* 2019-04-03: Version 1.5.2
  * PR #424: Two small trust anchor fetcher fixes
    Thanks Maciej S. Szmigiero
  * Issue #422: Enable server side and update client side TCP Fast
    Open implementation. Thanks Craig Andrews
  * Issue #423: Fix insecure delegation detection while scheduling.
    Thanks Charles Milette
  * Issue #419: Escape backslashes when printing in JSON format.
    Thanks boB Rudis
  * Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
    option to configure. libcrypto (from OpenSSL) still needed
    for Zero configuration DNSSEC.
  * DOA rr-type
  * AMTRELAY rr-type

* 2019-01-11: Version 1.5.1
  * Introduce proof of concept GnuTLS implementation. Incomplete support
    for Trust Anchor validation. Requires GnuTLS DANE library. Currently
    untested with GnuTLS prior to 3.5.19, so configure demands a minimum
    version of 3.5.0.
  * Be consistent and always fail connection setup if setting ciphers/curves/
    TLS version/cipher suites fails.
  * Refactor OpenSSL usage into modules under src/openssl.
    Drop support for LibreSSL and versions of OpenSSL prior to 1.0.2.
  * PR #414: remove TLS13 ciphers from cipher_list, but
    only when SSL_CTX_set_ciphersuites is available.
    Thanks Bruno Pagani
  * Issue #415: Filter out #defines etc. when creating
    symbols file. Thanks Zero King

* 2018-12-21: Version 1.5.0
  * RFE getdnsapi/stubby#121 log re-instantiating TLS
    upstreams (because they reached tls_backoff_time) at
    log level 4 (WARNING)
  * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name
    without a type is given.
  * RFE #408: Fetching of trust anchors will be retried
    after failure, after a certain backoff time. The time
    can be configured with
    getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC
    verification.
    When this extension is set, Indeterminate
    DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when
    trust anchor proves non-existence of one of the labels
    along the authentication chain other than the
    non-existence of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
    Configurable minimum and maximum TLS versions with
    getdns_context_set_tls_min_version() and
    getdns_context_set_tls_max_version() functions and
    tls_min_version and tls_max_version configuration parameters
    for upstreams.
  * Configurable TLS1.3 ciphersuites with the
    getdns_context_set_tls_ciphersuites() function and
    tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and
    tls_curve_list
  * Bugfix finding signer for validating NSEC and NSEC3s, which
    caused trouble with the partly tracing DNSSEC from the root
    up, introduced in 1.4.2. Thanks Philip Homburg

* 2018-05-11: Version 1.4.2
  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
    in the Windows root CA store.
  * PR #397: No TCP sendto without TCP_FASTOPEN
    Thanks Emery Hemingway
  * Bugfix getdnsapi/stubby#106: Core dump when printing certain
    configuration. Thanks Han Vinke
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
    up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
    Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
    string bindata's. Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
    handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
    or higher.
    Thanks mire3212

* 2018-03-12: Version 1.4.1
  * Bugfix #388: Prevent fallback to an earlier tried upstream within a
    single query. Thanks Robert Groenenberg
  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
    Thanks Rosen Penev
  * PR #386: UDP failover improvements:
    - When all UDP upstreams fail, retry them (more or less) equally
    - Limit maximum UDP backoff (default to 1000)
      This is configurable with the --with-max-udp-backoff configure
      option.
    Thanks Robert Groenenberg
  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
    Thanks Elmer Lastdrager
  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
    Thanks hanvinke
  * PR #384: Fix minor spelling and formatting. Thanks dkg.
  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon

