-
Notifications
You must be signed in to change notification settings - Fork 126
/
ChangeLog
744 lines (701 loc) · 36 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
* 2023-??-??: Version 1.7.4
* Issue #536: Broken trust anchor files are silently ignored
Thanks Stéphane Bortzmeyer
* 2022-12-22: Version 1.7.3
* PR #532: Increase CMake required version 3.5 -> 3.20, because we
need cmake_path for Absolute paths in pkg-config (See Issue #517)
Thanks Gabriel Ganne
* Updated to Stubby 0.4.3 quickfix release
* 2022-08-19: Version 1.7.2
* Updated to Stubby 0.4.2 quickfix release
* 2022-08-19: Version 1.7.1
* Always send the `dot` ALPN when using DoT
* Strengthen version determination for Libidn2 during cmake processing
(thanks jpbion).
* Fix for issue in UDP stream selection in case of timeouts.
Thanks Shikha Sharma
* Fix using asterisk in ipstr for any address. Thanks uzlonewolf.
* Issue stubby#295: rdata not correctly written for validation for
certain RR type. Also, set default built type to RelWithDebInfo and
expose CFLAGS via GETDNS_BUILD_CFLAGS define and via
getdns_context_get_api_information()
* Issue #524: Bug fixes from submodules' upstream?
Thanks Johnnyslee
* Issue #517: Allow Absolute path CMAKE_INSTALL_{INCLUDE,LIB}DIR in
pkg-config files. Thanks Alex Shpilkin
* Issue #512: Update README.md to show correct PGP key location.
Thanks Katze Prior.
* 2021-06-04: Version 1.7.0
* Make TLS Handshake timeout max 4/5th of timeout for the query,
just like connection setup timeout was, so fallback transport
have a chance too when TCP connection setup is less well
detectable (as with TCP_FASTOPEN on MacOS).
* Issue #466: Memory leak with retrying queries (for examples
with search paths). Thanks doublez13.
* Issue #480: Handling of strptime when Cross compiling with CMake.
A new option to FORCE_COMPAT_STRPTIME (default disabled) will
(when disabled) make cmake assume the target platform has a POSIX
compatible strptime when cross-compiling.
* Setting of the number of milliseconds send data may remain
unacknowledged by the peer in a TCP connection (when supported
by the OS) with getdns_context_set_tcp_send_timeout()
Thanks maciejsszmigiero.
* Issue #497: Fix typo in CMAKE included files, so Stubby can use
TLS v1.3 with chipersuites options ON. Thanks har-riz.
* Basic name compression on server replied messages. Thanks amialkow!
This alleviates (but might not completely resolve) issues #495 and
#320 .
* Eventloop extensions back to the old names libgetdns_ext_event,
libgetdns_ext_ev and libgetdns_ext_uv.
* Compilation warning fixes. Thanks Andreas!
* 2020-02-28: Version 1.6.0
* Issues #457, #458, #461: New symbols with libnettle >= 3.4.
Thanks hanvinke & kometchtech for testing & reporting.
* Issue #432: answer_ipv4_address and answer_ipv6_address in reply
and response dicts.
* Issue #430: Record and guard UDP max payload size with servers.
* Issue #407: Run only offline-tests option with:
src/test/tpkg/run-offline-only.sh (only with git checkouts).
* Issue #175: Include the packet the stub resolver sent to the
upstream the call_reporting dict. Thanks Tom Pusateri
* Issue #169: Build eventloop support libraries if event libraries
are available. Thanks Tom Pusateri
* 2019-12-20: Version 1.6.0-beta.1
* Migration of build system to cmake. Build now works on Ubuntu,
Windows 10 and macOS.
Some notes on minor differences in the new cmake build:
* OpenSSL 1.0.2 or higher is now required
* libunbound 1.5.9 is now required
* Only libidn2 2.0.0 and later is supported (not libidn)
* Windows uses ENABLE_STUB_ONLY=ON as the default
* Unit and regression tests work on Linux/macOS
(but not Windows yet)
* 2019-04-03: Version 1.5.2
* PR #424: Two small trust anchor fetcher fixes
Thanks Maciej S. Szmigiero
* Issue #422: Enable server side and update client side TCP Fast
Open implementation. Thanks Craig Andrews
* Issue #423: Fix insecure delegation detection while scheduling.
