From willem at nlnetlabs.nl Fri Nov 3 20:50:15 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 3 Nov 2017 21:50:15 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.1

Dear all,

We have a first release candidate for the upcoming 1.2.1 bugfix release of
getdns. This release includes bugfixes, robustness and stability improvements
only. For a more detailed description of all changes see the ChangeLog section
below.

The version of Stubby included with this release has been updated to 0.1.5.
The ChangeLog entries up from the version of Stubby included in the previous
release (0.1.3) are included in the Stubby ChangeLog section below.

Please review this release candidate carefully; if all is well, the actual
release will follow Friday the 10th of November.

link  : https://getdnsapi.net/dist/getdns-1.2.1-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.1-rc1.tar.gz.asc
sha256: c6ac3a7a401020da4c513a75aee2da2ae8e9511bec3a599654dee72000cd3f71

ChangeLog
=========
* 2017-11-??: Version 1.2.1
  * Stubby version 0.1.5 included
  * Handle more I/O error cases. Also, when an I/O error does occur, never
    stop listening (with servers), and never exit (when running the built-in
    event loop).
  * Bugfix: Tolerate unsigned and unused RRsets in the authority section.
    Fixes DNSSEC with BIND upstream.
  * Bugfix: DNSSEC validation without support records
  * Bugfix: Validation of full recursive DNSKEY lookups
  * Bugfix: Retry to validate full recursion BOGUS replies with zero
    configuration DNSSEC only when DNSSEC was actually requested
  * Bugfix #348: Fix a linking issue in stubby when libbsd is present
    Thanks Remi Gacogne
  * More robust scheduling; eliminating a segfault with long running
    applications.
  * Miscellaneous Windows portability fixes from Jim Hague.
  * Fix Makefile dependencies for parallel install. Thanks ilovezfs

Stubby ChangeLog
================
* 2017-11-03: Version 0.1.5
  * Add Windows installer package. Installer available at dnsprivacy.org
  * Fix to systemd file names (thanks ArchangeGabriel)
  * Add SPKI for Uncensored DNS (thanks woopstar)
  * Fix installation of stubby.yml file (thanks ArchangeGabriel)
  * Fix detection of platform for standalone build
  * Fix location of pid file installation
  * Update the stubby.yml file to contain details of all available servers.
    Only a small subset are enabled by default.
* 2017-10-20: Version 0.1.4
  * '-i' option of stubby no longer tries to bind to the listen addresses so
    it can be run without requiring root privileges. Makes it easier to
    validate the configuration file syntax.
  * Fix incorrect IP addresses for some servers in the config file. Add note
    that IPv6 addresses ending in :: are not supported (must use ::0). Also
    add example of using a specific port in a listen address.
  * Fixes for Windows support

From sca at andreasschulze.de Mon Nov 6 19:48:55 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Mon, 6 Nov 2017 20:48:55 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.1 - but still trouble
Message-ID: <1a98644b-9009-3bd4-8ab0-03f07c032220@andreasschulze.de>

On 03.11.2017 at 21:50, Willem Toorop wrote:
> We have a first release candidate for the upcoming 1.2.1 bugfix release
> of getdns.

Hello Willem,

I compiled the version - no warnings - no noise.

But - unrelated to this version - I still have trouble if
"dnssec_return_status: GETDNS_EXTENSION_TRUE" is enabled.
In this case I get no answers.

Here is my working setup:

# cat /etc/resolv.conf
nameserver 127.0.0.1

# cat /etc/unbound/root.key
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# cat /root/.stubby.yml
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
#dnssec_return_status: GETDNS_EXTENSION_TRUE
listen_addresses:
  - 127.0.0.1
upstream_recursive_servers:
  - address_data: 145.100.185.15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

# stubby -C /root/.stubby.yml -i > /dev/null | tail -n 1
[19:25:53.102282] STUBBY: Read config from file /root/.stubby.yml
Result: Config file syntax is valid.

# stubby -C /root/.stubby.yml &

# dig dnssec-failed.org +dnssec +noall +answer

;; ANSWER SECTION:
dnssec-failed.org.    7155  IN  A     69.252.80.75
dnssec-failed.org.    7155  IN  RRSIG A 5 2 7200 20171113150538 20171102150038 44973 dnssec-failed.org. juxwes...nsQE=

# dig andreasschulze.de +dnssec +noall +answer

;; ANSWER SECTION:
andreasschulze.de.    439   IN  A     188.194.67.116
andreasschulze.de.    544   IN  RRSIG A 8 2 600 20171116191712 20171106191712 29011 andreasschulze.de. LWfRy...gg==

I expect to get no answer for dnssec-failed.org if I enable
"dnssec_return_status: GETDNS_EXTENSION_TRUE".
If I restart stubby I get this:

# dig dnssec-failed.org +dnssec

; <<>> DiG 9.10.3-P4-Debian <<>> dnssec-failed.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61836
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dnssec-failed.org.    IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 06 20:38:54 CET 2017
;; MSG SIZE  rcvd: 35

-> that's fine!
but:

# dig andreasschulze.de +dnssec

; <<>> DiG 9.10.3-P4-Debian <<>> andreasschulze.de +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33838
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;andreasschulze.de.    IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 06 20:43:03 CET 2017
;; MSG SIZE  rcvd: 35

That's not so good :-/

The only thing I noticed: a new directory "/root/.getdns/" was created.
But the directory is empty.
Did I misunderstand something completely, or are some files missing in my
package?

Andreas

From sca at andreasschulze.de Mon Nov 6 19:54:36 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Mon, 6 Nov 2017 20:54:36 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.1 - feature request
Message-ID: <2de6829c-92fc-0f52-8819-474392290a59@andreasschulze.de>

On 03.11.2017 at 21:50, Willem Toorop wrote:
> We have a first release candidate for the upcoming 1.2.1 bugfix release
> of getdns.

Just forgot to mention: I like query logging ... (my volume is small enough).
Would it be possible to implement query logging like unbound does?
Disabled by default, but enabled upon configuration and/or verbose loglevel?

Andreas

From willem at nlnetlabs.nl Tue Nov 7 12:27:45 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 7 Nov 2017 13:27:45 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.1 - but still trouble
In-Reply-To: <1a98644b-9009-3bd4-8ab0-03f07c032220@andreasschulze.de>
References: <1a98644b-9009-3bd4-8ab0-03f07c032220@andreasschulze.de>
Message-ID: <5db8e66e-2b8c-5de2-bb72-e990f0485cce@nlnetlabs.nl>

Andreas,

Are you very certain you use the latest getdns library? i.e. the 1.2.1
release candidate from the tarball from the website, or a git checkout
from the release/1.2.1 branch.

I have recent commits that make dnssec validation work with bind upstreams
(i.e. the dnsovertls.sinodun.com ones). You can check by using the
getdnsapi.net upstream instead of the sinodun one (which is unbound and
didn't have the issue).

Also, I am pretty sure you were able to validate the root DNSKEY rrset with
the trust anchor you provided (you can check with dig . dnskey +dnssec),
because otherwise the root-anchors.xml and p7s files would have been
downloaded from data.iana.org.

About that. If you do not configure a trust-anchor and don't have a
trust-anchor on the default location, getdns will fetch them from iana.org
for you.

The actual output of stubby -i might be helpful. Could you send that
off-list?

--
Willem

On 06-11-17 at 20:48, A. Schulze wrote:
>
>
> On 03.11.2017 at 21:50, Willem Toorop wrote:
>
>> We have a first release candidate for the upcoming 1.2.1 bugfix release
>> of getdns.
>
> Hello Willem,
>
> I compiled the version - no warnings - no noise.
>
> But - unrelated to this version - I still have trouble if
> "dnssec_return_status: GETDNS_EXTENSION_TRUE" is enabled.
> In this case I get no answers.
>
> Here is my working setup:
>
> # cat /etc/resolv.conf
> nameserver 127.0.0.1
>
> # cat /etc/unbound/root.key
> . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
>
> # cat /root/.stubby.yml
> dns_transport_list:
>   - GETDNS_TRANSPORT_TLS
> tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
> #dnssec_return_status: GETDNS_EXTENSION_TRUE
> listen_addresses:
>   - 127.0.0.1
> upstream_recursive_servers:
>   - address_data: 145.100.185.15
>     tls_auth_name: "dnsovertls.sinodun.com"
>     tls_pubkey_pinset:
>       - digest: "sha256"
>         value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
>
> # stubby -C /root/.stubby.yml -i > /dev/null | tail -n 1
> [19:25:53.102282] STUBBY: Read config from file /root/.stubby.yml
> Result: Config file syntax is valid.
>
> # stubby -C /root/.stubby.yml &
>
> # dig dnssec-failed.org +dnssec +noall +answer
>
> ;; ANSWER SECTION:
> dnssec-failed.org.    7155  IN  A     69.252.80.75
> dnssec-failed.org.    7155  IN  RRSIG A 5 2 7200 20171113150538 20171102150038 44973 dnssec-failed.org. juxwes...nsQE=
>
> # dig andreasschulze.de +dnssec +noall +answer
>
> ;; ANSWER SECTION:
> andreasschulze.de.    439   IN  A     188.194.67.116
> andreasschulze.de.    544   IN  RRSIG A 8 2 600 20171116191712 20171106191712 29011 andreasschulze.de. LWfRy...gg==
>
> I expect to get no answer for dnssec-failed.org if I enable
> "dnssec_return_status: GETDNS_EXTENSION_TRUE".
> If I restart stubby I get this:
>
> # dig dnssec-failed.org +dnssec
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> dnssec-failed.org +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61836
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;dnssec-failed.org.    IN  A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 06 20:38:54 CET 2017
> ;; MSG SIZE  rcvd: 35
>
> -> that's fine!
> but:
>
> # dig andreasschulze.de +dnssec
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> andreasschulze.de +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33838
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;andreasschulze.de.    IN  A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 06 20:43:03 CET 2017
> ;; MSG SIZE  rcvd: 35
>
> That's not so good :-/
>
> The only thing I noticed: a new directory "/root/.getdns/" was created.
> But the directory is empty.
> Did I misunderstand something completely, or are some files missing in my
> package?
>
> Andreas
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> https://getdnsapi.net/mailman/listinfo/users
>

From sca at andreasschulze.de Tue Nov 7 17:03:14 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Tue, 7 Nov 2017 18:03:14 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.1 - but still trouble
In-Reply-To: <5db8e66e-2b8c-5de2-bb72-e990f0485cce@nlnetlabs.nl>
References: <1a98644b-9009-3bd4-8ab0-03f07c032220@andreasschulze.de>
 <5db8e66e-2b8c-5de2-bb72-e990f0485cce@nlnetlabs.nl>

On 07.11.2017 at 13:27, Willem Toorop wrote:
> Andreas,
>
> Are you very certain you use the latest getdns library? i.e. the 1.2.1
> release candidate from the tarball from the website, or a git checkout
> from the release/1.2.1 branch.

I'm very sure to use the right version:

# ldd /usr/bin/stubby | grep getdns
        libgetdns.so.6 => /usr/lib/x86_64-linux-gnu/libgetdns.so.6

# strings /usr/lib/x86_64-linux-gnu/libgetdns.so.6 | grep -F 1.2
1.2.1-rc1
getdns 1.2.1-rc1 configured on 2017-11-07T16:39:09Z for the December 2015 version of the API

> I have recent commits that make dnssec validation work with bind upstreams
> (i.e. the dnsovertls.sinodun.com ones). You can check by using the
> getdnsapi.net upstream instead of the sinodun one (which is unbound and
> didn't have the issue).

Nothing changed between dnsovertls.sinodun.com and getdnsapi.net.

> Also, I am pretty sure you were able to validate the root DNSKEY rrset with
> the trust anchor you provided (you can check with dig . dnskey +dnssec),
> because otherwise the root-anchors.xml and p7s files would have been
> downloaded from data.iana.org.

Running "strace -f stubby 2>&1 | grep -e ^open -e ^stat" I found a problem:

stubby tries to stat "/etc/unbound/getdns-root.key", which did not exist.
I copied my /etc/unbound/root.key to that name and get answers now.
But only for questions without the DO flag.

> About that. If you do not configure a trust-anchor and don't have a
> trust-anchor on the default location, getdns will fetch them from iana.org
> for you.

I never saw any download activity.

> The actual output of stubby -i might be helpful.

# cat .stubby.yml
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
listen_addresses:
  - 127.0.0.1
upstream_recursive_servers:
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

# stubby -i > /tmp/stubby-i.txt 2>&1

... file attached ...

One other point to note:
using strace I also saw stubby try to find the CA file in /etc/ssl/certs.
There is no other error message than "validation failed" if a required CA
file is not present.

Andreas

-------------- next part --------------
[16:55:47.352587] STUBBY: Read config from file /root/.stubby.yml
Result: Config file syntax is valid.
{
  "all_context":
  {
    "appdata_dir": ,
    "append_name": GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST,
    "dns_transport_list":
    [
      GETDNS_TRANSPORT_TLS
    ],
    "dnssec_allowed_skew": 0,
    "edns_client_subnet_private": 1,
    "edns_do_bit": 0,
    "edns_extended_rcode": 0,
    "edns_version": 0,
    "follow_redirects": GETDNS_REDIRECTS_FOLLOW,
    "idle_timeout": 10000,
    "limit_outstanding_queries": 0,
    "namespaces":
    [
      GETDNS_NAMESPACE_LOCALNAMES,
      GETDNS_NAMESPACE_DNS
    ],
    "resolution_type": GETDNS_RESOLUTION_STUB,
    "round_robin_upstreams": 1,
    "suffix": [],
    "timeout": 5000,
    "tls_authentication": GETDNS_AUTHENTICATION_REQUIRED,
    "tls_backoff_time": 3600,
    "tls_connection_retries": 2,
    "tls_query_padding_blocksize": 256,
    "trust_anchors_url": ,
    "trust_anchors_verify_CA": ,
    "trust_anchors_verify_email": ,
    "upstream_recursive_servers":
    [
      {
        "address_data": ,
        "address_type": ,
        "tls_auth_name": ,
        "tls_pubkey_pinset":
        [
          {
            "digest": ,
            "value":
          }
        ]
      }
    ]
  },
  "api_version_number": 132058112,
  "api_version_string": ,
  "compilation_comment": ,
  "implementation_string": ,
  "listen_addresses":
  [
  ],
  "resolution_type": GETDNS_RESOLUTION_STUB,
  "trust_anchor_file": ,
  "version_number": 16908481,
  "version_string":
}

From willem at nlnetlabs.nl Fri Nov 10 16:18:08 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Sat, 11 Nov 2017 00:18:08 +0800
Subject: [getdns-users] First release candidate for getdns-1.2.1 - but still trouble
References: <1a98644b-9009-3bd4-8ab0-03f07c032220@andreasschulze.de>
 <5db8e66e-2b8c-5de2-bb72-e990f0485cce@nlnetlabs.nl>
Message-ID: <5111f761-d8d0-cd9d-2ed2-8b2e52d3ea0f@nlnetlabs.nl>

Thanks Andreas,

I think I know what the issue is. Your /etc/resolv.conf is pointing to
127.0.0.1, and that will be used to do the DNS queries to start Zero
configuration DNSSEC (i.e. lookup of data.iana.org). However, doing a
query to Stubby listening on 127.0.0.1 in turn triggers another lookup
for data.iana.org etc. because it wants to validate.

So there is clearly a chicken and egg problem here that needs to be
resolved. Unfortunately sending the meta queries with the CD flag
(checking disabled) won't help, because this is translated in stubby to
the dnssec_return_all_statuses extension, which will also trigger Zero
configuration DNSSEC.

I have to rethink the meta queries for Zero configuration DNSSEC, which
is in line with what I'm planning to do at the IETF hackathon (i.e. DANE
authenticating DNS-over-TLS upstreams, which also involves meta-queries
which cannot be done without a working upstream!). So if you don't mind,
I will release 1.2.1, which has a lot of stability fixes anyway, and
create a github issue for this specific problem, to be addressed in
(hopefully) a soon future release.

Thanks for reporting though!

--
Willem

On 08-11-17 at 01:03, A. Schulze wrote:
>
>
> On 07.11.2017 at 13:27, Willem Toorop wrote:
>> Andreas,
>>
>> Are you very certain you use the latest getdns library? i.e. the 1.2.1
>> release candidate from the tarball from the website, or a git checkout
>> from the release/1.2.1 branch.
> I'm very sure to use the right version:
>
> # ldd /usr/bin/stubby | grep getdns
>         libgetdns.so.6 => /usr/lib/x86_64-linux-gnu/libgetdns.so.6
>
> # strings /usr/lib/x86_64-linux-gnu/libgetdns.so.6 | grep -F 1.2
> 1.2.1-rc1
> getdns 1.2.1-rc1 configured on 2017-11-07T16:39:09Z for the December 2015 version of the API
>
>> I have recent commits that make dnssec validation work with bind upstreams
>> (i.e. the dnsovertls.sinodun.com ones). You can check by using the
>> getdnsapi.net upstream instead of the sinodun one (which is unbound and
>> didn't have the issue).
>
> Nothing changed between dnsovertls.sinodun.com and getdnsapi.net.
>
>> Also, I am pretty sure you were able to validate the root DNSKEY rrset with
>> the trust anchor you provided (you can check with dig . dnskey +dnssec),
>> because otherwise the root-anchors.xml and p7s files would have been
>> downloaded from data.iana.org.
>
> Running "strace -f stubby 2>&1 | grep -e ^open -e ^stat" I found a problem:
>
> stubby tries to stat "/etc/unbound/getdns-root.key", which did not exist.
> I copied my /etc/unbound/root.key to that name and get answers now.
> But only for questions without the DO flag.
>
>> About that. If you do not configure a trust-anchor and don't have a
>> trust-anchor on the default location, getdns will fetch them from iana.org
>> for you.
> I never saw any download activity.
>
>> The actual output of stubby -i might be helpful.
> # cat .stubby.yml
> dns_transport_list:
>   - GETDNS_TRANSPORT_TLS
> tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
> dnssec_return_status: GETDNS_EXTENSION_TRUE
> listen_addresses:
>   - 127.0.0.1
> upstream_recursive_servers:
>   - address_data: 185.49.141.37
>     tls_auth_name: "getdnsapi.net"
>     tls_pubkey_pinset:
>       - digest: "sha256"
>         value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
>
> # stubby -i > /tmp/stubby-i.txt 2>&1
>
> ... file attached ...
>
> One other point to note:
> using strace I also saw stubby try to find the CA file in /etc/ssl/certs.
> There is no other error message than "validation failed" if a required CA
> file is not present.
>
>
> Andreas
>

From willem at nlnetlabs.nl Fri Nov 10 17:15:42 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Sat, 11 Nov 2017 01:15:42 +0800
Subject: [getdns-users] getdns-1.2.1 released
Message-ID: <7c97a1d3-8740-e2bc-93d3-5659bc76d1fb@nlnetlabs.nl>

Dear all,

We have a new bugfix release version 1.2.1 of getdns. This release includes
bugfixes, robustness and stability improvements only. For a more detailed
description of all changes see the ChangeLog section below.

The version of Stubby included with this release has been updated to 0.1.5.
The ChangeLog entries up from the version of Stubby included in the previous
release (0.1.3) are included in the Stubby ChangeLog section below.

link  : https://getdnsapi.net/dist/getdns-1.2.1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.1.tar.gz.asc
sha256: c6ac3a7a401020da4c513a75aee2da2ae8e9511bec3a599654dee72000cd3f71

ChangeLog
=========
* 2017-11-11: Version 1.2.1
  * Stubby version 0.1.5 included
  * Handle more I/O error cases. Also, when an I/O error does occur, never
    stop listening (with servers), and never exit (when running the built-in
    event loop).
  * Bugfix: Tolerate unsigned and unused RRsets in the authority section.
    Fixes DNSSEC with BIND upstream.
  * Bugfix: DNSSEC validation without support records
  * Bugfix: Validation of full recursive DNSKEY lookups
  * Bugfix: Retry to validate full recursion BOGUS replies with zero
    configuration DNSSEC only when DNSSEC was actually requested
  * Bugfix #348: Fix a linking issue in stubby when libbsd is present
    Thanks Remi Gacogne
  * More robust scheduling; eliminating a segfault with long running
    applications.
  * Miscellaneous Windows portability fixes from Jim Hague.
  * Fix Makefile dependencies for parallel install. Thanks ilovezfs

Stubby ChangeLog
================
* 2017-11-03: Version 0.1.5
  * Add Windows installer package. Installer available at dnsprivacy.org
  * Fix to systemd file names (thanks ArchangeGabriel)
  * Add SPKI for Uncensored DNS (thanks woopstar)
  * Fix installation of stubby.yml file (thanks ArchangeGabriel)
  * Fix detection of platform for standalone build
  * Fix location of pid file installation
  * Update the stubby.yml file to contain details of all available servers.
    Only a small subset are enabled by default.
* 2017-10-20: Version 0.1.4
  * '-i' option of stubby no longer tries to bind to the listen addresses so
    it can be run without requiring root privileges. Makes it easier to
    validate the configuration file syntax.
  * Fix incorrect IP addresses for some servers in the config file. Add note
    that IPv6 addresses ending in :: are not supported (must use ::0). Also
    add example of using a specific port in a listen address.
  * Fixes for Windows support

From sca at andreasschulze.de Sun Nov 12 13:58:03 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Sun, 12 Nov 2017 14:58:03 +0100
Subject: [getdns-users] First release candidate for getdns-1.2.1 - but still trouble
In-Reply-To: <5111f761-d8d0-cd9d-2ed2-8b2e52d3ea0f@nlnetlabs.nl>
References: <1a98644b-9009-3bd4-8ab0-03f07c032220@andreasschulze.de>
 <5db8e66e-2b8c-5de2-bb72-e990f0485cce@nlnetlabs.nl>
 <5111f761-d8d0-cd9d-2ed2-8b2e52d3ea0f@nlnetlabs.nl>

On 10.11.2017 at 17:18, Willem Toorop wrote:
> Thanks Andreas,
>
> I think I know what the issue is. Your /etc/resolv.conf is pointing to
> 127.0.0.1, and that will be used to do the DNS queries to start Zero
> configuration DNSSEC (i.e. lookup of data.iana.org). However, doing a
> query to Stubby listening on 127.0.0.1 in turn triggers another lookup
> for data.iana.org etc. because it wants to validate.

stubby worked once I changed the setup:

* /etc/resolv.conf contains "nameserver 127.0.0.1"
* unbound listens on 127.0.0.1 and can serve "data.iana.org"
* stubby listens on ::1
* ~/.getdns/ doesn't exist

# stubby &
$ dig @::1 getdnsapi.net.
-> answer

> So there is clearly a chicken and egg problem here that needs to be
> resolved. Unfortunately sending the meta queries with the CD flag
> (checking disabled) won't help, because this is translated in stubby to
> the dnssec_return_all_statuses extension, which will also trigger Zero
> configuration DNSSEC.
>
> I have to rethink the meta queries for Zero configuration DNSSEC, which
> is in line with what I'm planning to do at the IETF hackathon (i.e. DANE
> authenticating DNS-over-TLS upstreams, which also involves meta-queries
> which cannot be done without a working upstream!). So if you don't mind,
> I will release 1.2.1, which has a lot of stability fixes anyway, and
> create a github issue for this specific problem, to be addressed in
> (hopefully) a soon future release.

I created an issue on github...

Andreas

From willem at nlnetlabs.nl Fri Nov 3 20:50:12 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 3 Nov 2017 21:50:12 +0100
Subject: [getdns-api] First release candidate for getdns-1.2.1

Dear all,

We have a first release candidate for the upcoming 1.2.1 bugfix release of
getdns. This release includes bugfixes, robustness and stability improvements
only. For a more detailed description of all changes see the ChangeLog section
below.

The version of Stubby included with this release has been updated to 0.1.5.
The ChangeLog entries up from the version of Stubby included in the previous
release (0.1.3) are included in the Stubby ChangeLog section below.
Please review this release candidate carefully; if all is well, the actual
release will follow Friday the 10th of November.

link  : https://getdnsapi.net/dist/getdns-1.2.1-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.1-rc1.tar.gz.asc
sha256: c6ac3a7a401020da4c513a75aee2da2ae8e9511bec3a599654dee72000cd3f71

ChangeLog
=========
* 2017-11-??: Version 1.2.1
  * Stubby version 0.1.5 included
  * Handle more I/O error cases. Also, when an I/O error does occur, never
    stop listening (with servers), and never exit (when running the built-in
    event loop).
  * Bugfix: Tolerate unsigned and unused RRsets in the authority section.
    Fixes DNSSEC with BIND upstream.
  * Bugfix: DNSSEC validation without support records
  * Bugfix: Validation of full recursive DNSKEY lookups
  * Bugfix: Retry to validate full recursion BOGUS replies with zero
    configuration DNSSEC only when DNSSEC was actually requested
  * Bugfix #348: Fix a linking issue in stubby when libbsd is present
    Thanks Remi Gacogne
  * More robust scheduling; eliminating a segfault with long running
    applications.
  * Miscellaneous Windows portability fixes from Jim Hague.
  * Fix Makefile dependencies for parallel install. Thanks ilovezfs

Stubby ChangeLog
================
* 2017-11-03: Version 0.1.5
  * Add Windows installer package. Installer available at dnsprivacy.org
  * Fix to systemd file names (thanks ArchangeGabriel)
  * Add SPKI for Uncensored DNS (thanks woopstar)
  * Fix installation of stubby.yml file (thanks ArchangeGabriel)
  * Fix detection of platform for standalone build
  * Fix location of pid file installation
  * Update the stubby.yml file to contain details of all available servers.
    Only a small subset are enabled by default.
* 2017-10-20: Version 0.1.4
  * '-i' option of stubby no longer tries to bind to the listen addresses so
    it can be run without requiring root privileges. Makes it easier to
    validate the configuration file syntax.
  * Fix incorrect IP addresses for some servers in the config file. Add note
    that IPv6 addresses ending in :: are not supported (must use ::0). Also
    add example of using a specific port in a listen address.
  * Fixes for Windows support

From willem at nlnetlabs.nl Fri Nov 10 17:15:52 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Sat, 11 Nov 2017 01:15:52 +0800
Subject: [getdns-api] getdns-1.2.1 released
Message-ID: <508c1a40-2366-57de-941f-513e20cf5a58@nlnetlabs.nl>

Dear all,

We have a new bugfix release version 1.2.1 of getdns. This release includes
bugfixes, robustness and stability improvements only. For a more detailed
description of all changes see the ChangeLog section below.

The version of Stubby included with this release has been updated to 0.1.5.
The ChangeLog entries up from the version of Stubby included in the previous
release (0.1.3) are included in the Stubby ChangeLog section below.

link  : https://getdnsapi.net/dist/getdns-1.2.1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.1.tar.gz.asc
sha256: c6ac3a7a401020da4c513a75aee2da2ae8e9511bec3a599654dee72000cd3f71

ChangeLog
=========
* 2017-11-11: Version 1.2.1
  * Stubby version 0.1.5 included
  * Handle more I/O error cases. Also, when an I/O error does occur, never
    stop listening (with servers), and never exit (when running the built-in
    event loop).
  * Bugfix: Tolerate unsigned and unused RRsets in the authority section.
    Fixes DNSSEC with BIND upstream.
  * Bugfix: DNSSEC validation without support records
  * Bugfix: Validation of full recursive DNSKEY lookups
  * Bugfix: Retry to validate full recursion BOGUS replies with zero
    configuration DNSSEC only when DNSSEC was actually requested
  * Bugfix #348: Fix a linking issue in stubby when libbsd is present
    Thanks Remi Gacogne
  * More robust scheduling; eliminating a segfault with long running
    applications.
  * Miscellaneous Windows portability fixes from Jim Hague.
  * Fix Makefile dependencies for parallel install. Thanks ilovezfs

Stubby ChangeLog
================
* 2017-11-03: Version 0.1.5
  * Add Windows installer package. Installer available at dnsprivacy.org
  * Fix to systemd file names (thanks ArchangeGabriel)
  * Add SPKI for Uncensored DNS (thanks woopstar)
  * Fix installation of stubby.yml file (thanks ArchangeGabriel)
  * Fix detection of platform for standalone build
  * Fix location of pid file installation
  * Update the stubby.yml file to contain details of all available servers.
    Only a small subset are enabled by default.
* 2017-10-20: Version 0.1.4
  * '-i' option of stubby no longer tries to bind to the listen addresses so
    it can be run without requiring root privileges. Makes it easier to
    validate the configuration file syntax.
  * Fix incorrect IP addresses for some servers in the config file. Add note
    that IPv6 addresses ending in :: are not supported (must use ::0). Also
    add example of using a specific port in a listen address.
  * Fixes for Windows support
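The release announcements above publish three things for each tarball: the download link, a detached OpenPGP signature (.asc) and a SHA-256 digest. The script below is an added example, not code from the getdns project, showing how to check a downloaded tarball against both before unpacking it. The digest constant is the value printed in the getdns-1.2.1 announcement; the file paths in the main block are assumptions, and the gpg call only succeeds once the maintainers' signing key has been imported from a source you already trust, since the announcement itself does not carry it.

```python
"""Verify a downloaded getdns release tarball against the published SHA-256
digest and detached OpenPGP signature before unpacking it.

Added example, not code from the getdns project. EXPECTED_SHA256 is the value
published in the getdns-1.2.1 announcement; the paths in main() are assumptions
about where the download landed.
"""
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path

# Digest published in the getdns-1.2.1 announcement for getdns-1.2.1.tar.gz.
EXPECTED_SHA256 = "c6ac3a7a401020da4c513a75aee2da2ae8e9511bec3a599654dee72000cd3f71"


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so a large tarball is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(path, expected_hex):
    """True when the file's SHA-256 equals the published digest (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def signature_verifies(tarball, signature):
    """Run `gpg --verify <sig> <file>`; True only on exit status 0.

    gpg exits non-zero when the signature is bad *or* when the signing key is not
    in the local keyring, so import the maintainers' key from a trusted source
    first. Without gpg installed nothing can be verified, so report False.
    """
    if shutil.which("gpg") is None:
        return False
    result = subprocess.run(
        ["gpg", "--verify", str(signature), str(tarball)],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0


def check_release(tarball, signature, expected_hex=EXPECTED_SHA256):
    """Return (digest_ok, signature_ok); unpack only when both are True.

    The digest catches a corrupted or substituted download; the signature ties
    the tarball to the maintainers' key, which the digest alone cannot do
    because it was published over the same channel as the file.
    """
    digest_ok = digest_matches(tarball, expected_hex)
    signature_ok = Path(signature).is_file() and signature_verifies(tarball, signature)
    return digest_ok, signature_ok


if __name__ == "__main__":
    # Assumed download location (placeholder paths, not from the announcement).
    tarball = Path("getdns-1.2.1.tar.gz")
    signature = Path(str(tarball) + ".asc")
    digest_ok, signature_ok = check_release(tarball, signature)
    print(f"sha256 ok: {digest_ok}, signature ok: {signature_ok}")
```

Note that the announcement lists the same digest for the rc1 and final tarballs; a digest check therefore cannot tell those two downloads apart, which is one more reason to insist on the signature check as well.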
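Willem's diagnosis in the "but still trouble" thread above (resolv.conf pointing at 127.0.0.1, Stubby listening on 127.0.0.1, no trust anchor on disk, DNSSEC validation requested) and Andreas's working layout (unbound on 127.0.0.1, Stubby on ::1) reduce to three conditions that can be checked before Stubby is started. The script below is an added example, not code from getdns or Stubby. It reads the flat stubby.yml layout shown in the thread with a minimal line-based reader rather than a YAML library, treats the "address@port" form of a listen address as an assumption about Stubby's syntax, and uses /etc/unbound/getdns-root.key as the default trust anchor location only because Andreas's strace showed Stubby stat()ing that path; the sample configurations are constructed to mirror the two layouts discussed.

```python
"""Check a Stubby setup for the Zero configuration DNSSEC bootstrap loop
described in this thread.

Added example, not code from getdns or Stubby. The three conditions come from
Willem's diagnosis: validation requested, no local trust anchor (so getdns
fetches root-anchors.xml/.p7s from data.iana.org), and that fetch's own
lookups going to a resolv.conf nameserver that is Stubby itself. Assumptions:
the reader below only understands the flat stubby.yml layout shown in the
thread, and "address@port" is assumed Stubby listen-address syntax.
"""
import ipaddress
import os

# Path Stubby was observed stat()ing in the thread (Andreas's strace output).
DEFAULT_TRUST_ANCHOR_PATHS = ("/etc/unbound/getdns-root.key",)


def nameservers(resolv_conf_text):
    """Nameserver addresses from resolv.conf text, ignoring comments and other keywords."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def yaml_scalar(text, key):
    """Value of a top-level 'key: value' line; None if absent or commented out."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or not stripped.startswith(key + ":"):
            continue
        return stripped[len(key) + 1:].strip().strip('"') or None
    return None


def yaml_list(text, key):
    """Items of the block sequence directly under a top-level 'key:' line."""
    items, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == key + ":":
            inside = True
        elif inside and stripped.startswith("- "):
            items.append(stripped[2:].strip().strip('"'))
        elif inside:
            break  # the next top-level key ends the sequence
    return items


def normalize(addr):
    """Canonical textual IP, dropping a Stubby-style '@port' suffix (assumed syntax)."""
    return str(ipaddress.ip_address(addr.split("@", 1)[0].strip()))


def trust_anchor_present(paths=DEFAULT_TRUST_ANCHOR_PATHS):
    """True if a trust anchor file exists at one of the default locations."""
    return any(os.path.isfile(p) for p in paths)


def bootstrap_loop(resolv_conf_text, stubby_yml_text, anchor_present):
    """Listen addresses that would receive Stubby's own bootstrap queries, or []."""
    if yaml_scalar(stubby_yml_text, "dnssec_return_status") != "GETDNS_EXTENSION_TRUE":
        return []  # no validation requested, so no trust anchor fetch is triggered
    if anchor_present:
        return []  # anchor is read from disk; data.iana.org is not consulted
    listening = {normalize(a) for a in yaml_list(stubby_yml_text, "listen_addresses")}
    return sorted({normalize(n) for n in nameservers(resolv_conf_text)} & listening)


# Constructed inputs mirroring the two layouts discussed in the thread.
RESOLV_CONF = "nameserver 127.0.0.1\n"
STUBBY_LOOPING = """\
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dnssec_return_status: GETDNS_EXTENSION_TRUE
listen_addresses:
  - 127.0.0.1
upstream_recursive_servers:
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
"""
# Andreas's working layout: unbound answers on 127.0.0.1, Stubby listens on ::1 only.
STUBBY_FIXED = STUBBY_LOOPING.replace("  - 127.0.0.1\n", "  - ::1\n")

if __name__ == "__main__":
    for label, cfg in (("looping", STUBBY_LOOPING), ("fixed", STUBBY_FIXED)):
        hits = bootstrap_loop(RESOLV_CONF, cfg, anchor_present=False)
        print(f"{label}: {'loop via ' + ', '.join(hits) if hits else 'no bootstrap loop'}")
```

To check a live host, pass the contents of /etc/resolv.conf and the stubby.yml actually in use together with trust_anchor_present(); a non-empty result means the data.iana.org lookups would be answered by Stubby itself, which is exactly the state in which Andreas saw SERVFAIL for every query.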