[getdns-api] getdns-1.4.2 released
Willem Toorop
willem at nlnetlabs.nl
Fri May 11 13:40:20 CEST 2018
Dear all,

I am pleased to announce the new bugfix release, version 1.4.2 of getdns.

The two major bugfixes are:

* DNSSEC Denial of Existence validation at NSEC wildcards, which was
  broken since 1.4.0.
* Null termination of strings in configuration dictionaries. This in
  particular affected Stubby configurations with settings for
  trust_anchors_url, trust_anchors_verify_CA,
  trust_anchors_verify_email, appdata_dir, resolvconf, hosts,
  tls_ca_path, tls_ca_file, tls_cipher_list and tls_curves_list.
  If you use Stubby and had one of these configured, but they did not
  affect Stubby operation as expected, retry with this release
  candidate to see if it resolves the issue.

DNSSEC validation in stub mode has been improved and should be possible
more often now (also with badly behaving authoritatives), because it is
now partly traced from the root up.

A few more issues are resolved with this release.
For a complete overview see the ChangeLog below.

This release has Stubby release 0.2.3 included, with:

* An updated stubby.yml file
  (Watch out! The entries for securedns.eu have changed!)
* Better recommendations for running Stubby with systemd
* No pass through of EDNS0 options that were handled by underlying
  getdns

link : https://getdnsapi.net/dist/getdns-1.4.2.tar.gz
pgp : https://getdnsapi.net/dist/getdns-1.4.2.tar.gz.asc
sha256: 1685b82dfe297cffc4bae08a773cdc88a3edf9a4e5a1ea27d8764bb5affc0e80
ChangeLog
=========
* 2018-05-11: Version 1.4.2
  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
    in the Windows root CA store.
  * PR #397: No TCP sendto without TCP_FASTOPEN
    Thanks Emery Hemingway
  * Bugfix getdnsapi/stubby#106: Core dump when printing certain
    configuration. Thanks Han Vinke
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
    up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
    Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
    string bindata's. Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
    handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
    or higher. Thanks mire3212

Stubby ChangeLog
================
* 2018-05-11: Version 0.2.3
  * Bugfix #62 and #106: With systemd setups, make /run/stubby directory
    writeable for stubby user and include a "appdata_dir" directory
    in stubby.yml.example.
    Thanks Paul Wouters, eccgecko and Han Vinke
  * Update securedns.eu entries in stubby.yml.example
  * Added Cloudflare servers in stubby.yml.example
  * Added basic upstart script in contrib/upstart dir. Thanks vapniks
  * Bugfix #98: EDNS options that are handled internally should not
    be passed on through downstream. Thanks Twisteroid Ambassador
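
The ChangeLog entry "Don't assume trailing zero with string bindata's" is about length-counted values being handed to code that expects a C string. The following is an added illustration of a bounded conversion, not code from getdns or from this announcement; `struct bindata` and `bindata_to_str` are hypothetical names, and rejecting embedded NUL bytes is an assumption made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-counted config value: bytes plus an
 * explicit size, with no guarantee that a '\0' follows the last byte. */
struct bindata {
    size_t   size;
    uint8_t *data;
};

/* Bounded conversion: reads at most b->size bytes and always terminates,
 * unlike passing b->data straight to strlen() or fopen(), which assumes a
 * trailing zero. Returns a malloc'd string, or NULL on bad input or
 * allocation failure. */
char *bindata_to_str(const struct bindata *b)
{
    size_t len;
    char *s;

    if (b == NULL || (b->data == NULL && b->size > 0))
        return NULL;
    len = b->size;
    if (len > 0 && b->data[len - 1] == '\0')
        len--;                      /* value already carries its terminator */
    if (len > 0 && memchr(b->data, '\0', len) != NULL)
        return NULL;                /* embedded NUL would truncate a path */
    if ((s = malloc(len + 1)) == NULL)
        return NULL;
    if (len > 0)
        memcpy(s, b->data, len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    /* Constructed sample: 9 bytes, deliberately without a terminator. */
    uint8_t raw[] = { '/', 'e', 't', 'c', '/', 's', 's', 'l', '/' };
    struct bindata v = { sizeof raw, raw };
    char *s = bindata_to_str(&v);

    printf("%s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```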