[ldns-users] ldns 1.7.0 rc1
Willem Toorop
willem at nlnetlabs.nl
Mon Dec 5 08:47:42 UTC 2016
Thank you Andreas!
Fix attached.
-- Willem
On 03-12-16 at 21:28, A. Schulze wrote:
>
>
> On 01.12.2016 at 13:58, Willem Toorop wrote:
>> Dear users of ldns,
>>
>> We have a release candidate for ldns 1.7.0
>>
>> This is primarily a bugfix and maintenance release. For a list of
>> fixed bugs and maintenance work see the Changelog below.
>>
>> The most prominent change of this release is related to DANE
>> verification. We received a report that verification of the DANE-TA
>> usage type has issues. Also, the function prototypes that ldns exposes
>> do not provide means to address End Entity name verification. Therefore
>> we strongly recommend using the DANE verification functions provided by
>> OpenSSL >= 1.1.0 instead.
>>
>> ldns has been adapted to deal with the situation as follows:
>> All ldns DANE verification functions will be mapped directly to
>> OpenSSL's >= 1.1.0 DANE verification functions.
>>
>> The ldns-dane example tool will use OpenSSL >= 1.1.0 DANE functions
>> directly when available.
>>
>> configure will fail when OpenSSL >= 1.1.0 is not available.
>>
>> To compile ldns linked with an older version of OpenSSL or with
>> LibreSSL, one has to either
>>
>> - disable the DANE verification functions with the
>> --disable-dane-verify configure option
>> (the functions to create TLSA RRs will still be available), or
>>
>> - disable verification of DANE-TA usage type with the
>> --disable-dane-ta-usage configure option.
>>
>> In this last case, ldns_dane_verify() will return an
>> LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA error code when
>> the only TLSA RRs that matched the certificate were of the
>> DANE-TA usage type.
>>
>> Please let us know if you want us to deal with this differently.
>>
>> Because ldns will potentially have a different set of function
>> prototypes (for example when compiled with --disable-dane-verify) and
>> because of ABI breakage in earlier versions, the .so version of this
>> release of ldns is bumped. From now on .so versions will no longer
>> follow ldns's own version number, but will be based on libtool's version
>> information scheme that we also practice with libunbound and libgetdns.
>>
>> Please review this release candidate carefully and let us know if
>> anything is wrong. If all is well, the actual release will follow
>> Thursday the 15th of December 2016.
>
> Hello Willem,
>
> ldns-read-zone dumps core on TLSA records.
>
> # ulimit -c unlimited
>
> # echo '_443._tcp.example.local. TLSA 3 1 1 0815...' | /usr/bin/ldns-read-zone
> Segmentation fault (core dumped)
>
> # gdb /usr/bin/ldns-read-zone /var/core/ldns-read-zone_running_as_pid_11264_got_signal_11
> GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/bin/ldns-read-zone...Reading symbols from /usr/lib/debug//usr/bin/ldns-read-zone...done.
> done.
> [New LWP 11264]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `ldns-read-zone'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> (gdb) bt full
> #0 0x00007f07a695c67b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> No symbol table info available.
> #1 0x00007f07a6c29175 in ldns_lookup_by_name (table=0x7f07a6e43890 <completed>, table@entry=0x7f07a6e43840 <ldns_tlsa_certificate_usages>, name=name@entry=0x11e8a50 "3") at ./util.c:33
> No locals.
> #2 0x00007f07a6c25114 in ldns_str2rdf_mnemonic4int8 (lt=lt@entry=0x7f07a6e43840 <ldns_tlsa_certificate_usages>, rd=rd@entry=0x7fff3eeb1c50, str=0x11e8a50 "3") at ./str2host.c:805
> No locals.
> #3 0x00007f07a6c25dd2 in ldns_str2rdf_certificate_usage (rd=rd@entry=0x7fff3eeb1c50, str=<optimized out>) at ./str2host.c:828
> No locals.
> #4 0x00007f07a6c1b868 in ldns_rdf_new_frm_str (type=LDNS_RDF_TYPE_CERTIFICATE_USAGE, str=str@entry=0x11e8a50 "3") at ./rdata.c:355
> rdf = <optimized out>
> status = <optimized out>
> #5 0x00007f07a6c20dcb in ldns_rr_new_frm_str_internal (newrr=0x7fff3eeb1d70, str=str@entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl@entry=0, origin=0x0,
> prev=<optimized out>, question=question@entry=false) at ./rr.c:586
> new = 0x11d8850
> desc = 0x7f07a6e41080 <rdata_field_descriptors+2496>
> rr_type = LDNS_RR_TYPE_TLSA
> rr_buf = 0x11e89f0
> rd_buf = <optimized out>
> ttl_val = 0
> owner = 0x0
> ttl = 0x0
> clas_val = <optimized out>
> clas = 0x0
> type = 0x0
> rdata = 0x11d89e0 "3 1 1 0815"
> rd = <optimized out>
> xtok = 0x11f8a60 ""
> rd_strlen = <optimized out>
> delimiters = <optimized out>
> c = <optimized out>
> owner_dname = <optimized out>
> endptr = 0x11d89a0 ""
> was_unknown_rr_format = 0
> status = <optimized out>
> done = false
> quoted = <optimized out>
> r = <optimized out>
> r_cnt = 0
> r_min = 4
> r_max = 4
> hex_data_size = <optimized out>
> hex_data_str = 0x0
> cur_hex_data_size = <optimized out>
> hex_pos = 0
> hex_data = 0x0
> #6 0x00007f07a6c215e8 in ldns_rr_new_frm_str (newrr=<optimized out>, str=str@entry=0x11d6050 "_443._tcp.example.local. TLSA 3 1 1 0815", default_ttl=default_ttl@entry=0, origin=<optimized out>,
> prev=<optimized out>) at ./rr.c:663
> No locals.
> #7 0x00007f07a6c2172b in ldns_rr_new_frm_fp_l (newrr=newrr@entry=0x7fff3eeb1df0, fp=fp@entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, default_ttl=default_ttl@entry=0x7fff3eeb1dec,
> origin=origin@entry=0x7fff3eeb1df8, prev=prev@entry=0x7fff3eeb1e00, line_nr=line_nr@entry=0x7fff3eeb1e7c) at ./rr.c:774
> line = <optimized out>
> endptr = 0x0
> rr = 0x0
> ttl = 0
> tmp = <optimized out>
> s = <optimized out>
> size = <optimized out>
> #8 0x00007f07a6c2ab73 in ldns_zone_new_frm_fp_l (z=z@entry=0x7fff3eeb1e80, fp=fp@entry=0x7f07a6bde4e0 <_IO_2_1_stdin_>, origin=origin@entry=0x0, ttl=ttl@entry=0, c=c@entry=LDNS_RR_CLASS_IN,
> line_nr=line_nr@entry=0x7fff3eeb1e7c) at ./zone.c:227
> newzone = 0x11d6010
> rr = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
> my_ttl = 0
> my_origin = 0x0
> my_prev = 0x1208b30
> soa_seen = false
> s = <optimized out>
> ret = LDNS_STATUS_MEM_ERR
> #9 0x0000000000401a51 in main (argc=<optimized out>, argv=<optimized out>) at ./examples/ldns-read-zone.c:257
> filename = <optimized out>
> fp = 0x7f07a6bde4e0 <_IO_2_1_stdin_>
> z = 0x7f07a68481a8
> line_nr = 1
> c = <optimized out>
> canonicalize = false
> sort = false
> print_soa = true
> s = <optimized out>
> i = <optimized out>
> stripped_list = <optimized out>
> cur_rr = <optimized out>
> fmt_storage = {flags = 14, hashmap = 0x0, bitmap = 0x0}
> show_types = 0x0
> soa_serial_increment_func = 0x0
> soa_serial_increment_func_data = 0
>
>
> hope that helps...
>
> Andreas
>
>
>>
>> Best regards,
>>
>> Willem
>>
>>
>> link: https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz
>> sha1: aaef2b485e99a5d0f4a69449e29413b59c0d0ad3
>> asc : https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0-rc1.tar.gz.asc
>>
>>
>> Changelog
>> =========
>> * Fix lookup of relative names in ldns_resolver_search.
>> * bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
>> * Follow CNAMEs when tracing with drill (TODO dnssec trace)
>> * Fix #551 change Regent to Copyright holder in BSD license in
>> some of the headings of the file, to match the opensource.org
>> BSD license.
>> * -e option makes ldns-compare-zones exit with status code 2 on
>> difference
>> * Filter out specified RR types with ldns-read-zone -e and -E options
>> * bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
>> * bugfix #562: ldns-keygen match DSA key maximum size with library.
>> And check keysizes with all algorithms. Thanks Peter Koch.
>> * ldns-verify-zone accepts only one single zonefile as argument.
>> * bugfix #573: ldns-keygen write private keys with mode 0600.
>> Thanks Leon Weber
>> * Fix configure to make ldns compile with LibreSSL 2.0
>> * drill now also accepts dig style -y option
>> (-y <[algo:]name:key> i.s.o. -y <name:key[:algo]>)
>> * OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
>> * bugfix #608: Correct comment about escaped characters
>> * CDS and CDNSKEY rr type from RFC 7344.
>> --enable-rrtype-cds configure option removed
>> * fix: Memory leak in ldns_pkt_rr_list_by_name()
>> Thanks Johannes Naab
>> * fix: Memory leak in ldns_dname2buffer_wire_compress()
>> Thanks Max Liebkies
>> * bugfix #613: Allow tab as whitespace too in last rdata field of types
>> of variable length. Thanks Xiali Yan
>> * bugfix: strip trailing whitespace from $ORIGIN lines in zone files
>> * Let ldns-keygen output .ds files only for KSK keys
>> * Parse RFC7218 TLSA mnemonics, but do not output them
>> * Let ldns-dane use SPKI as the default selector i.s.o. Cert
>> * bugfix: Fit left over NSEC3s once more before adding empty non
>> terminals. Thanks Stuart Browne
>> * bugfix #605: Determine default trust anchor location at compile time
>> Thanks Peter Koch
>> * bugfix #697: Double free with ldns-dane create
>> Thanks Carsten Strotmann
>> * bugfix #623: Do not redefine bool type and boolean values
>> Thanks Jakob Petsovits
>> * bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
>> Thanks Shussain
>> * bugfix #575: ldns_pkt_clone() does not copy timestamp field
>> Thanks Calle Dybedahl
>> * bugfix #584: ldns-update fixes. Send update to port 53, bring manpage
>> in sync with the usage text, and don't alter the ldns_resolver passed
>> to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone()
>> function in the process. Thanks Nicholas Riley.
>> * bugfix #633: ldns_pkt_clone() parameter isn't const.
>> Thanks Jakop Petsovits
>> * bugfix: ldns-dane manpage correction
>> Thanks Erwin Lansing
>> * Spelling fixes. Thanks Andreas Schulze
>> * Hyphen used as minus in manpages. Thanks Andreas Schulze.
>> * RFC7553 RR Type URI is supported by default.
>> * Fix ECDSA signature generation, do not omit leading zeroes.
>> * bugfix: Get rid of superfluous newline in ldns-keyfetcher
>> Thanks Jan-Piet Mens
>> * bugfix: -U option to ldns-signzone to sign with every algorithm
>> Thanks Guido Kroon
>> * bugfix #725: allow RR-types on the type bitmap window border
>> Thanks Pieter Lexis
>> * bugfix #726: 2 typos in drill manpage.
>> Thanks Hugo Lombard
>> * Add type CSYNC support, RFC 7477.
>> * Prepare for ED25519, ED448 support: todo convert* routines in
>> dnssec.h, once openssl has support for signing with these algorithms.
>> The dns algorithm number is not yet allocated. These features are
>> not fully implemented yet, openssl (1.1) does not support the
>> algorithms enough to generate keys and sign and verify with them.
>> * Fix _answerfrom comment in ldns_struct_pkt.
>> * Fix drill axfr ipv4/ipv6 queries.
>> * Fix comment referring to mk_query in packet.h to pkt_query_new.
>> * Fix description of QR flag in packet.h.
>> * Fix for openssl 1.1.0 API changes.
>> * Remove commented out macro. Thanks Thiago Farina
>> * bugfix #641: Include install-sh in .gitignore
>> * bugfix #825: Module import breaks with newer SWIG versions.
>> Thanks Christoph Egger
>> * bugfix #796 - #792: Fix miscellaneous compiler warning issues.
>> Thanks Ngie Cooper
>> * bugfix #769: Add support for :: in an IPv6 address
>> Thanks Hajimu UMEMOTO
>> * bugfix #760: Detect superfluous text in presentation format
>> Thanks Xiali Yan
>> * bugfix #708: warnings and errors with xcode 6.1/7.0
>> * bugfix #754: Memory leak in ldns_str2rdf_ipseckey
>> Thanks Xiali Yan
>> * bugfix #661: Fail NSEC3 signing when NSEC domainname length
>> would overflow. Thanks Jan-Piet Mens.
>> * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
>> Thanks Harald Jenny
>> * bugfix #680: ldns fails to reject invalidly formatted
>> RFC 7553 URI RRs. Thanks Robert Edmonds
>> * bugfix #678: Use poll i.s.o. select to support > 1024 fds
>> Thanks William King
>> * Use OpenSSL DANE functions for verification (unless explicitly
>> disabled with --disable-dane-ta-usage).
>> * Bump .so version
>> * Include OPENPGPKEY RR type by default
>> * rdata processing for SMIMEA RR type
>>
>>
>>
>>
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-crash-in-read-of-TLSA-record.patch
Type: text/x-diff
Size: 1362 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/ldns-users/attachments/20161205/82c75539/attachment.bin>
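The attached patch is not reproduced on this page, so what follows is an added illustration, not ldns code. Reading the backtrace above: in frame #1, ldns_lookup_by_name was entered with table@entry pointing at ldns_tlsa_certificate_usages, but at the time of the crash its table pointer had advanced to the next symbol in the library, completed. The input token was "3", a number rather than an RFC 7218 mnemonic, so nothing in the table matched and the loop kept walking until it read a bogus name pointer inside libc. That is the signature of a name-lookup table without its terminating entry, which is an inference from the frame, not a statement about the patch itself. The C example below, with hypothetical names (mnemonic_entry, lookup_by_name, parse_tlsa_usage, tlsa_usage_value; the RFC 7218 mnemonics and their values are real), shows the shape of the table with its sentinel, a lookup that stops at it, and the numeric fallback the presentation format of the usage field needs:

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical lookup-table entry (not ldns's type); a NULL name ends the table. */
typedef struct {
    int id;
    const char *name;
} mnemonic_entry;

/* RFC 7218 mnemonics for the TLSA Certificate Usage field. The final
 * { 0, NULL } sentinel is what a lookup-by-name loop relies on to stop;
 * drop it and a token that matches nothing (such as the numeric "3") sends
 * the loop past the array into whatever object follows it in memory. */
static const mnemonic_entry tlsa_usages[] = {
    { 0,   "PKIX-TA"  },
    { 1,   "PKIX-EE"  },
    { 2,   "DANE-TA"  },
    { 3,   "DANE-EE"  },
    { 255, "PrivCert" },
    { 0,   NULL }
};

/* Case-insensitive lookup that stops at the sentinel and returns NULL on miss. */
static const mnemonic_entry *lookup_by_name(const mnemonic_entry *table,
                                            const char *name)
{
    for (; table->name != NULL; table++) {
        if (strcasecmp(table->name, name) == 0)
            return table;
    }
    return NULL;
}

/* Parse one presentation-format usage token: mnemonic first, then a strict
 * decimal 0..255. Returns 0 with the value in *out, or -1 when the token is
 * neither a known mnemonic nor a valid 8-bit number (signs, leading blanks,
 * trailing text and out-of-range values are all rejected). */
int parse_tlsa_usage(const char *token, uint8_t *out)
{
    const mnemonic_entry *e;
    unsigned long v;
    char *end;

    if (token == NULL || token[0] == '\0')
        return -1;

    e = lookup_by_name(tlsa_usages, token);
    if (e != NULL) {
        *out = (uint8_t)e->id;
        return 0;
    }

    if (!isdigit((unsigned char)token[0]))
        return -1;              /* strtoul alone would accept "+3" or " 3" */
    errno = 0;
    v = strtoul(token, &end, 10);
    if (errno != 0 || *end != '\0' || v > 255)
        return -1;
    *out = (uint8_t)v;
    return 0;
}

/* Convenience wrapper: the numeric value, or -1 if the token is rejected. */
int tlsa_usage_value(const char *token)
{
    uint8_t u;
    return parse_tlsa_usage(token, &u) == 0 ? (int)u : -1;
}

int main(void)
{
    /* Constructed sample tokens; the first is the field from the crashing record. */
    const char *samples[] = { "3", "DANE-EE", "dane-ta", "PrivCert", "256", "3x", "-1", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = tlsa_usage_value(samples[i]);
        if (v >= 0)
            printf("%-8s -> %d\n", samples[i], v);
        else
            printf("%-8s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The same table layout applies to the selector and matching-type fields of a TLSA record, which also carry RFC 7218 mnemonics; each table needs its own sentinel. A cheap guard against regressions of this kind is a unit test that looks up a string guaranteed not to be in any table and asserts a NULL result, since a missing terminator then fails deterministically under a sanitizer instead of depending on what happens to follow the table in memory.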