[getdns-api] getdns-1.5.0 released

Willem Toorop willem at nlnetlabs.nl
Fri Dec 21 19:55:35 UTC 2018

Dear all,

I am pleased to announce the new Christmas 2018 bugfix and maintenance
release, version 1.5.0 of getdns.

Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.

For the DNS-over-TLS capability this means TLS1.3 support.

  - TLS1.3 cipher suites can now be configured, either at context level
    with the getdns_context_set_tls_ciphersuites() function, or at
    upstream level by specifying a tls_ciphersuites entry.

    For example:

      getdns_query -s -L '{ upstream_recursive_servers:
        [ { address_data    :
          , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'

    For TLS1.2 and earlier the (not new)
    getdns_context_set_tls_cipher_list() function, or tls_cipher_list
    entry at upstream level needs to be used, analogous to the
    SSL_CTX_set_ciphersuites() and SSL_CTX_set_cipher_list() functions
    in OpenSSL.

  - The minimum & maximum TLS version to be used per upstream can be
    specified now at context level with the
    getdns_context_set_tls_min_version() and the
    getdns_context_set_tls_max_version() functions, or at upstream level
    by specifying an tls_min_version or a tls_max_version.

    For example:

      getdns_query -s -L '{ upstream_recursive_servers:
        [ { address_data   :
          , tls_max_version: GETDNS_TLS1_2 } ] }'

    An example that requires TLS1.3 support at context level:

      getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' \
        @ @ +return_call_reporting

    Because does not yet support TLS1.3, this will result
    in queries to only, as can be seen under "call_reporting" in
    the response dict.


  - Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY
    algorithm support.

  - A new extension named dnssec, which requires that DNSSEC
    verification is performed. Answers with DNSSEC status INDETERMINATE
    will no longer return answers with this extension. Only INSECURE and
    SECURE answers will be returned. One benefit of this mode is that
    getdns will hard fail if it does not have, or cannot fetch a valid
    trust anchor and perform validation.

  - Automatic fetching of trust anchors à la Zero configuration DNSSEC,
    will now be retried after failure, after a certain amount of
    milliseconds that can be specified with

This release has a bit more specific error return codes, and in addition
logs much more messages using the logging system, in error conditions.
Further more, this release adds a few extra logging systems:

  - GETDNS_LOG_SYS_STUB      (0x2000) for logging about non upstream
                                      specific stub resolving

  - GETDNS_LOG_SYS_RECURSING (0x4000) for logging about recursive

  - GETDNS_LOG_SYS_ANCHOR    (0x8000) for logging about fetching trust
                                      anchors à la Zero conf DNSSEC

A few more issues are resolved with this release. For a complete
overview see the ChangeLog section below.

This release has the 0.2.4 release of Stubby included, with:

  - Updated stubby.yml.example that uses the dnssec extension to enable
    DNSSEC with explanation of its consequences.

  - A better stubby.service file, that will only start Stubby after the
    network came up.

Note that Stubby now has a dependency on getdns-1.5.0 because of the
dnssec extension

Merry Christmas & Happy New year from the getdns team!

link  : https://getdnsapi.net/dist/getdns-1.5.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.5.0.tar.gz.asc
sha256: 577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84
web   : https://getdnsapi.net/releases/getdns-1-5-0/

* 2018-12-21: Version 1.5.0
  * RFE getdnsapi/stubby#121 log re-instantiating TLS
    upstreams (because they reached tls_backoff_time) at
    log level 4 (WARNING)
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name
    without a type is given.
  * RFE #408: Fetching of trust anchors will be retried
    after failure, after a certain backoff time. The time
    can be configured with
  * RFE #408: A "dnssec" extension that requires DNSSEC
    verification.  When this extension is set, Indeterminate
    DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when
    trust anchor proves non-existance of one of the labels
    along the authentication chain other than the non-
    existance of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
    Configurable minimum and maximum TLS versions with
    getdns_context_set_tls_min_version() and
    getdns_context_set_tls_max_version() functions and
    tls_min_version and tls_max_version configuration parameters
    for upstreams.
  * Configurable TLS1.3 ciphersuites with the
    getdns_context_set_tls_ciphersuites() function and
    tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and
  * Bugfix finding signer for validating NSEC and NSEC3s, which
    caused trouble with the partly tracing DNSSEC from the root
    up, introduced in 1.4.2.  Thanks Philip Homburg

Stubby ChangeLog
* 2018-12-21: Version 0.2.4
 * DNSSEC required with dnssec extension in example config
 * Removed the yeti servers from stubby.yml.example
 * Added the Foundation RESTENA servers in stubby.yml.example
 * Bugfix: only start Stubby when network is up
   Thanks Bruno Pagani

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.getdnsapi.net/pipermail/spec/attachments/20181221/7578b6b3/attachment.bin>

More information about the spec mailing list