* 2018-02-21: Version 1.4.0
  * .so revision bump to please fedora packaging system.
    Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list()
    An upstream specific list of supported curves may also be given
    with the tls_curves_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive
    resolver's capabilities.
  * Improved handling of opportunistic back-off. If other transports
    are working, don’t forcibly promote failed upstreams, just wait for
    the re-try timer.
  * Hostname authentication with libressl
    Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105. Although getdns was
    not vulnerable for this specific issue, as a precaution code has been
    adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
    be wildcard expansions when used with DNSSEC proofs. Only direct
    queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscellaneous double free or corruption, and corrupted
    memory double linked list detected issue, with serving functionality.
    Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinset's
    with OpenSSL native DANE functions for OpenSSL >= 1.1.0
    with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
    don't allow for authentication exceptions (like self-signed
    certificates) otherwise. Thanks Viktor Dukhovni
  * libidn2 support. Thanks Paul Wouters

* 2017-12-21: Version 1.3.0
  * Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
    Thanks Tim Rühsen and Konomi Kitten
  * Specify default available cipher suites for authenticated TLS
    upstreams with getdns_context_set_tls_ciphers_list()
    An upstream specific available cipher suite may also be given
    with the tls_cipher_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
    Thanks Pascal Ernster
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
    context configured upstreams. Thanks Andreas Schulze
  * Report default extension settings with
    getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes
    are located: getdns_context_set_tls_ca_path()
                 getdns_context_set_tls_ca_file()
  * getdns_context_set_resolvconf() function to initialize a context
    upstreams and suffixes with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize
    the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's
    LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to initialize
    the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time
    when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza & Andreas Schulze
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
    validation. Thanks Bruno Pagani

* 2017-11-11: Version 1.2.1
  * Handle more I/O error cases. Also, when an I/O error does occur,
    never stop listening (with servers), and
    never exit (when running the built-in event loop).
  * Bugfix: Tolerate unsigned and unused RRsets in the authority section.
    Fixes DNSSEC with BIND upstream.
  * Bugfix: DNSSEC validation without support records
  * Bugfix: Validation of full recursive DNSKEY lookups
  * Bugfix: Retry to validate full recursion BOGUS replies with zero
    configuration DNSSEC only when DNSSEC was actually requested
  * Bugfix #348: Fix a linking issue in stubby when libbsd is present
    Thanks Remi Gacogne
  * More robust scheduling; Eliminating a segfault with long running
    applications.
  * Miscellaneous Windows portability fixes from Jim Hague.
  * Fix Makefile dependencies for parallel install.
    Thanks ilovezfs

* 2017-09-29: Version 1.2.0
  * Bugfix of rc1: authentication of first query with TLS
    Thanks Travis Burtrum
  * A function to set the location for library specific data,
    like trust-anchors: getdns_context_set_appdata().
  * Zero configuration DNSSEC - build upon the scheme
    described in RFC7958. The URL from which to fetch
    the trust anchor, the verification CA and email
    can be set with the new getdns_context_set_trust_anchor_url(),
    getdns_context_set_trust_anchor_verify_CA() and
    getdns_context_set_trust_anchor_verify_email() functions.
    The default values are to fetch from IANA and to validate
    with the ICANN CA.
  * Update of Stubby with yaml configuration file and
    logging from a certain severity support.
  * Fix tpkg exit status on test failure. Thanks Jim Hague.
  * Refined logging levels for upstream statistics
  * Reuse (best behaving) backed-off TLS upstreams when none are usable.
  * Let TLS upstreams back-off an incremental amount of time.
    Back-off time starts with 1 second and is doubled each failure, but
    will not exceed the time given by getdns_context_set_tls_backoff_time()
  * Make TLS upstream management more resilient to temporary outages
    (like laptop sleeps)

* 2017-09-04: Version 1.1.3
  * Small bugfixes that came out of static analysis
  * No annotations with the output of getdns_query anymore,
    unless -V option is given to increase verbosity
    Thanks Ollivier Robert
  * getdns_query will now exit with failure status if replies are BOGUS
  * Bugfix: dnssec_return_validation_chain now also works when fallback
    to full recursion was needed with dnssec_roadblock_avoidance
  * More clear build instructions from Paul Hoffman. Thanks.
  * Bugfix #320.1: Eliminate multiple closing of file descriptors
    Thanks Neil Cook
  * Bugfix #320.2: Array bounds bug in upstream_select
    Thanks Neil Cook
  * Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki
    pages. Thanks James Raftery
  * Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface
    but does not have it implemented. Thanks Joel Purra
  * Compile without Stubby by default. Stubby now has a git repository
    of its own. The new Stubby repository is added as a submodule.
    Stubby will still be built alongside getdns with the --with-stubby
    configure option.

