
Releases: getdnsapi/getdns

getdns-1.5.0 release

21 Dec 19:33
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.5.0.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.5.0.tar.gz.asc
sha256 577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84

Dear all,

I am pleased to announce the new Christmas 2018 bugfix and maintenance release, version 1.5.0 of getdns.

Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.

For the DNS-over-TLS capability this means TLS1.3 support.

  • TLS1.3 cipher suites can now be configured, either at context level with the getdns_context_set_tls_ciphersuites() function, or at upstream level by specifying a tls_ciphersuites entry.
    For example:

    getdns_query -s -L '{ upstream_recursive_servers:
                          [ { address_data: 1.1.1.1
                            , tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'
    

    For TLS1.2 and earlier, the (not new) getdns_context_set_tls_cipher_list() function or the tls_cipher_list entry at upstream level needs to be used, analogous to the SSL_CTX_set_ciphersuites() and SSL_CTX_set_cipher_list() functions in OpenSSL.

  • The minimum and maximum TLS version to be used per upstream can now be specified at context level with the getdns_context_set_tls_min_version() and getdns_context_set_tls_max_version() functions, or at upstream level by specifying a tls_min_version or a tls_max_version entry.
    For example:

    getdns_query -s -L '{ upstream_recursive_servers:
                          [ { address_data   : 185.49.141.38
                            , tls_max_version: GETDNS_TLS1_2 } ] }' 
    

    An example that requires TLS1.3 support at context level:

    getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' \
        @185.49.141.38 @1.1.1.1 +return_call_reporting
    

    Because 185.49.141.38 does not yet support TLS1.3, this will result in queries to 1.1.1.1 only, as can be seen under "call_reporting" in the response dict.

For DNSSEC:

  • Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY algorithm support.
  • A new extension named dnssec, which requires that DNSSEC verification is performed. With this extension, answers with DNSSEC status INDETERMINATE are no longer returned; only INSECURE and SECURE answers are. One benefit of this mode is that getdns will hard fail if it does not have, or cannot fetch, a valid trust anchor with which to perform validation.
  • Automatic fetching of trust anchors à la Zero configuration DNSSEC will now be retried after failure, after a number of milliseconds that can be specified with getdns_context_set_trust_anchors_backoff_time().

This release has somewhat more specific error return codes and, in addition, logs many more messages through the logging system in error conditions. Furthermore, this release adds a few extra logging systems:

  • GETDNS_LOG_SYS_STUB (0x2000) for logging about non-upstream-specific stub resolving
  • GETDNS_LOG_SYS_RECURSING (0x4000) for logging about recursive resolving
  • GETDNS_LOG_SYS_ANCHOR (0x8000) for logging about fetching trust anchors à la Zero configuration DNSSEC

A few more issues are resolved with this release.
For a complete overview see the ChangeLog section below.


This release has the 0.2.4 release of Stubby included, with:

  • Updated stubby.yml.example that uses the dnssec extension to enable DNSSEC with explanation of its consequences.
  • A better stubby.service file, that will only start Stubby after the network has come up.

Note that Stubby now has a dependency on getdns-1.5.0 because of the dnssec extension.

Merry Christmas & Happy New Year from the getdns team!

Photo by Jakob Owens on Unsplash

ChangeLog

* 2018-12-21: Version 1.5.0
  * RFE getdnsapi/stubby#121 log re-instantiating TLS
    upstreams (because they reached tls_backoff_time) at
    log level 4 (WARNING)
  * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name
    without a type is given.
  * RFE #408: Fetching of trust anchors will be retried
    after failure, after a certain backoff time. The time
    can be configured with
    getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC
    verification.  When this extension is set, Indeterminate
    DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when
    trust anchor proves non-existence of one of the labels
    along the authentication chain other than the
    non-existence of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
    Configurable minimum and maximum TLS versions with
    getdns_context_set_tls_min_version() and
    getdns_context_set_tls_max_version() functions and
    tls_min_version and tls_max_version configuration parameters
    for upstreams.
  * Configurable TLS1.3 ciphersuites with the
    getdns_context_set_tls_ciphersuites() function and
    tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and
    tls_curve_list
  * Bugfix finding signer for validating NSEC and NSEC3s, which
    caused trouble with the partly tracing DNSSEC from the root
    up, introduced in 1.4.2.  Thanks Philip Homburg

Stubby ChangeLog

* 2018-12-21: Version 0.2.4
 * DNSSEC required with dnssec extension in example config
 * Removed the yeti servers from stubby.yml.example
 * Added the Foundation RESTENA servers in stubby.yml.example
 * Bugfix: only start Stubby when network is up
   Thanks Bruno Pagani

First release candidate for getdns-1.5.0

14 Dec 15:09
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.5.0-rc1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.5.0-rc1.tar.gz.asc
sha256 8bf13d39de90f03939b7b531cae079061cae29ab

Dear all,

We have a first candidate for the upcoming 1.5.0 bugfix and maintenance release of getdns.

Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.

For the DNS-over-TLS capability this means TLS1.3 support.

  • TLS1.3 cipher suites can now be configured, either at context level with the getdns_context_set_tls_ciphersuites() function, or at upstream level by specifying a tls_ciphersuites entry.
    For example:
    getdns_query -s -L '{ upstream_recursive_servers: [ { address_data: 1.1.1.1, tls_ciphersuites: "TLS_AES_256_GCM_SHA384" } ] }'
  • The minimum and maximum TLS version to be used per upstream can now be specified at context level with the getdns_context_set_tls_min_version() and getdns_context_set_tls_max_version() functions, or at upstream level by specifying a tls_min_version or a tls_max_version entry.
    For example:
    getdns_query -s -L '{ upstream_recursive_servers: [ { address_data : 185.49.141.38 , tls_max_version: GETDNS_TLS1_2 } ] }'
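The tls_ciphersuites / tls_cipher_list split and the tls_min_version / tls_max_version bounds described here and in the 1.5.0 release announcement above, as an added Python model that is not getdns code: it renders the dict syntax getdns_query takes after -L, rejects a minimum above the maximum or TLS1.3 suite names in tls_cipher_list, and shows why an upstream whose server stops at TLS1.2 drops out once the context minimum is GETDNS_TLS1_3. That upstream-level values override context-level ones, the assumed defaults, and the older identifiers in TLS_VERSIONS are assumptions.

```python
"""Model of the per-upstream TLS settings introduced in getdns 1.5.0.

Added example, not getdns code.  It renders the dict syntax getdns_query
accepts after -L and checks the settings the way an operator would before
deploying them.  Assumption: an upstream-level value overrides the
context-level one for that upstream.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered oldest to newest so versions can be compared.  Only GETDNS_TLS1_2
# and GETDNS_TLS1_3 appear in the release notes; the older identifiers are
# assumed from getdns_extra.h, and the defaults below are assumptions too.
TLS_VERSIONS = ["GETDNS_TLS1", "GETDNS_TLS1_1", "GETDNS_TLS1_2", "GETDNS_TLS1_3"]
DEFAULT_MIN, DEFAULT_MAX = "GETDNS_TLS1_2", "GETDNS_TLS1_3"


@dataclass
class Upstream:
    address_data: str
    tls_min_version: Optional[str] = None
    tls_max_version: Optional[str] = None
    tls_ciphersuites: Optional[str] = None  # TLS1.3 suites, cf. SSL_CTX_set_ciphersuites()
    tls_cipher_list: Optional[str] = None   # TLS1.2 and earlier, cf. SSL_CTX_set_cipher_list()


def _idx(version: str) -> int:
    if version not in TLS_VERSIONS:
        raise ValueError(f"unknown TLS version identifier {version!r}")
    return TLS_VERSIONS.index(version)


def validate(up: Upstream, ctx_min: str = DEFAULT_MIN,
             ctx_max: str = DEFAULT_MAX) -> Tuple[str, str]:
    """Return the (min, max) range this upstream may negotiate, or raise.

    Catches two mistakes that silently disable an upstream: a minimum above
    the maximum, and TLS1.3 suite names (all start with "TLS_") placed in
    tls_cipher_list, which only governs TLS1.2 and earlier.
    """
    lo = up.tls_min_version or ctx_min
    hi = up.tls_max_version or ctx_max
    if _idx(lo) > _idx(hi):
        raise ValueError(f"{up.address_data}: tls_min_version {lo} is above "
                         f"tls_max_version {hi}")
    if up.tls_ciphersuites and not all(
            s.startswith("TLS_") for s in up.tls_ciphersuites.split(":")):
        raise ValueError(f"{up.address_data}: tls_ciphersuites takes TLS1.3 "
                         "suite names only")
    if up.tls_cipher_list and any(
            c.startswith("TLS_") for c in up.tls_cipher_list.split(":")):
        raise ValueError(f"{up.address_data}: TLS1.3 suites belong in "
                         "tls_ciphersuites, not tls_cipher_list")
    return lo, hi


def render_config(upstreams: List[Upstream], ctx_min: Optional[str] = None,
                  ctx_max: Optional[str] = None) -> str:
    """Emit the dict in the syntax shown for getdns_query -L."""
    parts = []
    if ctx_min:
        parts.append(f"tls_min_version: {ctx_min}")
    if ctx_max:
        parts.append(f"tls_max_version: {ctx_max}")
    rendered = []
    for up in upstreams:
        validate(up, ctx_min or DEFAULT_MIN, ctx_max or DEFAULT_MAX)
        fields = [f"address_data: {up.address_data}"]  # bare, as in the examples
        if up.tls_min_version:
            fields.append(f"tls_min_version: {up.tls_min_version}")
        if up.tls_max_version:
            fields.append(f"tls_max_version: {up.tls_max_version}")
        if up.tls_ciphersuites:                          # string values are quoted
            fields.append(f'tls_ciphersuites: "{up.tls_ciphersuites}"')
        if up.tls_cipher_list:
            fields.append(f'tls_cipher_list: "{up.tls_cipher_list}"')
        rendered.append("{ " + ", ".join(fields) + " }")
    parts.append("upstream_recursive_servers: [ " + ", ".join(rendered) + " ]")
    return "{ " + ", ".join(parts) + " }"


def usable_upstreams(upstreams: List[Upstream], server_max: Dict[str, str],
                     ctx_min: str = DEFAULT_MIN,
                     ctx_max: str = DEFAULT_MAX) -> List[str]:
    """Addresses whose server can reach the configured minimum version.

    server_max maps an address to the newest TLS version that server offers
    (constructed sample values, not measurements).  A server that cannot
    reach our minimum never answers, as the notes describe for 185.49.141.38
    once tls_min_version is GETDNS_TLS1_3.
    """
    usable = []
    for up in upstreams:
        lo, _ = validate(up, ctx_min, ctx_max)
        offered = server_max.get(up.address_data, DEFAULT_MIN)
        if _idx(lo) <= _idx(offered):
            usable.append(up.address_data)
    return usable


if __name__ == "__main__":
    print(render_config([Upstream("1.1.1.1", tls_ciphersuites="TLS_AES_256_GCM_SHA384")]))
    print(render_config([Upstream("185.49.141.38", tls_max_version="GETDNS_TLS1_2")]))
    servers = {"185.49.141.38": "GETDNS_TLS1_2", "1.1.1.1": "GETDNS_TLS1_3"}  # constructed
    print(usable_upstreams([Upstream("185.49.141.38"), Upstream("1.1.1.1")],
                           servers, ctx_min="GETDNS_TLS1_3"))
```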

For DNSSEC:

  • Compiling with OpenSSL 1.1.1 means Ed25519 and Ed448 DNSKEY algorithm support.
  • A new extension named just dnssec, which requires that DNSSEC verification is performed.
    Answers with DNSSEC status INDETERMINATE will no longer be returned with this extension.
    Only INSECURE and SECURE answers will be returned.
  • Automatic fetching of trust anchors à la zero configuration DNSSEC will now be retried after failure, after a number of milliseconds that can be specified with getdns_context_set_trust_anchors_backoff_time().

This release has somewhat more specific error return codes and, in addition, logs many more messages through the logging system in error conditions.
Furthermore, this release adds a few extra logging systems:

  • GETDNS_LOG_SYS_STUB (0x2000) for logging about non-upstream-specific stub resolving
  • GETDNS_LOG_SYS_RECURSING (0x4000) for logging about recursive resolving
  • GETDNS_LOG_SYS_ANCHOR (0x8000) for logging about fetching trust anchors à la zero configuration DNSSEC

A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.

This release has a release candidate for Stubby 0.2.4 included, with:

  • A better stubby.service file, that will only start Stubby after the network came up.

Please review these release candidates carefully; if all is well, the actual release will follow Friday the 21st of December.

Photo by Jakob Owens on Unsplash

ChangeLog

* 2018-12-??: Version 1.5.0
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name
    without a type is given.
  * RFE #408: Fetching of trust anchors will be retried
    after failure, after a certain backoff time. The time
    can be configured with
    getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC
    verification.  When this extension is set, Indeterminate
    DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when
    trust anchor proves non-existence of one of the labels
    along the authentication chain other than the
    non-existence of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
    Configurable minimum and maximum TLS versions with
    getdns_context_set_tls_min_version() and
    getdns_context_set_tls_max_version() functions and
    tls_min_version and tls_max_version configuration parameters
    for upstreams.
  * Configurable TLS1.3 ciphersuites with the
    getdns_context_set_tls_ciphersuites() function and
    tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and
    tls_curve_list
  * Bugfix finding signer for validating NSEC and NSEC3s, which
    caused trouble with the partly tracing DNSSEC from the root
    up, introduced in 1.4.2.  Thanks Philip Homburg

Stubby ChangeLog

* 2018-12-??: Version 0.2.3
 * More DoT servers for stubby.yml.example
 * Bugfix: only start Stubby when network is up
   Thanks Bruno Pagani

getdns-1.4.2 release

11 May 11:32
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.4.2.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.4.2.tar.gz.asc
sha256 1685b82dfe297cffc4bae08a773cdc88a3edf9a4e5a1ea27d8764bb5affc0e80

Dear all,

I am pleased to announce the new bugfix release, version 1.4.2 of getdns
The two major bugfixes are:

  • DNSSEC Denial of Existence validation at NSEC wildcards, which was broken since 1.4.0.

  • Null termination of strings in configuration dictionaries. This in particular affected Stubby configurations with settings for trust_anchors_url, trust_anchors_verify_CA, trust_anchors_verify_email, appdata_dir, resolvconf, hosts, tls_ca_path, tls_ca_file, tls_cipher_list and tls_curves_list.
    If you use Stubby and had one of these configured, but they did not affect Stubby operation as expected, retry with this release candidate to see if it resolves the issue.

DNSSEC validation in stub mode has been improved and should be possible more often now (also with badly behaving authoritatives), because it is now partly traced from the root up.

A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.

This release has Stubby release 0.2.3 included, with:

  • An updated stubby.yml file (Watch out! The entries for securedns.eu have changed!)
  • Better recommendations for running Stubby with systemd
  • No pass through of EDNS0 options that were handled by underlying getdns

Picture of Palais du Pharo in Marseille of Knowtex (CC BY 2.0)

ChangeLog

* 2018-05-11: Version 1.4.2
  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
    in the Windows root CA store.
  * PR #397: No TCP sendto without TCP_FASTOPEN
    Thanks Emery Hemingway
  * Bugfix getdnsapi/stubby#106: Core dump when printing certain
    configuration. Thanks Han Vinke
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
    up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
    Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
    string bindata's.  Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
    handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
    or higher. Thanks mire3212

Stubby ChangeLog

* 2018-05-11: Version 0.2.3
 * Bugfix #62 and #106: With systemd setups, make /run/stubby directory
   writeable for stubby user and include a "appdata_dir" directory
   in stubby.yml.example.
   Thanks Paul Wouters, eccgecko and Han Vinke
 * Update securedns.eu entries in stubby.yml.example
 * Added Cloudflare servers in stubby.yml.example
 * Added basic upstart script in contrib/upstart dir. Thanks vapniks
 * Bugfix #98: EDNS options that are handled internally should not
   be passed on through downstream.  Thanks Twisteroid Ambassador

First release candidate for getdns-1.4.2

04 May 14:39
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.4.2-rc1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.4.2-rc1.tar.gz.asc
sha256 3d2f7c866d3db39236d1a6a27ae64c59ddc38789422bc67d88ad2d7c979e71cd

Dear all,

We have a first release candidate for the upcoming 1.4.2 bugfix release of getdns.
The two major bugfixes are:

  • DNSSEC Denial of Existence validation at NSEC wildcards, which was broken since 1.4.0.

  • Null termination of strings in configuration dictionaries. This in particular affected Stubby configurations with settings for trust_anchors_url, trust_anchors_verify_CA, trust_anchors_verify_email, appdata_dir, resolvconf, hosts, tls_ca_path, tls_ca_file, tls_cipher_list and tls_curves_list.
    If you use Stubby and had one of these configured, but they did not affect Stubby operation as expected, retry with this release candidate to see if it resolves the issue.

DNSSEC validation in stub mode has been improved and should be possible more often now (also with badly behaving authoritatives), because it is now partly traced from the root up.

A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.

This release has a release candidate for Stubby 0.2.3 included, with:

  • An updated stubby.yml file (Watch out! The entries for securedns.eu have changed!)
  • Better recommendations for running Stubby with systemd
  • No pass through of EDNS0 options that were handled by underlying getdns

Please review these release candidates carefully; if all is well, the actual release will follow Friday the 11th of May.

Japanese freedom characters courtesy of Jin4Ever (CC BY 4.0)

ChangeLog

* 2018-05-??: Version 1.4.2
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
    up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
    Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
    string bindata's.  Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
    handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
    or higher. Thanks mire3212

Stubby ChangeLog

* 2018-05-??: Version 0.2.3
 * With systemd setups, make /run/stubby directory writeable for stubby user
   and include a "appdata_dir" directory in stubby.yml.example
 * Update securedns.eu entries in stubby.yml.example
 * Added Cloudflare servers in stubby.yml.example
 * Added basic upstart script in contrib/upstart dir. Thanks vapniks
 * Bugfix #98: EDNS options that are handled internally should not
   be passed on through downstream.  Thanks Twisteroid Ambassador

getdns-1.4.1 release

12 Mar 12:28
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.4.1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.4.1.tar.gz.asc
sha256 245233dc780f615b6ab1472f2b9cdcd957a451a736f3036717d0da466ab1c51e

Dear all,

I am pleased to announce the new bugfix release, version 1.4.1 of getdns.

This release has a fix for a DNSSEC validation failure for insecure NODATA responses, which was introduced in getdns-1.2.1.
Besides this DNSSEC bugfix, getdns can now also determine the DNSSEC validation status of zones with missing SOA records. This sometimes occurs with sloppily implemented CDNs.

Besides these DNSSEC fixes, this release also contains a few upstream management improvements, mainly contributed by Robert Groenenberg:

  • Before, when a UDP query for a specific upstream failed, it was marked to back off for a certain number of queries. The number of queries to let pass before giving it another go increased exponentially on each successive failure. This exponential back-off increase is now limited. The default maximum UDP back-off value is 1000. This means that when a UDP upstream is down, it will always be retried at least once every 1000 queries.

  • When all UDP upstreams are failing (for example because the WiFi is temporarily down), the back-off scheme described above is abandoned, and all failing upstreams will be retried equally. This speeds up the re-establishment of DNS availability when upstreams become functional again (WiFi is up!).

  • For each individual query, every upstream will be tried only once. This resolves a nasty bug in which failing TCP upstreams are retried over and over again with the same failing query, because TCP upstreams lack the time based back off mechanisms that TLS upstreams have.

A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.

Picture of eurostar train to London courtesy of Erich Westendarp (CC0 1.0)

ChangeLog

* 2018-03-12: Version 1.4.1
  * Bugfix #388: Prevent fallback to an earlier tried upstream within a
    single query.  Thanks Robert Groenenberg
  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
    Thanks Rosen Penev
  * PR #386: UDP failover improvements:
    - When all UDP upstreams fail, retry them (more or less) equally
    - Limit maximum UDP backoff (default to 1000)
      This is configurable with the --with-max-udp-backoff configure
      option.
    Thanks Robert Groenenberg
  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
    Thanks Elmer Lastdrager
  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
    Thanks hanvinke
  * PR #384: Fix minor spelling and formatting.  Thanks dkg.
  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon

First release candidate for getdns-1.4.1

05 Mar 16:11
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.4.1-rc1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.4.1-rc1.tar.gz.asc
sha256 e1540d289ec82a752f0d4046d59c2445b76dcdc74a8653b90d7e530e6b2bec19

Dear all,

We have a first release candidate for the upcoming 1.4.1 quick-fix release of getdns.

This release has a fix for a DNSSEC validation failure for insecure NODATA responses, which was introduced in getdns-1.2.1.
Besides this DNSSEC bugfix, getdns can now also determine the DNSSEC validation status of zones with missing SOA records. This sometimes occurs with sloppily implemented CDNs.

Besides these DNSSEC fixes, this release also contains a few upstream management improvements, mainly contributed by Robert Groenenberg:

  • Before, when a UDP query for a specific upstream failed, it was marked to back off for a certain number of queries.
    The number of queries to let pass before giving it another go increased exponentially on each successive failure.
    This exponential back-off increase is now limited.
    The default maximum UDP back-off value is 1000.
    This means that when a UDP upstream is down, it will always be retried at least once every 1000 queries.

  • When all UDP upstreams are failing (for example because the WiFi is temporarily down), the back-off scheme described above is abandoned, and all failing upstreams will be retried equally.
    This speeds up the re-establishment of DNS availability when upstreams become functional again (WiFi is up!).

  • For each individual query, every upstream will be tried only once.
    This resolves a nasty bug in which failing TCP upstreams are retried over and over again with the same failing query, because TCP upstreams lack the time based back off mechanisms that TLS upstreams have.
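The three upstream-management rules listed here (and in the 1.4.1 release notes above), as an added Python model that is not getdns code: an exponential per-upstream back-off capped at the default of 1000, equal round-robin retries once every UDP upstream is backing off, and at most one attempt per upstream per query. The counters and their once-per-query decrement are assumptions; the release notes do not describe getdns's internal structures.

```python
"""Model of the UDP upstream back-off scheme described for getdns 1.4.1.

Added example, not getdns code.  It implements the three rules from the
release notes; the counters below and their once-per-query decrement are
assumptions, as the notes do not describe getdns's internal structures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_UDP_BACKOFF = 1000  # default of the --with-max-udp-backoff configure option


@dataclass
class Upstream:
    name: str
    back_off: int = 1   # queries to let pass after the next failure
    to_retry: int = 0   # queries still to let pass before the next attempt

    def usable(self) -> bool:
        return self.to_retry == 0

    def record_failure(self) -> None:
        self.to_retry = self.back_off
        # Rule 1: exponential growth, but capped so that a dead upstream is
        # still probed once every MAX_UDP_BACKOFF queries.
        self.back_off = min(self.back_off * 2, MAX_UDP_BACKOFF)

    def record_success(self) -> None:
        self.back_off, self.to_retry = 1, 0


class UdpFailover:
    def __init__(self, names: List[str]) -> None:
        self.upstreams = [Upstream(n) for n in names]
        self._rr = 0  # round-robin cursor used while every upstream is down

    def start_query(self) -> None:
        """One query has passed: move every backing-off upstream closer to retry."""
        for up in self.upstreams:
            if up.to_retry > 0:
                up.to_retry -= 1

    def pick(self, tried: List[str]) -> Optional[Upstream]:
        """Select an upstream for the next attempt of the current query."""
        # Rule 3: an upstream already tried for this query is never retried.
        candidates = [u for u in self.upstreams if u.name not in tried]
        if not candidates:
            return None
        if not any(u.usable() for u in self.upstreams):
            # Rule 2: everything is failing, so abandon back-off and rotate
            # through the remaining upstreams equally.
            up = candidates[self._rr % len(candidates)]
            self._rr += 1
            return up
        return next((u for u in candidates if u.usable()), None)


def run_query(fo: UdpFailover, is_up: Dict[str, bool],
              attempts: Dict[str, int]) -> Optional[str]:
    """Resolve one query; return the responding upstream or None."""
    fo.start_query()
    tried: List[str] = []
    while (up := fo.pick(tried)) is not None:
        tried.append(up.name)
        attempts[up.name] = attempts.get(up.name, 0) + 1
        if is_up[up.name]:          # constructed reachability, not real I/O
            up.record_success()
            return up.name
        up.record_failure()
    return None


def simulate(fo: UdpFailover, is_up: Dict[str, bool],
             queries: int) -> Tuple[Dict[str, int], int]:
    """Run `queries` queries; return per-upstream attempts and answered count."""
    attempts: Dict[str, int] = {u.name: 0 for u in fo.upstreams}
    answered = sum(run_query(fo, is_up, attempts) is not None
                   for _ in range(queries))
    return attempts, answered


if __name__ == "__main__":
    fo = UdpFailover(["dead", "alive"])
    print(simulate(fo, {"dead": False, "alive": True}, 5000))
    # dead is probed 14 times in 5000 queries: at 1, 2, 4, ..., 1024, then every 1000
    outage = UdpFailover(["a", "b"])
    state = {"a": False, "b": False}
    print(simulate(outage, state, 20))   # both tried on every query
    state["b"] = True
    print(run_query(outage, state, {}))  # b answers the very next query
```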

A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.

Please review this release candidate carefully; if all is well, the actual release will follow Monday the 12th of March.

Drawing of adhesive bandage courtesy of Nevit Dilmen (CC BY-SA 3.0)

ChangeLog

* 2018-03-??: Version 1.4.1
  * Bugfix #388: Prevent fallback to an earlier tried upstream within a
    single query.  Thanks Robert Groenenberg
  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
    Thanks Rosen Penev
  * PR #386: UDP failover improvements:
    - When all UDP upstreams fail, retry them (more or less) equally
    - Limit maximum UDP backoff (default to 1000)
      This is configurable with the --with-max-udp-backoff configure
      option.
    Thanks Robert Groenenberg
  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
    Thanks Elmer Lastdrager
  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
    Thanks hanvinke
  * PR #384: Fix minor spelling and formatting.  Thanks dkg.
  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon

getdns-1.4.0 release

22 Feb 09:11
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.4.0.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.4.0.tar.gz.asc
sha256 de360cd554fdec4bae3f5afbb36145872b8ff7306ded5deb0905442c4909f7b3

Dear all,

I am pleased to announce the new security and bugfix release, version 1.4.0 of getdns.

Security Fixes: The release contains two security fixes.

  1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched.
    This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred.
    Only one error status is returned by the underlying OpenSSL verification function and that error status masks potential other errors.

    This release checks SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from Viktor Dukhovni's danessl library, which is included, for OpenSSL version 1.0.0 and higher.

    For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.

  2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections.
    One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed.
    Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs.
    This release has that fixed.

Stability Fixes: Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library in certain conditions.

'Additional API' - new functions: Besides the available ciphers, the supported curves can now be configured too, with the getdns_context_set_tls_curves_list() function, or per upstream with the getdns_context_set_upstream_recursive_servers() function.

Tools: This release includes a new tool, getdns_server_mon, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool.
This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers.

NOTE: Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora packagers.


Stubby: This release includes the new version 0.2.2 release of Stubby.

  • It includes an updated and fixed stubby.yml configuration file.
  • Has additional logging of basic configuration on startup.
  • Has a manpage included.

Picture of Safe and Sounds Puppy courtesy of Kaydee H (CC BY-SA 2.0)

ChangeLog

* 2018-02-21: Version 1.4.0
  * .so revision bump to please fedora packaging system.
    Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list()
    An upstream specific list of supported curves may also be given
    with the tls_curves_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive
    resolver's capabilities.
  * Improved handling of opportunistic back-off.  If other transports
    are working, don’t forcibly promote failed upstreams just wait for
    the re-try timer.
  * Hostname authentication with libressl
    Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105.  Although getdns was
    not vulnerable for this specific issue, as a precaution code has been
    adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
    be wildcard expansions when used with DNSSEC proofs.  Only direct
    queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous double free or corruption, and corrupted
    memory double linked list detected issue, with serving functionality.
    Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinsets
    with OpenSSL native DANE functions for OpenSSL >= 1.1.0
    with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
    don't allow for authentication exceptions (like self-signed
    certificates) otherwise.  Thanks Viktor Dukhovni
  * libidn2 support.  Thanks Paul Wouters

Stubby ChangeLog

* 2018-02-21: Version 0.2.2
 * Fixes and updates to the stubby.yml.config file. Add separate entries for
   servers that listen on port 443.
 * Additional logging of basic config on startup
 * -V option to show version
 * Added a man page

First release candidate for getdns-1.4.0

21 Feb 09:53
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz.asc
sha256 b60963f966111e24efdc96e048d1e3b7492d5cfd590abc73cff227ecc3549f52

Dear all,

We have a first release candidate for the upcoming 1.4.0 security and stability release of getdns.

Security Fixes: The release contains two security fixes.

  1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched.
    This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred.
    Only one error status is returned by the underlying OpenSSL verification function and that error status masks potential other errors.

    This release checks SPKI pins with the native OpenSSL DANE functions for OpenSSL version 1.1.0 and higher, or with the DANE functions from Viktor Dukhovni's danessl library, which is included, for OpenSSL version 1.0.0 and higher.

    For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.

  2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that made it possible to downgrade secure connections.
    One of the causes of the issue was that wildcard expansions of resource records used in DNSSEC proofs were allowed.
    Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proofs.
    This release has that fixed.
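The masking problem behind the first security fix (here and in the 1.4.0 release notes above), as an added Python model that is not getdns or OpenSSL code: a stand-in verifier reports only the first failing check, as the single status returned by the OpenSSL verification function does, so tolerating the self-signed status on a pin match silently skips every later check. accept_fixed() models the principle of the fix (a pin may stand in for the missing chain of trust and for nothing else), not the OpenSSL or danessl DANE calls the release actually uses; the pin digests are constructed.

```python
"""Why one verify status cannot justify tolerating self-signed certificates
on an SPKI pin match (the first security fix in getdns 1.4.0).

Added example, not getdns or OpenSSL code.  verify_result() is a stand-in
for the OpenSSL verification function with the one property that matters
here: it reports a single error code, the first check that failed, and
says nothing about the checks after it.  The pin digests are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Real OpenSSL status names, used here only as labels.
X509_V_OK = "X509_V_OK"
SELF_SIGNED = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
EXPIRED = "X509_V_ERR_CERT_HAS_EXPIRED"
HOSTNAME_MISMATCH = "X509_V_ERR_HOSTNAME_MISMATCH"


@dataclass(frozen=True)
class Cert:
    spki_sha256: str        # hex digest of the SubjectPublicKeyInfo
    self_signed: bool       # no chain to a trusted CA
    expired: bool
    hostname_ok: bool


def verify_result(cert: Cert) -> str:
    """First failing check wins; later checks are neither run nor reported.

    Chain trust is evaluated before validity dates and names, so a
    self-signed certificate that is also expired yields only SELF_SIGNED.
    """
    if cert.self_signed:
        return SELF_SIGNED
    if cert.expired:
        return EXPIRED
    if not cert.hostname_ok:
        return HOSTNAME_MISMATCH
    return X509_V_OK


def accept_pre_1_4_0(cert: Cert, pins: FrozenSet[str]) -> bool:
    """The pattern the release removes: treat SELF_SIGNED as harmless when
    the pin matches.  Wrong, because SELF_SIGNED masked every other error."""
    status = verify_result(cert)
    return cert.spki_sha256 in pins and status in (X509_V_OK, SELF_SIGNED)


def accept_fixed(cert: Cert, pins: FrozenSet[str]) -> bool:
    """Principle of the fix: a matching pin stands in for the missing chain
    of trust and for nothing else; every remaining check is evaluated
    directly rather than inferred from one masked status."""
    if cert.spki_sha256 not in pins:
        return False
    return not cert.expired and cert.hostname_ok


# Constructed sample pin and certificates (not real digests).
PINS = frozenset({"3f" * 32})
PINNED_OK = Cert("3f" * 32, self_signed=True, expired=False, hostname_ok=True)
PINNED_ROTTEN = Cert("3f" * 32, self_signed=True, expired=True, hostname_ok=False)
UNPINNED = Cert("a0" * 32, self_signed=False, expired=False, hostname_ok=True)

if __name__ == "__main__":
    print(verify_result(PINNED_ROTTEN))           # only SELF_SIGNED is reported
    print(accept_pre_1_4_0(PINNED_ROTTEN, PINS))  # True: expiry and name slipped through
    print(accept_fixed(PINNED_ROTTEN, PINS))      # False
    print(accept_fixed(PINNED_OK, PINS))          # True
```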

Stability Fixes: Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library in certain conditions.

'Additional API' - new functions: Besides the available ciphers, the supported curves can now be configured too, with the getdns_context_set_tls_curves_list() function, or per upstream with the getdns_context_set_upstream_recursive_servers() function.

Tools: This release includes a new tool, getdns_server_mon, based on Stéphane Bortzmeyer's DNS-over-TLS monitoring tool.
This tool is used to generate the table showing the capabilities of public DNS-over-TLS servers.

NOTE: Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at the request of the Fedora packagers.


Stubby: This release candidate includes a candidate for a 0.2.2 release of Stubby.

  • It includes an updated and fixed stubby.yml configuration file.
  • Has additional logging of basic configuration on startup.
  • Has a manpage included.

Please review this release candidate carefully; if all is well, the actual release will follow Wednesday the 21st of February.

Picture of Boo Valentine courtesy of DaPuglet (CC BY-SA 2.0)


ChangeLog

* 2018-02-??: Version 1.4.0
  * .so revision bump to please fedora packaging system.
    Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list()
    An upstream specific list of supported curves may also be given
    with the tls_curves_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive
    resolver's capabilities.
  * Improved handling of opportunistic back-off.  If other transports
    are working, don’t forcibly promote failed upstreams just wait for
    the re-try timer.
  * Hostname authentication with libressl
    Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105.  Although getdns was
    not vulnerable for this specific issue, as a precaution code has been
    adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
    be wildcard expansions when used with DNSSEC proofs.  Only direct
    queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous double free or corruption, and corrupted
    memory double linked list detected issue, with serving functionality.
    Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinsets
    with OpenSSL native DANE functions for OpenSSL >= 1.1.0
    with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
    don't allow for authentication exceptions (like self-signed
    certificates) otherwise.  Thanks Viktor Dukhovni
  * libidn2 support.  Thanks Paul Wouters

Stubby ChangeLog

* 2018-02-??: Version 0.2.2
 * Fixes and updates to the stubby.yml.config file. Add separate entries for
   servers that listen on port 443.
 * Additional logging of basic config on startup
 * -V option to show version
 * Added a man page

getdns-1.3.0 released

27 Dec 10:24
Please do not use the github generated Source code (zip) and (tar.gz) files,
but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.3.0.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.3.0.tar.gz.asc
sha256 920fa2e07c72fd0e5854db1820fa777108009fc5cb702f9aa5155ef58b12adb1

Dear all,

I am pleased to announce the new special Christmas 2017 bugfix release, version 1.3.0 of getdns.

Recently Stubby has seen increased interest, already after the release of the Windows installer, but even more so after the introduction of Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex Band and Stéphane Bortzmeyer.

The increased install base has generated excellent feedback and has also revealed some bugs. This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.

The bugs fixed with this release are:

  • A segfault with the native DNSSEC validation code when DS and DNSKEY queries timed out,
  • A non-RFC-compliant edns_client_subnet_private option that caused some upstream EDNS Client Subnet implementations (e.g. Unbound's) to return FORMERR, and
  • Doing the meta queries for Zero configuration DNSSEC with the resolvers from /etc/resolv.conf, which caused Stubby to query itself for this, effectively breaking the possibility to fetch the root trust-anchors and bootstrap DNSSEC.

Besides these fixes, this release allows a getdns_context to be initialized from resolv.conf and hosts files at alternative locations, with the getdns_context_set_resolvconf() and getdns_context_set_hosts() functions.

Also, the TLS parameters for DNS-over-TLS are more configurable with this release. The CA store for authenticating DNS-over-TLS upstreams can be specified with the getdns_context_set_tls_ca_path() and getdns_context_set_tls_ca_file() functions. The default available ciphers are configurable with the getdns_context_set_tls_cipher_list() function. The default cipher list has been adapted to support TLS1.3 too when linked with a TLS1.3-supporting version of OpenSSL (i.e. >= 1.1.1). Available ciphers can also be set for specific upstreams with getdns_context_set_upstream_recursive_servers().
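An added example (not from the getdns project) that puts the 1.3.0 TLS settings described here, plus the 1.4.0 tls_curves_list setting from the changelog above, into a getdns_query config dict in the same notation the project uses. It assumes the config dict keys match the setter names without the getdns_context_set_ prefix; the CA file path, resolver address, authentication name and cipher/curve strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not getdns project code. Builds a getdns_query config
# dict that only allows DNS-over-TLS, requires the upstream to authenticate
# against an explicit CA file, and restricts ciphers and curves at context
# level with a per-upstream cipher override. All values are constructed.
getdns_tls_config() {
    ca_file="$1"        # CA bundle used to verify the upstream certificate
    upstream_ip="$2"    # address of the DNS-over-TLS upstream
    upstream_name="$3"  # name the upstream's certificate must match
    printf '%s' "{ dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
  , tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
  , tls_ca_file: \"$ca_file\"
  , tls_cipher_list: \"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\"
  , tls_curves_list: \"X25519:P-256\"
  , upstream_recursive_servers:
    [ { address_data: $upstream_ip
      , tls_auth_name: \"$upstream_name\"
      , tls_cipher_list: \"ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384\" } ] }"
}

# Constructed placeholder values; adjust for your own CA store and upstream.
cfg=$(getdns_tls_config /etc/ssl/certs/ca-certificates.crt 1.1.1.1 cloudflare-dns.com)

# Run the query only when getdns_query is installed (stub mode, TLS only);
# otherwise print the command line that would be used.
if command -v getdns_query >/dev/null 2>&1; then
    getdns_query -s -L "$cfg" getdnsapi.net A +return_call_reporting
else
    printf 'getdns_query -s -L %s getdnsapi.net A +return_call_reporting\n' "'$cfg'"
fi
```

With +return_call_reporting, the response dict shows which upstream answered and over which transport, so a misconfigured CA file or cipher list surfaces as a failed authenticated TLS connection rather than a silent fallback.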

The getdns_context_get_api_information() function exposes more getdns_context settings, amongst which:

  • The default settings for extensions,
  • The paths for files that were used to initialize a getdns_context (resolv.conf, hosts and trust anchors), and
  • More information about the version, configuration and capabilities of the OpenSSL library in use.

This release includes the 0.2.1 release of Stubby. The most prominent bugfix therein is to not do DNSSEC validation for queries with the CD bit set, when DNSSEC validation was not configured in the first place. This bug caused decreased performance for configurations with an Unbound instance forwarding to Stubby.

The 0.2.1 release of Stubby also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS


This release has version number 1.3.0 and not 1.2.2, for which the release candidate was created, because we comply with the Semantic Versioning 2.0.0 scheme, and a few new functions are introduced into the API. The other change from the release candidate is that the Certificate Authority store location settings are now prepended with tls_, like all other settings influencing DNS-over-TLS.

Merry Christmas & Happy New Year from the getdns team!

Picture of ladybug in Christmas tree courtesy of David Whelan

ChangeLog

* 2017-12-21: Version 1.3.0
  * Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
    Thanks Tim Rühsen and Konomi Kitten
  * Specify default available cipher suites for authenticated TLS
    upstreams with getdns_context_set_tls_cipher_list()
    An upstream specific available cipher suite list may also be given
    with the tls_cipher_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
    Thanks Pascal Ernster
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over the
    context-configured upstreams.  Thanks Andreas Schulze
  * Report default extension settings with
    getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes
    are located: getdns_context_set_tls_ca_path()
    getdns_context_set_tls_ca_file()
  * getdns_context_set_resolvconf() function to initialize a context's
    upstreams and suffixes with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize
    the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's
    LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to initialize
    the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time
    when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza & Andreas Schulze
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
    validation.  Thanks Bruno Pagani

Stubby ChangeLog

* 2017-12-18: Version 0.2.1
 * Fix use of logging on macos 10.11

* 2017-12-18: Version 0.2.0
 * Add PowerShell scripts for Windows 7 that will update the IPv4 DNS resolvers.
 * Add Windows scripts to enable a Scheduled task for stubby
 * Add files to support a separate macOS GUI application to manage stubby
   https://dnsprivacy.org/wiki/x/CIBn
 * Add Quad9 details to the configuration file
 * Bugfix #48: Do not do native DNSSEC validation when cd bit was
   received (for example from an unbound forwarder), but DNSSEC
   validation was not enabled in the first place.
 * Bugfix getdnsapi/getdns#358: Parse config files given with the
   -C option that have an .yaml extension as YAML not JSON.
   Thanks Ollivier Robert

First release candidate for getdns-1.2.2

28 Dec 10:42
Please do not use the github generated Source code (zip) and (tar.gz) files, but our own tarball instead:
tarball https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz
pgp sig https://getdnsapi.net/dist/getdns-1.2.2-rc1.tar.gz.asc
sha256 cebfad179d6b0db8e1f4875152caf788e870710f1c52c0a92ea10d4622d4438b

Dear all,

We have a first release candidate for the upcoming 1.2.2 bugfix release of getdns.

Recently Stubby has seen increased interest, already after the release of the Windows installer, but even more so after the introduction of Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex Band and Stéphane Bortzmeyer.

The increased install base has generated excellent feedback and has also revealed some bugs.
This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.

The bugs fixed with this release are:

  • A segfault with the native DNSSEC validation code when DS and DNSKEY queries timed out,
  • A non-RFC-compliant edns_client_subnet_private option that caused some upstream EDNS Client Subnet implementations (e.g. Unbound's) to return FORMERR, and
  • Doing the meta queries for Zero configuration DNSSEC with the resolvers from /etc/resolv.conf, which caused Stubby to query itself for this, effectively breaking the possibility to fetch the root trust-anchors and bootstrap DNSSEC.

Besides these fixes, this release allows a getdns_context to be initialized from resolv.conf and hosts files at alternative locations, with the getdns_context_set_resolvconf() and getdns_context_set_hosts() functions.
Also a specific location for the CA store, for authenticating DNS-over-TLS upstreams, can be specified with the getdns_context_set_CApath() and getdns_context_set_CAfile() functions.

The getdns_context_get_api_information() function exposes more getdns_context settings, amongst which:

  • The default settings for extensions,
  • The paths for files that were used to initialize a getdns_context (resolv.conf, hosts and trust anchors), and
  • More information about the version, configuration and capabilities of the OpenSSL library in use.

This release candidate includes a candidate for a 0.2.0 release of Stubby.
The most prominent bugfix therein is to not do DNSSEC validation for queries with the CD bit set, when DNSSEC validation was not configured in the first place.
This bug caused decreased performance for configurations with an Unbound instance forwarding to Stubby.

The 0.2.0 release (candidate) of Stubby also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS

Please review this release candidate carefully; if all is well, the actual release will follow Thursday the 21st of December.

ChangeLog

* 2017-12-??: Version 1.2.2
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over the
    context-configured upstreams.
  * Report default extension settings with
    getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes
    are located: getdns_context_set_CApath() getdns_context_set_CAfile()
  * getdns_context_set_resolvconf() function to initialize a context's
    upstreams and suffixes with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize
    the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's
    LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to initialize
    the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time
    when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
    validation.  Thanks Bruno Pagani

Stubby ChangeLog

* 2017-12-?: Version 0.2.0
  * Add files to support a separate macOS GUI application to manage stubby
  * Bugfix #48: Do not do native DNSSEC validation when cd bit was
    received (for example from an unbound forwarder), but DNSSEC
    validation was not enabled in the first place.
  * Bugfix getdnsapi/getdns#358: Parse config files given with the
    -C option that have an .yaml extension as YAML not JSON.
    Thanks Ollivier Robert