getdns/ChangeLog

* 2021-06-??: Version 1.7.0
  * Make TLS Handshake timeout max 4/5th of timeout for the query,
    just like connection setup timeout was, so fallback transport
    have a chance too when TCP connection setup is less well
    detectable (as with TCP_FASTOPEN on MacOS).
  * Issue #466: Memory leak with retrying queries (for examples
    with search paths). Thanks doublez13.
  * Issue #480: Handling of strptime when Cross compiling with CMake.
    A new option to FORCE_COMPAT_STRPTIME (default disabled) will
    (when disabled) make cmake assume the target platform has a POSIX
    compatible strptime when cross-compiling.
  * Setting of the number of milliseconds send data may remain
    unacknowledged by the peer in a TCP connection (when supported 
    by the OS) with getdns_context_set_tcp_send_timeout()
    Thanks maciejsszmigiero.
  * Issue #497: Fix typo in CMAKE included files, so Stubby can use
    TLS v1.3 with chipersuites options ON. Thanks har-riz.
  * Basic name compression on server replied messages. Thanks amialkow!
    This alleviates (but might not completely resolve) issues #495 and
    #320 .
  * Eventloop extensions back to the old names libgetdns_ext_event,
    libgetdns_ext_ev and libgetdns_ext_uv.

* 2020-02-28: Version 1.6.0
  * Issues #457, #458, #461: New symbols with libnettle >= 3.4.
    Thanks hanvinke & kometchtech for testing & reporting.
  * Issue #432: answer_ipv4_address and answer_ipv6_address in reply
    and response dicts.
  * Issue #430: Record and guard UDP max payload size with servers.
  * Issue #407: Run only offline-tests option with:
    src/test/tpkg/run-offline-only.sh (only with git checkouts).
  * Issue #175: Include the packet the stub resolver sent to  the
    upstream the call_reporting dict. Thanks Tom Pusateri
  * Issue #169: Build eventloop support libraries if event libraries
    are available. Thanks Tom Pusateri

* 2019-12-20: Version 1.6.0-beta.1
  * Migration of build system to cmake. Build now works on Ubuntu,
    Windows 10 and macOS.
    Some notes on minor differences in the new cmake build:
      * OpenSSL 1.0.2 or higher is now required
      * libunbound 1.5.9 is now required
      * Only libidn2 2.0.0 and later is supported (not libidn)
      * Windows uses ENABLE_STUB_ONLY=ON as the default
      * Unit and regression tests work on Linux/macOS
        (but not Windows yet)

* 2019-04-03: Version 1.5.2
  * PR #424: Two small trust anchor fetcher fixes
    Thanks Maciej S. Szmigiero
  * Issue #422: Enable server side and update client side TCP Fast
    Open implementation. Thanks Craig Andrews
  * Issue #423: Fix insecure delegation detection while scheduling.
    Thanks Charles Milette
  * Issue #419: Escape backslashed when printing in JSON format.
    Thanks boB Rudis
  * Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
    option to configure.  libcrypto (from OpenSSL) still needed
    for Zero configuration DNSSEC.
  * DOA rr-type
  * AMTRELAY rr-type

* 2019-01-11: Version 1.5.1
  * Introduce proof of concept GnuTLS implementation. Incomplete support
    for Trust Anchor validation. Requires GnuTLS DANE library. Currently
    untested with GnuTLS prior to 3.5.19, so configure demands a minumum
    version of 3.5.0.
  * Be consistent and always fail connection setup if setting ciphers/curves/
    TLS version/cipher suites fails.
  * Refactor OpenSSL usage into modules under src/openssl.
    Drop support for LibreSSL and versions of OpenSSL prior to 1.0.2.
  * PR #414: remove TLS13 ciphers from cipher_list, but
    only when SSL_CTX_set_ciphersuites is available.
    Thanks Bruno Pagani
  * Issue #415: Filter out #defines etc. when creating
    symbols file.  Thanks Zero King