Thanks Charles Milette
* Issue #419: Escape backslashed when printing in JSON format.
Thanks boB Rudis
* Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
option to configure. libcrypto (from OpenSSL) still needed
for Zero configuration DNSSEC.
* DOA rr-type
* AMTRELAY rr-type
* 2019-01-11: Version 1.5.1
* Introduce proof of concept GnuTLS implementation. Incomplete support
for Trust Anchor validation. Requires GnuTLS DANE library. Currently
untested with GnuTLS prior to 3.5.19, so configure demands a minumum
version of 3.5.0.
* Be consistent and always fail connection setup if setting ciphers/curves/
TLS version/cipher suites fails.
* Refactor OpenSSL usage into modules under src/openssl.
Drop support for LibreSSL and versions of OpenSSL prior to 1.0.2.
* PR #414: remove TLS13 ciphers from cipher_list, but
only when SSL_CTX_set_ciphersuites is available.
Thanks Bruno Pagani
* Issue #415: Filter out #defines etc. when creating
symbols file. Thanks Zero King
* 2018-12-21: Version 1.5.0
* RFE getdnsapi/stubby#121 log re-instantiating TLS
upstreams (because they reached tls_backoff_time) at
log level 4 (WARNING)
* GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
* ZONEMD rr-type
* getdns_query queries for addresses when a query name
without a type is given.
* RFE #408: Fetching of trust anchors will be retried
after failure, after a certain backoff time. The time
can be configured with
getdns_context_set_trust_anchors_backoff_time().
* RFE #408: A "dnssec" extension that requires DNSSEC
verification. When this extension is set, Indeterminate
DNSSEC status will not be returned.
* Issue #410: Unspecified ownership of get_api_information()
* Fix for DNSSEC bug in finding most specific key when
trust anchor proves non-existance of one of the labels
along the authentication chain other than the non-
existance of a DS record on a zonecut.
* Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
Configurable minimum and maximum TLS versions with
getdns_context_set_tls_min_version() and
getdns_context_set_tls_max_version() functions and
tls_min_version and tls_max_version configuration parameters
for upstreams.
* Configurable TLS1.3 ciphersuites with the
getdns_context_set_tls_ciphersuites() function and
tls_ciphersuites config parameter for upstreams.
* Bugfix in upstream string configurations: tls_cipher_list and
tls_curve_list
* Bugfix finding signer for validating NSEC and NSEC3s, which
caused trouble with the partly tracing DNSSEC from the root
up, introduced in 1.4.2. Thanks Philip Homburg
* 2018-05-11: Version 1.4.2
* Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
in the Windows root CA store.
* PR #397: No TCP sendto without TCP_FASTOPEN
Thanks Emery Hemingway
* Bugfix getdnsapi/stubby#106: Core dump when printing certain
configuration. Thanks Han Vinke
* Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
up (for tld and sld), to find insecure delegations quicker.
Thanks UniverseXXX
* Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
Bug was introduced when dealing with CVE-2017-15105
* Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
string bindata's. Thanks Lonnie Abelbeck
* Bugfix #394: Update src/compat/getentropy_linux.c in order to
handle ENOSYS (not implemented) fallback.
Thanks Brent Blood
* Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
or higher. Thanks mire3212
* 2018-03-12: Version 1.4.1
* Bugfix #388: Prevent fallback to an earlier tries upstream within a
single query. Thanks Robert Groenenberg
* PR #387: Compile with OpenSSL with deprecated APIs disabled.
Thanks Rosen Penev
* PR #386: UDP failover improvements:
- When all UDP upstreams fail, retry them (more or less) equally
- Limit maximum UDP backoff (default to 1000)
This is configurable with the --with-max-udp-backoff configure
option.
Thanks Robert Groenenberg
* Bugfix: Find zonecut with DS queries (instead of SOA queries).
Thanks Elmer Lastdrager
* Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
Thanks hanvinke
* PR #384: Fix minor spelling and formatting. Thanks dkg.
* Bugfix #382: Parallel install of getdns_query and getdns_server_mon
* 2018-02-21: Version 1.4.0
* .so revision bump to please fedora packaging system.
