From willem at nlnetlabs.nl  Mon Mar  5 16:21:13 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 5 Mar 2018 17:21:13 +0100
Subject: [getdns-api] First release candidate for getdns-1.4.1
Message-ID: <33400f27-162c-01e2-bc0d-3a503172f2f2@nlnetlabs.nl>

Dear all,

We have a first release candidate for the upcoming 1.4.1 quick-fix
release of getdns.

This release has a fix for a DNSSEC validation failure for insecure
NODATA responses, which was introduced in getdns-1.2.1. Besides this
DNSSEC bugfix getdns can now also determine the DNSSEC validation status
of zones with missing SOA records. This sometimes occurs with sloppily
implemented CDNs.

Besides these DNSSEC fixes, this release also contains a few upstream
management improvements, mainly contributed by Robert Groenenberg:

  * Before, when a UDP query for a specific upstream failed, it was
    marked to back off for a certain number of queries. The number of
    queries to let pass before giving it another go increased
    exponentially on each successive failure. This exponential back off
    increase is now limited. The default maximum UDP back off value is
    1000. This means that when a UDP upstream is down, it will always
    at least retry once every 1000 queries.

  * When all UDP upstreams are failing (for example because the WiFi is
    temporarily down), the back off scheme described above will be
    abandoned, and all failing upstreams will be retried equally. This
    speeds up DNS availability reestablishment when upstreams become
    functional again (WiFi is up!).

  * For each individual query, every upstream will be tried only once.
    This resolves a nasty bug in which failing TCP upstreams are retried
    over and over again with the same failing query, because TCP
    upstreams lack the time based back off mechanisms that TLS upstreams
    have.

A few more issues are addressed with this release. For a complete
overview see the ChangeLog section below.

Please review this release candidate carefully. If all is well, the
actual release will follow Monday the 12th of March.

link  : https://getdnsapi.net/dist/getdns-1.4.1-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.1-rc1.tar.gz.asc
sha256: e1540d289ec82a752f0d4046d59c2445b76dcdc74a8653b90d7e530e6b2bec19

ChangeLog
=========
* 2018-03-??: Version 1.4.1
  * Bugfix #388: Prevent fallback to an earlier tried upstream within a
    single query. Thanks Robert Groenenberg
  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
    Thanks Rosen Penev
  * PR #386: UDP failover improvements:
    - When all UDP upstreams fail, retry them (more or less) equally
    - Limit maximum UDP backoff (default to 1000)
      This is configurable with the --with-max-udp-backoff configure
      option.
    Thanks Robert Groenenberg
  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
    Thanks Elmer Lastdrager
  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
    Thanks hanvinke
  * PR #384: Fix minor spelling and formatting. Thanks dkg.
  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From willem at nlnetlabs.nl  Mon Mar 12 12:36:07 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 12 Mar 2018 13:36:07 +0100
Subject: [getdns-api] getdns-1.4.1 released
Message-ID:

Dear all,

I am pleased to announce the new bugfix release, version 1.4.1 of
getdns.

This release has a fix for a DNSSEC validation failure for insecure
NODATA responses, which was introduced in getdns-1.2.1. Besides this
DNSSEC bugfix getdns can now also determine the DNSSEC validation status
of zones with missing SOA records. This sometimes occurs with sloppily
implemented CDNs.

Besides these DNSSEC fixes, this release also contains a few upstream
management improvements, mainly contributed by Robert Groenenberg:

  * Before, when a UDP query for a specific upstream failed, it was
    marked to back off for a certain number of queries. The number of
    queries to let pass before giving it another go increased
    exponentially on each successive failure. This exponential back off
    increase is now limited. The default maximum UDP back off value is
    1000. This means that when a UDP upstream is down, it will always
    at least retry once every 1000 queries.

  * When all UDP upstreams are failing (for example because the WiFi is
    temporarily down), the back off scheme described above will be
    abandoned, and all failing upstreams will be retried equally. This
    speeds up DNS availability reestablishment when upstreams become
    functional again (WiFi is up!).

  * For each individual query, every upstream will be tried only once.
    This resolves a nasty bug in which failing TCP upstreams are retried
    over and over again with the same failing query, because TCP
    upstreams lack the time based back off mechanisms that TLS upstreams
    have.

A few more issues are addressed with this release. For a complete
overview see the ChangeLog section below.

link  : https://getdnsapi.net/dist/getdns-1.4.1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.1.tar.gz.asc
sha256: 245233dc780f615b6ab1472f2b9cdcd957a451a736f3036717d0da466ab1c51e

ChangeLog
=========
* 2018-03-12: Version 1.4.1
  * Bugfix #388: Prevent fallback to an earlier tried upstream within a
    single query. Thanks Robert Groenenberg
  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
    Thanks Rosen Penev
  * PR #386: UDP failover improvements:
    - When all UDP upstreams fail, retry them (more or less) equally
    - Limit maximum UDP backoff (default to 1000)
      This is configurable with the --with-max-udp-backoff configure
      option.
    Thanks Robert Groenenberg
  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
    Thanks Elmer Lastdrager
  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
    Thanks hanvinke
  * PR #384: Fix minor spelling and formatting. Thanks dkg.
  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:
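
The UDP upstream handling described in the announcements above (capped exponential back off, equal retries when every upstream is failing, each upstream tried at most once per query), as a small C simulation. This is an added example and not getdns source code: the struct, the function names and the exact skip counting are assumptions made for illustration; only the maximum of 1000 is taken from the announcement.

```c
/* Added illustration, NOT getdns source; all names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define MAX_UDP_BACKOFF 1000 /* default maximum stated in the announcement */

struct upstream {
    int up;         /* constructed input: would a UDP query succeed? */
    int back_off;   /* 1 = healthy; doubles per failure up to the cap */
    int to_skip;    /* queries to let pass before the next retry */
    unsigned tries; /* queries actually sent to this upstream */
};

/* Send one query; returns the index of the answering upstream, or -1. */
int resolve(struct upstream *ups, size_t n)
{
    size_t i;
    int all_failing = 1;
    for (i = 0; i < n; i++)
        if (ups[i].back_off == 1) all_failing = 0;
    for (i = 0; i < n; i++) { /* one pass: each upstream at most once */
        struct upstream *u = &ups[i];
        if (!all_failing && u->to_skip > 0) {
            u->to_skip--; /* backing off: let this query pass */
            continue;
        }
        u->tries++;
        if (u->up) { u->back_off = 1; u->to_skip = 0; return (int)i; }
        u->back_off *= 2; /* exponential increase ... */
        if (u->back_off > MAX_UDP_BACKOFF) u->back_off = MAX_UDP_BACKOFF; /* ... limited */
        u->to_skip = u->back_off - 1;
    }
    return -1;
}

/* Send `queries` queries; returns how many were answered. */
int run(struct upstream *ups, size_t n, int queries)
{
    int answered = 0;
    while (queries-- > 0)
        if (resolve(ups, n) >= 0) answered++;
    return answered;
}

int main(void)
{
    struct upstream ups[2] = { {0, 1, 0, 0}, {1, 1, 0, 0} }; /* first is down */
    int answered = run(ups, 2, 10000);
    printf("answered=%d dead-upstream tries=%u\n", answered, ups[0].tries);
    return 0;
}
```

With one dead and one healthy upstream, the dead one is probed 18 times in 10000 queries: ten probes while the back off doubles, then one per 1000 queries once the cap is reached.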