[getdns-api] getdns 0.3.0 released

Willem Toorop willem at nlnetlabs.nl
Fri Jul 17 19:02:33 CEST 2015


Dear All,

I am pleased to announce the special IETF93 edition release:
version 0.3.0 of our getdns API implementation.

Besides bugfixes and DNS parameter updates, this release follows the
July 2015 version of the API specification, which has a new function
to set a list of transports:  getdns_context_set_dns_transport_list().

If only one transport value is specified, it will be the only
transport used.  Should it not be available, basic resolution will
fail.  Fallback transport options are specified by including multiple
values in the list.  The values are GETDNS_TRANSPORT_UDP,
GETDNS_TRANSPORT_TCP, GETDNS_TRANSPORT_TLS, or
GETDNS_TRANSPORT_STARTTLS.  The default is a list containing
GETDNS_TRANSPORT_UDP then GETDNS_TRANSPORT_TCP.

Connections for transport options TCP, TLS and STARTTLS will now
always be kept open and multiple queries will be pipelined over them.
We have a new API function, getdns_context_set_idle_timeout(), with
which you can specify how long a connection is kept open when there
are no pending queries.  The default is 0 milliseconds.

Besides the transports list, this release has improved DNSSEC support.
Before, with stub resolution, libunbound was still used (in forwarding
mode) when one of the DNSSEC extensions was set.  This release has
native stub DNSSEC validation on board, so all DNSSEC extensions can
now be combined with all features available with stub resolution mode,
such as the new transport options, cookies and fine-grained control
over EDNS0 options.

In the process of realising native stub validation, both the
dnssec_return_validation_chain extension and the
getdns_validate_dnssec() function have been thoroughly improved.

Before, the dnssec_return_validation_chain extension only returned the
chain of DS/DNSKEYs starting at the signer's name of signatures.  Now,
the extension will return support records needed to assess all DNSSEC
statuses.  For example, it will also include the proof of
non-existence of a parent DS for INSECURE answers.  But also for BOGUS
answers, just like with all DNSSEC statuses, everything needed to
reassess that DNSSEC status will be included.

The dnssec_return_validation_chain extension will now also try to
return a single RRSIG RR per RRset: the one that was used to validate
that RRset.  This is to maximally assist in reassessing the DNSSEC status
with the "validation_chain" as support records.

The latest improved behaviour can be viewed live on the "Do a query"
page of our website: https://getdnsapi.net/query.html

Complementary to this improvement, the getdns_validate_dnssec()
function can now also assess DNSSEC status for RRsets without
signatures and even empty replies when given such "validation_chain"
as the support_records.  The function can now also validate complete
replies, taking into account everything that affects the validation
process, such as (but not limited to) NSEC3 opt-out evaluation and
handling of CNAMEs synthesized by DNAME.


link   : https://getdnsapi.net/dist/getdns-0.3.0.tar.gz
md5    : 8f1e6b3bf6489d7e49fd1d18366a5ece
sha1   : 84e4a8c21ede346d8fcf3e73860679dd87c8e65f
pgp sig: https://getdnsapi.net/dist/getdns-0.3.0.tar.gz.asc


ChangeLog
=========
* 2015-07-17: Version 0.3.0
  * Unit test for spurious execute bits.  Thanks Paul Wouters.
  * Added new transport list options in API. The option is now an
    ordered list of GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP,
    GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_STARTTLS.
  * Added new context setting for idle_timeout
  * CSYNC RR type
  * EDNS0 COOKIE option code set to 10
  * dnssec_return_validation_chain for negative and insecure responses.
  * dnssec_return_validation_chain return a single RRSIG on each RRSET
    (whenever possible)
  * getdns_validate_dnssec() accept replies from the replies_tree
  * getdns_validate_dnssec() assess negative and insecure responses.
  * Native stub dnssec validation
  * Implemented getdns_context_set_dnssec_trust_anchors()
  * Switch freely between stub and recursive mode
  * getdns_query -k shows default trust anchors
  * functions and defines to get library and API versions in string and
    numeric values: getdns_get_version(), getdns_get_version_number(),
    getdns_get_api_version() and getdns_get_api_version_number()
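Checking a downloaded tarball against the md5, sha1 and detached PGP signature listed in the announcement above, as an added example that is not part of the original message or of the getdns project's code. It assumes GNU coreutils (`sha1sum`, `md5sum`) and `gpg` with the release signing key already imported; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify getdns-0.3.0.tar.gz against the values published in
# the announcement. Function names are hypothetical, not part of getdns.

# Digests copied from the announcement.
EXPECTED_SHA1=84e4a8c21ede346d8fcf3e73860679dd87c8e65f
EXPECTED_MD5=8f1e6b3bf6489d7e49fd1d18366a5ece

# digest_of ALGO FILE: print the lowercase hex digest of FILE.
digest_of() {
    case "$1" in
        sha1) tool=sha1sum ;;
        md5)  tool=md5sum ;;
        *)    return 2 ;;            # unknown algorithm
    esac
    "$tool" "$2" | awk '{ print tolower($1) }'
}

# check_digest ALGO EXPECTED FILE: succeed only if FILE exists and matches.
# A missing file or an empty digest counts as a failure (fail closed).
check_digest() {
    [ -f "$3" ] || return 1
    actual=$(digest_of "$1" "$3")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_release TARBALL [SIGNATURE]: succeed only if every check passes.
verify_release() {
    check_digest sha1 "$EXPECTED_SHA1" "$1" || { echo "sha1 mismatch" >&2; return 1; }
    check_digest md5  "$EXPECTED_MD5"  "$1" || { echo "md5 mismatch" >&2; return 1; }
    # The detached signature is checked only when a .asc file is supplied;
    # gpg must already hold the signer's public key (assumption).
    if [ -n "$2" ]; then
        gpg --verify "$2" "$1" || { echo "bad signature" >&2; return 1; }
    fi
}

# Usage: sh verify.sh getdns-0.3.0.tar.gz [getdns-0.3.0.tar.gz.asc]
[ $# -eq 0 ] || verify_release "$@"
```

The two digests only show that the file matches what the announcement describes; the signature check is what ties the tarball to the signer's key.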