Thanks Paul Wouters
* Specify the supported curves with getdns_context_set_tls_curves_list()
An upstream specific list of supported curves may also be given
with the tls_curves_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* New tool getdns_server_mon for checking upstream recursive
resolver's capabilities.
* Improved handling of opportunistic back-off. If other transports
are working, don’t forcibly promote failed upstreams just wait for
the re-try timer.
* Hostname authentication with libressl
Thanks Norbert Copones
* Security bugfix in response to CVE-2017-15105. Although getdns was
not vulnerable for this specific issue, as a precaution code has been
adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
be wildcard expansions when used with DNSSEC proofs. Only direct
queries for those types are allowed to be wildcard expansions.
* Bugfix PR#379: Miscelleneous double free or corruption, and corrupted
memory double linked list detected issue, with serving functionality.
Thanks maddie and Bruno Pagani
* Security Bugfix PR#293: Check sha256 pinset's
with OpenSSL native DANE functions for OpenSSL >= 1.1.0
with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
don't allow for authentication exceptions (like self-signed
certificates) otherwise. Thanks Viktor Dukhovni
* libidn2 support. Thanks Paul Wouters
* 2017-12-21: Version 1.3.0
* Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
Thanks Tim Rühsen and Konomi Kitten
* Specify default available cipher suites for authenticated TLS
upstreams with getdns_context_set_tls_ciphers_list()
An upstream specific available cipher suite may also be given
with the tls_cipher_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
Thanks Pascal Ernster
* Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
context configured upstreams. Thanks Andreas Schulze
* Report default extension settings with
getdns_context_get_api_information()
* Specify locations at which CA certificates for verification purposes
are located: getdns_context_set_tls_ca_path()
getdns_context_set_tls_ca_file()
* getdns_context_set_resolvconf() function to initialize a context
upstreams and suffices with a resolv.conf file.
getdns_context_get_resolvconf() to get the file used to initialize
the context's upstreams and suffixes.
getdns_context_set_hosts() function to initialize a context's
LOCALNAMES namespace.
getdns_context_get_hosts() function to get the file used to initialize
the context's LOCALNAMES namespace.
* get which version of OpenSSL was used at build time and at run time
when available with getdns_context_get_api_information()
* GETDNS_RETURN_IO_ERROR return error code
* Bugfix #359: edns_client_subnet_private should set family
Thanks Daniel Areiza & Andreas Schulze
* Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
validation. Thanks Bruno Pagani
* 2017-11-11: Version 1.2.1
* Handle more I/O error cases. Also, when an I/O error does occur,
never stop listening (with servers), and
never exit (when running the built-in event loop).
* Bugfix: Tolerate unsigned and unused RRsets in the authority section.
Fixes DNSSEC with BIND upstream.
* Bugfix: DNSSEC validation without support records
* Bugfix: Validation of full recursive DNSKEY lookups
* Bugfix: Retry to validate full recursion BOGUS replies with zero
configuration DNSSEC only when DNSSEC was actually requested
* Bugfix #348: Fix a linking issue in stubby when libbsd is present
Thanks Remi Gacogne
* More robust scheduling; Eliminating a segfault with long running
applications.
* Miscellaneous Windows portability fixes from Jim Hague.
* Fix Makefile dependencies for parallel install.
Thanks ilovezfs
* 2017-09-29: Version 1.2.0
* Bugfix of rc1: authentication of first query with TLS
Thanks Travis Burtrum
* A function to set the location for library specific data,
like trust-anchors: getdns_context_set_appdata().
* Zero configuration DNSSEC - build upon the scheme
described in RFC7958. The URL from which to fetch
the trust anchor, the verification CA and email
can be set with the new getdns_context_set_trust_anchor_url(),
getdns_context_set_trust_anchor_verify_CA() and
getdns_context_set_trust_anchor_verify_email() functions.
The default values are to fetch from IANA and to validate
with the ICANN CA.
* Update of Stubby with yaml configuration file and
logging from a certain severity support.
* Fix tpkg exit status on test failure. Thanks Jim Hague.
* Refined logging levels for upstream statistics
* Reuse (best behaving) backed-off TLS upstreams when non are usable.
* Let TLS upstreams back-off a incremental amount of time.