* 2018-12-21: Version 1.5.0
  * RFE getdnsapi/stubby#121 log re-instantiating TLS
    upstreams (because they reached tls_backoff_time) at
    log level 4 (WARNING)
  * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
  * ZONEMD rr-type
  * getdns_query queries for addresses when a query name
    without a type is given.
  * RFE #408: Fetching of trust anchors will be retried
    after failure, after a certain backoff time. The time
    can be configured with
    getdns_context_set_trust_anchors_backoff_time().
  * RFE #408: A "dnssec" extension that requires DNSSEC
    verification.  When this extension is set, Indeterminate
    DNSSEC status will not be returned.
  * Issue #410: Unspecified ownership of get_api_information()
  * Fix for DNSSEC bug in finding most specific key when
    trust anchor proves non-existance of one of the labels
    along the authentication chain other than the non-
    existance of a DS record on a zonecut.
  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
    Configurable minimum and maximum TLS versions with
    getdns_context_set_tls_min_version() and
    getdns_context_set_tls_max_version() functions and
    tls_min_version and tls_max_version configuration parameters
    for upstreams.
  * Configurable TLS1.3 ciphersuites with the
    getdns_context_set_tls_ciphersuites() function and
    tls_ciphersuites config parameter for upstreams.
  * Bugfix in upstream string configurations: tls_cipher_list and
    tls_curve_list
  * Bugfix finding signer for validating NSEC and NSEC3s, which
    caused trouble with the partly tracing DNSSEC from the root
    up, introduced in 1.4.2.  Thanks Philip Homburg

* 2018-05-11: Version 1.4.2
  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
    in the Windows root CA store.
  * PR #397: No TCP sendto without TCP_FASTOPEN
    Thanks Emery Hemingway
  * Bugfix getdnsapi/stubby#106: Core dump when printing certain
    configuration. Thanks Han Vinke
  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
    up (for tld and sld), to find insecure delegations quicker.
    Thanks UniverseXXX
  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
    Bug was introduced when dealing with CVE-2017-15105
  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
    string bindata's.  Thanks Lonnie Abelbeck
  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
    handle ENOSYS (not implemented) fallback.
    Thanks Brent Blood
  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
    or higher. Thanks mire3212

* 2018-03-12: Version 1.4.1
  * Bugfix #388: Prevent fallback to an earlier tries upstream within a
    single query.  Thanks Robert Groenenberg
  * PR #387: Compile with OpenSSL with deprecated APIs disabled.
    Thanks Rosen Penev
  * PR #386: UDP failover improvements:
    - When all UDP upstreams fail, retry them (more or less) equally
    - Limit maximum UDP backoff (default to 1000)
      This is configurable with the --with-max-udp-backoff configure
      option.
    Thanks Robert Groenenberg
  * Bugfix: Find zonecut with DS queries (instead of SOA queries).
    Thanks Elmer Lastdrager
  * Bugfix #385: Verifying insecure NODATA answers (broken since 1.2.1).
    Thanks hanvinke
  * PR #384: Fix minor spelling and formatting.  Thanks dkg.
  * Bugfix #382: Parallel install of getdns_query and getdns_server_mon

* 2018-02-21: Version 1.4.0
  * .so revision bump to please fedora packaging system.
    Thanks Paul Wouters
  * Specify the supported curves with getdns_context_set_tls_curves_list()
    An upstream specific list of supported curves may also be given
    with the tls_curves_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * New tool getdns_server_mon for checking upstream recursive
    resolver's capabilities.
  * Improved handling of opportunistic back-off.  If other transports
    are working, don’t forcibly promote failed upstreams just wait for
    the re-try timer.
  * Hostname authentication with libressl
    Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105.  Although getdns was
    not vulnerable for this specific issue, as a precaution code has been
    adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not
    be wildcard expansions when used with DNSSEC proofs.  Only direct
    queries for those types are allowed to be wildcard expansions.
  * Bugfix PR#379: Miscelleneous double free or corruption, and corrupted
    memory double linked list detected issue, with serving functionality.
    Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinset's
    with OpenSSL native DANE functions for OpenSSL >= 1.1.0
    with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
    don't allow for authentication exceptions (like self-signed
    certificates) otherwise.  Thanks Viktor Dukhovni
  * libidn2 support.  Thanks Paul Wouters