* 2017-07-03: Version 1.1.2
  * Bugfix for parallel make install
  * Bugfix to trigger event callbacks on socket errors
  * A getdns_context_set_logfunc() function with which one may
    register a callback log function for certain library subsystems
    at certain levels. Currently this can only be used for
    upstream statistics subsystem.

* 2017-06-15: Version 1.1.1
  * Bugfix #306 hanging/segfaulting on certain (IPv6) upstream failures
  * Spelling fix s/receive/receive. Thanks Andreas Schulze.
  * Added stubby-setdns-macos.sh script to support Homebrew formula
  * Include stubby.conf in the distribution tarball
  * Bugfix #286 reschedule reused listening addresses
  * Bugfix #166 Allow parallel builds and unit-tests
  * NSAP-PTR, EID and NIMLOC, TALINK, AVC support
  * Bugfix of TA RR type
  * OPENPGPKEY and SMIMEA support
  * Bugfix TAG rdata type presentation format for CAA RR type
  * Bugfix Zero sized gateways with IPSECKEY gateway_type 0
  * Guidance for integration with systemd
  * Also check for memory leaks with advanced server capabilities.
  * Bugfix convert IP string to IP dict with getdns_str2dict() directly.

* 2017-04-13: Version 1.1.0
  * bugfix: Check size of tls_auth_name.
  * Improvements that came from Visual Studio static analysis
  * Fix to compile with libressl. Thanks phicoh.
  * Spelling fixes. Thanks Andreas Schulze.
  * bugfix: Reschedule request timeout when getting the DNSSEC chain.
  * getdns_context_unset_edns_maximum_udp_payload_size() to reset
    to default IPv4/IPv6 dependent edns max udp payload size.
  * Implement sensible default edns0 padding policy. Thanks DKG.
  * Keep connections open with sync requests too.
  * Fix of event loops so they do not give up with naked timers with
    windows. Thanks Christian Huitema.
  * Include peer certificate with DNS-over-TLS in combination with
    the return_call_reporting extension.
  * More fine grained control over TLS upstream retry and back off
    behaviour with getdns_context_set_tls_backoff_time() and
    getdns_context_set_tls_connection_retries().
  * New round robin over the available upstreams feature.
    Enable with getdns_context_set_round_robin_upstreams()
  * Bugfix: Queue requests when no sockets available for outgoing queries.
  * Obey the outstanding query limit with STUB resolution mode too.
  * Updated stubby config file
  * Draft MDNS client implementation by Christian Huitema.
    Enable with --enable-draft-mdns-support to configure
  * bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
    By moving default eventloop from select to poll
    Thanks Neil Cook
  * bugfix: authentication failure for self signed cert + only pinset
  * bugfix: issue with session re-use making authentication appear to fail

* 2017-01-13: Version 1.0.0
  * edns0_cookies extension enabled by default (per RFC7873)
  * dnssec_roadblock_avoidance enabled by default (per RFC8027)
  * bugfix: DSA support with OpenSSL 1.1.0
  * Initialize OpenSSL just once in a thread safe way
  * Thread safety with arc4random function
  * Improvements that came from Visual Studio static analysis
    Thanks Christian Huitema
  * Conventional RFC3986 IPv6 [address]:port parsing from getdns_query
  * bugfix: OpenSSL 1.1.0 style crypto locking
    Thanks volkommenheit
  * configure tells *which* dependency is missing
  * bugfix: Exclude terminating '\0' from bindata's returned by
    getdns_get_suffix(). Thanks Jim Hague
  * Better README.md.
    Thanks Andrew Sullivan