Back-off time starts with 1 second and is doubled each failure, but
will not exceed the time given by getdns_context_set_tls_backoff_time()
* Make TLS upstream management more resilient to temporary outages
(like laptop sleeps)
* 2017-09-04: Version 1.1.3
* Small bugfixes that came out of static analysis
* No annotations with the output of getdns_query anymore,
unless -V option is given to increase verbosity
Thanks Ollivier Robert
* getdns_query will now exit with failure status if replies are BOGUS
* Bugfix: dnssec_return_validation_chain now also works when fallback
to full recursion was needed with dnssec_roadblock_avoidance
* More clear build instructions from Paul Hoffman. Thanks.
* Bugfix #320.1: Eliminate multiple closing of file descriptors
Thanks Neil Cook
* Bugfix #320.2: Array bounds bug in upstream_select
Thanks Neil Cook
* Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki
pages. Thanks James Raftery
* Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface
but does not have it implemented. Thanks Joel Purra
* Compile without Stubby by default. Stubby now has a git repository
of its own. The new Stubby repository is added as a submodule.
Stubby will still be build alongside getdns with the --with-stubby
configure option.
* 2017-07-03: Version 1.1.2
* Bugfix for parallel make install
* Bugfix to trigger event callbacks on socket errors
* A getdns_context_set_logfunc() function with which one may
register a callback log function for certain library subsystems
at certain levels. Currently this can only be used for
upstream stastistics subsystem.
* 2017-06-15: Version 1.1.1
* Bugfix #306 hanging/segfaulting on certain (IPv6) upstream failures
* Spelling fix s/receive/receive. Thanks Andreas Schulze.
* Added stubby-setdns-macos.sh script to support Homebrew formula
* Include stubby.conf in the districution tarball
* Bugfix #286 reschedule reused listening addresses
* Bugfix #166 Allow parallel builds and unit-tests
* NSAP-PTR, EID and NIMLOC, TALINK, AVC support
* Bugfix of TA RR type
* OPENPGPKEY and SMIMEA support
* Bugfix TAG rdata type presentation format for CAA RR type
* Bugfix Zero sized gateways with IPSECKEY gateway_type 0
* Guidance for integration with systemd
* Also check for memory leaks with advances server capabilities.
* Bugfix convert IP string to IP dict with getdns_str2dict() directly.
* 2017-04-13: Version 1.1.0
* bugfix: Check size of tls_auth_name.
* Improvements that came from Visual Studio static analysis
* Fix to compile with libressl. Thanks phicoh.
* Spelling fixes. Thanks Andreas Schulze.
* bugfix: Reschedule request timeout when getting the DNSSEC chain.
* getdns_context_unset_edns_maximum_udp_payload_size() to reset
to default IPv4/IPv6 dependent edns max udp payload size.
* Implement sensible default edns0 padding policy. Thanks DKG.
* Keep connections open with sync requests too.
* Fix of event loops so they do not give up with naked timers with
windows. Thanks Christian Huitema.
* Include peer certificate with DNS-over-TLS in combination with
the return_call_reporting extension.
* More fine grained control over TLS upstream retry and back off
behaviour with getdns_context_set_tls_backoff_time() and
getdns_context_set_tls_connection_retries().
* New round robin over the available upstreams feaure.
Enable with getdns_context_set_round_robin_upstreams()
* Bugfix: Queue requests when no sockets available for outgoing queries.
* Obey the outstanding query limit with STUB resolution mode too.
* Updated stubby config file
* Draft MDNS client implementation by Christian Huitema.