* 2017-12-21: Version 1.3.0
  * Bugfix #300: Detect dnsmasq and skip unit test that fails with it.
    Thanks Tim Rühsen and Konomi Kitten
  * Specify default available cipher suites for authenticated TLS
    upstreams with getdns_context_set_tls_ciphers_list()
    An upstream specific available cipher suite may also be given
    with the tls_cipher_list setting in the upstream dict with
    getdns_context_set_upstream_recursive_servers()
  * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
    Thanks Pascal Ernster
  * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
    context configured upstreams.  Thanks Andreas Schulze
  * Report default extension settings with
    getdns_context_get_api_information()
  * Specify locations at which CA certificates for verification purposes
    are located: getdns_context_set_tls_ca_path()
    getdns_context_set_tls_ca_file()
  * getdns_context_set_resolvconf() function to initialize a context 
    upstreams and suffices with a resolv.conf file.
    getdns_context_get_resolvconf() to get the file used to initialize
    the context's upstreams and suffixes.
    getdns_context_set_hosts() function to initialize a context's
    LOCALNAMES namespace.
    getdns_context_get_hosts() function to get the file used to initialize
    the context's LOCALNAMES namespace.
  * get which version of OpenSSL was used at build time and at run time
    when available with getdns_context_get_api_information()
  * GETDNS_RETURN_IO_ERROR return error code
  * Bugfix #359: edns_client_subnet_private should set family
    Thanks Daniel Areiza & Andreas Schulze
  * Bugfix getdnsapi/stubby#34: Segfault issue with native DNSSEC
    validation.  Thanks Bruno Pagani

* 2017-11-11: Version 1.2.1
  * Handle more I/O error cases.  Also, when an I/O error does occur,
    never stop listening (with servers), and
    never exit (when running the built-in event loop).
  * Bugfix: Tolerate unsigned and unused RRsets in the authority section.
            Fixes DNSSEC with BIND upstream.
  * Bugfix: DNSSEC validation without support records
  * Bugfix: Validation of full recursive DNSKEY lookups
  * Bugfix: Retry to validate full recursion BOGUS replies with zero
    configuration DNSSEC only when DNSSEC was actually requested
  * Bugfix #348: Fix a linking issue in stubby when libbsd is present
    Thanks Remi Gacogne
  * More robust scheduling; Eliminating a segfault with long running
    applications.
  * Miscellaneous Windows portability fixes from Jim Hague.
  * Fix Makefile dependencies for parallel install.
    Thanks ilovezfs

* 2017-09-29: Version 1.2.0
  * Bugfix of rc1: authentication of first query with TLS
    Thanks Travis Burtrum
  * A function to set the location for library specific data,
    like trust-anchors: getdns_context_set_appdata().
  * Zero configuration DNSSEC - build upon the scheme
    described in RFC7958.  The URL from which to fetch
    the trust anchor, the verification CA and email
    can be set with the new getdns_context_set_trust_anchor_url(),
    getdns_context_set_trust_anchor_verify_CA() and
    getdns_context_set_trust_anchor_verify_email() functions.
    The default values are to fetch from IANA and to validate
    with the ICANN CA.
  * Update of Stubby with yaml configuration file and
    logging from a certain severity support.
  * Fix tpkg exit status on test failure. Thanks Jim Hague.
  * Refined logging levels for upstream statistics
  * Reuse (best behaving) backed-off TLS upstreams when non are usable.
  * Let TLS upstreams back-off a incremental amount of time.
    Back-off time starts with 1 second and is doubled each failure, but
    will not exceed the time given by getdns_context_set_tls_backoff_time()
  * Make TLS upstream management more resilient to temporary outages
    (like laptop sleeps)

* 2017-09-04: Version 1.1.3
  * Small bugfixes that came out of static analysis
  * No annotations with the output of getdns_query anymore,
    unless -V option is given to increase verbosity
    Thanks Ollivier Robert
  * getdns_query will now exit with failure status if replies are BOGUS
  * Bugfix: dnssec_return_validation_chain now also works when fallback
    to full recursion was needed with dnssec_roadblock_avoidance
  * More clear build instructions from Paul Hoffman.  Thanks.
  * Bugfix #320.1: Eliminate multiple closing of file descriptors
    Thanks Neil Cook
  * Bugfix #320.2: Array bounds bug in upstream_select
    Thanks Neil Cook
  * Bugfix #318: getdnsapi/getdns/README.md links to nonexistent wiki
    pages.  Thanks James Raftery
  * Bugfix #322: MacOS 10.10 (Yosemite) provides TCP fastopen interface
    but does not have it implemented.  Thanks Joel Purra
  * Compile without Stubby by default.  Stubby now has a git repository
    of its own.  The new Stubby repository is added as a submodule.
    Stubby will still be build alongside getdns with the --with-stubby
    configure option.