* 2016-10-19: Version 1.1.0-a2
  * Improved TLS connection management
  * OpenSSL 1.1 support
  * Stubby, Server version of getdns_query that by default listens
    on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
    and $HOME/.stubby.conf

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

* 2016-07-14: Version 1.0.0b2
  * Collect coverage information from the unit tests
    Thanks Shane Kerr
  * pkg-config for the getdns_ext_event library
    Thanks Tom Pusateri
  * Bugfix: Multiple requests on the same upstream with a transport
    that keeps connections open in synchronous stub mode.
  * Canonicalized DNSSEC chain with dnssec_return_validation_chain
    (when validated)
  * A dnssec_return_full_validation_chain extension which includes
    then validated resource records.
  * Bugfix: Callbacks fired while scheduling (answer from cache)
    with the unbound pluggable event API
  * header extension to set opcode and flags in stub mode
  * Unit tests that cover more code
  * Static checking with the clang analyzer
  * getdns_pretty_print_dict prints dname's as primitives
  * Accept just bindata's instead of address dicts.
    Allow missing "address_type" in address dicts.
  * TLS session resumption
  * -C <config file> option to getdns_query to configure context
    from a json like formatted file. The output of -i (print API
    information) can be used as config file directly.
    Settings may also be given in this format as arguments of
    the getdns_query command directly.
  * DNS server mode for getdns_query. Enable by providing addresses
    to listen on, either by giving "-z <listen address>" options or by
    providing "listen_addresses" in the config file or settings.
  * Bugfixes from deckard testing: CNAME loop protection.
  * "srv_addresses" in response dict with getdns_service()
  * use libbsd when available
    Thanks Guillem Jover
  * Bugfix: DNSSEC wildcard validation issue
  * Bugfix: TLS timeouts not re-using a connection
  * A getdns_context_get_eventloop(), to get the current
    (pluggable) eventloop from context
  * getdns_query now uses the default event loop (instead of custom)
  * Return call_reporting info in case of timeout
    Thanks Robert Groenenberg
  * Bugfix: Build fails with autoconf 2.63, works with 2.68.
    Thanks Robert Groenenberg
  * Doxygen output for getdns.h and getdns_extra.h only
  * Do not call SSL_library_init() from getdns_context_create() when
    the second bit from the set_from_os parameter is set.

* 2016-03-31: Version 1.0.0b1
  * openssl 1.1.0 support
  * GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
  * getdns_context_set_follow_redirects()
  * Read suffix list from registry on Windows
  * A dnssec_return_all_statuses extension
  * Set root servers without temporary file (libunbound >= 1.5.8 needed)
  * Eliminate unit test's ldns dependency
  * pkts wireformat <-> getdns_dict <-> string
    conversion functions
  * Eliminate all side effects when doing sync requests
    (libunbound >= 1.5.9 needed)
  * Bugfix: Load gost algorithm if digest is seen before key algorithm
    Thanks Jelte Janssen
  * Bugfix: Respect DNSSEC skew.
  * Offline dnssec validation for any given point in time
  * Correct return value in documentation for getdns_pretty_print_dict().
    Thanks Linus Nordberg
  * Bugfix: Don't treat "domain" or "search" as a nameserver.
    Thanks Linus Nordberg
  * Use the default CA trust store on Windows (for DNS over TLS).
  * Propagate eventloop to unbound when unbound has pluggable event loops
    (libunbound >= 1.5.9 needed)
  * Replace mini_event extension by default_eventloop
  * Bugfix: Segfault on NULL pin
  * Bugfix: Correct output of get_api_settings
  * Bugfix: Memory leak with getdns_get_api_information()
    Thanks Robert Groenenberg.