Enable with --enable-draft-mdns-support to configure
* bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
By moving default eventloop from select to poll
Thanks Neil Cook
* bugfix: authentication failure for self signed cert + only pinset
* bugfix: issue with session re-use making authentication appear to fail
* 2017-01-13: Version 1.0.0
* edns0_cookies extension enabled by default (per RFC7873)
* dnssec_roadblock_avoidance enabled by default (per RFC8027)
* bugfix: DSA support with OpenSSL 1.1.0
* Initialize OpenSSL just once in a thread safe way
* Thread safety with arc4random function
* Improvements that came from Visual Studio static analysis
Thanks Christian Huitema
* Conventional RFC3986 IPv6 [address]:port parsing from getdns_query
* bugfix: OpenSSL 1.1.0 style crypto locking
Thanks volkommenheit
* configure tells *which* dependency is missing
* bugfix: Exclude terminating '\0' from bindata's returned by
getdns_get_suffix(). Thanks Jim Hague
* Better README.md. Thanks Andrew Sullivan
* 2016-10-19: Version 1.1.0-a2
* Improved TLS connection management
* OpenSSL 1.1 support
* Stubby, Server version of getdns_query that by default listens
on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
and $HOME/.stubby.conf
* 2016-07-14: Version 1.1.0a1
* Conversion functions from text strings to getdns native types:
getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
getdns_str2int()
* A getdns_context_config() function that configures a context
with settings given in a getdns_dict
* A a getdns_context_set_listen_addresses() function and companion
getdns_reply() function to construct simple name servers.
* Relocate getdns_query to src/tools and build by default
* Enhancements to the logic used to select connection based upstream
transports (TCP, TLS) to improve robustness and re-use of
connections/upstreams.
* 2016-07-14: Version 1.0.0b2
* Collect coverage information from the unit tests
Thanks Shane Kerr
* pkg-config for the getdns_ext_event library
Thanks Tom Pusateri
* Bugfix: Multiple requests on the same upstream with a transport
that keeps connections open in synchronous stub mode.
* Canonicalized DNSSEC chain with dnssec_return_validation_chain
(when validated)
* A dnssec_return_full_validation_chain extension which includes
then validated resource records.
* Bugfix: Callbacks fired while scheduling (answer from cache)
with the unbound plugable event API
* header extension to set opcode and flags in stub mode
* Unit tests that cover more code
* Static checking with the clang analyzer
* getdns_pretty_print_dict prints dname's as primitives
* Accept just bindata's instead of address dicts.
Allow misshing "address_type" in address dicts.
* TLS session resumption
* -C <config file> option to getdns_query to configure context
from a json like formatted file. The output of -i (print API
information) can be used as config file directly.
Settings may also be given in this format as arguments of
the getdns_query command directly.
* DNS server mode for getdns_query. Enable by providing addresses
to listen on, either by giving "-z <listen address>" options or by
providing "listen_addresses" in the config file or settings.
* Bugfixes from deckard testing: CNAME loop protection.
* "srv_addresses" in response dict with getdns_service()
* use libbsd when available
Thanks Guillem Jover
* Bugfix: DNSSEC wildcard validation issue
* Bugfix: TLS timeouts not re-using a connection
* A getdns_context_get_eventloop(), to get the current
(pluggable) eventloop from context
* getdns_query now uses the default event loop (instead of custom)
* Return call_reporting info in case of timeout
Thanks Robert Groenenberg
* Bugfix: Build fails with autoconf 2.63, works with 2.68.
Thanks Robert Groenenberg
* Doxygen output for getdns.h and getdns_extra.h only
* Do not call SSL_library_init() from getdns_context_create() when
the second bit from the set_from_os parameter is set.
* 2016-03-31: Version 1.0.0b1
* openssl 1.1.0 support
* GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
* getdns_context_set_follow_redirects()
* Read suffix list from registry on Windows
* A dnssec_return_all_statuses extension
* Set root servers without temporary file (libunbound >= 1.5.8 needed)
* Eliminate unit test's ldns dependency
* pkts wireformat <-> getdns_dict <-> string
conversion functions
* Eliminate all side effects when doing sync requests
(libunbound >= 1.5.9 needed)
* Bugfix: Load gost algorithm if digest is seen before key algorithm
Thanks Jelte Janssen
* Bugfix: Respect DNSSEC skew.
* Offline dnssec validation for any given point in time
* Correct return value in documentation for getdns_pretty_print_dict().
Thanks Linus Nordberg
* Bugfix: Don't treat "domain" or "search" as a nameserver.
Thanks Linus Nordberg
* Use the default CA trust store on Windows (for DNS over TLS).
* Propagate eventloop to unbound when unbound has pluggable event loops
(libunbound >= 1.5.9 needed)
* Replace mini_event extension by default_eventloop
* Bugfix: Segfault on NULL pin
* Bugfix: Correct output of get_api_settings
* Bugfix: Memory leak with getdns_get_api_information()
Thanks Robert Groenenberg.