* 2017-07-03: Version 1.1.2
  * Bugfix for parallel make install
  * Bugfix to trigger event callbacks on socket errors
  * A getdns_context_set_logfunc() function with which one may
    register a callback log function for certain library subsystems
    at certain levels.  Currently this can only be used for
    upstream stastistics subsystem.

* 2017-06-15: Version 1.1.1
  * Bugfix #306 hanging/segfaulting on certain (IPv6) upstream failures
  * Spelling fix s/receive/receive.  Thanks Andreas Schulze.
  * Added stubby-setdns-macos.sh script to support Homebrew formula
  * Include stubby.conf in the districution tarball
  * Bugfix #286 reschedule reused listening addresses
  * Bugfix #166 Allow parallel builds and unit-tests
  * NSAP-PTR, EID and NIMLOC, TALINK, AVC support
  * Bugfix of TA RR type
  * OPENPGPKEY and SMIMEA support
  * Bugfix TAG rdata type presentation format for CAA RR type
  * Bugfix Zero sized gateways with IPSECKEY gateway_type 0
  * Guidance for integration with systemd
  * Also check for memory leaks with advances server capabilities.
  * Bugfix convert IP string to IP dict with getdns_str2dict() directly.

* 2017-04-13: Version 1.1.0
  * bugfix: Check size of tls_auth_name.
  * Improvements that came from Visual Studio static analysis
  * Fix to compile with libressl.  Thanks phicoh.
  * Spelling fixes.  Thanks Andreas Schulze.
  * bugfix: Reschedule request timeout when getting the DNSSEC chain.
  * getdns_context_unset_edns_maximum_udp_payload_size() to reset
    to default IPv4/IPv6 dependent edns max udp payload size.
  * Implement sensible default edns0 padding policy.  Thanks DKG.
  * Keep connections open with sync requests too.
  * Fix of event loops so they do not give up with naked timers with
    windows.  Thanks Christian Huitema.
  * Include peer certificate with DNS-over-TLS in combination with
    the return_call_reporting extension.
  * More fine grained control over TLS upstream retry and back off
    behaviour with getdns_context_set_tls_backoff_time() and
    getdns_context_set_tls_connection_retries().
  * New round robin over the available upstreams feaure.
    Enable with getdns_context_set_round_robin_upstreams()
  * Bugfix: Queue requests when no sockets available for outgoing queries.
  * Obey the outstanding query limit with STUB resolution mode too.
  * Updated stubby config file
  * Draft MDNS client implementation by Christian Huitema.
    Enable with --enable-draft-mdns-support to configure
  * bugfix: Let synchronous queries use fds > MAX_FDSETSIZE;
            By moving default eventloop from select to poll
    Thanks Neil Cook
  * bugfix: authentication failure for self signed cert + only pinset
  * bugfix: issue with session re-use making authentication appear to fail

* 2017-01-13: Version 1.0.0
  * edns0_cookies extension enabled by default (per RFC7873)
  * dnssec_roadblock_avoidance enabled by default (per RFC8027)
  * bugfix: DSA support with OpenSSL 1.1.0
  * Initialize OpenSSL just once in a thread safe way
  * Thread safety with arc4random function
  * Improvements that came from Visual Studio static analysis
    Thanks Christian Huitema
  * Conventional RFC3986 IPv6 [address]:port parsing from getdns_query
  * bugfix: OpenSSL 1.1.0 style crypto locking
    Thanks volkommenheit
  * configure tells *which* dependency is missing
  * bugfix: Exclude terminating '\0' from bindata's returned by
    getdns_get_suffix(). Thanks Jim Hague
  * Better README.md.  Thanks Andrew Sullivan

* 2016-10-19: Version 1.1.0-a2
  * Improved TLS connection management
  * OpenSSL 1.1 support
  * Stubby, Server version of getdns_query that by default listens
    on 127.0.0.1 and ::1 and reads config from /etc/stubby.conf
    and $HOME/.stubby.conf

* 2016-07-14: Version 1.1.0a1
  * Conversion functions from text strings to getdns native types:
    getdns_str2dict(), getdns_str2list(), getdns_str2bindata() and
    getdns_str2int()
  * A getdns_context_config() function that configures a context
    with settings given in a getdns_dict
  * A a getdns_context_set_listen_addresses() function and companion
    getdns_reply() function to construct simple name servers.
  * Relocate getdns_query to src/tools and build by default
  * Enhancements to the logic used to select connection based upstream
    transports (TCP, TLS) to improve robustness and re-use of
    connections/upstreams.

