Fri 17 Jul 2015  

getdns-0.3.0 release



Packaging status

Dear All,

I am pleased to announce the special IETF93 edition release: version 0.3.0 of our getdns API implementation.

Besides bugfixes and DNS parameter updates, this release follows the July 2015 version of the API specification, which has a new function to set a list of transports: getdns_context_set_dns_transport_list().

If only one transport value is specified, it will be the only transport used. Should it not be available, basic resolution will fail. Fallback transport options are specified by including multiple values in the list. The values are GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP, GETDNS_TRANSPORT_TLS, or GETDNS_TRANSPORT_STARTTLS. The default is a list containing GETDNS_TRANSPORT_UDP then GETDNS_TRANSPORT_TCP.

Connections for transport options TCP, TLS and STARTTLS will now always be kept open and multiple queries will be pipelined over them. We have a new API function, getdns_context_set_idle_timeout(), with which you can specify how long a connection is kept open when there are no pending queries. The default is 0 milliseconds.

Besides the transports list, this release has improved DNSSEC support. Before, with stub resolution, libunbound was still used (in forwarding mode) when one of the DNSSEC extensions was set. This release has native stub DNSSEC validation on board, so all DNSSEC extensions can now be combined with all features available with stub resolution mode, such as the new transport options, cookies and fine grained control over EDNS0 options.

In the process to realise native stub validation, both the dnssec_return_validation_chain extension and the getdns_validate_dnssec() function have been thoroughly improved.

Before the dnssec_return_validation_chain extension only returned the chain of DS/DNSKEY's starting at the signers name of signatures. Now, the extension will return support records needed to assess all DNSSEC statuses. For example, it will also include the proof of non-existance of a parent DS for INSECURE answers. But also for BOGUS answers, just like with all DNSSEC statuses, everything needed to reassess that DNSSEC status will be included.

The dnssec_return_validation_chain extension will now also try to return a single RRSIG RR per RRset; The one that was used to validate that RRset. This to maximally assist in reassessing the DNSSEC status with the "validation_chain" as support records.

The latest improved behaviour can be viewed live on the "Do a query" page of our website:

Complementary to this improvement, the getdns_validate_dnssec() function can now also assess DNSSEC status for RRsets without signatures and even empty replies when given such "validation_chain" as the support_records. The function can now also validate complete replies, taking into account everything that affects the validation process, such as (but not limited to) NSEC3 opt-out evaluation and handling of by DNAME synthesized CNAMEs.

* 2015-07-17: Version 0.3.0
  * Unit test for spurious execute bits.  Thanks Paul Wouters.
  * Added new transport list options in API. The option is now an ordered
  * Added new context setting for idle_timeout
  * CSYNC RR type
  * EDNS0 COOKIE option code set to 10
  * dnssec_return_validation_chain for negative and insecure responses.
  * dnssec_return_validation_chain return a single RRSIG on each RRSET
    (whenever possible)
  * getdns_validate_dnssec() accept replies from the replies_tree
  * getdns_validate_dnssec() asses negative and insecure responses.
  * Native stub dnssec validation
  * Implemented getdns_context_set_dnssec_trust_anchors()
  * Switch freely between stub and recursive mode
  * getdns_query -k shows default trust anchors
  * functions and defines to get library and API versions in string
    and numeric values: getdns_get_version(), getdns_get_version_number(),
    getdns_get_api_version() and getdns_get_api_version_number()