[ldns-users] ldns 1.7.0 rc1

A. Schulze sca at andreasschulze.de
Sat Dec 3 20:28:18 UTC 2016



On 01.12.2016 at 13:58, Willem Toorop wrote:
> Dear users of ldns,
> 
> We have a release candidate for ldns 1.7.0
> 
> This is primarily a bugfix and maintenance release.  For a list of
> fixed bugs and maintenance work see the Changelog below.
> 
> The most prominent change of this release is related to DANE
> verification.  We received a report that verification of the DANE-TA
> usage type has issues.  Also, the function prototypes that ldns exposes
> do not provide means to address End Entity name verification.  Therefore
> we strongly recommend to use the DANE verification functions provided by
> OpenSSL >= 1.1.0 instead.
> 
> ldns has been adapted to deal with the situation as follows:
> All ldns DANE verification functions will be mapped directly to
> OpenSSL's >= 1.1.0 DANE verification functions.
> 
> The ldns-dane example tool will use OpenSSL >= 1.1.0 DANE functions
> directly when available.
> 
> configure will fail when OpenSSL >= 1.1.0 is not available.
> 
> To compile ldns linked with an older version of OpenSSL or with
> LibreSSL, one has to either
> 
>   - disable the DANE verification functions with the
>     --disable-dane-verify configure option
>     (the functions to create TLSA RR's will still be available), or
> 
>   - disable verification of DANE-TA usage type with the
>     --disable-dane-ta-usage configure option.
> 
>     In this last case, ldns_dane_verify() will return an
>     LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA error code when
>     the only TLSA RR's that matched the certificate were of the
>     DANE-TA usage type.
> 
> Please let us know if you want us to deal with this differently.
> 
> Because ldns will potentially have a different set of function
> prototypes (for example when compiled with --disable-dane-verify) and
> because of ABI breakage in earlier versions, the .so version of this
> release of ldns is bumped.  From now on .so versions will no longer
> follow ldns's own version number, but will be based on libtool's version
> information scheme that we also practice with libunbound and libgetdns.
> 
> Please review this release candidate carefully and let us know if
> anything is wrong.  If all is well, the actual release will follow
> Thursday the 15th of December 2016.

Hello Willem,

ldns-read-zone dumps core on TLSA records.

# ulimit -c unlimited

# echo '_443._tcp.example.local. TLSA 3 1 1 0815...' | /usr/bin/ldns-read-zone 
Segmentation fault (core dumped)

# gdb /usr/bin/ldns-read-zone /var/core/ldns-read-zone_running_as_pid_11264_got_signal_11
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ldns-read-zone...Reading symbols from /usr/lib/debug//usr/bin/ldns-read-zone...done.
done.
[New LWP 11264]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ldns-read-zone'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt full
#0  0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00007f07a6c29175 in ldns_lookup_by_name (table=0x7f07a6e43890 <completed>, table at entry=0x7f07a6e43840 <ldns_tlsa_certificate_usages>, name=name at entry=0x11e8a50 "3") at ./util.c:33
No locals.
#2  0x00007f07a6c25114 in ldns_str2rdf_mnemonic4int8 (lt=lt at entry=0x7f07a6e43840 <ldns_tlsa_certificate_usages>, rd=rd at entry=0x7fff3eeb1c50, str=0x11e8a50 "3") at ./str2host.c:805
No locals.
#3  0x00007f07a6c25dd2 in ldns_str2rdf_certificate_usage (rd=rd at entry=0x7fff3eeb1c50, str=<optimized out>) at ./str2host.c:828
No locals.
#4  0x00007f07a6c1b868 in ldns_rdf_new_frm_str (type=LDNS_RDF_TYPE_CERTIFICATE_USAGE, str=str at entry=0x11e8a50 "3") at ./rdata.c:355
        rdf = <optimized out>
        status = <optimized out>
#5  0x00007f07a6c20dcb in ldns_rr_new_frm_str_internal (newrr=0x7fff3eeb1d70, str=str at entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl at entry=0, origin=0x0, 
    prev=<optimized out>, question=question at entry=false) at ./rr.c:586
        new = 0x11d8850
        desc = 0x7f07a6e41080 <rdata_field_descriptors+2496>
        rr_type = LDNS_RR_TYPE_TLSA
        rr_buf = 0x11e89f0
        rd_buf = <optimized out>
        ttl_val = 0
        owner = 0x0
        ttl = 0x0
        clas_val = <optimized out>
        clas = 0x0
        type = 0x0
        rdata = 0x11d89e0 "3 1 1 0815"
        rd = <optimized out>
        xtok = 0x11f8a60 ""
        rd_strlen = <optimized out>
        delimiters = <optimized out>
        c = <optimized out>
        owner_dname = <optimized out>
        endptr = 0x11d89a0 ""
        was_unknown_rr_format = 0
        status = <optimized out>
        done = false
        quoted = <optimized out>
        r = <optimized out>
        r_cnt = 0
        r_min = 4
        r_max = 4
        hex_data_size = <optimized out>
        hex_data_str = 0x0
        cur_hex_data_size = <optimized out>
        hex_pos = 0
        hex_data = 0x0
#6  0x00007f07a6c215e8 in ldns_rr_new_frm_str (newrr=<optimized out>, str=str at entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl at entry=0, origin=<optimized out>, 
    prev=<optimized out>) at ./rr.c:663
No locals.
#7  0x00007f07a6c2172b in ldns_rr_new_frm_fp_l (newrr=newrr at entry=0x7fff3eeb1df0, fp=fp at entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, default_ttl=default_ttl at entry=0x7fff3eeb1dec, 
    origin=origin at entry=0x7fff3eeb1df8, prev=prev at entry=0x7fff3eeb1e00, line_nr=line_nr at entry=0x7fff3eeb1e7c) at ./rr.c:774
        line = <optimized out>
        endptr = 0x0
        rr = 0x0
        ttl = 0
        tmp = <optimized out>
        s = <optimized out>
        size = <optimized out>
#8  0x00007f07a6c2ab73 in ldns_zone_new_frm_fp_l (z=z at entry=0x7fff3eeb1e80, fp=fp at entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, origin=origin at entry=0x0, ttl=ttl at entry=0, c=c at entry=LDNS_RR_CLASS_IN, 
    line_nr=line_nr at entry=0x7fff3eeb1e7c) at ./zone.c:227
        newzone = 0x11d6010
        rr = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
        my_ttl = 0
        my_origin = 0x0
        my_prev = 0x1208b30
        soa_seen = false
        s = <optimized out>
        ret = LDNS_STATUS_MEM_ERR
#9  0x0000000000401a51 in main (argc=<optimized out>, argv=<optimized out>) at ./examples/ldns-read-zone.c:257
        filename = <optimized out>
        fp = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
        z = 0x7f07a68481a8
        line_nr = 1
        c = <optimized out>
        canonicalize = false
        sort = false
        print_soa = true
        s = <optimized out>
        i = <optimized out>
        stripped_list = <optimized out>
        cur_rr = <optimized out>
        fmt_storage = {flags = 14, hashmap = 0x0, bitmap = 0x0}
        show_types = 0x0
        soa_serial_increment_func = 0x0
        soa_serial_increment_func_data = 0


Hope that helps...

Andreas


> 
> Best regards,
> 
> Willem
> 
> 
> link: https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz
> sha1: aaef2b485e99a5d0f4a69449e29413b59c0d0ad3
> asc : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz.asc
> 
> 
> Changelog
> =========
> * Fix lookup of relative names in ldns_resolver_search.
> * bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
> * Follow CNAME's when tracing with drill (TODO dnssec trace)
> * Fix #551 change Regent to Copyright holder in BSD license in
>   some of the headings of the file, to match the opensource.org
>   BSD license.
> * -e option makes ldns-compare-zones exit with status code 2 on
>   difference
> * Filter out specified RR types with ldns-read-zone -e and -E options
> * bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
> * bugfix #562: ldns-keygen match DSA key maximum size with library.
>   And check keysizes with all algorithms. Thanks Peter Koch.
> * ldns-verify-zone accepts only one single zonefile as argument.
> * bugfix #573: ldns-keygen write private keys with mode 0600.
>   Thanks Leon Weber
> * Fix configure to make ldns compile with LibreSSL 2.0
> * drill now also accepts dig style -y option
>   (-y <[algo:]name:key> i.s.o. -y <name:key[:algo]>)
> * OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
> * bugfix #608: Correct comment about escaped characters
> * CDS and CDNSKEY rr type from RFC 7344.
>   --enable-rrtype-cds configure option removed
> * fix: Memory leak in ldns_pkt_rr_list_by_name()
>   Thanks Johannes Naab
> * fix: Memory leak in ldns_dname2buffer_wire_compress()
>   Thanks Max Liebkies
> * bugfix #613: Allow tab as whitespace too in last rdata field of types
>   of variable length.  Thanks Xiali Yan
> * bugfix: strip trailing whitespace from $ORIGIN lines in zone files
> * Let ldns-keygen output .ds files only for KSK keys
> * Parse RFC7218 TLSA mnemonics, but do not output them
> * Let ldns-dane use SPKI as the default selector i.s.o. Cert
> * bugfix: Fit left over NSEC3s once more before adding empty non
>   terminals.  Thanks Stuart Browne
> * bugfix #605: Determine default trust anchor location at compile time
>   Thanks Peter Koch
> * bugfix #697: Double free with ldns-dane create
>   Thanks Carsten Strotmann
> * bugfix #623: Do not redefine bool type and boolean values
>   Thanks Jakob Petsovits
> * bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
>   Thanks Shussain
> * bugfix #575: ldns_pkt_clone() does not copy timestamp field
>   Thanks Calle Dybedahl
> * bugfix #584: ldns-update fixes.  Send update to port 53, bring manpage
>   in sync with the usage text, and don't alter the ldns_resolver passed
>   to ldns_update_soa_zone_mname().  Created a ldns_resolver_clone()
>   function in the process.  Thanks Nicholas Riley.
> * bugfix #633: ldns_pkt_clone() parameter isn't const.
>   Thanks Jakop Petsovits
> * bugfix: ldns-dane manpage correction
>   Thanks Erwin Lansing
> * Spelling fixes.  Thanks Andreas Schulze
> * Hyphen used as minus in manpages.  Thanks Andreas Schulze.
> * RFC7553 RR Type URI is supported by default.
> * Fix ECDSA signature generation, do not omit leading zeroes.
> * bugfix: Get rid of superfluous newline in ldns-keyfetcher
>   Thanks Jan-Piet Mens
> * bugfix: -U option to ldns-signzone to sign with every algorithm
>   Thanks Guido Kroon
> * bugfix #725: allow RR-types on the type bitmap window border
>   Thanks Pieter Lexis
> * bugfix #726: 2 typos in drill manpage.
>   Thanks Hugo Lombard
> * Add type CSYNC support, RFC 7477.
> * Prepare for ED25519, ED448 support: todo convert* routines in
>   dnssec.h, once openssl has support for signing with these algorithms.
>   The dns algorithm number is not yet allocated. These features are
>   not fully implemented yet, openssl (1.1) does not support the
>   algorithms enough to generate keys and sign and verify with them.
> * Fix _answerfrom comment in ldns_struct_pkt.
> * Fix drill axfr ipv4/ipv6 queries.
> * Fix comment referring to mk_query in packet.h to pkt_query_new.
> * Fix description of QR flag in packet.h.
> * Fix for openssl 1.1.0 API changes.
> * Remove commented out macro.  Thanks Thiago Farina
> * bugfix #641: Include install-sh in .gitignore
> * bugfix #825: Module import breaks with newer SWIG versions.
>   Thanks Christoph Egger
> * bugfix #796 - #792: Fix miscellaneous compiler warning issues.
>   Thanks Ngie Cooper
> * bugfix #769: Add support for :: in an IPv6 address
>   Thanks Hajimu UMEMOTO
> * bugfix #760: Detect superfluous text in presentation format
>   Thanks Xiali Yan
> * bugfix #708: warnings and errors with xcode 6.1/7.0
> * bugfix #754: Memory leak in ldns_str2rdf_ipseckey
>   Thanks Xiali Yan
> * bugfix #661: Fail NSEC3 signing when NSEC domainname length
>   would overflow.  Thanks Jan-Piet Mens.
> * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
>   Thanks Harald Jenny
> * bugfix #680: ldns fails to reject invalidly formatted
>   RFC 7553 URI RRs.  Thanks Robert Edmonds
> * bugfix #678: Use poll i.s.o. select to support > 1024 fds
>   Thanks William King
> * Use OpenSSL DANE functions for verification (unless explicitly
>   disabled with --disable-dane-ta-usage).
> * Bump .so version
> * Include OPENPGPKEY RR type by default
> * rdata processing for SMIMEA RR type
> 
> 
> 
> 
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> 
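The backtrace in the report above shows ldns_lookup_by_name entered with table at entry=ldns_tlsa_certificate_usages and faulting in libc once the pointer has moved past that symbol, which is consistent with a mnemonic table being walked without a terminating entry. As an added illustration (not ldns's code; usage_mnemonics, lookup_mnemonic, parse_tlsa_usage and usage_of are names made up for this example), here is a mnemonic-or-integer parser for the TLSA certificate-usage field with the terminator present and the walk bounded by the array length:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
/* Constructed table with the RFC 7218 mnemonics for the TLSA certificate
 * usage field; the { 0, NULL } sentinel is what the lookup loop stops on. */
typedef struct { int id; const char *name; } mnemonic_entry;
static const mnemonic_entry usage_mnemonics[] = {
    { 0, "PKIX-TA" }, { 1, "PKIX-EE" }, { 2, "DANE-TA" }, { 3, "DANE-EE" },
    { 0, NULL }   /* terminator: without it the walk runs off the array */
};

/* Case-insensitive lookup bounded by the array length, so a table that
 * lost its terminator fails closed instead of reading adjacent memory. */
static const mnemonic_entry *
lookup_mnemonic(const mnemonic_entry *tbl, size_t len, const char *name)
{
    for (size_t i = 0; i < len && tbl[i].name != NULL; i++)
        if (strcasecmp(tbl[i].name, name) == 0)
            return &tbl[i];
    return NULL;
}

/* Parse one usage field given as mnemonic or decimal 0..255: returns 0 and
 * stores the value, or -1 on malformed input (no partial acceptance). */
int parse_tlsa_usage(const char *str, uint8_t *out)
{
    const mnemonic_entry *e = lookup_mnemonic(usage_mnemonics,
        sizeof usage_mnemonics / sizeof usage_mnemonics[0], str);
    if (e) { *out = (uint8_t)e->id; return 0; }
    char *end; errno = 0;
    long v = strtol(str, &end, 10);
    if (errno || end == str || *end != '\0' || v < 0 || v > 255)
        return -1;
    *out = (uint8_t)v;
    return 0;
}
int usage_of(const char *str)   /* value on success, -1 on malformed input */
{
    uint8_t u = 0;
    return parse_tlsa_usage(str, &u) == 0 ? (int)u : -1;
}
int main(void)
{
    const char *in[] = { "3", "DANE-EE", "dane-ta", "256", "DANE-XX", "" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-8s -> %d\n", in[i], usage_of(in[i]));
    return 0;
}
```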