* 2016-07-14: Version 1.0.0b2
  * Collect coverage information from the unit tests
    Thanks Shane Kerr
  * pkg-config for the getdns_ext_event library
    Thanks Tom Pusateri
  * Bugfix: Multiple requests on the same upstream with a transport 
    that keeps connections open in synchronous stub mode.
  * Canonicalized DNSSEC chain with dnssec_return_validation_chain
    (when validated)
  * A dnssec_return_full_validation_chain extension which includes
    then validated resource records.
  * Bugfix: Callbacks fired while scheduling (answer from cache)
    with the unbound plugable event API
  * header extension to set opcode and flags in stub mode
  * Unit tests that cover more code
  * Static checking with the clang analyzer
  * getdns_pretty_print_dict prints dname's as primitives
  * Accept just bindata's instead of address dicts.
    Allow misshing "address_type" in address dicts.
  * TLS session resumption
  * -C <config file> option to getdns_query to configure context 
    from a json like formatted file.  The output of -i (print API
    information) can be used as config file directly.
    Settings may also be given in this format as arguments of
    the getdns_query command directly.
  * DNS server mode for getdns_query.  Enable by providing addresses
    to listen on, either by giving "-z <listen address>" options or by
    providing "listen_addresses" in the config file or settings.
  * Bugfixes from deckard testing: CNAME loop protection.
  * "srv_addresses" in response dict with getdns_service()
  * use libbsd when available
    Thanks Guillem Jover
  * Bugfix: DNSSEC wildcard validation issue
  * Bugfix: TLS timeouts not re-using a connection
  * A getdns_context_get_eventloop(), to get the current
    (pluggable) eventloop from context
  * getdns_query now uses the default event loop (instead of custom)
  * Return call_reporting info in case of timeout
    Thanks Robert Groenenberg
  * Bugfix: Build fails with autoconf 2.63, works with 2.68.
    Thanks Robert Groenenberg
  * Doxygen output for getdns.h and getdns_extra.h only
  * Do not call SSL_library_init() from getdns_context_create() when
    the second bit from the set_from_os parameter is set.

* 2016-03-31: Version 1.0.0b1
  * openssl 1.1.0 support
  * GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST default suffix handling
  * getdns_context_set_follow_redirects()
  * Read suffix list from registry on Windows
  * A dnssec_return_all_statuses extension
  * Set root servers without temporary file (libunbound >= 1.5.8 needed)
  * Eliminate unit test's ldns dependency
  * pkts wireformat <-> getdns_dict <-> string
    conversion functions
  * Eliminate all side effects when doing sync requests
    (libunbound >= 1.5.9 needed)
  * Bugfix: Load gost algorithm if digest is seen before key algorithm
    Thanks Jelte Janssen
  * Bugfix: Respect DNSSEC skew.
  * Offline dnssec validation for any given point in time
  * Correct return value in documentation for getdns_pretty_print_dict().
    Thanks Linus Nordberg
  * Bugfix: Don't treat "domain" or "search" as a nameserver.
    Thanks Linus Nordberg
  * Use the default CA trust store on Windows (for DNS over TLS).
  * Propagate eventloop to unbound when unbound has pluggable event loops
    (libunbound >= 1.5.9 needed)
  * Replace mini_event extension by default_eventloop
  * Bugfix: Segfault on NULL pin
  * Bugfix: Correct output of get_api_settings
  * Bugfix: Memory leak with getdns_get_api_information() 
    Thanks Robert Groenenberg.