* 2015-12-31: Version 0.9.0
* Update of unofficial extension to the API that supports stub mode
TLS verification. GETDNS_AUTHENTICATION_HOSTNAME is replaced by
GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias).
Upstreams can now be configured with either a hostname or a SPKI pinset
for TLS authentication (or both). If the GETDNS_AUTHENTICATION_REQUIRED
option is used at least one piece of authentication information must be
configured for each upstream, and all the configured authentication
information for an upstream must validate.
* Remove STARTTLS implementation (no change to SPEC)
* Enable TCP Fast Open when possible. Add OSX support for TFO.
* Rename return_call_debugging to return_call_reporting
* Bugfix: configure problem with getdns-0.5.1 on OpenBSD
Thanks Claus Assmann.
* pkg-config support. Thanks Neil Cook.
* Functions to convert from RR dicts to wireformat and text format
and vice versa. Including a function that builds a getdns_list
of RR dicts from a zonefile.
* Use the with the getdns_context_set_dns_root_servers() function
provided root servers in recursing resolution modus.
* getdns_query option (-f) to read a DNSSEC trust anchor from file.
* getdns_query option (-R) to read a "root hints" file.
* Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
dnssec_return_validation_chain.
* Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
* Client side edns-tcp-keepalive support
* TSIG support + getdns_query syntax to specify TSIG parameters
per upstream: @<ip>[^[<algorithm>:]<name>:<secret in Base64>]
* Bugfix: Allow truncated answers to be returned in case of missing
fallback transport.
* Verify upstream TLS pubkeys with pinsets; A getdns_query option
(-K) to attach pinsets to getdns_contexts.
Thanks Daniel Kahn Gillmor
* Initial support for Windows. Thanks Gowri Visweswaran
* add_warning_for_bad_dns extension
* Try and retry with suffixes giving with getdns_context_set_suffix()
following directions given by getdns_context_set_append_name()
getdns_query options to set suffixes and append_name directions:
'-W' to append suffix always (default)
'-1' to append suffix only to single label after failure
'-M' to append suffix only to multi label name after failure
'-N' to never append a suffix
'-Z <suffixes>' to set suffixes with the given comma separated list
* Better help text for getdns_query (printed with the '-h' option)
* Setting the +specify_class extension with getdns_query
* Return NOT_IMPLEMENTED for not implemented namespaces, and the
not implemented getdns_context_set_follow_redirects() function.
* 2015-11-18: Version 0.5.1
* Bugfix: growing upstreams arrow.
* Bugfix: Segfault on timeout in specific conditions
* Bugfix: install getdns_extra.h from build location
* Bugfix: Don't let cookies overwrite existing EDNS0 options
* Don't link libdl
* The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
When using DNS over TLS, query sizes will be padded to multiples
of a block size given with:
getdns_context_set_tls_query_padding_blocksize()
* An EDNS client subnet private option, that will ask a EDNS client
subnet aware resolver to not reveal any details about the
originating network. See: draft-ietf-dnsop-edns-client-subnet
Set with: getdns_context_set_edns_client_subnet_private()
* The return_call_debugging extension. The extension will also return
the transport used on top of the information about the request which
is described in the API spec.
* A dnssec_roadblock_avoidance extension. When set, the library will
work in stub resolution mode and try to get a by DNSSEC validation
assessed answer. On BOGUS answers the library will retry rescursive
resolution mode. This is the simplest form of passive roadblock
detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
Use the --enable-draft-dnssec-roadblock-avoidance option to configure
to compile with this extension.
* 2015-10-29: Version 0.5.0
* Native crypto. No ldns dependency anymore.
(ldns still necessary to be able to run tests though)
* JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_*
to dereference nested dicts and lists.
* Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned
DS answers close to the root. Thanks Theogene Bucuti!
* Default port for TLS changed to 853
* Unofficial extension to the API to allow TLS hostname verification to be
required for stub mode when using only TLS as a transport.
When required a hostname must be supplied in the
'hostname' field of the upstream_list dict and the TLS cipher suites are
restricted to the 4 AEAD suites recommended in RFC7525.
