From willem at nlnetlabs.nl Fri Dec 14 15:19:42 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 14 Dec 2018 16:19:42 +0100
Subject: [getdns-users] First release candidate for getdns-1.5.0
Message-ID: <6d494b81-9c4f-5c70-cf8f-dbd058b04cf4@nlnetlabs.nl>

Dear all,

We have a first candidate for the upcoming 1.5.0 bugfix and maintenance release of getdns.

Maintenance work included bringing getdns up to par with OpenSSL 1.1.1. For the DNS-over-TLS capability this means TLS1.3 support.

- TLS1.3 cipher suites can now be configured, either at context level with the getdns_context_set_tls_ciphersuites() function, or at upstream level by specifying a tls_ciphersuites entry.

  For example:

  getdns_query -s -L '{ upstream_recursive_servers:
      [ { address_data : 1.1.1.1
        , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'

- The minimum & maximum TLS version to be used per upstream can be specified now at context level with the getdns_context_set_tls_min_version() and the getdns_context_set_tls_max_version() functions, or at upstream level by specifying a tls_min_version or a tls_max_version.

  For example:

  getdns_query -s -L '{ upstream_recursive_servers:
      [ { address_data : 185.49.141.38
        , tls_max_version: GETDNS_TLS1_2 } ] }'

For DNSSEC:

- Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY algorithm support.

- A new extension named dnssec, which requires that DNSSEC verification is performed. Answers with DNSSEC status INDETERMINATE will no longer be returned with this extension. Only INSECURE and SECURE answers will be returned.

- Automatic fetching of trust anchors à la zero configuration DNSSEC will now be retried after failure, after a certain amount of milliseconds that can be specified with getdns_context_set_trust_anchors_backoff_time().

This release has a bit more specific error return codes, and in addition logs many more messages using the logging system in error conditions.

Furthermore, this release adds a few extra logging systems:

- GETDNS_LOG_SYS_STUB (0x2000) for logging about non-upstream-specific stub resolving
- GETDNS_LOG_SYS_RECURSING (0x4000) for logging about recursive resolving
- GETDNS_LOG_SYS_ANCHOR (0x8000) for logging about fetching trust anchors à la zero conf DNSSEC

A few more issues are resolved with this release. For a complete overview see the ChangeLog below.

This release has a release candidate for Stubby 0.2.4 included, with:

- A better stubby.service file, that will only start Stubby after the network came up.

Please review these release candidates carefully; if all is well, the actual release will follow Friday the 21st of December.

link  : https://getdnsapi.net/dist/getdns-1.5.0-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.5.0-rc1.tar.gz.asc
sha256: 8bf13d39de90f03939b7b531cae079061cae29ab

ChangeLog
=========
* 2018-12-??: Version 1.5.0
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name without a type is given.
  * RFE #408: Fetching of trust anchors will be retried after failure, after a certain backoff time. The time can be configured with getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC verification. When this extension is set, Indeterminate DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when trust anchor proves non-existence of one of the labels along the authentication chain other than the non-existence of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130: Configurable minimum and maximum TLS versions with getdns_context_set_tls_min_version() and getdns_context_set_tls_max_version() functions and tls_min_version and tls_max_version configuration parameters for upstreams.
  * Configurable TLS1.3 ciphersuites with the getdns_context_set_tls_ciphersuites() function and tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and tls_curve_list
  * Bugfix finding signer for validating NSEC and NSEC3s, which caused trouble with the partly tracing DNSSEC from the root up, introduced in 1.4.2. Thanks Philip Homburg

Stubby ChangeLog
================
* 2018-12-??: Version 0.2.3
  * More DoT servers for stubby.yml.example
  * Bugfix: only start Stubby when network is up. Thanks Bruno Pagani

From sca at andreasschulze.de Fri Dec 14 19:35:11 2018
From: sca at andreasschulze.de (A. Schulze)
Date: Fri, 14 Dec 2018 20:35:11 +0100
Subject: [getdns-users] First release candidate for getdns-1.5.0
In-Reply-To: <6d494b81-9c4f-5c70-cf8f-dbd058b04cf4@nlnetlabs.nl>
References: <6d494b81-9c4f-5c70-cf8f-dbd058b04cf4@nlnetlabs.nl>
Message-ID:

On 14.12.18 at 16:19, Willem Toorop wrote:
> We have a first candidate for the upcoming 1.5.0 bugfix and maintenance
> release of getdns.

Compiled without warnings. But one (not new) typo: "spelling-error-in-binary libgetdns.so.10.1.0 explicitely explicitly"

$ grep -rw explicitely .
./src/anchor.c: , "Trust anchor verification explicitely "
./src/anchor.c: , "Trust anchor verification explicitely "
./src/anchor.c: , "Trust anchor verification explicitely "
./src/anchor.c: , "Trust anchor verification explicitely "
./src/stub.c: * we need to verify auth_name explicitely (otherwise it will not be checked,
./src/stub.c: * to be disabled explicitely.
./src/util-internal.c: * Note that spec doesn't explicitely mention these.

> Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.

Built with openssl-1.1.1a here.

> For the DNS-over-TLS capability this means TLS1.3 support.
> - TLS1.3 cipher suites can now be configured, either at context level
>   with the getdns_context_set_tls_ciphersuites() function, or at
>   upstream level by specifying a tls_ciphersuites entry.
>
>   For example:
>
>   getdns_query -s -L '{ upstream_recursive_servers:
>       [ { address_data : 1.1.1.1
>         , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'

tls_ciphersuites can be used for TLSv1.3 only. What about TLS1.2?

> - The minimum & maximum TLS version to be used per upstream can be
>   specified now at context level with the
>   getdns_context_set_tls_min_version() and the
>   getdns_context_set_tls_max_version() functions, or at upstream level
>   by specifying a tls_min_version or a tls_max_version.
>
>   For example:
>
>   getdns_query -s -L '{ upstream_recursive_servers:
>       [ { address_data : 185.49.141.38
>         , tls_max_version: GETDNS_TLS1_2 } ] }'

To enforce TLS1.3 only, would I set

getdns_query -s -L '{ upstream_recursive_servers:
    [ { address_data : 185.49.141.38
      , tls_min_version: GETDNS_TLS1_3 } ] }'

right?

> - Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY
>   algorithm support.

Are there any public domains signed using Ed25519?

> - A new extension named dnssec, which requires that DNSSEC
>   verification is performed. Answers with DNSSEC status INDETERMINATE
>   will no longer return answers with this extension. Only INSECURE and
>   SECURE answers will be returned.

How will that extension be enabled in stubby.yml? -> example?

BTW: there is a directory "src/test"; neither "make test" nor "make check" works. How do I run the tests?

Andreas

From willem at nlnetlabs.nl Fri Dec 21 11:11:19 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 21 Dec 2018 12:11:19 +0100
Subject: [getdns-users] First release candidate for getdns-1.5.0
In-Reply-To:
References: <6d494b81-9c4f-5c70-cf8f-dbd058b04cf4@nlnetlabs.nl>
Message-ID:

On 14-12-18 20:35, A. Schulze wrote:
> compiled without warnings.
>
> but one (not new) typo: "spelling-error-in-binary libgetdns.so.10.1.0 explicitely explicitly"

Thanks. Updated.

> tls_ciphersuites can be used for TLSv1.3 only. What about TLS1.2?

For TLS1.2 you have to use getdns_context_set_tls_cipher_list(), or the tls_cipher_list parameter at upstream level. Basically tls_ciphersuites maps to SSL_CTX_set_ciphersuites() (for contexts) and SSL_set_ciphersuites() per upstream in the underlying OpenSSL, and tls_cipher_list to SSL_CTX_set_cipher_list() and SSL_set_cipher_list(). The set_tls_cipher_list function and setting are available since 1.3.0.

> to enforce TLS1.3 only, would I set
>
> getdns_query -s -L '{ upstream_recursive_servers:
>     [ { address_data : 185.49.141.38
>       , tls_min_version: GETDNS_TLS1_3 } ] }'
>
> right?

Right! And since 185.49.141.38 does not support TLS1.3 yet, it will fail to connect. 1.1.1.1 does support TLS1.3, so if you set it at context level and have both 185.49.141.38 and 1.1.1.1 as upstreams, you will always connect to 1.1.1.1. Check yourself with:

getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' @185.49.141.38 @1.1.1.1 +return_call_reporting

> are there any public domains signed using Ed25519?

Certainly: d2a15n3.rootcanary.net and d2a16n3.rootcanary.net for Ed448. Both domains contain an A record on the name secure and a bogus A record on the name bogus. I.e.:

$ getdns_query -s secure.d2a15n3.rootcanary.net A +dnssec | grep status
    "dnssec_status": GETDNS_DNSSEC_SECURE,
  "status": GETDNS_RESPSTATUS_GOOD

$ getdns_query -s secure.d2a16n3.rootcanary.net A +dnssec | grep status
    "dnssec_status": GETDNS_DNSSEC_SECURE,
  "status": GETDNS_RESPSTATUS_GOOD

$ getdns_query -s bogus.d2a15n3.rootcanary.net A +dnssec | grep status
  "status": GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS

$ getdns_query -s bogus.d2a16n3.rootcanary.net A +dnssec | grep status
  "status": GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS

Note that you have to specify the RR type (A) explicitly, otherwise a query for both A and AAAA will be done, which will return a SECURE NODATA response for the AAAA.

$ getdns_query -s bogus.d2a16n3.rootcanary.net +dnssec | grep status
    "dnssec_status": GETDNS_DNSSEC_SECURE,
  "status": GETDNS_RESPSTATUS_NO_NAME

>> - A new extension named dnssec, which requires that DNSSEC
>>   verification is performed. Answers with DNSSEC status INDETERMINATE
>>   will no longer return answers with this extension. Only INSECURE and
>>   SECURE answers will be returned.
> How will that extension be enabled in stubby.yml? -> example?

I have changed the DNSSEC section in the stubby.yml.example file into the following:

############################### DNSSEC SETTINGS ########################
# Require DNSSEC validation. This will withhold answers with BOGUS
# DNSSEC status and answers that could not be validated (i.e. with
# DNSSEC status INDETERMINATE). Beware that if no DNSSEC trust-anchor is
# provided, or if stubby is not able to fetch and validate the DNSSEC
# trust-anchor itself (using Zero configuration DNSSEC), stubby will not
# return answers at all. If DNSSEC validation is required, a trust-
# anchor is also required.
#
dnssec: GETDNS_EXTENSION_TRUE

> btw:
> there is a directory "src/test" neither "make test" nor "make check" work.
> How do I run the tests?

From the root of the checked out source, you should be able to run `make test`.
This has a dependency on libcheck. If libcheck is not found you will get a warning during configure:

libcheck not found or usable; unit tests will not be compiled and run

--
Willem

From willem at nlnetlabs.nl Fri Dec 21 19:55:45 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 21 Dec 2018 20:55:45 +0100
Subject: [getdns-users] getdns-1.5.0 released
Message-ID:

Dear all,

I am pleased to announce the new Christmas 2018 bugfix and maintenance release, version 1.5.0 of getdns.

Maintenance work included bringing getdns up to par with OpenSSL 1.1.1. For the DNS-over-TLS capability this means TLS1.3 support.

- TLS1.3 cipher suites can now be configured, either at context level with the getdns_context_set_tls_ciphersuites() function, or at upstream level by specifying a tls_ciphersuites entry.

  For example:

  getdns_query -s -L '{ upstream_recursive_servers:
      [ { address_data : 1.1.1.1
        , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'

  For TLS1.2 and earlier the (not new) getdns_context_set_tls_cipher_list() function, or tls_cipher_list entry at upstream level, needs to be used, analogous to the SSL_CTX_set_ciphersuites() and SSL_CTX_set_cipher_list() functions in OpenSSL.

- The minimum & maximum TLS version to be used per upstream can be specified now at context level with the getdns_context_set_tls_min_version() and the getdns_context_set_tls_max_version() functions, or at upstream level by specifying a tls_min_version or a tls_max_version.

  For example:

  getdns_query -s -L '{ upstream_recursive_servers:
      [ { address_data : 185.49.141.38
        , tls_max_version: GETDNS_TLS1_2 } ] }'

  An example that requires TLS1.3 support at context level:

  getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' \
      @185.49.141.38 @1.1.1.1 +return_call_reporting

  Because 185.49.141.38 does not yet support TLS1.3, this will result in queries to 1.1.1.1 only, as can be seen under "call_reporting" in the response dict.

For DNSSEC:

- Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY algorithm support.

- A new extension named dnssec, which requires that DNSSEC verification is performed. Answers with DNSSEC status INDETERMINATE will no longer be returned with this extension. Only INSECURE and SECURE answers will be returned. One benefit of this mode is that getdns will hard fail if it does not have, or cannot fetch, a valid trust anchor and perform validation.

- Automatic fetching of trust anchors à la Zero configuration DNSSEC will now be retried after failure, after a certain amount of milliseconds that can be specified with getdns_context_set_trust_anchors_backoff_time().

This release has a bit more specific error return codes, and in addition logs many more messages using the logging system in error conditions.

Furthermore, this release adds a few extra logging systems:

- GETDNS_LOG_SYS_STUB (0x2000) for logging about non-upstream-specific stub resolving
- GETDNS_LOG_SYS_RECURSING (0x4000) for logging about recursive resolving
- GETDNS_LOG_SYS_ANCHOR (0x8000) for logging about fetching trust anchors à la Zero conf DNSSEC

A few more issues are resolved with this release. For a complete overview see the ChangeLog section below.

This release has the 0.2.4 release of Stubby included, with:

- Updated stubby.yml.example that uses the dnssec extension to enable DNSSEC, with explanation of its consequences.
- A better stubby.service file, that will only start Stubby after the network came up.

Note that Stubby now has a dependency on getdns-1.5.0 because of the dnssec extension.

Merry Christmas & Happy New Year from the getdns team!

link  : https://getdnsapi.net/dist/getdns-1.5.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.5.0.tar.gz.asc
sha256: 577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84
web   : https://getdnsapi.net/releases/getdns-1-5-0/

ChangeLog
=========
* 2018-12-21: Version 1.5.0
  * RFE getdnsapi/stubby#121 log re-instantiating TLS upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
  * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name without a type is given.
  * RFE #408: Fetching of trust anchors will be retried after failure, after a certain backoff time. The time can be configured with getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC verification. When this extension is set, Indeterminate DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when trust anchor proves non-existence of one of the labels along the authentication chain other than the non-existence of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130: Configurable minimum and maximum TLS versions with getdns_context_set_tls_min_version() and getdns_context_set_tls_max_version() functions and tls_min_version and tls_max_version configuration parameters for upstreams.
  * Configurable TLS1.3 ciphersuites with the getdns_context_set_tls_ciphersuites() function and tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and tls_curve_list
  * Bugfix finding signer for validating NSEC and NSEC3s, which caused trouble with the partly tracing DNSSEC from the root up, introduced in 1.4.2.
    Thanks Philip Homburg

Stubby ChangeLog
================
* 2018-12-21: Version 0.2.4
  * DNSSEC required with dnssec extension in example config
  * Removed the yeti servers from stubby.yml.example
  * Added the Foundation RESTENA servers in stubby.yml.example
  * Bugfix: only start Stubby when network is up. Thanks Bruno Pagani
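The two cipher settings and the two version bounds discussed in this thread interact in a way that is easy to get wrong: tls_ciphersuites maps to SSL_set_ciphersuites() and therefore governs TLS1.3 handshakes only, tls_cipher_list maps to SSL_set_cipher_list() and governs TLS1.2 and earlier only, and an upstream-level entry overrides the context-level setting. The script below is an added example, not getdns or Stubby code. It parses the subset of the getdns_query -L dict notation used in the announcements and audits each upstream for bounds that exclude every version, a cipher setting that can never take effect, a TLS1.3 suite list that still leaves a TLS1.2 handshake unconstrained, and a minimum version above what the server offered. Assumptions: the library's defaults are taken as TLS1.2 minimum and no maximum (TLS1.3 with OpenSSL 1.1.1); the table of what 185.49.141.38 and 1.1.1.1 offered is constructed from the thread's December 2018 statements and should be re-probed before use; the simplified parser requires IPv6 addresses to be quoted; and the third configuration expresses the @185.49.141.38 @1.1.1.1 command-line arguments as upstream entries in the dict.

```python
"""Audit the TLS settings of getdns upstreams given in the dict notation that
getdns_query -L accepts (the subset used in this thread).  Added example; not
getdns or Stubby code."""
import re

# Version constants from the thread.  Assumption: with no bound set anywhere,
# the library minimum is TLS1.2 and there is no maximum (TLS1.3 on OpenSSL 1.1.1).
TLS_VERSIONS = {"GETDNS_TLS1_2": (1, 2), "GETDNS_TLS1_3": (1, 3)}
DEFAULT_MIN, DEFAULT_MAX = (1, 2), (1, 3)

# Highest TLS version each server offered, as reported in the thread in
# December 2018 (constructed table; re-probe before relying on it).
SERVER_MAX_TLS = {"185.49.141.38": (1, 2), "1.1.1.1": (1, 3)}

# Tokens: a double-quoted string, one of { } [ ] : , or a bare word.  Bare words
# stop at ':', so an IPv6 address_data must be quoted for this simplified parser.
_TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|([{}\[\]:,])|([^\s{}\[\]:,"]+))')


def parse_getdns_dict(text):
    """Parse { key: value, ... } and [ value, ... ] with bare or quoted scalars."""
    tokens = [("str", q[1:-1]) if q else ("punct", p) if p else ("bare", b)
              for q, p, b in _TOKEN.findall(text)]

    def value(i):  # returns (parsed value, index of the next token)
        kind, tok = tokens[i]  # IndexError here means an unterminated { or [
        if kind == "punct" and tok in "{[":
            is_dict = tok == "{"
            out, closer, i = ({} if is_dict else []), ("}" if is_dict else "]"), i + 1
            while tokens[i] != ("punct", closer):
                if is_dict:
                    key = tokens[i][1]
                    if tokens[i + 1] != ("punct", ":"):
                        raise ValueError("expected ':' after key %r" % key)
                    out[key], i = value(i + 2)
                else:
                    item, i = value(i)
                    out.append(item)
                if tokens[i] == ("punct", ","):
                    i += 1
            return out, i + 1
        if kind == "punct":
            raise ValueError("unexpected %r" % tok)
        return tok, i + 1

    result, end = value(0)
    if end != len(tokens):
        raise ValueError("trailing input after the top-level value")
    return result


def _version(name, default):
    if name is None:
        return default
    if name not in TLS_VERSIONS:
        raise ValueError("unknown TLS version constant %r" % name)
    return TLS_VERSIONS[name]


def audit_upstreams(config, server_max=SERVER_MAX_TLS):
    """(address, code, detail) per upstream.  Semantics as stated in the thread:
    tls_ciphersuites governs TLS1.3 only (SSL_set_ciphersuites), tls_cipher_list
    governs TLS1.2 and earlier (SSL_set_cipher_list), upstream settings win."""
    ctx_min = _version(config.get("tls_min_version"), DEFAULT_MIN)
    ctx_max = _version(config.get("tls_max_version"), DEFAULT_MAX)
    findings = []
    for up in config.get("upstream_recursive_servers", []):
        addr = up.get("address_data", "<no address_data>")
        vmin = _version(up.get("tls_min_version"), ctx_min)
        vmax = _version(up.get("tls_max_version"), ctx_max)
        suites13 = up.get("tls_ciphersuites", config.get("tls_ciphersuites"))
        list12 = up.get("tls_cipher_list", config.get("tls_cipher_list"))
        offered = server_max.get(addr)
        issues = []
        if vmin > vmax:
            issues.append(("MIN_ABOVE_MAX", "no version satisfies both bounds; no handshake can succeed"))
        elif offered is not None and offered < vmin:
            issues.append(("SERVER_TOO_OLD", "server offered at most TLS%d.%d, below "
                           "tls_min_version; this upstream will never be used" % offered))
        else:
            if suites13 is not None and vmax < (1, 3):
                issues.append(("CIPHERSUITES_NOOP", "tls_ciphersuites applies to TLS1.3 only, "
                               "which tls_max_version excludes"))
            if suites13 is not None and vmin < (1, 3) and list12 is None:
                issues.append(("TLS12_UNPINNED", "a TLS1.2 handshake is still allowed and is not "
                               "constrained by tls_ciphersuites; add tls_cipher_list or "
                               "tls_min_version: GETDNS_TLS1_3"))
            if list12 is not None and vmin >= (1, 3):
                issues.append(("CIPHER_LIST_NOOP", "tls_cipher_list applies to TLS1.2 and earlier "
                               "only, which tls_min_version excludes"))
        if not issues:
            issues.append(("OK", "may negotiate TLS%d.%d through TLS%d.%d" % (vmin + vmax)))
        findings.extend((addr, code, detail) for code, detail in issues)
    return findings


if __name__ == "__main__":
    for text in (
        '{ upstream_recursive_servers: [ { address_data : 1.1.1.1 , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }',
        '{ upstream_recursive_servers: [ { address_data : 185.49.141.38 , tls_max_version: GETDNS_TLS1_2 } ] }',
        '{ tls_min_version: GETDNS_TLS1_3, upstream_recursive_servers: [ { address_data: 185.49.141.38 }, { address_data: 1.1.1.1 } ] }',
    ):
        for addr, code, detail in audit_upstreams(parse_getdns_dict(text)):
            print("%-14s %-18s %s" % (addr, code, detail))
```

Run stand-alone it prints one line per upstream for the three configurations from the announcements. The first one is reported as TLS12_UNPINNED: with neither tls_cipher_list nor tls_min_version: GETDNS_TLS1_3 set, a TLS1.2 handshake with 1.1.1.1 remains possible, and the TLS1.3 suite named in tls_ciphersuites says nothing about which TLS1.2 cipher that handshake will use. The context-level GETDNS_TLS1_3 configuration reproduces the behaviour Willem describes: 185.49.141.38 is flagged SERVER_TOO_OLD and only 1.1.1.1 is usable.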
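Both announcements publish a tarball URL, a detached PGP signature and a sha256 line. The sha256 line of the release candidate announcement is 40 hex characters long, which is the length of a SHA-1 and not of a SHA-256, so it cannot be compared to a SHA-256 of getdns-1.5.0-rc1.tar.gz; the final release line has the expected 64. The following is an added example (not getdns or Stubby code) of the check a downloader would run before building: it refuses a malformed digest instead of silently comparing against it, hashes the file in chunks, and runs gpg --verify on the .asc when gpg is installed. The digest constants are copied from the announcements above; the sample tarball bytes are constructed so the example runs offline; the getdns signing key must already have been obtained and trusted through an independent channel for the gpg step to mean anything.

```python
"""Verify a downloaded getdns release tarball against the digest and the
detached PGP signature from a release announcement.  Added example; not part
of getdns or Stubby."""
import hashlib
import hmac
import re
import shutil
import subprocess

# Digest lines copied from the two announcements in this thread.
RC1_ANNOUNCED_SHA256 = "8bf13d39de90f03939b7b531cae079061cae29ab"
RELEASE_ANNOUNCED_SHA256 = (
    "577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84")

# Constructed stand-in for a downloaded tarball so the example runs offline.
CONSTRUCTED_TARBALL = b"getdns-1.5.0.tar.gz stand-in: not a real archive\n"

_HEX = re.compile(r"^[0-9a-f]+$")


def digest_kind(announced):
    """Classify an announced hex digest by length: 'sha256' (64 hex chars),
    'sha1-length' (40 hex chars, as in the rc1 announcement) or 'invalid'."""
    d = announced.strip().lower()
    if _HEX.match(d) is None:
        return "invalid"
    return {64: "sha256", 40: "sha1-length"}.get(len(d), "invalid")


def sha256_of(source, chunk=1 << 20):
    """SHA-256 hex digest of bytes, or of the file at a path, read in chunks."""
    h = hashlib.sha256()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
        return h.hexdigest()
    with open(source, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_release(source, announced):
    """'ok' when the SHA-256 of source matches the announced digest, 'mismatch'
    when it does not, and 'unusable-digest' when the announced value is not a
    SHA-256 at all.  A wrong-length digest is treated as absent rather than
    compared: ask the publisher for the real one instead of guessing."""
    if digest_kind(announced) != "sha256":
        return "unusable-digest"
    actual = sha256_of(source)
    return "ok" if hmac.compare_digest(actual, announced.strip().lower()) else "mismatch"


def verify_pgp_signature(tarball_path, asc_path):
    """Check the detached .asc with gpg.  Returns True/False, or None when gpg
    is not installed.  gpg reports a good signature only for a key already in
    the keyring; a signature by an unknown or untrusted key proves nothing, so
    fetch and verify the project's signing key out of band first."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    proc = subprocess.run([gpg, "--batch", "--verify", asc_path, tarball_path],
                          capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    print("rc1 digest line:    ", digest_kind(RC1_ANNOUNCED_SHA256))
    print("release digest line:", digest_kind(RELEASE_ANNOUNCED_SHA256))
    good = sha256_of(CONSTRUCTED_TARBALL)
    print("matching digest:    ", verify_release(CONSTRUCTED_TARBALL, good))
    print("tampered file:      ", verify_release(CONSTRUCTED_TARBALL + b"\x00", good))
    print("rc1-style digest:   ", verify_release(CONSTRUCTED_TARBALL, RC1_ANNOUNCED_SHA256))
```

For a real download, pass the tarball path to verify_release() together with the sha256 line from the announcement, and the .asc path to verify_pgp_signature(); treat anything other than "ok" and True as a reason not to build.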