Initially, this was going to be a small release, but then a bunch of contributions brought a whole bunch of features! There are a few major things in this release.
On the Client side, which also is used by the Resolver, @briansmith did a significant amount of refactoring to have *ring* perform the DNSSec proof validation, making OpenSSL completely optional. This means that *ring* can be used for RSA, ECDSA and ED25519 validations. There is more work going on here to clean up the library and remove OpenSSL as a dev dependency as well, but this is a huge step in that direction.
Moving up to the Resolver, and a big thanks to @liranringel, the Resolver can now read the system DNS configuration from the Windows registry (only 64bit support at this time). This was a huge contribution, which is based off @liranringel’s new ipconfig crate for Windows. This is an awesome new addition. It can be used with the Resolver::from_system_conf method.
Additionally, @cssivision added support for reading the /etc/hosts file (on Unixes) first for lookup_ip resolutions. This can be disabled with the ResolverOpts::use_hosts_file option, and is on by default.
For myself, the NameServerPool now first prioritizes UDP for lookups prior to attempting TCP. This should fix some resolution issues where TCP connections might not actually be available. In addition to that, on truncated responses from upstream servers, the Resolver will promote to TCP and continue the Resolution (mostly important for DNSSec). This helps with large response record sets. Also, CNAME chains will be fully resolved, which was a limitation of the Resolver in the past.
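The UDP-first lookup with promotion to TCP on a truncated response, as an added Rust example (standard library only; this is not TRust-DNS code). `Transport`, `is_truncated`, `resolve` and `sample` are hypothetical names, the two transports are passed in as closures, and the messages are constructed 12-byte DNS headers.

```rust
// Added example, not TRust-DNS code; all names here are hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Transport { Udp, Tcp }

/// Reads the TC (truncated) bit of a DNS header (RFC 1035, section 4.1.1).
/// Byte 2 holds QR|Opcode|AA|TC|RD, so TC is mask 0x02.
/// Returns None when the message is shorter than the 12-byte header.
pub fn is_truncated(msg: &[u8]) -> Option<bool> {
    if msg.len() < 12 { return None; }
    Some(msg[2] & 0x02 != 0)
}

/// UDP first; promote to TCP when UDP fails or the answer is truncated.
pub fn resolve<U, T>(query: &[u8], udp: U, tcp: T) -> Result<(Transport, Vec<u8>), String>
where
    U: Fn(&[u8]) -> Result<Vec<u8>, String>,
    T: Fn(&[u8]) -> Result<Vec<u8>, String>,
{
    if let Ok(resp) = udp(query) {
        if is_truncated(&resp) == Some(false) {
            return Ok((Transport::Udp, resp));
        }
    }
    // UDP timed out, was malformed, or had TC set: repeat the query over TCP.
    let resp = tcp(query)?;
    match is_truncated(&resp) {
        Some(false) => Ok((Transport::Tcp, resp)),
        _ => Err("unusable response over TCP".to_string()),
    }
}

/// Constructed 12-byte header: ID 0x1234, given first flag byte, counts zero.
pub fn sample(flags_hi: u8) -> Vec<u8> {
    let mut m = vec![0u8; 12];
    m[0] = 0x12; m[1] = 0x34; m[2] = flags_hi;
    m
}

fn main() {
    let q = sample(0x01); // query with RD set
    // 0x83 = QR|TC|RD (truncated answer), 0x81 = QR|RD (complete answer)
    let r = resolve(&q, |_| Ok(sample(0x83)), |_| Ok(sample(0x81)));
    println!("{:?}", r.map(|(t, _)| t));
}
```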
Thank you to all the contributors in this release! Also, thank you to the users who’ve reported issues in the various TRust-DNS libraries; these reports are important to the growing stability of the libraries. Full release notes below:
- Split UDP and TCP into different NS pools, prefer UDP lookups first
- On truncated UDP responses, promote to TCP for resolution
- 64bit Windows support for reading DNS configuration! (@liranringel)
- CNAME chain resolution (where CNAME results are not returned in the same query)
- Resolution prefers /etc/hosts before querying (@cssivision)
0.12.0 Client & Server
- Server was not properly signing zone after fresh start
- RSA and ECDSA validation with ring for DNSSec, removes dependency on openssl (@briansmith)
ClientHandle, simpler form with
Query for ease of Query creation
- Large cleanup of signing and verification paths in DNSSec (@briansmith)
- TrustAnchor::insert_trust_anchor to more safely consume PublicKey rather than