From willem at nlnetlabs.nl Thu Dec 14 14:19:20 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 14 Dec 2017 15:19:20 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.2
Message-ID:

Dear all,

We have a first release candidate for the upcoming 1.2.2 bugfix release of getdns.

Recently Stubby has seen increased interest. Already after the release of the Windows installer, but even more so after the introduction of Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex Band and Stéphane Bortzmeyer. The increased install base has generated excellent feedback and has also revealed some bugs. This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.

The bugs fixed with this release are:

* A segfault with the native DNSSEC validation code when DS and DNSKEY queries timed out,
* A non RFC compliant edns_client_subnet_private option that caused some upstream EDNS Client Subnet implementations (i.e. Unbound's) to return FORMERR, and
* Doing the meta queries for Zero configuration DNSSEC with the resolvers from /etc/resolv.conf, which cause Stubby to query itself for this, effectively breaking the possibility to fetch the root trust-anchors and bootstrap DNSSEC.

Besides these fixes, this release allows a getdns_context to be configured to be initialized with resolv.conf and hosts at alternative locations, with the getdns_context_set_resolvconf() and getdns_context_set_hosts() functions. Also a specific location for the CA store, for authenticating DNS-over-TLS upstreams, can be specified with the getdns_context_set_CApath() and getdns_context_set_CAfile() functions.

The getdns_context_get_api_information() function exposes more getdns_context settings, amongst which:

* The default settings for extensions,
* The paths for files that were used to initialize a getdns_context (resolv.conf, hosts and trust anchors), and
* More information about the version, configuration and capabilities of the OpenSSL library in use.

This release candidate includes a candidate for a 0.2.0 release of Stubby. The most prominent bugfix therein is to not do DNSSEC validation for queries with the CD bit set, when DNSSEC validation was not configured in the first place. This bug caused decreased performance for configurations with an unbound forwarding to Stubby.

The Stubby release candidate also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released:

https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS

Please review this release candidate carefully; if all is well, the actual release will follow Thursday the 21st of December.

link  : https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz.asc
sha256: cebfad179d6b0db8e1f4875152caf788e870710f1c52c0a92ea10d4622d4438b

ChangeLog
=========
* 2017-12-??: Version 1.2.2
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over the context configured upstreams.
  * Report default extension settings with getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes are located:
    getdns_context_set_CApath()
    getdns_context_set_CAfile()
  * getdns_context_set_resolvconf() function to initialize a context's upstreams and suffixes with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to initialize the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC validation.
    Thanks Bruno Pagani

Stubby ChangeLog
================
* 2017-12-?: Version 0.2.0
  * Add files to support a separate macOS GUI application to manage stubby
  * Bugfix #48: Do not do native DNSSEC validation when cd bit was received (for example from an unbound forwarder), but DNSSEC validation was not enabled in the first place.
  * Bugfix getdnsapi/getdns#358: Parse config files given with the -C option that have an .yaml extension as YAML not JSON.
    Thanks Ollivier Robert

From sca at andreasschulze.de Thu Dec 14 16:58:16 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Thu, 14 Dec 2017 17:58:16 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.2
In-Reply-To:
References:
Message-ID: <0444adf8-142b-d841-79c7-37279a0cf1c9@andreasschulze.de>

On 14.12.2017 at 15:19, Willem Toorop wrote:
> We have a first release candidate for the upcoming 1.2.2 bugfix release
> of getdns.

> * Doing the meta queries for Zero configuration DNSSEC with the
>   resolvers from /etc/resolv.conf, which cause Stubby to query itself
>   for this, effectively breaking the possibility to fetch the root
>   trust-anchors and bootstrap DNSSEC.

I can confirm bootstrapping works as expected now using the upstream servers only!
Andreas

From willem at nlnetlabs.nl Fri Dec 22 12:13:24 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 22 Dec 2017 13:13:24 +0100
Subject: [getdns-users] getdns-1.3.0 released
Message-ID: <4fbccd60-093c-2c7b-9a85-80536a38dbc9@nlnetlabs.nl>

Dear all,

I am pleased to announce the new Christmas 2017 bugfix release, version 1.3.0 of getdns.

Recently Stubby has seen increased interest. Already after the release of the Windows installer, but even more so after the introduction of Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex Band[1] and Stéphane Bortzmeyer[2]. The increased install base has generated excellent feedback and has also revealed some bugs. This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.

The bugs fixed with this release are:

* A segfault with the native DNSSEC validation code when DS and DNSKEY queries timed out,
* A non RFC compliant edns_client_subnet_private option that caused some upstream EDNS Client Subnet implementations (i.e. Unbound's) to return FORMERR, and
* Doing the meta queries for Zero configuration DNSSEC with the resolvers from /etc/resolv.conf, which caused Stubby to query itself for this, effectively breaking the possibility to fetch the root trust-anchors and bootstrap DNSSEC.

Besides these fixes, this release allows a getdns_context to be configured to be initialized with resolv.conf and hosts at alternative locations, with the getdns_context_set_resolvconf() and getdns_context_set_hosts() functions.

Also TLS parameters for DNS-over-TLS are more configurable:

* The CA store, for authenticating DNS-over-TLS upstreams, can be specified with the getdns_context_set_tls_ca_path() and getdns_context_set_tls_ca_file() functions.
* The default available ciphers are configurable with the getdns_context_set_tls_cipher_list() function.

The default available cipher list has been adapted to support TLS 1.3 too, when linked with a TLS 1.3 supporting version of OpenSSL (i.e. >= 1.1.1). Available ciphers can also be set for specific upstreams with getdns_context_set_upstream_recursive_servers().

The getdns_context_get_api_information() function exposes more getdns_context settings, amongst which:

* The default settings for extensions,
* The paths for files that were used to initialize a getdns_context (resolv.conf, hosts and trust anchors), and
* More information about the version, configuration and capabilities of the OpenSSL library in use.

This release includes the 0.2.1 release of Stubby. The most prominent bugfix therein is to not do DNSSEC validation for queries with the CD bit set, when DNSSEC validation was not configured in the first place. This bug caused decreased performance for configurations with an unbound forwarding to Stubby.

The 0.2.1 release of Stubby also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released:

https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS

This release has version number 1.3.0 and not 1.2.2, for which the release candidate was created, because we comply with the Semantic Versioning 2.0.0 scheme, and a few new functions are introduced into the API. The other change from the release candidate is that the Certificate Authority store location settings are now prepended with tls_, like all other settings influencing DNS-over-TLS.

Merry Christmas & Happy New Year from the getdns team!

link  : https://getdnsapi.net/dist/getdns-1.3.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.3.0.tar.gz.asc
sha256: 920fa2e07c72fd0e5854db1820fa777108009fc5cb702f9aa5155ef58b12adb1

ChangeLog
=========
* 2017-12-21: Version 1.3.0
  * Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
    Thanks Tim Rühsen and Konomi Kitten
  * Specify default available cipher suites for authenticated TLS upstreams with getdns_context_set_tls_cipher_list()
    An upstream specific available cipher suite may also be given with the tls_cipher_list setting in the upstream dict with getdns_context_set_upstream_recursive_servers()
  * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
    Thanks Pascal Ernster
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over the context configured upstreams.
    Thanks Andreas Schulze
  * Report default extension settings with getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes are located:
    getdns_context_set_tls_ca_path()
    getdns_context_set_tls_ca_file()
  * getdns_context_set_resolvconf() function to initialize a context's upstreams and suffixes with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to initialize the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza & Andreas Schulze
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC validation.
    Thanks Bruno Pagani

Stubby ChangeLog
================
* 2017-12-18: Version 0.2.1
  * Fix use of logging on macos 10.11
* 2017-12-18: Version 0.2.0
  * Add Powershell scripts for Windows 7 that will update the IPv4 DNS resolvers.
  * Add Windows scripts to enable a Scheduled task for stubby
  * Add files to support a separate macOS GUI application to manage stubby
    https://dnsprivacy.org/wiki/x/CIBn
  * Add Quad9 details to the configuration file
  * Bugfix #48: Do not do native DNSSEC validation when cd bit was received (for example from an unbound forwarder), but DNSSEC validation was not enabled in the first place.
  * Bugfix getdnsapi/getdns#358: Parse config files given with the -C option that have an .yaml extension as YAML not JSON.
    Thanks Ollivier Robert

References
==========
[1] https://medium.com/@alexander_band/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5
[2] https://labs.ripe.net/Members/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security
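The edns_client_subnet_private fix announced above (Bugfix #359, "should set family"), as an added example that is not getdns or Stubby code: it encodes the RFC 7871 EDNS Client Subnet option a privacy-preserving stub sends (SOURCE PREFIX-LENGTH 0, no address) and runs it through a strict validator of the kind the announcement says answered FORMERR. Assumptions: the pre-fix option is modelled as FAMILY 0 and the fixed one as FAMILY 1 (IPv4) or 2 (IPv6); the exact bytes the old code emitted are not on the page.

```python
"""Added example, not getdns or Stubby code: RFC 7871 EDNS Client Subnet (ECS)
option encoding and strict validation, illustrating Bugfix #359."""
import struct

OPTION_CODE_ECS = 8   # EDNS option code for Client Subnet (RFC 7871, section 6)
FAMILY_IPV4 = 1       # IANA address family numbers used in the FAMILY field
FAMILY_IPV6 = 2
FORMERR = 1           # DNS RCODE 1, what a strict upstream answers on a bad option


def build_ecs_option(family, source_prefix, address=b""):
    """Encode one ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY (2 octets),
    SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries), ADDRESS.
    ADDRESS is truncated to ceil(source_prefix / 8) octets, so a privacy
    preserving stub with source_prefix 0 sends no address at all."""
    addr_len = (source_prefix + 7) // 8
    addr = bytes(address[:addr_len])
    if len(addr) != addr_len:
        raise ValueError("address shorter than SOURCE PREFIX-LENGTH requires")
    body = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", OPTION_CODE_ECS, len(body)) + body


def private_ecs_option_buggy():
    """Assumed shape of the pre-fix edns_client_subnet_private option:
    source prefix 0 for privacy, but FAMILY left at 0."""
    return build_ecs_option(0, 0)


def private_ecs_option_fixed(ipv6=False):
    """Bugfix #359, 'should set family': still source prefix 0 and no
    address, but FAMILY names a real address family (assumption: 1 or 2)."""
    return build_ecs_option(FAMILY_IPV6 if ipv6 else FAMILY_IPV4, 0)


def check_ecs_option(option):
    """Validate an ECS option the way a strict upstream would.
    Returns (None, fields) when acceptable and (FORMERR, None) otherwise."""
    if len(option) < 8:
        return FORMERR, None
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_CODE_ECS or length != len(option) - 4:
        return FORMERR, None
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr = option[8:]
    if family == FAMILY_IPV4:
        max_prefix = 32
    elif family == FAMILY_IPV6:
        max_prefix = 128
    else:
        return FORMERR, None        # FAMILY 0 ends here: the reported FORMERR
    if source > max_prefix or scope != 0 or len(addr) != (source + 7) // 8:
        return FORMERR, None
    # Bits past SOURCE PREFIX-LENGTH are padding and must be zero.
    if source % 8 and addr[-1] & (0xFF >> (source % 8)):
        return FORMERR, None
    return None, {"family": family, "source_prefix": source, "address": addr}


if __name__ == "__main__":
    for label, opt in (("buggy", private_ecs_option_buggy()),
                       ("fixed", private_ecs_option_fixed())):
        print(label, opt.hex(), check_ecs_option(opt))
```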