* 2015-12-31: Version 0.9.0
  * Update of unofficial extension to the API that supports stub mode 
    TLS verification. GETDNS_AUTHENTICATION_HOSTNAME is replaced by 
    GETDNS_AUTHENTICATION_REQUIRED (but remains available as an alias). 
    Upstreams can now be configured with either a hostname or a SPKI pinset 
    for TLS authentication (or both). If the GETDNS_AUTHENTICATION_REQUIRED
    option is used at least one piece of authentication information must be 
    configured for each upstream, and all the configured authentication 
    information for an upstream must validate.
  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting
  * Bugfix: configure problem with getdns-0.5.1 on OpenBSD
    Thanks Claus Assmann.
  * pkg-config support.  Thanks Neil Cook.
  * Functions to convert from RR dicts to wireformat and text format
    and vice versa.  Including a function that builds a getdns_list
    of RR dicts from a zonefile.
  * Use the with the getdns_context_set_dns_root_servers() function
    provided root servers in recursing resolution modus.
  * getdns_query option (-f) to read a DNSSEC trust anchor from file.
  * getdns_query option (-R) to read a "root hints" file.
  * Bugfix: Detect and prevent duplicate NSEC(3)s to be returned with
    dnssec_return_validation_chain.
  * Bugfix: Remove duplicate RRs from RRsets when DNSSEC verifying
  * Client side edns-tcp-keepalive support
  * TSIG support + getdns_query syntax to specify TSIG parameters
    per upstream: @<ip>[^[<algorithm>:]<name>:<secret in Base64>]
  * Bugfix: Allow truncated answers to be returned in case of missing
    fallback transport.
  * Verify upstream TLS pubkeys with pinsets; A getdns_query option
    (-K) to attach pinsets to getdns_contexts.
    Thanks Daniel Kahn Gillmor
  * Initial support for Windows.  Thanks Gowri Visweswaran
  * add_warning_for_bad_dns extension
  * Try and retry with suffixes giving with getdns_context_set_suffix()
    following directions given by getdns_context_set_append_name()
    getdns_query options to set suffixes and append_name directions:
    '-W' to append suffix always (default)
    '-1' to append suffix only to single label after failure
    '-M' to append suffix only to multi label name after failure
    '-N' to never append a suffix
    '-Z <suffixes>' to set suffixes with the given comma separated list
  * Better help text for getdns_query (printed with the '-h' option)
  * Setting the +specify_class extension with getdns_query
  * Return NOT_IMPLEMENTED for not implemented namespaces, and the
    not implemented getdns_context_set_follow_redirects() function.

* 2015-11-18: Version 0.5.1
  * Bugfix: growing upstreams arrow.
  * Bugfix: Segfault on timeout in specific conditions
  * Bugfix: install getdns_extra.h from build location
  * Bugfix: Don't let cookies overwrite existing EDNS0 options
  * Don't link libdl
  * The EDNS(0) Padding Option (draft-mayrhofer-edns0-padding).
    When using DNS over TLS, query sizes will be padded to multiples
    of a block size given with:
    getdns_context_set_tls_query_padding_blocksize()
  * An EDNS client subnet private option, that will ask a EDNS client
    subnet aware resolver to not reveal any details about the 
    originating network.  See: draft-ietf-dnsop-edns-client-subnet
    Set with: getdns_context_set_edns_client_subnet_private()
  * The return_call_debugging extension.  The extension will also return
    the transport used on top of the information about the request which
    is described in the API spec.
  * A dnssec_roadblock_avoidance extension.  When set, the library will
    work in stub resolution mode and try to get a by DNSSEC validation
    assessed answer.  On BOGUS answers the library will retry rescursive
    resolution mode.  This is the simplest form of passive roadblock
    detection and avoidance: draft-ietf-dnsop-dnssec-roadblock-avoidance.
    Use the --enable-draft-dnssec-roadblock-avoidance option to configure
    to compile with this extension.

* 2015-10-29: Version 0.5.0
  * Native crypto.  No ldns dependency anymore.
    (ldns still necessary to be able to run tests though)
  * JSON pointer arguments to getdns_dict_get_* and getdns_dict_set_* 
    to dereference nested dicts and lists.
  * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned
    DS answers close to the root.  Thanks Theogene Bucuti!
  * Default port for TLS changed to 853
  * Unofficial extension to the API to allow TLS hostname verification to be
    required for stub mode when using only TLS as a transport. 
    When required a hostname must be supplied in the
    'hostname' field of the upstream_list dict and the TLS cipher suites are
    restricted to the 4 AEAD suites recommended in RFC7525.

