From willem at nlnetlabs.nl Thu Dec 1 12:58:43 2016 
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 1 Dec 2016 13:58:43 +0100
Subject: [ldns-users] ldns 1.7.0 rc1
Message-ID:

Dear users of ldns,

We have a release candidate for ldns 1.7.0

This is primarily a bugfix and maintenance release. For a list of
fixed bugs and maintenance work see the Changelog below.

The most prominent change of this release is related to DANE
verification. We received a report that verification of the DANE-TA
usage type has issues. Also, the function prototypes that ldns exposes
do not provide means to address End Entity name verification. Therefore
we strongly recommend to use the DANE verification functions provided by
OpenSSL >= 1.1.0 instead.

ldns has been adapted to deal with the situation as follows:
All ldns DANE verification functions will be mapped directly to
OpenSSL's >= 1.1.0 DANE verification functions.

The ldns-dane example tool will use OpenSSL >= 1.1.0 DANE functions
directly when available.

configure will fail when OpenSSL >= 1.1.0 is not available.

To compile ldns linked with an older version of OpenSSL or with
LibreSSL, one has to either

- disable the DANE verification functions with the
  --disable-dane-verify configure option
  (the functions to create TLSA RR's will still be available), or

- disable verification of DANE-TA usage type with the
  --disable-dane-ta-usage configure option.

In this last case, ldns_dane_verify() will return an
LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA error code when
the only TLSA RR's that matched the certificate were of the
DANE-TA usage type.

Please let us know if you want us to deal with this differently.

Because ldns will potentially have a different set of function
prototypes (for example when compiled with --disable-dane-verify) and
because of ABI breakage in earlier versions, the .so version of this
release of ldns is bumped. From now on .so versions will no longer
follow ldns's own version number, but will be based on libtool's version
information scheme that we also practice with libunbound and libgetdns.

Please review this release candidate carefully and let us know if
anything is wrong. If all is well, the actual release will follow
Thursday the 15th of December 2016.

Best regards,

Willem

link: https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz
sha1: aaef2b485e99a5d0f4a69449e29413b59c0d0ad3
asc : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz.asc

Changelog
=========
* Fix lookup of relative names in ldns_resolver_search.
* bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
* Follow CNAME's when tracing with drill (TODO dnssec trace)
* Fix #551 change Regent to Copyright holder in BSD license in some of the headings of the file, to match the opensource.org BSD license.
* -e option makes ldns-compare-zones exit with status code 2 on difference
* Filter out specified RR types with ldns-read-zone -e and -E options
* bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
* bugfix #562: ldns-keygen match DSA key maximum size with library. And check keysizes with all algorithms. Thanks Peter Koch.
* ldns-verify-zone accepts only one single zonefile as argument.
* bugfix #573: ldns-keygen write private keys with mode 0600. Thanks Leon Weber
* Fix configure to make ldns compile with LibreSSL 2.0
* drill now also accepts dig style -y option (-y <[algo:]name:key> i.s.o. -y )
* OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
* bugfix #608: Correct comment about escaped characters
* CDS and CDNSKEY rr type from RFC 7344. --enable-rrtype-cds configure option removed
* fix: Memory leak in ldns_pkt_rr_list_by_name() Thanks Johannes Naab
* fix: Memory leak in ldns_dname2buffer_wire_compress() Thanks Max Liebkies
* bugfix #613: Allow tab as whitespace too in last rdata field of types of variable length. Thanks Xiali Yan
* bugfix: strip trailing whitespace from $ORIGIN lines in zone files
* Let ldns-keygen output .ds files only for KSK keys
* Parse RFC7218 TLSA mnemonics, but do not output them
* Let ldns-dane use SPKI as the default selector i.s.o. Cert
* bugfix: Fit left over NSEC3s once more before adding empty non terminals. Thanks Stuart Browne
* bugfix #605: Determine default trust anchor location at compile time Thanks Peter Koch
* bugfix #697: Double free with ldns-dane create Thanks Carsten Strotmann
* bugfix #623: Do not redefine bool type and boolean values Thanks Jakob Petsovits
* bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx Thanks Shussain
* bugfix #575: ldns_pkt_clone() does not copy timestamp field Thanks Calle Dybedahl
* bugfix #584: ldns-update fixes. Send update to port 53, bring manpage in sync with the usage text, and don't alter the ldns_resolver passed to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone() function in the process. Thanks Nicholas Riley.
* bugfix #633: ldns_pkt_clone() parameter isn't const. Thanks Jakob Petsovits
* bugfix: ldns-dane manpage correction Thanks Erwin Lansing
* Spelling fixes. Thanks Andreas Schulze
* Hyphen used as minus in manpages. Thanks Andreas Schulze.
* RFC7553 RR Type URI is supported by default.
* Fix ECDSA signature generation, do not omit leading zeroes.
* bugfix: Get rid of superfluous newline in ldns-keyfetcher Thanks Jan-Piet Mens
* bugfix: -U option to ldns-signzone to sign with every algorithm Thanks Guido Kroon
* bugfix #725: allow RR-types on the type bitmap window border Thanks Pieter Lexis
* bugfix #726: 2 typos in drill manpage. Thanks Hugo Lombard
* Add type CSYNC support, RFC 7477.
* Prepare for ED25519, ED448 support: todo convert* routines in dnssec.h, once openssl has support for signing with these algorithms. The dns algorithm number is not yet allocated. These features are not fully implemented yet, openssl (1.1) does not support the algorithms enough to generate keys and sign and verify with them.
* Fix _answerfrom comment in ldns_struct_pkt.
* Fix drill axfr ipv4/ipv6 queries.
* Fix comment referring to mk_query in packet.h to pkt_query_new.
* Fix description of QR flag in packet.h.
* Fix for openssl 1.1.0 API changes.
* Remove commented out macro. Thanks Thiago Farina
* bugfix #641: Include install-sh in .gitignore
* bugfix #825: Module import breaks with newer SWIG versions. Thanks Christoph Egger
* bugfix #796 - #792: Fix miscellaneous compiler warning issues. Thanks Ngie Cooper
* bugfix #769: Add support for :: in an IPv6 address Thanks Hajimu UMEMOTO
* bugfix #760: Detect superfluous text in presentation format Thanks Xiali Yan
* bugfix #708: warnings and errors with xcode 6.1/7.0
* bugfix #754: Memory leak in ldns_str2rdf_ipseckey Thanks Xiali Yan
* bugfix #661: Fail NSEC3 signing when NSEC domainname length would overflow. Thanks Jan-Piet Mens.
* bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys. Thanks Harald Jenny
* bugfix #680: ldns fails to reject invalidly formatted RFC 7553 URI RRs. Thanks Robert Edmonds
* bugfix #678: Use poll i.s.o. select to support > 1024 fds Thanks William King
* Use OpenSSL DANE functions for verification (unless explicitly disabled with --disable-dane-ta-usage).
* Bump .so version
* Include OPENPGPKEY RR type by default
* rdata processing for SMIMEA RR type

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 829 bytes
Desc: OpenPGP digital signature

From: sca at andreasschulze.de (A. Schulze)
Date: Sat, 3 Dec 2016 21:28:18 +0100
Subject: [ldns-users] ldns 1.7.0 rc1
In-Reply-To:
References:
Message-ID: <5329f414-269b-7e96-36f2-d90e03c1e64f@andreasschulze.de>

On 01.12.2016 at 13:58, Willem Toorop wrote:
> Dear users of ldns,
>
> We have a release candidate for ldns 1.7.0
>
> This is primarily a bugfix and maintenance release. For a list of
> fixed bugs and maintenance work see the Changelog below.
>
> The most prominent change of this release is related to DANE
> verification. We received a report that verification of the DANE-TA
> usage type has issues. Also, the function prototypes that ldns exposes
> do not provide means to address End Entity name verification. Therefore
> we strongly recommend to use the DANE verification functions provided by
> OpenSSL >= 1.1.0 instead.
>
> ldns has been adapted to deal with the situation as follows:
> All ldns DANE verification functions will be mapped directly to
> OpenSSL's >= 1.1.0 DANE verification functions.
>
> The ldns-dane example tool will use OpenSSL >= 1.1.0 DANE functions
> directly when available.
>
> configure will fail when OpenSSL >= 1.1.0 is not available.
>
> To compile ldns linked with an older version of OpenSSL or with
> LibreSSL, one has to either
>
> - disable the DANE verification functions with the
>   --disable-dane-verify configure option
>   (the functions to create TLSA RR's will still be available), or
>
> - disable verification of DANE-TA usage type with the
>   --disable-dane-ta-usage configure option.
>
> In this last case, ldns_dane_verify() will return an
> LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA error code when
> the only TLSA RR's that matched the certificate were of the
> DANE-TA usage type.
>
> Please let us know if you want us to deal with this differently.
>
> Because ldns will potentially have a different set of function
> prototypes (for example when compiled with --disable-dane-verify) and
> because of ABI breakage in earlier versions, the .so version of this
> release of ldns is bumped. From now on .so versions will no longer
> follow ldns's own version number, but will be based on libtool's version
> information scheme that we also practice with libunbound and libgetdns.
>
> Please review this release candidate carefully and let us know if
> anything is wrong. If all is well, the actual release will follow
> Thursday the 15th of December 2016.

Hello Willem,

ldns-read-zone dumps core on TLSA records.

# ulimit -c unlimited

# echo '_443._tcp.example.local. TLSA 3 1 1 0815...' | /usr/bin/ldns-read-zone
Segmentation fault (core dumped)

# gdb /usr/bin/ldns-read-zone /var/core/ldns-read-zone_running_as_pid_11264_got_signal_11
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ldns-read-zone...Reading symbols from /usr/lib/debug//usr/bin/ldns-read-zone...done.
done.
[New LWP 11264]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ldns-read-zone'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt full
#0  0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00007f07a6c29175 in ldns_lookup_by_name (table=0x7f07a6e43890, table@entry=0x7f07a6e43840, name=name@entry=0x11e8a50 "3") at ./util.c:33
No locals.
#2  0x00007f07a6c25114 in ldns_str2rdf_mnemonic4int8 (lt=lt@entry=0x7f07a6e43840, rd=rd@entry=0x7fff3eeb1c50, str=0x11e8a50 "3") at ./str2host.c:805
No locals.
#3  0x00007f07a6c25dd2 in ldns_str2rdf_certificate_usage (rd=rd@entry=0x7fff3eeb1c50, str=) at ./str2host.c:828
No locals.
#4  0x00007f07a6c1b868 in ldns_rdf_new_frm_str (type=LDNS_RDF_TYPE_CERTIFICATE_USAGE, str=str@entry=0x11e8a50 "3") at ./rdata.c:355
        rdf =
        status =
#5  0x00007f07a6c20dcb in ldns_rr_new_frm_str_internal (newrr=0x7fff3eeb1d70, str=str@entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl@entry=0, origin=0x0, prev=, question=question@entry=false) at ./rr.c:586
        new = 0x11d8850
        desc = 0x7f07a6e41080
        rr_type = LDNS_RR_TYPE_TLSA
        rr_buf = 0x11e89f0
        rd_buf =
        ttl_val = 0
        owner = 0x0
        ttl = 0x0
        clas_val =
        clas = 0x0
        type = 0x0
        rdata = 0x11d89e0 "3 1 1 0815"
        rd =
        xtok = 0x11f8a60 ""
        rd_strlen =
        delimiters =
        c =
        owner_dname =
        endptr = 0x11d89a0 ""
        was_unknown_rr_format = 0
        status =
        done = false
        quoted =
        r =
        r_cnt = 0
        r_min = 4
        r_max = 4
        hex_data_size =
        hex_data_str = 0x0
        cur_hex_data_size =
        hex_pos = 0
        hex_data = 0x0
#6  0x00007f07a6c215e8 in ldns_rr_new_frm_str (newrr=, str=str@entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl@entry=0, origin=, prev=) at ./rr.c:663
No locals.
#7  0x00007f07a6c2172b in ldns_rr_new_frm_fp_l (newrr=newrr@entry=0x7fff3eeb1df0, fp=fp@entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, default_ttl=default_ttl@entry=0x7fff3eeb1dec, origin=origin@entry=0x7fff3eeb1df8, prev=prev@entry=0x7fff3eeb1e00, line_nr=line_nr@entry=0x7fff3eeb1e7c) at ./rr.c:774
        line =
        endptr = 0x0
        rr = 0x0
        ttl = 0
        tmp =
        s =
        size =
#8  0x00007f07a6c2ab73 in ldns_zone_new_frm_fp_l (z=z@entry=0x7fff3eeb1e80, fp=fp@entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, origin=origin@entry=0x0, ttl=ttl@entry=0, c=c@entry=LDNS_RR_CLASS_IN, line_nr=line_nr@entry=0x7fff3eeb1e7c) at ./zone.c:227
        newzone = 0x11d6010
        rr = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
        my_ttl = 0
        my_origin = 0x0
        my_prev = 0x1208b30
        soa_seen = false
        s =
        ret = LDNS_STATUS_MEM_ERR
#9  0x0000000000401a51 in main (argc=, argv=) at ./examples/ldns-read-zone.c:257
        filename =
        fp = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
        z = 0x7f07a68481a8
        line_nr = 1
        c =
        canonicalize = false
        sort = false
        print_soa = true
        s =
        i =
        stripped_list =
        cur_rr =
        fmt_storage = {flags = 14, hashmap = 0x0, bitmap = 0x0}
        show_types = 0x0
        soa_serial_increment_func = 0x0
        soa_serial_increment_func_data = 0

hope that helps...

Andreas

>
> Best regards,
>
> Willem
>
>
> link: https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz
> sha1: aaef2b485e99a5d0f4a69449e29413b59c0d0ad3
> asc : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz.asc
>
>
> Changelog
> =========
> * Fix lookup of relative names in ldns_resolver_search.
> * bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
> * Follow CNAME's when tracing with drill (TODO dnssec trace)
> * Fix #551 change Regent to Copyright holder in BSD license in
>   some of the headings of the file, to match the opensource.org
>   BSD license.
> * -e option makes ldns-compare-zones exit with status code 2 on
>   difference
> * Filter out specified RR types with ldns-read-zone -e and -E options
> * bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
> * bugfix #562: ldns-keygen match DSA key maximum size with library.
>   And check keysizes with all algorithms. Thanks Peter Koch.
> * ldns-verify-zone accepts only one single zonefile as argument.
> * bugfix #573: ldns-keygen write private keys with mode 0600.
>   Thanks Leon Weber
> * Fix configure to make ldns compile with LibreSSL 2.0
> * drill now also accepts dig style -y option
>   (-y <[algo:]name:key> i.s.o. -y )
> * OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
> * bugfix #608: Correct comment about escaped characters
> * CDS and CDNSKEY rr type from RFC 7344.
>   --enable-rrtype-cds configure option removed
> * fix: Memory leak in ldns_pkt_rr_list_by_name()
>   Thanks Johannes Naab
> * fix: Memory leak in ldns_dname2buffer_wire_compress()
>   Thanks Max Liebkies
> * bugfix #613: Allow tab as whitespace too in last rdata field of types
>   of variable length. Thanks Xiali Yan
> * bugfix: strip trailing whitespace from $ORIGIN lines in zone files
> * Let ldns-keygen output .ds files only for KSK keys
> * Parse RFC7218 TLSA mnemonics, but do not output them
> * Let ldns-dane use SPKI as the default selector i.s.o. Cert
> * bugfix: Fit left over NSEC3s once more before adding empty non
>   terminals. Thanks Stuart Browne
> * bugfix #605: Determine default trust anchor location at compile time
>   Thanks Peter Koch
> * bugfix #697: Double free with ldns-dane create
>   Thanks Carsten Strotmann
> * bugfix #623: Do not redefine bool type and boolean values
>   Thanks Jakob Petsovits
> * bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
>   Thanks Shussain
> * bugfix #575: ldns_pkt_clone() does not copy timestamp field
>   Thanks Calle Dybedahl
> * bugfix #584: ldns-update fixes. Send update to port 53, bring manpage
>   in sync with the usage text, and don't alter the ldns_resolver passed
>   to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone()
>   function in the process. Thanks Nicholas Riley.
> * bugfix #633: ldns_pkt_clone() parameter isn't const.
>   Thanks Jakob Petsovits
> * bugfix: ldns-dane manpage correction
>   Thanks Erwin Lansing
> * Spelling fixes. Thanks Andreas Schulze
> * Hyphen used as minus in manpages. Thanks Andreas Schulze.
> * RFC7553 RR Type URI is supported by default.
> * Fix ECDSA signature generation, do not omit leading zeroes.
> * bugfix: Get rid of superfluous newline in ldns-keyfetcher
>   Thanks Jan-Piet Mens
> * bugfix: -U option to ldns-signzone to sign with every algorithm
>   Thanks Guido Kroon
> * bugfix #725: allow RR-types on the type bitmap window border
>   Thanks Pieter Lexis
> * bugfix #726: 2 typos in drill manpage.
>   Thanks Hugo Lombard
> * Add type CSYNC support, RFC 7477.
> * Prepare for ED25519, ED448 support: todo convert* routines in
>   dnssec.h, once openssl has support for signing with these algorithms.
>   The dns algorithm number is not yet allocated. These features are
>   not fully implemented yet, openssl (1.1) does not support the
>   algorithms enough to generate keys and sign and verify with them.
> * Fix _answerfrom comment in ldns_struct_pkt.
> * Fix drill axfr ipv4/ipv6 queries.
> * Fix comment referring to mk_query in packet.h to pkt_query_new.
> * Fix description of QR flag in packet.h.
> * Fix for openssl 1.1.0 API changes.
> * Remove commented out macro. Thanks Thiago Farina
> * bugfix #641: Include install-sh in .gitignore
> * bugfix #825: Module import breaks with newer SWIG versions.
>   Thanks Christoph Egger
> * bugfix #796 - #792: Fix miscellaneous compiler warning issues.
>   Thanks Ngie Cooper
> * bugfix #769: Add support for :: in an IPv6 address
>   Thanks Hajimu UMEMOTO
> * bugfix #760: Detect superfluous text in presentation format
>   Thanks Xiali Yan
> * bugfix #708: warnings and errors with xcode 6.1/7.0
> * bugfix #754: Memory leak in ldns_str2rdf_ipseckey
>   Thanks Xiali Yan
> * bugfix #661: Fail NSEC3 signing when NSEC domainname length
>   would overflow. Thanks Jan-Piet Mens.
> * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
>   Thanks Harald Jenny
> * bugfix #680: ldns fails to reject invalidly formatted
>   RFC 7553 URI RRs. Thanks Robert Edmonds
> * bugfix #678: Use poll i.s.o. select to support > 1024 fds
>   Thanks William King
> * Use OpenSSL DANE functions for verification (unless explicitly
>   disabled with --disable-dane-ta-usage).
> * Bump .so version
> * Include OPENPGPKEY RR type by default
> * rdata processing for SMIMEA RR type
>
>
>
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>

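The backtrace Andreas posted shows the crash inside ldns_lookup_by_name while the certificate usage field "3" of the TLSA record is resolved through a mnemonic table. The following is an added, stand-alone C example (not ldns's parser and not the attached fix) of how that parsing step can be done defensively: each TLSA field accepts either a number or one of the RFC 7218 mnemonics the changelog mentions, every lookup table ends in a sentinel so the walk is bounded, superfluous text is rejected, and the digest length is checked against the matching type. The table type, the function names and the sample digest are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical lookup-table type for this example (not ldns's own). Every table
 * ends in a {NULL, -1} sentinel, so a lookup can never walk past its last entry. */
struct mnemonic { const char *name; int value; };

/* RFC 7218 mnemonics for the three TLSA fields. */
static const struct mnemonic usage_tbl[] = {
    {"PKIX-TA", 0}, {"PKIX-EE", 1}, {"DANE-TA", 2}, {"DANE-EE", 3}, {NULL, -1} };
static const struct mnemonic selector_tbl[] = { {"Cert", 0}, {"SPKI", 1}, {NULL, -1} };
static const struct mnemonic mtype_tbl[] = {
    {"Full", 0}, {"SHA2-256", 1}, {"SHA2-512", 2}, {NULL, -1} };

struct tlsa_rdata {
    uint8_t usage, selector, mtype;
    uint8_t data[512];                      /* certificate association data */
    size_t  datalen;
};

/* Resolve one field token: a decimal 0..255 (anything the 8-bit wire field can
 * carry, assigned or not) or a mnemonic from tbl. Returns -1 for anything else. */
static int field_value(const struct mnemonic *tbl, const char *tok)
{
    char *end;
    long v = strtol(tok, &end, 10);
    if (*tok != '\0' && *end == '\0')       /* purely numeric token */
        return (v >= 0 && v <= 255) ? (int)v : -1;
    for (; tbl->name != NULL; tbl++)        /* bounded by the sentinel */
        if (strcasecmp(tbl->name, tok) == 0)
            return tbl->value;
    return -1;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse TLSA rdata in presentation format, "<usage> <selector> <mtype> <hex>".
 * Returns 0 and fills *rd on success, -1 on any syntax or consistency error. */
int tlsa_parse_rdata(const char *rdata, struct tlsa_rdata *rd)
{
    const struct mnemonic *tbls[3] = { usage_tbl, selector_tbl, mtype_tbl };
    uint8_t *fields[3] = { &rd->usage, &rd->selector, &rd->mtype };
    char buf[2048], *save = NULL, *tok;
    int v, hi = -1;
    if (strlen(rdata) >= sizeof buf) return -1;
    strcpy(buf, rdata);
    for (int i = 0; i < 3; i++) {
        tok = strtok_r(i == 0 ? buf : NULL, " \t", &save);
        if (tok == NULL || (v = field_value(tbls[i], tok)) < 0)
            return -1;
        *fields[i] = (uint8_t)v;
    }
    /* The rest must be hex digits; zone files may split them into several
     * whitespace-separated groups. Anything else is superfluous text. */
    rd->datalen = 0;
    while ((tok = strtok_r(NULL, " \t", &save)) != NULL) {
        for (const char *p = tok; *p != '\0'; p++) {
            int h = hexval((unsigned char)*p);
            if (h < 0) return -1;
            if (hi < 0) {
                hi = h;                     /* high nibble, wait for the low one */
            } else {
                if (rd->datalen >= sizeof rd->data) return -1;
                rd->data[rd->datalen++] = (uint8_t)((hi << 4) | h);
                hi = -1;
            }
        }
    }
    if (hi >= 0 || rd->datalen == 0)        /* odd digit count, or no data at all */
        return -1;
    /* The matching type fixes the length: SHA2-256 is 32 bytes, SHA2-512 is 64. */
    if ((rd->mtype == 1 && rd->datalen != 32) || (rd->mtype == 2 && rd->datalen != 64))
        return -1;
    return 0;
}

/* Constructed sample digest for the demo; not a real certificate hash. */
#define SAMPLE_SHA256 "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
int main(void)
{
    struct tlsa_rdata rd;
    const char *examples[] = { "3 1 1 " SAMPLE_SHA256,                 /* numeric, as in the report */
                               "DANE-EE SPKI SHA2-256 " SAMPLE_SHA256, /* RFC 7218 mnemonics */
                               "3 1 1 0815" };                         /* too short for SHA2-256 */
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", examples[i],
               tlsa_parse_rdata(examples[i], &rd) == 0 ? "ok" : "rejected");
    return 0;
}
```

The reported input "3 1 1 0815" is rejected with a clean error here because two bytes cannot be a SHA2-256 digest, which is the outcome a zone loader should produce instead of a segmentation fault.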
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 5 Dec 2016 09:47:42 +0100
Subject: [ldns-users] ldns 1.7.0 rc1
In-Reply-To: <5329f414-269b-7e96-36f2-d90e03c1e64f@andreasschulze.de>
References: <5329f414-269b-7e96-36f2-d90e03c1e64f@andreasschulze.de>
Message-ID: <6a5e0d81-582e-ce6c-5dde-f55c73c5c0dd@nlnetlabs.nl>

Thank you Andreas!

Fix attached.

-- Willem

On 03-12-16 at 21:28, A. Schulze wrote:
>
>
> On 01.12.2016 at 13:58, Willem Toorop wrote:
>> Dear users of ldns,
>>
>> We have a release candidate for ldns 1.7.0
>>
>> This is primarily a bugfix and maintenance release. For a list of
>> fixed bugs and maintenance work see the Changelog below.
>>
>> The most prominent change of this release is related to DANE
>> verification. We received a report that verification of the DANE-TA
>> usage type has issues. Also, the function prototypes that ldns exposes
>> do not provide means to address End Entity name verification. Therefore
>> we strongly recommend to use the DANE verification functions provided by
>> OpenSSL >= 1.1.0 instead.
>>
>> ldns has been adapted to deal with the situation as follows:
>> All ldns DANE verification functions will be mapped directly to
>> OpenSSL's >= 1.1.0 DANE verification functions.
>>
>> The ldns-dane example tool will use OpenSSL >= 1.1.0 DANE functions
>> directly when available.
>>
>> configure will fail when OpenSSL >= 1.1.0 is not available.
>>
>> To compile ldns linked with an older version of OpenSSL or with
>> LibreSSL, one has to either
>>
>> - disable the DANE verification functions with the
>>   --disable-dane-verify configure option
>>   (the functions to create TLSA RR's will still be available), or
>>
>> - disable verification of DANE-TA usage type with the
>>   --disable-dane-ta-usage configure option.
>>
>> In this last case, ldns_dane_verify() will return an
>> LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA error code when
>> the only TLSA RR's that matched the certificate were of the
>> DANE-TA usage type.
>>
>> Please let us know if you want us to deal with this differently.
>>
>> Because ldns will potentially have a different set of function
>> prototypes (for example when compiled with --disable-dane-verify) and
>> because of ABI breakage in earlier versions, the .so version of this
>> release of ldns is bumped. From now on .so versions will no longer
>> follow ldns's own version number, but will be based on libtool's version
>> information scheme that we also practice with libunbound and libgetdns.
>>
>> Please review this release candidate carefully and let us know if
>> anything is wrong. If all is well, the actual release will follow
>> Thursday the 15th of December 2016.
>
> Hello Willem,
>
> ldns-read-zone dumps core on TLSA records.
>
> # ulimit -c unlimited
>
> # echo '_443._tcp.example.local. TLSA 3 1 1 0815...' | /usr/bin/ldns-read-zone
> Segmentation fault (core dumped)
>
> # gdb /usr/bin/ldns-read-zone /var/core/ldns-read-zone_running_as_pid_11264_got_signal_11
> GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> Find the GDB manual and other documentation resources online at:
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/bin/ldns-read-zone...Reading symbols from /usr/lib/debug//usr/bin/ldns-read-zone...done.
> done.
> [New LWP 11264]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `ldns-read-zone'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> (gdb) bt full
> #0  0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> No symbol table info available.
> #1  0x00007f07a6c29175 in ldns_lookup_by_name (table=0x7f07a6e43890, table@entry=0x7f07a6e43840, name=name@entry=0x11e8a50 "3") at ./util.c:33
> No locals.
> #2  0x00007f07a6c25114 in ldns_str2rdf_mnemonic4int8 (lt=lt@entry=0x7f07a6e43840, rd=rd@entry=0x7fff3eeb1c50, str=0x11e8a50 "3") at ./str2host.c:805
> No locals.
> #3  0x00007f07a6c25dd2 in ldns_str2rdf_certificate_usage (rd=rd@entry=0x7fff3eeb1c50, str=) at ./str2host.c:828
> No locals.
> #4  0x00007f07a6c1b868 in ldns_rdf_new_frm_str (type=LDNS_RDF_TYPE_CERTIFICATE_USAGE, str=str@entry=0x11e8a50 "3") at ./rdata.c:355
>         rdf =
>         status =
> #5  0x00007f07a6c20dcb in ldns_rr_new_frm_str_internal (newrr=0x7fff3eeb1d70, str=str@entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl@entry=0, origin=0x0,
>     prev=, question=question@entry=false) at ./rr.c:586
>         new = 0x11d8850
>         desc = 0x7f07a6e41080
>         rr_type = LDNS_RR_TYPE_TLSA
>         rr_buf = 0x11e89f0
>         rd_buf =
>         ttl_val = 0
>         owner = 0x0
>         ttl = 0x0
>         clas_val =
>         clas = 0x0
>         type = 0x0
>         rdata = 0x11d89e0 "3 1 1 0815"
>         rd =
>         xtok = 0x11f8a60 ""
>         rd_strlen =
>         delimiters =
>         c =
>         owner_dname =
>         endptr = 0x11d89a0 ""
>         was_unknown_rr_format = 0
>         status =
>         done = false
>         quoted =
>         r =
>         r_cnt = 0
>         r_min = 4
>         r_max = 4
>         hex_data_size =
>         hex_data_str = 0x0
>         cur_hex_data_size =
>         hex_pos = 0
>         hex_data = 0x0
> #6  0x00007f07a6c215e8 in ldns_rr_new_frm_str (newrr=, str=str@entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl@entry=0, origin=,
>     prev=) at ./rr.c:663
> No locals.
> #7  0x00007f07a6c2172b in ldns_rr_new_frm_fp_l (newrr=newrr@entry=0x7fff3eeb1df0, fp=fp@entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, default_ttl=default_ttl@entry=0x7fff3eeb1dec,
>     origin=origin@entry=0x7fff3eeb1df8, prev=prev@entry=0x7fff3eeb1e00, line_nr=line_nr@entry=0x7fff3eeb1e7c) at ./rr.c:774
>         line =
>         endptr = 0x0
>         rr = 0x0
>         ttl = 0
>         tmp =
>         s =
>         size =
> #8  0x00007f07a6c2ab73 in ldns_zone_new_frm_fp_l (z=z@entry=0x7fff3eeb1e80, fp=fp@entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, origin=origin@entry=0x0, ttl=ttl@entry=0, c=c@entry=LDNS_RR_CLASS_IN,
>     line_nr=line_nr@entry=0x7fff3eeb1e7c) at ./zone.c:227
>         newzone = 0x11d6010
>         rr = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
>         my_ttl = 0
>         my_origin = 0x0
>         my_prev = 0x1208b30
>         soa_seen = false
>         s =
>         ret = LDNS_STATUS_MEM_ERR
> #9  0x0000000000401a51 in main (argc=, argv=) at ./examples/ldns-read-zone.c:257
>         filename =
>         fp = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
>         z = 0x7f07a68481a8
>         line_nr = 1
>         c =
>         canonicalize = false
>         sort = false
>         print_soa = true
>         s =
>         i =
>         stripped_list =
>         cur_rr =
>         fmt_storage = {flags = 14, hashmap = 0x0, bitmap = 0x0}
>         show_types = 0x0
>         soa_serial_increment_func = 0x0
>         soa_serial_increment_func_data = 0
>
>
> hope that helps...
>
> Andreas
>
>
>>
>> Best regards,
>>
>> Willem
>>
>>
>> link: https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz
>> sha1: aaef2b485e99a5d0f4a69449e29413b59c0d0ad3
>> asc : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz.asc
>>
>>
>> Changelog
>> =========
>> * Fix lookup of relative names in ldns_resolver_search.
>> * bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
>> * Follow CNAME's when tracing with drill (TODO dnssec trace)
>> * Fix #551 change Regent to Copyright holder in BSD license in
>>   some of the headings of the file, to match the opensource.org
>>   BSD license.
>> * -e option makes ldns-compare-zones exit with status code 2 on
>>   difference
>> * Filter out specified RR types with ldns-read-zone -e and -E options
>> * bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
>> * bugfix #562: ldns-keygen match DSA key maximum size with library.
>>   And check keysizes with all algorithms. Thanks Peter Koch.
>> * ldns-verify-zone accepts only one single zonefile as argument.
>> * bugfix #573: ldns-keygen write private keys with mode 0600.
>>   Thanks Leon Weber
>> * Fix configure to make ldns compile with LibreSSL 2.0
>> * drill now also accepts dig style -y option
>>   (-y <[algo:]name:key> i.s.o. -y )
>> * OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
>> * bugfix #608: Correct comment about escaped characters
>> * CDS and CDNSKEY rr type from RFC 7344.
>>   --enable-rrtype-cds configure option removed
>> * fix: Memory leak in ldns_pkt_rr_list_by_name()
>>   Thanks Johannes Naab
>> * fix: Memory leak in ldns_dname2buffer_wire_compress()
>>   Thanks Max Liebkies
>> * bugfix #613: Allow tab as whitespace too in last rdata field of types
>>   of variable length. Thanks Xiali Yan
>> * bugfix: strip trailing whitespace from $ORIGIN lines in zone files
>> * Let ldns-keygen output .ds files only for KSK keys
>> * Parse RFC7218 TLSA mnemonics, but do not output them
>> * Let ldns-dane use SPKI as the default selector i.s.o. Cert
>> * bugfix: Fit left over NSEC3s once more before adding empty non
>>   terminals. Thanks Stuart Browne
>> * bugfix #605: Determine default trust anchor location at compile time
>>   Thanks Peter Koch
>> * bugfix #697: Double free with ldns-dane create
>>   Thanks Carsten Strotmann
>> * bugfix #623: Do not redefine bool type and boolean values
>>   Thanks Jakob Petsovits
>> * bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
>>   Thanks Shussain
>> * bugfix #575: ldns_pkt_clone() does not copy timestamp field
>>   Thanks Calle Dybedahl
>> * bugfix #584: ldns-update fixes. Send update to port 53, bring manpage
>>   in sync with the usage text, and don't alter the ldns_resolver passed
>>   to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone()
>>   function in the process. Thanks Nicholas Riley.
>> * bugfix #633: ldns_pkt_clone() parameter isn't const.
>>   Thanks Jakob Petsovits
>> * bugfix: ldns-dane manpage correction
>>   Thanks Erwin Lansing
>> * Spelling fixes. Thanks Andreas Schulze
>> * Hyphen used as minus in manpages. Thanks Andreas Schulze.
>> * RFC7553 RR Type URI is supported by default.
>> * Fix ECDSA signature generation, do not omit leading zeroes.
>> * bugfix: Get rid of superfluous newline in ldns-keyfetcher
>>   Thanks Jan-Piet Mens
>> * bugfix: -U option to ldns-signzone to sign with every algorithm
>>   Thanks Guido Kroon
>> * bugfix #725: allow RR-types on the type bitmap window border
>>   Thanks Pieter Lexis
>> * bugfix #726: 2 typos in drill manpage.
>>   Thanks Hugo Lombard
>> * Add type CSYNC support, RFC 7477.
>> * Prepare for ED25519, ED448 support: todo convert* routines in
>>   dnssec.h, once openssl has support for signing with these algorithms.
>>   The dns algorithm number is not yet allocated. These features are
>>   not fully implemented yet, openssl (1.1) does not support the
>>   algorithms enough to generate keys and sign and verify with them.
>> * Fix _answerfrom comment in ldns_struct_pkt.
>> * Fix drill axfr ipv4/ipv6 queries.
>> * Fix comment referring to mk_query in packet.h to pkt_query_new.
>> * Fix description of QR flag in packet.h.
>> * Fix for openssl 1.1.0 API changes.
>> * Remove commented out macro. Thanks Thiago Farina
>> * bugfix #641: Include install-sh in .gitignore
>> * bugfix #825: Module import breaks with newer SWIG versions.
>>   Thanks Christoph Egger
>> * bugfix #796 - #792: Fix miscellaneous compiler warning issues.
>>   Thanks Ngie Cooper
>> * bugfix #769: Add support for :: in an IPv6 address
>>   Thanks Hajimu UMEMOTO
>> * bugfix #760: Detect superfluous text in presentation format
>>   Thanks Xiali Yan
>> * bugfix #708: warnings and errors with xcode 6.1/7.0
>> * bugfix #754: Memory leak in ldns_str2rdf_ipseckey
>>   Thanks Xiali Yan
>> * bugfix #661: Fail NSEC3 signing when NSEC domainname length
>>   would overflow. Thanks Jan-Piet Mens.
>> * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
>>   Thanks Harald Jenny
>> * bugfix #680: ldns fails to reject invalidly formatted
>>   RFC 7553 URI RRs. Thanks Robert Edmonds
>> * bugfix #678: Use poll i.s.o. select to support > 1024 fds
>>   Thanks William King
>> * Use OpenSSL DANE functions for verification (unless explicitly
>>   disabled with --disable-dane-ta-usage).
>> * Bump .so version
>> * Include OPENPGPKEY RR type by default
>> * rdata processing for SMIMEA RR type
>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-crash-in-read-of-TLSA-record.patch
Type: text/x-diff
Size: 1362 bytes
Desc: not available

From: sca at andreasschulze.de (A. Schulze)
Date: Mon, 5 Dec 2016 18:12:23 +0100
Subject: [ldns-users] ldns 1.7.0 rc1
In-Reply-To: <6a5e0d81-582e-ce6c-5dde-f55c73c5c0dd@nlnetlabs.nl>
References: <5329f414-269b-7e96-36f2-d90e03c1e64f@andreasschulze.de> <6a5e0d81-582e-ce6c-5dde-f55c73c5c0dd@nlnetlabs.nl>
Message-ID: <219b19dc-a94f-b129-35be-18591dfdc0cb@andreasschulze.de>

On 05.12.2016 at 09:47, Willem Toorop wrote:
> Fix attached.

Thanks, Willem. I could confirm all works fine now.

But I have to mention I only use ldns-keygen, ldns-read-zone and
ldns-sign-zone.

I have a local modification that enables ldns-keygen to create symlinks
to just-generated keys. The idea is to have stable names for the key
files. Anybody think it is interesting for others too?

Andreas

From: michael at weiser.dinsnail.net (Michael Weiser)
Date: Tue, 13 Dec 2016 00:59:10 +0100
Subject: [ldns-users] Some selective const goodness for tsig
Message-ID: <20161212235910.GF13032@weiser.dinsnail.net>

Hi,

for ddns I need to use tsig. I track all my strings as const char * as
much as possible and find it inelegant to have to write something like
the following, especially since ldns either just stores the pointer and
never free()s it (ldns_tsig_credentials) or strdup()s it internally
(ldns_resolver):

    /* they forgot to const them but they strdup them, so all is well */
    ldns_resolver_set_tsig_algorithm(updres, (char *)algop->theirname);
    ldns_resolver_set_tsig_keyname(updres, (char *)keyname);
    ldns_resolver_set_tsig_keydata(updres, (char *)key);

So I const'ed tsig parameters as much as sensible in the attached patch.
I'd appreciate it if this could be included.

--
Thanks,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Some-selective-const-goodness-for-tsig.patch
Type: text/x-diff
Size: 5943 bytes
Desc: not available
URL:

From: michael at weiser.dinsnail.net (Michael Weiser)
Date: Tue, 13 Dec 2016 00:57:27 +0100
Subject: [ldns-users] Add sha384 and sha512 tsig algorithms
Message-ID: <20161212235727.GE13032@weiser.dinsnail.net>

Hi,

I've been developing a small ddns client with ldns and I'd like to use
sha512 against the ISC bind 9.11.0 named I'm running on the server. So
I've added the respective calls to ldns and all seems to be fine.

Find the patch against branch release-1.7.x attached for your
consideration.

--
Thanks,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-sha384-and-sha512-tsig-algorithms.patch
Type: text/x-diff
Size: 1607 bytes
Desc: not available
URL:

From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 14 Dec 2016 14:46:05 +0100
Subject: [ldns-users] Some selective const goodness for tsig
In-Reply-To: <20161212235910.GF13032@weiser.dinsnail.net>
References: <20161212235910.GF13032@weiser.dinsnail.net>
Message-ID: <0fddc5be-f30d-7818-93f9-4b35722544ea@nlnetlabs.nl>

Thank you Michael,

Both patches applied!

http://git.nlnetlabs.nl/ldns/commit/?h=release-1.7.x&id=8b36efd7
http://git.nlnetlabs.nl/ldns/commit/?h=release-1.7.x&id=3e7b7c11

On 13-12-16 at 00:59, Michael Weiser wrote:
> Hi,
>
> for ddns I need to use tsig. I track all my strings as const char * as
> much as possible and find it inelegant to have to write something like
> the following, especially since ldns either just stores the pointer and
> never free()s it (ldns_tsig_credentials) or strdup()s it internally
> (ldns_resolver):
>
> /* they forgot to const them but they strdup them, so all is well */
> ldns_resolver_set_tsig_algorithm(updres, (char *)algop->theirname);
> ldns_resolver_set_tsig_keyname(updres, (char *)keyname);
> ldns_resolver_set_tsig_keydata(updres, (char *)key);
>
> So I const'ed tsig parameters as much as sensible in the attached patch.
> I'd appreciate it if this could be included.

From: michael at weiser.dinsnail.net (Michael Weiser)
Date: Wed, 14 Dec 2016 21:20:58 +0100
Subject: [ldns-users] Some selective const goodness for tsig
In-Reply-To: <0fddc5be-f30d-7818-93f9-4b35722544ea@nlnetlabs.nl>
References: <20161212235910.GF13032@weiser.dinsnail.net> <0fddc5be-f30d-7818-93f9-4b35722544ea@nlnetlabs.nl>
Message-ID: <20161214202058.GA20129@weiser.dinsnail.net>

Hi Willem,

On Wed, Dec 14, 2016 at 02:46:05PM +0100, Willem Toorop wrote:
> Thank you Michael,
> Both patches applied!

Thank you, and sorry for the fallout it created. It appears I forgot
--with-examples when testing, or I would have caught it.

--
Sorry and thanks again,
Michael

From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 15 Dec 2016 17:54:29 +0100
Subject: [ldns-users] ldns 1.7.0 rc3
In-Reply-To:
References:
Message-ID:

Dear maintainers,

There are still some minor pending issues with the release candidate
that need to be resolved before release. These involve detection of GOST
support in newer OpenSSLs and an issue with how the language bindings
deal with variables that have become const. Because of this, the actual
release date is postponed and will be Tuesday, the 20th of December.

In the meantime I have attached a third release candidate that contains
all the issues that have been resolved since the first candidate. This
includes a crash bug when reading TLSA in presentation format, and
incorrect detection of DSA support with OpenSSL >= 1.1.0.

Best regards,
Willem

link: https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc3.tar.gz
sha1: aaea9435026ff37df3ef148bff777904027256d8
asc : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc3.tar.gz.asc

Changelog
=========
* Fix lookup of relative names in ldns_resolver_search.
* bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
* Follow CNAME's when tracing with drill (TODO dnssec trace)
* Fix #551 change Regent to Copyright holder in BSD license in some of
  the headings of the file, to match the opensource.org BSD license.
* -e option makes ldns-compare-zones exit with status code 2 on difference
* Filter out specified RR types with ldns-read-zone -e and -E options
* bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
* bugfix #562: ldns-keygen match DSA key maximum size with library.
  And check keysizes with all algorithms. Thanks Peter Koch.
* ldns-verify-zone accepts only one single zonefile as argument.
* bugfix #573: ldns-keygen write private keys with mode 0600.
  Thanks Leon Weber
* Fix configure to make ldns compile with LibreSSL 2.0
* drill now also accepts dig style -y option (-y <[algo:]name:key> i.s.o. -y )
* OPENPGPKEY draft rr types.
  Enable with: --enable-rrtype-openpgpkey
* bugfix #608: Correct comment about escaped characters
* CDS and CDNSKEY rr type from RFC 7344.
  --enable-rrtype-cds configure option removed
* fix: Memory leak in ldns_pkt_rr_list_by_name()
  Thanks Johannes Naab
* fix: Memory leak in ldns_dname2buffer_wire_compress()
  Thanks Max Liebkies
* bugfix #613: Allow tab as whitespace too in last rdata field of types
  of variable length. Thanks Xiali Yan
* bugfix: strip trailing whitespace from $ORIGIN lines in zone files
* Let ldns-keygen output .ds files only for KSK keys
* Parse RFC7218 TLSA mnemonics, but do not output them
* Let ldns-dane use SPKI as the default selector i.s.o. Cert
* bugfix: Fit left over NSEC3s once more before adding empty non terminals.
  Thanks Stuart Browne
* bugfix #605: Determine default trust anchor location at compile time
  Thanks Peter Koch
* bugfix #697: Double free with ldns-dane create
  Thanks Carsten Strotmann
* bugfix #623: Do not redefine bool type and boolean values
  Thanks Jakob Petsovits
* bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
  Thanks Shussain
* bugfix #575: ldns_pkt_clone() does not copy timestamp field
  Thanks Calle Dybedahl
* bugfix #584: ldns-update fixes. Send update to port 53, bring manpage
  in sync with the usage text, and don't alter the ldns_resolver passed
  to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone()
  function in the process. Thanks Nicholas Riley.
* bugfix #633: ldns_pkt_clone() parameter isn't const.
  Thanks Jakop Petsovits
* bugfix: ldns-dane manpage correction
  Thanks Erwin Lansing
* Spelling fixes. Thanks Andreas Schulze
* Hyphen used as minus in manpages. Thanks Andreas Schulze.
* RFC7553 RR Type URI is supported by default.
* Fix ECDSA signature generation, do not omit leading zeroes.
* bugfix: Get rid of superfluous newline in ldns-keyfetcher
  Thanks Jan-Piet Mens
* bugfix: -U option to ldns-signzone to sign with every algorithm
  Thanks Guido Kroon
* const function parameters whenever possible. Thanks Ray Bellis
* bugfix #725: allow RR-types on the type bitmap window border
  Thanks Pieter Lexis
* bugfix #726: 2 typos in drill manpage.
  Thanks Hugo Lombard
* Add type CSYNC support, RFC 7477.
* Prepare for ED25519, ED448 support: todo convert* routines in
  dnssec.h, once openssl has support for signing with these algorithms.
  The dns algorithm number is not yet allocated. These features are
  not fully implemented yet, openssl (1.1) does not support the
  algorithms enough to generate keys and sign and verify with them.
* Fix _answerfrom comment in ldns_struct_pkt.
* Fix drill axfr ipv4/ipv6 queries.
* Fix comment referring to mk_query in packet.h to pkt_query_new.
* Fix description of QR flag in packet.h.
* Fix for openssl 1.1.0 API changes.
* Remove commented out macro. Thanks Thiago Farina
* bugfix #641: Include install-sh in .gitignore
* bugfix #825: Module import breaks with newer SWIG versions.
  Thanks Christoph Egger
* bugfix #796 - #792: Fix miscellaneous compiler warning issues.
  Thanks Ngie Cooper
* bugfix #769: Add support for :: in an IPv6 address
  Thanks Hajimu UMEMOTO
* bugfix #760: Detect superfluous text in presentation format
  Thanks Xiali Yan
* bugfix #708: warnings and errors with xcode 6.1/7.0
* bugfix #754: Memory leak in ldns_str2rdf_ipseckey
  Thanks Xiali Yan
* bugfix #661: Fail NSEC3 signing when NSEC domainname length
  would overflow. Thanks Jan-Piet Mens.
* bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
  Thanks Harald Jenny
* bugfix #680: ldns fails to reject invalidly formatted
  RFC 7553 URI RRs. Thanks Robert Edmonds
* bugfix #678: Use poll i.s.o. select to support > 1024 fds
  Thanks William King
* Use OpenSSL DANE functions for verification (unless explicitly
  disabled with --disable-dane-ta-usage).
* Bump .so version
* Include OPENPGPKEY RR type by default
* rdata processing for SMIMEA RR type
* Fix crash in displaying TLSA RR's. Thanks Andreas Schulze
* Update ldns-key2ds man page to mention GOST and SHA384 hash functions.
  Thanks Harald Jenny
* Add sha384 and sha512 tsig algorithm. Thanks Michael Weiser
* Clarify data ownership with consts for tsig parameters.
  Thanks Michael Weiser
* bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 829 bytes
Desc: OpenPGP digital signature
URL:

From: michael at weiser.dinsnail.net (Michael Weiser)
Date: Sun, 18 Dec 2016 18:51:48 +0100
Subject: [ldns-users] ldns 1.7.0 rc3
In-Reply-To:
References:
Message-ID: <20161218175148.GA24087@weiser.dinsnail.net>

Hi Willem,

On Thu, Dec 15, 2016 at 05:54:29PM +0100, Willem Toorop wrote:

> GOST support in newer OpenSSLs and an issue with how the language
> bindings deal with variables that have become const.

Since I was the one who created it, I today had a look at the
python-const situation. I get two sets of warnings:

1. ldns_tsig_credentials_struct:

ldns/tsig.h:28: Warning 451: Setting a const char * variable may leak memory.
ldns/tsig.h:29: Warning 451: Setting a const char * variable may leak memory.
ldns/tsig.h:30: Warning 451: Setting a const char * variable may leak memory.

These are from wrapping ldns_tsig_credentials_struct into a python
object. From what I understand it boils down to the fact that swig
doesn't dare free() the old value when setting a new one but also
doesn't dare not strdup()ing the new value.

This can be silenced by something like this:

--- a/contrib/python/ldns.i
+++ b/contrib/python/ldns.i
@@ -126,6 +126,9 @@ uint32_t ldns_read_timeval_usec(struct timeval* t) {
 %immutable ldns_struct_rr_descriptor::_name;
 %immutable ldns_error_str;
 %immutable ldns_signing_algorithms;
+%immutable ldns_tsig_credentials_struct::algorithm;
+%immutable ldns_tsig_credentials_struct::keyname;
+%immutable ldns_tsig_credentials_struct::keydata;
 
 //*_new_frm_fp_l
 %apply int *OUTPUT { (int *line_nr) };

This turns ldns_tsig_credentials_struct read-only (no setter methods are
created) and in consequence most likely totally useless as a python
object. It could be used to safely interface to a bit of C code though
that initialised its own ldns_tsig_credentials_struct any odd way and
use the contents from python, if (I don't know how) this initialised
struct can be turned into a python object.

Alternatively a swig typemap could be written that either passes the
literal pointers around not caring about duplicating them or basically
ignores the const and restores behaviour of free()ing the values when
new ones are set. If the python binding is meant only ever to be used
*from* python, both solutions should be fine. But if someone wanted to
use it to interact with a bit of C code that might have done anything
to ldns_tsig_credentials_struct previously, it creates exactly the same
dilemma swig is telling us about with this warning.

The clean way[tm] would then be to make the object opaque to C users as
well and have _init, _free and _set functions comparable to
ldns_resolver and other ldns objects.

Which begs the question I have been asking myself on the level of C
programming as well: What *is* ldns_tsig_credentials_struct actually
good for other than keeping those three parameters neatly together in
the user application? Are there actually any known users other than
examples/ldns-update.c? I'd expect most user applications to elect to
handle those parameters their own way anyway, leaving only potential for
confusion and boilerplate code...
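Review bot: The three added %immutable lines silence Warning 451 only by removing the Python setters for algorithm, keyname and keydata; they do not settle who owns those strings, so an ldns_tsig_credentials_struct created from Python can never be populated (the message itself calls the object "most likely totally useless" as a result), and a struct initialised in C still leaves the C side responsible for keeping and freeing the buffers. That limitation belongs in a comment next to these lines in contrib/python/ldns.i, naming the one supported use (read-only access to a struct filled in by C), so that nobody later restores setters without the typemap the message mentions, which would bring back the free()/strdup() dilemma swig is warning about.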
So I have to ask: Might it be the simplest fix to simply drop the whole
concept? Suggested patch attached.

Or was the usage of ldns_tsig_credentials_struct supposed to be extended
to pass all three parameters to ldns in one go?

2. resolver:

./contrib/python/ldns_wrapper.c: In function '_ldns_resolver_tsig_algorithm':
./contrib/python/ldns_wrapper.c:3609:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
     str = ldns_resolver_tsig_algorithm(res);
         ^
./contrib/python/ldns_wrapper.c: In function '_ldns_resolver_tsig_keydata':
./contrib/python/ldns_wrapper.c:3669:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
     str = ldns_resolver_tsig_keydata(res);
         ^
./contrib/python/ldns_wrapper.c: In function '_ldns_resolver_tsig_keyname':
./contrib/python/ldns_wrapper.c:3680:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
     str = ldns_resolver_tsig_keyname(res);

Those can easily be fixed like this, it seems:

diff --git a/contrib/python/ldns_resolver.i b/contrib/python/ldns_resolver.i
index b926e65a..7081ec36 100644
--- a/contrib/python/ldns_resolver.i
+++ b/contrib/python/ldns_resolver.i
@@ -113,9 +113,9 @@
 %rename(__ldns_resolver_tsig_algorithm) ldns_resolver_tsig_algorithm;
 %inline
 %{
-  char * _ldns_resolver_tsig_algorithm(const ldns_resolver *res)
+  const char * _ldns_resolver_tsig_algorithm(const ldns_resolver *res)
   {
-    char *str;
+    const char *str;
     str = ldns_resolver_tsig_algorithm(res);
     if (str != NULL) {
       str = strdup(str);

(full patch attached).

I hope this is helpful, if only perhaps as a second opinion. :)

--
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-const-warnings-for-tsig-parameters.patch
Type: text/x-diff
Size: 1817 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Make-ldns_tsig_credentials_struct-read-only-for-pyth.patch
Type: text/x-diff
Size: 859 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Drop-ldns_tsig_credentials.patch
Type: text/x-diff
Size: 8953 bytes
Desc: not available
URL:

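Review bot: Making _ldns_resolver_tsig_algorithm return const char * removes the compiler warning but hides that the value handed back is a strdup() copy (the unchanged context line "str = strdup(str);" shows the copy is still made), so whoever consumes the wrapper's result must still free it, while the signature now reads as a borrowed pointer and free() needs the const cast away. Prefer keeping the wrapper's return type as char * and const-qualifying only the value read from ldns, along the lines of "const char *val = ldns_resolver_tsig_algorithm(res); return val ? strdup(val) : NULL;", so the ownership transfer stays visible in the signature. The same point applies to the _ldns_resolver_tsig_keydata and _ldns_resolver_tsig_keyname wrappers named in the warnings above.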
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 19 Dec 2016 14:40:30 +0100
Subject: [ldns-users] ldns 1.7.0 rc3
In-Reply-To: <20161218175148.GA24087@weiser.dinsnail.net>
References: <20161218175148.GA24087@weiser.dinsnail.net>
Message-ID: <3e44989c-8233-40d5-b7dd-f6da7ca34f48@nlnetlabs.nl>

Thank you Michael,

That the ldns_tsig_credentials type is not actually used in any function
of the API (besides the access and clone functions) is indeed a bit
peculiar. I do not know what the intention was originally, but they have
been exposed in earlier releases and they don't do any harm either, so
I'd rather not remove them.

I've applied your patches to update the python bindings, and did the
perl bindings myself.

Cheers,
-- Willem

On 18-12-16 at 18:51, Michael Weiser wrote:
> Hi Willem,
>
> On Thu, Dec 15, 2016 at 05:54:29PM +0100, Willem Toorop wrote:
>
>> GOST support in newer OpenSSLs and an issue with how the language
>> bindings deal with variables that have become const.
>
> Since I was the one who created it, I today had a look at the
> python-const situation. I get two sets of warnings:
>
> 1. ldns_tsig_credentials_struct:
>
> ldns/tsig.h:28: Warning 451: Setting a const char * variable may leak memory.
> ldns/tsig.h:29: Warning 451: Setting a const char * variable may leak memory.
> ldns/tsig.h:30: Warning 451: Setting a const char * variable may leak memory.
>
> These are from wrapping ldns_tsig_credentials_struct into a python
> object. From what I understand it boils down to the fact that swig
> doesn't dare free() the old value when setting a new one but also
> doesn't dare not strdup()ing the new value.
>
> This can be silenced by something like this:
>
> --- a/contrib/python/ldns.i
> +++ b/contrib/python/ldns.i
> @@ -126,6 +126,9 @@ uint32_t ldns_read_timeval_usec(struct timeval* t) {
>  %immutable ldns_struct_rr_descriptor::_name;
>  %immutable ldns_error_str;
>  %immutable ldns_signing_algorithms;
> +%immutable ldns_tsig_credentials_struct::algorithm;
> +%immutable ldns_tsig_credentials_struct::keyname;
> +%immutable ldns_tsig_credentials_struct::keydata;
>
>  //*_new_frm_fp_l
>  %apply int *OUTPUT { (int *line_nr) };
>
> This turns ldns_tsig_credentials_struct read-only (no setter methods are
> created) and in consequence most likely totally useless as a python
> object. It could be used to safely interface to a bit of C code though
> that initialised its own ldns_tsig_credentials_struct any odd way and
> use the contents from python, if (I don't know how) this initialised
> struct can be turned into a python object.
>
> Alternatively a swig typemap could be written that either passes the
> literal pointers around not caring about duplicating them or basically
> ignores the const and restores behaviour of free()ing the values when
> new ones are set. If the python binding is meant only ever to be used
> *from* python, both solutions should be fine. But if someone wanted to
> use it to interact with a bit of C code that might have done anything
> to ldns_tsig_credentials_struct previously, it creates exactly the same
> dilemma swig is telling us about with this warning.
>
> The clean way[tm] would then be to make the object opaque to C users as
> well and have _init, _free and _set functions comparable to
> ldns_resolver and other ldns objects.
>
> Which begs the question I have been asking myself on the level of C
> programming as well: What *is* ldns_tsig_credentials_struct actually
> good for other than keeping those three parameters neatly together in
> the user application? Are there actually any known users other than
> examples/ldns-update.c?
> I'd expect most user applications to elect to
> handle those parameters their own way anyway, leaving only potential for
> confusion and boilerplate code...
>
> So I have to ask: Might it be the simplest fix to simply drop the whole
> concept? Suggested patch attached.
>
> Or was the usage of ldns_tsig_credentials_struct supposed to be extended
> to pass all three parameters to ldns in one go?
>
> 2. resolver:
>
> ./contrib/python/ldns_wrapper.c: In function '_ldns_resolver_tsig_algorithm':
> ./contrib/python/ldns_wrapper.c:3609:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>      str = ldns_resolver_tsig_algorithm(res);
>          ^
> ./contrib/python/ldns_wrapper.c: In function '_ldns_resolver_tsig_keydata':
> ./contrib/python/ldns_wrapper.c:3669:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>      str = ldns_resolver_tsig_keydata(res);
>          ^
> ./contrib/python/ldns_wrapper.c: In function '_ldns_resolver_tsig_keyname':
> ./contrib/python/ldns_wrapper.c:3680:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>      str = ldns_resolver_tsig_keyname(res);
>
> Those can easily be fixed like this, it seems:
>
> diff --git a/contrib/python/ldns_resolver.i b/contrib/python/ldns_resolver.i
> index b926e65a..7081ec36 100644
> --- a/contrib/python/ldns_resolver.i
> +++ b/contrib/python/ldns_resolver.i
> @@ -113,9 +113,9 @@
>  %rename(__ldns_resolver_tsig_algorithm) ldns_resolver_tsig_algorithm;
>  %inline
>  %{
> -  char * _ldns_resolver_tsig_algorithm(const ldns_resolver *res)
> +  const char * _ldns_resolver_tsig_algorithm(const ldns_resolver *res)
>    {
> -    char *str;
> +    const char *str;
>      str = ldns_resolver_tsig_algorithm(res);
>      if (str != NULL) {
>        str = strdup(str);
>
> (full patch attached).
>
> I hope this is helpful, if only perhaps as a second opinion. :)
>

From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 20 Dec 2016 12:23:08 +0100
Subject: [ldns-users] ldns 1.7.0 released
Message-ID: <8d1e04f3-d6b6-8070-d584-c016b97debae@nlnetlabs.nl>

Dear maintainers and users of ldns software,

I am pleased to announce that version 1.7.0 of ldns is now available.

This is primarily a bugfix and maintenance release. For a list of fixed
bugs and maintenance work see the Changelog below.

The most prominent changes of this release are related to DANE
verification and OpenSSL 1.1.0 support.

Verification of TLSA RRs with the DANE-TA usage type in previous versions
of ldns had issues. Also, the DANE verify functions that ldns exposes do
not provide means to address End Entity name verification. Therefore we
strongly recommend to use the DANE verification functions provided by
OpenSSL >= 1.1.0 instead.

ldns has been adapted to deal with this situation as follows:

All ldns DANE verification functions will be mapped directly to
OpenSSL's >= 1.1.0 DANE verification functions. The ldns-dane example
tool will use OpenSSL >= 1.1.0 DANE functions directly when available.
configure will fail when OpenSSL >= 1.1.0 is not available.

To compile ldns linked with an older version of OpenSSL or with
LibreSSL, one has to either

- disable the DANE verification functions with the --disable-dane-verify
  configure option (the functions to create TLSA RR's will still be
  available), or

- disable verification of DANE-TA usage type with the
  --disable-dane-ta-usage configure option. In this last case,
  ldns_dane_verify() will return an
  LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA error code when the
  only TLSA RR's that matched the certificate were of the DANE-TA usage
  type.

GOST support in OpenSSL >= 1.1.0 is now only available through a
separate engine that has to be installed (see:
https://github.com/gost-engine/engine/wiki ).
ldns configure only includes support for GOST when available; however,
with OpenSSL >= 1.1.0, GOST support might not be available but might
become available later when a GOST engine is installed and configured.
Use the --enable-gost-anyway option to configure to build ldns with
OpenSSL >= 1.1.0 *and* GOST support, even when it is not available at
compile time.

Because ldns will potentially have a different set of function
prototypes or supported algorithms (for example when compiled with
--disable-dane-verify, or without GOST support) and because of ABI
breakage in earlier versions, the .so version of this release of ldns is
bumped. From now on .so versions will no longer follow ldns's own
version number, but will be based on libtool's version information
scheme that we also practice with libunbound and libgetdns.

I hope this release will be useful for you and that you will keep us
informed of your experiences.

Best regards,
Willem

link  : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0.tar.gz
sha256: c19f5b1b4fb374cfe34f4845ea11b1e0551ddc67803bd6ddd5d2a20f0997a6cc
asc   : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0.tar.gz.asc

Changelog:
==========
* Fix lookup of relative names in ldns_resolver_search.
* bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
* Follow CNAME's when tracing with drill (TODO dnssec trace)
* Fix #551 change Regent to Copyright holder in BSD license in some of
  the headings of the file, to match the opensource.org BSD license.
* -e option makes ldns-compare-zones exit with status code 2 on difference
* Filter out specified RR types with ldns-read-zone -e and -E options
* bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
* bugfix #562: ldns-keygen match DSA key maximum size with library.
  And check keysizes with all algorithms. Thanks Peter Koch.
* ldns-verify-zone accepts only one single zonefile as argument.
* bugfix #573: ldns-keygen write private keys with mode 0600.
  Thanks Leon Weber
* Fix configure to make ldns compile with LibreSSL 2.0
* drill now also accepts dig style -y option (-y <[algo:]name:key> i.s.o. -y )
* OPENPGPKEY draft rr types.
  Enable with: --enable-rrtype-openpgpkey
* bugfix #608: Correct comment about escaped characters
* CDS and CDNSKEY rr type from RFC 7344.
  --enable-rrtype-cds configure option removed
* fix: Memory leak in ldns_pkt_rr_list_by_name()
  Thanks Johannes Naab
* fix: Memory leak in ldns_dname2buffer_wire_compress()
  Thanks Max Liebkies
* bugfix #613: Allow tab as whitespace too in last rdata field of types
  of variable length. Thanks Xiali Yan
* bugfix: strip trailing whitespace from $ORIGIN lines in zone files
* Let ldns-keygen output .ds files only for KSK keys
* Parse RFC7218 TLSA mnemonics, but do not output them
* Let ldns-dane use SPKI as the default selector i.s.o. Cert
* bugfix: Fit left over NSEC3s once more before adding empty non terminals.
  Thanks Stuart Browne
* bugfix #605: Determine default trust anchor location at compile time
  Thanks Peter Koch
* bugfix #697: Double free with ldns-dane create
  Thanks Carsten Strotmann
* bugfix #623: Do not redefine bool type and boolean values
  Thanks Jakob Petsovits
* bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
  Thanks Shussain
* bugfix #575: ldns_pkt_clone() does not copy timestamp field
  Thanks Calle Dybedahl
* bugfix #584: ldns-update fixes. Send update to port 53, bring manpage
  in sync with the usage text, and don't alter the ldns_resolver passed
  to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone()
  function in the process. Thanks Nicholas Riley.
* bugfix #633: ldns_pkt_clone() parameter isn't const.
  Thanks Jakop Petsovits
* bugfix: ldns-dane manpage correction
  Thanks Erwin Lansing
* Spelling fixes. Thanks Andreas Schulze
* Hyphen used as minus in manpages. Thanks Andreas Schulze.
* RFC7553 RR Type URI is supported by default.
* Fix ECDSA signature generation, do not omit leading zeroes.
* bugfix: Get rid of superfluous newline in ldns-keyfetcher
  Thanks Jan-Piet Mens
* bugfix: -U option to ldns-signzone to sign with every algorithm
  Thanks Guido Kroon
* const function parameters whenever possible. Thanks Ray Bellis
* bugfix #725: allow RR-types on the type bitmap window border
  Thanks Pieter Lexis
* bugfix #726: 2 typos in drill manpage.
  Thanks Hugo Lombard
* Add type CSYNC support, RFC 7477.
* Prepare for ED25519, ED448 support: todo convert* routines in
  dnssec.h, once openssl has support for signing with these algorithms.
  The dns algorithm number is not yet allocated. These features are
  not fully implemented yet, openssl (1.1) does not support the
  algorithms enough to generate keys and sign and verify with them.
* Fix _answerfrom comment in ldns_struct_pkt.
* Fix drill axfr ipv4/ipv6 queries.
* Fix comment referring to mk_query in packet.h to pkt_query_new.
* Fix description of QR flag in packet.h.
* Fix for openssl 1.1.0 API changes.
* Remove commented out macro. Thanks Thiago Farina
* bugfix #641: Include install-sh in .gitignore
* bugfix #825: Module import breaks with newer SWIG versions.
  Thanks Christoph Egger
* bugfix #796 - #792: Fix miscellaneous compiler warning issues.
  Thanks Ngie Cooper
* bugfix #769: Add support for :: in an IPv6 address
  Thanks Hajimu UMEMOTO
* bugfix #760: Detect superfluous text in presentation format
  Thanks Xiali Yan
* bugfix #708: warnings and errors with xcode 6.1/7.0
* bugfix #754: Memory leak in ldns_str2rdf_ipseckey
  Thanks Xiali Yan
* bugfix #661: Fail NSEC3 signing when NSEC domainname length
  would overflow. Thanks Jan-Piet Mens.
* bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
  Thanks Harald Jenny
* bugfix #680: ldns fails to reject invalidly formatted
  RFC 7553 URI RRs. Thanks Robert Edmonds
* bugfix #678: Use poll i.s.o. select to support > 1024 fds
  Thanks William King
* Use OpenSSL DANE functions for verification (unless explicitly
  disabled with --disable-dane-ta-usage).
* Bump .so version
* Include OPENPGPKEY RR type by default
* rdata processing for SMIMEA RR type
* Fix crash in displaying TLSA RR's. Thanks Andreas Schulze
* Update ldns-key2ds man page to mention GOST and SHA384 hash functions.
  Thanks Harald Jenny
* Add sha384 and sha512 tsig algorithm. Thanks Michael Weiser
* Clarify data ownership with consts for tsig parameters.
  Thanks Michael Weiser
* bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0
* bugfix #1160: Provide sha256 for release tarballs
* --enable-gost-anyway compiles GOST support with OpenSSL >= 1.1.0 even
  when the GOST engine is not available.
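The "Clarify data ownership with consts for tsig parameters" item above comes out of the thread between Michael Weiser and Willem Toorop: ldns_tsig_credentials only stores the caller's pointers and never frees them, while ldns_resolver strdup()s its own copies, and before the patch both took non-const char * so callers holding const strings had to cast. The program below is an added example written for this page, not ldns code, that shows the two conventions side by side with const used to document ownership; the names tsig_creds, tsig_ctx, replace_copy and tsig_ownership_demo are hypothetical stand-ins, and every string value is constructed.

```c
/* Added example (not ldns code): two ownership conventions for TSIG
 * parameters, modelled on the ldns_tsig_credentials (borrow) versus
 * ldns_resolver (copy) split discussed on the list. All type and function
 * names here are hypothetical stand-ins for the ldns API. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Borrowing convention: the struct only points at buffers the caller owns.
 * const char * documents that the library neither modifies nor frees them,
 * so a caller holding const strings needs no cast. */
typedef struct {
    const char *algorithm;
    const char *keyname;
    const char *keydata;
} tsig_creds;

static void tsig_creds_set(tsig_creds *c, const char *algorithm,
                           const char *keyname, const char *keydata)
{
    c->algorithm = algorithm;   /* no copy: the caller keeps ownership */
    c->keyname   = keyname;
    c->keydata   = keydata;
}

/* Owning convention: setters accept const char * but keep a private copy.
 * The fields stay char * because the object frees them; that free-on-reset
 * step is exactly what a wrapper generator cannot infer for a const char *
 * field (SWIG's Warning 451 quoted in the thread). */
typedef struct {
    char *algorithm;
    char *keyname;
    char *keydata;
} tsig_ctx;

/* Replace *slot with a copy of value (NULL clears it), freeing the old
 * copy. Returns 0 on success; on allocation failure the old value stays. */
static int replace_copy(char **slot, const char *value)
{
    char *copy = NULL;
    if (value != NULL && (copy = strdup(value)) == NULL)
        return -1;
    free(*slot);
    *slot = copy;
    return 0;
}

int tsig_ctx_set_algorithm(tsig_ctx *r, const char *v) { return replace_copy(&r->algorithm, v); }
int tsig_ctx_set_keyname(tsig_ctx *r, const char *v)   { return replace_copy(&r->keyname, v); }
int tsig_ctx_set_keydata(tsig_ctx *r, const char *v)   { return replace_copy(&r->keydata, v); }

/* Getter returns const char *: the object still owns the string, so the
 * caller must not free it and must copy it to outlive the context. */
const char *tsig_ctx_keyname(const tsig_ctx *r) { return r->keyname; }

void tsig_ctx_free(tsig_ctx *r)
{
    free(r->algorithm);
    free(r->keyname);
    free(r->keydata);
    r->algorithm = r->keyname = r->keydata = NULL;
}

/* Exercise both conventions on constructed values; returns 0 when every
 * ownership property holds, -1 otherwise. */
int tsig_ownership_demo(void)
{
    const char *algo = "hmac-sha512.";               /* constructed */
    char *keyname = strdup("ddns-key.example.");     /* caller-owned buffer */
    tsig_creds creds;
    tsig_ctx ctx = { NULL, NULL, NULL };
    int ok = keyname != NULL;

    if (!ok)
        return -1;

    /* Borrowed: the struct hands back the very same pointer, so the
     * creds must not outlive keyname. */
    tsig_creds_set(&creds, algo, keyname, "c2VjcmV0");   /* constructed */
    ok = ok && creds.keyname == keyname;

    /* Owned: a distinct buffer holding equal contents. */
    ok = ok && tsig_ctx_set_algorithm(&ctx, algo) == 0;
    ok = ok && tsig_ctx_set_keyname(&ctx, keyname) == 0;
    ok = ok && tsig_ctx_keyname(&ctx) != keyname;
    ok = ok && strcmp(tsig_ctx_keyname(&ctx), keyname) == 0;

    /* The caller may release its buffer; the context is unaffected. */
    free(keyname);
    ok = ok && strcmp(tsig_ctx_keyname(&ctx), "ddns-key.example.") == 0;

    /* Resetting replaces (and frees) the old copy instead of leaking it. */
    ok = ok && tsig_ctx_set_keyname(&ctx, "other-key.example.") == 0;
    ok = ok && strcmp(tsig_ctx_keyname(&ctx), "other-key.example.") == 0;

    tsig_ctx_free(&ctx);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = tsig_ownership_demo();
    printf("tsig ownership demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The point of the const on both setters is the one Michael's message makes: it tells the caller what the callee does with the pointer, which is the information a binding generator also needs. With the borrowing struct the caller stays responsible for the buffer's lifetime; with the owning context the setter's free-on-reset is what keeps repeated sets from leaking, and the const getter signals that the returned pointer is not the caller's to free.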