From willem at nlnetlabs.nl Mon Sep 4 09:52:00 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 4 Sep 2017 11:52:00 +0200
Subject: [getdns-users] getdns-1.1.3 released
Message-ID:

Dear all,

We have a new bugfix release version 1.1.3 of getdns.

The brew formulas for getdns and Stubby were conflicting because they both installed Stubby. To resolve this, we gave Stubby its own repository (https://github.com/getdnsapi/stubby) with getdns as a library dependency. This release will allow for two complementary brew formulas.

1. One that installs the getdns library and the getdns_query tool with:

   brew install getdns

2. Another one that installs Stubby and (implicitly) the getdns library:

   brew install stubby

This release does include the new Stubby from its own repository too, but it is not built by default anymore. To build Stubby together with the library you must configure it with the --with-stubby option.

Besides this organizational matter, we have a few fixes for high priority bugs in this release:

* When UDP upstreams were "temporarily" failing, the upstream selection process would crash when it would come back to the first specified UDP upstream after it initially failed.

* High-load multi-threading environments had a serviceability issue, because file descriptors were closed repeatedly when they were finished. As a result, a freshly obtained reused file descriptor by some thread could become unusable because it would be closed by another thread immediately.

A few more minor bugs have been addressed with this release too. For a complete overview see the ChangeLog section below.

link  : https://getdnsapi.net/dist/getdns-1.1.3.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.1.3.tar.gz.asc
sha256: 1a75f3264936c6f9a9d57cd98df912f62fb1a0b1d4dc799065ded76987337ce1

ChangeLog
=========
* 2017-09-04: Version 1.1.3
  * Small bugfixes that came out of static analysis
  * No annotations with the output of getdns_query anymore, unless the -V option is given to increase verbosity. Thanks Ollivier Robert
  * getdns_query will now exit with failure status if replies are BOGUS
  * Bugfix: dnssec_return_validation_chain now also works when fallback to full recursion was needed with dnssec_roadblock_avoidance
  * More clear build instructions from Paul Hoffman. Thanks.
  * Bugfix #320.1: Eliminate multiple closing of file descriptors. Thanks Neil Cook
  * Bugfix #320.2: Array bounds bug in upstream_select. Thanks Neil Cook
  * Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki pages. Thanks James Raftery
  * Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface but does not have it implemented. Thanks Joel Purra
  * Compile without Stubby by default. Stubby now has a git repository of its own. The new Stubby repository is added as a submodule. Stubby will still be built alongside getdns with the --with-stubby configure option.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 829 bytes
Desc: OpenPGP digital signature
URL:

From willem at nlnetlabs.nl Tue Sep 12 08:34:57 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 12 Sep 2017 10:34:57 +0200
Subject: [getdns-users] KSK rollover impact on getdns
Message-ID: <1de457a1-e090-2a6e-0bc2-390c72aa14be@nlnetlabs.nl>

Dear All,

The following post details the impact of the root Key Signing Key rollover on getdns DNSSEC validation. With the KSK rollover in process and taking place on 11th of October, users must be aware of the different situations and actions needed for the different versions.

getdns v1.1 and earlier
=======================

In the releases to-date getdns does not have automatic DNSSEC trust-anchor management included within the library. When installing getdns v1.1 or earlier from source, a message is displayed requesting the manual installation of a root trust-anchor with unbound-anchor using the command

> unbound-anchor -a

The default location of the trust-anchor file used by getdns in this case depends on the value of sysconfdir during configuring. Typically this could be /usr/local/etc/unbound/getdns-root.key or /etc/unbound/getdns-root.key.

Installations before 2nd of February
------------------------------------

If the most recent manual installation of the root trust-anchor was performed before 2nd February 2017 and no trust anchor management is performed externally to getdns, then another manual installation *MUST be re-run before 11th October* to obtain the new KSK in order to enable DNSSEC validation to continue after October 11th.

The easiest way to determine this is to run

> getdns_query -k

If there is only 1 entry for a DNSKEY then the last update was most likely before 2nd February 2017.
Installations after 2nd of February
------------------------------------

If the most recent manual installation of the root trust-anchor was performed after 2nd February 2017, then that operation also installed the new KSK and getdns is already equipped to perform DNSSEC validation after October 11th. This is because getdns parses the default trust-anchors file as a zone file and uses all the keys it finds (regardless of any annotations that unbound-anchor may have added). This is true in both stub and full recursive mode.

Also note that when used in a long running process getdns is not aware of updates to the trust-anchor file. Long running programs that use getdns to perform DNSSEC validation MUST be restarted after the trust-anchors have been manually updated for the changes to take effect.

getdns v1.2
===========

We recognise that a dependency on external or manual trust-anchor management for a library intended for applications is not optimal. Ideally applications that want to use DNSSEC validation, for example to perform DANE, would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration.

Therefore the soon-to-be-released version 1.2.0 of getdns will include a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which can not assume reliable up-time and which we have named: zero configuration DNSSEC.

With zero configuration DNSSEC, a new set of root trust-anchors will be fetched from https://data.iana.org/root-anchors/root-anchors.xml and validated with ICANN when a DNSSEC answer could not be validated and the root DNSKEY set is either seen for the first time or has changed. Details about the precise operation of zero configuration DNSSEC will come with the getdns 1.2.0 release announcement.

We strongly recommend upgrading to getdns 1.2 as soon as possible for all users who perform DNSSEC validation.
Details of the release dates of getdns will be announced on the getdns-users list.

KSK rollover   : https://www.icann.org/resources/pages/ksk-rollover
unbound-anchor : https://unbound.net/documentation/unbound-anchor.html
RFC7958        : https://tools.ietf.org/html/rfc7958
users list     : https://getdnsapi.net/mailman/listinfo/users

From willem at nlnetlabs.nl Fri Sep 22 14:01:11 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 22 Sep 2017 16:01:11 +0200
Subject: [getdns-users] First release candidate for getdns-1.2.0
Message-ID:

Dear all,

We have a first release candidate for the upcoming 1.2.0 feature release of getdns. This release will contain three new features:

* Built-in DNSSEC trust-anchor management: Zero configuration DNSSEC
* Reading getdns_dict's (to be used for configuration) in YAML format
* Better TLS upstream failure management, more resilient to short-term connectivity loss and laptop "sleeps".

Zero configuration DNSSEC
=========================

Until now, we've assumed an external system component (like unbound-anchor) to do the trust-anchor management for getdns, but this is not optimal. Ideally applications that want to use DNSSEC validation would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration.

This release includes a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which can not assume reliable up-time and which we have named: Zero configuration DNSSEC.

With Zero configuration DNSSEC, the "root-anchors.xml" file (from http://data.iana.org/root-anchors/root-anchors.xml) will be verified by validating the S/MIME signatures (stored separately in "root-anchors.p7s") with the ICANN Root Certificate Authority.
Trust anchors from "root-anchors.xml" will be used only when the accompanying "root-anchors.p7s" matches and validates and when either:

* There were no other trust anchors provided, either by the default trust anchor file (likely either /etc/unbound/getdns-root.key or /usr/local/etc/unbound/getdns-root.key), or set explicitly by the application with the getdns_context_set_dnssec_trust_anchors() function, or

* The available trust anchors (from the default location or set explicitly by the application) caused the root DNSKEY RRset to fail validation.

The "root-anchors.xml" and "root-anchors.p7s" files will be read from a location for storing library specific data: ${HOME}/.getdns/ on Unix like systems (Linux, BSD's, MacOS) and %AppData%\getdns on Windows. When trust anchors from "root-anchors.xml" are used, the root DNSKEY is also tracked (for changes) and a copy of it is stored in a "root.key" file in the library specific data directory.

A (new) version of "root-anchors.xml" and "root-anchors.p7s" will be retrieved from ICANN, when either:

* The library specific data directory is (creatable and) writeable by the current user, but the "root-anchors.xml" or "root-anchors.p7s" files were absent, or

* There is a new root DNSKEY RRset (or signature) and it contains keys with ID's which were not in "root-anchors.xml".

Zero configuration DNSSEC assumes DNSSEC with the ICANN root trust-anchors and is configured to use the ICANN defaults defined in RFC7958, though all default parameters can be adapted to fit alternate DNS(SEC) roots, with:

* getdns_context_set_trust_anchors_url()
* getdns_context_set_trust_anchors_verify_CA()
* getdns_context_set_trust_anchors_verify_email()
* getdns_context_set_appdata_dir()

Converting YAML to getdns_dicts
===============================

We already had a function for converting the getdns JSON like format to getdns_dicts, and for configuring getdns_context's with getdns_dicts; and this is how Stubby manages its configuration files.
As a consequence those configuration files needed to be in the getdns JSON like format, but the use of opening and closing brackets for lists and dicts and the lack of comments make it unsuitable for human consumption.

With this release a new function is introduced: getdns_yaml2dict(), which converts from the much more readable and humane YAML format into getdns_dicts.

This release will also include a version of Stubby that will read YAML configuration files. Stubby will first try to read the configuration in YAML format (from the "stubby.yml" file) and will fall back to the old getdns JSON like format (from the stubby.conf file) only when it failed to be read. Don't forget that the --with-stubby option needs to be used with configure when you want to build Stubby alongside the library.

This feature adds an additional dependency on libyaml. We are still considering whether this functionality (and consequently the dependency on libyaml) would be a better fit for Stubby instead of the getdns library. Suggestions or thoughts on this matter are welcome.

Better TLS upstream failure management
======================================

RFC7858 suggested a back-off period of one hour on failing TLS upstreams. However this is not a resilient and practical demeanour in practice in the face of short-term network outages or connection loss caused, for example, by laptops going to sleep.

This release introduces a new TLS upstream failure management scheme in which the back-off time is incremented gradually from 1 second up, and doubled each retry with a maximum set by the getdns_context_set_tls_backoff_time() function. Also, back-off time is ignored when there are no more responding TLS upstreams and the upstream with the least amount of retries will be used for retrying first. Stubby will be much more resilient against transient outages and connection losses with this scheme.
Please review this release candidate carefully; if all is well, the actual release will follow Friday the 29th of September.

link  : https://getdnsapi.net/dist/getdns-1.2.0-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.0-rc1.tar.gz.asc
sha256: 4ed9185e06c6162a09c73a27141fbe735a893b0c13e47db91583f0eb583799fb

ChangeLog
=========
* 2017-09-??: Version 1.2.0
  * A function to set the location for library specific data, like trust-anchors: getdns_context_set_appdata().
  * Zero configuration DNSSEC - built upon the scheme described in RFC7958. The URL from which to fetch the trust anchor, the verification CA and email can be set with the new getdns_context_set_trust_anchor_url(), getdns_context_set_trust_anchor_verify_CA() and getdns_context_set_trust_anchor_verify_email() functions. The default values are to fetch from IANA and to validate with the ICANN CA.
  * Update of Stubby with yaml configuration file and logging from a certain severity support.
  * Conversion of yaml to getdns_dict and getdns_list with getdns_yaml2dict() and getdns_yaml2list() functions
  * Fix tpkg exit status on test failure. Thanks Jim Hague.
  * Refined logging levels for upstream statistics
  * Reuse (best behaving) backed-off TLS upstreams when none are usable.
  * Let TLS upstreams back-off an incremental amount of time. Back-off time starts with 1 second and is doubled each failure, but will not exceed the time given by getdns_context_set_tls_backoff_time()
  * Make TLS upstream management more resilient to temporary outages (like laptop sleeps)

From sca at andreasschulze.de Sat Sep 23 19:52:43 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Sat, 23 Sep 2017 21:52:43 +0200
Subject: [getdns-users] First release candidate for getdns-1.2.0
In-Reply-To:
References:
Message-ID: <89ee6b3f-9d43-fc4c-c10e-f6de73414a5a@andreasschulze.de>

On 22.09.2017 at 16:01 Willem Toorop wrote:
> Dear all,
>
> We have a first release candidate for the upcoming 1.2.0 feature release
> of getdns.

Hello Willem,

what I noticed so far...

* spelling error in stubby/src/stubby.c: "extention" should be "extension"

* stubby/stubby.yml.example
  - I suggest to reformat to avoid linebreaks on 80 char terminals
  - missing double-quotes in the inactive line
    #dnssec_trust_anchors: /etc/unbound/getdns-root.key

* unbound uses /etc/unbound/root.key.
  Is there a reason getdns defaults to /etc/unbound/getdns-root.key?

Andreas

From willem at nlnetlabs.nl Mon Sep 25 07:35:06 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 25 Sep 2017 09:35:06 +0200
Subject: [getdns-users] First release candidate for getdns-1.2.0
In-Reply-To: <89ee6b3f-9d43-fc4c-c10e-f6de73414a5a@andreasschulze.de>
References: <89ee6b3f-9d43-fc4c-c10e-f6de73414a5a@andreasschulze.de>
Message-ID:

On 23-09-17 at 21:52 A. Schulze wrote:
>
>
> On 22.09.2017 at 16:01 Willem Toorop wrote:
>> Dear all,
>>
>> We have a first release candidate for the upcoming 1.2.0 feature release
>> of getdns.
>
> Hello Willem,
>
> what I noticed so far...
>
> * spelling error in stubby/src/stubby.c: "extention" should be "extension"
>
> * stubby/stubby.yml.example
>   - I suggest to reformat to avoid linebreaks on 80 char terminals
>   - missing double-quotes in the inactive line
>     #dnssec_trust_anchors: /etc/unbound/getdns-root.key

Thanks! Improvements committed to the release/v1.2.0 branch.

> * unbound uses /etc/unbound/root.key.
>   Is there a reason getdns defaults to /etc/unbound/getdns-root.key?

Good question. For one, getdns interprets the trust anchor file as a zone file and ignores all annotations; so it is handling the root key somewhat differently than unbound.
With Zero configuration DNSSEC we would prefer not to have a dnssec_trust_anchor specified at all. I think we should replace this line with one with which the location of the library specific data can be set. I.e. something like:

# Specify the location where getdns will store its library specific
# data. Currently this directory is used only for Zero configuration
# DNSSEC and will be used to track and store the root-anchors.xml,
# root-anchors.p7s and root.key files.
#
# appdata_dir: "/etc/getdns"

-- Willem

>
> Andreas
>
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> https://getdnsapi.net/mailman/listinfo/users
>

From willem at nlnetlabs.nl Fri Sep 29 21:00:43 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 29 Sep 2017 23:00:43 +0200
Subject: [getdns-users] getdns-1.2.0 released
Message-ID: <657eb88f-5da8-f627-6e38-fef3482ac486@nlnetlabs.nl>

Dear all,

We have a new feature release version 1.2.0 of getdns. This release contains two new features:

* Built-in DNSSEC trust-anchor management: *Zero configuration DNSSEC*
* Better TLS upstream failure management, more resilient to transient connectivity loss and laptop "sleeps" etc.

and:

* An updated version of Stubby (0.1.3) with YAML configuration files.

Zero configuration DNSSEC
=========================

Until now, we've assumed an external system component (like unbound-anchor) to do the trust-anchor management for getdns, but this is not optimal. Ideally applications that want to use DNSSEC validation, for example to perform DANE, would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration.

This release includes a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which can not assume reliable up-time and which we have named: Zero configuration DNSSEC.
With Zero configuration DNSSEC, the "root-anchors.xml" file (from http://data.iana.org/root-anchors/root-anchors.xml) will be verified by validating the S/MIME signatures (stored separately in "root-anchors.p7s") with the ICANN Root Certificate Authority.

Trust anchors from "root-anchors.xml" will be used only when the accompanying "root-anchors.p7s" matches and validates and when either:

* There were no other trust anchors provided, either by the default trust anchor file (likely either /etc/unbound/getdns-root.key or /usr/local/etc/unbound/getdns-root.key), or set explicitly by the application with the getdns_context_set_dnssec_trust_anchors() function, or

* The available trust anchors (from the default location or set explicitly by the application) caused the root DNSKEY RRset to fail validation.

The "root-anchors.xml" and "root-anchors.p7s" files will be read from a location for storing library specific data: ${HOME}/.getdns/ on Unix like systems (Linux, BSD's, MacOS) and %AppData%\getdns on Windows. When trust anchors from "root-anchors.xml" are used, the root DNSKEY is also tracked (for changes) and a copy of it is stored in a "root.key" file in the library specific data directory.

A (new) version of "root-anchors.xml" and "root-anchors.p7s" will be retrieved from data.iana.org, when either:

* The library specific data directory is (creatable and) writeable by the current user, but the "root-anchors.xml" or "root-anchors.p7s" files were absent, or

* There is a new root DNSKEY RRset (or signature) and it contains keys with ID's which were not in "root-anchors.xml".
Zero configuration DNSSEC assumes DNSSEC with the ICANN root trust-anchors and is configured to use the ICANN defaults defined in RFC7958, but all default parameters can be adapted to fit alternate DNS(SEC) roots, with:

* getdns_context_set_trust_anchors_url()
* getdns_context_set_trust_anchors_verify_CA()
* getdns_context_set_trust_anchors_verify_email()
* getdns_context_set_appdata_dir()

Better TLS upstream failure management
======================================

RFC7858 suggested a back-off period of one hour on failing TLS upstreams. However this is not a resilient and practical demeanor in practice in the face of short-term network outages or connection loss caused, for example, by laptops going to sleep.

This release introduces a new TLS upstream failure management scheme in which the back-off time is incremented gradually from 1 second up, and doubled each retry with a maximum set by the getdns_context_set_tls_backoff_time() function. Also, back-off time is ignored when there are no more responding TLS upstreams and the upstream with the least amount of retries will be used for retrying first. Stubby will be much more resilient against short term outages and connection losses with this scheme.

YAML configuration files for Stubby
===================================

This release comes with an updated version of Stubby (version 0.1.3) with the new improvement to read configuration files in YAML format. Previously Stubby would read configuration files in the JSON like format that is understood by getdns. However, the necessity to deal with opening and closing brackets and the lack of comments make it unsuitable for human consumption. YAML is much more readable and, most importantly, can be annotated with comments and is as such a good fit for configuration files.

Stubby configuration files are now specified in YAML format by default. JSON format can still be used if it is given on the command line with the -C flag.
Don't forget that the --with-stubby option needs to be used with configure when you want to build Stubby alongside the library. When built with Stubby, there is an additional dependency on libyaml for the stubby binary only.

Also note that the primary location for information on Stubby has moved to the dnsprivacy.org website: https://dnsprivacy.org/wiki/x/JYAT

link  : https://getdnsapi.net/dist/getdns-1.2.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.0.tar.gz.asc
sha256: 06e6494b5d8b9404f439d5a98a3ab8f1f4b3557fb7aa3db005b021a6289b4229

ChangeLog
=========
* 2017-09-29: Version 1.2.0
  * Bugfix of rc1: authentication of first query with TLS. Thanks Travis Burtrum
  * A function to set the location for library specific data, like trust-anchors: getdns_context_set_appdata().
  * Zero configuration DNSSEC - built upon the scheme described in RFC7958. The URL from which to fetch the trust anchor, the verification CA and email can be set with the new getdns_context_set_trust_anchor_url(), getdns_context_set_trust_anchor_verify_CA() and getdns_context_set_trust_anchor_verify_email() functions. The default values are to fetch from IANA and to validate with the ICANN CA.
  * Update of Stubby with yaml configuration file and logging from a certain severity support.
  * Fix tpkg exit status on test failure. Thanks Jim Hague.
  * Refined logging levels for upstream statistics
  * Reuse (best behaving) backed-off TLS upstreams when none are usable.
  * Let TLS upstreams back-off an incremental amount of time. Back-off time starts with 1 second and is doubled each failure, but will not exceed the time given by getdns_context_set_tls_backoff_time()
  * Make TLS upstream management more resilient to temporary outages (like laptop sleeps)
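The following is an added example, not code from getdns or from any of the announcements above. It shows in Python the two checks that the KSK rollover post and the Zero configuration DNSSEC section describe: reading a getdns-style trust-anchor file as a zone file (ignoring the ";;" annotations unbound-anchor adds) and counting its KSKs by key tag, and then testing the root KSKs against the KeyDigest entries of an RFC 7958 root-anchors.xml, with any KSK that no currently valid entry covers reported as the trigger for fetching a fresh root-anchors.xml. The DNSKEYs, the XML and the timestamps are constructed for the example (the XML is generated from the sample keys so that it runs offline); the CMS signature check of root-anchors.p7s that getdns performs before trusting the XML is not shown.

```python
# Added example, not getdns code. All data is constructed: the two DNSKEYs
# are short fake blobs standing in for KSK-2010 and KSK-2017 (real root KSKs
# are 2048-bit RSA keys) and the XML below is generated from them.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed getdns-root.key as unbound-anchor writes it; getdns reads it as a
# zone file and ignores the ";;" annotations.
TRUST_ANCHOR_FILE = """\
; autotrust trust anchor file
;;id: . 1
.\t86400\tIN\tDNSKEY\t257 3 8 AQIDBA== ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1486000000
.\t86400\tIN\tDNSKEY\t257 3 8 ECAw ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1486000000
"""

def parse_dnskeys(text):
    """DNSKEY RRs from zone-file text; ';' comments are dropped."""
    keys = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        keys.append({"flags": flags, "protocol": proto, "algorithm": alg,
                     "pubkey": base64.b64decode("".join(fields[i + 4:]))})
    return keys

def dnskey_rdata(key):
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"])

def key_tag(key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(key):
    """DS digest type 2 for a root key: SHA-256 over the root owner name in
    wire form (one zero byte) followed by the DNSKEY RDATA."""
    return hashlib.sha256(b"\x00" + dnskey_rdata(key)).hexdigest().upper()

def ksk_key_tags(keys):
    """Key tags of the KSKs (flags 257); a single tag is the 'only 1 entry' case."""
    return sorted(key_tag(k) for k in keys if k["flags"] == 257)

def parse_root_anchors(xml_text):
    """Zone name and KeyDigest entries of an RFC 7958 TrustAnchor document."""
    root = ET.fromstring(xml_text)
    entries = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        entries.append({
            "valid_from": datetime.fromisoformat(kd.get("validFrom")),
            "valid_until": datetime.fromisoformat(until) if until else None,
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper()})
    return root.findtext("Zone"), entries

def match_anchors(keys, entries, now):
    """Split the KSKs of a root DNSKEY RRset into (matched, unmatched) key tags.
    A key matches only if an entry valid at 'now' agrees on tag, algorithm,
    digest type and digest, so a tag collision with a wrong digest stays
    unmatched. Any unmatched KSK is the trigger to fetch a fresh XML."""
    matched, unmatched = [], []
    for k in keys:
        if k["flags"] != 257:
            continue
        tag, digest = key_tag(k), ds_digest_sha256(k)
        ok = any(e["key_tag"] == tag and e["algorithm"] == k["algorithm"]
                 and e["digest_type"] == 2 and e["digest"] == digest
                 and e["valid_from"] <= now
                 and (e["valid_until"] is None or now < e["valid_until"])
                 for e in entries)
        (matched if ok else unmatched).append(tag)
    return sorted(matched), sorted(unmatched)

KEYS = parse_dnskeys(TRUST_ANCHOR_FILE)

# Constructed XML: k2010 is derived from the first sample key; k2017 reuses
# the second key's tag but carries a digest that is not its own.
ROOT_ANCHORS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="k2010" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>{key_tag(KEYS[0])}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{ds_digest_sha256(KEYS[0])}</Digest></KeyDigest>
<KeyDigest id="k2017" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>{key_tag(KEYS[1])}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{'00' * 32}</Digest></KeyDigest>
</TrustAnchor>
"""

def check_at(iso_now):
    """Run the whole check at a point in time given as an ISO 8601 string."""
    _, entries = parse_root_anchors(ROOT_ANCHORS_XML)
    return match_anchors(KEYS, entries, datetime.fromisoformat(iso_now))
```

At the rollover date the sample file reports two KSKs, one covered by the XML and one not, so a library following the announcement's rules would refetch root-anchors.xml. For a real file, verify the detached CMS signature before any of this, for example with openssl smime -verify -inform DER -in root-anchors.p7s -content root-anchors.xml -CAfile <ICANN CA bundle>; the matching above only means something for an XML that passed that check.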
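A second added example, also not getdns code: a Python model of the TLS upstream back-off rules stated in the release candidate and release announcements above (the getdns implementation itself is C inside the library and is not reproduced here). Assumptions beyond what the posts say: back-off starts at 1 second and doubles per consecutive failure up to max_backoff, which plays the role of getdns_context_set_tls_backoff_time(); usable upstreams are tried in configured order; when none is usable the one with the fewest failures is tried regardless of its back-off. The clock is a plain number and the upstream names are made up.

```python
# Added example, not getdns code: a model of the announced TLS back-off rules.
# Assumptions: 1 s initial back-off doubling per failure up to max_backoff
# (3600 s default stands for RFC 7858's one hour), configured order among
# usable upstreams, least-failed upstream when none is usable.

class TlsUpstream:
    def __init__(self, name):
        self.name = name
        self.failures = 0         # consecutive failures, reset on success
        self.backoff_until = 0.0  # time before which this upstream is skipped


class UpstreamPool:
    def __init__(self, names, max_backoff=3600):
        self.upstreams = [TlsUpstream(n) for n in names]
        self.max_backoff = max_backoff

    def usable(self, now):
        return [u for u in self.upstreams if u.backoff_until <= now]

    def select(self, now):
        """First usable upstream; if every upstream is backed off, ignore the
        back-off and take the one with the fewest failures."""
        usable = self.usable(now)
        if usable:
            return usable[0]
        return min(self.upstreams, key=lambda u: (u.failures, u.backoff_until))

    def report_failure(self, u, now):
        """Double the back-off (1, 2, 4, ...) but never beyond max_backoff."""
        u.failures += 1
        delay = min(2 ** (u.failures - 1), self.max_backoff)
        u.backoff_until = now + delay
        return delay

    def report_success(self, u):
        u.failures = 0
        u.backoff_until = 0.0


def backoff_schedule(failures, max_backoff):
    """Delays handed to one upstream over 'failures' consecutive failures."""
    pool = UpstreamPool(["only"], max_backoff)
    return [pool.report_failure(pool.upstreams[0], 0.0) for _ in range(failures)]


def laptop_sleep_scenario():
    """Constructed timeline: two upstreams, network gone from t=0 until just
    before t=7, then back. Returns (upstream, delay) per attempt, delay None
    on success. Shows the cap at max_backoff and the least-failed fallback."""
    pool = UpstreamPool(["dns.example:853", "dns2.example:853"], max_backoff=8)
    timeline = [(0, False), (0, False), (0.5, False), (1, False), (2, False),
                (3, False), (4, False), (5, False), (6, False), (7, True), (8, True)]
    attempts = []
    for now, reachable in timeline:
        u = pool.select(now)
        if reachable:
            pool.report_success(u)
            attempts.append((u.name, None))
        else:
            attempts.append((u.name, pool.report_failure(u, now)))
    return attempts
```

With the one-hour value from RFC7858 as max_backoff, the first seven failures of an upstream span only 1+2+4+8+16+32+64 seconds, so a laptop that wakes from a short sleep is retried within seconds instead of being parked for an hour, and the least-failed fallback is what keeps a stub with every upstream backed off from going silent.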
From willem at nlnetlabs.nl Mon Sep 4 09:51:58 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 4 Sep 2017 11:51:58 +0200
Subject: [getdns-api] getdns-1.1.3 released
Message-ID:

Dear all,

We have a new bugfix release version 1.1.3 of getdns.

The brew formulas for getdns and Stubby were conflicting because they both installed Stubby. To resolve this, we gave Stubby its own repository (https://github.com/getdnsapi/stubby) with getdns as a library dependency. This release will allow for two complementary brew formulas.

1. One that installs the getdns library and the getdns_query tool with:

   brew install getdns

2. Another one that installs Stubby and (implicitly) the getdns library:

   brew install stubby

This release does include the new Stubby from its own repository too, but it is not built by default anymore. To build Stubby together with the library you must configure it with the --with-stubby option.

Besides this organizational matter, we have a few fixes for high priority bugs in this release:

* When UDP upstreams were "temporarily" failing, the upstream selection process would crash when it would come back to the first specified UDP upstream after it initially failed.

* High-load multi-threading environments had a serviceability issue, because file descriptors were closed repeatedly when they were finished. As a result, a freshly obtained reused file descriptor by some thread could become unusable because it would be closed by another thread immediately.

A few more minor bugs have been addressed with this release too. For a complete overview see the ChangeLog section below.
link  : https://getdnsapi.net/dist/getdns-1.1.3.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.1.3.tar.gz.asc
sha256: 1a75f3264936c6f9a9d57cd98df912f62fb1a0b1d4dc799065ded76987337ce1

ChangeLog
=========
* 2017-09-04: Version 1.1.3
  * Small bugfixes that came out of static analysis
  * No annotations with the output of getdns_query anymore, unless the -V option is given to increase verbosity. Thanks Ollivier Robert
  * getdns_query will now exit with failure status if replies are BOGUS
  * Bugfix: dnssec_return_validation_chain now also works when fallback to full recursion was needed with dnssec_roadblock_avoidance
  * More clear build instructions from Paul Hoffman. Thanks.
  * Bugfix #320.1: Eliminate multiple closing of file descriptors. Thanks Neil Cook
  * Bugfix #320.2: Array bounds bug in upstream_select. Thanks Neil Cook
  * Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki pages. Thanks James Raftery
  * Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface but does not have it implemented. Thanks Joel Purra
  * Compile without Stubby by default. Stubby now has a git repository of its own. The new Stubby repository is added as a submodule. Stubby will still be built alongside getdns with the --with-stubby configure option.

From willem at nlnetlabs.nl Tue Sep 12 08:34:54 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 12 Sep 2017 10:34:54 +0200
Subject: [getdns-api] KSK rollover impact on getdns
Message-ID: <8de6ec06-7439-b944-2380-d72e11ac7e74@nlnetlabs.nl>

Dear All,

The following post details the impact of the root Key Signing Key rollover on getdns DNSSEC validation. With the KSK rollover in process and taking place on 11th of October, users must be aware of the different situations and actions needed for the different versions.
getdns v1.1 and earlier
=======================

In the releases to-date getdns does not have automatic DNSSEC trust-anchor management included within the library. When installing getdns v1.1 or earlier from source, a message is displayed requesting the manual installation of a root trust-anchor with unbound-anchor using the command

> unbound-anchor -a

The default location of the trust-anchor file used by getdns in this case depends on the value of sysconfdir during configuring. Typically this could be /usr/local/etc/unbound/getdns-root.key or /etc/unbound/getdns-root.key.

Installations before 2nd of February
------------------------------------

If the most recent manual installation of the root trust-anchor was performed before 2nd February 2017 and no trust anchor management is performed externally to getdns, then another manual installation *MUST be re-run before 11th October* to obtain the new KSK in order to enable DNSSEC validation to continue after October 11th.

The easiest way to determine this is to run

> getdns_query -k

If there is only 1 entry for a DNSKEY then the last update was most likely before 2nd February 2017.

Installations after 2nd of February
------------------------------------

If the most recent manual installation of the root trust-anchor was performed after 2nd February 2017, then that operation also installed the new KSK and getdns is already equipped to perform DNSSEC validation after October 11th. This is because getdns parses the default trust-anchors file as a zone file and uses all the keys it finds (regardless of any annotations that unbound-anchor may have added). This is true in both stub and full recursive mode.

Also note that when used in a long running process getdns is not aware of updates to the trust-anchor file. Long running programs that use getdns to perform DNSSEC validation MUST be restarted after the trust-anchors have been manually updated for the changes to take effect.
getdns v1.2
===========

We recognise that a dependency on external or manual trust-anchor management for a library intended for applications is not optimal. Ideally applications that want to use DNSSEC validation, for example to perform DANE, would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration.

Therefore the soon-to-be-released version 1.2.0 of getdns will include a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which can not assume reliable up-time and which we have named: zero configuration DNSSEC.

With zero configuration DNSSEC, a new set of root trust-anchors will be fetched from https://data.iana.org/root-anchors/root-anchors.xml and validated with ICANN when a DNSSEC answer could not be validated and the root DNSKEY set is either seen for the first time or has changed. Details about the precise operation of zero configuration DNSSEC will come with the getdns 1.2.0 release announcement.

We strongly recommend upgrading to getdns 1.2 as soon as possible for all users who perform DNSSEC validation. Details of the release dates of getdns will be announced on the getdns-users list.

KSK rollover   : https://www.icann.org/resources/pages/ksk-rollover
unbound-anchor : https://unbound.net/documentation/unbound-anchor.html
RFC7958        : https://tools.ietf.org/html/rfc7958
users list     : https://getdnsapi.net/mailman/listinfo/users

From willem at nlnetlabs.nl Fri Sep 22 14:01:14 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 22 Sep 2017 16:01:14 +0200
Subject: [getdns-api] First release candidate for getdns-1.2.0
Message-ID:

Dear all,

We have a first release candidate for the upcoming 1.2.0 feature release of getdns.
This release will contain three new features:

* Built-in DNSSEC trust-anchor management: Zero configuration DNSSEC
* Reading getdns_dicts (to be used for configuration) in YAML format
* Better TLS upstream failure management, more resilient to short-term connectivity loss and laptop "sleeps".

Zero configuration DNSSEC
=========================

Until now, we've assumed an external system component (like unbound-anchor) to do the trust-anchor management for getdns, but this is not optimal. Ideally applications that want to use DNSSEC validation would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration. This release includes a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which cannot assume reliable up-time and which we have named: Zero configuration DNSSEC.

With Zero configuration DNSSEC, the "root-anchors.xml" file (from http://data.iana.org/root-anchors/root-anchors.xml) will be verified by validating the S/MIME signatures (stored separately in "root-anchors.p7s") with the ICANN Root Certificate Authority. Trust anchors from "root-anchors.xml" will be used only when the accompanying "root-anchors.p7s" matches and validates and when either:

* There were no other trust anchors provided, either by the default trust anchor file (likely either /etc/unbound/getdns-root.key or /usr/local/etc/unbound/getdns-root.key), or set explicitly by the application with the getdns_context_set_dnssec_trust_anchors() function, or
* The available trust anchors (from the default location or set explicitly by the application) caused the root DNSKEY RRset to fail validation.

The library will try to read the "root-anchors.xml" and "root-anchors.p7s" files from a location for storing library specific data: ${HOME}/.getdns/ on Unix-like systems (Linux, BSDs, MacOS) and %AppData%\getdns on Windows.
When trust anchors from "root-anchors.xml" are used, the root DNSKEY is also tracked (for changes) and a copy of it is stored in a "root.key" file in the library specific data directory.

A (new) version of "root-anchors.xml" and "root-anchors.p7s" will be retrieved from ICANN, when either:

* The library specific data directory is (creatable and) writeable by the current user, but the "root-anchors.xml" or "root-anchors.p7s" files were absent, or
* There is a new root DNSKEY RRset (or signature) and it contains keys with IDs which were not in "root-anchors.xml".

Zero configuration DNSSEC assumes DNSSEC with the ICANN root trust-anchors and is configured to use the ICANN defaults defined in RFC7958, though all default parameters can be adapted to fit alternate DNS(SEC) roots, with:

* getdns_context_set_trust_anchors_url()
* getdns_context_set_trust_anchors_verify_CA()
* getdns_context_set_trust_anchors_verify_email()
* getdns_context_set_appdata_dir()

Converting YAML to getdns_dicts
===============================

We already had a function for converting the getdns JSON-like format to getdns_dicts, and for configuring getdns_contexts with getdns_dicts; and this is how Stubby manages its configuration files. As a consequence those configuration files needed to be in the getdns JSON-like format, but the use of opening and closing brackets for lists and dicts and the lack of comments make it unsuitable for human consumption.

With this release a new function is introduced: getdns_yaml2dict(), which converts from the much more readable and humane YAML format into getdns_dicts.

This release will also include a version of Stubby that will read YAML configuration files. Stubby will first try to read the configuration in YAML format (from the "stubby.yml" file) and will fall back to the old getdns JSON-like format (from the stubby.conf file) only when it failed to be read.
Don't forget that the --with-stubby option needs to be used with configure when you want to build Stubby alongside the library.

This feature adds an additional dependency on libyaml. We are still considering whether this functionality (and consequently the dependency on libyaml) would be a better fit for Stubby instead of the getdns library. Suggestions or thoughts on this matter are welcome.

Better TLS upstream failure management
======================================

RFC7858 suggested a back-off period of one hour on failing TLS upstreams. However this is not a resilient and practical demeanour in practice when short-term network outages or connection loss are caused, for example, by laptops going to sleep.

This release introduces a new TLS upstream failure management scheme in which the back-off time is incremented gradually from 1 second up, and doubled each retry with a maximum set by the getdns_context_set_tls_backoff_time() function. Also, back-off time is ignored when there are no more responding TLS upstreams and the upstream with the least amount of retries will be used for retrying first. Stubby will be much more resilient against transient outages and connection losses with this scheme.

Please review this release candidate carefully; if all is well, the actual release will follow Friday the 29th of September.

link  : https://getdnsapi.net/dist/getdns-1.2.0-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.0-rc1.tar.gz.asc
sha256: 4ed9185e06c6162a09c73a27141fbe735a893b0c13e47db91583f0eb583799fb

ChangeLog
=========

* 2017-09-??: Version 1.2.0
  * A function to set the location for library specific data, like trust-anchors: getdns_context_set_appdata().
  * Zero configuration DNSSEC - built upon the scheme described in RFC7958.
    The URL from which to fetch the trust anchor, the verification CA and email can be set with the new getdns_context_set_trust_anchor_url(), getdns_context_set_trust_anchor_verify_CA() and getdns_context_set_trust_anchor_verify_email() functions. The default values are to fetch from IANA and to validate with the ICANN CA.
  * Update of Stubby with yaml configuration file and logging from a certain severity support.
  * Conversion of yaml to getdns_dict and getdns_list with getdns_yaml2dict() and getdns_yaml2list() functions
  * Fix tpkg exit status on test failure. Thanks Jim Hague.
  * Refined logging levels for upstream statistics
  * Reuse (best behaving) backed-off TLS upstreams when none are usable.
  * Let TLS upstreams back-off an incremental amount of time. Back-off time starts with 1 second and is doubled each failure, but will not exceed the time given by getdns_context_set_tls_backoff_time()
  * Make TLS upstream management more resilient to temporary outages (like laptop sleeps)

From willem at nlnetlabs.nl Fri Sep 29 21:00:35 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 29 Sep 2017 23:00:35 +0200
Subject: [getdns-api] getdns-1.2.0 released
Message-ID:

Dear all,

We have a new feature release version 1.2.0 of getdns. This release contains two new features:

* Built-in DNSSEC trust-anchor management: *Zero configuration DNSSEC*
* Better TLS upstream failure management, more resilient to transient connectivity loss and laptop "sleeps" etc.

and:

* An updated version of Stubby (0.1.3) with YAML configuration files.

Zero configuration DNSSEC
=========================

Until now, we've assumed an external system component (like unbound-anchor) to do the trust-anchor management for getdns, but this is not optimal.
Ideally applications that want to use DNSSEC validation, for example to perform DANE, would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration. This release includes a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which cannot assume reliable up-time and which we have named: Zero configuration DNSSEC.

With Zero configuration DNSSEC, the "root-anchors.xml" file (from http://data.iana.org/root-anchors/root-anchors.xml) will be verified by validating the S/MIME signatures (stored separately in "root-anchors.p7s") with the ICANN Root Certificate Authority. Trust anchors from "root-anchors.xml" will be used only when the accompanying "root-anchors.p7s" matches and validates and when either:

* There were no other trust anchors provided, either by the default trust anchor file (likely either /etc/unbound/getdns-root.key or /usr/local/etc/unbound/getdns-root.key), or set explicitly by the application with the getdns_context_set_dnssec_trust_anchors() function, or
* The available trust anchors (from the default location or set explicitly by the application) caused the root DNSKEY RRset to fail validation.

The library will try to read the "root-anchors.xml" and "root-anchors.p7s" files from a location for storing library specific data: ${HOME}/.getdns/ on Unix-like systems (Linux, BSDs, MacOS) and %AppData%\getdns on Windows.

When trust anchors from "root-anchors.xml" are used, the root DNSKEY is also tracked (for changes) and a copy of it is stored in a "root.key" file in the library specific data directory.
A (new) version of "root-anchors.xml" and "root-anchors.p7s" will be retrieved from data.iana.org, when either:

* The library specific data directory is (creatable and) writeable by the current user, but the "root-anchors.xml" or "root-anchors.p7s" files were absent, or
* There is a new root DNSKEY RRset (or signature) and it contains keys with IDs which were not in "root-anchors.xml".

Zero configuration DNSSEC assumes DNSSEC with the ICANN root trust-anchors and is configured to use the ICANN defaults defined in RFC7958, but all default parameters can be adapted to fit alternate DNS(SEC) roots, with:

* getdns_context_set_trust_anchors_url()
* getdns_context_set_trust_anchors_verify_CA()
* getdns_context_set_trust_anchors_verify_email()
* getdns_context_set_appdata_dir()

Better TLS upstream failure management
======================================

RFC7858 suggested a back-off period of one hour on failing TLS upstreams. However this is not a resilient and practical demeanor in practice when short-term network outages or connection loss are caused, for example, by laptops going to sleep.

This release introduces a new TLS upstream failure management scheme in which the back-off time is incremented gradually from 1 second up, and doubled each retry with a maximum set by the getdns_context_set_tls_backoff_time() function. Also, back-off time is ignored when there are no more responding TLS upstreams and the upstream with the least amount of retries will be used for retrying first. Stubby will be much more resilient against short term outages and connection losses with this scheme.

YAML configuration files for Stubby
===================================

This release comes with an updated version of Stubby (version 0.1.3) with the new improvement to read configuration files in YAML format. Previously Stubby would read configuration files in the JSON-like format that is understood by getdns.
However, the necessity to deal with opening and closing brackets and the lack of comments make it unsuitable for human consumption. YAML is much more readable and, most importantly, can be annotated with comments and is as such a good fit for configuration files. Stubby configuration files are now specified in YAML format by default. JSON format can still be used if it is given on the command line with the -C flag.

Don't forget that the --with-stubby option needs to be used with configure when you want to build Stubby alongside the library. When built with Stubby, there is an additional dependency on libyaml for the stubby binary only.

Also note that the primary location for information on Stubby has moved to the dnsprivacy.org website: https://dnsprivacy.org/wiki/x/JYAT

link  : https://getdnsapi.net/dist/getdns-1.2.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.2.0.tar.gz.asc
sha256: 06e6494b5d8b9404f439d5a98a3ab8f1f4b3557fb7aa3db005b021a6289b4229

ChangeLog
=========

* 2017-09-29: Version 1.2.0
  * Bugfix of rc1: authentication of first query with TLS. Thanks Travis Burtrum
  * A function to set the location for library specific data, like trust-anchors: getdns_context_set_appdata().
  * Zero configuration DNSSEC - built upon the scheme described in RFC7958. The URL from which to fetch the trust anchor, the verification CA and email can be set with the new getdns_context_set_trust_anchor_url(), getdns_context_set_trust_anchor_verify_CA() and getdns_context_set_trust_anchor_verify_email() functions. The default values are to fetch from IANA and to validate with the ICANN CA.
  * Update of Stubby with yaml configuration file and logging from a certain severity support.
  * Fix tpkg exit status on test failure. Thanks Jim Hague.
  * Refined logging levels for upstream statistics
  * Reuse (best behaving) backed-off TLS upstreams when none are usable.
  * Let TLS upstreams back-off an incremental amount of time.
    Back-off time starts with 1 second and is doubled each failure, but will not exceed the time given by getdns_context_set_tls_backoff_time()
  * Make TLS upstream management more resilient to temporary outages (like laptop sleeps)
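The two checks the announcements above lean on, the "count the DNSKEY entries in your trust-anchor file" advice from the KSK rollover notice and the "keys with IDs not in root-anchors.xml" trigger of Zero configuration DNSSEC, can be reproduced offline. The following is an added example, written here in Python and not code from getdns or the getdns project: it parses a zone-file style trust-anchor file the way the notice describes getdns doing it (every DNSKEY is used, ";" annotations from unbound-anchor are ignored), computes RFC 4034 key tags and SHA-256 DS digests, and compares the KSKs against the KeyDigest entries of an RFC 7958 root-anchors.xml that are valid at a given time. The DNSKEY records and the anchors XML are constructed test data with tiny synthetic public keys; they are not the real root keys (the real KSK-2017 has key tag 20326), and the function names are this example's own.

```python
"""Constructed example: match KSKs from a getdns-style trust-anchor file against
the KeyDigest entries of an RFC 7958 root-anchors.xml.  Not getdns code."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2).  The root's owner name "." in wire
    format is a single zero byte, prepended to the RDATA (RFC 4034 s. 5.1.4)."""
    return hashlib.sha256(b"\x00" + rdata).hexdigest().upper()


def parse_dnskeys(text: str) -> List[Dict]:
    """Read every DNSKEY from a zone-file style trust-anchor file, dropping
    ';' comments such as the '{id = ...}' annotations unbound-anchor writes."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")              # owner [ttl] [class] DNSKEY flags proto alg key
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        pub = base64.b64decode("".join(fields[i + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
        keys.append({"flags": flags, "alg": alg, "ksk": bool(flags & 1),  # SEP bit
                     "tag": keytag(rdata), "digest": ds_digest(rdata)})
    return keys


def _parse_time(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_anchors_xml(xml_text: str, now: datetime) -> List[Dict]:
    """KeyDigest entries of root-anchors.xml whose validFrom/validUntil window
    contains `now` (an entry without validUntil has no end date)."""
    valid = []
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        if now < _parse_time(kd.get("validFrom")):
            continue
        until = kd.get("validUntil")
        if until and now >= _parse_time(until):
            continue
        valid.append({"tag": int(kd.findtext("KeyTag")), "alg": int(kd.findtext("Algorithm")),
                      "dtype": int(kd.findtext("DigestType")), "digest": kd.findtext("Digest").upper()})
    return valid


def uncovered_keys(keys: List[Dict], anchors: List[Dict]) -> List[int]:
    """Key tags of KSKs that no valid SHA-256 KeyDigest matches on tag, algorithm
    AND digest: a matching tag with a wrong digest is deliberately not enough."""
    covered = {(a["tag"], a["alg"], a["digest"]) for a in anchors if a["dtype"] == 2}
    return [k["tag"] for k in keys if k["ksk"] and (k["tag"], k["alg"], k["digest"]) not in covered]


def report(trust_anchors: str, anchors_xml: str, now_iso: str) -> Dict:
    keys = parse_dnskeys(trust_anchors)
    anchors = parse_anchors_xml(anchors_xml, _parse_time(now_iso))
    return {"ksk_count": sum(k["ksk"] for k in keys),
            "tags": [k["tag"] for k in keys],
            "uncovered": uncovered_keys(keys, anchors)}


# Constructed trust-anchor file (NOT the real root keys): two KSKs with 4-byte
# synthetic public keys, annotated the way unbound-anchor would.
SAMPLE_TRUST_ANCHORS = """\
; constructed sample, not the real root trust anchors
.\t172800\tIN\tDNSKEY\t257 3 8 AAECAw== ;{id = 1549 (ksk)}
.\t172800\tIN\tDNSKEY\t257 3 8 BAUGBw== ;{id = 3605 (ksk)}
"""


def build_sample_anchors_xml(keys: List[Dict]) -> str:
    """Constructed root-anchors.xml in the RFC 7958 layout: the first key is
    published correctly, the second with a deliberately wrong digest."""
    return f"""<TrustAnchor id="constructed-example" source="constructed-example">
  <Zone>.</Zone>
  <KeyDigest id="Kold" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>{keys[0]['tag']}</KeyTag><Algorithm>8</Algorithm>
    <DigestType>2</DigestType><Digest>{keys[0]['digest']}</Digest>
  </KeyDigest>
  <KeyDigest id="Knew" validFrom="2017-02-02T00:00:00+00:00" validUntil="2099-01-01T00:00:00+00:00">
    <KeyTag>{keys[1]['tag']}</KeyTag><Algorithm>8</Algorithm>
    <DigestType>2</DigestType><Digest>{'0' * 64}</Digest>
  </KeyDigest>
</TrustAnchor>"""


if __name__ == "__main__":
    xml_text = build_sample_anchors_xml(parse_dnskeys(SAMPLE_TRUST_ANCHORS))
    print(report(SAMPLE_TRUST_ANCHORS, xml_text, "2017-10-01T00:00:00Z"))
```

Run against a real getdns-root.key and a downloaded root-anchors.xml, `ksk_count` below 2 is the "only 1 entry for a DNSKEY" case from the rollover notice, and a non-empty `uncovered` list is the condition under which the release notes say Zero configuration DNSSEC goes back to data.iana.org for a fresh root-anchors.xml. The example does not verify the root-anchors.p7s S/MIME signature; that step, which the library performs against the ICANN Root CA, has to happen before the XML is trusted at all.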
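The TLS upstream back-off scheme in the two 1.2.0 announcements is small enough to model end to end. The block below is an added example, in Python rather than the library's C and not getdns or Stubby code: back-off starts at 1 second, doubles on every consecutive failure, is capped at a maximum (the role getdns_context_set_tls_backoff_time() plays in the library), and when every upstream is backed off the back-off is ignored and the upstream with the fewest consecutive failures is tried first. The `Upstream` type, the function names and the 60-second cap used in the demo are this example's own; the page does not state the library's default maximum.

```python
"""Constructed model of the getdns 1.2.0 TLS upstream back-off scheme.
Not getdns code; times are plain numbers (seconds) to keep it deterministic."""
from dataclasses import dataclass
from typing import List, Optional

INITIAL_BACKOFF = 1  # seconds; the release notes say back-off starts at 1 second


@dataclass
class Upstream:
    name: str
    failures: int = 0           # consecutive failures since the last success
    backoff_until: float = 0.0  # do not try this upstream before this time

    def usable(self, now: float) -> bool:
        return now >= self.backoff_until


def record_failure(up: Upstream, now: float, max_backoff: int) -> int:
    """Apply the incremental back-off after a failed connection and return the
    delay chosen: 1, 2, 4, ... seconds, never exceeding max_backoff."""
    delay = min(INITIAL_BACKOFF << up.failures, max_backoff)
    up.failures += 1
    up.backoff_until = now + delay
    return delay


def record_success(up: Upstream) -> None:
    """A successful exchange clears the failure history immediately."""
    up.failures = 0
    up.backoff_until = 0.0


def select_upstream(upstreams: List[Upstream], now: float) -> Optional[Upstream]:
    """Pick the next upstream to try.  Prefer the first one (in configured order)
    that is not backed off; if all are backed off, ignore the back-off and take
    the one with the fewest consecutive failures, as the release notes describe."""
    if not upstreams:
        return None
    for up in upstreams:
        if up.usable(now):
            return up
    return min(upstreams, key=lambda u: u.failures)


def simulate_failures(max_backoff: int, n: int) -> List[int]:
    """Delays chosen for n consecutive failures of a single upstream, retrying
    as soon as each back-off expires."""
    up = Upstream("example")
    delays: List[int] = []
    now = 0.0
    for _ in range(n):
        delays.append(record_failure(up, now, max_backoff))
        now = up.backoff_until
    return delays


if __name__ == "__main__":
    print("delays:", simulate_failures(60, 8))
    ups = [Upstream("dot-a", 3, 100.0), Upstream("dot-b", 1, 200.0)]
    print("all backed off at t=50, try:", select_upstream(ups, 50.0).name)
    print("dot-a's back-off expired at t=150, try:", select_upstream(ups, 150.0).name)
```

The contrast with the fixed one-hour back-off the notes attribute to RFC7858 is visible in `simulate_failures`: after a laptop wakes up the first retry comes after a second, not an hour, and a persistently dead upstream still settles at the configured cap instead of being retried continuously.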