* 2015-09-09: Version 0.3.3
* Fix clearing upstream events on shutdown
* Fix dnssec validation of direct CNAME queries.
Thanks Simson L. Garfinkel.
* Fix get_api_information():version_string also for release candidates
* 2015-09-04: Version 0.3.2
* Fix returned upstreams list by getdns_context_get_api_information()
* Fix some autoconf issues when srcdir != builddir
* Fix remove build date from manpage version for reproducible builds
* Fix transport fallback issues plus transport fallback unit test script
* Fix string bindata's need not contain trailing zero byte
* --enable-stub-only configure option for stub only operation.
Stub mode will be the default. Removes the dependency on libunbound
* --with-getdns_query compiles and installs the getdns_query tool too
* Fix assert on context destruction from a callback in stub mode too.
* Use a thread instead of a process for running the unbound event loop.
* 2015-07-18: Version 0.3.1
* Fix repeating rdata fields
* 2015-07-17: Version 0.3.0
* Unit test for spurious execute bits. Thanks Paul Wouters.
* Added new transport list options in API. The option is now an ordered
list of GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP,
GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_STARTTLS.
* Added new context setting for idle_timeout
* CSYNC RR type
* EDNS0 COOKIE option code set to 10
* dnssec_return_validation_chain for negative and insecure responses.
* dnssec_return_validation_chain return a single RRSIG on each RRSET
(whenever possible)
* getdns_validate_dnssec() accept replies from the replies_tree
* getdns_validate_dnssec() asses negative and insecure responses.
* Native stub dnssec validation
* Implemented getdns_context_set_dnssec_trust_anchors()
* Switch freely between stub and recursive mode
* getdns_query -k shows default trust anchors
* functions and defines to get library and API versions in string
and numeric values: getdns_get_version(), getdns_get_version_number(),
getdns_get_api_version() and getdns_get_api_version_number()
* 2015-05-21: Version 0.2.0
* Fix libversion numbering: Thanks Daniel Kahn Gillmor
* run_once method for the libevent extension
* autoreconf -fi on FreeBSD always, because of newer libtool version
suitable for FreeBSD installs too. Thanks Robert Edmonds
* True asynchronous processing of the new TLS transport options
* GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
transport option.
* Manpage fixes: Thanks Anthony Kirby
* 2015-04-19: Version 0.1.8
* The GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN and
GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
DNS over TLS transport options.
* 2015-04-08: Version 0.1.7
* Individual getter functions for context settings
* Fix: --with-current-date function to make build deterministically
reproducible (i.e. the GETDNS_COMPILATION_COMMENT define from
getdns.h contains a date value). Thanks Ondřej Surý
* Fix: Include m4 dir in distribution tarball
* Fix: Link build requirements in tests too. Thanks Ondřej Surý
* Fix: Remove executable flags on source files. Thanks Paul Wouters
* Fix: Return "just_address_answers" only when queried for addresses
* Eliminate ldns intermediate wireformat parsing
* The CSYNC RR type
* Fix: canonical_name in response dict returns the canonical name
found after following all CNAMEs
* Implementation of the section 6 and 7 version of
draft-ietf-dnsop-cookies-01.txt for stub resolution. Enable with the
--enable-draft-edns-cookies option to configure. Use it by setting the
edns_cookies extension to GETDNS_EXTENSION_TRUE.
* Pretty printing of lists with:
char *getdns_pretty_print_list(getdns_list *list)
* Output to json format with:
char * getdns_print_json_dict(const getdns_dict *some_dict, int pretty);
char * getdns_print_json_list(const getdns_list *some_list, int pretty);
* snprintf style versions of the dict, list and json print functions.
* Better random number generation with OpenBSD's arc4random
* Let getdns_address schedule the AAAA query first. This results in AAAA
being the first in the just_address_answers sections of the response dict.
* New context update callback function to also return a user given argument
along with the context and which item was changed.
Thanks Scott Hollenbeck.
* Demotivate use of getdns_strerror and expose getdns_get_errorstr_by_id.
Thanks Scott Hollenbeck.
* A getter for context update callback, to allow for chaining update
callbacks.
