We have a first release candidate for the upcoming 1.2.2 bugfix release of getdns.
Stubby has recently seen increased interest: first after the release of the Windows installer, and even more so after the introduction of Quad9 and the description of how to use DNS-over-TLS with Stubby by Alex Band and Stéphane Bortzmeyer.
The increased install base has generated excellent feedback and has also revealed some bugs. This release has those bugs fixed, and also contains a few more configuration options to be able to adapt to more diverse situations.
The bugs fixed with this release are:
edns_client_subnet_private option that caused some upstream EDNS Client Subnet implementations (i.e. Unbound's) to return
/etc/resolv.conf, which caused Stubby to query itself for this, effectively breaking the possibility to fetch the root trust-anchors and bootstrap DNSSEC.
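The changelog entry for Bugfix #359 says that edns_client_subnet_private should set the family. As an added illustration (not getdns code), this Python example encodes the RFC 7871 Client Subnet option in its private form (SOURCE PREFIX-LENGTH 0, no address) with FAMILY set, and checks a query option against the RFC's field rules; the function names and sample bytes are constructed for this example, and which of these checks a given upstream enforces is an assumption.

```python
import struct

ECS_OPTION_CODE = 8               # EDNS0 option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # IANA address family numbers

def build_private_ecs(family):
    """Encode the private ECS form: FAMILY set, SOURCE PREFIX-LENGTH 0, no ADDRESS."""
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError("FAMILY must be 1 (IPv4) or 2 (IPv6)")
    data = struct.pack("!HBB", family, 0, 0)   # family, source prefix, scope prefix
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def parse_ecs(option):
    """Decode one ECS option (code, length, fields); raise ValueError if malformed."""
    if len(option) < 8:
        raise ValueError("truncated ECS option")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    return {"family": family, "source": source, "scope": scope,
            "address": option[8:]}

def check_query_ecs(option):
    """List the RFC 7871 field rules that a query's ECS option violates."""
    f = parse_ecs(option)
    problems = []
    max_bits = {FAMILY_IPV4: 32, FAMILY_IPV6: 128}.get(f["family"])
    if max_bits is None:
        problems.append("unknown FAMILY %d" % f["family"])
    elif f["source"] > max_bits:
        problems.append("SOURCE PREFIX-LENGTH exceeds address size")
    if f["scope"] != 0:
        problems.append("SCOPE PREFIX-LENGTH must be 0 in queries")
    if len(f["address"]) != (f["source"] + 7) // 8:
        problems.append("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    return problems

# Constructed samples: the private form with FAMILY set, and the same
# option with FAMILY left at 0.
GOOD = build_private_ecs(FAMILY_IPV4)
NO_FAMILY = bytes.fromhex("0008000400000000")

if __name__ == "__main__":
    for name, opt in (("family set", GOOD), ("family 0", NO_FAMILY)):
        print(name, opt.hex(), check_query_ecs(opt) or "ok")
```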
Besides these fixes, this release allows to configure a
getdns_context to be initialized with
hosts at alternative locations, with the
Also a specific location for the CA store, for authenticating DNS-over-TLS upstreams, can be specified with the
hosts and trust anchors), and
This release candidate includes a candidate for a 0.2.0 release of Stubby.
The most prominent bugfix therein is to not do DNSSEC validation for queries with the CD bit set, when DNSSEC validation was not configured in the first place.
This bug caused decreased performance for configurations with an Unbound forwarding to Stubby.
The 0.2.0 release (candidate) of Stubby also includes some additional auxiliary functionality which is used by the macOS prototype GUI that was just released: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS
Please review this release candidate carefully. If all is well, the actual release will follow on Thursday the 21st of December.
* 2017-12-??: Version 1.2.2
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the context configured upstreams.
  * Report default extension settings with getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes are located: getdns_context_set_CApath() getdns_context_set_CAfile()
  * getdns_context_set_resolvconf() function to initialize a context upstreams and suffices with a resolv.conf file. getdns_context_get_resolvconf() to get the file used to initialize the context's upstreams and suffixes. getdns_context_set_hosts() function to initialize a context's LOCALNAMES namespace. getdns_context_get_hosts() function to get the file used to initialize the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family Thanks Daniel Areiza
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC validation. Thanks Bruno Pagani

* 2017-12-?: Version 0.2.0
  * Add files to support a separate macOS GUI application to manage stubby
  * Bugfix #48: Do not do native DNSSEC validation when cd bit was received (for example from an unbound forwarder), but DNSSEC validation was not enabled in the first place.
  * Bugfix getdnsapi/getdns#358: Parse config files given with the -C option that have an .yaml extension as YAML not JSON. Thanks Ollivier Robert