[getdns-users] First release candidate for getdns-1.5.0
A. Schulze
sca at andreasschulze.de
Fri Dec 14 19:35:11 UTC 2018
On 14.12.18 at 16:19, Willem Toorop wrote:
> We have a first candidate for the upcoming 1.5.0 bugfix and maintenance
> release of getdns.
compiled without warnings.
but one (not new) typo: "spelling-error-in-binary libgetdns.so.10.1.0 explicitely explicitly"
$ grep -rw explicitely .
./src/anchor.c: , "Trust anchor verification explicitely "
./src/anchor.c: , "Trust anchor verification explicitely "
./src/anchor.c: , "Trust anchor verification explicitely "
./src/anchor.c: , "Trust anchor verification explicitely "
./src/stub.c: * we need to verify auth_name explicitely (otherwise it will not be checked,
./src/stub.c: * to be disabled explicitely.
./src/util-internal.c: * Note that spec doesn't explicitely mention these.
> Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.
build with openssl-1.1.1a here.
> For the DNS-over-TLS capability this means TLS1.3 support.
> - TLS1.3 cipher suites can now be configured, either at context level
> with the getdns_context_set_tls_ciphersuites() function, or at
> upstream level by specifying a tls_ciphersuites entry.
>
> For example:
>
> getdns_query -s -L '{ upstream_recursive_servers:
> [ { address_data : 1.1.1.1
> , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'
tls_ciphersuites can be used for TLSv1.3 only. What about TLS1.2?
> - The minimum & maximum TLS version to be used per upstream can be
> specified now at context level with the
> getdns_context_set_tls_min_version() and the
> getdns_context_set_tls_max_version() functions, or at upstream level
> by specifying a tls_min_version or a tls_max_version.
>
> For example:
>
> getdns_query -s -L '{ upstream_recursive_servers:
> [ { address_data : 185.49.141.38
> , tls_max_version: GETDNS_TLS1_2 } ] }'
to enforce TLS1.3 only, would I set
getdns_query -s -L '{ upstream_recursive_servers:
[ { address_data : 185.49.141.38
, tls_min_version: GETDNS_TLS1_3 } ] }'
right?
> - Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY
> algorithm support.
are there any public domains signed using Ed25519?
> - A new extension named dnssec, which requires that DNSSEC
> verification is performed. Answers with DNSSEC status INDETERMINATE
> will no longer return answers with this extension. Only INSECURE and
> SECURE answers will be returned.
How will that extension be enabled in stubby.yml? -> example?
btw:
there is a directory "src/test", but neither "make test" nor "make check" works.
How do I run the tests?
Andreas
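
Added example, not part of the thread and not getdns code: OpenSSL 1.1.1 configures TLS 1.3 ciphersuites separately from the TLS 1.2 cipher list, which is the split the tls_ciphersuites question above touches on. The sketch uses Python's ssl module (an OpenSSL wrapper) to show that restricting the TLS 1.2 list leaves the TLS 1.3 suites in place and that a version floor is what enforces TLS 1.3 only; the helper names and the TLS 1.2 suite are constructed for illustration, and it says nothing about getdns's own option handling.

```python
import ssl

# Suite name taken from the tls_ciphersuites example in the announcement.
TLS13_SUITE = "TLS_AES_256_GCM_SHA384"
# Constructed sample: one TLS 1.2 suite in OpenSSL cipher-list syntax.
TLS12_LIST = "ECDHE-RSA-AES256-GCM-SHA384"


def build_context(tls12_cipher_list=None, tls13_only=False):
    """Client context; optionally restrict the TLS 1.2 list and/or pin TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if tls12_cipher_list is not None:
        # OpenSSL cipher-list call: governs TLS 1.2 and older only.
        ctx.set_ciphers(tls12_cipher_list)
    if tls13_only:
        # Version floor: no handshake below TLS 1.3 can be negotiated.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def split_by_protocol(ctx):
    """Return (tls13_suites, older_suites) currently configured on ctx."""
    tls13, older = [], []
    for cipher in ctx.get_ciphers():
        bucket = tls13 if cipher["protocol"] == "TLSv1.3" else older
        bucket.append(cipher["name"])
    return tls13, older


def audit(ctx):
    """Summarise what a peer could negotiate with this context."""
    tls13, older = split_by_protocol(ctx)
    floor = ctx.minimum_version
    return {
        "floor": floor.name,
        "tls13_only": floor == ssl.TLSVersion.TLSv1_3,
        "tls13_suites": tls13,
        "older_suites_configured": older,
    }


if __name__ == "__main__":
    print(audit(build_context(TLS12_LIST)))
    print(audit(build_context(TLS12_LIST, tls13_only=True)))
```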