[getdns-users] getdns 0.3.0 released

Willem Toorop willem at nlnetlabs.nl
Fri Jul 17 17:02:33 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear All,

I am pleased to announce the special IETF93 edition release:
version 0.3.0 of our getdns API implementation.

Besides bugfixes and DNS parameter updates, this release follows the
July 2015 version of the API specification, which has a new function
to set a list of transports: getdns_context_set_dns_transport_list().

If only one transport value is specified, it will be the only
transport used. Should it not be available, basic resolution will
fail. Fallback transport options are specified by including multiple
values in the list. The values are GETDNS_TRANSPORT_UDP,
GETDNS_TRANSPORT_TCP, GETDNS_TRANSPORT_TLS, or
GETDNS_TRANSPORT_STARTTLS. The default is a list containing
GETDNS_TRANSPORT_UDP then GETDNS_TRANSPORT_TCP.

Connections for transport options TCP, TLS and STARTTLS will now
always be kept open and multiple queries will be pipelined over them.
We have a new API function, getdns_context_set_idle_timeout(), with
which you can specify how long a connection is kept open when there
are no pending queries. The default is 0 milliseconds.

Besides the transports list, this release has improved DNSSEC support.
Before, with stub resolution, libunbound was still used (in forwarding
mode) when one of the DNSSEC extensions was set. This release has
native stub DNSSEC validation on board, so all DNSSEC extensions can
now be combined with all features available with stub resolution mode,
such as the new transport options, cookies and fine grained control
over EDNS0 options.

In the process to realise native stub validation, both the
dnssec_return_validation_chain extension and the
getdns_validate_dnssec() function have been thoroughly improved.

Before the dnssec_return_validation_chain extension only returned the
chain of DS/DNSKEY's starting at the signers name of signatures. Now,
the extension will return support records needed to assess all DNSSEC
statuses. For example, it will also include the proof of non-existance
of a parent DS for INSECURE answers. But also for BOGUS answers, just
like with all DNSSEC statuses, everything needed to reassess that
DNSSEC status will be included.

The dnssec_return_validation_chain extension will now also try to
return a single RRSIG RR per RRset; The one that was used to validate
that RRset. This to maximally assist in reassessing the DNSSEC status
with the "validation_chain" as support records.

The latest improved behaviour can be viewed live on the "Do a query"
page of our website: https://getdnsapi.net/query.html

Complementary to this improvement, the getdns_validate_dnssec()
function can now also assess DNSSEC status for RRsets without
signatures and even empty replies when given such "validation_chain"
as the support_records. The function can now also validate complete
replies, taking into account everything that affects the validation
process, such as (but not limited to) NSEC3 opt-out evaluation and
handling of by DNAME synthesized CNAMEs.


link : https://getdnsapi.net/dist/getdns-0.3.0.tar.gz
md5 : 8f1e6b3bf6489d7e49fd1d18366a5ece
sha1 : 84e4a8c21ede346d8fcf3e73860679dd87c8e65f
pgp sig: https://getdnsapi.net/dist/getdns-0.3.0.tar.gz.asc


ChangeLog
=========
* 2015-07-17: Version 0.3.0
* Unit test for spurious execute bits. Thanks Paul Wouters.
* Added new transport list options in API. The option is now an
ordered list of GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP,
GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_STARTTLS.
* Added new context setting for idle_timeout
* CSYNC RR type
* EDNS0 COOKIE option code set to 10
* dnssec_return_validation_chain for negative and insecure responses.
* dnssec_return_validation_chain return a single RRSIG on each RRSET
(whenever possible)
* getdns_validate_dnssec() accept replies from the replies_tree
* getdns_validate_dnssec() asses negative and insecure responses.
* Native stub dnssec validation
* Implemented getdns_context_set_dnssec_trust_anchors()
* Switch freely between stub and recursive mode
* getdns_query -k shows default trust anchors
* functions and defines to get library and API versions in string and
numeric values: getdns_get_version(), getdns_get_version_number(),
getdns_get_api_version() and getdns_get_api_version_number()
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVqTUoAAoJEOX4+CEvd6SYVigP/2WVjz8lOnljeaJnlFbxh18Q
qHMFgRwGaDtbKqhv4m3nWR7EbRAkY2yFybs2QEpHi+jFqTRILfQX+0EGbNb+J3S+
b/14bHilWie5gy1+YGrCu2Pbu+UGJyusStCcNjWVrqnVQDRNjVrI1L47sqek1v+e
9Jknl3evzRQtbSUw4aBAPC1XHZqccPCdDwFUk5m/cz7dekYzbik/sHcFDXEyMYLU
zQSLBKKrTyyQU901EyuNcwz5nbspAXLAlyHy94ZjtXasb489clfHSkXa2Kpuo0o9
f2w1axcFvHmS5R+qh2nyXaRj0hQ7b5wegr6js7yupATMA0PewJVLZJzxtI7UEB2V
jQTI+boPdtl7Oux7ctF0ZZ1u0BrPYixA8rt2X7eadm6+vQN5r3DR7ArIfxwAALJE
XGqxST+TqQzOrWEMg2xGJ9Wp75FYqiSOYDyJmJqYXzolafB1NtbptGgS9Mjiqak7
PJy0yGx+wkvesNRuiXehIQY/JxELOHh+eXH1NsleGJQ2BpEBhGIVFsCtUA91mA+W
BtJ9gPCtpyQC0sIRTGauIUrO9GjoFRghEMcc+T6hlpdvSTifRvxVnx4J2jqQKL8O
QkA2kqijpkSeJL5yQro7Tdx4addCbXcyyEkHAccWUKOjlKDlllpy2fbYbFKACIl+
C6ZWqM4QxhKMnNZ1+3Z0
=VwWv
-----END PGP SIGNATURE-----



More information about the Users mailing list