b6b73a501ee79c0fafb0721023eb3a5d0e1bfa047fbe65302db278cb956bd1fe
          Dear All,
We have a special New Year's Eve release, version 0.9.0 of getdns.
This release brings the implementation on par with the December 2015 version of the specification and has (almost) all of the still remaining functionality from the specification implemented. These include:
See this in action with
getdns_query, for example with the root servers of the Yeti DNS Project (https://yeti-dns.org/):getdns_query -f yeti.key -R yeti.hints getdnsapi.net A +dnssec_return_statusWhere
yeti.keycame from:
https://github.com/BII-Lab/Yeti-Project/raw/master/domain/KSK.pub andyeti.hintscame from: https://github.com/BII-Lab/Yeti-Project/raw/master/domain/named.cache
Specification of upstreams with
getdns_queryhas been extended to configure a TSIG name and secret. From thegetdns_queryhelp text:getdns_query [<option> ...] [@<upstream> ...] [+<extension> ...] [<name>] [<type>] upstreams: @<ip>[%<scope_id>][@<port>][#<tls port>][~<tls name>][^<tsig spec>] tsig spec: [<algorithm>:]<name>:<secret in Base64>For example:
getdns_query -s @185.49.141.37^hmac-md5.tsigs.getdnsapi.net:16G69OTeXW6xSQ== getdnsapi.net SOAYou can check the query was
TSIGauthenticated by looking for thetsig_statuskey in the replies in thereplies_tree.
append_name" setting.Options have been added to
getdns_queryto try this out too. A list of suffixes to be tried can be given with the-Zoption, so that this query:getdns_query -Z getdnsapi.net,com -A www.verisignlabsWill first try to get the addresses for
www.verisignlabs.getdnsapi.netand will then try and return the successful lookup of the addresses forwww.verisignlabs.com
add_warning_for_bad_dns extension.For example, this query:
getdns_query +add_warning_for_bad_dns _443._tcp.www.nlnetlabs.nl TXTwill result in having the following
"bad dns"list in the reply in thereplies_tree:"bad_dns": [ GETDNS_BAD_DNS_CNAME_RETURNED_FOR_OTHER_TYPE , GETDNS_BAD_DNS_ALL_NUMERIC_LABEL ]
Other new features and noteworthy improvements are:
getdns_dicts representing resource records to and from wire- and zone file format.Also zone files can be read into a
getdns_listofgetdns_dicts representing the resource records in that zone file. These lists can then conveniently be used with (for example)getdns_context_set_dns_root_servers()andgetdns_context_set_dnssec_trust_anchors().There is brief doxygen documentation for the conversion functions here:
Example usage can be found in the unit test package for these functions:
The output produced by this example program:
edns-tcp-keepalive supportConfiguration is done per-upstream, with an additional member of the upstream object,
tls_pubkey_pinset. This is a list of dicts, each of which describes a public key pin, which looks like this:{ "address_data": <bindata for 185.49.141.38>, "address_type": <bindata of "IPv4">, "tls_pubkey_pinset": [ { "digest": <bindata of "sha256">, "value": <bindata of 0x17d099f483436ddfb6791428cd8aaa6d...> }, { "digest": <bindata of "sha256">, "value": <bindata of 0x7e8c59467221f606695a797ecc488a6b...> } ] }There is a new argument for
getdns_query,-K, to specify pins. All pins are applied to all upstreams. For example:getdns_query -s -K 'pin-sha256="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="' @185.49.141.38~getdnsapi.net -L -m
Besides these new functionalities, a few bugs have been fixed. For a complete overview see the ChangeLog below.
* 2015-12-31: Version 0.9.0
  * Update of unofficial extension to the API that supports stub mode 
    TLS verification. GETDNS_AUTHENTICATION_HOSTNAME is replaced by 
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias). 
    Upstreams can now be configured with either a hostname or a SPKI pinset 
    for TLS authentication (or both). If the GETDNS_AUTHENTICATION_REQUIRED
    option is used at least one piece of authentication information must be 
    configured for each upstream, and all the configured authentication 
    information for an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support.  Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa.  Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the with the getdns_context_set_dns_root_servers() function
    provided root servers in recursing resolution modus.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
    dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support + getdns_query syntax to specify TSIG parameters
    per upstream: @<ip>[^[<algorithm>:]<name>:<secret in Base64>]
  * Bugfix: Allow truncated answers to be returned in case of missing
    fallback transport.
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.  Thanks Gowri Visweswaran
  * add_warning_for_bad_dns extension
  * Try and retry with suffixes giving with getdns_context_set_suffix()
    following directions given by getdns_context_set_append_name()
    getdns_query options to set suffixes and append_name directions:
    '-W' to append suffix always (default)
    '-1' to append suffix only to single label after failure
    '-M' to append suffix only to multi label name after failure
    '-N' to never append a suffix
    '-Z <suffixes>' to set suffixes with the given comma separed list
  * Better help text for getdns_query (printed with the '-h' option)
  * Setting the +specify_class extension with getdns_query
  * Return NOT_IMPLEMENTED for not implemented namespaces, and the
    not implemented getdns_context_set_follow_redirects() function.