* 2015-09-09: Version 0.3.3
  * Fix clearing upstream events on shutdown
  * Fix dnssec validation of direct CNAME queries.
    Thanks Simson L. Garfinkel.
  * Fix get_api_information():version_string also for release candidates

* 2015-09-04: Version 0.3.2
  * Fix returned upstreams list by getdns_context_get_api_information()
  * Fix some autoconf issues when srcdir != builddir
  * Fix remove build date from manpage version for reproducible builds
  * Fix transport fallback issues plus transport fallback unit test script
  * Fix string bindata's need not contain trailing zero byte
  * --enable-stub-only configure option for stub only operation.
    Stub mode will be the default.  Removes the dependency on libunbound
  * --with-getdns_query compiles and installs the getdns_query tool too
  * Fix assert on context destruction from a callback in stub mode too.
  * Use a thread instead of a process for running the unbound event loop.

* 2015-07-18: Version 0.3.1
  * Fix repeating rdata fields

* 2015-07-17: Version 0.3.0
  * Unit test for spurious execute bits.  Thanks Paul Wouters.
  * Added new transport list options in API. The option is now an ordered
    list of GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP,
    GETDNS_TRANSPORT_TLS, GETDNS_TRANSPORT_STARTTLS.
  * Added new context setting for idle_timeout
  * CSYNC RR type
  * EDNS0 COOKIE option code set to 10
  * dnssec_return_validation_chain for negative and insecure responses.
  * dnssec_return_validation_chain return a single RRSIG on each RRSET
    (whenever possible)
  * getdns_validate_dnssec() accept replies from the replies_tree
  * getdns_validate_dnssec() asses negative and insecure responses.
  * Native stub dnssec validation
  * Implemented getdns_context_set_dnssec_trust_anchors()
  * Switch freely between stub and recursive mode
  * getdns_query -k shows default trust anchors
  * functions and defines to get library and API versions in string
    and numeric values: getdns_get_version(), getdns_get_version_number(),
    getdns_get_api_version() and getdns_get_api_version_number()

* 2015-05-21: Version 0.2.0
  * Fix libversion numbering:  Thanks Daniel Kahn Gillmor
  * run_once method for the libevent extension
  * autoreconf -fi on FreeBSD always, because of newer libtool version
    suitable for FreeBSD installs too.  Thanks Robert Edmonds
  * True asynchronous processing of the new TLS transport options
  * GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
    transport option.
  * Manpage fixes: Thanks Anthony Kirby

* 2015-04-19: Version 0.1.8
  * The GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN and
    GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
    DNS over TLS transport options. 

* 2015-04-08: Version 0.1.7
  * Individual getter functions for context settings
  * Fix: --with-current-date function to make build deterministically
    reproducible (i.e. the GETDNS_COMPILATION_COMMENT define from
    getdns.h contains a date value).  Thanks Ondřej Surý
  * Fix: Include m4 dir in distribution tarball
  * Fix: Link build requirements in tests too.  Thanks Ondřej Surý
  * Fix: Remove executable flags on source files.  Thanks Paul Wouters
  * Fix: Return "just_address_answers" only when queried for addresses
  * Eliminate ldns intermediate wireformat parsing
  * The CSYNC RR type
  * Fix: canonical_name in response dict returns the canonical name
    found after following all CNAMEs
  * Implementation of the section 6 and 7 version of 
    draft-ietf-dnsop-cookies-01.txt for stub resolution.  Enable with the
    --enable-draft-edns-cookies option to configure.  Use it by setting the
    edns_cookies extension to GETDNS_EXTENSION_TRUE.
  * Pretty printing of lists with:
    char *getdns_pretty_print_list(getdns_list *list)
  * Output to json format with:
    char * getdns_print_json_dict(const getdns_dict *some_dict, int pretty);
    char * getdns_print_json_list(const getdns_list *some_list, int pretty);
  * snprintf style versions of the dict, list and json print functions.
  * Better random number generation with OpenBSD's arc4random
  * Let getdns_address schedule the AAAA query first.  This results in AAAA
    being the first in the just_address_answers sections of the response dict.
  * New context update callback function to also return a user given argument
    along with the context and which item was changed.
    Thanks Scott Hollenbeck.
  * Demotivate use of getdns_strerror and expose getdns_get_errorstr_by_id.
    Thanks Scott Hollenbeck.
  * A getter for context update callback, to allow for chaining update
    callbacks.

