Releases: getdnsapi/getdns
getdns-1.5.0 release
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.5.0.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.5.0.tar.gz.asc |
| sha256 | 577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84 |
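How a download from one of these tables is checked in practice, as an added example (this is not getdns project code): the digest is first checked for shape, since a value that is not 64 hex digits cannot be a SHA-256 and a plain compare would only report a mismatch, then compared, and then the detached `.asc` signature is verified with `gpg`. The sample bytes and their digest are constructed so the digest part runs offline; the `gpg` step only runs when pointed at real files, and assumes the signing key was obtained out of band and is already in the keyring.

```python
"""Release-artifact verification: SHA-256 digest plus detached PGP signature."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# hex digest length -> the algorithm a digest of that length can belong to
HEX_DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digest_algorithm(digest_hex):
    """Return the algorithm a hex digest can come from, or None if it is not a
    well-formed digest. A value labelled sha256 but only 40 hex digits long
    cannot be a SHA-256 and must not be compared as one."""
    d = digest_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        return None
    return HEX_DIGEST_ALGORITHMS.get(len(d))


def verify_sha256_bytes(data, expected_hex):
    """Return (ok, reason). A digest of the wrong shape is reported as such
    instead of as a plain mismatch, so a mis-published value is noticed."""
    if digest_algorithm(expected_hex) != "sha256":
        return False, "expected value is not a 64-hex-digit SHA-256 digest"
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_hex.strip().lower():
        return False, "digest mismatch: got " + actual
    return True, "sha256 ok"


def verify_sha256_file(path, expected_hex):
    """Same check for a file on disk; a release tarball is small enough to read whole."""
    return verify_sha256_bytes(Path(path).read_bytes(), expected_hex)


def verify_pgp_signature(tarball, asc, gnupghome=None):
    """gpg --verify on a detached signature; True only when gpg exits 0.
    The signing key must already be in the keyring, fetched and checked out of
    band: an unknown key makes gpg fail, which is the result we want."""
    cmd = ["gpg", "--batch", "--verify", str(asc), str(tarball)]
    if gnupghome:
        cmd[1:1] = ["--homedir", str(gnupghome)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:       # gpg not installed: treat as not verified
        return False


def verify_release(tarball, expected_sha256, asc=None):
    """Digest shape and value first, then the signature when an .asc is given."""
    ok, reason = verify_sha256_file(tarball, expected_sha256)
    if not ok:
        return False, reason
    if asc is not None and not verify_pgp_signature(tarball, asc):
        return False, "PGP signature did not verify"
    return True, ("digest ok" if asc is None else "digest ok, signature ok")


# Constructed sample input: the bytes b"hello\n" and their known SHA-256.
SAMPLE = b"hello\n"
SAMPLE_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def demo():
    """Write the sample to a temporary file and verify it (digest only)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "sample.tar.gz"
        p.write_bytes(SAMPLE)
        return verify_release(p, SAMPLE_SHA256)


if __name__ == "__main__":
    print(demo())
    # Real use, with the values from the release table:
    # verify_release("getdns-1.5.0.tar.gz",
    #                "577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84",
    #                "getdns-1.5.0.tar.gz.asc")
```

The shape check matters on this very page: the 1.5.0-rc1 table further down lists a 40-hex-digit value on its sha256 row, and this function refuses it outright rather than reporting a mismatch that a reader might blame on a corrupt download.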
Dear all,
I am pleased to announce the new Christmas 2018 bugfix and maintenance release, version 1.5.0 of getdns.
Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.
For the DNS-over-TLS capability this means TLS1.3 support.
- TLS1.3 cipher suites can now be configured, either at context level with the `getdns_context_set_tls_ciphersuites()` function, or at upstream level by specifying a `tls_ciphersuites` entry. For example:

  `getdns_query -s -L '{ upstream_recursive_servers: [ { address_data: 1.1.1.1, tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'`

  For TLS1.2 and earlier the (not new) `getdns_context_set_tls_cipher_list()` function, or a `tls_cipher_list` entry at upstream level, needs to be used. The two settings are independent, analogous to the `SSL_CTX_set_ciphersuites()` and `SSL_CTX_set_cipher_list()` functions in OpenSSL, so a TLS1.3 suite name belongs in `tls_ciphersuites` and not in `tls_cipher_list`.
- The minimum and maximum TLS version to be used per upstream can now be specified at context level with the `getdns_context_set_tls_min_version()` and `getdns_context_set_tls_max_version()` functions, or at upstream level by specifying a `tls_min_version` or a `tls_max_version` entry. For example:

  `getdns_query -s -L '{ upstream_recursive_servers: [ { address_data: 185.49.141.38, tls_max_version: GETDNS_TLS1_2 } ] }'`

  An example that requires TLS1.3 support at context level:

  `getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' @185.49.141.38 @1.1.1.1 +return_call_reporting`

  Because 185.49.141.38 does not yet support TLS1.3, this will result in queries to 1.1.1.1 only, as can be seen under `"call_reporting"` in the response dict. The version floor is enforced by not using an upstream that cannot meet it, not by downgrading the connection to it.
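The per-upstream TLS policy described above, rebuilt as an added example with Python's `ssl` module (this is not getdns code and does not call the getdns API): the same floor and ceiling as `tls_min_version`/`tls_max_version`, a TLS1.2-and-earlier cipher list in the role of `tls_cipher_list`, and a probe that reports which upstreams a given policy can still reach, much as the `+return_call_reporting` experiment does. Python only exposes OpenSSL's `SSL_CTX_set_cipher_list()`, so the example also shows what happens when a TLS1.3 suite name is handed to that setting. The addresses, authentication names and port 853 in the demo are assumptions for the probe.

```python
"""TLS version floor/ceiling and cipher-list policy for a DNS-over-TLS client."""
import socket
import ssl

# getdns constant name -> ssl.TLSVersion
GETDNS_TLS_VERSIONS = {
    "GETDNS_TLS1_2": ssl.TLSVersion.TLSv1_2,
    "GETDNS_TLS1_3": ssl.TLSVersion.TLSv1_3,
}


def build_dot_context(tls_min_version="GETDNS_TLS1_2", tls_max_version=None,
                      tls_cipher_list=None, ca_file=None):
    """Client context for an authenticated DNS-over-TLS connection.
    create_default_context() verifies the chain and the host name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = GETDNS_TLS_VERSIONS[tls_min_version]
    if tls_max_version is not None:
        ctx.maximum_version = GETDNS_TLS_VERSIONS[tls_max_version]
    if tls_cipher_list is not None:
        # set_ciphers() is OpenSSL's SSL_CTX_set_cipher_list(): it governs
        # TLS1.2-and-earlier ciphers only, like getdns's tls_cipher_list.
        ctx.set_ciphers(tls_cipher_list)
    return ctx


def cipher_list_accepts(cipher_list):
    """True if OpenSSL accepts the string as a TLS1.2-and-earlier cipher list.
    A TLS1.3 suite name such as TLS_AES_256_GCM_SHA384 is rejected here: it
    belongs to the separate ciphersuites setting (getdns: tls_ciphersuites)."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(cipher_list)
        return True
    except ssl.SSLError:
        return False


def probe_dot(address, auth_name, port=853, timeout=5.0, **policy):
    """Connect to a DoT upstream under a TLS policy and return the negotiated
    protocol version, or None when the policy, the network or the certificate
    excludes that upstream (an authentication failure is a failure, not a
    fallback)."""
    ctx = build_dot_context(**policy)
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    # Assumed upstreams and authentication names for the probe.
    upstreams = [("185.49.141.38", "getdnsapi.net"), ("1.1.1.1", "cloudflare-dns.com")]
    for addr, name in upstreams:
        print(addr, probe_dot(addr, name, tls_min_version="GETDNS_TLS1_3"))
```

Run with a TLS1.3 floor, the probe prints a version only for the upstreams that can satisfy it and `None` for the rest, which is the same outcome the `call_reporting` output shows for the getdns_query example.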
For DNSSEC:
- Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY algorithm support.
- A new extension named `dnssec`, which requires that DNSSEC verification is performed. With this extension, answers with DNSSEC status INDETERMINATE will no longer be returned; only INSECURE and SECURE answers will be. One benefit of this mode is that getdns will hard fail if it does not have, or cannot fetch, a valid trust anchor and perform validation.
- Automatic fetching of trust anchors à la Zero configuration DNSSEC will now be retried after failure, after a number of milliseconds that can be specified with `getdns_context_set_trust_anchors_backoff_time()`.
This release has somewhat more specific error return codes, and in error conditions it logs many more messages through the logging system. Furthermore, this release adds a few extra logging systems:
- `GETDNS_LOG_SYS_STUB` (0x2000) for logging about non-upstream-specific stub resolving
- `GETDNS_LOG_SYS_RECURSING` (0x4000) for logging about recursive resolving
- `GETDNS_LOG_SYS_ANCHOR` (0x8000) for logging about fetching trust anchors à la Zero configuration DNSSEC
A few more issues are resolved with this release.
For a complete overview see the ChangeLog section below.
This release has the 0.2.4 release of Stubby included, with:
- An updated `stubby.yml.example` that uses the `dnssec` extension to enable DNSSEC, with an explanation of its consequences.
- A better `stubby.service` file, that will only start Stubby after the network has come up.
Note that Stubby now depends on getdns-1.5.0 because of the `dnssec` extension.
Merry Christmas & Happy New year from the getdns team!
Photo by Jakob Owens on Unsplash
ChangeLog
* 2018-12-21: Version 1.5.0
* RFE getdnsapi/stubby#121 log re-instantiating TLS
upstreams (because they reached tls_backoff_time) at
log level 4 (WARNING)
* GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
* ZONEMD rr-type
* getdns_query queries for addresses when a query name
without a type is given.
* RFE #408: Fetching of trust anchors will be retried
after failure, after a certain backoff time. The time
can be configured with
getdns_context_set_trust_anchors_backoff_time().
* RFE #408: A "dnssec" extension that requires DNSSEC
verification. When this extension is set, Indeterminate
DNSSEC status will not be returned.
* Issue #410: Unspecified ownership of get_api_information()
* Fix for DNSSEC bug in finding most specific key when
trust anchor proves non-existence of one of the labels
along the authentication chain other than the
non-existence of a DS record on a zonecut.
* Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
Configurable minimum and maximum TLS versions with
getdns_context_set_tls_min_version() and
getdns_context_set_tls_max_version() functions and
tls_min_version and tls_max_version configuration parameters
for upstreams.
* Configurable TLS1.3 ciphersuites with the
getdns_context_set_tls_ciphersuites() function and
tls_ciphersuites config parameter for upstreams.
* Bugfix in upstream string configurations: tls_cipher_list and
tls_curve_list
* Bugfix finding signer for validating NSEC and NSEC3s, which
caused trouble with the partly tracing DNSSEC from the root
up, introduced in 1.4.2. Thanks Philip Homburg
Stubby ChangeLog
* 2018-12-21: Version 0.2.4
* DNSSEC required with dnssec extension in example config
* Removed the yeti servers from stubby.yml.example
* Added the Foundation RESTENA servers in stubby.yml.example
* Bugfix: only start Stubby when network is up
Thanks Bruno Pagani
First release candidate for getdns-1.5.0
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.5.0-rc1.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.5.0-rc1.tar.gz.asc |
| sha256 | 8bf13d39de90f03939b7b531cae079061cae29ab |

Note that the value on the sha256 row above is 40 hex digits long, the length of a SHA-1 digest and not the 64 hex digits of a SHA-256; it cannot be used to check this tarball as a SHA-256, so rely on the PGP signature for this release candidate.
Dear all,
We have a first candidate for the upcoming 1.5.0 bugfix and maintenance release of getdns.
Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.
For the DNS-over-TLS capability this means TLS1.3 support.
- TLS1.3 cipher suites can now be configured, either at context level with the `getdns_context_set_tls_ciphersuites()` function, or at upstream level by specifying a `tls_ciphersuites` entry. For example:

  `getdns_query -s -L '{ upstream_recursive_servers: [ { address_data: 1.1.1.1, tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'`
- The minimum and maximum TLS version to be used per upstream can now be specified at context level with the `getdns_context_set_tls_min_version()` and `getdns_context_set_tls_max_version()` functions, or at upstream level by specifying a `tls_min_version` or a `tls_max_version` entry. For example:

  `getdns_query -s -L '{ upstream_recursive_servers: [ { address_data: 185.49.141.38, tls_max_version: GETDNS_TLS1_2 } ] }'`
For DNSSEC:
- Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY algorithm support.
- A new extension named just `dnssec`, which requires that DNSSEC verification is performed. Answers with DNSSEC status INDETERMINATE will no longer be returned with this extension. Only INSECURE and SECURE answers will be returned.
- Automatic fetching of trust anchors à la zero configuration DNSSEC will now be retried after failure, after a number of milliseconds that can be specified with `getdns_context_set_trust_anchors_backoff_time()`.
This release has somewhat more specific error return codes, and in error conditions it logs many more messages through the logging system.
Furthermore, this release adds a few extra logging systems:
- `GETDNS_LOG_SYS_STUB` (0x2000) for logging about non-upstream-specific stub resolving
- `GETDNS_LOG_SYS_RECURSING` (0x4000) for logging about recursive resolving
- `GETDNS_LOG_SYS_ANCHOR` (0x8000) for logging about fetching trust anchors à la zero configuration DNSSEC
A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.
This release has a release candidate for Stubby 0.2.4 included, with:
- A better `stubby.service` file, that will only start Stubby after the network has come up.
Please review these release candidates carefully; if all is well, the actual release will follow Friday the 21st of December.
Photo by Jakob Owens on Unsplash
ChangeLog
* 2018-12-??: Version 1.5.0
* ZONEMD rr-type
* getdns_query queries for addresses when a query name
without a type is given.
* RFE #408: Fetching of trust anchors will be retried
after failure, after a certain backoff time. The time
can be configured with
getdns_context_set_trust_anchors_backoff_time().
* RFE #408: A "dnssec" extension that requires DNSSEC
verification. When this extension is set, Indeterminate
DNSSEC status will not be returned.
* Issue #410: Unspecified ownership of get_api_information()
* Fix for DNSSEC bug in finding most specific key when
trust anchor proves non-existence of one of the labels
along the authentication chain other than the
non-existence of a DS record on a zonecut.
* Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
Configurable minimum and maximum TLS versions with
getdns_context_set_tls_min_version() and
getdns_context_set_tls_max_version() functions and
tls_min_version and tls_max_version configuration parameters
for upstreams.
* Configurable TLS1.3 ciphersuites with the
getdns_context_set_tls_ciphersuites() function and
tls_ciphersuites config parameter for upstreams.
* Bugfix in upstream string configurations: tls_cipher_list and
tls_curve_list
* Bugfix finding signer for validating NSEC and NSEC3s, which
caused trouble with the partly tracing DNSSEC from the root
up, introduced in 1.4.2. Thanks Philip Homburg
Stubby ChangeLog
* 2018-12-??: Version 0.2.3
* More DoT servers for stubby.yml.example
* Bugfix: only start Stubby when network is up
Thanks Bruno Pagani
getdns-1.4.2 release
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.4.2.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.4.2.tar.gz.asc |
| sha256 | 1685b82dfe297cffc4bae08a773cdc88a3edf9a4e5a1ea27d8764bb5affc0e80 |
Dear all,
I am pleased to announce the new bugfix release, version 1.4.2 of getdns.
The two major bugfixes are:
- DNSSEC Denial of Existence validation at NSEC wildcards, which was broken since 1.4.0.
- Null termination of strings in configuration dictionaries. This in particular affected Stubby configurations with settings for `trust_anchors_url`, `trust_anchors_verify_CA`, `trust_anchors_verify_email`, `appdata_dir`, `resolvconf`, `hosts`, `tls_ca_path`, `tls_ca_file`, `tls_cipher_list` and `tls_curves_list`. If you use Stubby and had one of these configured, but they did not affect Stubby operation as expected, retry with this release to see if it resolves the issue.
DNSSEC validation in stub mode has been improved and should be possible more often now (also with badly behaving authoritatives), because it is now partly traced from the root up.
A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.
This release has Stubby release 0.2.3 included, with:
- An updated `stubby.yml` file (watch out: the entries for securedns.eu have changed!)
- Better recommendations for running Stubby with `systemd`
- No pass-through of EDNS0 options that were handled by the underlying getdns
Picture of Palais du Pharo in Marseille of Knowtex (CC BY 2.0)
ChangeLog
* 2018-05-11: Version 1.4.2
* Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
in the Windows root CA store.
* PR #397: No TCP sendto without TCP_FASTOPEN
Thanks Emery Hemingway
* Bugfix getdnsapi/stubby#106: Core dump when printing certain
configuration. Thanks Han Vinke
* Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
up (for tld and sld), to find insecure delegations quicker.
Thanks UniverseXXX
* Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
Bug was introduced when dealing with CVE-2017-15105
* Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
string bindata's. Thanks Lonnie Abelbeck
* Bugfix #394: Update src/compat/getentropy_linux.c in order to
handle ENOSYS (not implemented) fallback.
Thanks Brent Blood
* Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
or higher. Thanks mire3212
Stubby ChangeLog
* 2018-05-11: Version 0.2.3
* Bugfix #62 and #106: With systemd setups, make /run/stubby directory
writeable for stubby user and include a "appdata_dir" directory
in stubby.yml.example.
Thanks Paul Wouters, eccgecko and Han Vinke
* Update securedns.eu entries in stubby.yml.example
* Added Cloudflare servers in stubby.yml.example
* Added basic upstart script in contrib/upstart dir. Thanks vapniks
* Bugfix #98: EDNS options that are handled internally should not
be passed on through downstream. Thanks Twisteroid Ambassador
First release candidate for getdns-1.4.2
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.4.2-rc1.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.4.2-rc1.tar.gz.asc |
| sha256 | 3d2f7c866d3db39236d1a6a27ae64c59ddc38789422bc67d88ad2d7c979e71cd |
Dear all,
We have a first release candidate for the upcoming 1.4.2 bugfix release of getdns.
The two major bugfixes are:
- DNSSEC Denial of Existence validation at NSEC wildcards, which was broken since 1.4.0.
- Null termination of strings in configuration dictionaries. This in particular affected Stubby configurations with settings for `trust_anchors_url`, `trust_anchors_verify_CA`, `trust_anchors_verify_email`, `appdata_dir`, `resolvconf`, `hosts`, `tls_ca_path`, `tls_ca_file`, `tls_cipher_list` and `tls_curves_list`. If you use Stubby and had one of these configured, but they did not affect Stubby operation as expected, retry with this release candidate to see if it resolves the issue.
DNSSEC validation in stub mode has been improved and should be possible more often now (also with badly behaving authoritatives), because it is now partly traced from the root up.
A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.
This release has a release candidate for Stubby 0.2.3 included, with:
- An updated `stubby.yml` file (watch out: the entries for securedns.eu have changed!)
- Better recommendations for running Stubby with `systemd`
- No pass-through of EDNS0 options that were handled by the underlying getdns
Please review these release candidates carefully, if all is well, the actual release will follow Friday the 11th of May.
Japanese freedom characters courtesy of Jin4Ever (CC BY 4.0)
ChangeLog
* 2018-05-??: Version 1.4.2
* Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
up (for tld and sld), to find insecure delegations quicker.
Thanks UniverseXXX
* Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
Bug was introduced when dealing with CVE-2017-15105
* Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
string bindata's. Thanks Lonnie Abelbeck
* Bugfix #394: Update src/compat/getentropy_linux.c in order to
handle ENOSYS (not implemented) fallback.
Thanks Brent Blood
* Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
or higher. Thanks mire3212
Stubby ChangeLog
* 2018-05-??: Version 0.2.3
* With systemd setups, make /run/stubby directory writeable for stubby user
and include a "appdata_dir" directory in stubby.yml.example
* Update securedns.eu entries in stubby.yml.example
* Added Cloudflare servers in stubby.yml.example
* Added basic upstart script in contrib/upstart dir. Thanks vapniks
* Bugfix #98: EDNS options that are handled internally should not
be passed on through downstream. Thanks Twisteroid Ambassador
getdns-1.4.1 release
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.4.1.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.4.1.tar.gz.asc |
| sha256 | 245233dc780f615b6ab1472f2b9cdcd957a451a736f3036717d0da466ab1c51e |
Dear all,
I am pleased to announce the new bugfix release, version 1.4.1 of getdns.
This release has a fix for a DNSSEC validation failure for insecure NODATA responses, which was introduced in getdns-1.2.1.
Besides this DNSSEC bugfix, getdns can now also determine the DNSSEC validation status of zones with missing SOA records. This sometimes occurs with sloppily implemented CDNs.
Besides these DNSSEC fixes, this release also contains a few upstream management improvements, mainly contributed by Robert Groenenberg:
- Before, when a UDP query to a specific upstream failed, it was marked to back off for a certain number of queries. The number of queries to let pass before giving it another go increased exponentially on each successive failure. This exponential back-off increase is now limited. The default maximum UDP back-off value is 1000, which means that when a UDP upstream is down it will still be retried at least once every 1000 queries.
- When all UDP upstreams are failing (for example because the WiFi is temporarily down), the back-off scheme described above is abandoned and all failing upstreams are retried equally. This speeds up re-establishing DNS availability when the upstreams become functional again (WiFi is up!).
- For each individual query, every upstream is tried only once. This resolves a nasty bug in which failing TCP upstreams were retried over and over again with the same failing query, because TCP upstreams lack the time-based back-off mechanism that TLS upstreams have.
A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.
Picture of eurostar train to London courtesy of Erich Westendarp (CC0 1.0)
ChangeLog
* 2018-03-12: Version 1.4.1
* Bugfix #388: Prevent fallback to an earlier tried upstream within a
single query. Thanks Robert Groenenberg
* PR #387: Compile with OpenSSL with deprecated APIs disabled.
Thanks Rosen Penev
* PR #386: UDP failover improvements:
- When all UDP upstreams fail, retry them (more or less) equally
- Limit maximum UDP backoff (default to 1000)
This is configurable with the --with-max-udp-backoff configure
option.
Thanks Robert Groenenberg
* Bugfix: Find zonecut with DS queries (instead of SOA queries).
Thanks Elmer Lastdrager
* Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
Thanks hanvinke
* PR #384: Fix minor spelling and formatting. Thanks dkg.
* Bugfix #382: Parallel install of getdns_query and getdns_server_mon
First release candidate for getdns-1.4.1
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.4.1-rc1.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.4.1-rc1.tar.gz.asc |
| sha256 | e1540d289ec82a752f0d4046d59c2445b76dcdc74a8653b90d7e530e6b2bec19 |
Dear all,
We have a first release candidate for the upcoming 1.4.1 quick-fix release of getdns.
This release has a fix for a DNSSEC validation failure for insecure NODATA responses, which was introduced in getdns-1.2.1.
Besides this DNSSEC bugfix, getdns can now also determine the DNSSEC validation status of zones with missing SOA records. This sometimes occurs with sloppily implemented CDNs.
Besides these DNSSEC fixes, this release also contains a few upstream management improvements, mainly contributed by Robert Groenenberg:
- Before, when a UDP query to a specific upstream failed, it was marked to back off for a certain number of queries. The number of queries to let pass before giving it another go increased exponentially on each successive failure. This exponential back-off increase is now limited. The default maximum UDP back-off value is 1000, which means that when a UDP upstream is down it will still be retried at least once every 1000 queries.
- When all UDP upstreams are failing (for example because the WiFi is temporarily down), the back-off scheme described above is abandoned and all failing upstreams are retried equally. This speeds up re-establishing DNS availability when the upstreams become functional again (WiFi is up!).
- For each individual query, every upstream is tried only once. This resolves a nasty bug in which failing TCP upstreams were retried over and over again with the same failing query, because TCP upstreams lack the time-based back-off mechanism that TLS upstreams have.
A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.
Please review this release candidate carefully, if all is well, the actual release will follow Monday the 12th of March.
Drawing of adhesive bandage courtesy of Nevit Dilmen (CC BY-SA 3.0)
ChangeLog
* 2018-03-??: Version 1.4.1
* Bugfix #388: Prevent fallback to an earlier tried upstream within a
single query. Thanks Robert Groenenberg
* PR #387: Compile with OpenSSL with deprecated APIs disabled.
Thanks Rosen Penev
* PR #386: UDP failover improvements:
- When all UDP upstreams fail, retry them (more or less) equally
- Limit maximum UDP backoff (default to 1000)
This is configurable with the --with-max-udp-backoff configure
option.
Thanks Robert Groenenberg
* Bugfix: Find zonecut with DS queries (instead of SOA queries).
Thanks Elmer Lastdrager
* Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
Thanks hanvinke
* PR #384: Fix minor spelling and formatting. Thanks dkg.
* Bugfix #382: Parallel install of getdns_query and getdns_server_mon
getdns-1.4.0 release
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.4.0.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.4.0.tar.gz.asc |
| sha256 | de360cd554fdec4bae3f5afbb36145872b8ff7306ded5deb0905442c4909f7b3 |
Dear all,
I am pleased to announce the new security and bugfix release, version 1.4.0 of getdns.
Security Fixes: The release contains two security fixes.
- When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors, like self-signed certificates, were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating a self-signed certificate does not mean that no other errors occurred: only one error status is returned by the underlying OpenSSL verification function, and that error status masks potential other errors. This release checks SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included danessl library by Viktor Dukhovni for OpenSSL version 1.0.0 and higher. For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.
- The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections. One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs. This release has that fixed.
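The first fix above, modelled as an added Python example (not getdns or OpenSSL code; the same issue is described again in the 1.4.0 release candidate notes further down): constructed certificate records and a stand-in verifier that, like the underlying OpenSSL call the text describes, hands back a single error status for the whole chain. The "before" function reproduces the tolerate-self-signed-when-pinned logic and accepts an expired or mis-named certificate because the one reported error is "self-signed"; the "after" function decides on the complete set of problems and lets a matching pin excuse only the missing CA path. The error codes, the pin format (SHA-256 over the SubjectPublicKeyInfo, as for SPKI pins) and the certificate fields are assumptions of the model.

```python
"""Why 'tolerate error X when the pin matches' is unsafe with a single error status."""
import base64
import hashlib

# constructed error codes standing in for X509_V_ERR_* values
ERR_OK = 0
ERR_SELF_SIGNED = 18
ERR_CERT_EXPIRED = 10
ERR_HOSTNAME_MISMATCH = 62


def spki_pin(spki_der):
    """SPKI pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_problems(cert, expected_name, now):
    """Every problem with the presented certificate (a constructed dict)."""
    problems = []
    if cert["issuer"] == cert["subject"]:
        problems.append(ERR_SELF_SIGNED)
    if cert["not_after"] < now:
        problems.append(ERR_CERT_EXPIRED)
    if cert["subject"] != expected_name:
        problems.append(ERR_HOSTNAME_MISMATCH)
    return problems


def verify_result(cert, expected_name, now):
    """Stand-in for a verify call that reports only ONE error status."""
    problems = chain_problems(cert, expected_name, now)
    return problems[0] if problems else ERR_OK


def accept_before_fix(cert, expected_name, now, pinset):
    """Pre-1.4.0 logic: if the reported error is 'self-signed' and the SPKI
    pin matches, accept. Any other problem the verifier found is never seen."""
    err = verify_result(cert, expected_name, now)
    if err == ERR_OK:
        return True
    return err == ERR_SELF_SIGNED and spki_pin(cert["spki"]) in pinset


def accept_after_fix(cert, expected_name, now, pinset):
    """Decide on the full set of problems. A matching pin vouches for the key
    only, so it may excuse the missing CA path and nothing else."""
    problems = set(chain_problems(cert, expected_name, now))
    if spki_pin(cert["spki"]) in pinset:
        problems.discard(ERR_SELF_SIGNED)
    return not problems


# constructed upstream key and the pinset configured for it
UPSTREAM_SPKI = b"\x30\x59\x30\x13constructed-spki-bytes"
PINSET = {spki_pin(UPSTREAM_SPKI)}
NOW = 1_700_000_000


def make_cert(subject, not_after, self_signed=True):
    """Constructed certificate record presenting the pinned key."""
    return {"subject": subject, "issuer": subject if self_signed else "Some CA",
            "not_after": not_after, "spki": UPSTREAM_SPKI}


if __name__ == "__main__":
    expired = make_cert("dot.example", NOW - 1)          # self-signed AND expired
    print("before fix:", accept_before_fix(expired, "dot.example", NOW, PINSET))
    print("after fix: ", accept_after_fix(expired, "dot.example", NOW, PINSET))
```

The real fix does not re-implement this decision by hand: as the notes say, it hands the pins to OpenSSL's DANE functions (or the danessl library on older OpenSSL), where the pin is a constraint evaluated inside chain verification rather than an exception applied to one error code afterwards.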
Stability Fixes: Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library in certain conditions.
'Additional API' - new functions: Besides the available ciphers, the supported curves can now be configured too, with the `getdns_context_set_tls_curves_list()` function or per upstream with the `getdns_context_set_upstream_recursive_servers()` function.
Tools: This release includes a new tool, `getdns_server_mon`, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers.
NOTE: Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora package.
Stubby: This release includes the new version 0.2.2 release of Stubby.
- It includes an updated and fixed `stubby.yml` configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included.
Picture of Safe and Sounds Puppy courtesy of Kaydee H (CC BY-SA 2.0)
ChangeLog
* 2018-02-21: Version 1.4.0
* .so revision bump to please fedora packaging system.
Thanks Paul Wouters
* Specify the supported curves with getdns_context_set_tls_curves_list()
An upstream specific list of supported curves may also be given
with the tls_curves_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* New tool getdns_server_mon for checking upstream recursive
resolver's capabilities.
* Improved handling of opportunistic back-off. If other transports
are working, don’t forcibly promote failed upstreams just wait for
the re-try timer.
* Hostname authentication with libressl
Thanks Norbert Copones
* Security bugfix in response to CVE-2017-15105. Although getdns was
not vulnerable for this specific issue, as a precaution code has been
adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
be wildcard expansions when used with DNSSEC proofs. Only direct
queries for those types are allowed to be wildcard expansions.
* Bugfix PR#379: Miscellaneous double free or corruption, and corrupted
memory double linked list detected issue, with serving functionality.
Thanks maddie and Bruno Pagani
* Security Bugfix PR#293: Check sha256 pinsets
with OpenSSL native DANE functions for OpenSSL >= 1.1.0
with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
don't allow for authentication exceptions (like self-signed
certificates) otherwise. Thanks Viktor Dukhovni
* libidn2 support. Thanks Paul Wouters
Stubby ChangeLog
* 2018-02-21: Version 0.2.2
* Fixes and updates to the stubby.yml.config file. Add separate entries for
servers that listen on port 443.
* Additional logging of basic config on startup
* -V option to show version
* Added a man page
First release candidate for getdns-1.4.0
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz.asc |
| sha256 | b60963f966111e24efdc96e048d1e3b7492d5cfd590abc73cff227ecc3549f52 |
Dear all,
We have a first release candidate for the upcoming 1.4.0 security and stability release of getdns.
Security Fixes: The release contains two security fixes.
- When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors, like self-signed certificates, were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating a self-signed certificate does not mean that no other errors occurred: only one error status is returned by the underlying OpenSSL verification function, and that error status masks potential other errors. This release checks SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included danessl library by Viktor Dukhovni for OpenSSL version 1.0.0 and higher. For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.
- The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections. One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs. This release has that fixed.
Stability Fixes: Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library in certain conditions.
'Additional API' - new functions: Besides the available ciphers, the supported curves can now be configured too, with the `getdns_context_set_tls_curves_list()` function or per upstream with the `getdns_context_set_upstream_recursive_servers()` function.
Tools: This release includes a new tool, `getdns_server_mon`, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers.
NOTE: Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora package.
Stubby: This release candidate includes a candidate for a 0.2.2 release of Stubby.
- It includes an updated and fixed `stubby.yml` configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included.
Please review this release candidate carefully, if all is well, the actual release will follow Wednesday the 21st of February.
Picture of Boo Valentine courtesy of DaPuglet (CC BY-SA 2.0)
ChangeLog
* 2018-02-??: Version 1.4.0
* .so revision bump to please fedora packaging system.
Thanks Paul Wouters
* Specify the supported curves with getdns_context_set_tls_curves_list()
An upstream specific list of supported curves may also be given
with the tls_curves_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* New tool getdns_server_mon for checking upstream recursive
resolver's capabilities.
* Improved handling of opportunistic back-off. If other transports
are working, don’t forcibly promote failed upstreams just wait for
the re-try timer.
* Hostname authentication with libressl
Thanks Norbert Copones
* Security bugfix in response to CVE-2017-15105. Although getdns was
not vulnerable for this specific issue, as a precaution code has been
adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
be wildcard expansions when used with DNSSEC proofs. Only direct
queries for those types are allowed to be wildcard expansions.
* Bugfix PR#379: Miscellaneous double free or corruption, and corrupted
memory double linked list detected issue, with serving functionality.
Thanks maddie and Bruno Pagani
* Security Bugfix PR#293: Check sha256 pinsets
with OpenSSL native DANE functions for OpenSSL >= 1.1.0
with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
don't allow for authentication exceptions (like self-signed
certificates) otherwise. Thanks Viktor Dukhovni
* libidn2 support. Thanks Paul Wouters
Stubby ChangeLog
* 2018-02-??: Version 0.2.2
* Fixes and updates to the stubby.yml.config file. Add separate entries for
servers that listen on port 443.
* Additional logging of basic config on startup
* -V option to show version
* Added a man page
getdns-1.3.0 released
Please do not use the GitHub-generated Source code (zip) and (tar.gz) files, but our own tarball instead; the signature and digest below cover only that tarball:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.3.0.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.3.0.tar.gz.asc |
| sha256 | 920fa2e07c72fd0e5854db1820fa777108009fc5cb702f9aa5155ef58b12adb1 |
Dear all,
I am pleased to announce the new special Christmas 2017 bugfix release, version 1.3.0 of getdns.
Recently Stubby has seen increased interest, already after the release of the Windows installer, but even more so after the introduction of Quad9 and the descriptions of how to use DNS-over-TLS with Stubby by Alex Band and Stéphane Bortzmeyer.
The increased install base has generated excellent feedback and has also revealed some bugs. This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.
The bugs fixed with this release are:
- A segfault in the native DNSSEC validation code when DS and DNSKEY queries timed out,
- A non-RFC-compliant `edns_client_subnet_private` option that caused some upstream EDNS Client Subnet implementations (i.e. Unbound's) to return `FORMERR`, and
- Doing the meta queries for Zero configuration DNSSEC with the resolvers from `/etc/resolv.conf`, which caused Stubby to query itself for them, effectively breaking the possibility to fetch the root trust anchors and bootstrap DNSSEC.
Besides these fixes, this release allows a `getdns_context` to be initialized with `resolv.conf` and `hosts` files at alternative locations, with the `getdns_context_set_resolvconf()` and `getdns_context_set_hosts()` functions.
Also the TLS parameters for DNS-over-TLS are more configurable with this release. The CA store, for authenticating DNS-over-TLS upstreams, can be specified with the `getdns_context_set_tls_ca_path()` and `getdns_context_set_tls_ca_file()` functions. The default available ciphers are configurable with the `getdns_context_set_tls_cipher_list()` function. The default available cipher list has been adapted to support TLS1.3 too, when linked with a TLS1.3 supporting version of OpenSSL (i.e. >= 1.1.1). Available ciphers can also be set for specific upstreams, with `getdns_context_set_upstream_recursive_servers()`.
The `getdns_context_get_api_information()` function exposes more `getdns_context` settings, amongst which:
- The default settings for extensions,
- The paths for files that were used to initialize a `getdns_context` (`resolv.conf`, `hosts` and trust anchors), and
- More information about the version, configuration and capabilities of the OpenSSL library in use.
This release includes the 0.2.1 release of Stubby. The most prominent bugfix therein is to not do DNSSEC validation for queries with the `CD` bit set, when DNSSEC validation was not configured in the first place. This bug caused decreased performance for configurations with an Unbound forwarding to Stubby.
The 0.2.1 release of Stubby also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS
This release has version number 1.3.0 and not 1.2.2, for which the release candidate was created, because we comply with the Semantic Versioning 2.0.0 scheme, and a few new functions are introduced into the API. The other change from the release candidate is that the Certificate Authority store location settings are now prefixed with `tls_`, like all other settings influencing DNS-over-TLS.
Merry Christmas & Happy New Year from the getdns team!
Picture of ladybug in Christmas tree courtesy of David Whelan
ChangeLog
* 2017-12-21: Version 1.3.0
* Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
Thanks Tim Rühsen and Konomi Kitten
* Specify default available cipher suites for authenticated TLS
upstreams with getdns_context_set_tls_ciphers_list()
An upstream specific available cipher suite may also be given
with the tls_cipher_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
Thanks Pascal Ernster
* Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
context configured upstreams. Thanks Andreas Schulze
* Report default extension settings with
getdns_context_get_api_information()
* Specify locations at which CA certificates for verification purposes
are located: getdns_context_set_tls_ca_path()
getdns_context_set_tls_ca_file()
* getdns_context_set_resolvconf() function to initialize a context's
upstreams and suffixes with a resolv.conf file.
getdns_context_get_resolvconf() to get the file used to initialize
the context's upstreams and suffixes.
getdns_context_set_hosts() function to initialize a context's
LOCALNAMES namespace.
getdns_context_get_hosts() function to get the file used to initialize
the context's LOCALNAMES namespace.
* get which version of OpenSSL was used at build time and at run time
when available with getdns_context_get_api_information()
* GETDNS_RETURN_IO_ERROR return error code
* Bugfix #359: edns_client_subnet_private should set family
Thanks Daniel Areiza & Andreas Schulze
* Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
validation. Thanks Bruno Pagani
Stubby ChangeLog
* 2017-12-18: Version 0.2.1
* Fix use of logging on macos 10.11
* 2017-12-18: Version 0.2.0
* Add Powershell scripts for Windows 7 that will update the IPv4 DNS resolvers.
* Add Windows scripts to enable a Scheduled task for stubby
* Add files to support a separate macOS GUI application to manage stubby
https://dnsprivacy.org/wiki/x/CIBn
* Add Quad9 details to the configuration file
* Bugfix #48: Do not do native DNSSEC validation when cd bit was
received (for example from an unbound forwarder), but DNSSEC
validation was not enabled in the first place.
* Bugfix getdnsapi/getdns#358: Parse config files given with the
-C option that have an .yaml extension as YAML not JSON.
Thanks Ollivier Robert
First release candidate for getdns-1.2.2
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:

| | |
|---|---|
| tarball | https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz |
| pgp sig | https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz.asc |
| sha256 | cebfad179d6b0db8e1f4875152caf788e870710f1c52c0a92ea10d4622d4438b |
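Both release tables above give a sha256 and a detached PGP signature for the tarball and ask that the GitHub-generated archives not be used. The following is an added example, not code from the getdns project, of how a practitioner would act on that: pin the digests published on the page, stream-hash the downloaded file, and only then run `gpg --verify` against the `.asc` file. It assumes the release signing key was already imported into the local gpg keyring by some out-of-band means; the `verify_release_tarball` and `check_digest` names are the example's own.

```python
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path

# Digests as published in the release tables on this page; anything else
# (for instance a GitHub-generated archive of the same tag) will not match.
PINNED_SHA256 = {
    "getdns-1.3.0.tar.gz":
        "920fa2e07c72fd0e5854db1820fa777108009fc5cb702f9aa5155ef58b12adb1",
    "getdns-1.2.2-rc1.tar.gz":
        "cebfad179d6b0db8e1f4875152caf788e870710f1c52c0a92ea10d4622d4438b",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_hex_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(name: str, digest_hex: str, pinned=PINNED_SHA256) -> str:
    """Compare a computed digest with the pinned digest for this artifact name.

    Returns 'unknown-artifact', 'digest-mismatch' or 'digest-ok'. Case of the
    hex string is ignored; the comparison itself is constant-time, which is
    not needed for a public hash but is a harmless habit for verifier code.
    """
    expected = pinned.get(name)
    if expected is None:
        return "unknown-artifact"
    if not hmac.compare_digest(digest_hex.lower(), expected.lower()):
        return "digest-mismatch"
    return "digest-ok"


def verify_release_tarball(path: str, pinned=PINNED_SHA256,
                           run_gpg: bool = True) -> str:
    """Verify a downloaded tarball: pinned digest first, then the .asc signature.

    Assumption: the release signing key is already in the local gpg keyring
    (obtained out of band); 'gpg --verify' fails otherwise, which is reported
    as 'signature-invalid' rather than silently accepted.
    """
    p = Path(path)
    status = check_digest(p.name, sha256_hex_file(str(p)), pinned)
    if status != "digest-ok" or not run_gpg:
        return status
    sig = p.with_name(p.name + ".asc")
    if shutil.which("gpg") is None or not sig.exists():
        return "digest-ok-signature-unchecked"
    result = subprocess.run(["gpg", "--verify", str(sig), str(p)],
                            capture_output=True)
    return "ok" if result.returncode == 0 else "signature-invalid"


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(arg, verify_release_tarball(arg))
```

Run it as `python3 verify.py getdns-1.3.0.tar.gz` with the `.asc` file in the same directory. The digest check is deliberately done before the signature check so that a file that is not even the published tarball never reaches gpg, and the status strings distinguish "unchecked" from "checked and failed", which matters when the script runs in an unattended build.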
Dear all,
We have a first release candidate for the upcoming 1.2.2 bugfix release of getdns.
Recently Stubby has seen increased interest, first after the release of the Windows installer, and even more so after the introduction of Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex Band and Stéphane Bortzmeyer.
The increased install base has generated excellent feedback and has also revealed some bugs.
This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.
The bugs fixed with this release are:
- A segfault in the native DNSSEC validation code when DS and DNSKEY queries timed out,
- A non-RFC-compliant `edns_client_subnet_private` option that caused some upstream EDNS Client Subnet implementations (i.e. Unbound's) to return `FORMERR`, and
- Doing the meta queries for Zero configuration DNSSEC with the resolvers from `/etc/resolv.conf`, which caused Stubby to query itself for this, effectively breaking the possibility to fetch the root trust anchors and bootstrap DNSSEC.
Besides these fixes, this release allows a `getdns_context` to be initialized with `resolv.conf` and `hosts` files at alternative locations, with the `getdns_context_set_resolvconf()` and `getdns_context_set_hosts()` functions.
Also a specific location for the CA store, for authenticating DNS-over-TLS upstreams, can be specified with the `getdns_context_set_CApath()` and `getdns_context_set_CAfile()` functions.
The `getdns_context_get_api_information()` function exposes more `getdns_context` settings, amongst which:
- The default settings for extensions,
- The paths for files that were used to initialize a `getdns_context` (`resolv.conf`, `hosts` and trust anchors), and
- More information about the version, configuration and capabilities of the OpenSSL library in use.
This release candidate includes a candidate for a 0.2.0 release of Stubby. The most prominent bugfix therein is to not do DNSSEC validation for queries with the `CD` bit set, when DNSSEC validation was not configured in the first place. This bug caused decreased performance for configurations with an Unbound forwarding to Stubby.
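The `CD` bit bug is described in both the 1.3.0 announcement and this release candidate (and as Stubby bugfix #48 in the ChangeLogs). The following is an added example, not code from Stubby or getdns, that makes the policy concrete: it decodes the DNS header so the `CD` flag (0x0010 in the flags word, RFC 4035 section 3.1.6) can be read from a wire-format query, then decides whether a stub that may or may not have validation configured should validate. The query bytes are constructed in the example itself, and the `should_validate` and `build_query` names are the example's own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010


def build_query(qid: int, qname: str, qtype: int = 1, flags: int = FLAG_RD) -> bytes:
    """Build a minimal wire-format query; constructed sample input, not captured traffic."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    )
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; raise on truncated input instead of guessing."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header: %d bytes" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def should_validate(validation_configured: bool, query: bytes) -> bool:
    """Decide whether the stub runs native DNSSEC validation for this query.

    First branch: the Stubby #48 fix as described on the page. A CD bit set by
    a client (for example a forwarding Unbound that validates by itself) must
    never switch on validation that the operator did not configure.
    Second branch: when validation is configured, honour CD as RFC 4035
    section 3.2.2 describes (skip validation for that query). That branch is
    an assumption about a validating stub, not a statement about Stubby's code.
    """
    hdr = parse_header(query)
    if not validation_configured:
        return False
    return not hdr["cd"]
```

The performance symptom from the page follows directly from the first branch: a forwarder that validates on its own sends every query with `CD` set, so a stub that treated `CD` as a reason to validate would do a full DNSSEC chain fetch per query that nobody asked for.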
The 0.2.0 release (candidate) of Stubby also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS
Please review this release candidate carefully; if all is well, the actual release will follow Thursday the 21st of December.
ChangeLog
* 2017-12-??: Version 1.2.2
* Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
context configured upstreams.
* Report default extension settings with
getdns_context_get_api_information()
* Specify locations at which CA certificates for verification purposes
are located: getdns_context_set_CApath() getdns_context_set_CAfile()
* getdns_context_set_resolvconf() function to initialize a context's
upstreams and suffixes with a resolv.conf file.
getdns_context_get_resolvconf() to get the file used to initialize
the context's upstreams and suffixes.
getdns_context_set_hosts() function to initialize a context's
LOCALNAMES namespace.
getdns_context_get_hosts() function to get the file used to initialize
the context's LOCALNAMES namespace.
* get which version of OpenSSL was used at build time and at run time
when available with getdns_context_get_api_information()
* GETDNS_RETURN_IO_ERROR return error code
* Bugfix #359: edns_client_subnet_private should set family
Thanks Daniel Areiza
* Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
validation. Thanks Bruno Pagani
Stubby ChangeLog
* 2017-12-?: Version 0.2.0
* Add files to support a separate macOS GUI application to manage stubby
* Bugfix #48: Do not do native DNSSEC validation when cd bit was
received (for example from an unbound forwarder), but DNSSEC
validation was not enabled in the first place.
* Bugfix getdnsapi/getdns#358: Parse config files given with the
-C option that have an .yaml extension as YAML not JSON.
Thanks Ollivier Robert