577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84
Dear all,
I am pleased to announce the new Christmas 2018 bugfix and maintenance release, version 1.5.0 of getdns.
Maintenance work included bringing getdns up to par with OpenSSL 1.1.1.
For the DNS-over-TLS capability this means TLS1.3 support.
TLS1.3 cipher suites can now be configured, either at context level with the getdns_context_set_tls_ciphersuites()
function, or at upstream level by specifying a tls_ciphersuites
entry.
For example:
getdns_query -s -L \
'{ upstream_recursive_servers: [
{ address_data : 1.1.1.1
, tls_ciphersuites: "TLS_AES_256_GCM_SHA384"
} ] }'
For TLS1.2 and earlier the (not new) getdns_context_set_tls_cipher_list()
function, or tls_cipher_list
entry at upstream level needs to be used, analogous to the SSL_CTX_set_ciphersuites()
and SSL_CTX_set_cipher_list()
functions in OpenSSL.
The minimum & maximum TLS version to be used per upstream can be specified now at context level with the getdns_context_set_tls_min_version()
and the getdns_context_set_tls_max_version()
functions, or at upstream level by specifying an tls_min_version
or a tls_max_version
.
For example:
getdns_query -s -L '{ upstream_recursive_servers:
[ { address_data : 185.49.141.38
, tls_max_version: GETDNS_TLS1_2 } ] }'
An example that requires TLS1.3 support at context level:
getdns_query -sL '{tls_min_version:GETDNS_TLS1_3}' \
@185.49.141.38 @1.1.1.1 +return_call_reporting
Because 185.49.141.38
does not yet support TLS1.3, this will result in queries to 1.1.1.1
only, as can be seen under "call_reporting"
in the response dict.
For DNSSEC:
dnssec
, which requires that DNSSEC verification is performed.
Answers with DNSSEC status INDETERMINATE will no longer return answers with this extension.
Only INSECURE and SECURE answers will be returned.
One benefit of this mode is that getdns will hard fail if it does not have, or cannot fetch a valid trust anchor and perform validation.getdns_context_set_trust_anchors_backoff_time()
.This release has a bit more specific error return codes, and in addition logs much more messages using the logging system, in error conditions. Further more, this release adds a few extra logging systems:
GETDNS_LOG_SYS_STUB
(0x2000) for logging about non upstream specific stub resolving`GETDNS_LOG_SYS_RECURSING
(0x4000) for logging about recursive resolvingGETDNS_LOG_SYS_ANCHOR
(0x8000) to logging about fetching trust anchors à la Zero configuration DNSSECA few more issues are resolved with this release. For a complete overview see the ChangeLog section below.
This release has the 0.2.4 release of Stubby included, with:
stubby.yml.example
that uses the dnssec
extension to enable DNSSEC with explanation of its consequences.stubby.service
file, that will only start Stubby after the network came up.Note that Stubby now has a dependency on getdns-1.5.0
because of the dnssec
extension
Merry Christmas & Happy New year from the getdns team!
Photo by Jakob Owens on Unsplash
* 2018-12-21: Version 1.5.0 * RFE getdnsapi/stubby#121 log re-instantiating TLS upstreams (because they reached tls_backoff_time) at log level 4 (WARNING) * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too * ZONEMD rr-type * getdns_query queries for addresses when a query name without a type is given. * RFE #408: Fetching of trust anchors will be retried after failure, after a certain backoff time. The time can be configured with getdns_context_set_trust_anchors_backoff_time(). * RFE #408: A "dnssec" extension that requires DNSSEC verification. When this extension is set, Indeterminate DNSSEC status will not be returned. * Issue #410: Unspecified ownership of get_api_information() * Fix for DNSSEC bug in finding most specific key when trust anchor proves non-existance of one of the labels along the authentication chain other than the non- existance of a DS record on a zonecut. * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130: Configurable minimum and maximum TLS versions with getdns_context_set_tls_min_version() and getdns_context_set_tls_max_version() functions and tls_min_version and tls_max_version configuration parameters for upstreams. * Configurable TLS1.3 ciphersuites with the getdns_context_set_tls_ciphersuites() function and tls_ciphersuites config parameter for upstreams. * Bugfix in upstream string configurations: tls_cipher_list and tls_curve_list * Bugfix finding signer for validating NSEC and NSEC3s, which caused trouble with the partly tracing DNSSEC from the root up, introduced in 1.4.2. Thanks Philip Homburg
* 2018-12-21: Version 0.2.4 * DNSSEC required with dnssec extension in example config * Removed the yeti servers from stubby.yml.example * Added the Foundation RESTENA servers in stubby.yml.example * Bugfix: only start Stubby when network is up Thanks Bruno Pagani