From willem at nlnetlabs.nl Wed Feb 14 14:52:53 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 14 Feb 2018 15:52:53 +0100
Subject: [getdns-users] First release candidate for getdns-1.4.0
Message-ID: <19476c8d-d8cc-d94a-e5e3-c645f0201496@nlnetlabs.nl>

Dear all,

We have a candidate for the upcoming 1.4.0 security and stability release of getdns.

Security Fixes
==============

The release contains two security fixes.

1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred. Only one error status is returned by the underlying OpenSSL verification function, and that error status masks potential other errors.

   This release will check SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included danessl library by Viktor Dukhovni for OpenSSL version 1.0.0 and higher. For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.

2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections. One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs. This release has that fixed.

Stability Fixes
===============

Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library under certain conditions.
'Additional API' - new functions
================================

Besides the available ciphers, the supported curves can now be configured too, with the getdns_context_set_tls_curves_list() function or per upstream with getdns_context_set_upstream_recursive_servers().

Tools
=====

This release includes a new tool, getdns_server_mon, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers, see: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

NOTE
====

Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora package.

Stubby
======

This release candidate includes a candidate for a 0.2.2 release of Stubby.

- It includes an updated and fixed stubby.yml configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included.

Please review this release candidate carefully; if all is well, the actual release will follow on Wednesday the 21st of February.

link  : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz.asc
sha256: b60963f966111e24efdc96e048d1e3b7492d5cfd590abc73cff227ecc3549f52

ChangeLog
=========

* 2018-02-??: Version 1.4.0
  * .so revision bump to please the Fedora packaging system. Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list(). An upstream-specific list of supported curves may also be given with the tls_curves_list setting in the upstream dict with getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive resolvers' capabilities.
  * Improved handling of opportunistic back-off. If other transports are working, don't forcibly promote failed upstreams; just wait for the re-try timer.
  * Hostname authentication with libressl. Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105.
    Although getdns was not vulnerable to this specific issue, as a precaution the code has been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s cannot be wildcard expansions when used in DNSSEC proofs. Only direct queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous "double free or corruption" and "corrupted memory double linked list detected" issues with serving functionality. Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinsets with OpenSSL native DANE functions for OpenSSL >= 1.1.0, with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0, and don't allow for authentication exceptions (like self-signed certificates) otherwise. Thanks Viktor Dukhovni
  * libidn2 support. Thanks Paul Wouters

Stubby ChangeLog
================

* 2018-02-??: Version 0.2.2
  * Fixes and updates to the stubby.yml.config file. Add separate entries for servers that listen on port 443.
  * Additional logging of basic config on startup
  * -V option to show version
  * Added a man page

From willem at nlnetlabs.nl Wed Feb 21 20:19:28 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 21 Feb 2018 21:19:28 +0100
Subject: [getdns-users] getdns-1.4.0 released
Message-ID: <8ee0774a-33a8-b8f1-ab46-f2f15a24094d@nlnetlabs.nl>

Dear all,

I am pleased to announce the new security and bugfix release, version 1.4.0 of getdns.

Security Fixes
==============

The release contains two security fixes.

1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred.
   Only one error status is returned by the underlying OpenSSL verification function, and that error status masks potential other errors.

   This release will check SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included danessl library by Viktor Dukhovni for OpenSSL version 1.0.0 and higher. For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.

2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections. One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs. This release has that fixed.

Stability Fixes
===============

Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library under certain conditions.

'Additional API' - new functions
================================

Besides the available ciphers, the supported curves can now be configured too, with the getdns_context_set_tls_curves_list() function or per upstream with getdns_context_set_upstream_recursive_servers().

Tools
=====

This release includes a new tool, getdns_server_mon, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers, see: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

NOTE
====

Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora package.

Stubby
======

This release includes the new version 0.2.2 release of Stubby.

- It includes an updated and fixed stubby.yml configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included.

link  : https://getdnsapi.net/dist/getdns-1.4.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.0.tar.gz.asc
sha256: de360cd554fdec4bae3f5afbb36145872b8ff7306ded5deb0905442c4909f7b3

ChangeLog
=========

* 2018-02-21: Version 1.4.0
  * .so revision bump to please the Fedora packaging system. Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list(). An upstream-specific list of supported curves may also be given with the tls_curves_list setting in the upstream dict with getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive resolvers' capabilities.
  * Improved handling of opportunistic back-off. If other transports are working, don't forcibly promote failed upstreams; just wait for the re-try timer.
  * Hostname authentication with libressl. Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105. Although getdns was not vulnerable to this specific issue, as a precaution the code has been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s cannot be wildcard expansions when used in DNSSEC proofs. Only direct queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous "double free or corruption" and "corrupted memory double linked list detected" issues with serving functionality. Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinsets with OpenSSL native DANE functions for OpenSSL >= 1.1.0, with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0, and don't allow for authentication exceptions (like self-signed certificates) otherwise. Thanks Viktor Dukhovni
  * libidn2 support. Thanks Paul Wouters

Stubby ChangeLog
================

* 2018-02-21: Version 0.2.2
  * Fixes and updates to the stubby.yml.config file. Add separate entries for servers that listen on port 443.
  * Additional logging of basic config on startup
  * -V option to show version
  * Added a man page

From hello.titties123 at googlemail.com Fri Feb 23 09:46:35 2018
From: hello.titties123 at googlemail.com (Herbert Meier)
Date: Fri, 23 Feb 2018 10:46:35 +0100
Subject: [getdns-users] Using stubby with unbound
Message-ID:

Dear all,

For some time I've been using stubby as a stub resolver, but now I would like to use it in conjunction with unbound, primarily to have DNS caching.
Unfortunately, I was not able to find any documentation on how to do this.
I would appreciate it if someone could give me a pointer on how to achieve this.

Thanks so much.

Regards,
Herbert

From sara at sinodun.com Fri Feb 23 09:53:28 2018
From: sara at sinodun.com (Sara Dickinson)
Date: Fri, 23 Feb 2018 09:53:28 +0000
Subject: [getdns-users] Using stubby with unbound
In-Reply-To:
References:
Message-ID: <2FDC665E-8D6C-4E93-90FD-909D3B6D744D@sinodun.com>

> On 23 Feb 2018, at 09:46, Herbert Meier wrote:
>
> Dear all,
>
> For some time I've been using stubby as a stub resolver, but now I would like to use it in conjunction with unbound, primarily to have DNS caching.
> Unfortunately, I was not able to find any documentation on how to do this.
> I would appreciate it if someone could give me a pointer on how to achieve this.

Hi Herbert,

We have some brief documentation on this page:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients

and it is mentioned in the Configuration section of the main Stubby page:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

Hope this helps!

Sara.
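The wildcard rule behind the second security fix in the 1.4.0 announcements above, as an added Python example written for this page (not getdns code): it derives wildcard-expansion status from the RRSIG Labels field as RFC 4034 and RFC 4035 define it, and refuses DNSKEY, DS, NSEC and NSEC3 RRsets synthesised from a wildcard when they are used in a proof, while still accepting them for a direct query, as the ChangeLog states. The SignedRRset type and the function names are assumptions.

```python
"""Added example: the wildcard-expansion rule getdns 1.4.0 applies to DNSSEC
proofs, modelled in plain Python. Constructed for illustration; not getdns code."""
from dataclasses import dataclass

# Types that, per the 1.4.0 ChangeLog, may no longer be wildcard expansions
# when they are used as part of a DNSSEC proof.
PROOF_TYPES = frozenset({"DNSKEY", "DS", "NSEC", "NSEC3"})


def label_count(name: str) -> int:
    """Count labels the way the RRSIG Labels field does (RFC 4034 section 3.1.3):
    the root label is not counted, and neither is a leading '*' wildcard label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def is_wildcard_expansion(owner: str, rrsig_labels: int) -> bool:
    """RFC 4035 section 5.3.1: when the owner name has more labels than the
    covering RRSIG's Labels field, the RRset was synthesised from a wildcard.
    A Labels value larger than the owner name is malformed and is rejected."""
    n = label_count(owner)
    if rrsig_labels > n:
        raise ValueError("RRSIG Labels field exceeds the owner name label count")
    return rrsig_labels < n


def wildcard_name(owner: str, rrsig_labels: int) -> str:
    """The wildcard the RRset was expanded from: '*' plus the rightmost
    rrsig_labels labels of the owner name. This is the name whose existence
    (and the non-existence of a closer match) a validator still has to prove."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    suffix = labels[len(labels) - rrsig_labels:] if rrsig_labels else []
    return "*." + ".".join(suffix) + ("." if suffix else "")


@dataclass(frozen=True)
class SignedRRset:
    owner: str
    rrtype: str
    rrsig_labels: int  # Labels field of the covering RRSIG (assumed input)


def accept_rrset(rrset: SignedRRset, in_proof: bool) -> bool:
    """Release policy: a DNSKEY, DS, NSEC or NSEC3 RRset that is a wildcard
    expansion is rejected when it is used in a proof. A direct query for one of
    those types (in_proof=False) may still be answered from a wildcard."""
    if not is_wildcard_expansion(rrset.owner, rrset.rrsig_labels):
        return True
    return not (in_proof and rrset.rrtype in PROOF_TYPES)
```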
From willem at nlnetlabs.nl Wed Feb 14 14:52:52 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 14 Feb 2018 15:52:52 +0100
Subject: [getdns-api] First release candidate for getdns-1.4.0
Message-ID: <5c3f0e6a-469f-ec62-9167-da1bcb71d782@nlnetlabs.nl>

Dear all,

We have a candidate for the upcoming 1.4.0 security and stability release of getdns.

Security Fixes
==============

The release contains two security fixes.

1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred. Only one error status is returned by the underlying OpenSSL verification function, and that error status masks potential other errors.

   This release will check SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included danessl library by Viktor Dukhovni for OpenSSL version 1.0.0 and higher. For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.

2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections. One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs. This release has that fixed.

Stability Fixes
===============

Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library under certain conditions.
'Additional API' - new functions
================================

Besides the available ciphers, the supported curves can now be configured too, with the getdns_context_set_tls_curves_list() function or per upstream with getdns_context_set_upstream_recursive_servers().

Tools
=====

This release includes a new tool, getdns_server_mon, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers, see: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

NOTE
====

Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora package.

Stubby
======

This release candidate includes a candidate for a 0.2.2 release of Stubby.

- It includes an updated and fixed stubby.yml configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included.

Please review this release candidate carefully; if all is well, the actual release will follow on Wednesday the 21st of February.

link  : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz.asc
sha256: b60963f966111e24efdc96e048d1e3b7492d5cfd590abc73cff227ecc3549f52

ChangeLog
=========

* 2018-02-??: Version 1.4.0
  * .so revision bump to please the Fedora packaging system. Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list(). An upstream-specific list of supported curves may also be given with the tls_curves_list setting in the upstream dict with getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive resolvers' capabilities.
  * Improved handling of opportunistic back-off. If other transports are working, don't forcibly promote failed upstreams; just wait for the re-try timer.
  * Hostname authentication with libressl. Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105.
    Although getdns was not vulnerable to this specific issue, as a precaution the code has been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s cannot be wildcard expansions when used in DNSSEC proofs. Only direct queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous "double free or corruption" and "corrupted memory double linked list detected" issues with serving functionality. Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinsets with OpenSSL native DANE functions for OpenSSL >= 1.1.0, with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0, and don't allow for authentication exceptions (like self-signed certificates) otherwise. Thanks Viktor Dukhovni
  * libidn2 support. Thanks Paul Wouters

Stubby ChangeLog
================

* 2018-02-??: Version 0.2.2
  * Fixes and updates to the stubby.yml.config file. Add separate entries for servers that listen on port 443.
  * Additional logging of basic config on startup
  * -V option to show version
  * Added a man page

From willem at nlnetlabs.nl Wed Feb 21 20:19:21 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 21 Feb 2018 21:19:21 +0100
Subject: [getdns-api] getdns-1.4.0 released
Message-ID:

Dear all,

I am pleased to announce the new security and bugfix release, version 1.4.0 of getdns.

Security Fixes
==============

The release contains two security fixes.

1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred.
   Only one error status is returned by the underlying OpenSSL verification function, and that error status masks potential other errors.

   This release will check SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included danessl library by Viktor Dukhovni for OpenSSL version 1.0.0 and higher. For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.

2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections. One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs. This release has that fixed.

Stability Fixes
===============

Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library under certain conditions.

'Additional API' - new functions
================================

Besides the available ciphers, the supported curves can now be configured too, with the getdns_context_set_tls_curves_list() function or per upstream with getdns_context_set_upstream_recursive_servers().

Tools
=====

This release includes a new tool, getdns_server_mon, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers, see: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

NOTE
====

Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora package.

Stubby
======

This release includes the new version 0.2.2 release of Stubby.

- It includes an updated and fixed stubby.yml configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included.

link  : https://getdnsapi.net/dist/getdns-1.4.0.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.0.tar.gz.asc
sha256: de360cd554fdec4bae3f5afbb36145872b8ff7306ded5deb0905442c4909f7b3

ChangeLog
=========

* 2018-02-21: Version 1.4.0
  * .so revision bump to please the Fedora packaging system. Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list(). An upstream-specific list of supported curves may also be given with the tls_curves_list setting in the upstream dict with getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive resolvers' capabilities.
  * Improved handling of opportunistic back-off. If other transports are working, don't forcibly promote failed upstreams; just wait for the re-try timer.
  * Hostname authentication with libressl. Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105. Although getdns was not vulnerable to this specific issue, as a precaution the code has been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s cannot be wildcard expansions when used in DNSSEC proofs. Only direct queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous "double free or corruption" and "corrupted memory double linked list detected" issues with serving functionality. Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinsets with OpenSSL native DANE functions for OpenSSL >= 1.1.0, with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0, and don't allow for authentication exceptions (like self-signed certificates) otherwise. Thanks Viktor Dukhovni
  * libidn2 support. Thanks Paul Wouters

Stubby ChangeLog
================

* 2018-02-21: Version 0.2.2
  * Fixes and updates to the stubby.yml.config file. Add separate entries for servers that listen on port 443.
  * Additional logging of basic config on startup
  * -V option to show version
  * Added a man page

From robert.groenenberg at broadforward.com Wed Feb 28 10:56:39 2018
From: robert.groenenberg at broadforward.com (Robert Groenenberg)
Date: Wed, 28 Feb 2018 11:56:39 +0100
Subject: [getdns-api] UDP failover improvements
Message-ID: <335f043a-323d-37d7-2ccc-f273d8aeacb8@broadforward.com>

Hi Willem, Sara,

To improve (in our view) getdns with respect to the failover/retry behaviour towards UDP upstreams, we've made 1 fix and 2 enhancements:

1) Restrict the back_off value of an upstream to a configurable maximum. This prevents the back_off value (doubled at each timeout for an upstream) from growing until the value rolls over. We didn't want the interval for retrying an upstream to grow to values like 2^16 or bigger when that upstream had an outage. Note that the retry interval is still in 'query attempts'; perhaps we want to make that time-based at some point.

2) When an upstream has been unavailable and is found to be OK at some point, its back_off value is not reset, so on a subsequent timeout the back_off continues with the value from the previous failure. We consider this a bug.

3) When all configured upstreams of a context are unavailable, in our view it makes more sense to retry them in a round-robin fashion instead of sticking to the back_off values (especially when one becomes unavailable earlier than another). The original backoff mechanism may lead to one unavailable upstream being tried hundreds or thousands of times before another one is given a try, while the latter may be available again. Switching to round-robin when all are unavailable for a number of attempts will lead to faster recovery.

I have these changes available on top of the latest 'develop' branch.
Shall I create pull requests for them?

(Credits also go to my colleague Shikha Sharma)

Cheers,
Robert

From willem at nlnetlabs.nl Wed Feb 28 11:20:53 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 28 Feb 2018 12:20:53 +0100
Subject: [getdns-api] UDP failover improvements
In-Reply-To: <335f043a-323d-37d7-2ccc-f273d8aeacb8@broadforward.com>
References: <335f043a-323d-37d7-2ccc-f273d8aeacb8@broadforward.com>
Message-ID: <63d7747f-82bf-bf22-99e1-fc4451d7fed9@nlnetlabs.nl>

On 28-02-18 at 11:56, Robert Groenenberg wrote:
> Hi Willem, Sara,

Hi Robert,

> To improve (in our view) getdns with respect to the failover/retry
> behaviour towards UDP upstreams, we've made 1 fix and 2 enhancements:
>
> 1) Restrict the back_off value of an upstream to a configurable maximum.
> This prevents the back_off value (doubled at each timeout for an
> upstream) from growing until the value rolls over. We didn't want the
> interval for retrying an upstream to grow to values like 2^16 or bigger
> when that upstream had an outage. Note that the retry interval is still
> in 'query attempts'; perhaps we want to make that time-based at some point.

Yes, the quick fix would be limiting that number. For the longer term, time-based backoffs are probably the way to go. That would be more consistent with how stateful transports are currently handled too.

> 2) When an upstream has been unavailable and is found to be OK at some
> point, its back_off value is not reset, so on a subsequent timeout the
> back_off continues with the value from the previous failure. We consider
> this a bug.

Acknowledged!

> 3) When all configured upstreams of a context are unavailable, in our
> view it makes more sense to retry them in a round-robin fashion instead
> of sticking to the back_off values (especially when one becomes
> unavailable earlier than another).
> The original backoff mechanism may lead to one unavailable upstream
> being tried hundreds or thousands of times before another one is given
> a try, while the latter may be available again. Switching to round-robin
> when all are unavailable for a number of attempts will lead to faster
> recovery.

Yes, that sounds good too.

> I have these changes available on top of the latest 'develop' branch.
> Shall I create pull requests for them?
> (Credits also go to my colleague Shikha Sharma)

Yes please. I am currently in the process of reorganizing upstream management, so perhaps your changes will not remain as provided, but they will nevertheless be a good starting point for re-evaluating stateless upstream backoff handling.

Thanks and cheers!

-- Willem

> Cheers,
> Robert
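The three changes Robert proposes and Willem accepts above, as an added Python model constructed for this page (not getdns code and not Robert's patch): the back_off doubling is capped at a configurable maximum, back_off is reset when an upstream answers, and selection switches to round-robin while every upstream is in back-off. Counting the retry interval in query attempts follows the thread; the class and function names, the skip-and-count-down selection loop, and the outage scenario are assumptions.

```python
"""Added example: a constructed model of stateless (UDP) upstream failover with
the capped back_off, reset-on-success and round-robin changes from the thread.
Not getdns code; the selection loop is a simplification for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Upstream:
    name: str
    back_off: int = 1   # retry interval in query attempts; doubles on each timeout
    to_retry: int = 0   # attempts still to skip before this upstream is eligible


class UpstreamSelector:
    def __init__(self, names: List[str], max_back_off: int = 16):
        self.upstreams = [Upstream(n) for n in names]
        self.max_back_off = max_back_off  # change 1: configurable ceiling
        self.rr_index = 0                 # change 3: round-robin cursor

    def all_unavailable(self) -> bool:
        return all(u.to_retry > 0 for u in self.upstreams)

    def select(self) -> Upstream:
        if self.all_unavailable():
            # change 3: every upstream is backing off, so rotate through them
            # instead of honouring counters that may differ by orders of magnitude
            u = self.upstreams[self.rr_index % len(self.upstreams)]
            self.rr_index += 1
            return u
        chosen: Optional[Upstream] = None
        for u in self.upstreams:
            if u.to_retry > 0:
                u.to_retry -= 1   # skipped upstreams count down towards a retry
            elif chosen is None:
                chosen = u        # first eligible upstream in list order
        assert chosen is not None  # guaranteed: not all_unavailable()
        return chosen

    def on_timeout(self, u: Upstream) -> None:
        # change 1: doubling stops at the ceiling, so the counter cannot roll over
        u.back_off = min(u.back_off * 2, self.max_back_off)
        u.to_retry = u.back_off

    def on_success(self, u: Upstream) -> None:
        # change 2: an upstream that answers starts the back-off schedule afresh
        u.back_off = 1
        u.to_retry = 0


def run(selector: UpstreamSelector, is_up: Dict[str, Callable[[int], bool]],
        attempts: int) -> List[Tuple[int, str, bool]]:
    """Drive the selector for a number of query attempts. is_up maps an upstream
    name to a function of the attempt number that says whether it answers."""
    trace: List[Tuple[int, str, bool]] = []
    for i in range(attempts):
        u = selector.select()
        ok = is_up[u.name](i)
        (selector.on_success if ok else selector.on_timeout)(u)
        trace.append((i, u.name, ok))
    return trace


def first_success(trace: List[Tuple[int, str, bool]]) -> Optional[int]:
    return next((i for i, _, ok in trace if ok), None)


if __name__ == "__main__":
    sel = UpstreamSelector(["a", "b"], max_back_off=16)
    # constructed outage: "a" never answers, "b" comes back at attempt 10
    trace = run(sel, {"a": lambda i: False, "b": lambda i: i >= 10}, 30)
    for attempt, name, ok in trace:
        print(attempt, name, "ok" if ok else "timeout")
    print("first success at attempt", first_success(trace))
```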