From willem at nlnetlabs.nl Tue Oct 6 08:30:02 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 6 Oct 2015 10:30:02 +0200
Subject: [getdns-users] vBSDcon 2015 presentation video online
Message-ID: <5613868A.6010105@nlnetlabs.nl>

Hi All,

Half September, I gave a one-hour overview presentation of the getdns API implementation. It was very nice to have a slot this large. It gave me the opportunity to give a complete overview of what we've done (including surrounding research etc.) and where we stand (future plans). This is also the first time I've talked about and illustrated the - as of yet undocumented - feature of hooking getdns into your application's native event base (albeit a bit hasty).

Last week I noticed the nice vBSDcon people have put the video online. So if you're interested... here it is:

https://www.youtube.com/watch?v=73M7h56Dsas

-- Willem

PS. Sorry about me squinting so much... that happens sometimes when I'm a little tired...

From gwiley at verisign.com Tue Oct 6 08:32:39 2015
From: gwiley at verisign.com (Wiley, Glen)
Date: Tue, 6 Oct 2015 08:32:39 +0000
Subject: [getdns-users] vBSDcon 2015 presentation video online
In-Reply-To: <5613868A.6010105@nlnetlabs.nl>
References: <5613868A.6010105@nlnetlabs.nl>
Message-ID: <2109CD82-B8A3-4C19-B568-E41B2FF76FED@verisign.com>

It was an excellent talk Willem, thanks for being part of making vbsdcon such a great conference.

Sent from my iPhone

> On Oct 6, 2015, at 10:31, Willem Toorop wrote:
>
> Hi All,
>
> Half September, I gave a one-hour overview presentation of the getdns
> API implementation. It was very nice to have a slot this large. It
> gave me the opportunity to give a complete overview of what we've done
> (including surrounding research etc.) and where we stand (future plans).
> This is also the first time I've talked about and illustrated the - as
> of yet undocumented - feature of hooking getdns into your application's
> native event base (albeit a bit hasty).
>
> Last week I noticed the nice vBSDcon people have put the video online.
> So if you're interested... here it is:
> https://www.youtube.com/watch?v=73M7h56Dsas
>
>
> -- Willem
>
> PS. Sorry about me squinting so much... that happens sometimes when I'm
> a little tired...
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> http://getdnsapi.net/mailman/listinfo/users
>

From willem at nlnetlabs.nl Thu Oct 22 13:19:26 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 22 Oct 2015 15:19:26 +0200
Subject: [getdns-users] October 2015 release of API
Message-ID: <5628E25E.8000402@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a new API October 2015 release which can be found here: https://getdnsapi.net/spec/

This release adds JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_* to dereference nested dicts and lists, and the GETDNS_RETURN_NOT_IMPLEMENTED return code.

For a comprehensive overview of all changes see: https://github.com/getdnsapi/spec/compare/bb71616d...october-2015

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWKOJeAAoJEOX4+CEvd6SYeasP/RB9yZHTh5IEqAFcYFBUXhRI
WioIkrDG4XvU+2FNSWJTzOVywTyB9eIrrNdbMl/tegNvpbDyCSmZdxTZSmEpe9cL
9aWrllb30CJE++R9putSpfHcJ7jrrrpUb0LCwplwNaSla2Sx3i76nAGxWo6iqzw5
QWkL1Nd+1MYXBFI++7Ry/ndy+ZrquyJYuu09l2BRi3eGo35YmqZ/pVCyd6jMecPI
Z9Swgam2hEbLsikcPW2iBtfc295beEZvOsJWyAjDDfKzI0Rdcxp5EqbXG1rX2QcL
uH+8Uzoh1MbDwE5Rpypis24iPbSmHCDMzwiaZphWdC+l8Ee/pCTg8Y8BJOu+CJNq
jhLmenRJzjcYzkd96JVEss5wWYkJU/EaVhzN6EnAfSkKXvwH1m+VzhyxMgXUoH5D
mtYQ0XLXG6YfXY8w2pslnuN+7eBu2omWyn17xB2+cpgrJAGzGcCgNctbdI8dcI7a
FS2yLoFik6jEQf5qm9cpiaUDP5tmwOm5Kde670GQMAecsTZ1AiDy3g+A4/hLexpL
uBbhPq8mlSwDiOKatQO5/cF1LAvxrOfZ0yjp24FUeAcLl/G6LUwpnoPkUhO/q+9x
IYInqTOxYAiY0aTe8g0e+TG+xAacYTCWCor4ipzequ08h/M61Rb/PofOuLZkU5ic
l7+AEj+E2suqbHIhWIwV
=Kudc
-----END PGP SIGNATURE-----

From willem at nlnetlabs.nl Thu Oct 22 17:59:34 2015
From: willem at nlnetlabs.nl (Willem
Toorop)
Date: Thu, 22 Oct 2015 19:59:34 +0200
Subject: [getdns-users] getdns 0.5.0 release candidate
Message-ID: <56292406.10400@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a release candidate for version 0.5.0 of getdns.

This is mostly a new features release.

This release does all crypto operations using OpenSSL directly and no longer has a dependency on libldns. Note however that libldns is still used by the unit tests.

Following the October 2015 release of the API specification, this library release now allows access to deeply embedded data structure members in getdns_dicts by JSON Pointer (RFC 6901). This works for both the getter and setter functions.

DNS over TLS now uses the default IANA assigned port number for domain-s: 853.

This release includes an experimental implementation of upstream server hostname authentication for TLS connections in stub mode (note that the default behaviour has not changed compared to the 0.3 release). A new, non-standard function getdns_context_set_tls_authentication() can be used to set the authentication to GETDNS_AUTHENTICATION_ which requires that a server provides a valid certificate (validated using the default CA repository) and that the hostname specified in the "tls_auth_name" field of the upstream dict matches that in the certificate. The authentication setting is only enforced when the transport list contains only GETDNS_TRANSPORT_TLS, and in this case, if authentication fails for all upstreams, queries will fail. If the transport list contains other clear text transports then opportunistic TLS will be performed, which does not require authentication of the TLS connection. Examples of usage using the getdns_query tool can be found in the tests_transports.sh script in the test directory.

Please review this candidate carefully. If no issues arise the actual release will follow Thursday the 29th of October 2015.
link: https://getdnsapi.net/dist/getdns-0.5.0rc1.tar.gz
md5 : 725bcde3bfd344ecd9e680aa535b4771
sha1: fe76fd6cff4e118da91c592ff76e99d9da1f311e
pgp : https://getdnsapi.net/dist/getdns-0.5.0rc1.tar.gz.asc

ChangeLog
=========
* 2015-10-??: Version 0.5.0
  * Native crypto. No ldns dependency anymore. (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_* to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned DS answers close to the root. Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification to be required for stub mode when using only TLS as a transport. When required a hostname must be supplied in the 'hostname' field of the upstream_list dict and the TLS cipher suites are restricted to the 4 AEAD suites recommended in RFC7525.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWKSQGAAoJEOX4+CEvd6SYLrsQAKZeJxv6zaShKvcv2C6Dngjl
Psmwvo9COyqR4p+Y5DZxZLfzDs2ZtEAUv2CGSBlhejXIGzt9tYZB4FXcKf/DxWtH
5Xx1Pj6jJ4GU7LUBV0s3LI/36sRS6nHXMdAOhpwd9Go3ysOscOVO/P9VUFYveeIx
TUm61mfDR13xvHaoh0242PtElXQ+KltUzUVd5qm8ktXrceOA9tyZG33j7Nc/CetS
37eGM13SUjU9acLieayBgy8jPH7K+K4bPmUH2/t5qkiS0VoXOE8UkXmNIVVcWyAe
4V23fZRoij5bwGtnQRElVgEwm6BGLXR6c2I7sguMLZ6potK7o3a8MZS7Ds0gHyeA
udiFMm5cqoqRb0Veu3RBdroIW1qSftQ/czO32xP+It/kqUxqJLiy8zjbXQph+Q5j
mBqJcKZVh9JEuhH8uknuxv63QJEWszUiTDOvjUa6EoUAqW3wJkLkdULUU/GR43pe
szr9Kn7Xj0KKSpFJasWxc4fc1at5d6GmyrFE0jLDLdLO3Z4ChgSbqFw2ZxNLeHCh
XOUxnSuZyF+SDYe5hpZ+5HAjphuRXg9I7+2c/XmxanSl8u+O2CCfpJ35JMjRDnUj
g0QaDN6NlYWuKSAfFaTom3jAKmjGs0jssaFAUPFP7auzJEI34heNpoRzNJspopQp
+SaXhy/iJZ/PxEW6rQGj
=j3tI
-----END PGP SIGNATURE-----

From shollenbeck at verisign.com Thu Oct 29 12:47:31 2015
From: shollenbeck at verisign.com (Hollenbeck, Scott)
Date: Thu, 29 Oct 2015 12:47:31 +0000
Subject: [getdns-users] getdns 0.5.0 release candidate
In-Reply-To: <56292406.10400@nlnetlabs.nl>
References: <56292406.10400@nlnetlabs.nl> Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> > -----Original Message----- > From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem > Toorop > Sent: Thursday, October 22, 2015 2:00 PM > To: libgetdns users list > Subject: [getdns-users] getdns 0.5.0 release candidate > > Dear All, > > We have a release candidate for version 0.5.0 of getdns. > > This is mostly a new features release > > This release does all crypto operations using OpenSSL directly and has > no longer a dependency on libldns. Note however that libldns is still > used by the unit tests. > > Following the October 2015 release of the API specification, this > library release now allows to accesses deeply embeded datastructure > members in getdns_dicts by JSON Pointer RFC 6901. This works both for > both the getter and setter functions. > > DNS over TLS now uses the default IANA assigned port number for > domain-s: 853. > > This release includes an experimental implementation of upstream > server hostname authentication for TLS connections in stub mode (note > that the default behaviour has not changed compared to the 0.3 > release). A new, non-standard function > getdns_context_set_tls_authentication() can be used to set the > authentication to GETDNS_AUTHENTICATION_ which requires that a server > provides a valid certificate (validated using the default CA > repository) and that the hostname specified in the "tls_auth_name" > field of the upstream dict matches that in the certificate. The > authentication setting is only enforced when the transport list > contains only GETDNS_TRANSPORT_TLS and in this case if authentication > fails for all upstreams, queries will fail. If the transport list > contains other clear text transports then opportunistic TLS will be > performed which does not require authentication of the TLS connection. 
> Examples of usage using the getdns_query tool can be found in the > tests_transports.sh script in the test directory. Willem, I had some time to look at the release this morning to see what needs to be done with the PHP language bindings. I did a git pull and checked out the v0.5.0 branch. I see that a new constant (GETDNS_RETURN_NOT_IMPLEMENTED) has been added, but I don't see any changes to the getdns_dict_get_* and getdns_dict_set_* functions. I don't see getdns_context_set_tls_authentication(). What did I miss? Scott From gvisweswaran at verisign.com Thu Oct 29 13:02:00 2015 From: gvisweswaran at verisign.com (Visweswaran, Gowri) Date: Thu, 29 Oct 2015 13:02:00 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: The changes have been added to getdns_extra.h Scott. I did a compare of the files vs V030 To change the node bindings. Gowri On 10/29/15, 8:47 AM, "Hollenbeck, Scott" wrote: >> -----Original Message----- >> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem >> Toorop >> Sent: Thursday, October 22, 2015 2:00 PM >> To: libgetdns users list >> Subject: [getdns-users] getdns 0.5.0 release candidate >> >> Dear All, >> >> We have a release candidate for version 0.5.0 of getdns. >> >> This is mostly a new features release >> >> This release does all crypto operations using OpenSSL directly and has >> no longer a dependency on libldns. Note however that libldns is still >> used by the unit tests. >> >> Following the October 2015 release of the API specification, this >> library release now allows to accesses deeply embeded datastructure >> members in getdns_dicts by JSON Pointer RFC 6901. This works both for >> both the getter and setter functions. 
>> >> DNS over TLS now uses the default IANA assigned port number for >> domain-s: 853. >> >> This release includes an experimental implementation of upstream >> server hostname authentication for TLS connections in stub mode (note >> that the default behaviour has not changed compared to the 0.3 >> release). A new, non-standard function >> getdns_context_set_tls_authentication() can be used to set the >> authentication to GETDNS_AUTHENTICATION_ which requires that a server >> provides a valid certificate (validated using the default CA >> repository) and that the hostname specified in the "tls_auth_name" >> field of the upstream dict matches that in the certificate. The >> authentication setting is only enforced when the transport list >> contains only GETDNS_TRANSPORT_TLS and in this case if authentication >> fails for all upstreams, queries will fail. If the transport list >> contains other clear text transports then opportunistic TLS will be >> performed which does not require authentication of the TLS connection. >> Examples of usage using the getdns_query tool can be found in the >> tests_transports.sh script in the test directory. > >Willem, I had some time to look at the release this morning to see what >needs to be done with the PHP language bindings. I did a git pull and >checked out the v0.5.0 branch. I see that a new constant >(GETDNS_RETURN_NOT_IMPLEMENTED) has been added, but I don't see any >changes to the getdns_dict_get_* and getdns_dict_set_* functions. I don't >see getdns_context_set_tls_authentication(). What did I miss? 
> >Scott > >_______________________________________________ >Users mailing list >Users at getdnsapi.net >http://getdnsapi.net/mailman/listinfo/users From shollenbeck at verisign.com Thu Oct 29 13:07:10 2015 From: shollenbeck at verisign.com (Hollenbeck, Scott) Date: Thu, 29 Oct 2015 13:07:10 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> > -----Original Message----- > From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of > Visweswaran, Gowri > Sent: Thursday, October 29, 2015 9:02 AM > To: libgetdns users list > Subject: Re: [getdns-users] getdns 0.5.0 release candidate > > The changes have been added to getdns_extra.h Scott. I did a compare of > the files vs V030 > To change the node bindings. Well, then I definitely did something wrong when I re-built getdns from the v0.5.0 branch. This is what I see in getdns_extra.h: #define GETDNS_VERSION "0.3.3" #define GETDNS_NUMERIC_VERSION 0x00030300 #define GETDNS_API_VERSION "July 2015" #define GETDNS_API_NUMERIC_VERSION 0x07df0700 Scott From gvisweswaran at verisign.com Thu Oct 29 13:32:45 2015 From: gvisweswaran at verisign.com (Visweswaran, Gowri) Date: Thu, 29 Oct 2015 13:32:45 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: Oh ok, I did my build on the Mac. Default configure and I see a working getdns_extra.h with the tls methods. I used the git diff on the git website to isolate differences in getdns.h.in and getdns_extra.h.in. 
Gowri On 10/29/15, 9:07 AM, "Hollenbeck, Scott" wrote: >> -----Original Message----- >> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of >> Visweswaran, Gowri >> Sent: Thursday, October 29, 2015 9:02 AM >> To: libgetdns users list >> Subject: Re: [getdns-users] getdns 0.5.0 release candidate >> >> The changes have been added to getdns_extra.h Scott. I did a compare of >> the files vs V030 >> To change the node bindings. > >Well, then I definitely did something wrong when I re-built getdns from >the v0.5.0 branch. This is what I see in getdns_extra.h: > >#define GETDNS_VERSION "0.3.3" >#define GETDNS_NUMERIC_VERSION 0x00030300 >#define GETDNS_API_VERSION "July 2015" >#define GETDNS_API_NUMERIC_VERSION 0x07df0700 > >Scott > >_______________________________________________ >Users mailing list >Users at getdnsapi.net >http://getdnsapi.net/mailman/listinfo/users From gvisweswaran at verisign.com Thu Oct 29 13:33:03 2015 From: gvisweswaran at verisign.com (Visweswaran, Gowri) Date: Thu, 29 Oct 2015 13:33:03 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0 On 10/29/15, 9:32 AM, "Visweswaran, Gowri" wrote: >Oh ok, I did my build on the Mac. Default configure and I see a working >getdns_extra.h with the tls methods. >I used the git diff on the git website to isolate differences in >getdns.h.in and >getdns_extra.h.in. 
> >Gowri > >On 10/29/15, 9:07 AM, "Hollenbeck, Scott" >wrote: > >>> -----Original Message----- >>> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of >>> Visweswaran, Gowri >>> Sent: Thursday, October 29, 2015 9:02 AM >>> To: libgetdns users list >>> Subject: Re: [getdns-users] getdns 0.5.0 release candidate >>> >>> The changes have been added to getdns_extra.h Scott. I did a compare of >>> the files vs V030 >>> To change the node bindings. >> >>Well, then I definitely did something wrong when I re-built getdns from >>the v0.5.0 branch. This is what I see in getdns_extra.h: >> >>#define GETDNS_VERSION "0.3.3" >>#define GETDNS_NUMERIC_VERSION 0x00030300 >>#define GETDNS_API_VERSION "July 2015" >>#define GETDNS_API_NUMERIC_VERSION 0x07df0700 >> >>Scott >> >>_______________________________________________ >>Users mailing list >>Users at getdnsapi.net >>http://getdnsapi.net/mailman/listinfo/users > From shollenbeck at verisign.com Thu Oct 29 14:06:34 2015 From: shollenbeck at verisign.com (Hollenbeck, Scott) Date: Thu, 29 Oct 2015 14:06:34 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> > -----Original Message----- > From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of > Visweswaran, Gowri > Sent: Thursday, October 29, 2015 9:33 AM > To: libgetdns users list > Subject: Re: [getdns-users] getdns 0.5.0 release candidate > > https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0 Understood, but I'm still not sure of what broke when I rebuilt getdns. 
Here's what I did:

$ git pull
$ git checkout v0.5.0 (git status shows "On branch v0.5.0")
$ make clean
$ libtoolize -ci
$ autoreconf -fi
$ ./configure --enable-draft-edns-cookies --enable-tcp-fastopen
$ make
$ sudo make install

...and what I see in getdns_extra.h says GETDNS_VERSION "0.3.3".

Scott

From willem at nlnetlabs.nl Thu Oct 29 14:39:58 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 29 Oct 2015 15:39:58 +0100
Subject: [getdns-users] getdns 0.5.0 release candidate
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Message-ID: <56322FBE.8040104@nlnetlabs.nl>

On 29-10-15 at 15:06, Hollenbeck, Scott wrote:
>> -----Original Message-----
>> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of
>> Visweswaran, Gowri
>> Sent: Thursday, October 29, 2015 9:33 AM
>> To: libgetdns users list
>> Subject: Re: [getdns-users] getdns 0.5.0 release candidate
>>
>> https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0
>
> Understood, but I'm still not sure of what broke when I rebuilt getdns. Here's what I did:
>
> $ git pull
> $ git checkout v0.5.0 (git status shows "On branch v0.5.0")
> $ make clean
> $ libtoolize -ci
> $ autoreconf -fi
> $ ./configure --enable-draft-edns-cookies --enable-tcp-fastopen
> $ make
> $ sudo make install
>
> ...and what I see in getdns_extra.h says GETDNS_VERSION "0.3.3".

Hi Scott,

That is strange. What do you see if you do:

grep VERSION src/getdns/getdns_extra.h

I see:

#define GETDNS_VERSION "0.5.0rc1"
#define GETDNS_NUMERIC_VERSION 0x00040001
#define GETDNS_API_VERSION "October 2015"
#define GETDNS_API_NUMERIC_VERSION 0x07df0a00

Where are your include files installed?
I see this after make install: /usr/bin/install -c -m 644 getdns/getdns.h /usr/local/include/getdns/getdns.h /usr/bin/install -c -m 644 ./getdns/getdns_extra.h /usr/local/include/getdns/getdns_extra.h What do you see if you do grep VERSION /usr/local/include/getdns/getdns_extra.h I have the same as above. -- Willem > > Scott > > _______________________________________________ > Users mailing list > Users at getdnsapi.net > http://getdnsapi.net/mailman/listinfo/users > From shollenbeck at verisign.com Thu Oct 29 14:56:26 2015 From: shollenbeck at verisign.com (Hollenbeck, Scott) Date: Thu, 29 Oct 2015 14:56:26 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <56322FBE.8040104@nlnetlabs.nl> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <56322FBE.8040104@nlnetlabs.nl> Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A0CFD45@BRN1WNEXMBX01.vcorp.ad.vrsn.com> > -----Original Message----- > From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem > Toorop > Sent: Thursday, October 29, 2015 10:40 AM > To: users at getdnsapi.net > Subject: Re: [getdns-users] getdns 0.5.0 release candidate > > Op 29-10-15 om 15:06 schreef Hollenbeck, Scott: > >> -----Original Message----- > >> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of > >> Visweswaran, Gowri > >> Sent: Thursday, October 29, 2015 9:33 AM > >> To: libgetdns users list > >> Subject: Re: [getdns-users] getdns 0.5.0 release candidate > >> > >> https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0 > > > > Understood, but I'm still not sure of what broke when I rebuilt > getdns. 
Here's what I did: > > > > $ git pull > > $ git checkout v0.5.0 (git status shows "On branch v0.5.0") > > $ make clean > > $ libtoolize -ci > > $ autoreconf -fi > > $ ./configure --enable-draft-edns-cookies --enable-tcp-fastopen > > $ make > > $ sudo make install > > > > ...and what I see in getdns_extra.h says GETDNS_VERSION "0.3.3". > > Hi Scott, > > That is strange. What do you see if you do: > > grep VERSION src/getdns/getdns_extra.h > > I see: > > #define GETDNS_VERSION "0.5.0rc1" > #define GETDNS_NUMERIC_VERSION 0x00040001 > #define GETDNS_API_VERSION "October 2015" > #define GETDNS_API_NUMERIC_VERSION 0x07df0a00 Here's what I see: sah62 at sah-vb:~/projects/getdns$ grep VERSION src/getdns/getdns_extra.h #define GETDNS_VERSION "0.3.3" #define GETDNS_NUMERIC_VERSION 0x00030300 #define GETDNS_API_VERSION "July 2015" #define GETDNS_API_NUMERIC_VERSION 0x07df0700 sah62 at sah-vb:~/projects/getdns$ ls -l src/getdns/getdns_extra.h -rw-rw-r-- 1 sah62 sah62 13616 Oct 29 10:03 src/getdns/getdns_extra.h sah62 at sah-vb:~/projects/getdns$ > Where are your include files installed? 
I see this after make install: > > /usr/bin/install -c -m 644 getdns/getdns.h > /usr/local/include/getdns/getdns.h > /usr/bin/install -c -m 644 ./getdns/getdns_extra.h > /usr/local/include/getdns/getdns_extra.h > > What do you see if you do > > grep VERSION /usr/local/include/getdns/getdns_extra.h The include files are in /usr/local/include/getdns: sah62 at sah-vb:~/projects/getdns$ grep VERSION /usr/local/include/getdns/getdns_extra.h #define GETDNS_VERSION "0.3.3" #define GETDNS_NUMERIC_VERSION 0x00030300 #define GETDNS_API_VERSION "July 2015" #define GETDNS_API_NUMERIC_VERSION 0x07df0700 sah62 at sah-vb:~/projects/getdns$ git status On branch v0.5.0 nothing to commit, working directory clean sah62 at sah-vb:~/projects/getdns$ Scott From willem at nlnetlabs.nl Thu Oct 29 15:06:51 2015 From: willem at nlnetlabs.nl (Willem Toorop) Date: Thu, 29 Oct 2015 16:06:51 +0100 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: <5632360B.1010009@nlnetlabs.nl> Op 29-10-15 om 15:06 schreef Hollenbeck, Scott: >> -----Original Message----- >> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of >> Visweswaran, Gowri >> Sent: Thursday, October 29, 2015 9:33 AM >> To: libgetdns users list >> Subject: Re: [getdns-users] getdns 0.5.0 release candidate >> >> https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0 > > Understood, but I'm still not sure of what broke when I rebuilt getdns. Here's what I did: > > $ git pull > $ git checkout v0.5.0 (git status shows "On branch v0.5.0") Maybe those commands are done in the wrong order. How about doing "git checkout v0.5.0" first and then "git pull"? 
Then again "make megaclean; libtoolize -ci; autoreconf -fi" etc. If that doesn't work, then you might not have the correct remote/tracking branch. What does this command say with you?: git branch -vv |grep v0.5.0 With me is says: * v0.5.0 d691973 [origin/v0.5.0: ahead 1] Bumb versions for 0.5.0 release -- Willem > $ make clean > $ libtoolize -ci > $ autoreconf -fi > $ ./configure --enable-draft-edns-cookies --enable-tcp-fastopen > $ make > $ sudo make install > > ...and what I see in getdns_extra.h says GETDNS_VERSION "0.3.3". > > Scott > > _______________________________________________ > Users mailing list > Users at getdnsapi.net > http://getdnsapi.net/mailman/listinfo/users > From shollenbeck at verisign.com Thu Oct 29 15:38:20 2015 From: shollenbeck at verisign.com (Hollenbeck, Scott) Date: Thu, 29 Oct 2015 15:38:20 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <5632360B.1010009@nlnetlabs.nl> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5632360B.1010009@nlnetlabs.nl> Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A0CFE0C@BRN1WNEXMBX01.vcorp.ad.vrsn.com> > -----Original Message----- > From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem > Toorop > Sent: Thursday, October 29, 2015 11:07 AM > To: users at getdnsapi.net > Subject: Re: [getdns-users] getdns 0.5.0 release candidate > > Op 29-10-15 om 15:06 schreef Hollenbeck, Scott: > >> -----Original Message----- > >> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of > >> Visweswaran, Gowri > >> Sent: Thursday, October 29, 2015 9:33 AM > >> To: libgetdns users list > >> Subject: Re: [getdns-users] getdns 0.5.0 release candidate > >> > >> https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0 > > > > Understood, but I'm still not 
sure of what broke when I rebuilt > getdns. Here's what I did: > > > > $ git pull > > $ git checkout v0.5.0 (git status shows "On branch v0.5.0") > > > Maybe those commands are done in the wrong order. > How about doing "git checkout v0.5.0" first and then "git pull"? > > Then again "make megaclean; libtoolize -ci; autoreconf -fi" etc. > > If that doesn't work, then you might not have the correct > remote/tracking branch. What does this command say with you?: > > git branch -vv |grep v0.5.0 > > With me is says: > > * v0.5.0 d691973 [origin/v0.5.0: ahead 1] Bumb versions for 0.5.0 > release Well, this is interesting: sah62 at sah-vb:~/projects/getdns$ git branch -vv |grep v0.5.0 * v0.5.0 dbc53e7 0.3.3 quickfix release sah62 at sah-vb:~/projects/getdns$ Scott From willem at nlnetlabs.nl Thu Oct 29 15:58:57 2015 From: willem at nlnetlabs.nl (Willem Toorop) Date: Thu, 29 Oct 2015 16:58:57 +0100 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A0CFE0C@BRN1WNEXMBX01.vcorp.ad.vrsn.com> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5632360B.1010009@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CFE0C@BRN1WNEXMBX01.vcorp.ad.vrsn.com> Message-ID: <56324241.9010106@nlnetlabs.nl> Scott, I'm currently also keeping develop up-to-date (because of the forthcoming release). Perhaps it is easiest to checkout and pull from there for the moment. 
git checkout develop git pull Op 29-10-15 om 16:38 schreef Hollenbeck, Scott: >> -----Original Message----- >> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem >> Toorop >> Sent: Thursday, October 29, 2015 11:07 AM >> To: users at getdnsapi.net >> Subject: Re: [getdns-users] getdns 0.5.0 release candidate >> >> Op 29-10-15 om 15:06 schreef Hollenbeck, Scott: >>>> -----Original Message----- >>>> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of >>>> Visweswaran, Gowri >>>> Sent: Thursday, October 29, 2015 9:33 AM >>>> To: libgetdns users list >>>> Subject: Re: [getdns-users] getdns 0.5.0 release candidate >>>> >>>> https://github.com/getdnsapi/getdns/compare/v0.3.0...v0.5.0 >>> >>> Understood, but I'm still not sure of what broke when I rebuilt >> getdns. Here's what I did: >>> >>> $ git pull >>> $ git checkout v0.5.0 (git status shows "On branch v0.5.0") >> >> >> Maybe those commands are done in the wrong order. >> How about doing "git checkout v0.5.0" first and then "git pull"? >> >> Then again "make megaclean; libtoolize -ci; autoreconf -fi" etc. >> >> If that doesn't work, then you might not have the correct >> remote/tracking branch. 
What does this command say with you?: >> >> git branch -vv |grep v0.5.0 >> >> With me is says: >> >> * v0.5.0 d691973 [origin/v0.5.0: ahead 1] Bumb versions for 0.5.0 >> release > > Well, this is interesting: > > sah62 at sah-vb:~/projects/getdns$ git branch -vv |grep v0.5.0 > * v0.5.0 dbc53e7 0.3.3 quickfix release > sah62 at sah-vb:~/projects/getdns$ > > Scott > > _______________________________________________ > Users mailing list > Users at getdnsapi.net > http://getdnsapi.net/mailman/listinfo/users > From shollenbeck at verisign.com Thu Oct 29 16:43:55 2015 From: shollenbeck at verisign.com (Hollenbeck, Scott) Date: Thu, 29 Oct 2015 16:43:55 +0000 Subject: [getdns-users] getdns 0.5.0 release candidate In-Reply-To: <56324241.9010106@nlnetlabs.nl> References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5632360B.1010009@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CFE0C@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <56324241.9010106@nlnetlabs.nl> Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A0CFEB7@BRN1WNEXMBX01.vcorp.ad.vrsn.com> > -----Original Message----- > From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem > Toorop > Sent: Thursday, October 29, 2015 11:59 AM > To: users at getdnsapi.net > Subject: Re: [getdns-users] getdns 0.5.0 release candidate > > Scott, I'm currently also keeping develop up-to-date (because of the > forthcoming release). Perhaps it is easiest to checkout and pull from > there for the moment. > > git checkout develop > git pull That worked - thanks. 
Scott

From edmonds at debian.org Thu Oct 29 18:06:34 2015
From: edmonds at debian.org (Robert Edmonds)
Date: Thu, 29 Oct 2015 14:06:34 -0400
Subject: [getdns-users] getdns 0.5.0 release candidate
In-Reply-To: <5632360B.1010009@nlnetlabs.nl>
References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5632360B.1010009@nlnetlabs.nl>
Message-ID: <20151029180634.GA26064@mycre.ws>

Willem Toorop wrote:
> Maybe those commands are done in the wrong order.
> How about doing "git checkout v0.5.0" first and then "git pull"?

Yes -- "git pull" will do a "git fetch", but it will only merge into the current branch.

> Then again "make megaclean; libtoolize -ci; autoreconf -fi" etc.
>
> If that doesn't work, then you might not have the correct
> remote/tracking branch. What does this command say with you?:
>
> git branch -vv |grep v0.5.0
>
> With me it says:
>
> * v0.5.0 d691973 [origin/v0.5.0: ahead 1] Bumb versions for 0.5.0 release

"git reflog" will probably reveal exactly what went wrong.

However, I'm *really* confused by the branch naming scheme in the getdns repository. It looks like you create a branch named after the release version number (e.g. "v0.3.3"), but you also create a tag with the exact same name (e.g., "v0.3.3")?

That means your ref names are ambiguous, which is really bad, because different git tools use different rules when resolving an ambiguous ref name :-( See e.g. this post:

http://programmers.stackexchange.com/questions/230438/in-git-is-it-a-bad-idea-to-create-a-tag-with-the-same-name-as-a-deleted-branch

If you used separate branch and tag naming schemes (maybe "branches/v0.5.0" + "tags/v0.5.0", or "branches/v0.5" + "v0.5.0") it would make it impossible to do something like "git checkout v0.5.0" and get anything other than a release tag.
--
Robert Edmonds
edmonds at debian.org

From willem at nlnetlabs.nl Thu Oct 29 18:46:58 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 29 Oct 2015 19:46:58 +0100
Subject: [getdns-users] getdns 0.5.0 release candidate
In-Reply-To: <20151029180634.GA26064@mycre.ws>
References: <56292406.10400@nlnetlabs.nl> <831693C2CDA2E849A7D7A712B24E257F4A0CF8A2@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CF99D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F4A0CFC44@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5632360B.1010009@nlnetlabs.nl> <20151029180634.GA26064@mycre.ws>
Message-ID: <563269A2.6010306@nlnetlabs.nl>

Hmmm... yes I see this is confusing. I will rename the release branches into release/v0.3.0 etc.

Thanks,

-- Willem

On 29-10-15 at 19:06, Robert Edmonds wrote:
> Willem Toorop wrote:
>> Maybe those commands are done in the wrong order.
>> How about doing "git checkout v0.5.0" first and then "git pull"?
>
> Yes -- "git pull" will do a "git fetch", but it will only merge into the
> current branch.
>
>> Then again "make megaclean; libtoolize -ci; autoreconf -fi" etc.
>>
>> If that doesn't work, then you might not have the correct
>> remote/tracking branch. What does this command say with you?:
>>
>> git branch -vv |grep v0.5.0
>>
>> With me it says:
>>
>> * v0.5.0 d691973 [origin/v0.5.0: ahead 1] Bumb versions for 0.5.0 release
>
> "git reflog" will probably reveal exactly what went wrong.
>
> However, I'm *really* confused by the branch naming scheme in the getdns
> repository. It looks like you create a branch named after the release
> version number (e.g. "v0.3.3"), but you also create a tag with the exact
> same name (e.g., "v0.3.3")?
>
> That means your ref names are ambiguous, which is really bad, because
> different git tools use different rules when resolving an ambiguous ref
> name :-( See e.g.
> this post:
>
> http://programmers.stackexchange.com/questions/230438/in-git-is-it-a-bad-idea-to-create-a-tag-with-the-same-name-as-a-deleted-branch
>
> If you used separate branch and tag naming schemes (maybe
> "branches/v0.5.0" + "tags/v0.5.0", or "branches/v0.5" + "v0.5.0") it
> would make it impossible to do something like "git checkout v0.5.0" and
> get anything other than a release tag.

From willem at nlnetlabs.nl Thu Oct 29 19:29:22 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 29 Oct 2015 20:29:22 +0100
Subject: [getdns-users] getdns 0.5.0 release
Message-ID: <56327392.6060502@nlnetlabs.nl>

Dear All,

We have a new release version 0.5.0 of getdns. This is mostly a new features release.

This release does all crypto operations using OpenSSL directly and no longer has a dependency on libldns. Note however that libldns is still used by the unit tests.

Following the October 2015 release of the API specification, the library can now access deeply embedded data structure members in getdns_dicts by using JSON Pointers as the name to be accessed (RFC 6901). This works for the getter and setter functions (getdns_dict_get_* and getdns_dict_set_*).

DNS over TLS now uses the default IANA assigned port number for domain-s: 853.

This release includes an experimental implementation of upstream server hostname authentication for TLS connections in stub mode (note that the default behaviour has not changed compared to the 0.3 release). A new, non-standard function getdns_context_set_tls_authentication() can be used to set the authentication to GETDNS_AUTHENTICATION_ which requires that a server provides a valid certificate (validated using the default CA repository) and that the hostname specified in the "tls_auth_name" field of the upstream dict matches that in the certificate.
The authentication setting is only enforced when the transport list contains only GETDNS_TRANSPORT_TLS, and in this case, if authentication fails for all upstreams, queries will fail. If the transport list contains other clear text transports then opportunistic TLS will be performed, which does not require authentication of the TLS connection.

Examples of usage using the getdns_query tool can be found in the tests_transports.sh script in the test directory.

link: https://getdnsapi.net/dist/getdns-0.5.0.tar.gz
md5 : b0458582455c8e1be9de1a41ac4fa889
sha1: 67aafdd6566bd3c99b51524191a036710819c7cd
pgp : https://getdnsapi.net/dist/getdns-0.5.0.tar.gz.asc

ChangeLog
=========
* 2015-10-29: Version 0.5.0
  * Native crypto. No ldns dependency anymore. (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_* to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned DS answers close to the root. Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification to be required for stub mode when using only TLS as a transport. When required a hostname must be supplied in the 'hostname' field of the upstream_list dict and the TLS cipher suites are restricted to the 4 AEAD suites recommended in RFC7525.
From willem at nlnetlabs.nl Mon Oct 5 13:07:06 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 5 Oct 2015 15:07:06 +0200
Subject: [getdns-api] Getting from dicts by subscript operator
References: <55FBD5B9.1020706@nlnetlabs.nl> <67E636A7-12E7-467D-B14A-E04A8C1690BF@verisign.com> <20150923133725.3983027b@casual>
Message-ID: <561275FA.7040401@nlnetlabs.nl>

On 23-09-15 at 21:37, Joe Hildebrand (jhildebr) wrote:
> On 9/23/15, 7:37 AM, "Shane Kerr" wrote:
>> I think that the last one is "correct" JSON Pointer syntax if I
>> understand the RFC, but I confess that the one above it looks easier to
>> read to me. :)
>
> The last one. I know it's slightly strange to a C programmer, but to a JavaScript programmer, it's not *too* strange, where a['foo'] === a.foo. The advantage here is that in a getdns wrapper that is treating the results as JSON, you could use an existing json-pointer implementation. Also, you don't have to worry about specifying the BNF for the query syntax, thinking about the edge cases, and worrying about the security consequences quite as much.

Good point.
Since it has to become part of the spec, it is easier to reference an existing syntax (especially since it is standardized) than to describe a new one. I have come up with the following wording, to append to the first subsection of section 2 (so just before 2.1 starts):

When the name parameter to the getdns_dict_get_ functions starts with a '/' (%x2F) character, it is interpreted as a JSON Pointer as described in RFC6901, and will then be used to dereference the nested data structures to get to the requested data type.

And at the end of section 2.1:

When the name parameter to the getdns_dict_set_ functions starts with a '/' (%x2F) character, it is interpreted as a JSON Pointer as described in RFC6901, and will then be used to dereference the nested data structures to get to the requested data type.

Comments or better wordings are welcome.

I think the examples in the spec could also benefit from using JSON Pointer syntax. They are likely to become much shorter and therefore more readable and easier to digest. Take for example this alternative for the example in section 6.4 (I started with the shortest):

https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/synchronous-json-pointer.c

What do you think?
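An added example (not code from the getdns project or the spec) that models the proposed rule with Python dicts and lists in place of getdns_dict and getdns_list: a name that starts with '/' is resolved as an RFC 6901 JSON Pointer, with the escaping and list-index edge cases Joe refers to handled explicitly, and failures map to the getdns return codes a real call would give. The reply dict, its values and the exception classes are constructed for the example.

```python
# RFC 6901 JSON Pointer names on a getdns-style reply dict. Added example,
# not code from the getdns project or the API spec: plain Python dicts and
# lists stand in for getdns_dict/getdns_list, and each exception carries
# the getdns_return_t code a real getdns_dict_get_*/set_* call would return.
import re

_INDEX_RE = re.compile(r"^(0|[1-9][0-9]*)$")  # RFC 6901 index: no leading zeros

class GetdnsError(Exception):
    code = "GETDNS_RETURN_GENERIC_ERROR"

class NoSuchDictName(GetdnsError): code = "GETDNS_RETURN_NO_SUCH_DICT_NAME"
class NoSuchListItem(GetdnsError): code = "GETDNS_RETURN_NO_SUCH_LIST_ITEM"
class WrongType(GetdnsError): code = "GETDNS_RETURN_WRONG_TYPE_REQUESTED"
class InvalidParameter(GetdnsError): code = "GETDNS_RETURN_INVALID_PARAMETER"

def parse_pointer(pointer):
    """Split a pointer into unescaped reference tokens ('' is the whole doc).
    Escapes are undone in the order the RFC mandates, '~1' -> '/' first and
    then '~0' -> '~', so that '~01' yields '~1' rather than '/'."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise InvalidParameter("pointer must be empty or start with '/'")
    tokens = []
    for raw in pointer[1:].split("/"):
        if re.search(r"~(?![01])", raw):  # '~' must be followed by 0 or 1
            raise InvalidParameter("bad escape in token %r" % raw)
        tokens.append(raw.replace("~1", "/").replace("~0", "~"))
    return tokens

def _step(node, tok):
    """Descend one reference token into a dict or a list."""
    if isinstance(node, dict):
        if tok not in node:
            raise NoSuchDictName(tok)
        return node[tok]
    if isinstance(node, list):
        # '-' names the element past the end of the list; never readable.
        if tok == "-" or not _INDEX_RE.match(tok) or int(tok) >= len(node):
            raise NoSuchListItem(tok)
        return node[int(tok)]
    raise NoSuchDictName(tok)  # cannot descend into a scalar

def get_name(doc, name, want=None):
    """getdns_dict_get_* model: a pointer name walks nested data, any other
    name is a one-level key; 'want' mimics the typed getters (get_int, ...)."""
    if name.startswith("/"):
        node = doc
        for tok in parse_pointer(name):
            node = _step(node, tok)
    elif isinstance(doc, dict) and name in doc:
        node = doc[name]
    else:
        raise NoSuchDictName(name)
    if want is not None and not isinstance(node, want):
        raise WrongType(name)
    return node

def set_name(doc, name, value):
    """getdns_dict_set_* model: resolve the parent, then set the last token.
    On a list '-' appends and an existing index replaces; on a dict the key
    is created or overwritten."""
    if not name.startswith("/"):
        doc[name] = value
        return
    tokens = parse_pointer(name)
    if not tokens:
        raise InvalidParameter("cannot replace the whole dict")
    parent = doc
    for tok in tokens[:-1]:
        parent = _step(parent, tok)
    last = tokens[-1]
    if isinstance(parent, dict):
        parent[last] = value
    elif not isinstance(parent, list):
        raise NoSuchDictName(last)
    elif last == "-":
        parent.append(value)
    elif _INDEX_RE.match(last) and int(last) < len(parent):
        parent[int(last)] = value
    else:
        raise NoSuchListItem(last)

def try_get(doc, name, want=None):
    """C-style wrapper: returns (return code, value) instead of raising."""
    try:
        return "GETDNS_RETURN_GOOD", get_name(doc, name, want)
    except GetdnsError as err:
        return err.code, None

# Constructed, simplified stand-in for a getdns reply dict (a real reply
# carries bindata and many more fields); the odd keys exercise the escaping.
SAMPLE_REPLY = {
    "status": 900,
    "replies_tree": [{"answer": [{"name": "example.com.", "type": 1,
                                  "rdata": {"ipv4_address": "192.0.2.1"}}]}],
    "just_address_answers": [{"address_type": "IPv4", "address_data": "192.0.2.1"}],
    "odd/key": {"a~b": 7},
}
```

A name without a leading '/' is still a plain one-level key, so "odd/key" is reachable as a literal name as well as via the escaped pointer "/odd~1key".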
-- Willem

From willem at nlnetlabs.nl Mon Oct 5 13:15:11 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 5 Oct 2015 15:15:11 +0200
Subject: [getdns-api] Getting from dicts by subscript operator
In-Reply-To: <561275FA.7040401@nlnetlabs.nl>
References: <55FBD5B9.1020706@nlnetlabs.nl> <67E636A7-12E7-467D-B14A-E04A8C1690BF@verisign.com> <20150923133725.3983027b@casual> <561275FA.7040401@nlnetlabs.nl>
Message-ID: <561277DF.2020607@nlnetlabs.nl>

On 05-10-15 at 15:07, Willem Toorop wrote:
> On 23-09-15 at 21:37, Joe Hildebrand (jhildebr) wrote:
>> On 9/23/15, 7:37 AM, "Shane Kerr" wrote:
>>> I think that the last one is "correct" JSON Pointer syntax if I
>>> understand the RFC, but I confess that the one above it looks easier to
>>> read to me. :)
>>
>> The last one. I know it's slightly strange to a C programmer, but to a JavaScript programmer, it's not *too* strange, where a['foo'] === a.foo. The advantage here is that in a getdns wrapper that is treating the results as JSON, you could use an existing json-pointer implementation. Also, you don't have to worry about specifying the BNF for the query syntax, thinking about the edge cases, and worrying about the security consequences quite as much.
>
> Good point. Since it has to become part of the spec, it is easier to
> reference an existing syntax (especially since it is standardized) than
> to describe a new one. I have come up with the following wording, to
> append to the first subsection of section 2. (so just before 2.1. starts)
>
> When the name parameter to the getdns_dict_get_ functions starts with
> a '/' (%x2F) character, it is interpreted as a JSON Pointer as described
> in RFC6901, and will then be used to dereference the nested data
> structures to get to the requested data type.
>
>
> And at the end of section 2.1.
>
>
> When the name parameter to the getdns_dict_set_ functions starts with
> a '/' (%x2F) character, it is interpreted as a JSON Pointer as described
> in RFC6901, and will then be used to dereference the nested data
> structures to get to the requested data type.

Sorry, I copy-pasted but forgot to alter. So I propose this paragraph at that spot:

When the name parameter to the getdns_dict_set_ functions starts with a '/' (%x2F) character, it is interpreted as a JSON Pointer as described in RFC6901, and will then be used to dereference the nested data structures to set the given value at the specified name or list index.

>
>
> Comments or better wordings are welcome.
>
> I think the examples in the spec could also benefit from using JSON
> Pointer syntax. They are likely to become much shorter and therefore
> more readable and easier to digest. Take for example this alternative
> for the example in section 6.4 (I started with the shortest):
>
> https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/synchronous-json-pointer.c
>
> What do you think?
>
> -- Willem

From willem at nlnetlabs.nl Tue Oct 6 21:18:53 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 6 Oct 2015 23:18:53 +0200
Subject: [getdns-api] Getting from dicts by subscript operator
In-Reply-To: <561277DF.2020607@nlnetlabs.nl>
References: <55FBD5B9.1020706@nlnetlabs.nl> <67E636A7-12E7-467D-B14A-E04A8C1690BF@verisign.com> <20150923133725.3983027b@casual> <561275FA.7040401@nlnetlabs.nl> <561277DF.2020607@nlnetlabs.nl>
Message-ID: <56143ABD.5000706@nlnetlabs.nl>

Here are the other examples from the spec, rewritten to use json pointers, and extended to deal with and report all fail cases.

For section 6.1: Get Both IPv4 and IPv6 Addresses for a Domain Name Using Quick Results:
https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/simple-json-pointer.c

For section 6.2: Get IPv4 and IPv6 Addresses for a Domain Name:
https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/tree-json-pointer.c

For section 6.4: Using the API Synchronously:
https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/synchronous-json-pointer.c

For section 6.5: Getting Names from the Reverse Tree:
https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/reverse-json-pointer.c

-- Willem

On 05-10-15 at 15:15, Willem Toorop wrote:
> On 05-10-15 at 15:07, Willem Toorop wrote:
>> On 23-09-15 at 21:37, Joe Hildebrand (jhildebr) wrote:
>>> On 9/23/15, 7:37 AM, "Shane Kerr" wrote:
>>>> I think that the last one is "correct" JSON Pointer syntax if I
>>>> understand the RFC, but I confess that the one above it looks easier to
>>>> read to me. :)
>>>
>>> The last one. I know it's slightly strange to a C programmer, but to a JavaScript programmer, it's not *too* strange, where a['foo'] === a.foo.
>>> The advantage here is that in a getdns wrapper that is treating the results as JSON, you could use an existing json-pointer implementation. Also, you don't have to worry about specifying the BNF for the query syntax, thinking about the edge cases, and worrying about the security consequences quite as much.
>>
>> Good point. Since it has to become part of the spec, it is easier to
>> reference an existing syntax (especially since it is standardized) than
>> to describe a new one. I have come up with the following wording, to
>> append to the first subsection of section 2. (so just before 2.1. starts)
>>
>> When the name parameter to the getdns_dict_get_ functions starts with
>> a '/' (%x2F) character, it is interpreted as a JSON Pointer as described
>> in RFC6901, and will then be used to dereference the nested data
>> structures to get to the requested data type.
>>
>>
>> And at the end of section 2.1.
>>
>>
>> When the name parameter to the getdns_dict_set_ functions starts with
>> a '/' (%x2F) character, it is interpreted as a JSON Pointer as described
>> in RFC6901, and will then be used to dereference the nested data
>> structures to get to the requested data type.
>
>
> Sorry, I copy-pasted but forgot to alter. So I propose this paragraph
> at that spot:
>
> When the name parameter to the getdns_dict_set_ functions starts with
> a '/' (%x2F) character, it is interpreted as a JSON Pointer as described
> in RFC6901, and will then be used to dereference the nested data
> structures to set the given value at the specified name or list index.
>
>
>>
>>
>> Comments or better wordings are welcome.
>>
>> I think the examples in the spec could also benefit from using JSON
>> Pointer syntax. They are likely to become much shorter and therefore
>> more readable and easier to digest.
>> Take for example this alternative
>> for the example in section 6.4 (I started with the shortest):
>>
>> https://github.com/getdnsapi/getdns/blob/features/json-pointers/spec/example/synchronous-json-pointer.c
>>
>> What do you think?
>>
>> -- Willem

From willem at nlnetlabs.nl Wed Oct 7 15:26:12 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 7 Oct 2015 17:26:12 +0200
Subject: [getdns-api] Spec repo at https://github.com/getdnsapi/spec
Message-ID: <56153994.9010708@nlnetlabs.nl>

Hi All,

I hadn't told you yet, but at IETF93 in Prague, besides migrating the spec mailing-list, we have also migrated the specification repository from Paul's private svn repo to public github, here:

https://github.com/getdnsapi/spec

It contains all commits since we started editing it (7 November 2013). This is convenient, because now I can reference a specific development branch for you to review. For example, to compare the develop branch with the json-pointers branch, see:

https://github.com/getdnsapi/spec/compare/develop...json-pointers

The json-pointer examples I wanted you to review are now in the json-pointers branch of the spec repo only. The resulting document (including examples) can be viewed here:

https://getdnsapi.net/json-pointers/

-- Willem

From willem at nlnetlabs.nl Wed Oct 7 15:27:36 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 7 Oct 2015 17:27:36 +0200
Subject: [getdns-api] Removing "the_" prefixes
Message-ID: <561539E8.1050406@nlnetlabs.nl>

Would any of you mind if I would remove the "the_" prefixes in variable and parameter names in the spec?
-- Willem

From willem at nlnetlabs.nl Wed Oct 7 15:31:58 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 7 Oct 2015 17:31:58 +0200
Subject: [getdns-api] Correction: Removing "this_" prefixes
In-Reply-To: <561539E8.1050406@nlnetlabs.nl>
References: <561539E8.1050406@nlnetlabs.nl>
Message-ID: <56153AEE.4030408@nlnetlabs.nl>

Sorry, I meant the "this_" prefixes of course!

On 07-10-15 at 17:27, Willem Toorop wrote:
> Would any of you mind if I would remove the "the_" prefixes in variable
> and parameter names in the spec?
>
> -- Willem

From sara at sinodun.com Fri Oct 16 17:56:07 2015
From: sara at sinodun.com (sara)
Date: Fri, 16 Oct 2015 18:56:07 +0100
Subject: [getdns-api] Removing STARTTLS from the API
Message-ID: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com>

Hi All,

STARTTLS was removed as a mechanism for DNS privacy in the latest version of this draft: http://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-01

Therefore, if there are no objections, I would like to propose that STARTTLS is removed from the list of values that can be specified via the getdns_transport_list_t * transports list in the next version of the API spec.

Regards

Sara.
From shane at time-travellers.org Fri Oct 16 18:00:33 2015
From: shane at time-travellers.org (Shane Kerr)
Date: Fri, 16 Oct 2015 20:00:33 +0200
Subject: [getdns-api] Removing STARTTLS from the API
In-Reply-To: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com>
References: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com>
Message-ID: <20151016200033.404d5dc2@pallas.home.time-travellers.org>

Sara,

On Fri, 16 Oct 2015 18:56:07 +0100 sara wrote:
> STARTTLS was removed as a mechanism for DNS privacy in the latest
> version of this draft:
> http://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-01
>
>
> Therefore, if there are no objections, I would like to propose that
> STARTTLS is removed from the list of values that can be specified via
> the getdns_transport_list_t * transports list in the next version of
> the API spec.

Please do! The less (unneeded) functionality the better. :)

Cheers,

--
Shane

From asullivan at dyn.com Fri Oct 16 20:20:23 2015
From: asullivan at dyn.com (Andrew Sullivan)
Date: Fri, 16 Oct 2015 16:20:23 -0400
Subject: [getdns-api] Removing STARTTLS from the API
In-Reply-To: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com>
References: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com>
Message-ID: <4C39FA49-A5FB-4CE3-9ECA-D1173AE3979D@dyn.com>

It seems a little premature to assume that's permanent. Rather than changing now, could we wait until the wg decides for good? (I think this is how it'll go, but why hurry?)

--
Andrew Sullivan
Please excuse my clumbsy thums.

> On Oct 16, 2015, at 13:56, sara wrote:
>
> Hi All,
>
> STARTTLS was removed as a mechanism for DNS privacy in the latest version of this draft: http://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-01
>
> Therefore, if there are no objections, I would like to propose that STARTTLS is removed from the list of values that can be specified via the
> getdns_transport_list_t * transports
> list in the next version of the API spec.
>
> Regards
>
> Sara.
From shane at time-travellers.org Mon Oct 19 11:38:48 2015
From: shane at time-travellers.org (Shane Kerr)
Date: Mon, 19 Oct 2015 12:38:48 +0100
Subject: [getdns-api] Removing STARTTLS from the API
In-Reply-To: <4C39FA49-A5FB-4CE3-9ECA-D1173AE3979D@dyn.com>
References: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com> <4C39FA49-A5FB-4CE3-9ECA-D1173AE3979D@dyn.com>
Message-ID: <20151019123848.1bf00aa8@pallas.home.time-travellers.org>

Andrew,

In one sense you are correct, but the longer functionality is around the harder it is to get rid of.

Perhaps it should be marked as "scheduled for removal" now in the documentation and via comments in the code, and the actual removal deferred until the magical day in the distant future when drafts become RFCs?

Cheers,

--
Shane

On Fri, 16 Oct 2015 16:20:23 -0400 Andrew Sullivan wrote:
> It seems a little premature to assume that's permanent. Rather than
> changing now, could we wait until the wg decides for good? (I think
> this is how it'll go, but why hurry?)
>
> --
> Andrew Sullivan
> Please excuse my clumbsy thums.
>
> > On Oct 16, 2015, at 13:56, sara wrote:
> >
> > Hi All,
> >
> > STARTTLS was removed as a mechanism for DNS privacy in the latest
> > version of this draft:
> > http://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-01
> >
> > Therefore, if there are no objections, I would like to propose that
> > STARTTLS is removed from the list of values that can be specified
> > via the getdns_transport_list_t * transports list in the next
> > version of the API spec.
> >
> > Regards
> >
> > Sara.
From sara at sinodun.com Mon Oct 19 13:45:14 2015
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 19 Oct 2015 14:45:14 +0100
Subject: [getdns-api] Removing STARTTLS from the API
In-Reply-To: <20151019123848.1bf00aa8@pallas.home.time-travellers.org>
References: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com> <4C39FA49-A5FB-4CE3-9ECA-D1173AE3979D@dyn.com> <20151019123848.1bf00aa8@pallas.home.time-travellers.org>

Hi,

I made an argument to the core development team that the STARTTLS functionality adds some complexity to the code. I didn't feel the effort to maintain and test it moving forward (as various authentication mechanisms are added, code is re-factored, etc.) was warranted given the consensus in the WG to remove the mechanism from the draft. This was accepted, but if there are strong feelings that this shouldn't be done now please speak to that.

On the separate question of updating the Official API, of course it could be handled as Shane suggests. But I felt that now the mechanism is no longer described in an active IETF draft it seemed a reasonable time to ask the question.

Regards

Sara.

> On 19 Oct 2015, at 12:38, Shane Kerr wrote:
>
> Andrew,
>
> In one sense you are correct, but the longer functionality is around the
> harder it is to get rid of.
>
> Perhaps it should be marked as "scheduled for removal" now in the
> documentation and via comments in the code, and the actual removal
> deferred until the magical day in the distant future when drafts become
> RFCs?
>
> Cheers,
>
> --
> Shane
>
> On Fri, 16 Oct 2015 16:20:23 -0400
> Andrew Sullivan wrote:
>
>> It seems a little premature to assume that's permanent. Rather than
>> changing now, could we wait until the wg decides for good? (I think
>> this is how it'll go, but why hurry?)
>>
>> --
>> Andrew Sullivan
>> Please excuse my clumbsy thums.
>>
>>> On Oct 16, 2015, at 13:56, sara wrote:
>>>
>>> Hi All,
>>>
>>> STARTTLS was removed as a mechanism for DNS privacy in the latest
>>> version of this draft:
>>> http://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-01
>>>
>>> Therefore, if there are no objections, I would like to propose that
>>> STARTTLS is removed from the list of values that can be specified
>>> via the getdns_transport_list_t * transports list in the next
>>> version of the API spec.
>>>
>>> Regards
>>>
>>> Sara.

From asullivan at dyn.com Mon Oct 19 14:05:20 2015
From: asullivan at dyn.com (Andrew Sullivan)
Date: Mon, 19 Oct 2015 10:05:20 -0400
Subject: [getdns-api] Removing STARTTLS from the API
In-Reply-To: <20151019123848.1bf00aa8@pallas.home.time-travellers.org>
References: <3D4F16EB-FB2A-4A7A-BC25-FDD61D35ED15@sinodun.com> <4C39FA49-A5FB-4CE3-9ECA-D1173AE3979D@dyn.com> <20151019123848.1bf00aa8@pallas.home.time-travellers.org>
Message-ID: <20151019140518.GA14027@dyn.com>

On Mon, Oct 19, 2015 at 12:38:48PM +0100, Shane Kerr wrote:
> Perhaps it should be marked as "scheduled for removal" now in the
> documentation and via comments in the code, and the actual removal
> deferred until the magical day in the distant future when drafts become
> RFCs?

No objection to that.

A

--
Andrew Sullivan
Dyn
asullivan at dyn.com

From willem at nlnetlabs.nl Thu Oct 22 13:19:23 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 22 Oct 2015 15:19:23 +0200
Subject: [getdns-api] October 2015 release of API
Message-ID: <5628E25B.1050008@nlnetlabs.nl>

Dear All,

We have a new API October 2015 release which can be found here: https://getdnsapi.net/spec/ .
This release adds JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_* to dereference nested dicts and lists, and the GETDNS_RETURN_NOT_IMPLEMENTED return code.

For a comprehensive overview of all changes see: https://github.com/getdnsapi/spec/compare/bb71616d...october-2015

From willem at nlnetlabs.nl Thu Oct 22 17:59:31 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 22 Oct 2015 19:59:31 +0200
Subject: [getdns-api] getdns 0.5.0 release candidate
Message-ID: <56292403.7050005@nlnetlabs.nl>

Dear All,

We have a release candidate for version 0.5.0 of getdns. This is mostly a new features release.

This release does all crypto operations using OpenSSL directly and no longer has a dependency on libldns. Note however that libldns is still used by the unit tests.

Following the October 2015 release of the API specification, this library release now allows access to deeply embedded data structure members in getdns_dicts by JSON Pointer (RFC 6901). This works for both the getter and setter functions.

DNS over TLS now uses the default IANA assigned port number for domain-s: 853.
This release includes an experimental implementation of upstream server
hostname authentication for TLS connections in stub mode (note that the
default behaviour has not changed compared to the 0.3 release). A new,
non-standard function getdns_context_set_tls_authentication() can be
used to set the authentication to GETDNS_AUTHENTICATION_ which requires
that a server provides a valid certificate (validated using the default
CA repository) and that the hostname specified in the "tls_auth_name"
field of the upstream dict matches that in the certificate. The
authentication setting is only enforced when the transport list contains
only GETDNS_TRANSPORT_TLS and in this case if authentication fails for
all upstreams, queries will fail. If the transport list contains other
clear text transports then opportunistic TLS will be performed which
does not require authentication of the TLS connection. Examples of usage
using the getdns_query tool can be found in the tests_transports.sh
script in the test directory.

Please review this candidate carefully. If no issues arise the actual
release will follow Thursday the 29th of October 2015.

link: https://getdnsapi.net/dist/getdns-0.5.0rc1.tar.gz
md5 : 725bcde3bfd344ecd9e680aa535b4771
sha1: fe76fd6cff4e118da91c592ff76e99d9da1f311e
pgp : https://getdnsapi.net/dist/getdns-0.5.0rc1.tar.gz.asc

ChangeLog
=========
* 2015-10-??: Version 0.5.0
  * Native crypto. No ldns dependency anymore.
    (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_*
    to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing
    unsigned DS answers close to the root. Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification
    to be required for stub mode when using only TLS as a transport.
    When required a hostname must be supplied in the 'hostname' field
    of the upstream_list dict and the TLS cipher suites are restricted
    to the 4 AEAD suites recommended in RFC7525.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWKSQCAAoJEOX4+CEvd6SYq98P/34BXNi5+3DXe90GCskg6nCu
bNaVwIg8J/VnevHZtM83+hhp837TI+F/TaAZz6vfYYXRBJ6tsU6J5q201J/DkgYm
Y3nPYRgHLRQ9lSNJ9+3qQvLZvMN0uyosDBkCCw7eoLYdQH22PrUUwDiyi8DxG5r3
MneVw00N4qS66FAF+fyA/wtH3zGqBImMhP4ENaGx4RCwH/UMUeSGcJEEIul+xrxT
3TpmLu1bS0JQyaJXXvEPe0q0kEU7CbTyDbyUvre/hwQdQw1lmF2IdGyZMdf7oLx7
7IGpCLwhLl8NumeF7Nr5MZ2uPiqVU9qMYIIFx5aUFsdRu0vlnE9vB4hsPNi/LE1c
vwVOcRsjoMUuZLRc07f75VXnbMNfgwCLWCn4nYaMv62CwGE5Ft+Ioo5X0+hAkYzI
V57D9ulo9ZwRoPLKXz/BI7SP1Z43e/gcbP1HzIiQ7iZXr5fTcbEqTsYvlwxOYawM
J3YOiUUtbs0uh5s1u1pAnuiheFy6mpDhVKjuLpcww/fddASVM5ovvjn7FMByxXWE
XmIKJnUvyG0YGn9bOnISKfeCjEopTvu0CvR3anMNWVkJF+8KfeLMyUDZPsaXNEqg
Jtw6n2J8dKA8f+B0USllkka5yT8HaGiEkYmKr+D1WnpVAdBc5W6tSSF5JK+VqIcz
6SI0wu1kmsOtat8gLQ09
=1u7/
-----END PGP SIGNATURE-----

From willem at nlnetlabs.nl Thu Oct 29 19:29:28 2015
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 29 Oct 2015 20:29:28 +0100
Subject: [getdns-api] getdns 0.5.0 release
Message-ID: <56327398.4030105@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear All,

We have a new release version 0.5.0 of getdns.
This is mostly a new features release.

This release does all crypto operations using OpenSSL directly and
no longer has a dependency on libldns. Note however that libldns is
still used by the unit tests.

Following the October 2015 release of the API specification, the
library can now access deeply embedded data structure members in
getdns_dicts by using JSON Pointers as the name to be accessed
(RFC 6901). This works for the getter and setter functions
(getdns_dict_get_* and getdns_dict_set_*).

DNS over TLS now uses the default IANA assigned port number for
domain-s: 853.
This release includes an experimental implementation of upstream server
hostname authentication for TLS connections in stub mode (note that the
default behaviour has not changed compared to the 0.3 release). A new,
non-standard function getdns_context_set_tls_authentication() can be
used to set the authentication to GETDNS_AUTHENTICATION_ which requires
that a server provides a valid certificate (validated using the default
CA repository) and that the hostname specified in the "tls_auth_name"
field of the upstream dict matches that in the certificate. The
authentication setting is only enforced when the transport list contains
only GETDNS_TRANSPORT_TLS and in this case if authentication fails for
all upstreams, queries will fail. If the transport list contains other
clear text transports then opportunistic TLS will be performed which
does not require authentication of the TLS connection. Examples of usage
using the getdns_query tool can be found in the tests_transports.sh
script in the test directory.

link: https://getdnsapi.net/dist/getdns-0.5.0.tar.gz
md5 : b0458582455c8e1be9de1a41ac4fa889
sha1: 67aafdd6566bd3c99b51524191a036710819c7cd
pgp : https://getdnsapi.net/dist/getdns-0.5.0.tar.gz.asc

ChangeLog
=========
* 2015-10-29: Version 0.5.0
  * Native crypto. No ldns dependency anymore.
    (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_*
    to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing
    unsigned DS answers close to the root. Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification
    to be required for stub mode when using only TLS as a transport.
    When required a hostname must be supplied in the 'hostname' field
    of the upstream_list dict and the TLS cipher suites are restricted
    to the 4 AEAD suites recommended in RFC7525.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWMnOYAAoJEOX4+CEvd6SYVu0P/3os+8LtcsFMYPEjbuEFsReH
PtrchypJb8rp/UK/uZGH7r+jxsQcFCxURqE7qkXArw+RF5JTwxAWF44y7HLMZhbT
JPgJjSV7nafgzkXYBfRxZaO4b8VmOdYbjBu8N561i/nrHUF3teow+NK7IouXq8SU
3u8mPrvERhaaJq4/7iwb2uUFr3innhwEBdaTKy3f4Mib9nfKUW7gIQBFXAd6z9xp
pq+je+d2yfVk7bltggek5/oQhMb+cvCQP6iyhgvulenwYREm21HZElr/ECiTI4Oo
sHiEXmyG87WMiZoJQlIsWLyFCy3kJ2QaoOpl3sMH2is/LjPn9MazVztXw+O+wvPj
0uvcgQY+Gc3V5sejnMIEq0aMe2VqXFVeKKT2AZ8NFkInzvqEKCXmaJ2Di7zYonEH
d+RJCnYf3tFE7V6l5JzXfYScRZbidMALc1e99xCTdz/PcoCzFWgzFOIJqQRbkI9S
VevD3XCI1op/JJywzbJtnns5CMKOWsjX15exNzCGH3jHJgEFWArhwuLsr0yXsNfv
rDnFB0uwc6aCylDrSOj3Dl87vs4dq/zFymZkHQmtudLCP/kuWfs1zXaBBqcJ3BY5
rWfXhrnnQPBLwNxAW4As+2DNxPNtkWQyG049JLjOakAUsSs4neHnDcr8px0pZPWk
L73kzTzL7LG3VnOLDbS5
=DtbJ
-----END PGP SIGNATURE-----

From dkg at fifthhorseman.net Fri Oct 30 22:33:07 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 31 Oct 2015 07:33:07 +0900
Subject: [getdns-api] getdns 0.5.0 release
In-Reply-To: <56327398.4030105@nlnetlabs.nl>
References: <56327398.4030105@nlnetlabs.nl>
Message-ID: <87wpu4rnq4.fsf@alice.fifthhorseman.net>

On Fri 2015-10-30 04:29:28 +0900, Willem Toorop wrote:
> We have a new release version 0.5.0 of getdns.

This is now available in debian unstable.

--dkg
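The strict versus opportunistic DNS-over-TLS behaviour described in the 0.5.0 announcements above, modelled as an added example with Python's standard ssl module. This is not getdns code and uses none of its API: the transport labels, the functions tls_mode, build_tls_context, context_summary and query_via_upstreams, the injected dial callable and the upstream dict with "address" and "tls_auth_name" fields (the changelog calls the latter 'hostname') are assumptions made for the illustration. What comes from the announcements is port 853, validation against the default CA repository, the hostname match against the upstream's auth name, the rule that authentication is only enforced when TLS is the sole transport (queries fail if no upstream authenticates, otherwise TLS is opportunistic), and the restriction to the four RFC 7525 AEAD suites, given here under their OpenSSL names.

```python
"""Strict vs. opportunistic DNS-over-TLS upstream policy, modelled on the
getdns 0.5.0 announcement.  Added illustration using Python's ssl module;
not getdns code.  Names below are assumptions made for the example."""
import socket
import ssl

DNS_OVER_TLS_PORT = 853  # IANA port for domain-s, as used by getdns 0.5.0

# Transport labels; getdns uses GETDNS_TRANSPORT_* enum values instead.
UDP, TCP, TLS = "UDP", "TCP", "TLS"

# OpenSSL names of the four AEAD suites RFC 7525 recommends.
RFC7525_AEAD_SUITES = (
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
)


def tls_mode(transports, require_auth):
    """Map a transport list to 'strict', 'opportunistic' or None.

    Authentication is enforced ('strict') only when it was requested AND
    TLS is the sole transport; with clear-text transports in the list the
    TLS connection is opportunistic and its certificate is not checked.
    """
    if TLS not in transports:
        return None
    if require_auth and all(t == TLS for t in transports):
        return "strict"
    return "opportunistic"


def build_tls_context(mode):
    """SSLContext for the chosen mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if mode == "strict":
        ctx.load_default_certs()             # default CA repository
        ctx.verify_mode = ssl.CERT_REQUIRED  # a valid certificate is required
        ctx.check_hostname = True            # and it must match the auth name
        ctx.set_ciphers(":".join(RFC7525_AEAD_SUITES))
    else:
        # Opportunistic: encryption if the server offers it, any certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings worth auditing in a context."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "tls12_ciphers": sorted(c["name"] for c in ctx.get_ciphers()
                                if c["protocol"] == "TLSv1.2"),
    }


def query_via_upstreams(upstreams, transports, require_auth, dial):
    """Try transports in list order and upstreams within each, like a stub.

    dial(upstream, transport, ctx) -> bool is injected so the policy can be
    exercised offline.  In strict mode an upstream without a "tls_auth_name"
    cannot be authenticated and is skipped; if no upstream authenticates the
    query fails, because there is no clear-text transport to fall back to.
    """
    mode = tls_mode(transports, require_auth)
    for transport in transports:
        ctx = build_tls_context(mode) if transport == TLS else None
        for up in upstreams:
            if transport == TLS and mode == "strict" and not up.get("tls_auth_name"):
                continue
            if dial(up, transport, ctx):
                return {"status": "ok", "transport": transport,
                        "authenticated": transport == TLS and mode == "strict"}
    return {"status": "failed", "transport": None, "authenticated": False}


def tls_dial(upstream, transport, ctx):
    """Real dialer for the TLS transport (needs network; not used offline)."""
    if transport != TLS:
        return False  # clear-text transports are out of scope for this sketch
    try:
        with socket.create_connection((upstream["address"], DNS_OVER_TLS_PORT),
                                      timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=upstream.get("tls_auth_name")) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False
```

With a real upstream list, query_via_upstreams(upstreams, [TLS], True, tls_dial) either returns an authenticated TLS connection or reports failure; it never downgrades to clear text, which is the property the announcement describes for a TLS-only transport list. Putting UDP or TCP in the list switches the same code to opportunistic mode, where a certificate mismatch goes unnoticed.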