resolution
modus and TSIG authentication.

Other new features and noteworthy improvements are:

  - Functions to convert getdns_dicts representing resource records to
    and from wire- and zone file format. Also zone files can be read
    into a getdns_list of getdns_dicts representing the resource
    records in that zone file. These lists can then conventiently be
    used with (for example) getdns_context_set_dns_root_servers() and
    getdns_context_set_dnssec_trust_anchors().
  - TCP Fast Open support whenever available on the platform
    (including Mac-OS X (new)).
  - Client side edns-tcp-keepalice support
  - Pinning of upstream certificate's public keys with pinsets
    (with TLS transport)
  - Initial support for Windows

Besides these new functionalities, a few bugs have been fixed.
For a complete overview see the ChangeLog below.

Please review this candidate carefully. If no issues arise the actual
release will follow Thursday the 31th of December 2015.

Marry Christmas!


link: https://getdnsapi.net/dist/getdns-0.9.0rc1.tar.gz
md5 : b5525667b35a0a1b013abe5c49b2b2c1
sha1: 5fe50d706949da22d8c0635b4345ad1a98c4872e
pgp : https://getdnsapi.net/dist/getdns-0.9.0rc1.tar.gz.asc


ChangeLog
=========
  * Update of unofficial extension to the API that supports stub mode
    TLS verification. GETDNS_AUTHENTICATION_ is replaced by
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias).
    Upstreams can now be configured with either a hostname or a SPKI
    pinset for TLS authentication (or both). If the
    GETDNS_AUTHENTICATION_REQUIRED option is used at least one piece of
    authentication information must be configured for each upstream,
    and all the configured authentication
    information for an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support.  Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa.  Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the with the getdns_context_set_dns_root_servers() function
    provided root servers in recursing resolution modus.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
    dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.  Thanks Gowri Visweswaran
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWfCZpAAoJEOX4+CEvd6SYWNAP/2jqaFbyZ1safY6mi/H4NFOf
JrFR38URam5zWouvalATxmy/Pxw99A23uVaGamLIemUlB7ARUkLL0NYL+e7R8W7g
TUNIS6ndulVUdb4cgVtfi47wKO/eEicULMHyelFSpXdF6UrCFzUeuzW5wx2fSa8O
zdEdaU+fh0DRpP2j35WDnQ3s0HFkFszR6DGcKqiSTZHlMUWQV7EJpowmuo34CJQl
ih+cHu46qF46sSpXh+Eqc+Xl5ai09CvP7Q8WcgXTTwbNb3SBYZMU5hOKz/o9jseV
PekUFsx3/L4nlsCbRzbGZeTVC25z382I/I/yQOcPQdawY/fHJx3PVHbWt4P0/QlH
YsWTrmFj0q0aPn9zeHf8OnduEkgXJCJgSl/m+OAfSZhslBHRmKHncA529aiBC2KV
fLvBzNfdbxIyWTqDULAMUlprQxQHUYPDrMBs9KT0FS8KHQF4kHRIqWic6NVid5z/
j2Rx8wadIxajzvl8cqP/fJ5L6w9NYmLWt0iDFbosfnNfrF0V82nISeups9rJs9ip
2HDNlZhalOUgQGrvcagpZhSRyKSun8NRYaV8wndHClVWEvl4x8aDC2IBjzZUMlR+
LVjSLubnQF++/4ly4Kf1EDureQwabXtDu62qZO6TktRfy7dSyTjirAIbCEdLMJNV
T6+JGdTd6qcE9W8nZu+r
=Btc8
-----END PGP SIGNATURE-----


From willem at nlnetlabs.nl  Thu Dec 31 13:47:31 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 31 Dec 2015 14:47:31 +0100
Subject: [getdns-api] getdns 0.9.0 released
Message-ID: <568531F3.8020909@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a special New Year's Eve release, version 0.9.0 of getdns.

This release brings the implementation on par with the December 2015
version of the specification and has (almost) all of the still
remaining functionality from the specification implemented.
These include:

  * Respecting the given dns root servers in recursive resolution
    modus

    See this in action with getdns_query, for example with the root
    servers of the Yeti DNS Project (https://yeti-dns.org/):

        getdns_query -f yeti.key -R yeti.hints getdnsapi.net A \
                     +dnssec_return_status

    Where yeti.key came from:
    https://github.com/BII-Lab/Yeti-Project/raw/master/domain/KSK.pub
    and yeti.hints came from:
    https://github.com/BII-Lab/Yeti-Project/raw/master/domain/named.cache


  * TSIG authentication.

    Specification of upstreams with getdns_query has been extended
    to configure a TSIG name and secret.
    From the getdns_query help text:

    getdns_query [<option> ...] \
        [@<upstream> ...] [+<extension> ...] [<name>] [<type>]
    upstreams: @<ip>[%<scope_id>][@<port>][^<tsig spec>]
    tsig spec: [<algorithm>:]<name>:<secret in Base64>

    For example:

    getdns_query -s \
        @185.49.141.37^hmac-md5.tsigs.getdnsapi.net:16G69OTeXW6xSQ== \
        getdnsapi.net SOA

    You can check the query was TSIG authenticated by looking for
    the tsig_status key in the replies in the replies_tree.


  * Operation of suffixes and the "append_name" setting.

    Options have been added to getdns_query to try this out too.
    A list of suffixes to be tried can be given with the -Z option,
    so that this query:

        getdns_query -Z getdnsapi.net,com -A www.verisignlabs

    Will first try to get the addresses for
    www.verisignlabs.getdnsapi.net and will then try and return the
    successfull lookup of the addresses for www.verisignlabs.com.


  * The add_warning_for_bad_dns extension.

