[getdns-users] First release candidate for getdns-1.5.0

Willem Toorop willem at nlnetlabs.nl
Fri Dec 21 11:11:19 UTC 2018


On 14-12-18 20:35, A. Schulze wrote:
> compiled without warnings.
> 
> but one (not new) typo: "spelling-error-in-binary libgetdns.so.10.1.0 explicitely explicitly"

Thanks.  Updated.

> tls_ciphersuites can be used for TLSv1.3 only. What about TLS1.2?

For TLS1.2 you have to use getdns_context_set_tls_cipher_list(), or the
tls_cipher_list parameter at upstream level.

Basically tls_ciphersuites maps to SSL_CTX_set_ciphersuites() (for
contexts) and SSL_set_ciphersuites() per upstream in the underlying
OpenSSL and tls_cipher_list() to SSL_CTX_set_cipher_list() and
SSL_set_cipher_list().

The set_tls_cipher_list function and setting are available since 1.3.0.

> to enforce TLS1.3 only, would I set
>         getdns_query -s -L '{ upstream_recursive_servers:
>           [ { address_data   : 185.49.141.38
>            , tls_min_version: GETDNS_TLS1_3 } ] }'
> right?

Right! And since 185.49.141.38 does not support TLS1.3 yet, it will fail
to connect. 1.1.1.1 does support TLS1_3, so if you would set it at
context level and have both 185.49.141.38 and 1.1.1.1 as upstreams, you
will always connect with 1.1.1.1.  Check yourself with:

getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' @185.49.141.38
@1.1.1.1 +return_call_reporting

> are there any public domains signed using Ed25519?

Certainly: d2a15n3.rootcanary.net and d2a16n3.rootcanary.net for Ed448.
Both domains contain an A record on the name secure and a bogus A record
on the name bogus. I.e.:


$ getdns_query -s secure.d2a15n3.rootcanary.net A +dnssec | grep status
      "dnssec_status": GETDNS_DNSSEC_SECURE,
  "status": GETDNS_RESPSTATUS_GOOD

$ getdns_query -s secure.d2a16n3.rootcanary.net A +dnssec | grep status
      "dnssec_status": GETDNS_DNSSEC_SECURE,
  "status": GETDNS_RESPSTATUS_GOOD

$ getdns_query -s bogus.d2a15n3.rootcanary.net A +dnssec | grep status
  "status": GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS

$ getdns_query -s bogus.d2a16n3.rootcanary.net A +dnssec | grep status
  "status": GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS

Note that you have to specify the RR type (A) explicitly, otherwise a
query for both A and AAAA will be done, which will return a SECURE
NODATA response for the AAAA.

$ getdns_query -s bogus.d2a16n3.rootcanary.net +dnssec | grep status
      "dnssec_status": GETDNS_DNSSEC_SECURE,
  "status": GETDNS_RESPSTATUS_NO_NAME

>  
>>   - A new extension named dnssec, which requires that DNSSEC
>>     verification is performed. Answers with DNSSEC status INDETERMINATE
>>     will no longer return answers with this extension. Only INSECURE and
>>     SECURE answers will be returned.
> How will that extension be enabled in stubby.yml? -> example?

I have changed the DNSSEC section in the stubby.yml.example file into
the following:

############################### DNSSEC SETTINGS ########################
# Require DNSSEC validation. This will withhold answers with BOGUS
# DNSSEC status and answers that could not be validated (i.e. with
# DNSSEC status INDETERMINATE). Beware that if no DNSSEC trust-anchor is
# provided, or if stubby is not able to fetch and validate the DNSSEC
# trust-anchor itself (using Zero configuration DNSSEC), stubby will not
# return answers at all.  If DNSSEC validation is required, a trust-
# anchor is also required.
# dnssec: GETDNS_EXTENSION_TRUE

> 
> btw:
> there is a directory "src/test" neither "make test" nor "make check" work.
> How do I run the tests?

From the root of the checked out source, you should be able to run `make
test`.  This has a dependency on libcheck.  If libcheck is not found you
will get a warning during configure:

libcheck not found or usable; unit tests will not be compiled and run

-- Willem
> 
> Andreas
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> https://getdnsapi.net/mailman/listinfo/users
> 
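As an added illustration of the OpenSSL split Willem describes above (this is not code from the thread or from the getdns project): Python's ssl module exposes only set_ciphers(), which calls SSL_CTX_set_cipher_list(), so a TLS 1.2 cipher string leaves the TLS 1.3 suites untouched. The cipher string below is a constructed example.

```python
import ssl

# Constructed example: a TLS 1.2-style cipher string, the kind of value
# you would pass to tls_cipher_list / SSL_CTX_set_cipher_list().
TLS12_CIPHER_STRING = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def ciphers_by_protocol(cipher_string):
    """Apply a cipher_list string to a fresh client context and group the
    cipher names that remain enabled by the protocol version each belongs to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() maps to SSL_CTX_set_cipher_list(): it governs TLS 1.2
    # and earlier only, exactly like getdns' tls_cipher_list setting.
    ctx.set_ciphers(cipher_string)
    grouped = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def tls13_suites_survive(cipher_string):
    """True when TLS 1.3 suites stay enabled although the cipher string names
    none of them. Restricting them needs the separate SSL_CTX_set_ciphersuites()
    path, which getdns exposes as tls_ciphersuites."""
    grouped = ciphers_by_protocol(cipher_string)
    return bool(grouped.get("TLSv1.3"))


if __name__ == "__main__":
    for proto, names in sorted(ciphers_by_protocol(TLS12_CIPHER_STRING).items()):
        print(proto, names)
```

Requires Python linked against OpenSSL 1.1.1 or later, since older builds have no TLS 1.3 suites to show.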