Releases: mirage/ocaml-dns
6.0.1
6.0.0
CHANGES:
- use Cstruct.length instead of deprecated Cstruct.len
- avoid deprecated fmt functions
- dns-client: send EDNS TCP keepalive with a timeout of 120 seconds if TCP
  is used (@reynir @hannesm)
- BREAKING dns: Rr_map.get_ttl is now ttl, and takes 'a key -> 'a -> int32
  (instead of b -> int32), Rr_map.with_ttl now is 'a key -> 'a -> int32 -> 'a
  (instead of b -> int32 -> b) (#264 @hannesm)
- BREAKING dns: Rr_map.A now uses Ipaddr.V4.Set.t, Aaaa uses Ipaddr.V6.Set.t
  (requires ipaddr 5.2.0) (#268 @hannesm)
- BREAKING dns.cache: type entry is now polymorphic ('a entry = Entry of 'a ...)
  (instead of Entry of Rr_map.b) (#263 @reynir and @hannesm)
- BREAKING dns.cache: use a LRU.F.t instead of LRU.M.t (#256 @hannesm)
- dns.cache: provide get_or_cname and get_any functions (#256 #257 @hannesm)
- BUGFIX dns.cache: update if time to live of cached entry expired
  (reported in #259 by @dinosaure, fix by @reynir and @hannesm)
- dns-client: support DNS-over-TLS (RFC 7858): the type io_addr is now a variant
  of `Plaintext (Ipaddr.t * int) or `Tls (Tls.Config.client * Ipaddr.t * int).
  By default, ca-certs (ca-certs-nss for MirageOS) are used as trust anchors,
  and the certificate is expected to contain the IP address of the resolver.
  The default resolver (anycast.uncensoreddns.org) certificate is verified by
  hostname, since the Let's Encrypt certificate does not include an IP address
  in SubjectAlternativeNames (#270 @hannesm)
- BREAKING dns-client.mirage.Make is extended by a Mirage_clock.PCLOCK
  (#270 @hannesm)
- BREAKING dns-client, dns-stub: use Dns.proto instead of custom [`TCP | `UDP]
  (#266 @hannesm)
- dns-client: use a mutable timeout_ns : int64 instead of
  timeout_ns : int64 ref (#269 @hannesm)
- BREAKING dns-client: remove ?nameserver from
  getaddrinfo/gethostbyname/gethostbyname6/get_resource_record - if a custom
  nameserver should be queried, a distinct Dns_client.t can be constructed
  (#269 @reynir and @hannesm)
- dns-client: multiplex over TCP connections (#269 @reynir and @hannesm)
- dns-client: use happy-eyeballs to connect to all nameservers from
  /etc/resolv.conf sequentially (lwt and mirage) (#269 @reynir and @hannesm)
- BREAKING dns-client: remove UDP support from lwt (#270 @reynir and @hannesm)
- BREAKING dns-resolver.mirage: add DNS-over-TLS support (@reynir @hannesm)
- BREAKING dns-resolver: remove "mode" from codebase, default to recursive
  (a stub resolver is available as dns-stub) (#260 @hannesm)
- dns-resolver: use dns.cache instead of a copy in Dns_resolver_cache
  (#256 @hannesm)
- BUGFIX dns-resolver: fix responses to queries (reported in #255 by @dinosaure,
  fix in #258 by @reynir and @hannesm)
- dns-resolver: refactor and clean up code, remove statistics, remove dead code
  (#258 #261 @reynir @hannesm)
- dns-stub: reconnect to resolver, resend all outstanding queries
  (#269 @hannesm)
v5.0.1
v5.0.0
CHANGES:
- IPv6 support for client and server (Mirage, Unix, Lwt) (#249 #252 @hannesm)
  This results in breaking changes, especially in the Mirage boilerplate,
  since now a Mirage_stack.V4V6 is needed instead of a Mirage_stack.V4.
- dns-certify: support EC private keys, now that X509 0.12.0 supports them
  (#252 @hannesm)
v4.6.3
CHANGES:
- dns-server: wildcard support (#248 @hannesm)
- dns-certify: only dnskey needs to be a valid hostname (#247 @hannesm),
  allow [`raw] Domain_name.t in signing requests (#249 @hannesm)
- dns-client.resolvconf provides a parser for /etc/resolv.conf (#240 @hannesm),
  used in dns-client.unix and dns-client.lwt (#241 @hannesm)
- BUGFIX dns-cli: notify keys are accepted in namekey_c (#242 @hannesm)
- BUGFIX dns: revise TXT resource record encoding and storage (for DKIM usage);
  previously RRs were cut at 255 characters (fixes #244, #245 @hannesm)
- BUGFIX dns: decoding of TSIG packets (#250 @hannesm)
- BUGFIX ocertify: pem file may contain a certificate chain (#246 @hannesm)
v4.6.2
CHANGES:
- fixes for 32 bit support (OCaml-CI now runs on 32 bit) in test suite and EDNS
- dns: fix EDNS flag decoding and encoding (16 bit only)
  (reported in #234 by @dinosaure, fix #235 by @hannesm)
- dns-server: reply to unsupported EDNS version (not 0) with rcode=16
  (BadVersOrSig), as required by RFC 6891, and tested by DNS flag day
  (issue #166, fix in #237 by @hannesm)
v4.6.1
v4.6.0
CHANGES:
- dns: bugfix for name compression when encoding names at offset > (2 ^ 14) - 1
  (#225 @hannesm)
- dns: allow unknown DNSKEY algorithm, TLSA certificate usage, selector,
  matching type, SSHFP algorithm and typ. This makes the DNS library
  future-proof for when new values are assigned (#228 @hannesm)
- dns: enforce a max_rdata_length for all resource records. This ensures that
  when a resource record is loaded into the server, it can be extracted via a
  DNS query and transferred via IXFR/AXFR
  (#230 @hannesm, reported in #229 via #225)
- AXFR: encode and decode support for AXFR transfers spanning multiple messages
  (#225 @hannesm)
- client: do not initialize the Mirage_crypto_rng in the library, initialize
  the RNG in applications (#227 @hannesm)
- certify: provide cert_matches_csr function and use it (cleans up partial
  ad-hoc matches which did not verify that all hostnames of the CSR are present
  in the certificate) (#226 @hannesm, reported in #224)