[getdns-users] getdns 0.9.0 released

Willem Toorop willem at nlnetlabs.nl
Thu Dec 31 13:46:26 UTC 2015



Dear All,

We have a special New Year's Eve release, version 0.9.0 of getdns.

This release brings the implementation on par with the December 2015
version of the specification and has (almost) all of the still
remaining functionality from the specification implemented.
These include:

  * Respecting the given DNS root servers in recursive resolution
    mode

    See this in action with getdns_query, for example with the root
    servers of the Yeti DNS Project (https://yeti-dns.org/):

        getdns_query -f yeti.key -R yeti.hints getdnsapi.net A \
                     +dnssec_return_status

    Where yeti.key came from:
    https://github.com/BII-Lab/Yeti-Project/raw/master/domain/KSK.pub
    and yeti.hints came from:
    https://github.com/BII-Lab/Yeti-Project/raw/master/domain/named.cache


  * TSIG authentication.

    Specification of upstreams with getdns_query has been extended
    to configure a TSIG name and secret.
    From the getdns_query help text:

    getdns_query [<option> ...] \
        [@<upstream> ...] [+<extension> ...] [<name>] [<type>]
    upstreams: @<ip>[%<scope_id>][@<port>][^<tsig spec>]
    tsig spec: [<algorithm>:]<name>:<secret in Base64>

    For example:

    getdns_query -s \
        @185.49.141.37^hmac-md5.tsigs.getdnsapi.net:16G69OTeXW6xSQ== \
        getdnsapi.net SOA

    You can check the query was TSIG authenticated by looking for
    the tsig_status key in the replies in the replies_tree.


  * Operation of suffixes and the "append_name" setting.

    Options have been added to getdns_query to try this out too.
    A list of suffixes to be tried can be given with the -Z option,
    so that this query:

        getdns_query -Z getdnsapi.net,com -A www.verisignlabs

    will first try to get the addresses for
    www.verisignlabs.getdnsapi.net and will then try, and return, the
    successful lookup of the addresses for www.verisignlabs.com.
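
    As an added illustration (not code from the getdns project), the
    order of names a lookup tries under each append_name mode that
    getdns_query exposes (-W, -1, -M, -N); that the unsuffixed name is
    tried last in the "always" mode, and that a name with a trailing
    dot is never suffixed, are assumptions of this example.

```python
# The four append_name modes selectable in getdns_query (-W, -1, -M, -N).
ALWAYS, SINGLE_LABEL_AFTER_FAILURE, MULTI_LABEL_AFTER_FAILURE, NEVER = range(4)


def candidate_names(name, suffixes, mode=ALWAYS):
    """Return the names to look up, in the order they would be tried.

    A lookup moves on to the next candidate only when the previous one
    failed, so the list is the worst-case sequence of queries.
    """
    if name.endswith("."):
        # Conventional resolver rule, assumed here: an absolute name is
        # never suffixed, whatever the mode.
        return [name]
    labels = name.split(".")
    suffixed = ["%s.%s" % (name, s.strip(".")) for s in suffixes]
    if mode == ALWAYS:
        # Suffixes are appended first (the www.verisignlabs example above);
        # falling back to the bare name last is an assumption of this example.
        return suffixed + [name]
    if mode == SINGLE_LABEL_AFTER_FAILURE and len(labels) == 1:
        return [name] + suffixed
    if mode == MULTI_LABEL_AFTER_FAILURE and len(labels) > 1:
        return [name] + suffixed
    # NEVER, or an after-failure mode whose label-count condition is not met
    return [name]


def resolve_with_suffixes(name, suffixes, lookup, mode=ALWAYS):
    """Drive lookup() (returns a result, or None on failure) over the candidates.

    Returns (candidate_that_succeeded, result), or (None, None) when every
    candidate failed.
    """
    for candidate in candidate_names(name, suffixes, mode):
        result = lookup(candidate)
        if result is not None:
            return candidate, result
    return None, None
```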


  * The add_warning_for_bad_dns extension.

    For example, this query:

        getdns_query +add_warning_for_bad_dns \
                     _443._tcp.www.nlnetlabs.nl TXT

    will result in having the following "bad dns" list in the reply
    in the replies_tree:

        "bad_dns": [ GETDNS_BAD_DNS_CNAME_RETURNED_FOR_OTHER_TYPE
                   , GETDNS_BAD_DNS_ALL_NUMERIC_LABEL ]

Other new features and noteworthy improvements are:

  * Functions to convert getdns_dicts representing resource records
    to and from wire- and zone file format.
    Also zone files can be read into a getdns_list of getdns_dicts
    representing the resource records in that zone file. These lists
    can then conveniently be used with (for example)
    getdns_context_set_dns_root_servers() and
    getdns_context_set_dnssec_trust_anchors().

    There is brief doxygen documentation for the conversion
    functions here: https://getdnsapi.net/rr_dict2wire.

    Example usage can be found in the unit test package:
    https://getdnsapi.net/260-conversion-functions.c

    The output produced by this example program:
    https://getdnsapi.net/260-conversion-functions.good


  * TCP Fast Open support whenever available on the platform
    (including Mac-OS X (new)).

  * Client side edns-tcp-keepalive support

  * Pinning of upstream certificate's public keys with pinsets
    (with TLS transport)

    Configuration is done per-upstream, with an additional member of
    the upstream object, tls_pubkey_pinset. This is a list of dicts,
    each of which describes a public key pin, which looks like this:

        {
          "address_data": <bindata for 185.49.141.38>,
          "address_type": <bindata of "IPv4">,
          "tls_pubkey_pinset":
          [
            {
              "digest": <bindata of "sha256">,
              "value": <bindata of 0x17d099f483436ddfb6791428...>
            },
            {
              "digest": <bindata of "sha256">,
              "value": <bindata of 0x7e8c59467221f606695a797e...>
            }
          ]
        }

    There is a new argument for getdns_query, -K, to specify pins.
    All pins are applied to all upstreams. For example:

        getdns_query -s @185.49.141.38~getdnsapi.net -L -m \
            -K 'pin-sha256="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="' \
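
    As an added example (not code from the getdns project), a parser
    that expands the getdns_query upstream shorthand from the TSIG and
    pinset sections above into the kind of upstream dict shown for the
    pinset, and that checks a -K pin decodes to a SHA-256 digest. The
    key names port, scope_id, tsig_name, tsig_algorithm, tsig_secret and
    tls_auth_name, the default TSIG algorithm, and the ~<tls_auth_name>
    suffix taken from the -K example are assumptions of this example.

```python
import base64
import ipaddress
import re

# Assumed default for an omitted [<algorithm>:] prefix (not stated above).
DEFAULT_TSIG_ALGORITHM = "hmac-md5.sig-alg.reg.int"


def parse_tsig_spec(spec):
    """Parse '[<algorithm>:]<name>:<secret in Base64>' into upstream keys."""
    parts = spec.split(":")
    if len(parts) == 2:
        algorithm, name, secret = DEFAULT_TSIG_ALGORITHM, parts[0], parts[1]
    elif len(parts) == 3:
        algorithm, name, secret = parts
    else:
        raise ValueError("tsig spec must be [<algorithm>:]<name>:<secret>")
    return {"tsig_algorithm": algorithm, "tsig_name": name,
            "tsig_secret": base64.b64decode(secret, validate=True)}


def parse_upstream(spec):
    """Expand '@<ip>[%<scope_id>][@<port>][~<tls_auth_name>][^<tsig spec>]'."""
    spec = spec.lstrip("@")
    # None of the four delimiters can occur inside an IP address, a domain
    # name or a Base64 secret, so the optional parts may come in any order.
    fields = re.split(r"([%@^~])", spec)
    address = ipaddress.ip_address(fields[0])
    upstream = {"address_type": "IPv4" if address.version == 4 else "IPv6",
                "address_data": address.packed}
    for delimiter, value in zip(fields[1::2], fields[2::2]):
        if delimiter == "%":
            upstream["scope_id"] = value
        elif delimiter == "@":
            upstream["port"] = int(value)
        elif delimiter == "~":
            upstream["tls_auth_name"] = value
        else:  # "^": TSIG name, secret and (optional) algorithm
            upstream.update(parse_tsig_spec(value))
    return upstream


def pinset_entry(pin):
    """Turn a -K argument 'pin-sha256="<Base64>"' into a tls_pubkey_pinset dict."""
    match = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/]+=*)"', pin)
    if not match:
        raise ValueError('expected pin-sha256="<Base64 of SHA-256(SPKI)>"')
    value = base64.b64decode(match.group(1), validate=True)
    if len(value) != 32:  # a pin that is not a SHA-256 digest can never match
        raise ValueError("SHA-256 digest must be 32 bytes, got %d" % len(value))
    return {"digest": "sha256", "value": value}
```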

  * Initial support for Windows

Besides these new functionalities, a few bugs have been fixed.
For a complete overview see the ChangeLog below.

Happy New Year!


link: https://getdnsapi.net/dist/getdns-0.9.0.tar.gz
md5 : 155d9a8a98185740cdd0050f5b230cdd
sha1: 609886ce30d2654c10a1537a5101b8e4a5ff81d7
pgp : https://getdnsapi.net/dist/getdns-0.9.0.tar.gz.asc


* 2015-12-31: Version 0.9.0
  * Update of unofficial extension to the API that supports stub
    mode TLS verification. GETDNS_AUTHENTICATION_ is replaced by
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an
    alias).  Upstreams can now be configured with either a hostname
    or a SPKI pinset for TLS authentication (or both). If the
    GETDNS_AUTHENTICATION_REQUIRED option is used at least one piece
    of authentication information must be configured for each
    upstream, and all the configured authentication information for
    an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support.  Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa.  Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the root servers provided with the
    getdns_context_set_dns_root_servers() function in recursive
    resolution mode.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s from being returned
    with dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support + getdns_query syntax to specify TSIG parameters
    per upstream: @<ip>[^[<algorithm>:]<name>:<secret>]
  * Bugfix: Allow truncated answers to be returned in case of missing
    fallback transport.
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.  Thanks Gowri Visweswaran
  * add_warning_for_bad_dns extension
  * Try and retry with suffixes given with getdns_context_set_suffix()
    following directions given by getdns_context_set_append_name()
    getdns_query options to set suffixes and append_name directions:
    '-W' to append suffix always (default)
    '-1' to append suffix only to single label after failure
    '-M' to append suffix only to multi label name after failure
    '-N' to never append a suffix
    '-Z <suffixes>' to set suffixes with the given comma separated list
  * Better help text for getdns_query (printed with the '-h' option)
  * Setting the +specify_class extension with getdns_query
  * Return NOT_IMPLEMENTED for not implemented namespaces, and the
    not implemented getdns_context_set_follow_redirects() function.