From he at uninett.no Mon Oct 8 12:57:30 2012
From: he at uninett.no (Havard Eidnes)
Date: Mon, 08 Oct 2012 14:57:30 +0200 (CEST)
Subject: [ldns-users] drill: automatic -k with /etc/trusted-key.key?
Message-ID: <20121008.145730.226013528.he@uninett.no>

Hi,

I had occasion to start looking at "drill" again, after briefly having looked at "dig +sigchase". Dig compiled with sigchase support automatically trusts the key in /etc/trusted-key.key if it exists, so that one can avoid always needing to supply "+trusted-key=" when using dig to do DNSSEC checking.

Would it not be useful to avoid needing to specify "-k " as well for drill? The attached patch does this.

Regards,

- Håvard
-------------- next part --------------
For compatibility with dig, if neither -k nor -D is specified, read /etc/trusted-key.key if it exists, and if successful, turn on DNSSEC handling.

--- drill/drill.c.orig 2012-01-20 10:18:41.000000000 +0000 +++ drill/drill.c @@ -10,6 +10,8 @@ #include "drill.h" #include +#include + #ifdef HAVE_SSL #include #endif @@ -397,6 +399,25 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; + /* + * If DNSSEC isn't enabled already, and /etc/trusted-key.key + * exists, try to read it and turn on DNSSEC handling if successful. + */ + { + struct stat sb; + + if (stat("/etc/trusted-key.key", &sb) == 0) { + if (qdnssec != true) { + status = read_key_file("/etc/trusted-key.key", key_list); + if (status != LDNS_STATUS_OK) { + error("Could not parse the key file /etc/trusted-key.key: %s", ldns_get_errorstr_by_id(status)); + } else { + qdnssec = true; /* OK key, turn on DNSSEC */ + } + } + } + } + /* do a secure trace when requested */ if (PURPOSE == DRILL_TRACE && qdnssec) { #ifdef HAVE_SSL
From he at uninett.no Mon Oct 8 13:52:47 2012
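Review bot: in the block added to main() in drill/drill.c, a key file that exists but does not parse is reported through error(), so if error() is fatal in drill, a damaged /etc/trusted-key.key stops every invocation that has not already enabled DNSSEC, including plain lookups that never asked for validation. Consider printing a warning and continuing with qdnssec left unset. The stat() call is also made before the qdnssec test and only repeats what read_key_file() will discover; testing qdnssec first and dropping the stat(), provided a missing file is treated as not an error, removes the check-then-use gap. The path is spelled out three times and would be better as a single #define, which also makes it easy to turn into a configure-time default.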
From: he at uninett.no (Havard Eidnes)
Date: Mon, 08 Oct 2012 15:52:47 +0200 (CEST)
Subject: [ldns-users] drill: automatic -k with /etc/trusted-key.key?
In-Reply-To: <20121008.145730.226013528.he@uninett.no>
References: <20121008.145730.226013528.he@uninett.no>
Message-ID: <20121008.155247.508094344.he@uninett.no>

And...

here's the corresponding man page update.

Regards,

- Håvard
-------------- next part --------------
Document the probing for /etc/trusted-key.key.

--- drill.1.orig 2010-08-06 07:09:45.000000000 +0000 +++ drill.1 @@ -161,6 +161,13 @@ given \fBdrill\fR tries to validate the key. No chasing is done. When \fBdrill\fR is doing a secure trace, this key will be used as trust anchor. Can contain a DNSKEY or a DS record. +Alternatively, if +\fB-k\fR +is not specified, and +\fI/etc/trusted-key.key\fR +exists and contains a valid DNSKEY or DS record, it will be used +as the trust anchor. + .TP \fB\-o \fImnemonic\fR Use this option to set or unset specific header bits. A bit is
From willem at nlnetlabs.nl Tue Oct 9 08:04:05 2012
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 09 Oct 2012 10:04:05 +0200
Subject: [ldns-users] drill: automatic -k with /etc/trusted-key.key?
In-Reply-To: <20121008.155247.508094344.he@uninett.no>
References: <20121008.145730.226013528.he@uninett.no> <20121008.155247.508094344.he@uninett.no>
Message-ID: <5073DA75.7070508@nlnetlabs.nl>

Hi Havard,

Good idea. Though it would be even nicer to have the key location configurable (with ${sysconfdir}/trusted-key.key as a default). I will see if I can get it in before the release candidate (which should make it shortly).

-- Willem

On 08-10-12 15:52, Havard Eidnes wrote:
> And...
>
> here's the corresponding man page update.
>
> Regards,
>
> - Håvard
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>
From bduff at ecessa.com Mon Oct 15 21:16:55 2012
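Review bot: the paragraph added to drill.1 says the file is used when -k is not specified, but the description of the companion drill.c change says it is read only when neither -k nor -D is given, and that a successful read turns on DNSSEC handling. The man page should state both conditions and the side effect, since a user with the file installed gets DNSSEC handling without asking for it, and it should say what drill does when the file exists but does not parse.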
From: bduff at ecessa.com (Bryan Duff)
Date: Mon, 15 Oct 2012 16:16:55 -0500
Subject: [ldns-users] Fwd: ldns bind to source patch
In-Reply-To: <507C42EA.7050000@ecessa.com>
References: <507C42EA.7050000@ecessa.com>
Message-ID: <507C7D47.4090508@ecessa.com>

Hrmmm... let's try the ldns mailing list.

-Bryan

-------- Original Message --------
Subject: ldns bind to source patch
Date: Mon, 15 Oct 2012 12:07:54 -0500
From: Bryan Duff
To: nsd-users at NLnetLabs.nl

This allows binding the connection (UDP only in the patch) to a source IP (with the purpose of altering routing).

Since this will cause API breakage, I suppose we'll want to alter this as a separate function call(s) in net and resolver.

This patch includes updating drill to use this.

Thanks.

-Bryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
Index: resolver.c =================================================================== --- resolver.c (revision 3757) +++ resolver.c (working copy) @@ -26,6 +26,12 @@ return r->_port; } +ldns_rdf * +ldns_resolver_source(const ldns_resolver *r) +{ + return r->_source; +} + uint16_t ldns_resolver_edns_udp_size(const ldns_resolver *r) { @@ -234,6 +240,12 @@ r->_port = p; } +void +ldns_resolver_set_source(ldns_resolver *r, ldns_rdf *s) +{ + r->_source = s; +} + ldns_rdf * ldns_resolver_pop_nameserver(ldns_resolver *r) { Index: drill/drill.c =================================================================== --- drill/drill.c (revision 3757) +++ drill/drill.c (working copy) @@ -29,6 +29,7 @@ fprintf(stream, "\n\targuments may be placed in random order\n"); fprintf(stream, "\n Options:\n"); fprintf(stream, "\t-D\t\tenable DNSSEC (DO bit)\n"); + fprintf(stream, "\t-I\t\tsource address to query from\n"); #ifdef HAVE_SSL fprintf(stream, "\t-T\t\ttrace from the root down to \n"); fprintf(stream, "\t-S\t\tchase signature(s) from to a know key [*]\n");
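Review bot: the usage line added to drill/drill.c prints -I with no argument placeholder, although the same patch changes the getopt string from I to I: so the option now requires a value; the line should read along the lines of -I <address>, matching how the other options that take a value are shown. Because case 'I' was previously accepted bare ("reserved for backward compatibility"), an existing invocation that passes a bare -I will now swallow the next argument as the source address, which deserves a line in the man page and changelog.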
@@ -103,6 +104,7 @@ ldns_pkt *pkt; ldns_pkt *qpkt; char *serv; + char *src; const char *name; char *name2; char *progname; @@ -110,6 +112,7 @@ char *answer_file = NULL; ldns_buffer *query_buffer = NULL; ldns_rdf *serv_rdf; + ldns_rdf *src_rdf = NULL; ldns_rr_type type; ldns_rr_class clas; #if 0 @@ -157,7 +160,7 @@ int_type = -1; serv = NULL; type = 0; int_clas = -1; name = NULL; clas = 0; - qname = NULL; + qname = NULL; src = NULL; progname = strdup(argv[0]); #ifdef USE_WINSOCK @@ -195,7 +198,7 @@ /* global first, query opt next, option with parm's last * and sorted */ /* "46DITSVQf:i:w:q:achuvxzy:so:p:b:k:" */ - while ((c = getopt(argc, argv, "46ab:c:d:Df:hi:Ik:o:p:q:Qr:sStTuvV:w:xy:z")) != -1) { + while ((c = getopt(argc, argv, "46ab:c:d:Df:hi:I:k:o:p:q:Qr:sStTuvV:w:xy:z")) != -1) { switch(c) { /* global options */ case '4': @@ -208,7 +211,7 @@ qdnssec = true; break; case 'I': - /* reserved for backward compatibility */ + src = optarg; break; case 'T': if (PURPOSE == DRILL_CHASE) { @@ -480,6 +483,14 @@ } } + if (src) { + src_rdf = ldns_rdf_new_addr_frm_str(src); + if(!src_rdf) { + fprintf(stderr, "-I must be (or resolve) to a valid IP[v6] address.\n"); + exit(EXIT_FAILURE); + } + } + /* set the nameserver to use */ if (!serv) { /* no server given make a resolver from /etc/resolv.conf */ @@ -541,6 +552,9 @@ } /* set the resolver options */ ldns_resolver_set_port(res, qport); + if(src_rdf) { + ldns_resolver_set_source(res, src_rdf); + } if (verbosity >= 5) { ldns_resolver_set_debug(res, true); } else { @@ -924,6 +938,7 @@ exit: ldns_rdf_deep_free(qname); + ldns_rdf_deep_free(src_rdf); ldns_resolver_deep_free(res); ldns_resolver_deep_free(cmdline_res); ldns_rr_list_deep_free(key_list); Index: ldns/net.h.in =================================================================== --- ldns/net.h.in (revision 3757) +++ ldns/net.h.in (working copy) 
@@ -39,7 +39,7 @@ * \param[out] result packet with the answer * \return status */ -ldns_status ldns_udp_send(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to, socklen_t tolen, struct timeval timeout, size_t *answersize); +ldns_status ldns_udp_send(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to, socklen_t tolen, const struct sockaddr_storage *from, socklen_t fromlen, struct timeval timeout, size_t *answersize); /** * Send an udp query and don't wait for an answer but return @@ -51,7 +51,7 @@ * \return the socket used */ -int ldns_udp_bgsend(ldns_buffer *qbin, const struct sockaddr_storage *to, socklen_t tolen, struct timeval timeout); +int ldns_udp_bgsend(ldns_buffer *qbin, const struct sockaddr_storage *from, socklen_t fromlen, const struct sockaddr_storage *to, socklen_t tolen, struct timeval timeout); /** * Send an tcp query and don't wait for an answer but return Index: ldns/resolver.h =================================================================== --- ldns/resolver.h (revision 3757) +++ ldns/resolver.h (working copy) @@ -61,6 +61,9 @@ /** Port to send queries to */ uint16_t _port; + /** Source address to query from */ + ldns_rdf *_source; + /** Array of nameservers to query (IP addresses or dnames) */ ldns_rdf **_nameservers; /** Number of nameservers in \c _nameservers */ @@ -152,6 +155,13 @@ uint16_t ldns_resolver_port(const ldns_resolver *r); /** + * Get the source address the resolver should use + * \param[in] r the resolver + * \return the source rdf + */ +ldns_rdf *ldns_resolver_source(const ldns_resolver *r); + +/** * Is the resolver set to recurse * \param[in] r the resolver * \return true if so, otherwise false 
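Review bot: in ldns/resolver.h the new _source member is inserted between _port and _nameservers, which moves every later field of the resolver struct; placing it at the end keeps the existing offsets for code built against the older header. None of the hunks in this patch sets _source to NULL where a resolver is created, so unless that allocation is zeroed, the ldns_resolver_source(r) test added in ldns_send_buffer reads an uninitialised pointer; the constructor should initialise it. The two prototypes changed in ldns/net.h.in also gain from and fromlen without matching \param lines in the doc comments above them.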
@@ -338,6 +348,13 @@ void ldns_resolver_set_port(ldns_resolver *r, uint16_t p); /** + * Set the source rdf (address) the resolver should use + * \param[in] r the resolver + * \param[in] s the source address + */ +void ldns_resolver_set_source(ldns_resolver *r, ldns_rdf *s); + +/** * Set the resolver recursion * \param[in] r the resolver * \param[in] b true: set to recurse, false: unset Index: net.c =================================================================== --- net.c (revision 3757) +++ net.c (working copy) @@ -60,7 +60,9 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf *tsig_mac) { uint8_t i; - + + struct sockaddr_storage *src = NULL; + size_t src_len; struct sockaddr_storage *ns; size_t ns_len; struct timeval tv_s; @@ -90,6 +92,10 @@ ldns_resolver_nameservers_randomize(r); } + if(ldns_resolver_source(r)) { + src = ldns_rdf2native_sockaddr_storage(ldns_resolver_source(r), 0, &src_len); + } + /* loop through all defined nameservers */ for (i = 0; i < ldns_resolver_nameserver_count(r); i++) { if (rtt[i] == LDNS_RESOLV_RTT_INF) { @@ -144,9 +150,8 @@ /* ldns_rdf_print(stdout, ns_array[i]); */ send_status = ldns_udp_send(&reply_bytes, qb, ns, - (socklen_t)ns_len, ldns_resolver_timeout(r), - &reply_size); - + (socklen_t)ns_len, src, (socklen_t)src_len, + ldns_resolver_timeout(r), &reply_size); if (send_status == LDNS_STATUS_OK) { break; } @@ -201,6 +206,9 @@ sleep((unsigned int) ldns_resolver_retrans(r)); } + if(src) { + LDNS_FREE(src); + } if (all_servers_rtt_inf) { LDNS_FREE(reply_bytes); return LDNS_STATUS_RES_NO_NS; 
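Review bot: in ldns_send_buffer (net.c), src_len is declared without an initialiser and is passed as (socklen_t)src_len to ldns_udp_send even when no source is configured and it was never written; initialise it to 0. If ldns_rdf2native_sockaddr_storage returns NULL for the configured source, src stays NULL and the query goes out unbound with no error, which silently defeats a request for a specific source address; returning an error status at that point would be safer. The doc comment for ldns_resolver_set_source in resolver.h should also state that the resolver keeps the caller's pointer without copying it, since drill frees src_rdf itself at exit.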
@@ -292,12 +300,13 @@ ldns_status ldns_udp_send(uint8_t **result, ldns_buffer *qbin, const struct sockaddr_storage *to, - socklen_t tolen, struct timeval timeout, size_t *answer_size) + socklen_t tolen, const struct sockaddr_storage *from, socklen_t fromlen, + struct timeval timeout, size_t *answer_size) { int sockfd; uint8_t *answer; - sockfd = ldns_udp_bgsend(qbin, to, tolen, timeout); + sockfd = ldns_udp_bgsend(qbin, from, fromlen, to, tolen, timeout); if (sockfd == 0) { return LDNS_STATUS_SOCKET_ERROR; @@ -335,7 +344,8 @@ } int -ldns_udp_bgsend(ldns_buffer *qbin, const struct sockaddr_storage *to, socklen_t tolen, +ldns_udp_bgsend(ldns_buffer *qbin, const struct sockaddr_storage *from, socklen_t fromlen, + const struct sockaddr_storage *to, socklen_t tolen, struct timeval timeout) { int sockfd; @@ -346,6 +356,12 @@ return 0; } + if(from) { + if(bind(sockfd, (const struct sockaddr*)from, fromlen)) { + return 0; + } + } + if (ldns_udp_send_query(qbin, sockfd, to, tolen) == 0) { #ifndef USE_WINSOCK close(sockfd);
From willem at nlnetlabs.nl Tue Oct 16 13:58:17 2012
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 16 Oct 2012 15:58:17 +0200
Subject: [ldns-users] Fwd: ldns bind to source patch
In-Reply-To: <507C7D47.4090508@ecessa.com>
References: <507C42EA.7050000@ecessa.com> <507C7D47.4090508@ecessa.com>
Message-ID: <507D67F9.2090405@nlnetlabs.nl>

Hi Bryan,

Good suggestion and implementation draft/outline. Thanks! I will apply a version with alternate function names (as you already suggested) in trunk for the 1.6.15 release, after I have finished releasing 1.6.14.

Regards,

-- Willem

On 15-10-12 23:16, Bryan Duff wrote:
> Hrmmm... let's try the ldns mailing list.
>
> -Bryan
>
> -------- Original Message --------
> Subject: ldns bind to source patch
> Date: Mon, 15 Oct 2012 12:07:54 -0500
> From: Bryan Duff
> To: nsd-users at NLnetLabs.nl
>
> This allows binding the connection (UDP only in the patch) to a source
> IP (with the purpose of altering routing).
>
> Since this will cause API breakage, I suppose we'll want to alter this
> as a separate function call(s) in net and resolver.
>
> This patch includes updating drill to use this.
>
> Thanks.
>
> -Bryan
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>
From willem at nlnetlabs.nl Tue Oct 23 14:04:47 2012
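Review bot: in ldns_udp_bgsend (net.c) of the bind-to-source patch, the added bind() failure path returns 0 without closing sockfd, so every failed bind leaks a descriptor; close the socket before returning, following the #ifndef USE_WINSOCK pattern that the ldns_udp_send_query failure branch just below it uses. The two functions also take the new arguments in different positions, to/tolen then from/fromlen in ldns_udp_send but from/fromlen then to/tolen in ldns_udp_bgsend, and since both pairs have the same types a swapped call compiles cleanly; use one order in both. As the covering message says, only UDP is bound, so the -I documentation should state that any query sent over TCP still leaves from the default address.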
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 23 Oct 2012 16:04:47 +0200
Subject: [ldns-users] ldns 1.6.14 released
Message-ID: <5086A3FF.4060801@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

I am pleased to announce that version 1.6.14 of ldns is now available. This release has more bugfixes than normally because of the code reviews from CZ.NIC and Paul Wouters. Thank you! We have many improvements in the pyldns contribution from Karel Slany which are now listed in its own Changelog file in contrib/python (and below).

The most notable new feature is DANE support (RFC6698). New functions for verifying and constructing TLSA resource records have been added. The example tool, ldns-dane, has been added to demonstrate the new functions and for the general usability of DANE operation.

I hope this release will be useful for you and that you will keep us informed of your experiences.

Best regards,

Willem Toorop

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.14.tar.gz
sha1: 2ef5fbf33b25d2f7b736c332ebccc0862dd12d02

Changelog:
==========
* DANE support (RFC6698), including ldns-dane example tool.
* Configurable default CA certificate repository for ldns-dane with --with-ca-file=CAFILE and --with-ca-path=CAPATH
* Configurable default trust anchor with --with-trust-anchor=FILE for drill, ldns-verify-zone and ldns-dane
* bugfix #474: Define socklen_t when undefined (like in Win32)
* bugfix #473: Dead code removal and resource leak fix in drill
* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
* Various bugfixes from code reviews from CZ.NIC and Paul Wouters
* ldns-notify TSIG option argument checking
* Let ldns_resolver_nameservers_randomize keep nameservers and rtt's in sync.
* Let ldns_pkt_push_rr now return false on (memory) errors.
* Make buffer_export comply to documentation and fix buffer2str
* Various improvements and fixes of pyldns from Karel Slany now documented in their own Changelog.
* bugfix: Make ldns_resolver_pop_nameserver clear the array when there was only one.
* bugfix #459: Remove ldns_symbols and export symbols based on regex
* bugfix #458: Track all newly created signatures when signing.
* bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
* bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
* pyldns memory handling fixes and the python3/ldns-signzone.py examples script contribution from Karel Slany.
* bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed to be bigger (or equal) P in ldns_key_dsa2bin.
* bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new.
* bugfix #448: Copy nameserver value (instead of reference) of the answering nameserver to the answer packet in ldns_send_buffer, so the original value may be deep freed with the ldns_resolver struct.
* New -0 option for ldns-read-zone to replace inception, expiration and signature rdata fields with (null). Thanks Paul Wouters.
* New -p option for ldns-read-zone to prepend-pad SOA serial to take up ten characters.
* Return error if printing RR fails due to unknown/null RDATA.

pyldns Changelog:
=================
* Added rich comparison methods for ldns_dname, ldns_rdf, ldns_rr and ldns_rr_list classes.
* Added deprecation warnings into ldns_rr.new_frm_fp() and ldns_rr.new_frm_fp_l() and others.
* Fixed ldns_rr.set_rdf(), which may cause memory leaks, because it returns new objects (in the scope of Python). Also it leaked memory, when the call was not successful.
* Fixed ldns_get_rr_list_hosts_frm_file, marked as newobject.
* Fixed ldns_rr_list.cat() to return bool as mentioned in documentation.
* Fixed ldns_rr_list_cat_clone, marked as newobject.
* Fixed ldns_rr_list.new_frm_file(). Exception argument was invalid.
* Fixed ldns_rr_list.push_rr() to return bool as mentioned in documentation.
* Fixed ldns_rr_list.push_rr_list() to return bool as mentioned in documentation.
* Fixed ldns_rr_list.set_rr(), which caused memory corruption, double free problems and memory leaks. (The wrapper used original function instead of its push cloned variant which was missing.)
* Fixed ldns_rr_list.set_rr_count(), added python exception raise in order to avoid assertion failure.
* Fixed ldns_rr_list.subtype_by_rdf(), marked as newobject.
* Added ldns_rr.to_canonical(), ldns_rr.is_question(), ldns_rr.type_by_name(), ldns_rr.class_by_name(), ldns_rr_list.new(), ldns_rr.set_question().
* Modified ldns_rr_list.owner() and ldns_rr.owner(), now returns ldns_dname.
* Fixed assertion failures for several methods when receiving incorrect but syntactically valid arguments (i.e., ldns_rr.a_address(), ldns_rr.dnskey_algorithm(), ldns_rr.dnskey_flags(), ldns_rr.dnskey_key(), ldns_rr.dnskey_protocol(), ldns_rr.mx_exchange(), ldns_rr.mx_preference(), ldns_rr.ns_nsdname(), ldns_rr.owner(), ldns_rr.rdf(), ldns_rr.rrsig_algorithm(), ldns_rr.rrsig_expiration(), ldns_rr.rrsig_inception(), ldns_rr.rrsig_keytag(), ldns_rr.rrsig_labels(), ldns_rr.rrsig_origttl(), ldns_rr.rrsig_sig(), ldns_rr.rrsig_signame(), ldns_rr.rrsig_typecovered(), ldns_rr_list.owner(), ldns_rr_list.rr())
* Fixed ldns_rr.a_address(), which was asserting when called on non A or AAAA type rr. Now returns None when fails.
* Added scripts for testing the basic functionality of the ldns_rr, ldns_rr_descriptor and ldns_rr_list class code.
* Improved documentation of ldns_rr, ldns_rr_descriptor and ldns_rr_list.
* Fixed automatic conversion from Python string to ldns_rdf and ldns_dname. Caused memory corruption when using Python 3.
* The Python 3 wrapper code now raises TypeError instead of ValueError when receiving a non FILE * argument when it should be a FILE *.
* Fixed wrong handling of _ldns_rr_list_free() and _ldns_rr_list_deep_free() when compiling with LDNS_DEBUG directive.
* Fixed malfunctioning ldns.ldns_rdf_new_frm_fp_l().
* Fixed malfunctioning ldns_rdf.absolute() and ldns_dname.absolute().
* Marked several functions related to ldns_rdf and ldns_buffer as returning new objects.
* Method operating on ldns_dnames and returning dname ldns_rdfs now return ldns_dname instances.
* Improved documentation of ldns_buffer, ldns_rdf and ldns_dname classes.
* Methods ldns_buffer.available() and ldns_buffer.available_at() now return bool types as described in the documentation.
* Added scripts for testing the basic functionality of the ldns_buffer, ldns_rdf, ldns_dname class code.
* Added deprecation warnings to ldns_rdf methods operating on dname rdfs. The user is encouraged to converts dname ldns_rdfs to ldns_dnames.
* Extended ldns_dname constructor to accept ldns_rdfs containing dnames.
From willem at nlnetlabs.nl Thu Oct 25 13:55:30 2012
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 25 Oct 2012 15:55:30 +0200
Subject: [ldns-users] WARNING: Binary Incompatibility in 1.6.14
Message-ID: <508944D2.1030902@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

There is a binary incompatibility in 1.6.14 which is fixed with an emergency release of 1.6.15. It is available here:

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.15.tar.gz
sha1: a47cb11fa5c601410e2e8feda36ab343162fe92b

Only ldns 1.6.14, and no other version, breaks binary compatibility with earlier versions. Part of the return status codes have different values in ldns 1.6.14. This has unpredictable effects on software using ldns such as Unbound and OpenDNSSEC when the library is upgraded.

ldns 1.6.15 is binary compatible with ldns 1.6.13 and earlier again. We strongly recommend to package that version and skip packaging ldns 1.6.14 if possible.

Warning! If you have compiled ldns using software with ldns-1.6.14, then this new version will be binary incompatible with your installed version. You will have to recompile the software together with ldns-1.6.15. Was the software compiled with ldns-1.6.13 or earlier, then you will not have this problem and can safely install ldns-1.6.15.

Best regards,

Willem

Changelog:
==========
* Remove LDNS_STATUS_EXISTS_ERR from ldns/error.h to make ldns binary compatible with earlier releases again.
From Willem at NLnetLabs.nl Thu Oct 25 18:16:53 2012
From: Willem at NLnetLabs.nl (Willem Toorop)
Date: Thu, 25 Oct 2012 20:16:53 +0200
Subject: [ldns-users] ldns 1.6.15 emergency release
Message-ID: <50898215.8090804@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

It has come to my attention that the ldns 1.6.15 emergency release was not available from the referred to location. Now it is.

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.15.tar.gz
sha1: a47cb11fa5c601410e2e8feda36ab343162fe92b

The previous announcement is repeated verbatim below:

WARNING: Binary Incompatibility in ldns 1.6.14
==============================================

There is a binary incompatibility in ldns 1.6.14 which is fixed with an emergency release of ldns 1.6.15. It is available here:

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.15.tar.gz
sha1: a47cb11fa5c601410e2e8feda36ab343162fe92b

Only ldns 1.6.14, and no other version, breaks binary compatibility with earlier versions. Part of the return status codes have different values in ldns 1.6.14. This has unpredictable effects on software using ldns such as Unbound and OpenDNSSEC when the library is upgraded.

ldns 1.6.15 is binary compatible with ldns 1.6.13 and earlier again. We strongly recommend to package that version and skip packaging ldns 1.6.14 if possible.

Warning! If you have compiled ldns using software with ldns-1.6.14, then this new version will be binary incompatible with your installed version. You will have to recompile the software together with ldns-1.6.15. Was the software compiled with ldns-1.6.13 or earlier, then you will not have this problem and can safely install ldns-1.6.15.

Best regards,

Willem

Changelog:
==========
* Remove LDNS_STATUS_EXISTS_ERR from ldns/error.h to make ldns binary compatible with earlier releases again.
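The status-code shift behind the 1.6.14 binary incompatibility warning above, as an added illustration that is not part of the original messages or of the ldns source. Only LDNS_STATUS_OK and LDNS_STATUS_EXISTS_ERR come from the thread; the EX_* names, the ordering and the position of the inserted code are assumptions made for the example.

```c
/* Added illustration, not ldns source. Only LDNS_STATUS_OK and
 * LDNS_STATUS_EXISTS_ERR are names from the thread; the EX_* names, the
 * list order and the insert position are constructed for the example. */
#include <stdio.h>
#include <string.h>

#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

/* A C enum numbers its members by position, so the index of a name in each
 * table stands for the integer that header version assigns to it. */
static const char *const hdr_1_6_13[] = {
    "LDNS_STATUS_OK", "EX_SYNTAX_ERR", "EX_SOCKET_ERR", "EX_MEM_ERR" };
static const char *const hdr_1_6_14[] = {
    "LDNS_STATUS_OK", "LDNS_STATUS_EXISTS_ERR",   /* new code in the middle */
    "EX_SYNTAX_ERR", "EX_SOCKET_ERR", "EX_MEM_ERR" };
static const char *const hdr_1_6_15[] = {         /* new code removed again */
    "LDNS_STATUS_OK", "EX_SYNTAX_ERR", "EX_SOCKET_ERR", "EX_MEM_ERR" };

/* Integer a header assigns to `name`, or -1 if the header lacks it. */
static int value_of(const char *const *hdr, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(hdr[i], name) == 0)
            return (int)i;
    return -1;
}

/* Name that code compiled against `hdr` attaches to a raw status value. */
static const char *name_of(const char *const *hdr, size_t n, int value)
{
    return (value >= 0 && (size_t)value < n) ? hdr[value] : "(unknown status)";
}

/* ABI check: number of old names whose value differs in the new header. */
static int shifted_codes(const char *const *old_hdr, size_t n_old,
                         const char *const *new_hdr, size_t n_new)
{
    int shifted = 0;
    for (size_t i = 0; i < n_old; i++)
        if (value_of(new_hdr, n_new, old_hdr[i]) != (int)i)
            shifted++;
    return shifted;
}

/* What an application built with app_hdr believes it received when a
 * library built with lib_hdr returns the status called `lib_status`. */
static const char *app_reads(const char *const *app_hdr, size_t n_app,
                             const char *const *lib_hdr, size_t n_lib,
                             const char *lib_status)
{
    return name_of(app_hdr, n_app, value_of(lib_hdr, n_lib, lib_status));
}

int main(void)
{
    printf("codes shifted 1.6.13 -> 1.6.14: %d\n",
           shifted_codes(hdr_1_6_13, COUNT(hdr_1_6_13),
                         hdr_1_6_14, COUNT(hdr_1_6_14)));
    printf("codes shifted 1.6.13 -> 1.6.15: %d\n",
           shifted_codes(hdr_1_6_13, COUNT(hdr_1_6_13),
                         hdr_1_6_15, COUNT(hdr_1_6_15)));
    for (size_t i = 0; i < COUNT(hdr_1_6_14); i++)
        printf("library returns %-24s app built on 1.6.13 sees %s\n",
               hdr_1_6_14[i],
               app_reads(hdr_1_6_13, COUNT(hdr_1_6_13),
                         hdr_1_6_14, COUNT(hdr_1_6_14), hdr_1_6_14[i]));
    return 0;
}
```

Running the same comparison over the enumerator lists of two real header versions before a release is a cheap way to catch this class of break.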