Releases: mirage/ocaml-dns

v4.4.0

13 Mar 21:41
d5c369f

CHANGES:

  • dns-stub, a new opam package, is a stub resolver #209 @hannesm, review by
    @cfcs
  • embed IP address of recursive resolver only once #214 @hannesm, fixes #210,
    review by @cfcs
  • Dns_trie.lookup returns NotAuthoritative if no SOA is present #217 @hannesm,
    review by @cfcs
  • Secondary server is looked up in the trie properly (it may be in another
    zone for which the primary is not authoritative) #217 @hannesm, review by
    @cfcs
  • new function Dns.Dnskey.pp_name_key #218 @hannesm, review by @cfcs
  • dns-certify uses new ACME protocol (where the intermediate certificate is
    part of the issuance process) #219 @hannesm, review by @cfcs
  • dns-certify/dns-tsig/dns-cli: use mirage-crypto #219 @hannesm, review by @cfcs

v4.3.1

21 Jan 12:38
1b77982

CHANGES:

  • server (#207, @hannesm, review by @cfcs)
    • provide return code and request vs reply statistics
    • BUGFIX update only increases SOA.serial of zones which changed (including regression tests)
    • expose Authentication.access_granted, Authentication.zone_and_operation, Authentication.operation_to_string
  • dns (#207, @hannesm, review by @cfcs)
    • expose Rcode.to_string for metrics above

v4.3.0

09 Jan 20:22
6e9316e

CHANGES:

  • dns
    • BUGFIX Name_rr_map.remove_sub remove empty maps (#205, @hannesm)
  • server (#205, @hannesm)
    • authentication refactoring: given a key by its Domain_name.t (name._op.zone),
      this is valid for operation op for zone and subdomains thereof. The
      operation may be one of update, transfer, and notify, with an update
      key being valid for any operation, and a transfer key valid for
      notifications as well
    • Primary.create has a new optional argument unauthenticated_zone_transfer
      to allow unsigned zone transfer requests
    • the type Authentication.a and value Authentication.tsig_auth are removed
      • Primary.create and Secondary.create no longer have the a argument
    • authentication uniformly uses Authentication.access
    • handle_update / handle_axfr_request / handle_ixfr_request are provided and
      under test
    • tests for authentication and handle_question
  • client (#204, @hannesm)
    • introduce get_resource_record which is the same as getaddrinfo, but returns
      the error as variant instead of [ `Msg of string ]
    • BUGFIX follow_cname handles replies with a cname and no data for the alias
      appropriately (and a regression test has been developed)
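
The key-naming rule from the server authentication item above (name._op.zone, with an update key covering transfer and notify, and a transfer key covering notify), as an added OCaml example using only the standard library. It is not code from ocaml-dns: key_scope and key_permits are hypothetical names, the key and zone names are constructed, and treating the leftmost operation label as the separator is an assumption.

```ocaml
(* Added illustration, stdlib only, hypothetical names; not ocaml-dns code. *)
type operation = Notify | Transfer | Update
(* Privilege order from the release note: update > transfer > notify. *)
let rank = function Notify -> 0 | Transfer -> 1 | Update -> 2

let operation_of_label = function
  | "_update" -> Some Update
  | "_transfer" -> Some Transfer
  | "_notify" -> Some Notify
  | _ -> None

(* Lower-cased labels of a dotted name; the root has no labels. *)
let labels name =
  String.split_on_char '.' (String.lowercase_ascii name)
  |> List.filter (fun l -> l <> "")

(* Split the labels of a key name into (operation, zone labels). Assumption:
   the leftmost operation label is the separator. *)
let rec key_scope = function
  | [] -> None
  | l :: rest ->
    (match operation_of_label l with
     | Some op -> Some (op, rest)
     | None -> key_scope rest)

(* True if name equals zone or lies below it. Whole labels are compared from
   the right, so notexample.org is not inside example.org. *)
let in_zone ~zone name =
  let rec prefix a b = match a, b with
    | [], _ -> true
    | x :: a', y :: b' -> x = y && prefix a' b'
    | _ :: _, [] -> false
  in
  prefix (List.rev zone) (List.rev name)

let key_permits ~key ~required ~target =
  match key_scope (labels key) with
  | None -> false (* no operation label: the key grants nothing *)
  | Some (op, zone) -> rank op >= rank required && in_zone ~zone (labels target)

let () =
  (* Constructed key and zone names. *)
  let check key required target expected =
    assert (key_permits ~key ~required ~target = expected) in
  check "ns2._transfer.example.org" Transfer "example.org" true;
  check "ns2._transfer.example.org" Notify "sub.example.org" true;
  check "ns2._transfer.example.org" Update "example.org" false;
  check "ns2._transfer.example.org" Transfer "notexample.org" false;
  check "le._update" Update "example.com" true (* key scoped to the root zone *)
```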

v4.2.0

20 Nov 18:52
899f1a3

CHANGES:

  • dns
    relax resource record parsing: don't require the name to be a hostname. The
    parser used to be strict, but that violates RFC 2181 Sec 11:

    "The DNS itself places only one restriction on the particular labels that can
    be used to identify resource records. That one restriction relates to the
    length of the label and the full name."

    The previous code already had exceptions for DNSKEY, TXT, CNAME, TLSA (service
    name or host name), SRV (service name) (#201 @hannesm)

  • dns-certify
    BUGFIX provide signing_request to create certificate signing requests,
    now including all hostnames in subjectAlternativeName (previously, the
    common name was left out which is not what RFC 5280 recommends)
    (#198 @hannesm)
  • dns-server.mirage
    • provide metrics (using the metrics library) of connections and actions (#199 @hannesm)
    • BREAKING the on_update callback passed to primary has more arguments (#200 @hannesm)
      ~authenticated_key : [`raw] Domain_name.t option, ~update_source : Ipaddr.V4.t
  • dns-server
    • BREAKING handle_buf: returns Domain_name.t of key used for authentication (#200 @hannesm)
    • BUGFIX handle_update: allow modification of multiple zones at once.
      Still, each name must be within the zone given in Query.name (which
      is authenticated against), allowing a hidden let's encrypt secondary
      for multiple zones, using a key authorized for the root zone (#200 @hannesm)
    • BUGFIX Dns_trie.zone returns the zone (Domain_name.t * Soa.t) of a
      provided Domain_name.t; it now works for non-existing names, and tests
      were added (#200 @hannesm)
  • dns-mirage: log packets on debug level instead of info (#198 @hannesm)

v4.1.0

01 Nov 18:13
6c895bc

CHANGES:

  • new sublibrary dns.cache providing an LRU cache, mostly copied from resolver
  • it uses an LRU cache now (defaults to 32 entries) from dns.cache
    • since #195 a mutable LRU.M.t
  • tests were added
  • Dns_client_flow has been migrated to Dns_client
  • various code cleanups (extracted functions), better naming, improved docstrings
  • Uflow is now known as Transport
  • requires a monotonic clock on creation

v4.0.0

15 Aug 14:09
39e87e0

CHANGES:

  • Switch to uDNS implementation, developed from scratch since 2017, primarily
    focusing on a recursive caching resolver. The server part supports dynamic
    updates (RFC 2135), transaction authentication with HMAC (RFC 2845), zone
    transfer (RFC 5936), incremental zone transfer (RFC 1995), change
    notifications (RFC 1996) amongst others.
  • The core library uses a GADT for resource record sets, where the key (resource
    record type) specifies the value type.
  • The API does not leak exceptions, but uses the result type where appropriate.
  • TCP transport is well supported and used widely (client uses it by default)
  • Naming: client is a DNS client, resolver is the recursive resolver library
  • The DNS library is split into the following opam packages and sublibraries:
    • dns - the core library
    • dns-tsig - transaction signatures
    • dns-zone - zone file parser (mostly taken from the 1.x series)
    • dns-cli - command line utilities (odig, onotify, ..)
    • dns-client - pure client implementation
      • .unix - DNS client using the Unix module for communication
      • .lwt - DNS client using Lwt_unix for communication
      • .mirage - DNS client using MirageOS for communication
    • dns-certify - helpers for let's encrypt provisioning
      • .mirage - certificate provisioning with MirageOS
    • dns-mirage - generic MirageOS communication layer
    • dns-server - pure server implementation
      • .mirage - MirageOS primary and secondary server
    • dns-resolver - pure recursive resolver implementation
      • .mirage - MirageOS recursive resolver
  • Only OCaml 4.07.0 and above are supported
  • Multicast DNS has been dropped for now
  • A client using async from JS has not been implemented yet

v1.1.3

15 Jul 15:50
869aa48

CHANGES:

  • Support domain-name.0.3.0 interface, which bumps the minimum
    OCaml version supported to 4.04 due to that dependency (@avsm)
  • Fix tests with recent OCaml (use mmap/bigarray-compat) (@avsm)

v1.1.2

28 Feb 08:58

CHANGES:

  • Mirage: adapt to mirage-kv 2.0.0 interface (#156 by @samoht)

v1.1.1

25 Jan 23:45

CHANGES:

  • Support Base64.3.0.0 interface (@avsm)

v1.1.0

10 Jan 17:37

CHANGES:

  • Improve parsing robustness with:
    • invalid pointers in packets
    • taking total packet size limitations into account
    • handling unknown opcodes gracefully without an exception
      Work done by @Willy-Tan in #154.
  • Port build from jbuilder to Dune (#155 #152 #153 by @paurkedal @samoht)
  • Update opam metadata to the 2.0 format.