This has been a long time coming, and I’m happy to announce the release of the Trust-DNS Resolver 0.11, an embeddable stub resolver, and the Trust-DNS Client and Server 0.16. This release has taken a long time, mainly due to much refactoring to make new features possible. I knew that there were going to be a significant number of breaking changes, but I hope the new features are worth the pain to everyone who has adopted the various libraries in their code.
The resolver continues to be the most popular library out of the project, far exceeding any of my hopes for its usage. Thank you to everyone who continues to use it and help verify it across so many platforms. For any Windows and/or Android based Rustaceans, there are some open issues about improving support on those platforms; I’d be happy to try and find some time to help guide people in this area. For this release, the Resolver didn’t see a lot of work, which is a sign that it’s becoming much more stable, and there shouldn’t be any major breaking changes. The biggest feature for it is the ability to perform queries in parallel; this defaults to 2. The internal LRU cache for the resolver was changed to be query based, rather than record based. This was done to support the resolver’s use in the server. I’d be ready to promote the resolver to 1.0, except that with the future of async/await coming, I think it makes sense to delay promotion to 1.0 until after that stabilizes.
Most of the work on this release went into the server. I had originally started this project to try and make managing DNS zones easier. For nearly the past year the entire focus of the project has been on making the resolver a stable and feature-complete tool, so I’m very excited that, with it becoming more stable, I can focus more energy on the server. I’ll list out the new features, and try and explain why I think they’re cool:
- Forward authority support - this is the biggest feature by far, and the reason the resolver saw a significant amount of refactoring. This allows the server to perform stub resolution for upstream DNS servers. It should be considered experimental, and is an optional feature.
- CNAME resolution fixed - it was disappointing to realize that CNAME resolution has (always?) been broken in the server. This also will now properly populate the response with additional records.
- NSEC record generation - this wasn’t always compliant with the standard in some edge cases, this was improved with a lot of help from @Darkspirit, thank you. This helps make trust-dns-server DNSSEC compliant.
- ANAME resolution - this is an implementation of the Address-specific DNS aliases RFC. You can think of this as CNAME for A or AAAA records at the zone apex. Technically, CNAME cannot coexist with other records at the same name/label, though some DNS providers do allow this with restrictions that are similar to ANAME.
- Additional processing - returns records that would likely be requested by a stub-resolver or client if not present in the response (saving a round trip or more). The ANAME, CNAME, MX, NS, and SRV record types are supported.
- wildcard labels - for example *.example.com, which allows the server to return records for a query of any name that would match the
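To make the wildcard and ANAME/CNAME points above concrete, here is an added example (my own code, not trust-dns-server’s implementation) of the RFC 4592 wildcard matching rules that a server must follow: a wildcard at *.example.com only synthesizes an answer when no existing name, empty non-terminals included, sits between it and the query name. The Zone type and its owner-name set are assumptions for the example.

```rust
use std::collections::BTreeSet;

/// Toy zone holding only owner names; added example (not trust-dns code)
/// implementing the RFC 4592 wildcard matching rules.
pub struct Zone { apex: String, names: BTreeSet<String> }
impl Zone {
    /// `owners` are names carrying records. Every ancestor between an owner and
    /// the apex is recorded too: such "empty non-terminals" exist for matching.
    pub fn new(apex: &str, owners: &[&str]) -> Self {
        let apex = apex.to_ascii_lowercase();
        let mut names = BTreeSet::new();
        names.insert(apex.clone());
        for owner in owners {
            let mut name = owner.to_ascii_lowercase();
            while name != apex {
                names.insert(name.clone());
                name = match name.split_once('.') {
                    Some((_, parent)) => parent.to_string(),
                    None => break,
                };
            }
        }
        Zone { apex, names }
    }

    /// Owner whose records answer `qname`: the name itself on an exact match,
    /// `*.<closest encloser>` when a wildcard applies, None for NXDOMAIN.
    /// A wildcard applies only if no existing name (empty non-terminals
    /// included) sits between it and the query name.
    pub fn lookup(&self, qname: &str) -> Option<String> {
        let q = qname.to_ascii_lowercase();
        if self.names.contains(&q) {
            return Some(q);
        }
        if !q.ends_with(&format!(".{}", self.apex)) {
            return None; // not under this zone's apex
        }
        // Walk toward the apex to find the closest encloser (longest existing ancestor).
        let mut rest = q.as_str();
        while let Some((_, parent)) = rest.split_once('.') {
            if self.names.contains(parent) {
                let wildcard = format!("*.{}", parent);
                return if self.names.contains(&wildcard) { Some(wildcard) } else { None };
            }
            rest = parent;
        }
        None
    }
}
```

The constructed zone in the test shows the case that most often surprises operators: `_ssh._tcp.host1.example.com` makes `_tcp.host1.example.com` exist, so `_telnet._tcp.host1.example.com` is NXDOMAIN rather than a wildcard match.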
The most involved feature was the forwarding support. This required some deep changes in the server to allow for async queries to the authority, in this case the resolver. I threw out three different attempts at making this change before settling on the one that’s there now. It was a slog to say the least, and the main reason this release took so long. That, and then a friend convinced me to implement ANAME, which of course turned out to take longer. Performing that work made me realize that CNAME was broken.
To support all of these changes in the server, and thinking about the fact that we might want new Authority backend implementations in the future (like Postgres or some other DB), a new battery of tests was created to make sure that any new Authority works as expected (or at least the way that I think is expected). There is a suite for each function of authorities: basic DNS, DNSSEC, and dynamic update. I’m favoring these unit tests over the integration tests I already had, as they make it easier to isolate specific functions of the authority, which wasn’t as simple when doing the same thing via a full end-to-end test. These should make it simpler for us to support new authority implementations in the future, with greater confidence in their correctness.
As always, thank you to all the contributors to this release. Here are the full release notes:
Trust-DNS Server and Client 0.16.0
- (proto) UDP Sockets not being properly closed in timeout scenarios #635
- (server) CNAME resolutions #720
- (server) NSEC evaluation for NODATA and NXDOMAIN responses #697
- (server) Call add_update_auth_key in named.rs #683 (@Darkspirit)
- (proto) support for the OPENPGPKEY and SSHFP record types #646 #647
- (server/client) support ECDSA signing with ring #688 (@Darkspirit)
- (server) forwarding support in server with trust-dns-resolver (default feature) #674
- (server) Authority trait for generic Authorities (File, Sqlite, Forwarder) #674
- (server) ANAME resolutions #720
- (server) Additional section processing for ANAME, CNAME, MX, NS, and SRV #720
- (server) Added endpoint name config to DoH and DoT TLS endpoint #714
- (proto) NAPTR record data (no additional record processing support) #731
- (server) Added support for wildcard lookups, i.e. *.example.com in zone files
- breaking (proto) UdpClientStream and UdpClientConnection refactored to associate UDP sockets to single requests #635
- breaking (server) configuration for sqlite dynamic update different, see dnssec_with_update.toml for example #622
- breaking (util)/dnskey_to_pem has been renamed to bind_dnskey_to_pem for clarity #622
- breaking (proto) Record::from_rdata no longer requires RecordType parameter #674
- breaking (server) AuthLookup inner types simplified #674
- breaking (server) RequestHandler now requires associated type for Future results of lookups #674
- breaking (server) ResponseHandler now requires Clone and 'static #674
- breaking (server) Catalog::lookup takes ownership of MessageRequest and returns a LookupFuture #674
- breaking (server) MessageRequest and Queries no longer carrying lifetime parameters #674
Trust-DNS Resolver 0.11
- Ignore UDP responses not from target src address #629 #630 #631 (@aep)
- Improved NSEC validation of responses #697
- New option to execute queries concurrently, default is 2 #615
- Lookup::record_iter for listing all records returned in request #674
- NAPTR record data (no additional record processing support) #731
- Added option to distrust Nameservers on SERVFAIL responses, continue resolution #613
- breaking Record::from_rdata no longer requires RecordType parameter #674
- LRU cache is now based on Query rather than just name #674