From willem at nlnetlabs.nl Tue Feb 6 16:09:53 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 6 Feb 2018 17:09:53 +0100
Subject: [net-dns-users] Fast track release candidate for Net::DNS 1.15
Message-ID: <08de824c-873d-8335-ce46-f1a6d06731a6@nlnetlabs.nl>

Dear all,

We have a candidate for the fast track release of Net::DNS 1.15.

This release has no bugs resolved nor any new features. Besides some minor code maintenance, this release only adds a Change notice to formalize the retirement of the GOST R 34.11-94 hash algorithm. However, the GOST algorithm will still work when a functional Digest::GOST module is present. See also the Changes section below.

Actual release will follow Friday 9 February 2018.

link  : https://www.net-dns.org/download/Net-DNS-1.14_02.tar.gz
sha256: ba1cf328c165a9164e9d9587085882d38e717eb64c79ad72422da895481bd654
asc   : https://www.net-dns.org/download/Net-DNS-1.14_02.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.15 [unreleased]

    GOST R 34.11-94 hash algorithm: end of life 1st Jan 2018 per sunset clause in successor standard GOST R 34.11-2012.

    Digest::GOST removed from the recommended module metadata, but will still be used if available.

From willem at nlnetlabs.nl Wed Feb 7 11:23:25 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 7 Feb 2018 12:23:25 +0100
Subject: [net-dns-users] Release candidate for Net::DNS::SEC 1.04
Message-ID: <3e0eaa3a-f89a-a1a6-bc6c-274cada22462@nlnetlabs.nl>

Dear all,

We have a candidate for the 1.04 release of Net::DNS::SEC.

Net::DNS::SEC is dependent on the Crypt::OpenSSL::(DSA|EDSA|RSA) modules for the cryptographic operations.
Unfortunately these modules have not remained up-to-date with the underlying OpenSSL C library and are now non-functional with OpenSSL releases from version 1.1.0 and higher.

This release contains a Perl foreign function interface on the OpenSSL libcrypto library directly and is no longer dependent on the Crypt::OpenSSL::(DSA|EDSA|RSA) modules, providing more flexibility in OpenSSL upgrade strategies.

This is a non-trivial architectural change. Therefore we ask you to review this candidate extra thoroughly. If no issues arise, the actual release will follow Wednesday the 14 February 2018.

link  : http2://www.net-dns.org/download/Net-DNS-SEC-1.03_08.tar.gz
sha256: 13e95d088786f58a17deaae0bb10e7e11c8aed2c8d63c71bd3d463ea5ae350c3
asc   : http2://www.net-dns.org/download/Net-DNS-SEC-1.03_08.tar.gz.asc

Changes
=======

**** 1.04 [unreleased]

Feature
    Cryptographic library access re-engineered using PerlXS directly instead of CPAN Crypt::OpenSSL::(DSA|EDSA|RSA) distributions which have fallen into disrepair.

From willem at nlnetlabs.nl Fri Feb 9 11:45:04 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 9 Feb 2018 12:45:04 +0100
Subject: [net-dns-users] Net::DNS 1.15 Released
Message-ID: <3944f85f-4dd4-62fc-b517-1877d7c4d6e9@nlnetlabs.nl>

Dear all,

We have a new release version 1.15 of Net::DNS.

This release has no bugs resolved nor any new features. Besides code maintenance, this release only adds a Change notice to formalize the retirement of the GOST R 34.11-94 hash algorithm. However, the GOST algorithm will still work when a functional Digest::GOST module is present.

link  : https://www.net-dns.org/download/Net-DNS-1.15.tar.gz
sha256: 1ad46ba6438b846a94b4f50d53ecfda55f504a17e11b94effb087ff9329e61d0
asc   : https://www.net-dns.org/download/Net-DNS-1.15.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.15 Feb 9, 2018

    GOST R 34.11-94 hash algorithm: end of life 1st Jan 2018 per sunset clause in successor standard GOST R 34.11-2012.

    Digest::GOST removed from the recommended module metadata, but will still be used if available.

From willem at nlnetlabs.nl Thu Feb 15 15:58:47 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 15 Feb 2018 16:58:47 +0100
Subject: [net-dns-users] Net::DNS::SEC 1.04 Released
Message-ID: <62cf9725-2209-84d0-7f09-91378a11a806@nlnetlabs.nl>

Dear all,

We have a new release version 1.04 of Net::DNS::SEC.

Net::DNS::SEC is dependent on the Crypt::OpenSSL::(DSA|EDSA|RSA) modules for the cryptographic operations. Unfortunately these modules have not remained up-to-date with the underlying OpenSSL C library and are now non-functional with OpenSSL releases from version 1.1.0 and higher.

This release contains a Perl foreign function interface on the OpenSSL libcrypto library directly and is no longer dependent on the Crypt::OpenSSL::(DSA|EDSA|RSA) modules, providing more flexibility in OpenSSL upgrade strategies.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.04.tar.gz
sha256: 5b8a6559c9e07abdb9e9a829351afd465478a63c6a7f57c57f54bbd1d1ccf8d2
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.04.tar.gz.asc

Changes
=======

**** 1.04 February 15, 2018

Feature
    Cryptographic library access re-engineered using PerlXS directly instead of CPAN Crypt::OpenSSL::(DSA|EDSA|RSA) distributions which have fallen into disrepair.

From rwfranks at acm.org Mon Mar 12 09:54:19 2018
From: rwfranks at acm.org (Dick Franks)
Date: Mon, 12 Mar 2018 09:54:19 +0000
Subject: [net-dns-users] DNSSEC algorithms 15 & 16?
In-Reply-To: <5B78C96B-FD9C-421D-9554-C263C1871192@verisign.com>
References: <5B78C96B-FD9C-421D-9554-C263C1871192@verisign.com>
Message-ID:

An interim Net::DNS::SEC implementation of Ed25519 and Ed448 should become available within the next few days.

However, the build is not fully automated and requires some additional preparation.

You can literally get ahead of the curve [groan!] by building OpenSSL from latest released source:

    tar xvzf openssl-1.1.1-pre2.tar.gz
    cd openssl-1.1.1-pre2
    ./config shared
    make
    make test

and retaining the following object files:

    crypto/ec/curve25519.o
    crypto/ec/curve448/*.o
    crypto/ec/curve448/arch_32/*.o

I freely admit that the build process is a dog's breakfast, but will be making strenuous efforts to improve this long-term.

Dick Franks
________________________

On 24 October 2017 at 17:49, Wessels, Duane wrote:

> Any plans for adding algorithms 15 & 16 to Net::DNS::SEC yet?
>
> The users of DNSSEC Debugger are starting to ask for it :-)
>
> DW
>
> _______________________________________________
> net-dns-users mailing list
> net-dns-users at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/net-dns-users
>

From willem at nlnetlabs.nl Tue Mar 13 10:10:04 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 13 Mar 2018 11:10:04 +0100
Subject: [net-dns-users] Release candidate for Net::DNS::SEC 1.05
Message-ID: <0b78f012-655a-3836-9f0e-ec7ba34680e3@nlnetlabs.nl>

Dear all,

We have a candidate for the 1.05 release of Net::DNS::SEC.

This release contains an interim Net::DNS::SEC implementation of the Ed25519 and Ed448 curves (algorithm 15 and 16). However, it is provided as a building-kit from which some pieces have to come from a pre-built openssl-1.1.1* source tree. Build instructions can be found in the include/Ed25519.h and include/Ed448.h files from the source tarball.

https://net-dns.org/svn/net-dns-sec/release/1.04_04/include/Ed25519.h
https://net-dns.org/svn/net-dns-sec/release/1.04_04/include/Ed448.h

The current issues of the Crypt::OpenSSL::RSA module with newer versions of OpenSSL have made the private RSA key generation function of Net::DNS::SEC challenging. Key generation with Net::DNS::SEC was already limited and restricted to RSA. This and readily available better private key generation tools, such as the BIND dnssec-keygen tool (which we already recommended), made us decide to drop this function.

This release has also a single bugfix, resolving an issue with missing attributes in private key files. For a complete list of changes and bugfixes see the Changes section.

Please review this candidate carefully. If no issues arise, the actual release will follow Tuesday the 20th of March 2018.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.04_04.tar.gz
sha256: 68398915227a93e891e3eb7979dad82457dd454c6a25299d8c2813915f98b31d
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.04_04.tar.gz.asc

Changes
=======

**** 1.05 [unreleased]

Feature
    Support added for Ed25519 and Ed448 algorithms

Fix: rt.cpan.org #124650
    Net::DNS::SEC::Private must not die if attribute is not present

From willem at nlnetlabs.nl Tue Mar 20 09:41:41 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 20 Mar 2018 09:41:41 +0000
Subject: [net-dns-users] Net::DNS::SEC 1.05 Released
Message-ID:

Dear all,

I'm pleased to announce a new release, version 1.05 of Net::DNS::SEC.

This release contains an interim Net::DNS::SEC implementation of the Ed25519 and Ed448 curves (algorithm 15 and 16). However, it is provided as a building-kit from which some pieces have to come from a pre-built openssl-1.1.1* source tree. Build instructions can be found in the include/Ed25519.h and include/Ed448.h files from the source tarball.

https://net-dns.org/svn/net-dns-sec/release/1.04_04/include/Ed25519.h
https://net-dns.org/svn/net-dns-sec/release/1.04_04/include/Ed448.h

The current state of the Crypt::OpenSSL::RSA module (with respect to newer versions of OpenSSL) has made the private RSA key generation function of Net::DNS::SEC challenging (to say the least). Key generation with Net::DNS::SEC was already limited and restricted to RSA. This and readily available better private key generation tools, such as the BIND dnssec-keygen tool (which we already recommended), made us decide to drop this function.

This release has also a single bugfix, resolving an issue with missing attributes in private key files. For a complete list of changes and bugfixes see the Changes section.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.05.tar.gz
sha256: 1e4cb2575b4d25a3bd9d0b20ed9db2464baacc22f315012a2ad5375574644b2e
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.05.tar.gz.asc

Changes
=======

**** 1.05 March 20, Tuesday

Feature
    Support added for Ed25519 and Ed448 algorithms

Fix: rt.cpan.org #124650
    Net::DNS::SEC::Private must not die if attribute is not present

From willem at nlnetlabs.nl Thu Apr 5 15:01:51 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 5 Apr 2018 17:01:51 +0200
Subject: [net-dns-users] Net::DNS::SEC 1.07 released
Message-ID: <4734b03f-1659-aad4-e202-4926aca6045d@nlnetlabs.nl>

All,

I am pleased to announce the 1.07 release of Net::DNS::SEC.

This is the end-product of work started during the recent IETF101 Hackathon to permit the use of Ed25519 and Ed448 curves (algorithm 15 and 16) using the OpenSSL EVP interface. Unfortunately, progress was impeded by issues arising in OpenSSL-1.1.1-pre2 and shelved in favour of the interim solution released in Net::DNS::SEC 1.05.

This release contains the definitive EVP implementation of Ed25519 and Ed448 curves using OpenSSL version 1.1.1-pre3 or later. We believe this is the first main-stream "consumer" DNS library that offers both signing and validation for both RFC8080 Edwards curves.

Summary of changes and bugfixes appears below.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.07.tar.gz
sha256: 39e92aae3d354007583843aa6b24ab74e8725c09ba952a87084529b5229aee94
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.07.tar.gz.asc

Changes
=======

**** 1.07 April 5, 2018

Fix: rt.cpan.org #124880
    1.06 will not install on macOS

Feature
    Support for Ed25519 and Ed448 algorithms

From dwessels at verisign.com Thu Apr 5 15:36:14 2018
From: dwessels at verisign.com (Wessels, Duane)
Date: Thu, 5 Apr 2018 15:36:14 +0000
Subject: [net-dns-users] Net::DNS::SEC 1.07 released
In-Reply-To: <4734b03f-1659-aad4-e202-4926aca6045d@nlnetlabs.nl>
References: <4734b03f-1659-aad4-e202-4926aca6045d@nlnetlabs.nl>
Message-ID: <51A9F0C4-C2A4-4FF6-BFF0-DFA7D95051AF@verisign.com>

Great news, thanks Dick and Willem!

DW

> On Apr 5, 2018, at 8:01 AM, Willem Toorop wrote:
>
> All,
>
> I am pleased to announce the 1.07 release of Net::DNS::SEC.
>
> This is the end-product of work started during the recent IETF101
> Hackathon to permit the use of Ed25519 and Ed448 curves (algorithm 15
> and 16) using the OpenSSL EVP interface. Unfortunately, progress was
> impeded by issues arising in OpenSSL-1.1.1-pre2 and shelved in favour of
> the interim solution released in Net::DNS::SEC 1.05.
>
> This release contains the definitive EVP implementation of Ed25519 and
> Ed448 curves using OpenSSL version 1.1.1-pre3 or later. We believe this
> is the first main-stream "consumer" DNS library that offers both signing
> and validation for both RFC8080 Edwards curves.
>
> Summary of changes and bugfixes appears below.
>
>
> link  : https://www.net-dns.org/download/Net-DNS-SEC-1.07.tar.gz
> sha256: 39e92aae3d354007583843aa6b24ab74e8725c09ba952a87084529b5229aee94
> asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.07.tar.gz.asc
>
>
> Changes
> =======
> **** 1.07 April 5, 2018
>
> Fix: rt.cpan.org #124880
> 1.06 will not install on macOS
>
> Feature
> Support for Ed25519 and Ed448 algorithms
>

From dwessels at verisign.com Thu Apr 12 15:36:29 2018
From: dwessels at verisign.com (Wessels, Duane)
Date: Thu, 12 Apr 2018 15:36:29 +0000
Subject: [net-dns-users] NSEC::covered() ?
Message-ID: <41BA9334-E45E-40DD-A1C0-3D49D699C6FD@verisign.com>

I see NSEC3 has a covered() method, but nothing similar for plain old NSEC. Are there any helper functions available to assist with this, i.e. name canonicalization and comparison?

DW

From rwfranks at acm.org Fri Apr 13 17:41:24 2018
From: rwfranks at acm.org (Dick Franks)
Date: Fri, 13 Apr 2018 18:41:24 +0100
Subject: [net-dns-users] NSEC::covered() ?
In-Reply-To: <41BA9334-E45E-40DD-A1C0-3D49D699C6FD@verisign.com>
References: <41BA9334-E45E-40DD-A1C0-3D49D699C6FD@verisign.com>
Message-ID:

On 12 April 2018 at 16:36, Wessels, Duane wrote:

> I see NSEC3 has a covered() method, but nothing similar for plain old
> NSEC. Are there any helper functions available to assist with this, i.e.
> name canonicalization and comparison?
>

Before we add yet more stuff, a few questions need answers:

1) Is the current NSEC3 model the right shape to support your use case?

2) What improvements, if any, need to be made to the NSEC3 model?

3) Would NSEC replacement, following a similar design pattern, meet your requirement?

4) If not, why not?

From dwessels at verisign.com Fri Apr 13 19:24:06 2018
From: dwessels at verisign.com (Wessels, Duane)
Date: Fri, 13 Apr 2018 19:24:06 +0000
Subject: [net-dns-users] NSEC::covered() ?
In-Reply-To:
References: <41BA9334-E45E-40DD-A1C0-3D49D699C6FD@verisign.com>
Message-ID: <6E0F8055-1EF7-43DA-AA37-AD7D1B6957C3@verisign.com>

I think I could be very happy if NSEC was modeled after what currently exists for NSEC3. It gets me 80-90% of what I want at this time.

If you want to make improvements, then I could envision four boolean methods that say whether or not an NSEC(3) proves the various cases that need to be proved. For example:

    nsec_proves_nxdomain ($nsec, $name)
    nsec_proves_nodata ($nsec, $name, $type)
    nsec_proves_nxdomain_wildcard ($nsec, $name)
    nsec_proves_nxdomain_nodata ($nsec, $name, $type)

The caller would iterate through the available NSEC RRs until finding one that returns true, and the caller would be responsible for validating the signatures.

DW

> On Apr 13, 2018, at 10:41 AM, Dick Franks wrote:
>
>
> On 12 April 2018 at 16:36, Wessels, Duane wrote:
> I see NSEC3 has a covered() method, but nothing similar for plain old NSEC. Are there any helper functions available to assist with this, i.e. name canonicalization and comparison?
>
> Before we add yet more stuff, a few questions need answers:
>
> 1) Is the current NSEC3 model the right shape to support your use case?
>
> 2) What improvements, if any, need to be made to the NSEC3 model?
>
> 3) Would NSEC replacement, following a similar design pattern, meet your requirement?
>
> 4) If not, why not?

From willem at nlnetlabs.nl Fri May 4 15:35:32 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 4 May 2018 17:35:32 +0200
Subject: [net-dns-users] Release candidate for Net::DNS::SEC 1.08
Message-ID: <38371de3-4bd2-3532-e684-52e191819b83@nlnetlabs.nl>

Dear all,

We have a candidate for the 1.08 release of Net::DNS::SEC.

Code has been reworked to generate and verify signatures using the EVP interface which requires OpenSSL 1.0.0 or later.

Use of ED25519 and ED448 (algorithms 15 and 16) requires OpenSSL 1.1.1 or later.

ECC-GOST (obsolete GOST R 34.10-2001) signature verification requires the Digest::GOST package to be installed. The signature generation function has been removed.

Please review this candidate carefully. If no issues arise, the actual release will follow Friday the 11th of May 2018.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.07_02.tar.gz
sha256: 60c80b5b0052424f348324bd14e024e852d5962845debf98c8b28a6d7fbf4a20
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.07_02.tar.gz.asc

Changes
=======

**** 1.08 [unreleased]

    Internal reorganisation to use OpenSSL EVP interface

From willem at nlnetlabs.nl Fri May 11 12:14:13 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 11 May 2018 14:14:13 +0200
Subject: [net-dns-users] Net::DNS::SEC 1.08 released
Message-ID: <2951c639-9071-8532-a1c7-9aae0c74944d@nlnetlabs.nl>

Dear all,

I am pleased to announce the 1.08 release of Net::DNS::SEC.

Code has been reworked to generate and verify signatures using the EVP interface which requires OpenSSL 1.0.0 or later.

Use of ED25519 and ED448 (algorithms 15 and 16) requires OpenSSL 1.1.1 or later.

ECC-GOST (obsolete GOST R 34.10-2001) signature verification requires the Digest::GOST package to be installed. The signature generation function has been removed.

Summary of changes and bugfixes appears below.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.08.tar.gz
sha256: 996d4e8dfa0c810221e87f5d290ee12098bb38dd37e9b3fb6276f3b19627d57b
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.08.tar.gz.asc

Changes
=======

**** 1.08 May 11, 2018

    Internal reorganisation to use OpenSSL EVP interface

From willem at nlnetlabs.nl Mon Jun 11 09:34:48 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 11 Jun 2018 11:34:48 +0200
Subject: [net-dns-users] Net::DNS::SEC 1.09 released
Message-ID:

Dear all,

We are pleased to announce the 1.09 release of Net::DNS::SEC.

Code has been reworked to anticipate the proposed removal of some features in future versions of OpenSSL, but is otherwise functionally identical to 1.08.

Test scripts have been modified to avoid filename conflicts which arise when tests are executed in parallel.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.09.tar.gz
sha256: 58eee69f494bc8157ad7cc043737404090ab0e557600c7e556a1f6422b8808c6
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.09.tar.gz.asc

Changes
=======

**** 1.09 Jun 4, 2018

    Avoid use of EC_GROUP_new, EC_GROUP_set_curve_GFp, and EC_GFp_mont_method which are expected to disappear.

    Fix filename conflict when tests run in parallel using make -j

From willem at nlnetlabs.nl Sun Jul 8 12:50:55 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Sun, 8 Jul 2018 14:50:55 +0200
Subject: [net-dns-users] Release candidate for Net::DNS 1.16
Message-ID: <7238be6a-a1cc-df22-f66b-f82a6ec102d6@nlnetlabs.nl>

Dear all,

We have a candidate for the upcoming 1.16 release of Net::DNS.

This release contains new and improved methods for NSEC and NSEC3 RRs to enquire about the name it covers(), the types in its typemap(), and in case of NSEC3 about the encloser(), nextcloser() and (unexpanded) wildcard().

Also, IPv6 support is now only with the IO::Socket::IP module. Support for the IO::Socket::INET6 is removed (as announced since 1.12). See also the Changes below.

Please review this candidate carefully. If no issues arise, the actual release will follow Sunday the 15th of July 2018.

link  : https://www.net-dns.org/download/Net-DNS-1.15_04.tar.gz
sha256: 7538ca61a5d681cc3e7424f8fee64ce3d47525b192edec0ded4fa6d78b70b68f
asc   : https://www.net-dns.org/download/Net-DNS-1.15_04.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.16 [unreleased]

Feature
    New NSEC3 encloser(), nextcloser() and wildcard() instance methods return closest encloser, "next closer" and putative wildcard names respectively.

Feature
    Add new NSEC covers() instance method.

Feature
    New NSEC typemap() instance method interrogates type list.

    IO::Socket::INET6 removed from recommended module metadata. IPv6 requires IO::Socket::IP which is now a core package.

From willem at nlnetlabs.nl Mon Jul 16 04:56:01 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 16 Jul 2018 00:56:01 -0400
Subject: [net-dns-users] Net::DNS 1.16 Released
Message-ID: <3d670af0-1323-227e-003a-d4cbd7e6c63a@nlnetlabs.nl>

Dear all,

We have a new release version 1.16 of Net::DNS.

This release contains new and improved methods for NSEC and NSEC3 RRs to enquire about the name it covers, the types in its typemap, and in case of NSEC3 about the encloser, nextcloser and (unexpanded) wildcard.

Also, IPv6 support is from now only with the IO::Socket::IP module. Support for the IO::Socket::INET6 is removed (for which we have warned about since 1.12). See also the Changes section below.

link  : https://www.net-dns.org/download/Net-DNS-1.16.tar.gz
sha256: 8163eebaf46d1a870b6f596684f345da7c3a7461d7dba2b85f23e02d8982ea37
asc   : https://www.net-dns.org/download/Net-DNS-1.16.tar.gz.asc

**** 1.16 Jul 15, 2018

Feature
    New NSEC3 encloser(), nextcloser() and wildcard() instance methods return closest encloser, "next closer" and putative wildcard names respectively.

Feature
    Add new NSEC covers() instance method.

Feature
    New NSEC typemap() instance method interrogates type list.

    IO::Socket::INET6 removed from recommended module metadata. IPv6 requires IO::Socket::IP which is now a core package.

    No requirement to escape @ in unquoted contiguous string.

From willem at nlnetlabs.nl Fri Jul 20 16:55:30 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 20 Jul 2018 12:55:30 -0400
Subject: [net-dns-users] Fast-track bugfix release candidate for Net::DNS 1.17
Message-ID: <1ea55b73-9b27-9389-0345-285fba908834@nlnetlabs.nl>

Dear all,

We have a fast-track release candidate for the upcoming 1.17 bugfix release of Net::DNS.

This release contains three bugfixes, of which two were introduced in release 1.16.

* A fix for broken name compression in rdata fields.
* A fix for undefined typemap for NSEC3s on empty non-terminals.
* A fix for AXFR for nameservers that start with a single SOA in a single packet (like PowerDNS).

See also the Changes below.

Please review this candidate carefully. If no issues arise, the actual release will follow Wednesday the 25th of July 2018.

link  : https://www.net-dns.org/download/Net-DNS-1.16_01.tar.gz
sha256: 035c3feb834683394505ed943eaf0fec89878960ad8acbd287fa9814aff47692
asc   : https://www.net-dns.org/download/Net-DNS-1.16_01.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.17 [unreleased]

Fix rt.cpan.org #125890
    AXFR: 1 record per packet responses.

Fix rt.cpan.org #125889
    New NSEC3 for empty non-terminal leaves type bitmap undefined.

Fix rt.cpan.org #125882
    RDATA name compression pointer calculated incorrectly.

From willem at nlnetlabs.nl Wed Jul 25 07:10:01 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Wed, 25 Jul 2018 09:10:01 +0200
Subject: [net-dns-users] Net::DNS 1.17 Released
Message-ID: <56cdfb15-bf99-ddd7-9727-420fd2105731@nlnetlabs.nl>

Dear all,

We have a new bugfix release, version 1.17 of Net::DNS.

This release contains three bugfixes, of which two were introduced in release 1.16.

* A fix for broken name compression in rdata fields.
* A fix for undefined typemap for NSEC3s on empty non-terminals.
* A fix for AXFR for nameservers that start with a single SOA in a single packet (like PowerDNS).

See also the Changes section.

link  : https://www.net-dns.org/download/Net-DNS-1.17.tar.gz
sha256: 9a79fd8fea1a708726c18d193ae4437479206ccb20ffa7f0971371e172e2c2e0
asc   : https://www.net-dns.org/download/Net-DNS-1.17.tar.gz.asc

Changes
=======

**** 1.17 Jul 25, 2018

Fix rt.cpan.org #125890
    AXFR: 1 record per packet responses.

Fix rt.cpan.org #125889
    New NSEC3 for empty non-terminal leaves type bitmap undefined.

Fix rt.cpan.org #125882
    RDATA name compression pointer calculated incorrectly.

From willem at nlnetlabs.nl Mon Aug 27 15:18:18 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Mon, 27 Aug 2018 17:18:18 +0200
Subject: [net-dns-users] Fast-track release candidate for Net::DNS::SEC 1.10
Message-ID: <9aa1e6c4-2c6e-b07c-b10d-d4ee8507ec78@nlnetlabs.nl>

Dear all,

We have a fast-track release candidate for the 1.10 release of Net::DNS::SEC.

* Code-coverage has been improved to include coverage of the XS module.
* The getkeyset demo script has been renamed and stripped of the executable bit (like the other demo scripts), to work around an issue with Redhat packaging.

Please review this candidate carefully. If no issues arise, the actual release will follow Friday the 31st of August 2018.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.09_03.tar.gz
sha256: 0fce4d8d303cf079fba5db18ec13ca731abc9facd940395d97788730b36b947a
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.09_03.tar.gz.asc

Changes
=======

**** 1.10 [unreleased]

    make test_cover now collects SEC.xs test coverage metrics using gcc and gcov.

From willem at nlnetlabs.nl Fri Aug 31 13:02:43 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 31 Aug 2018 15:02:43 +0200
Subject: [net-dns-users] Net::DNS::SEC 1.10 Released
Message-ID: <2fb04276-c548-078c-1dc6-be20ca68b3ca@nlnetlabs.nl>

Dear all,

We are pleased to announce the 1.10 release of Net::DNS::SEC.

Code-coverage has been improved to include coverage of the XS module.

The getkeyset demo script has been renamed and stripped of the executable bit (like the other demo scripts), to work around an issue with Redhat packaging.

link  : https://www.net-dns.org/download/Net-DNS-SEC-1.10.tar.gz
sha256: 37a47d4def72d7338f3cc7cd807ec19bd9e2ae638ae656fa536cf0314801989e
asc   : https://www.net-dns.org/download/Net-DNS-SEC-1.10.tar.gz.asc

Changes
=======

**** 1.10 Aug 31, 2018

    make test_cover now collects SEC.xs test coverage metrics using gcc and gcov.

From willem at nlnetlabs.nl Fri Sep 14 21:18:22 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 14 Sep 2018 23:18:22 +0200
Subject: [net-dns-users] Release candidate for Net::DNS 1.18
Message-ID: <8c29dba2-14fe-14d0-6fc0-3f6b13d70623@nlnetlabs.nl>

Dear all,

We have a candidate for the upcoming 1.18 release of Net::DNS.

This release includes

* Updated root hints, with the "new" IP address for b.root-servers.net.
* A bugfix for failing Net::DNS::ZoneFile->parse() when an include directory was specified.
* A bugfix for broken resolution when /etc/resolv.conf had an ndots option.
* A change in terminology: A DNS reply is not called "answer" anymore to avoid ambiguity. This change applies to a few function names too:
    * Net::DNS::Packet::from() replaces answerfrom()
    * Net::DNS::Packet::size() replaces answersize()
    * Net::DNS::Resolver::replyfrom() replaces answerfrom()
  The old function names will remain for backwards compatibility.

See also the Changes section.

Please review this candidate carefully. If no issues arise, the actual release will follow Friday the 21st of September 2018.

link  : https://www.net-dns.org/download/Net-DNS-1.17_03.tar.gz
sha256: 8ce0ecb4a20a26b209ffd0bf36a728aa3a7430219279e65ddd7f1a5015104bc1
asc   : https://www.net-dns.org/download/Net-DNS-1.17_03.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.18 [unreleased]

    Documentation revised to remove ambiguous use of "answer" which has been used to refer to both the answer section of a packet and the entire reply packet received from a nameserver.

Fix rt.cpan.org #127018
    Net::DNS::ZoneFile->parse() fails if include directory specified.

Fix rt.cpan.org #127012
    DNS resolution broken when option ndots used in /etc/resolv.conf

From willem at nlnetlabs.nl Fri Sep 21 14:56:00 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 21 Sep 2018 16:56:00 +0200
Subject: [net-dns-users] Net::DNS 1.18 released
Message-ID: <7d0b0d9f-c685-2251-c715-d9cfffbb620b@nlnetlabs.nl>

Dear all,

We have a new release, version 1.18 of Net::DNS.

This release includes

* Updated root hints, with the new IP address for b.root-servers.net.
* A bugfix for failing Net::DNS::ZoneFile->parse() when an include
  directory was specified.
* A bugfix for broken resolution when /etc/resolv.conf had an ndots
  option.
* A change in terminology: A DNS reply is not called "answer" anymore
  to avoid ambiguity. This change applies to a few function names too:
  * Net::DNS::Packet::from() replaces answerfrom()
  * Net::DNS::Packet::size() replaces answersize()
  * Net::DNS::Resolver::replyfrom() replaces answerfrom().
  The old function names will remain for backwards compatibility.
* Overall improved documentation

See also the Changes section.

link  : https://www.net-dns.org/download/Net-DNS-1.18.tar.gz
sha256: 52ce1494fc9707fd5a60ed71db5cde727157b7f2363787d730d4d1bd9800a9d3
asc   : https://www.net-dns.org/download/Net-DNS-1.18.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.18 Sep 21, 2018

    Documentation revised to remove ambiguous use of "answer" which has
    been used to refer to both the answer section of a packet and the
    entire reply packet received from a nameserver.

Fix rt.cpan.org #127018
    Net::DNS::ZoneFile->parse() fails if include directory specified.

Fix rt.cpan.org #127012
    DNS resolution broken when options ndots used in /etc/resolv.conf

From krenair at gmail.com Sun Sep 23 14:18:33 2018
From: krenair at gmail.com (Alex Monk)
Date: Sun, 23 Sep 2018 15:18:33 +0100
Subject: [net-dns-users] Problems with strange NXDOMAIN errors coming from Net::DNS code
Message-ID:

Hi,

At Wikimedia, ferm is used as a firewall. It allows you to specify a
host by writing something like:
@resolve((deployment-prometheus01.deployment-prep.eqiad.wmflabs), AAAA)
The problem is, this hostname has no AAAA record, just A (the hostname
is filled in automatically by a template that assumes everything will
have one).
But that should be fine, except Net::DNS gives us a NXDOMAIN error
(where the DNS server does not), causing errors that prevent ferm from
starting:

root at deployment-deploy01:/etc/ferm/conf.d# perl -e "require Net::DNS; my \$resolver = new Net::DNS::Resolver; \$resolver->search('deployment-prometheus01.deployment-prep.eqiad.wmflabs', 'AAAA'); print \$resolver->errorstring"
NXDOMAIN

Please see https://phabricator.wikimedia.org/T153468 for more information

Many thanks
Alex

From krenair at gmail.com Sun Sep 23 15:40:35 2018
From: krenair at gmail.com (Alex Monk)
Date: Sun, 23 Sep 2018 16:40:35 +0100
Subject: [net-dns-users] Problems with strange NXDOMAIN errors coming from Net::DNS code
In-Reply-To:
References:
Message-ID:

I've reported this as https://rt.cpan.org/Ticket/Display.html?id=127182
now.

On Sun, 23 Sep 2018 at 15:18, Alex Monk wrote:

> Hi,
>
> At Wikimedia, ferm is used as a firewall. It allows you to specify a
> host by writing something like:
> @resolve((deployment-prometheus01.deployment-prep.eqiad.wmflabs), AAAA)
> The problem is, this hostname has no AAAA record, just A (the hostname
> is filled in automatically by a template that assumes everything will
> have one). But that should be fine, except Net::DNS gives us a
> NXDOMAIN error (where the DNS server does not), causing errors that
> prevent ferm from starting:
>
> root at deployment-deploy01:/etc/ferm/conf.d# perl -e "require Net::DNS; my
> \$resolver = new Net::DNS::Resolver;
> \$resolver->search('deployment-prometheus01.deployment-prep.eqiad.wmflabs',
> 'AAAA'); print \$resolver->errorstring"
> NXDOMAIN
>
> Please see https://phabricator.wikimedia.org/T153468 for more information
>
> Many thanks
> Alex
>
From willem at nlnetlabs.nl Fri Nov 9 20:54:10 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Fri, 9 Nov 2018 21:54:10 +0100
Subject: [net-dns-users] Fast-track release candidate for Net::DNS 1.19
Message-ID: <6e6bc8bb-1dc0-5216-c0bd-d01afe4a65ac@nlnetlabs.nl>

Dear all,

We have a candidate for the upcoming fast-track 1.19 release of Net::DNS.

This release contains two bugfixes:
* A bugfix for search() returning a NODATA packet instead of the
  documented undef in some situations
* A bugfix to not use global bare file handles when reading the
  resolver configuration file

This release also contains a new feature to show the structure of EDNS
options when printing. For example:

    $packet->edns->print;

    ;; EDNS version 0
    ;;  flags:  8000
    ;;  rcode:  NOERROR
    ;;  size:   1280
    ;;  option: DAU    => ( 8, 10, 13, 14, 15, 16 )
    ;;          DHU    => ( 1, 2, 4 )
    ;;          COOKIE => ( CLIENT-COOKIE => 7261776279746573,
    ;;                      SERVER-COOKIE =>  )

Please review this candidate carefully. If no issues arise, the actual
release will follow Wednesday the 14th of November 2018.

link  : https://www.net-dns.org/download/Net-DNS-1.18_01.tar.gz
sha256: 1dc29d924f2ca63c7a38eee8c0dfc49b8cfe636ba4838a0c647284a58afdb8d5
asc   : https://www.net-dns.org/download/Net-DNS-1.18_01.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.19 [unreleased]

    Show structure of EDNS options using Perl-like syntax.

Fix rt.cpan.org #127557
    Net::DNS::Resolver::Base should use 3 args open

Fix rt.cpan.org #127182
    Incorrect logic can cause DNS search to emit fruitless queries.
From willem at nlnetlabs.nl Thu Nov 15 06:04:58 2018
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 15 Nov 2018 07:04:58 +0100
Subject: [net-dns-users] Net::DNS 1.19 released
Message-ID: <21b1190c-ab4a-2d45-71f2-f4959f08a465@nlnetlabs.nl>

We have a new release version 1.19 of Net::DNS.

This release contains two bugfixes:
* A bugfix for search() returning a NODATA packet instead of the
  documented undef in some situations
* A bugfix to not use global bare file handles when reading the
  resolver configuration file

This release also contains a new feature to show the structure of EDNS
options when printing. For example:

    $packet->edns->print;

    ;; EDNS version 0
    ;;  flags:  8000
    ;;  rcode:  NOERROR
    ;;  size:   1280
    ;;  option: DAU    => ( 8, 10, 13, 14, 15, 16 )
    ;;          DHU    => ( 1, 2, 4 )
    ;;          COOKIE => ( CLIENT-COOKIE => 7261776279746573,
    ;;                      SERVER-COOKIE =>  )

link  : https://www.net-dns.org/download/Net-DNS-1.19.tar.gz
sha256: 206278bdd9a538bec3e45b50e80cc5a9d7dc6e70ebf0889ef78254f0f710ccd7
asc   : https://www.net-dns.org/download/Net-DNS-1.19.tar.gz.asc

Regression test results: https://www.net-dns.org/regression

Changes
=======

**** 1.19 Nov 14, 2018

    Show structure of EDNS options using Perl-like syntax.

Fix rt.cpan.org #127557
    Net::DNS::Resolver::Base should use 3 args open

Fix rt.cpan.org #127182
    Incorrect logic can cause DNS search to emit fruitless queries.
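
Added example (not part of the list archive and not Net::DNS code): the EDNS option dump shown in the 1.19 announcement, rebuilt from OPT RDATA wire format by a small Python decoder that rejects truncated or over-long options. The function names and the constructed sample bytes are assumptions; the option codes are the IANA assignments for DAU, DHU, N3U (RFC 6975) and COOKIE (RFC 7873).

```python
import struct

# EDNS option codes from the IANA registry (RFC 6975, RFC 7873).
OPTION_NAMES = {5: "DAU", 6: "DHU", 7: "N3U", 10: "COOKIE"}

class MalformedOption(ValueError):
    """Raised when OPT RDATA does not parse cleanly."""

def decode_cookie(data):
    # RFC 7873: 8-byte client cookie, then no server cookie or one of 8..32 bytes.
    if len(data) != 8 and not 16 <= len(data) <= 40:
        raise MalformedOption(f"bad COOKIE length {len(data)}")
    return {"CLIENT-COOKIE": data[:8].hex(), "SERVER-COOKIE": data[8:].hex()}

def decode_options(rdata):
    """Split OPT RDATA into (name, value) pairs, refusing truncated input."""
    options, offset = [], 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise MalformedOption("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if length > len(rdata) - offset:
            raise MalformedOption(f"option {code} claims {length} bytes past end")
        data = rdata[offset:offset + length]
        offset += length
        name = OPTION_NAMES.get(code, str(code))
        if name in ("DAU", "DHU", "N3U"):
            value = list(data)          # one algorithm number per octet
        elif name == "COOKIE":
            value = decode_cookie(data)
        else:
            value = data.hex()          # unknown option: keep it opaque
        options.append((name, value))
    return options

def encode_option(code, data):
    # Helper used only to build the constructed sample below.
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample: the option values shown in the 1.19 announcement.
SAMPLE = (encode_option(5, bytes([8, 10, 13, 14, 15, 16]))
          + encode_option(6, bytes([1, 2, 4]))
          + encode_option(10, bytes.fromhex("7261776279746573")))

if __name__ == "__main__":
    for name, value in decode_options(SAMPLE):
        print(f";; {name} => {value}")
```

The length check against the remaining buffer is the part that matters when the RDATA comes from an untrusted responder: an option that claims more bytes than are present is refused rather than sliced short.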