We have a fast-track single bugfix release of getdns: version 0.3.3.
The native DNSSEC validation, which is part of getdns since version 0.3.0, failed to validate direct CNAME queries. This affected direct CNAME queries only. Queries that have CNAME redirections included are not affected. Also the (default) RECURSING resolution mode is not affected, except when used in combination with the dnssec_return_validation_chain extension.
When a query is done for a valid CNAME in either STUB resolution mode or with the dnssec_return_validation_chain extension, with getdns version 0.3.0, 0.3.1 or 0.3.2, the returned dnssec_status will be GETDNS_DNSSEC_BOGUS always.
This release has this issue resolved. A patch for getdns version 0.3.0, 0.3.1 and 0.3.2 is provided here: https://getdnsapi.net/patches/dnssec-cname-query-validation.patch
Because of the smallness of the change, we've decided to bypass a release candidate and do the release immediately.
* 2015-09-09: Version 0.3.3 * Fix clearing upstream events on shutdown * Fix dnssec validation of direct CNAME queries. Thanks Simson L. Garfinkel. * Fix get_api_information():version_string also for release candidates