* 2015-01-16: Version 0.1.6
  * Fix: linking against libev on FreeBSD
  * Fix: Let configure report problem on FreeBSD when configuring with
    libevent and libunbound <= 1.4.22 is not compiled with libevent.
  * Fix: Build on Mac OS-X
  * Fix: Lintian errors in manpages
  * Better libcheck detection
  * Better portability with UNIX systems

* 2014-10-31: Version 0.1.5
  * Unit tests for transport settings
  * Fix: adhere to set maximum UDP payload size
  * API change: when no maximum UDP payload size is set, outgoing
    values will adhere to the suggestions in RFC 6891 and may follow
    a scheme that uses multiple values to maximize receptivity.
  * Stub mode use 1232 maximum UDP payload size when connecting to an
    IPv6 upstreams and 1432 with an IPv4 upstream.
  * Evaluate namespaces (or not) on a per query basis
  * GETDNS_NAMESPACE_LOCALNAMES namespace now gives just_address_answers
    only and does not mimic a DNS packet answer anymore
  * The add_opt_parameters extension
  * IPv6 scope_id support with link-local addresses.  Both with parsing
    /etc/resolv.conf and by providing them explicitly via
    getdns_context_set_upstream_recursive_servers
  * Query for A and AAAA simultaneously with return_both_v4_and_v6
  * GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN DNS transport
  * Fix: Answers without RRs in query secion (i.e. REFUSED)
  * Fix: Return empty response dict on timeout in async mode too
  * Move spec examples to spec subdirectory
  * Fix issue#76: Setting UDP Payload size below 512 should not error
  * Fix: Include OPT RR in response dict always (even without options)
  * TCP Fast open support (linux only).
    Enable with the --enable-tcp-fastopen configure option
  * Bump library version because of binary API change

* 2014-09-03: Version 0.1.4
  * Synchronous resolves now respect timeout setting,
  * On timeout *_sync functions now return GETDNS_RETURN_GOOD and a
    response dict with "status" GETDNS_RESPSTATUS_ALL_TIMEOUT>
  * Fix issue#50: getdns_dict_remove_name returns GETDNS_RETURN_GOOD on
    success.
  * Fix Issue#54: set_ub_dns_transport() not working
  * Fix Issue#49: Typo in documentation (thanks Stephane Bortzmeyer)
  * getdns_context_set_limit_outstanding_queries(),
    getdns_context_set_dnssec_allowed_skew() and
    getdns_context_set_edns_maximum_udp_payload_size() now working
  * <rr>_unknown rdata field for unknown or unsupported RR types
  * Temporarily disable timeout unit test 3 because of unpredictable results
  * Spec updated to version 0.507
  * Renamed "resolver_type" to "resolution_type" in dict returned from
    getdns_context_get_api_information()
  * Added GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS return code for with the
    dnssec_return_only_secure extension
  * Added support for CDS and CDNSKEY RR types, but needs ldns > 1.6.17 to
    be able to parse the wire format (not released yet at time of writing)
  * Added OPENPGPKEY RR type, but no rdata fields implementation yet
  * Updated spec to version 0.508 (September 2014)
  * Also chase NSEC and NSEC3 RRSIGs with dnssec_return_validation_chain

* 2014-06-25: Version 0.1.3
  * libtool chage, remove -release, added -version-info
  * Update specification to the June 2014 version (0.501)

* 2014-06-02: Version 0.1.2
  * Fixed rdata fields for MX
  * Expose only public API symbols
  * Updated manpages
  * specify_class extension
  * Build from separate build directory
  * Anticipate libunbound not returning the answer packet
  * Pretty print bindata's representing IP addresses
  * Anticipate absence of implicit DSO linking
  * Mention getdns specific options to configure in INSTALL
    Thanks Paul Hoffman
  * Mac OSX package built instructions for generic user in README.md
    Thanks Joel Purra
  * Fixed build problems on RHEL/CentOS due using libevent 1.x


* 2014-03-24 : Version 0.1.1
  * default to NOT build extensions (libev, libuv, libevent), handle
    --with/--without options to configure for them
  * Fixed some build/make nits
  * respect configure --docdir=X
  * Documentation/man page updates
  * Fix install and cpp guards in getdns_extra.h
  * Add method to switch between threads and fork mode for unbound
  * Fixes for libuv integration (saghul)
  * Fixes for calling getdns_destroy_context within a callback
  * Fixed signal related defines/decls


* 2014-02-25 : Version 0.1.0
  * Initial public release of the getdns API