* 2015-12-31: Version 0.9.0
  * Update of unofficial extension to the API that supports stub mode
    TLS verification. GETDNS_AUTHENTICATION_HOSTNAME is replaced by
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias).
    Upstreams can now be configured with either a hostname or a SPKI pinset
    for TLS authentication (or both). If the GETDNS_AUTHENTICATION_REQUIRED
    option is used at least one piece of authentication information must be
    configured for each upstream, and all the configured authentication
    information for an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support. Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa. Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the with the getdns_context_set_dns_root_servers() function
    provided root servers in recursing resolution modus.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
    dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support + getdns_query syntax to specify TSIG parameters
    per upstream: @<ip>[^[<algorithm>:]<name>:<secret in Base64>]
  * Bugfix: Allow truncated answers to be returned in case of missing
    fallback transport.
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.
    Thanks Gowri Visweswaran
  * add_warning_for_bad_dns extension
  * Try and retry with suffixes given with getdns_context_set_suffix()
    following directions given by getdns_context_set_append_name()
    getdns_query options to set suffixes and append_name directions:
      '-W' to append suffix always (default)
      '-1' to append suffix only to single label after failure
      '-M' to append suffix only to multi label name after failure
      '-N' to never append a suffix
      '-Z <suffixes>' to set suffixes with the given comma separated list
  * Better help text for getdns_query (printed with the '-h' option)
  * Setting the +specify_class extension with getdns_query
  * Return NOT_IMPLEMENTED for not implemented namespaces, and the
    not implemented getdns_context_set_follow_redirects() function.

* 2015-11-18: Version 0.5.1
  * Bugfix: growing upstreams arrow.
  * Bugfix: Segfault on timeout in specific conditions
  * Bugfix: install getdns_extra.h from build location
  * Bugfix: Don't let cookies overwrite existing EDNS0 options
  * Don't link libdl
  * The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
    When using DNS over TLS, query sizes will be padded to multiples
    of a block size given with:
    getdns_context_set_tls_query_padding_blocksize()
  * An EDNS client subnet private option, that will ask a EDNS client
    subnet aware resolver to not reveal any details about the
    originating network. See: draft-ietf-dnsop-edns-client-subnet
    Set with: getdns_context_set_edns_client_subnet_private()
  * The return_call_debugging extension. The extension will also return
    the transport used on top of the information about the request which
    is described in the API spec.
  * A dnssec_roadblock_avoidance extension. When set, the library will
    work in stub resolution mode and try to get a by DNSSEC validation
    assessed answer. On BOGUS answers the library will retry recursive
    resolution mode.
    This is the simplest form of passive roadblock
    detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
    Use the --enable-draft-dnssec-roadblock-avoidance option to configure
    to compile with this extension.

* 2015-10-29: Version 0.5.0
  * Native crypto. No ldns dependency anymore.
    (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_*
    to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned
    DS answers close to the root. Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification to be
    required for stub mode when using only TLS as a transport.
    When required a hostname must be supplied in the
    'hostname' field of the upstream_list dict and the TLS cipher suites are
    restricted to the 4 AEAD suites recommended in RFC7525.

* 2015-09-09: Version 0.3.3
  * Fix clearing upstream events on shutdown
  * Fix dnssec validation of direct CNAME queries.
    Thanks Simson L. Garfinkel.
  * Fix get_api_information():version_string also for release candidates

* 2015-09-04: Version 0.3.2
  * Fix returned upstreams list by getdns_context_get_api_information()
  * Fix some autoconf issues when srcdir != builddir
  * Fix remove build date from manpage version for reproducible builds
  * Fix transport fallback issues plus transport fallback unit test script
  * Fix string bindata's need not contain trailing zero byte
  * --enable-stub-only configure option for stub only operation.
    Stub mode will be the default. Removes the dependency on libunbound
  * --with-getdns_query compiles and installs the getdns_query tool too
  * Fix assert on context destruction from a callback in stub mode too.
  * Use a thread instead of a process for running the unbound event loop.

