[getdns-users] First release candidate for getdns-1.2.2
Willem Toorop
willem at nlnetlabs.nl
Thu Dec 14 14:19:20 UTC 2017
Dear all,

We have a first release candidate for the upcoming 1.2.2 bugfix release
of getdns.

Recently Stubby has seen increased interest. Already after the release
of the Windows installer, but even more so after the introduction of
Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex
Band and Stéphane Bortzmeyer.

The increased install base has generated excellent feedback and has also
revealed some bugs. This release has those bugs fixed, and also contains
a few more configuration options to be able to adapt to more diverse
situations.

The bugs fixed with this release are:

  * A segfault with the native DNSSEC validation code when DS and DNSKEY
    queries timed out,
  * A non-RFC-compliant edns_client_subnet_private option that caused
    some upstream EDNS Client Subnet implementations (i.e. Unbound's) to
    return FORMERR, and
  * Doing the meta queries for Zero configuration DNSSEC with the
    resolvers from /etc/resolv.conf, which caused Stubby to query itself
    for this, effectively breaking the possibility to fetch the root
    trust-anchors and bootstrap DNSSEC.

Besides these fixes, this release allows a getdns_context to be
initialized with resolv.conf and hosts at alternative locations,
with the getdns_context_set_resolvconf() and getdns_context_set_hosts()
functions. Also a specific location for the CA store, for authenticating
DNS-over-TLS upstreams, can be specified with the
getdns_context_set_CApath() and getdns_context_set_CAfile() functions.

The getdns_context_get_api_information() function exposes more
getdns_context settings, amongst which:

  * The default settings for extensions,
  * The paths for files that were used to initialize a getdns_context
    (resolv.conf, hosts and trust anchors), and
  * More information about the version, configuration and capabilities
    of the OpenSSL library in use.

This release candidate includes a candidate for a 0.2.0 release of
Stubby. The most prominent bugfix therein is to not do DNSSEC validation
for queries with the CD bit set, when DNSSEC validation was not
configured in the first place. This bug caused decreased performance for
configurations with an unbound forwarding to Stubby.

The Stubby release candidate also includes some additional auxiliary
functionality which is used by the macOS prototype GUI that was just
released: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS

Please review this release candidate carefully. If all is well, the
actual release will follow Thursday the 21st of December.
link : https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz
pgp : https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz.asc
sha256: cebfad179d6b0db8e1f4875152caf788e870710f1c52c0a92ea10d4622d4438b

ChangeLog
=========
* 2017-12-??: Version 1.2.2
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
    context configured upstreams.
  * Report default extension settings with
    getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes
    are located: getdns_context_set_CApath() getdns_context_set_CAfile()
  * getdns_context_set_resolvconf() function to initialize a context's
    upstreams and suffixes with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize
    the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's
    LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to
    initialize the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time
    when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
    validation. Thanks Bruno Pagani

Stubby ChangeLog
================
* 2017-12-?: Version 0.2.0
  * Add files to support a separate macOS GUI application to manage
    stubby
  * Bugfix #48: Do not do native DNSSEC validation when cd bit was
    received (for example from an unbound forwarder), but DNSSEC
    validation was not enabled in the first place.
  * Bugfix getdnsapi/getdns#358: Parse config files given with the
    -C option that have an .yaml extension as YAML not JSON.
    Thanks Ollivier Robert
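
The announcement above gives a download link, a detached PGP signature and a SHA-256 digest for the tarball. As an added example (not part of the original message and not code from the getdns project), this POSIX shell script checks a downloaded file against the `sha256:` line of a saved copy of the announcement; the function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. Usage (file names are assumptions):
#   sh verify.sh announcement.txt getdns-1.2.2-rc1.tar.gz

# Print the 64-hex-digit digest from the announcement's "sha256:" line.
announced_sha256() {
    sed -n 's/^[[:space:]]*sha256[[:space:]]*:[[:space:]]*\([0-9a-fA-F]\{64\}\)[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Print the SHA-256 of a file with whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_release ANNOUNCEMENT TARBALL
# Returns 0 on match, 1 on mismatch, 2 when an input is unusable.
verify_release() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "unreadable input" >&2; return 2; }
    # Normalise case so an upper-case digest in the mail still compares equal.
    want=$(announced_sha256 "$1" | tr 'A-F' 'a-f')
    [ -n "$want" ] || { echo "no sha256 line found in $1" >&2; return 2; }
    got=$(file_sha256 "$2") || return 2
    if [ "$got" = "$want" ]; then
        echo "sha256 OK: $2"
        return 0
    fi
    echo "sha256 MISMATCH for $2" >&2
    echo "  announced: $want" >&2
    echo "  computed:  $got" >&2
    return 1
}

# Run the check only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The digest is only as trustworthy as the copy of the announcement it is read from, so the detached signature should also be checked, for example with `gpg --verify getdns-1.2.2-rc1.tar.gz.asc getdns-1.2.2-rc1.tar.gz` against a release key obtained through a separate channel.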