From rick at openfortress.nl Sun Jul 2 19:46:58 2017
From: rick at openfortress.nl (Rick van Rein)
Date: Sun, 02 Jul 2017 21:46:58 +0200
Subject: [getdns-users] GetDNSapi for Erlang
In-Reply-To: <4a4d4b92-0c2b-1000-eb61-320ae63137a5@nlnetlabs.nl>
References: <5955BC69.30401@openfortress.nl>
 <4a4d4b92-0c2b-1000-eb61-320ae63137a5@nlnetlabs.nl>
Message-ID: <59594DB2.20105@openfortress.nl>

Hey Willem,

>> Is anyone aware of work that has been done to make GetDNSapi work with
>> Erlang? DuckDuckGo seems to have misplaced the answers to this one :)
>
> I don't know for sure, but I vaguely remember that Linus Nordberg (on
> the CC) was interested in getdns bindings for Erlang for his CT for
> DNSSEC work and I believe he looked into this at some point.

Thanks. It is very strange to hit a language these days with barely
any support for DNS and DNSSEC! But that's what GetDNS is all about
of course.

But I have come to realise that my question was too hasty...
the extensive dictionaries generated by GetDNS are very close to a
scripted or dynamic language, and Erlang being functional and dynamic
in nature I thought the match would work.

In the end however, I realised that the Unbound API is much closer
to Erlang in style, because it is easier to use with pattern matching
on an output record with bogus/secure/... flags. The extra work
needed for parsing the RDATA is easy because Erlang even does
pattern matching in binaries:

    case SrvRDATA of
        << _:48, $. >> -> ...unavailable...;
        << Priority:16, Weight:16, Port:16, Target/binary >> -> ...act...
    end

In comparison, I believe pattern matching GetDNS's dictionaries
would be more difficult. I saw a link with the message-passing
between minute processes (Go adopted the same style) on account
of event-driven GetDNS, but that is not unique about GetDNS, of
course.

Hope I'm not disappointing you with this :)

Thanks,
 -Rick

From willem at nlnetlabs.nl Mon Jul 3 10:21:31 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 3 Jul 2017 12:21:31 +0200
Subject: [getdns-users] GetDNSapi for Erlang
In-Reply-To: <59594DB2.20105@openfortress.nl>
References: <5955BC69.30401@openfortress.nl>
 <4a4d4b92-0c2b-1000-eb61-320ae63137a5@nlnetlabs.nl>
 <59594DB2.20105@openfortress.nl>
Message-ID: <3a977436-86ae-bacf-c9c5-c679bc2b4d86@nlnetlabs.nl>

On 02-07-17 at 21:46, Rick van Rein wrote:
> Hey Willem,
>
>>> Is anyone aware of work that has been done to make GetDNSapi work with
>>> Erlang? DuckDuckGo seems to have misplaced the answers to this one :)
>>
>> I don't know for sure, but I vaguely remember that Linus Nordberg (on
>> the CC) was interested in getdns bindings for Erlang for his CT for
>> DNSSEC work and I believe he looked into this at some point.
>
> Thanks. It is very strange to hit a language these days with barely
> any support for DNS and DNSSEC! But that's what GetDNS is all about
> of course.
>
> But I have come to realise that my question was too hasty...
> the extensive dictionaries generated by GetDNS are very close to a
> scripted or dynamic language, and Erlang being functional and dynamic
> in nature I thought the match would work.
>
> In the end however, I realised that the Unbound API is much closer
> to Erlang in style, because it is easier to use with pattern matching
> on an output record with bogus/secure/... flags. The extra work
> needed for parsing the RDATA is easy because Erlang even does
> pattern matching in binaries:
>
>     case SrvRDATA of
>         << _:48, $. >> -> ...unavailable...;
>         << Priority:16, Weight:16, Port:16, Target/binary >> -> ...act...
>     end

Hey Rick,

Did you know that getdns, when used to look up SRV records, produces a
list of addresses and ports sorted in the half random way by weight and
priority as described in RFC2782? You can find it under "srv_addresses"
in the top of the response object.

> In comparison, I believe pattern matching GetDNS's dictionaries
> would be more difficult. I saw a link with the message-passing
> between minute processes (Go adopted the same style) on account
> of event-driven GetDNS, but that is not unique about GetDNS, of
> course.
>
> Hope I'm not disappointing you with this :)

A little bit, but I'll get over it ;)

Cheers,
-- Willem

>
> Thanks,
>  -Rick
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> https://getdnsapi.net/mailman/listinfo/users
>

From willem at nlnetlabs.nl Mon Jul 3 15:09:27 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 3 Jul 2017 17:09:27 +0200
Subject: [getdns-users] getdns-1.1.2 released
Message-ID: <43a07ec7-4069-f59e-199d-6cc9a2f55da2@nlnetlabs.nl>

Dear all,

We have a quickfix release version 1.1.2 of getdns.

The brew formula for Stubby installed and configured a version of the
getdns library that would not fit other applications using getdns very
well. More specifically, libgetdns was configured to output statistics
about upstreams.

To allow to display upstream statistics without the necessity for a
specifically configured library, this release introduces a single new
feature: the ability to register a callback function that will fire
when certain subsystems have a log message of a certain severity. Which
subsystems will fire the callback can be specified with the registration
function. Currently this is only available for upstream statistics, but
in the future the log messages for the other subsystems will be provided
in a similar fashion.

Besides this single feature, we have a few bugfixes in this release.
The most prominent one fixing fallbacks on certain error conditions for
stateful transports on MacOS. For a more complete overview also see the
ChangeLog section below.

link  : https://getdnsapi.net/dist/getdns-1.1.2.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.1.2.tar.gz.asc
sha256: 685fbd493601c88c90b0bf3021ba0ee863e3297bf92f01b8bf1b3c6637c86ba5

ChangeLog
=========
* 2017-07-03: Version 1.1.2
  * Bugfix for parallel make install
  * Bugfix to trigger event callbacks on socket errors
  * A getdns_context_set_logfunc() function with which one may
    register a callback log function for certain library subsystems
    at certain levels. Currently this can only be used for
    upstream statistics subsystem.

From sca at andreasschulze.de Wed Jul 5 17:41:06 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 5 Jul 2017 19:41:06 +0200
Subject: [getdns-users] where is the "ad" bit?
Message-ID:

Hello,

I try to replace a validating unbound-resolver with stubby (DNS-via-TLS
to this unbound-resolver) and found dnssec validation differences.

how should I configure stubby to make
"dig @stubby dnssec-failed.org." return SERVFAIL and
"dig @stubby getdnsapi.net." return data with AD bit set?

Andreas

From willem at nlnetlabs.nl Wed Jul 5 21:13:03 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 5 Jul 2017 23:13:03 +0200
Subject: [getdns-users] where is the "ad" bit?
In-Reply-To:
References:
Message-ID:

On 05-07-17 at 19:41, A. Schulze wrote:
> Hello,
>
> I try to replace a validating unbound-resolver with stubby (DNS-via-TLS
> to this unbound-resolver) and found dnssec validation differences.
>
> how should I configure stubby to make
> "dig @stubby dnssec-failed.org." return SERVFAIL and
> "dig @stubby getdnsapi.net." return data with AD bit set?

Hi Andreas,

You have to adapt your stubby.conf file to include

  dnssec_return_status: GETDNS_EXTENSION_TRUE

For example here is the start of the stubby.conf file with that
extension set.

{ dnssec_return_status: GETDNS_EXTENSION_TRUE
, resolution_type: GETDNS_RESOLUTION_STUB
, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
, tls_query_padding_blocksize: 256
, edns_client_subnet_private : 1
, listen_addresses: [ 127.0.0.1, 0::1 ]
, idle_timeout: 10000
, round_robin_upstreams: 1
, upstream_recursive_servers:
  [ { address_data: 145.100.185.15
    , tls_auth_name: "dnsovertls.sinodun.com"
    , tls_pubkey_pinset:
      [ { digest: "sha256"
        , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
      } ]
    },

Cheers,
-- Willem

>
> Andreas

From sca at andreasschulze.de Sun Jul 9 13:10:24 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Sun, 09 Jul 2017 15:10:24 +0200
Subject: [getdns-users] where is the "ad" bit?
Message-ID: <20170709151024.Horde.GIDAKKKAr9npfrFtRnF0F9X@andreasschulze.de>

On 05.07.2017 at 23:13, Willem Toorop wrote:
> You have to adapt your stubby.conf file to include
>
>   dnssec_return_status: GETDNS_EXTENSION_TRUE

Hello Willem,

that works. so thanks for the hint.
one more question (maybe unrelated)
beside the "ad" flag I see now also "cd" flag set in the response.
I know "cd" only if I try to get data for the intentionally broken
domain "dnssec-failed.org"

Andreas

>
> For example here is the start of the stubby.conf file with that
> extension set.
>
> { dnssec_return_status: GETDNS_EXTENSION_TRUE
> , resolution_type: GETDNS_RESOLUTION_STUB
> , dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
> , tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
> , tls_query_padding_blocksize: 256
> , edns_client_subnet_private : 1
> , listen_addresses: [ 127.0.0.1, 0::1 ]
> , idle_timeout: 10000
> , round_robin_upstreams: 1
> , upstream_recursive_servers:
>   [ { address_data: 145.100.185.15
>     , tls_auth_name: "dnsovertls.sinodun.com"
>     , tls_pubkey_pinset:
>       [ { digest: "sha256"
>         , value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
>       } ]
>     },
>
> Cheers,
> -- Willem
>>
>> Andreas

From marcel.van.garderen at broadforward.com Thu Jul 13 13:01:17 2017
From: marcel.van.garderen at broadforward.com (Marcel van Garderen)
Date: Thu, 13 Jul 2017 15:01:17 +0200
Subject: [getdns-users] Question on transport fallback option of the getdns API
Message-ID: <86631312-24cf-c284-9c3b-24ad0b3dcaa2@broadforward.com>

Hi getdns users,

My name is Marcel and this is my 1st post to the user's list...

I have a question on the usage of the getdns API function
getdns_context_set_dns_transport_list(). With this function the user
can provide an ordered list of transport protocols that will be used
for DNS lookups. Fallback options are specified by including multiple
values in the list.

I did some experiments with transport fallback using the following dns
context (lib version 1.0.0b2).
Here, the transport list is 'first try UDP and if it fails try TCP'
(the single IP address is masked)

{
  "all_context":
  {
    "append_name": GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST,
    "dns_transport_list":
    [
      GETDNS_TRANSPORT_UDP,
      GETDNS_TRANSPORT_TCP
    ],
    "dnssec_allowed_skew": 0,
    "edns_do_bit": 0,
    "edns_extended_rcode": 0,
    "edns_maximum_udp_payload_size": 512,
    "edns_version": 0,
    "follow_redirects": GETDNS_REDIRECTS_FOLLOW,
    "idle_timeout": 5000000,
    "limit_outstanding_queries": 0,
    "namespaces":
    [
      GETDNS_NAMESPACE_LOCALNAMES,
      GETDNS_NAMESPACE_DNS
    ],
    "suffix": [],
    "timeout": 1000,
    "tls_authentication": GETDNS_AUTHENTICATION_NONE,
    "upstream_recursive_servers":
    [
      {
        "address_data": ,
        "address_type":
      }
    ]
  },
  "implementation_string": ,
  "resolution_type": GETDNS_RESOLUTION_STUB,
  "version_string":
}

The issue is that I was not seeing any transport fallback attempts
(using the same context). When the DNS lookup failed (using UDP,
timeout), there was no TCP attempt during any of the next 10 lookups.
The library just kept on trying UDP. Changing the order (TCP with
fallback to UDP) did not make any difference: it just kept on trying
TCP.

Any feedback would be greatly appreciated!

Regards,
Marcel

From sca at andreasschulze.de Sun Jul 16 11:17:46 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Sun, 16 Jul 2017 13:17:46 +0200
Subject: [getdns-users] Question on transport fallback option of the getdns API
In-Reply-To: <86631312-24cf-c284-9c3b-24ad0b3dcaa2@broadforward.com>
References: <86631312-24cf-c284-9c3b-24ad0b3dcaa2@broadforward.com>
Message-ID:

On 13.07.2017 at 15:01, Marcel van Garderen wrote:
> I have a question on the usage of the getdns API function
> getdns_context_set_dns_transport_list().

just had a similar discussion about configuring stubby.
Imagine I like to run stubby as replacement for unbound.
Queries from local applications sent to stubby (via "nameserver ::1"
in /etc/resolv.conf) the software should try to answer while acting as
full recursive resolver.
It knows the root nameservers and root's DNSKEYs and follows delegations.
But if that fails I like stubby to forward the requests to an upstream
resolver provided via DHCP for example.

Willem didn't deny that should be possible but how could a
configuration file look like?

this message is mainly intended as a reminder :-)

Andreas

From willem at nlnetlabs.nl Mon Jul 3 15:09:29 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 3 Jul 2017 17:09:29 +0200
Subject: [getdns-api] getdns-1.1.2 released
Message-ID:

Dear all,

We have a quickfix release version 1.1.2 of getdns.

The brew formula for Stubby installed and configured a version of the
getdns library that would not fit other applications using getdns very
well. More specifically, libgetdns was configured to output statistics
about upstreams.

To allow to display upstream statistics without the necessity for a
specifically configured library, this release introduces a single new
feature: the ability to register a callback function that will fire
when certain subsystems have a log message of a certain severity. Which
subsystems will fire the callback can be specified with the registration
function. Currently this is only available for upstream statistics, but
in the future the log messages for the other subsystems will be provided
in a similar fashion.

Besides this single feature, we have a few bugfixes in this release.
The most prominent one fixing fallbacks on certain error conditions for
stateful transports on MacOS. For a more complete overview also see the
ChangeLog section below.

link  : https://getdnsapi.net/dist/getdns-1.1.2.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.1.2.tar.gz.asc
sha256: 685fbd493601c88c90b0bf3021ba0ee863e3297bf92f01b8bf1b3c6637c86ba5

ChangeLog
=========
* 2017-07-03: Version 1.1.2
  * Bugfix for parallel make install
  * Bugfix to trigger event callbacks on socket errors
  * A getdns_context_set_logfunc() function with which one may
    register a callback log function for certain library subsystems
    at certain levels. Currently this can only be used for
    upstream statistics subsystem.
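
Added example, not part of any message in this archive and not getdns or Stubby code: for the 'where is the "ad" bit?' thread above, a Python check that decodes the AD, CD and RCODE header fields which the thread inspects with dig, and maps them to the two outcomes asked for there (SERVFAIL for dnssec-failed.org, AD set for getdnsapi.net). The function names, the constructed sample headers and the EDNS UDP size of 1232 are assumptions made for this example.

```python
import socket
import struct

# Header flag masks (RFC 1035 section 4.1.1; AD and CD as defined in RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, qid=0x1234):
    """Wire-format query with RD and AD set, plus an EDNS0 OPT record with DO."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".") if part]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 1)
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "answers": an,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}

def verdict(msg):
    """What a client may conclude from the response flags alone."""
    f = parse_flags(msg)
    if not f["qr"]:
        raise ValueError("not a response")
    if f["rcode"] == "SERVFAIL":
        return "failed"       # expected in the thread for dnssec-failed.org
    if f["rcode"] == "NOERROR" and f["ad"]:
        return "validated"    # expected in the thread for getdnsapi.net
    return "unvalidated"

def ask(server, name, port=53, timeout=3.0):
    """Send one UDP query (for example to a stub on 127.0.0.1) and judge the reply."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        return verdict(sock.recv(4096))

# Constructed 12-byte response headers (no records), used only to exercise the decoder.
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
SAMPLE_FAILED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 1)
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | CD, 1, 1, 0, 1)
```

Calling `ask("127.0.0.1", "getdnsapi.net.")` against a local stub performs the same check live; SERVFAIL alone does not distinguish a validation failure from other resolver errors, which is why the verdict is the neutral "failed".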