* 2015-07-18: Version 0.3.1
  * Fix repeating rdata fields

* 2015-07-17: Version 0.3.0
  * Unit test for spurious execute bits. Thanks Paul Wouters.
  * Added new transport list options in API. The option is now an ordered
    list of GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP,
    GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_STARTTLS.
  * Added new context setting for idle_timeout
  * CSYNC RR type
  * EDNS0 COOKIE option code set to 10
  * dnssec_return_validation_chain for negative and insecure responses.
  * dnssec_return_validation_chain return a single RRSIG on each RRSET
    (whenever possible)
  * getdns_validate_dnssec() accept replies from the replies_tree
  * getdns_validate_dnssec() assess negative and insecure responses.
  * Native stub dnssec validation
  * Implemented getdns_context_set_dnssec_trust_anchors()
  * Switch freely between stub and recursive mode
  * getdns_query -k shows default trust anchors
  * functions and defines to get library and API versions in string
    and numeric values: getdns_get_version(), getdns_get_version_number(),
    getdns_get_api_version() and getdns_get_api_version_number()

* 2015-05-21: Version 0.2.0
  * Fix libversion numbering: Thanks Daniel Kahn Gillmor
  * run_once method for the libevent extension
  * autoreconf -fi on FreeBSD always, because of newer libtool version
    suitable for FreeBSD installs too. Thanks Robert Edmonds
  * True asynchronous processing of the new TLS transport options
  * GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
    transport option.
  * Manpage fixes: Thanks Anthony Kirby

* 2015-04-19: Version 0.1.8
  * The GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN and
    GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
    DNS over TLS transport options.

* 2015-04-08: Version 0.1.7
  * Individual getter functions for context settings
  * Fix: --with-current-date function to make build deterministically
    reproducible (i.e. the GETDNS_COMPILATION_COMMENT define from
    getdns.h contains a date value). Thanks Ondřej Surý
  * Fix: Include m4 dir in distribution tarball
  * Fix: Link build requirements in tests too. Thanks Ondřej Surý
  * Fix: Remove executable flags on source files. Thanks Paul Wouters
  * Fix: Return "just_address_answers" only when queried for addresses
  * Eliminate ldns intermediate wireformat parsing
  * The CSYNC RR type
  * Fix: canonical_name in response dict returns the canonical name
    found after following all CNAMEs
  * Implementation of the section 6 and 7 version of
    draft-ietf-dnsop-cookies-01.txt for stub resolution. Enable with the
    --enable-draft-edns-cookies option to configure. Use it by setting the
    edns_cookies extension to GETDNS_EXTENSION_TRUE.
  * Pretty printing of lists with:
      char *getdns_pretty_print_list(getdns_list *list)
  * Output to json format with:
      char * getdns_print_json_dict(const getdns_dict *some_dict, int pretty);
      char * getdns_print_json_list(const getdns_list *some_list, int pretty);
  * snprintf style versions of the dict, list and json print functions.
  * Better random number generation with OpenBSD's arc4random
  * Let getdns_address schedule the AAAA query first. This results in AAAA
    being the first in the just_address_answers sections of the response dict.
  * New context update callback function to also return a user given argument
    along with the context and which item was changed.
    Thanks Scott Hollenbeck.
  * Demotivate use of getdns_strerror and expose getdns_get_errorstr_by_id.
    Thanks Scott Hollenbeck.
  * A getter for context update callback, to allow for chaining update
    callbacks.

