From willem at nlnetlabs.nl Fri May 4 14:51:36 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 4 May 2018 16:51:36 +0200
Subject: [getdns-users] First release candidate for getdns-1.4.2
Message-ID: <51cc0d6f-b93e-fcfe-ed91-3933bef69d53@nlnetlabs.nl>

Dear all,

We have a first release candidate for the upcoming 1.4.2 bugfix release of getdns.

The two major bugfixes are:

* DNSSEC Denial of Existence validation at NSEC wildcards, which was broken since 1.4.0.
* Null termination of strings in configuration dictionaries. This in particular affected Stubby configurations with settings for `trust_anchors_url`, `trust_anchors_verify_CA`, `trust_anchors_verify_email`, `appdata_dir`, `resolvconf`, `hosts`, `tls_ca_path`, `tls_ca_file`, `tls_cipher_list` and `tls_curves_list`. If you use Stubby and had one of these configured, but they did not affect Stubby operation as expected, retry with this release candidate to see if it resolves the issue.

DNSSEC validation in stub mode has been improved and should be possible more often now (also with badly behaving authoritatives), because it is now partly traced from the root up.

This release has a release candidate for Stubby 0.2.3 included, with:

* An updated stubby.yml file. NOTE! The entries for securedns.eu have changed!
* Better recommendations for running Stubby with systemd
* No pass through of EDNS0 options that were handled by underlying getdns.

Please review these release candidates carefully; if all is well, the actual release will follow Friday the 11th of May.

link  : https://getdnsapi.net/dist/getdns-1.4.2-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.2-rc1.tar.gz.asc
sha256: 3d2f7c866d3db39236d1a6a27ae64c59ddc38789422bc67d88ad2d7c979e71cd

ChangeLog
=========
* 2018-05-??: Version 1.4.2
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards. Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with string bindata's.
    Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0 or higher.
    Thanks mire3212

Stubby ChangeLog
================
* Better systemd configuration recommendations.
  Thanks hanvinke, and Bruno Pagani
* Bugfix #98: EDNS options that are handled internally should not be passed on through downstream.
  Thanks Twisteroid Ambassador
* With systemd setups, make /run/stubby directory writeable for stubby user and include a "appdata_dir" directory in stubby.yml.example
* Update securedns.eu entries in stubby.yml.example
* Added Cloudflare servers in stubby.yml.example
* Added basic upstart script in contrib/upstart dir.
  Thanks vapniks

From sca at andreasschulze.de Mon May 7 19:54:24 2018
From: sca at andreasschulze.de (A. Schulze)
Date: Mon, 7 May 2018 21:54:24 +0200
Subject: [getdns-users] First release candidate for getdns-1.4.2
In-Reply-To: <51cc0d6f-b93e-fcfe-ed91-3933bef69d53@nlnetlabs.nl>
References: <51cc0d6f-b93e-fcfe-ed91-3933bef69d53@nlnetlabs.nl>

On 04.05.2018 at 16:51, Willem Toorop wrote:
> We have a first release candidate for the upcoming 1.4.2 bugfix release
> of getdns.

Compiles and runs without noise, but I did not use the mentioned parameters anyway.
Andreas

From psood74 at gmail.com Tue May 8 18:49:21 2018
From: psood74 at gmail.com (Puneet Sood)
Date: Tue, 08 May 2018 18:49:21 +0000
Subject: [getdns-users] Questions about getdns_query

Hello,

Some basic questions that I could not find answers to on the website.

1. When doing a query from the command-line, is there a way to get debug info like what transports (udp, tcp, tls) are being tried?

   $ getdns_query @1.1.1.1 www.wikipedia.org

2. When attempting to use TLS (only), it's unclear what the right invocation is and the error message is not helpful. What is the right way to do a TLS only query?

   $ getdns_query -L @1.1.1.1 www.wikipedia.org A
   An error occurred: 301 'The context has internal deficiencies'
   All done.

Thanks,
Puneet

From sara at sinodun.com Wed May 9 12:28:00 2018
From: sara at sinodun.com (Sara Dickinson)
Date: Wed, 9 May 2018 13:28:00 +0100
Subject: [getdns-users] Questions about getdns_query

> On 8 May 2018, at 19:49, Puneet Sood wrote:
>
> Hello,
>
> Some basic questions that I could not find answers to on the website.
>
> 1. When doing a query from the command-line, is there a way to get debug
> info like what transports (udp, tcp, tls) are being tried?
> $ getdns_query @1.1.1.1 www.wikipedia.org

Hi,

If you add '+return_call_reporting' you will see an extra section in the response dict that shows what transport was eventually used for the query. If you want very detailed debugging of each transport tried and fallback conditions then you can compile getdns with the '--enable-debug-stub' flag (but beware, this debug output is verbose).

Also note that the query above will use getdns in the default recursive mode (not in stub mode) which does not support TLS (since no recursive resolver does). [Unless you built getdns with the '--enable-stub-only' flag which disables recursive mode so the default is stub]

>
> 2. When attempting to use TLS (only), it's unclear what the right
> invocation is and the error message is not helpful. What is the right way
> to do a TLS only query?

getdns_query -s -L @1.1.1.1 www.wikipedia.org

-s switches to stub mode
-L specifies TLS as the only transport
-m requires authentication of the upstream

so for Cloudflare use

getdns_query -s -L -m @1.1.1.1~cloudflare-dns.com. www.wikipedia.org

>
> $ getdns_query -L @1.1.1.1 www.wikipedia.org A
> An error occurred: 301 'The context has internal deficiencies'
> All done.

This is (as mentioned above) because recursive mode doesn't support TLS. This is on the webpage but rather hidden: https://getdnsapi.net/documentation/readme/#minor-omissions

But I also agree the error message is distinctly unhelpful here and this issue should be clearer in the usage! The usage does contain descriptions of all the parameters but I think this page: https://getdnsapi.net/blog/getdns_query/ could do with some update :-)

There
Sara.

From willem at nlnetlabs.nl Fri May 11 11:40:23 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 11 May 2018 13:40:23 +0200
Subject: [getdns-users] getdns-1.4.2 released
Message-ID: <3f811d0d-c347-0a00-8a07-30aa71d0f05d@nlnetlabs.nl>

Dear all,

I am pleased to announce the new bugfix release, version 1.4.2 of getdns.

The two major bugfixes are:

* DNSSEC Denial of Existence validation at NSEC wildcards, which was broken since 1.4.0.
* Null termination of strings in configuration dictionaries. This in particular affected Stubby configurations with settings for trust_anchors_url, trust_anchors_verify_CA, trust_anchors_verify_email, appdata_dir, resolvconf, hosts, tls_ca_path, tls_ca_file, tls_cipher_list and tls_curves_list. If you use Stubby and had one of these configured, but they did not affect Stubby operation as expected, retry with this release candidate to see if it resolves the issue.
DNSSEC validation in stub mode has been improved and should be possible more often now (also with badly behaving authoritatives), because it is now partly traced from the root up.

A few more issues are resolved with this release. For a complete overview see the ChangeLog below.

This release has Stubby release 0.2.3 included, with:

* An updated stubby.yml file (Watch out! The entries for securedns.eu have changed!)
* Better recommendations for running Stubby with systemd
* No pass through of EDNS0 options that were handled by underlying getdns

link  : https://getdnsapi.net/dist/getdns-1.4.2.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.2.tar.gz.asc
sha256: 1685b82dfe297cffc4bae08a773cdc88a3edf9a4e5a1ea27d8764bb5affc0e80

ChangeLog
=========
* 2018-05-11: Version 1.4.2
  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs in the Windows root CA store.
  * PR #397: No TCP sendto without TCP_FASTOPEN
    Thanks Emery Hemingway
  * Bugfix getdnsapi/stubby#106: Core dump when printing certain configuration.
    Thanks Han Vinke
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards. Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with string bindata's.
    Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0 or higher.
    Thanks mire3212

Stubby ChangeLog
================
* 2018-05-11: Version 0.2.3
  * Bugfix #62 and #106: With systemd setups, make /run/stubby directory writeable for stubby user and include a "appdata_dir" directory in stubby.yml.example.
    Thanks Paul Wouters, eccgecko and Han Vinke
  * Update securedns.eu entries in stubby.yml.example
  * Added Cloudflare servers in stubby.yml.example
  * Added basic upstart script in contrib/upstart dir.
    Thanks vapniks
  * Bugfix #98: EDNS options that are handled internally should not be passed on through downstream.
    Thanks Twisteroid Ambassador
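The first major bugfix in the announcements above concerns denial-of-existence validation when an NSEC record's owner is an unexpanded wildcard such as `*.example.`. The block below is an added illustration of the underlying span check, written for this thread; it is not getdns's validator code. It implements canonical name ordering as RFC 4034 section 6.1 describes it (labels compared from the right, case folded, ancestors first) and then asks whether a constructed NSEC with owner `*.example.` and next name `www.example.` covers a queried name. The records and names are constructed for the example; a real validator additionally checks signatures, the NSEC's type bitmap and the wildcard-expansion rules, which are out of scope here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 128

/* Split a presentation-format name ("mail.example.") into labels.  The
 * trailing dot is optional; the root name "." yields zero labels. */
static int split_labels(const char *name, const char *labels[], size_t lens[])
{
    int n = 0;
    const char *p = name;

    while (*p != '\0' && n < MAX_LABELS) {
        const char *dot = strchr(p, '.');
        size_t len = dot != NULL ? (size_t)(dot - p) : strlen(p);
        if (len == 0)
            break;                      /* trailing dot or root */
        labels[n] = p;
        lens[n] = len;
        n++;
        if (dot == NULL)
            break;
        p = dot + 1;
    }
    return n;
}

/* Compare two labels as unsigned, left-justified octet strings, folding
 * US-ASCII uppercase to lowercase; a missing octet sorts first. */
static int cmp_label(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb)
            return ca < cb ? -1 : 1;
    }
    if (alen == blen)
        return 0;
    return alen < blen ? -1 : 1;
}

/* Canonical comparison of two owner names: labels are compared from the
 * rightmost (most significant) one; when the shared suffix is equal, the
 * name with fewer labels (the ancestor) sorts first.  Returns <0, 0, >0. */
int canonical_cmp(const char *a, const char *b)
{
    const char *la[MAX_LABELS], *lb[MAX_LABELS];
    size_t alen[MAX_LABELS], blen[MAX_LABELS];
    int na = split_labels(a, la, alen);
    int nb = split_labels(b, lb, blen);
    int common = na < nb ? na : nb;

    for (int i = 1; i <= common; i++) {
        int c = cmp_label(la[na - i], alen[na - i], lb[nb - i], blen[nb - i]);
        if (c != 0)
            return c;
    }
    return (na > nb) - (na < nb);
}

/* Does the NSEC with this owner / next-owner pair prove qname absent?
 * Ordinary span: owner < qname < next.  Last NSEC of the zone (next <= owner,
 * the span wraps to the apex): qname after owner or before next.  A qname
 * equal to the owner is never covered, because that name exists.  A wildcard
 * owner like "*.example." is simply another owner name in this ordering. */
bool nsec_covers(const char *owner, const char *next, const char *qname)
{
    int q_vs_owner    = canonical_cmp(qname, owner);
    int q_vs_next     = canonical_cmp(qname, next);
    int next_vs_owner = canonical_cmp(next, owner);

    if (q_vs_owner == 0)
        return false;
    if (next_vs_owner > 0)
        return q_vs_owner > 0 && q_vs_next < 0;
    return q_vs_owner > 0 || q_vs_next < 0;
}

int main(void)
{
    /* Constructed NSEC for illustration, not taken from any real zone. */
    const char *owner = "*.example.", *next = "www.example.";
    const char *names[] = { "mail.example.", "MAIL.Example.", "zzz.example.",
                            "example.", "*.example." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s covered by NSEC %s -> %s: %s\n", names[i], owner, next,
               nsec_covers(owner, next, names[i]) ? "yes" : "no");
    return 0;
}
```

Because `*` (0x2A) sorts before every letter and digit, `*.example.` lands directly after the apex in canonical order, so a span starting at the wildcard legitimately covers names such as `mail.example.`; a validator that refuses wildcard owners as span starts rejects exactly these valid proofs, which is the failure the release note describes.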
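The second major bugfix ("Don't assume trailing zero with string bindata's") is an instance of a general C string-handling hazard. The following block is an added example written for this thread, not getdns code: `bindata_t` is a local stand-in with the same shape as a length-plus-pointer bindata, and `bindata_to_cstr`, `bindata_equals` and the `demo_*` helpers are hypothetical names. It shows the safe way to turn such a value into a NUL-terminated string and to compare it against a literal, on a constructed payload that has unrelated bytes directly after it and no terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in shaped like a length + pointer bindata; nothing promises
 * that data[size] is a NUL byte. */
typedef struct {
    size_t   size;
    uint8_t *data;
} bindata_t;

/* The bug class: strlen((char *)bd->data), strcmp() or printf("%s") assume a
 * terminator after the payload.  A value parsed into a bindata from a
 * configuration file may have none, so the read runs past size until some
 * zero byte happens to appear. */

/* Safe conversion: copy exactly size octets and append the NUL ourselves.
 * Returns a heap string the caller frees, or NULL for malformed input
 * (missing data, or an embedded NUL that would silently truncate the value)
 * and on allocation failure. */
char *bindata_to_cstr(const bindata_t *bd)
{
    if (bd == NULL)
        return NULL;
    if (bd->size > 0 &&
        (bd->data == NULL || memchr(bd->data, '\0', bd->size) != NULL))
        return NULL;
    char *s = malloc(bd->size + 1);
    if (s == NULL)
        return NULL;
    if (bd->size > 0)
        memcpy(s, bd->data, bd->size);
    s[bd->size] = '\0';
    return s;
}

/* Length-aware comparison against a literal: no conversion, no overrun. */
int bindata_equals(const bindata_t *bd, const char *literal)
{
    size_t n = strlen(literal);
    return bd != NULL && bd->size == n &&
           (n == 0 || (bd->data != NULL && memcmp(bd->data, literal, n) == 0));
}

/* Constructed sample: the 14 octets of a tls_ca_path-style value followed
 * directly by unrelated bytes, with no NUL in between.  Returns 1 when the
 * conversion yields exactly the payload and the comparisons stop at size. */
int demo_unterminated_value(void)
{
    uint8_t raw[] = { '/', 'e', 't', 'c', '/', 's', 's', 'l', '/', 'c', 'e', 'r', 't', 's',
                      'J', 'U', 'N', 'K' };
    bindata_t bd = { .size = 14, .data = raw };
    char *s = bindata_to_cstr(&bd);
    int ok = s != NULL && strcmp(s, "/etc/ssl/certs") == 0 &&
             bindata_equals(&bd, "/etc/ssl/certs") &&
             !bindata_equals(&bd, "/etc/ssl/certsJUNK");
    free(s);
    return ok;
}

/* A payload with an embedded NUL is rejected rather than silently cut short. */
int demo_embedded_nul_rejected(void)
{
    uint8_t raw[] = { 'a', '\0', 'b' };
    bindata_t bd = { .size = sizeof raw, .data = raw };
    return bindata_to_cstr(&bd) == NULL;
}

int main(void)
{
    printf("unterminated value handled: %s\n", demo_unterminated_value() ? "yes" : "no");
    printf("embedded NUL rejected:      %s\n", demo_embedded_nul_rejected() ? "yes" : "no");
    return 0;
}
```

The symptom the announcement describes, a configured path or hostname "not affecting Stubby operation", is what this bug class looks like from the outside: the value read past its end compares unequal to anything and is quietly ignored, or a file open fails on a path with trailing garbage, with no error that points at string termination.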