* 2015-01-16: Version 0.1.6
* Fix: linking against libev on FreeBSD
* Fix: Let configure report problem on FreeBSD when configuring with
libevent and libunbound <= 1.4.22 is not compiled with libevent.
* Fix: Build on Mac OS-X
* Fix: Lintian errors in manpages
* Better libcheck detection
* Better portability with UNIX systems
* 2014-10-31: Version 0.1.5
* Unit tests for transport settings
* Fix: adhere to set maximum UDP payload size
* API change: when no maximum UDP payload size is set, outgoing
values will adhere to the suggestions in RFC 6891 and may follow
a scheme that uses multiple values to maximize receptivity.
* Stub mode use 1232 maximum UDP payload size when connecting to an
IPv6 upstreams and 1432 with an IPv4 upstream.
* Evaluate namespaces (or not) on a per query basis
* GETDNS_NAMESPACE_LOCALNAMES namespace now gives just_address_answers
only and does not mimic a DNS packet answer anymore
* The add_opt_parameters extension
* IPv6 scope_id support with link-local addresses. Both with parsing
/etc/resolv.conf and by providing them explicitly via
getdns_context_set_upstream_recursive_servers
* Query for A and AAAA simultaneously with return_both_v4_and_v6
* GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN DNS transport
* Fix: Answers without RRs in query secion (i.e. REFUSED)
* Fix: Return empty response dict on timeout in async mode too
* Move spec examples to spec subdirectory
* Fix issue#76: Setting UDP Payload size below 512 should not error
* Fix: Include OPT RR in response dict always (even without options)
* TCP Fast open support (linux only).
Enable with the --enable-tcp-fastopen configure option
* Bump library version because of binary API change
* 2014-09-03: Version 0.1.4
* Synchronous resolves now respect timeout setting,
* On timeout *_sync functions now return GETDNS_RETURN_GOOD and a
response dict with "status" GETDNS_RESPSTATUS_ALL_TIMEOUT>
* Fix issue#50: getdns_dict_remove_name returns GETDNS_RETURN_GOOD on
success.
* Fix Issue#54: set_ub_dns_transport() not working
* Fix Issue#49: Typo in documentation (thanks Stephane Bortzmeyer)
* getdns_context_set_limit_outstanding_queries(),
getdns_context_set_dnssec_allowed_skew() and
getdns_context_set_edns_maximum_udp_payload_size() now working
* <rr>_unknown rdata field for unknown or unsupported RR types
* Temporarily disable timeout unit test 3 because of unpredictable results
* Spec updated to version 0.507
* Renamed "resolver_type" to "resolution_type" in dict returned from
getdns_context_get_api_information()
* Added GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS return code for with the
dnssec_return_only_secure extension
* Added support for CDS and CDNSKEY RR types, but needs ldns > 1.6.17 to
be able to parse the wire format (not released yet at time of writing)
* Added OPENPGPKEY RR type, but no rdata fields implementation yet
* Updated spec to version 0.508 (September 2014)
* Also chase NSEC and NSEC3 RRSIGs with dnssec_return_validation_chain
* 2014-06-25: Version 0.1.3
* libtool chage, remove -release, added -version-info
* Update specification to the June 2014 version (0.501)
* 2014-06-02: Version 0.1.2
* Fixed rdata fields for MX
* Expose only public API symbols
* Updated manpages
* specify_class extension
* Build from separate build directory
* Anticipate libunbound not returning the answer packet
* Pretty print bindata's representing IP addresses
* Anticipate absence of implicit DSO linking
* Mention getdns specific options to configure in INSTALL
Thanks Paul Hoffman
* Mac OSX package built instructions for generic user in README.md
Thanks Joel Purra
* Fixed build problems on RHEL/CentOS due using libevent 1.x
* 2014-03-24 : Version 0.1.1
* default to NOT build extensions (libev, libuv, libevent), handle
--with/--without options to configure for them
* Fixed some build/make nits
* respect configure --docdir=X
* Documentation/man page updates
* Fix install and cpp guards in getdns_extra.h
* Add method to switch between threads and fork mode for unbound
* Fixes for libuv integration (saghul)
* Fixes for calling getdns_destroy_context within a callback
* Fixed signal related defines/decls
* 2014-02-25 : Version 0.1.0
* Initial public release of the getdns API