From jad at sinodun.com Sun Nov 1 04:18:37 2015
From: jad at sinodun.com (John Dickinson)
Date: Sun, 01 Nov 2015 13:18:37 +0900
Subject: [getdns-api] call_debugging extension
Message-ID: <1C678789-D9D0-4947-BB4A-1E7EBFFDC80B@sinodun.com>

I have implemented the call_debugging extension. It raised a couple of issues with the API:

1. Added a tls_auth_status field to tell you if the server was authenticated
2. Added a transport field to tell you what transport was actually used
3. Removed start_time and end_time as these are defined as uint64_t's but the dict can only handle 32 bit ints.
4. Added run_time field to contain end_time - start_time as a uint32_t

entire_reply and dnssec_result have not yet been implemented.

regards
John

From jad at sinodun.com Sun Nov 1 04:22:38 2015
From: jad at sinodun.com (John Dickinson)
Date: Sun, 01 Nov 2015 13:22:38 +0900
Subject: [getdns-api] call_debugging extension
In-Reply-To: <1C678789-D9D0-4947-BB4A-1E7EBFFDC80B@sinodun.com>
References: <1C678789-D9D0-4947-BB4A-1E7EBFFDC80B@sinodun.com>
Message-ID: <9F1E533F-CA9A-4909-9585-33C038A49A01@sinodun.com>

Forgot to say that the code is currently in my fork at https://github.com/johndickinson/getdns/tree/feature/call_debug

On 1 Nov 2015, at 13:18, John Dickinson wrote:

> I have implemented the call_debugging extension. It raised a couple of
> issues with the API:
>
> 1. Added a tls_auth_status field to tell you if the server was
> authenticated
> 2. Added a transport field to tell you what transport was actually
> used
> 3. removed start_time and end_time as these are defined as
> uint64_t's but the dict can only handle 32 bit ints.
> 4. Added run_time field to contain end_time - start_time as a
> uint32_t
>
> entire_reply and dnssec_result have not yet been implemented.
>
> regards
> John

From willem at nlnetlabs.nl Wed Nov 11 13:55:46 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 11 Nov 2015 14:55:46 +0100
Subject: [getdns-api] Candidate for the IETF94 hackathon results release version 0.5.1 of getdns
Message-ID: <564348E2.2090809@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a candidate for the special IETF94 hackathon results release; version 0.5.1 of getdns. This release contains all contributions added during the hackathon held at the IETF94 in Yokohama. The included contributions are:

* EDNS(0) padding option

  With this option, the query size will be padded to be a multiple of a block size when queried over GETDNS_TRANSPORT_TLS transport, to eliminate guessing the query by analyzing query sizes. The block size can be set with the getdns_context_set_tls_query_padding_blocksize() function.

* An EDNS client subnet private option

  With this option, EDNS client subnet aware upstreams are asked not to reveal the originating network of the query.

* The return_call_debugging extension

  This extension was already in the API, but had not been implemented yet. It returns "meta" information about a query in the response dict (under the name "call_debugging"). On top of the returned information which was already described in the API spec, this version also returns information about the transport eventually used to perform the query, and (if applicable) whether authentication succeeded.

* A dnssec_roadblock_avoidance extension

  When set, the library will work in stub resolution mode and try to get an answer assessed by DNSSEC validation. On BOGUS answers the library will retry in recursive resolution mode. This is the simplest form of passive roadblock detection and avoidance. For a very extensive overview of the types of roadblock, see: draft-ietf-dnsop-dnssec-roadblock-avoidance.
  Use the --enable-draft-dnssec-roadblock-avoidance option to configure to compile with this extension.

Please review this candidate carefully. If no issues arise the actual release will follow Wednesday the 18th of November 2015.

link: https://getdnsapi.net/dist/getdns-0.5.1rc1.tar.gz
md5 : cf4fa710cb733b90ae7d512dbb31c7d1
sha1: f3ca92884a9b0b5cd401b57ad9c5fa1c1646e9b6
pgp : https://getdnsapi.net/dist/getdns-0.5.1rc1.tar.gz.asc

ChangeLog
=========
* Bugfix: growing upstreams array.
* Bugfix: Segfault on timeout in specific conditions
* Bugfix: install getdns_extra.h from build location
* Bugfix: Don't let cookies overwrite existing EDNS0 options
* Don't link libdl
* The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
  When using DNS over TLS, query sizes will be padded to multiples of a block size given with: getdns_context_set_tls_query_padding_blocksize()
* An EDNS client subnet private option, that will ask an EDNS client subnet aware resolver to not reveal any details about the originating network.
  See: draft-ietf-dnsop-edns-client-subnet
  Set with: getdns_context_set_edns_client_subnet_private()
* The return_call_debugging extension.
  The extension will also return the transport used on top of the information about the request which is described in the API spec.
* A dnssec_roadblock_avoidance extension.
  When set, the library will work in stub resolution mode and try to get an answer assessed by DNSSEC validation. On BOGUS answers the library will retry in recursive resolution mode. This is the simplest form of passive roadblock detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
  Use the --enable-draft-dnssec-roadblock-avoidance option to configure to compile with this extension.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWQ0jiAAoJEOX4+CEvd6SYCEwQAJzG1DSn4KO/BLfAqTDsVisQ
a3UDjHZ8doVMUQo8KW5MVgdYgPCSqFxWcb1UUGOf+tAXOeUV8ZTzumNZObLvXuNq
ywvH9Vrb74l2jRGuBI4p1suO3BVOby2Go8mKpfEJqJv/yZACZtnDRD+6nHxNhnHj
mXqRP7IdkTg8aKe6ogVWmchoQZvjdEUBU+e7F1P/dk7p5S0r7y4purcMyLo/VeVV
ifMODjZ2xTZvksUzAYrUSl339kg1/NcJO+s8rH8YCBkgPyZWApvTLGM2DVYk/d8F
1calTcthxOpCNxjLmP0nCPLGvdtnwHrnaKpM0G2u2XY6Qs6EX4KH1OJan381NWDt
80DdBZNyDXRs4JJbo1gKnBZx5MCmwIck/QBr0DAhzWIbHpLHSL7hNaK+DogTl+4M
GgdCT3RAXKN9Xm5vSiz+ihNHi4hqGwomVVMn19zLU02J6imBI9xKGDLgbEsxnIOK
5EIb26kR2YxjkD3Jtk21Vl1zNP/33INOAAodH3ylC8LOB183jVy81d3bKkJTUx6q
gXscoRwmN+mWtQs4SmliynmgZwzvhKK9A9iERpIsJzbgGMYWAlzsuZClQ0UjQXXw
o+RP5iMuqTbkN7WPyZiE8QhtIWh7/uLvyIeiKyWlQV1hs3uwNtRd8IquUGxNRfaU
TdtTkLppCS6UyRnjKY0B
=wqAU
-----END PGP SIGNATURE-----

From sara at sinodun.com Fri Nov 13 15:52:24 2015
From: sara at sinodun.com (Sara Dickinson)
Date: Fri, 13 Nov 2015 15:52:24 +0000
Subject: [getdns-api] call_debugging extension
Message-ID: <5DF25849-1BE4-49F4-B6DC-B0F757247187@sinodun.com>

> On 1 Nov 2015, at 04:18, John Dickinson wrote:
>
> I have implemented the call_debugging extension. It raised a couple of issues with the API:
>
> 1. Added a tls_auth_status field to tell you if the server was authenticated
> 2. Added a transport field to tell you what transport was actually used
> 3. removed start_time and end_time as these are defined as uint64_t's but the dict can only handle 32 bit ints.
> 4. Added run_time field to contain end_time - start_time as a uint32_t

Hi All,

As a follow up to this I wanted to clarify what changes are being proposed to the official API at this time:

1) Following the implementation in the hackathon there was consensus among the developers that this is very useful general information (not only for debugging purposes) and that a different name, e.g. "return_call_reporting", would be more appropriate.
2) The getdns dict cannot represent uint64_t values and therefore the start_time and end_time will be replaced by a single field called "run_time" which will be the 'end_time - start_time as a uint32_t'.

Suggested new text including these changes is below. We would like to agree these changes for the next release, so please voice any objections asap.

The "transport" and "tls_auth_status" fields mentioned above have been added to the getdns implementation as experimental fields at this point in time, but it would be useful to hear if there is support for adding them to the official API.

Regards

Sara.

3.6 Extensions Relating to the API

An application might want to see additional information for queries such as the length of time it takes for each query to return to the API. Use the return_call_reporting extension. The extension's value (an int) is set to GETDNS_EXTENSION_TRUE to add the name call_reporting (a list) to the top level of the response object. Each member of the list is a dict that represents one call made for the call to the API. Each member has the following names:

query_name (a bindata) is the name that was sent
query_type (an int) is the type that was queried for
query_to (a bindata) is the address to which the query was sent
run_time (a bindata) is the difference between the time the successful query started and ended in milliseconds since the epoch, represented as a uint32_t (this does not include time taken for connection set up or transport fallback)
entire_reply (a bindata) is the entire response received
dnssec_result (an int) is the DNSSEC status, or GETDNS_DNSSEC_NOT_PERFORMED if DNSSEC validation was not performed
From dkg at fifthhorseman.net Fri Nov 13 16:12:28 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 13 Nov 2015 11:12:28 -0500
Subject: [getdns-api] call_debugging extension
In-Reply-To: <5DF25849-1BE4-49F4-B6DC-B0F757247187@sinodun.com>
References: <5DF25849-1BE4-49F4-B6DC-B0F757247187@sinodun.com>
Message-ID: <87mvuhlvyr.fsf@alice.fifthhorseman.net>

Hi Sara--

this all sounds reasonable to me, except:

On Fri 2015-11-13 10:52:24 -0500, Sara Dickinson wrote:
> run_time (a bindata) is the difference between the time the successful
> query started and ended in milliseconds since the epoch, represented
> as a uint32_t (this does not include time taken for connection set up
> or transport fallback)

I think you can remove "since the epoch" here.

It seems possible that users might want to also measure transport fallback or connection setup, but we should be able to add that information to the dict in future revisions if we get requests for it.

--dkg

From sara at sinodun.com Fri Nov 13 16:14:45 2015
From: sara at sinodun.com (Sara Dickinson)
Date: Fri, 13 Nov 2015 16:14:45 +0000
Subject: [getdns-api] call_debugging extension
In-Reply-To: <87mvuhlvyr.fsf@alice.fifthhorseman.net>
References: <5DF25849-1BE4-49F4-B6DC-B0F757247187@sinodun.com> <87mvuhlvyr.fsf@alice.fifthhorseman.net>
Message-ID: <4EE05237-6235-4887-9FD2-B242699233BE@sinodun.com>

> On 13 Nov 2015, at 16:12, Daniel Kahn Gillmor wrote:
>
> Hi Sara--
>
> this all sounds reasonable to me, except:
>
> On Fri 2015-11-13 10:52:24 -0500, Sara Dickinson wrote:
>> run_time (a bindata) is the difference between the time the successful
>> query started and ended in milliseconds since the epoch, represented
>> as a uint32_t (this does not include time taken for connection set up
>> or transport fallback)
>
> I think you can remove "since the epoch" here.

Quite right, a hangover from the previous text... will remove.

Sara.
From willem at nlnetlabs.nl Wed Nov 18 23:41:00 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 19 Nov 2015 01:41:00 +0200
Subject: [getdns-api] getdns 0.5.1 released
Message-ID: <564D0C8C.9050406@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a special RIPE71 release, version 0.5.1 of getdns. This release contains all contributions added during the hackathon held at the IETF94 in Yokohama; carefully reviewed and polished. The included contributions are:

* EDNS(0) padding option

  With this option, the query size will be padded to be a multiple of a block size when queried over GETDNS_TRANSPORT_TLS transport, to eliminate guessing the query by analyzing query sizes. The block size can be set with the getdns_context_set_tls_query_padding_blocksize() function.

* An EDNS client subnet private option

  With this option, EDNS client subnet aware upstreams are asked not to reveal the originating network of the query.

* The return_call_debugging extension

  This extension was already in the API, but had not been implemented yet. It returns "meta" information about a query in the response dict (under the name "call_debugging"). On top of the returned information which was already described in the API spec, this version also returns information about the transport eventually used to perform the query, and (if applicable) whether authentication succeeded.

* A dnssec_roadblock_avoidance extension

  When set, the library will work in stub resolution mode and try to get an answer assessed by DNSSEC validation. On BOGUS answers the library will retry in recursive resolution mode. This is the simplest form of passive roadblock detection and avoidance. For a very extensive overview of the types of roadblock, see: draft-ietf-dnsop-dnssec-roadblock-avoidance. Use the --enable-draft-dnssec-roadblock-avoidance option to configure to compile with this extension.

Besides these additions, this release contains a few bugfixes too. For a complete overview see the ChangeLog.
link: https://getdnsapi.net/dist/getdns-0.5.1.tar.gz
md5 : 1be0a47ff0877d4cef19161a8b9f8daa
sha1: 9383e7f2f2cfbeaa60e46cd0d7b566b4e9b3db13
pgp : https://getdnsapi.net/dist/getdns-0.5.1.tar.gz.asc

ChangeLog
=========
* 2015-11-18: Version 0.5.1
* Bugfix: growing upstreams array.
* Bugfix: Segfault on timeout in specific conditions
* Bugfix: install getdns_extra.h from build location
* Bugfix: Don't let cookies overwrite existing EDNS0 options
* Don't link libdl
* The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
  When using DNS over TLS, query sizes will be padded to multiples of a block size given with: getdns_context_set_tls_query_padding_blocksize()
* An EDNS client subnet private option, that will ask an EDNS client subnet aware resolver to not reveal any details about the originating network.
  See: draft-ietf-dnsop-edns-client-subnet
  Set with: getdns_context_set_edns_client_subnet_private()
* The return_call_debugging extension.
  The extension will also return the transport used on top of the information about the request which is described in the API spec.
* A dnssec_roadblock_avoidance extension.
  When set, the library will work in stub resolution mode and try to get an answer assessed by DNSSEC validation. On BOGUS answers the library will retry in recursive resolution mode. This is the simplest form of passive roadblock detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
  Use the --enable-draft-dnssec-roadblock-avoidance option to configure to compile with this extension.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWTQyLAAoJEOX4+CEvd6SY61QQAICyt8vp4VQD8SK5Q1iAYd8M
eOUevS3ZXcwy0rocOnY6m9mznefxKJ1Mi975cpz7txn2sV9Shtv9fTzzLeZEkHqc
6/kp58S4vQUO7380BcS7+i/YLrw1cqQ90XdWzyYkyQOCEXWMgoj+NISzh/XdR2jJ
tAKH8+fcIf9to58hguKLn890XyO7Q4lDGLC8WpipweELVdcEa+sxlU2gbicQRPSA
L2LsHkwziYh0u85ErGcyhSgWdH0ebpclzNPQtB0icU7prkiJItU1IKInFCWd6op+
gUcxLGV0sVkRS5oNkBtwAMGiLIOkSiaO336C37w/0khI0yX2NnHaEyzuBXyzCU2V
1G0KtsbO4PykrGMZo89WUYkUP8zpretpt/amGGx/dZTToI+6NDsf2V8tSUstzeAa
jxvTPSORWQjXSH/97eyExHGObVHmwCkRw/lBjpk1wJLasw6oAIg55s9zF/MNCw0c
E4M1ydAMwZHE/TVPP4amVDRiCd45+GMK0DaLTtC5Ozq/MBCKMAJpES+pBCHan59/
bxOFuhY+YOnlbyoMt/aOhXLV0PHDe+K8SzKHbAg6EIuVRxnR9cOuqVO/HI+9+wcx
ShRUXGY++dzwwROeeHNLYHHWNCzuyGVyHWvOs5aQjCHrRb1rI61Yf2P4M+lqVsSY
EZlQHlMIqu/esmOFiQ/1
=ad5H
-----END PGP SIGNATURE-----
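The two privacy options announced for 0.5.1 above, the EDNS(0) padding option and the EDNS client subnet "private" option, are easiest to understand on the wire. What follows is an added illustration written for this archive; it is not code from getdns, nor from anyone on this thread, and it does not call the getdns API. It builds a DNS query in wire format with plain Python (struct only), carrying an OPT record with an ECS option whose SOURCE PREFIX-LENGTH is 0 (IANA option code 8, RFC 7871) and a Padding option (IANA option code 12, RFC 7830, the published form of draft-mayrhofer-edns0-padding) sized so the whole message is a multiple of a block size, which is the effect the announcement describes for getdns_context_set_tls_query_padding_blocksize(). The query names, the transaction ID, the 1232-octet UDP payload size and the 128-octet block size are arbitrary choices made for this example; how getdns lays out its own messages is not shown on this page.

```python
import struct

# EDNS(0) option codes from the IANA registry: Client Subnet (RFC 7871) and
# Padding (RFC 7830). RR type 41 is OPT. Everything else here is an
# assumption chosen for the example, not taken from getdns.
OPT_CODE_CLIENT_SUBNET = 8
OPT_CODE_PADDING = 12
RR_TYPE_OPT = 41
RR_CLASS_IN = 1
RR_TYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def client_subnet_private_option() -> bytes:
    """ECS option saying 'do not reveal my network': FAMILY=1 (IPv4),
    SOURCE PREFIX-LENGTH=0, SCOPE PREFIX-LENGTH=0 and no ADDRESS octets."""
    data = struct.pack("!HBB", 1, 0, 0)
    return struct.pack("!HH", OPT_CODE_CLIENT_SUBNET, len(data)) + data


def padding_option(length: int) -> bytes:
    """Padding option carrying `length` zero octets (a length of 0 is legal)."""
    return struct.pack("!HH", OPT_CODE_PADDING, length) + b"\x00" * length


def opt_rr(options: list, udp_payload_size: int = 1232) -> bytes:
    """OPT pseudo-RR: root NAME, TYPE=OPT, CLASS=UDP payload size,
    TTL=0 (extended RCODE 0, version 0, no flags), RDATA=concatenated options."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", RR_TYPE_OPT, udp_payload_size, 0, len(rdata)) + rdata


def build_query(qname: str, qtype: int = RR_TYPE_A, txid: int = 0x1234,
                block_size: int = 0, ecs_private: bool = True) -> bytes:
    """Build a query; when block_size > 0, pad the whole message to a multiple of it."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, RR_CLASS_IN)
    options = [client_subnet_private_option()] if ecs_private else []
    msg = header + question + opt_rr(options)
    if block_size > 0:
        # The padding option's own 4-octet header counts toward the final size,
        # so add it before working out how many zero octets reach the boundary.
        pad_len = (-(len(msg) + 4)) % block_size
        options.append(padding_option(pad_len))
        msg = header + question + opt_rr(options)
    return msg


def parse_edns_options(msg: bytes) -> list:
    """Return [(code, data), ...] from the OPT RR of a single-question query; raise if malformed."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    if (qdcount, ancount, nscount, arcount) != (1, 0, 0, 1):
        raise ValueError("expected exactly one question and one additional RR")
    pos = 12
    while True:                      # skip the (uncompressed) question name
        ll = msg[pos]
        pos += 1
        if ll == 0:
            break
        if ll >= 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        pos += ll
    pos += 4                         # QTYPE, QCLASS
    if msg[pos] != 0:
        raise ValueError("OPT RR must carry the root name")
    rtype, _udp, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    if rtype != RR_TYPE_OPT:
        raise ValueError("additional RR is not OPT")
    pos += 11
    end = pos + rdlen
    if end != len(msg):
        raise ValueError("trailing bytes after OPT RDATA")
    options = []
    while pos < end:
        code, olen = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        if pos + olen > end:
            raise ValueError("option overruns RDATA")
        options.append((code, msg[pos:pos + olen]))
        pos += olen
    return options


def padding_hides_length(qnames, block_size: int) -> bool:
    """True when every padded query for these names has the same wire length,
    i.e. the block size is large enough that the name no longer leaks via size."""
    return len({len(build_query(q, block_size=block_size)) for q in qnames}) == 1


if __name__ == "__main__":
    for name in ("a.example", "example.com", "a-rather-longer-host-name.example.org"):
        raw, padded = build_query(name), build_query(name, block_size=128)
        print("%-40s unpadded=%3d padded=%3d option codes=%s" % (
            name, len(raw), len(padded), [c for c, _ in parse_edns_options(padded)]))
```

Running the demo shows three names of quite different length all leaving as 128-octet messages once padded, while unpadded they are 46, 48 and 74 octets, which is exactly the size side channel the announcement's "guessing the query by analyzing query sizes" refers to. Over DNS-over-TLS the message is additionally prefixed by a two-octet length and wrapped in a TLS record, so padding the DNS message is what makes the TLS record sizes collapse to a few values. The block size is a policy choice: too small a block (try 32 here) still lets long names stand out, and the later RFC 8467 settled on 128 octets for queries. The ECS option with prefix length 0 is the other half of the story: under RFC 7871 it tells an ECS-aware resolver not to add the client's address information to its own upstream queries, without the client having to omit EDNS altogether.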