    For example, this query:

        getdns_query +add_warning_for_bad_dns \
                     _443._tcp.www.nlnetlabs.nl TXT

    will result in having the following "bad dns" list in the reply
    in the replies_tree:

        "bad_dns": [ GETDNS_BAD_DNS_CNAME_RETURNED_FOR_OTHER_TYPE
                   , GETDNS_BAD_DNS_ALL_NUMERIC_LABEL ]

Other new features and noteworthy improvements are:

  * Functions to convert getdns_dicts representing resource records
    to and from wire- and zone file format.
    Also zone files can be read into a getdns_list of getdns_dicts
    representing the resource records in that zone file. These lists
    can then conventiently be used with (for example)
    getdns_context_set_dns_root_servers() and
    getdns_context_set_dnssec_trust_anchors().

    There is brief doxygen documentation for the conversion
    functions here: https://getdnsapi.net/rr_dict2wire.

    Example usage can be found in the unit test package:
    https://getdnsapi.net/260-conversion-functions.c

    The output produced by this example program:
    https://getdnsapi.net/260-conversion-functions.good


  * TCP Fast Open support whenever available on the platform
    (including Mac-OS X (new)).

  * Client side edns-tcp-keepalive support

  * Pinning of upstream certificate's public keys with pinsets
    (with TLS transport)

    Configuration is done per-upstream, with an additional member of
    the upstream object, tls_pubkey_pinset. This is a list of dicts,
    each of which describes a public key pin, which looks like this:

        {
          "address_data": <bindata for 185.49.141.38>,
          "address_type": <bindata of "IPv4">,
          "tls_pubkey_pinset":
          [
            {
              "digest": <bindata of "sha256">,
              "value": <bindata of 0x17d099f483436ddfb6791428...>
            },
            {
              "digest": <bindata of "sha256">,
              "value": <bindata of 0x7e8c59467221f606695a797e...>
            }
          ]
        }

    There is a new argument for getdns_query, -K, to specify pins.
    All pins are applied to all upstreams. For example:

        getdns_query -s @185.49.141.38~getdnsapi.net -L -m \
    -K 'pin-sha256="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="'\

  * Initial support for Windows

Besides these new functionalities, a few bugs have been fixed.
For a complete overview see the ChangeLog below.

Happy New Year!


link: https://getdnsapi.net/dist/getdns-0.9.0.tar.gz
md5 : 155d9a8a98185740cdd0050f5b230cdd
sha1: 609886ce30d2654c10a1537a5101b8e4a5ff81d7
pgp : https://getdnsapi.net/dist/getdns-0.9.0.tar.gz.asc


* 2015-12-31: Version 0.9.0
  * Update of unofficial extension to the API that supports stub
    mode TLS verification. GETDNS_AUTHENTICATION_ is replaced by
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an
    alias).  Upstreams can now be configured with either a hostname
    or a SPKI pinset for TLS authentication (or both). If the
    GETDNS_AUTHENTICATION_REQUIRED option is used at least one piece
    of authentication information must be configured for each
    upstream, and all the configured authentication information for
    an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support.  Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa.  Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the with the getdns_context_set_dns_root_servers() function
    provided root servers in recursing resolution modus.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
    dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support + getdns_query syntax to specify TSIG parameters
    per upstream: @[^[:]:]
  * Bugfix: Allow truncated answers to be returned in case of missing
    fallback transport.
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.  Thanks Gowri Visweswaran
  * add_warning_for_bad_dns extension
  * Try and retry with suffixes giving with getdns_context_set_suffix()
    following directions given by getdns_context_set_append_name()
    getdns_query options to set suffixes and append_name directions:
    '-W' to append suffix always (default)
    '-1' to append suffix only to single label after failure
    '-M' to append suffix only to multi label name after failure
    '-N' to never append a suffix
    '-Z ' to set suffixes with the given comma separed list
  * Better help text for getdns_query (printed with the '-h' option)
  * Setting the +specify_class extension with getdns_query
  * Return NOT_IMPLEMENTED for not implemented namespaces, and the
    not implemented getdns_context_set_follow_redirects() function.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWhTHzAAoJEOX4+CEvd6SYAxcP/jHb+LH3JkyAaI+1uCCupj5A
RZI8+fXpxhRZiWy7NBLsoZI3S8wjrKmKya9cQGntZsSMQMkvGeioY8cE4/qGP7TP
J6blWCf9sO4PxRipDINq+UkAFJwwUtFesEpIBXKx6bdbcrciHq4DjL5wwrURX3Yd
iZzY9jGVgdwJoZmoGbWbUPkKKLb1AIV0QbfFfStGYDkP7Eyz+e1EmWsjpVpewA0z
xK+f1xEpqlzxUk9QXWHZWKrFQaPKKaskjeq0v3pVIv41MxJP7g4Sn7X2N8fAzsjJ
6TPL6oe+DKbgJdBRVva4btYnheXX8LedKuazZ48oEvb7mSndX85J2o7wmyPlpbc3
6v0jSUeSf5PVLyBKGrssQfHAoGjwDJgQP2l5goaekkNRGZK5RVl5Ll5NDfEvuJci
qe6wpHGG/zE/NGM/kmSaZcpLxm8mTHVkPt9a11afo+6LzT7PnygVwHuVw34c81SZ
j78YfB4bfcY6dYJQFSVwTDppRD06mCAMLcZt3hay6MIT/gBmzDD7OAq73gefB738
TSU8fRe/i8Ck1HaHpUv+cgbgyT9HqTFhu7xNN7fz3AUG6u290vnBO8T6QL/St81t
Ibsv3tjLQJsymc2W2ZYhAA/2awDVEoJgJ8G4C801Fq/gBc5WrJ8U1BKmD1Jz5K3E
RtKVApcYMicZj6rg1B3l
=re+F
-----END PGP SIGNATURE-----