* 2015-01-16: Version 0.1.6
  * Fix: linking against libev on FreeBSD
  * Fix: Let configure report problem on FreeBSD when configuring with
    libevent and libunbound <= 1.4.22 is not compiled with libevent.
  * Fix: Build on Mac OS-X
  * Fix: Lintian errors in manpages
  * Better libcheck detection
  * Better portability with UNIX systems

* 2014-10-31: Version 0.1.5
  * Unit tests for transport settings
  * Fix: adhere to set maximum UDP payload size
  * API change: when no maximum UDP payload size is set, outgoing
    values will adhere to the suggestions in RFC 6891 and may follow
    a scheme that uses multiple values to maximize receptivity.
  * Stub mode use 1232 maximum UDP payload size when connecting to an
    IPv6 upstreams and 1432 with an IPv4 upstream.
  * Evaluate namespaces (or not) on a per query basis
  * GETDNS_NAMESPACE_LOCALNAMES namespace now gives just_address_answers
    only and does not mimic a DNS packet answer anymore
  * The add_opt_parameters extension
  * IPv6 scope_id support with link-local addresses. Both with parsing
    /etc/resolv.conf and by providing them explicitly via
    getdns_context_set_upstream_recursive_servers
  * Query for A and AAAA simultaneously with return_both_v4_and_v6
  * GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN DNS transport
  * Fix: Answers without RRs in query section (i.e. REFUSED)
  * Fix: Return empty response dict on timeout in async mode too
  * Move spec examples to spec subdirectory
  * Fix issue#76: Setting UDP Payload size below 512 should not error
  * Fix: Include OPT RR in response dict always (even without options)
  * TCP Fast open support (linux only).
    Enable with the --enable-tcp-fastopen configure option
  * Bump library version because of binary API change

* 2014-09-03: Version 0.1.4
  * Synchronous resolves now respect timeout setting,
  * On timeout *_sync functions now return GETDNS_RETURN_GOOD and a
    response dict with "status" GETDNS_RESPSTATUS_ALL_TIMEOUT.
  * Fix issue#50: getdns_dict_remove_name returns GETDNS_RETURN_GOOD on
    success.
  * Fix Issue#54: set_ub_dns_transport() not working
  * Fix Issue#49: Typo in documentation (thanks Stephane Bortzmeyer)
  * getdns_context_set_limit_outstanding_queries(),
    getdns_context_set_dnssec_allowed_skew() and
    getdns_context_set_edns_maximum_udp_payload_size() now working
  * <rr>_unknown rdata field for unknown or unsupported RR types
  * Temporarily disable timeout unit test 3 because of unpredictable results
  * Spec updated to version 0.507
  * Renamed "resolver_type" to "resolution_type" in dict returned from
    getdns_context_get_api_information()
  * Added GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS return code for with the
    dnssec_return_only_secure extension
  * Added support for CDS and CDNSKEY RR types, but needs ldns > 1.6.17 to
    be able to parse the wire format (not released yet at time of writing)
  * Added OPENPGPKEY RR type, but no rdata fields implementation yet
  * Updated spec to version 0.508 (September 2014)
  * Also chase NSEC and NSEC3 RRSIGs with dnssec_return_validation_chain

* 2014-06-25: Version 0.1.3
  * libtool change, remove -release, added -version-info
  * Update specification to the June 2014 version (0.501)

* 2014-06-02: Version 0.1.2
  * Fixed rdata fields for MX
  * Expose only public API symbols
  * Updated manpages
  * specify_class extension
  * Build from separate build directory
  * Anticipate libunbound not returning the answer packet
  * Pretty print bindata's representing IP addresses
  * Anticipate absence of implicit DSO linking
  * Mention getdns specific options to configure in INSTALL
    Thanks Paul Hoffman
  * Mac OSX package build instructions for generic user in README.md
    Thanks Joel Purra
  * Fixed build problems on RHEL/CentOS due to using libevent 1.x

* 2014-03-24: Version 0.1.1
  * default to NOT build extensions (libev, libuv, libevent), handle
    --with/--without options to configure for them
  * Fixed some build/make nits
  * respect configure --docdir=X
  * Documentation/man page updates
  * Fix install and cpp guards in getdns_extra.h
  * Add method to switch between threads and fork mode for unbound
  * Fixes for libuv integration (saghul)
  * Fixes for calling getdns_destroy_context within a callback
  * Fixed signal related defines/decls

* 2014-02-25: Version 0.1.0
  * Initial public release of the getdns API