Releases: mirage/ocaml-dns
6.0.0
CHANGES:
-
use Cstruct.length instead of deprecated Cstruct.len
-
avoid deprecated fmt functions
-
dns-client: send EDNS tcp keepalive with a timeout of 120 seconds if TCP
is used (@reynir @hannesm) -
BREAKING dns: Rr_map.get_ttl is now ttl, and takes 'a key -> 'a -> int32
(instead of b -> int32), Rr_map.with_ttl now is 'a key -> 'a -> int32 -> 'a
(instead of b -> int32 -> b) (#264 @hannesm) -
BREAKING dns: Rr_map.A now uses Ipaddr.V4.Set.t, Aaaa uses Ipaddr.V6.Set.t
(requires ipaddr 5.2.0) (#268 @hannesm) -
BREAKING dns.cache: type entry now is polymorphic ('a entry =
Entry of 'a ...) (instead ofEntry of Rr_map.b) (#263 @reynir and @hannesm) -
BREAKING dns.cache: use a LRU.F.t instead of LRU.M.t (#256 @hannesm)
-
dns.cache: provide get_or_cname and get_any function (#256 #257 @hannesm)
-
BUGFIX dns.cache: update if time to live of cached entry expired
(reported in #259 by @dinosaure, fix by @reynir and @hannesm) -
dns-client support DNS-over-TLS (RFC 7858): the type io_addr is now a variant
ofPlaintext (Ipaddr.t * int) orTls (Tls.Config.client * Ipaddr.t * int)
By default, ca-certs (ca-certs-nss for MirageOS) are used as trust anchors,
and the certificate is expected to contain the IP address of the resolver.
The default resolver (anycast.uncensoreddns.org) certificate is verified by
hostname, since the let's encrypt certificate does not include an IP address
in SubjectAlternativeNames (#270 @hannesm) -
BREAKING dns-client.mirage.Make is extended by a Mirage_clock.PCLOCK
(#270 @hannesm) -
BREAKING dns-client, dns-stub: use Dns.proto instead of custom [
TCP|UDP]
(#266 @hannesm) -
dns-client: use a
mutable timeout_ns : int64instead of
timeout_ns : int64 ref(#269 @hannesm) -
BREAKING dns-client: remove
?nameserverfrom
getaddrinfo/gethostbyname/gehostbyname6/get_resource_record - if a custom
nameserver should be queried, a distinct Dns_client.t can be constructed
(#269 @reynir and @hannesm) -
dns-client: multiplex over TCP connections (#269 @reynir and @hannesm)
-
dns-client: use happy-eyeballs to connect to all nameservers from
/etc/resolv.conf sequentially (lwt and mirage) (#269 @reynir and @hannesm) -
BREAKING dns-client remove UDP support from lwt (#270 @reynir and @hannesm)
-
BREAKING dns-resolver.mirage add DNS-over-TLS support (@reynir @hannesm)
-
BREAKING dns-resolver remove "mode" from codebase, default to recursive
(a stub resolver is available as dns-stub) (#260 @hannesm) -
dns-resolver: use dns.cache instead of copy in Dns_resolver_cache
(#256 @hannesm) -
BUGFIX dns-resolver: fix responses to queries (reported in #255 by @dinosaure,
fix in #258 by @reynir and @hannesm) -
dns-resolver: refactor and cleanup code, remove statistics, remove dead code
(#258 #261 @reynir @hannesm) -
dns-stub: reconnect to resolver, resend all outstanding queries
(#269 @hannesm)
Contributors
Assets 3
v5.0.1
v5.0.0
CHANGES:
- IPv6 support for client and server (Mirage, Unix, Lwt) (#249 #252 @hannesm)
This results in breaking changes, especially in the Mirage boilerplate,
since now a Mirage_stack.V4V6 is needed instead of a Mirage_stack.V4. - dns-certify: support EC private keys, now that X509 0.12.0 supports them
(#252 @hannesm)
v4.6.3
CHANGES:
- dns-server: wildcard support (#248 @hannesm)
- dns-certify: only dnskey needs to be a valid hostname (#247 @hannesm),
allow [`raw] Domain_name.t in signing requests (#249 @hannesm) - dns-client.resolvconf provides a parser for /etc/resolv.conf (#240 @hannesm),
used in dns-client.unix and dns-client.lwt (#241 @hannesm) - BUGFIX dns-cli notify keys are accepted in namekey_c (#242 @hannesm)
- BUGFIX dns: revise TXT resource record encoding and storage (for DKIM usage)
previously RR were cut at 255 characters (fixes #244, #245 @hannesm) - BUGFIX dns: decoding of TSIG packets (#250 @hannesm)
- BUGFIX ocertify: pem file may contain a certificate chain (#246 @hannesm)
v4.6.2
CHANGES:
- fixes for 32 bit support (OCaml-CI now runs on 32 bit) in test suite and EDNS
- dns: fix EDNS flag decoding and encoding (16 bit only)
reported in #234 by @dinosaure, fix #235 by @hannesm - dns-server: reply to unsupported EDNS version (not 0) with
rcode=16 (BadVersOrSig), as required by RFC 6891, and tested by DNS flag day
issue #166, fix in #237 by @hannesm
v4.6.1
v4.6.0
CHANGES:
- dns: bugfix for name compression when encoding names at offset > (2 ^ 14) - 1
(#225 @hannesm) - dns: allow unknown DNSKEY algorithm, TLSA certificate usage, selector,
matching type, SSHFP algorithm and typ. This makes the DNS library
future-proof for when new values are assigned (#228 @hannesm) - dns: enforce a max_rdata_length for all resource records. This ensures that
when a resource record is loaded into the server, it can be extracted via a
DNS query and transferred via IXFR/AXFR
(#230 @hannesm, reported in #229 via #225) - AXFR: encode and decode support for AXFR transfers spanning multiple messages
(#225 @hannesm) - client: do not initialize the Mirage_crypto_rng in the library, initialize
the RNG in applications (#227 @hannesm) - certify: provide cert_matches_csr function and use it (cleans up partial
ad-hoc matches which did not verify that all hostnames of the CSR are present
in the certificate) (#226 @hannesm, reported in #224)
v4.5.0
v4.4.1
v4.4.0
CHANGES:
- dns-stub, a new opam package, is a stub resolver #209 @hannesm, review by
@cfcs - embed IP address of recursive resolver only once #214 @hannesm, fixes #210,
review by @cfcs - Dns_trie.lookup returns NotAuthoritative if no SOA is present #217 @hannesm,
review by @cfcs - Secondary server is looked up in trie properly (may be in another zone, which
primary is not authoritative for the other zone) #217 @hannesm, review by
@cfcs - new function Dns.Dnskey.pp_name_key #218 @hannesm, review by @cfcs
- dns-certify uses new ACME protocol (where the intermediate certificate is
part of the issuance process) #219 @hannesm, review by @cfcs - dns-certify/dns-tsig/dns-cli: use mirage-crypto #219 @hannesm, review by @cfcs