NEWS
$Id$
OpenDNSSEC 2.0.0a4 (EnforcerNG branch)
* SUPPORT-72: Improve logging when the serial cannot be incremented during a
key rollover with serial value "keep" [OPENDNSSEC-461].
* OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts the
enforcer to run once and only process the specified policy and associated
zones.
* OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml.
Default value remains PT0S.
* OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen'
command so the user can choose not to notify the enforcer.
* OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - the zone add command
warns if a specified zone file or adapter file does not exist.
* OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input>
and <output> values for DNS adapters.
* OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import' to
check if there is a matching key in the repository before import.
* OPENDNSSEC-281: Enforcer NG: Commandhandler sometimes unresponsive.
* OPENDNSSEC-276: Enforcer NG: HSM initialized after fork().
* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default TTL again, to
prevent bad caching effects on resolvers.
* OPENDNSSEC-428: Add option for 'ods-ksmutil key generate' to take
number of zones as a parameter.
* OPENDNSSEC-515: Signer Engine: Don't replace tabs in RR with whitespace.
Bugfixes:
* OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature
cleanup.
* OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly.
* OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back
to AXFR.
* OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use
inbound serial.

OpenDNSSEC 2.0.0a3 (EnforcerNG branch) - 2012-06-18
Bugfixes:
* SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write
error [OPENDNSSEC-427].
* SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection
error during signing [OPENDNSSEC-444].
* OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg
fault when run directly on command line (i.e. not via interactive mode).
* OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create
too many keys if there are keys already available and the KSK and ZSK use
same algorithm and length.
* OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead
of memory. Makes response non-blocking.
* OPENDNSSEC-425: Change "hsmutil list" output so that the table header goes
to stdout not stderr.
* OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create
too many keys for <SharedKeys/> policies when KSK and ZSK use same
algorithm and length.
* OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling.
* Signer Engine: Improved Inbound XFR checking.
* Signer Engine: Fix double free corruption in case of adding zone with
DNS Outbound Adapters and NotifyCommand enabled.
* Enforcer: Limit number of pregenerated keys when using <SharedKeys>.
* Enforcer: MySQL database backend implemented.
* Enforcer: New directive <MaxZoneTTL> to make safe assumptions about
zonefile.
* Enforcer: New zone add command, allow specifying adapters.
* Enforcer: New zone del command, use --force for still signed zones.
* Enforcer: Pre-generate keys on the HSM.
* Enforcer: SQLite database backend implemented.

OpenDNSSEC 2.0.0-trunk
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
Minimum change.
Bugfixes:
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.

OpenDNSSEC 1.4.1 - 2013-06-27
* SUPPORT-58: Extend ods-signer sign <zone> with --serial <nr> so that the user
can specify the SOA serial to use in the signed zone [OPENDNSSEC-401].
* OPENDNSSEC-91: Make the keytype flag required when rolling keys.
Bugfixes:
* SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound
serial [OPENDNSSEC-420].
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
Minimum change.
* OPENDNSSEC-421: Signer Engine: Fix assertion error in case NSEC3 hash
algorithm in signconf is not SHA1.
* OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm in kasp
is valid.
* Bugfix: The time at which the inbound serial is acquired was reset
incorrectly, which could cause OpenDNSSEC to expect AXFR responses while
requesting IXFR (thanks Stuart Lau).
* Bugfix: Fix malformed subsequent packets in outbound IXFR over TCP (thanks
Stuart Lau).
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly
when rolling all keys using the --policy option.

OpenDNSSEC 1.4.0 - 2013-04-22
* Production release of 1.4
* Versioning scheme and release support policies updated
* Summary of changes in 1.4 can be found on the wiki:
http://wiki.opendnssec.org/display/DOCS

OpenDNSSEC 1.4.0rc3 - 2013-03-15
* Further testing of OPENDNSSEC-387 completed, release returned to rc status.

OpenDNSSEC 1.4.0b3 - 2013-02-20
Note: This release is marked as a beta release (rather than rc3) due to
OPENDNSSEC-387, which is a significant functional change compared to rc2.
* OPENDNSSEC-387: Rollback of multi-threaded enforcer. Due to key allocation
issues the usefulness of the threaded enforcer is outweighed by the code
complications. The option still remains in conf.xml for compatibility with
existing use; but it will now be silently ignored.
Bugfixes:
* OPENDNSSEC-183: Enforcer: If there are no DNSKEYs, use the negative TTL as
TTL(DNSKEY).
* OPENDNSSEC-185: Enforcer: Used wrong value for negative caching.
* OPENDNSSEC-206: Enforcer: Notify Signer on generating new signer
configuration.
* OPENDNSSEC-224: Enforcer: Fix rolling simultaneous keys.
(e.g. emergency roll)
* OPENDNSSEC-271: Enforcer: Signer configurations w/o keys are now accepted.
* Enforcer: Handle cases where negative cache > positive cache.
* Enforcer: Take resign interval into account when signer does smooth
rollover.
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
the inbound serial.
* SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates
NSEC3PARAM and DNSKEY RRset [OPENDNSSEC-389].
* OPENDNSSEC-389: Input DNS Adapter incorrectly updating NSEC3PARAM and DNSKEY
RRsets.
Known Issues:
* Enforcer: Key material not always reused when using <SharedKeys>.
* Enforcer: Lacking documentation.
* Enforcer: No migration tools.

OpenDNSSEC EnforcerNG branch alpha2 - 2011-10-18
* Enforcer: Automatically introduce keys marked as manual, like the other
enforcer.
* Enforcer: Automatically retract never submitted DS records.
* Enforcer: CSK is now configurable.
* Enforcer: Do not allow lifetime of key to be shorter than TTL.
* Enforcer: Support for RollOverType in kasp.xml.
Bugfixes:
* Enforcer: Fixed concurrency related crashes.
* Enforcer: Remove some scheduling when waiting for user input.
* Enforcer: Schedule the purging of keys.

OpenDNSSEC EnforcerNG branch alpha1 - 2011-09-23
HIGH-LEVEL DESIGN GOALS:
* Support for a large number of zones. The enforcer should reasonably be
usable with many zones, think order of magnitude 50,000 concurrent zones.
* Allow for future rollover strategies. Provide a generic framework to
implement other kinds of rollovers in the future.
* Drop in replacement. Should replace the current enforcer but keep the same
interface and provide migration scripts from earlier installs.

Trunk
Bugfixes:

OpenDNSSEC 1.4.0rc2 - 2013-01-25
* OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for
reading.
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for
a key is changed in a policy (as this rollover is not handled cleanly).
Bugfixes:
* SUPPORT-44: Signer Engine: Drop privileges after binding to socket
[OPENDNSSEC-364].
* Signer Engine: XFR not ready should not be a fatal status for task read
(thanks Ville Mattila).
* OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.

OpenDNSSEC 1.4.0rc1 - 2013-01-10
* OPENDNSSEC-359: Remove eppclient.

OpenDNSSEC 1.4.0b2 - 2012-12-17
* OPENDNSSEC-292: Provide scripts to convert database between different
supported formats.
* OPENDNSSEC-299: ods-ksmutil: ods-ksmutil <enter> now includes policy import.
* OPENDNSSEC-300: ods-ksmutil: policy purge documented with a warning.
* OPENDNSSEC-315: "ods-hsmutil logout" will delete any credentials in the
shared memory.
* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL should be set to zero.
* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27).
* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process.
* ods-ksmutil: Deprecate the one-step key backup command.
Bugfixes:
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
* OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by
valgrind.
* OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals
between apex and delegation when DS is added/removed.
* Signer Engine: Fixed locking and notification on the drudge work queue,
signals could be missed so that drudgers would stall when there was work to
be done.
* libhsm: Fixed PIN handling on OpenBSD.
* Enforcer: If enabled enforcer workers and configured number of workers is 1,
make sure that enforcer runs the signer update command after signer
configuration change.
* Signer Engine: Don't add double RRSIGs generated by the same key for the
DNSKEY RRset.
* Signer Engine: Rollback incompleted zone transfers on disk (could happen
if a connection was reset during transfer).
* Multi-threaded enforcer: various minor fixes including deadlock problems.

OpenDNSSEC 1.4.0b1 - 2012-09-06
* OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be
entered using "ods-hsmutil login" and is stored in shared memory. The daemons
will not start until this has been done by the user.
* OPENDNSSEC-297: Enforcer: Multi-threaded option available for the enforcer to
improve performance (MySQL only).
* OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify>
and <RequestTransfer> elements are now optional, but if provided they require
one or more <Peer> or <Remote> elements.
Bugfixes:
* OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG
record.
* OPENDNSSEC-261: Signer Engine: Ldns fails to parse RR that seems
syntactically correct.
* OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr
struct.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-318: Signer Engine: Don't stop dns and xfr handlers if these
threads have not yet been started.
* OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
* OPENDNSSEC-325: Signer Engine: Don't include RRSIG records when DO bit is
not set.
* OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be
transferred from master and has been expired.

OpenDNSSEC 1.4.0a3 - 2012-08-08
* OPENDNSSEC-258: Optionally include cka_id in output to
DelegationSignerSubmitCommand.
Bugfixes:
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys
as dead (rather than actually removing them). Leave the key removal to purge
jobs.
* SUPPORT-29: Signer Engine: Fix ods-signer clear <zone> command exits
prematurely [OPENDNSSEC-289].
* SUPPORT-30: Signer Engine: RRSIGs are left in the signed zone when
authoritative RRsets become glue [OPENDNSSEC-282].
* OPENDNSSEC-278: ods-ksmutil processes waiting forever to get DB lock.
* OPENDNSSEC-290: Signer Engine: Fix false conflict when changing CNAME into
other RRtype.
* OPENDNSSEC-298: Enforcer: Only unlink existing pidfile on exit if we wrote it.
* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists
and corresponding process is running, then complain and exit.
* OPENDNSSEC-306: Can't delete zone until Enforcer made signconf.
* Fix assertion error when printing signed zone with empty non-terminals and
NSEC.
* Make setting QUERY ID in XFR requests more random.

OpenDNSSEC 1.4.0a2 - 2012-05-24
* OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address
with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}.
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
(RFC 2317).
* OPENDNSSEC-249: ods-ksmutil: If key export finds nothing to do then say so
rather than display nothing which might be misinterpreted.
* OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional.
* OPENDNSSEC-263: Signer Engine: Added EDNS0 support, so that zone transfers
and SOA requests with OPT RRs are possible.
* Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.)
Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
Minimum change.
* OPENDNSSEC-252: Signer Engine: Mark xfrhandler started, so that we don't
try to join a non-existing thread on exit.
* OPENDNSSEC-259: Signer Engine: Fix assertion failure for outbound AXFR for
large zones.
* OPENDNSSEC-264: Signer Engine: Fix assertion error on reading IXFR from
backup.
* OPENDNSSEC-265: Signer Engine: Fix crash in corner cases when signing zone
with NSEC3 and Opt-out.
* OPENDNSSEC-267: Signer Engine: Sign NOTIFY OK response with TSIG, if present
in the query and ACL.

OpenDNSSEC 1.4.0a1 - 2012-03-15
* Auditor: The Auditor has been removed.
* Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
* Enforcer: Stop multiple instances of the Enforcer running by checking for
the pidfile at startup. If you want to run multiple instances then a
different pidfile will need to be specified with the -P flag.
* Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS
records for output.
* Enforcer/ods-ksmutil: Give a more descriptive error message if the
<Datastore> tag in conf.xml does not match the database-backend set at
compile time.
* ods-ksmutil: Add warnings on "key export --ds" if no active or ready keys
were seen, or if both were seen (so a key rollover is happening).
* ods-ksmutil: Prevent MySQL username or password being interpreted by the
shell when running "ods-ksmutil setup"
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
put back the signer will not pick up the old file.
* ods-ksmutil: "key delete" added. It allows keys that are not currently in
use to be deleted from the database and HSM.
* OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can
be executed by ods-enforcerd.
* OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in "key list"
with -v flag.
* OPENDNSSEC-28: ods-ksmutil: "key list" shows next state with -v flag.
* OPENDNSSEC-35: ods-ksmutil: "rollover list -v" now includes more information
on the KSKs waiting for the ds-seen command.
* OPENDNSSEC-83: ods-ksmutil: "key generate" now displays how many keys will
be generated and presents the user with the opportunity to stop the
operation.
* OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when
no -v flag is given.
* Signer Engine: Input and Output DNS Adapters.
* Signer Engine: Zonefetcher has been removed.
Known issues:
* Signer Engine: The backup files do not work correctly in this alpha release.
Bugfixes:
* Bugfix #246: Less confusing text for XML validation in ods-kaspcheck.
* ods-ksmutil: "update kasp" now reflects changes in policy descriptions.
* ods-ksmutil: Policy descriptions now have special characters quoted.
* ods-ksmutil: Fix typo in policy export with NSEC3.

OpenDNSSEC 1.3.13 - 2013-02-20
Bugfixes:
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
the inbound serial.
* OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while
signconf was not changed.
* Signer Engine: Fixed locking and notification on the drudge work queue,
signals could be missed so that drudgers would stall when there was work to
be done.

OpenDNSSEC 1.3.12 - 2012-12-03
Bugfixes:
* SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a
directory in the default search path of the compiler).
* OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on
the OpenDNSSEC implementation of strlcpy/strlcat.

OpenDNSSEC 1.3.11 - 2012-11-13
* OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.
Bugfixes:
* OPENDNSSEC-306: Can't delete zone until Enforcer made signconf.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import.
* OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning.
* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27).
* OPENDNSSEC-342: Auditor comparisons made case-insensitive.
* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process.

OpenDNSSEC 1.3.10 - 2012-08-10
Bugfixes:
* SUPPORT-30: RRSIGs are left in the signed zone when authoritative RRsets
become glue [OPENDNSSEC-282].
* OPENDNSSEC-261: Ldns fails to parse RR that seems syntactically correct.
Was due to memory allocation issues. Provided better log message.
* OPENDNSSEC-285: Signer segfault for 6 or more -v options.
* OPENDNSSEC-298: Only unlink existing pidfile on exit if we wrote it.
* OPENDNSSEC-303: Return if open/parse of zonelist.xml fails in ksmutil.c
update_zones() and cmd_listzone().
* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists
and corresponding process is running, then complain and exit.
* Signer seems to hang on an ods-signer command. Shut down the client
explicitly with shutdown().
* opendnssec.spec file removed.

OpenDNSSEC 1.3.9 - 2012-06-15
* OPENDNSSEC-277: Enforcer: Performance optimisation of database access.
Bugfixes:
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as
dead (rather than actually removing them). Leave the key removal to purge
jobs.

OpenDNSSEC 1.3.8 - 2012-05-09
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
(RFC 2317).
* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite
only, MySQL already has them.)
* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration,
but ods-auditor is not installed.
* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do
then say so rather than display nothing which might be misinterpreted.
Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
Minimum change.
* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all".

OpenDNSSEC 1.3.7 - 2012-03-13
* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
even if it is corrupted, preventing unnecessary serial decrementals.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
the daemon will start after a power failure.
Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators
in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem with pid found when not existing.
* SUPPORT-21: The HSM SCA 6000 in combination with OpenCryptoki can return RSA
key material with leading zeroes. DNSSEC does not allow leading zeroes in key
data. You are affected by this bug if your DNSKEY RDATA begins with e.g.
"BAABA"; normal keys begin with e.g. "AwEAA". OpenDNSSEC now sanitizes
incoming data before adding it to the DNSKEY. Do not upgrade to this version
if you are affected by the bug: you first need to go unsigned, then do the
upgrade, and finally sign your zone again. SoftHSM and other HSMs do not
produce data with leading zeroes, so the bug will not affect you.
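The "does my DNSKEY begin with BAABA" test above can be made exact. The following Python is an added example written for this page, not OpenDNSSEC's own sanitisation code: it parses the RFC 3110 RSA public-key field of a DNSKEY (exponent length, exponent, modulus), reports leading zero octets in either part, and shows the normalisation step on two constructed sample keys. The function names and the sample keys are my own; the short stand-in modulus is not a real key.

```python
"""Check the RSA public-key field of DNSKEY records for leading zero octets,
which RFC 3110 forbids in both the exponent and the modulus."""
import base64
import struct

# DNSSEC algorithm numbers that carry an RFC 3110 RSA public key.
RSA_ALGORITHMS = {5, 7, 8, 10}


def parse_rsa_public_key(key_b64):
    """Split the base64 public-key field into (exponent, modulus) byte strings.
    RFC 3110: one length octet, or 0x00 followed by a two-octet length when
    the exponent is longer than 255 octets; the remainder is the modulus."""
    data = base64.b64decode(key_b64)
    if not data:
        raise ValueError("empty public key field")
    exp_len = data[0]
    offset = 1
    if exp_len == 0:
        if len(data) < 3:
            raise ValueError("truncated exponent length")
        exp_len = struct.unpack("!H", data[1:3])[0]
        offset = 3
    exponent = data[offset:offset + exp_len]
    modulus = data[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated exponent or modulus")
    return exponent, modulus


def build_rsa_key_field(exponent, modulus):
    """Inverse of parse_rsa_public_key; used to construct sample input and to
    re-encode a sanitised key."""
    if len(exponent) < 256:
        prefix = bytes([len(exponent)])
    else:
        prefix = b"\x00" + struct.pack("!H", len(exponent))
    return base64.b64encode(prefix + exponent + modulus).decode("ascii")


def check_dnskey(rdata):
    """Take DNSKEY presentation RDATA ('flags protocol algorithm key...') and
    return a list of findings; an empty list means the key is well-formed."""
    fields = rdata.split()
    if len(fields) < 4:
        return ["RDATA has fewer than four fields"]
    flags, proto, alg = (int(f) for f in fields[:3])
    key_b64 = "".join(fields[3:])  # zone files may split the base64 into words
    findings = []
    if proto != 3:
        findings.append("protocol field must be 3")
    if alg not in RSA_ALGORITHMS:
        findings.append("algorithm %d is not RSA; leading-zero rule not checked" % alg)
        return findings
    exponent, modulus = parse_rsa_public_key(key_b64)
    if exponent[:1] == b"\x00":
        findings.append("exponent has a leading zero octet")
    if modulus[:1] == b"\x00":
        findings.append("modulus has a leading zero octet")
    return findings


def sanitize_rsa_key_field(key_b64):
    """Strip leading zero octets from exponent and modulus and re-encode: my
    reimplementation of the normalisation the release note describes."""
    exponent, modulus = parse_rsa_public_key(key_b64)
    return build_rsa_key_field(exponent.lstrip(b"\x00"), modulus.lstrip(b"\x00"))


# Constructed sample input (not real keys): exponent 65537 and an 8-octet
# stand-in modulus; real RSA moduli are hundreds of octets long.
GOOD_MODULUS = bytes([0xC3, 0x5A, 0x11, 0x7E, 0x42, 0x9B, 0xD0, 0x06])
GOOD_KEY = "257 3 8 " + build_rsa_key_field(b"\x01\x00\x01", GOOD_MODULUS)
# The same key as an HSM returning a zero-padded exponent would present it;
# its base64 starts with "BAABA", the pattern the release note describes.
PADDED_KEY = "257 3 8 " + build_rsa_key_field(b"\x00\x01\x00\x01", GOOD_MODULUS)

if __name__ == "__main__":
    for label, key in (("good", GOOD_KEY), ("padded", PADDED_KEY)):
        print(label, key, check_dnskey(key) or "OK")
    print("sanitised:", sanitize_rsa_key_field(PADDED_KEY.split()[3]))
```

Run against the DNSKEY lines of a signed zone (or the output of "ods-hsmutil dnskey"), a non-empty finding for an RSA key means the key material should be normalised before it is published; the sanitised field of the padded sample is byte-for-byte the good one.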

OpenDNSSEC 1.3.6 - 2012-02-17
* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to
reconnect if it is not valid.
* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of
time, let worker wait with pushing sign operations until the queue is
non-full.
* Signer Engine: Adjust some log messages.
Bugfixes:
* ods-control: Wrong exit status if Enforcer was already running.
* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the
help usage text.
* OPENDNSSEC-207: Signer Engine: Fix communication from a process not
attached to a shell.
* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing
signed file to an intermediate file first.

OpenDNSSEC 1.3.5 - 2012-01-23
* Auditor: Include the zone name in the log messages.
* ldns 1.6.12 is required for bugfixes.
* ods-ksmutil: Suppress database connection information when no -v flag is
given.
* ods-enforcerd: Stop multiple instances of the enforcer running by checking
for the pidfile at startup. If you want to run multiple instances then a
different pidfile will need to be specified with the -P flag.
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
put back the signer will not pick up the old file.
* Signer Engine: Verbosity can now be set via conf.xml, default is 3.
Bugfixes:
* Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config
or -c when starting the signer.
* Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that
becomes opt-out.
* Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
* Signer Engine: A file descriptor for sockets with value zero is allowed.
* Signer Engine: Only log messages about a full signing queue in debug mode.
* Signer Engine: Fix time issues, make sure that the internal serial does
not wander off after a failed audit.
* Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms
with extra long signature expiration dates. More information in separate
announcement.

OpenDNSSEC 1.3.4 - 2011-12-09
Bugfixes:
* Signer: Use debug instead of warning for drudgers queue being full, also
sleep 10ms if it is full to not hog CPU. This increased signing on
single core machines by a factor of 2.

OpenDNSSEC 1.3.3 - 2011-11-17
Bugfixes:
* Auditor: Handle ruby 1.9 differences in ods-kaspcheck.
* Auditor: Require dnsruby 1.53 for bugfixes.
* Bugfix #262: Drudgers seem to be in a waiting state, but the RRset FIFO
queue is full. Do an additional broadcast.
* Enforcer: Check HSM connection when waking up from sleep, attempt to
reconnect if it is not valid. (r5511 in trunk, ported into the branch due
to issues seen when CKR_DEVICE_ERROR returned by HSM.)
* libhsm: Added hsm_check_context() to check if the associated sessions are
still alive. (Required for the above.)
* ods-ksmutil: key import was not setting the retire time.
* Signer Engine: Fix a threading issue, that could leave a zone without
a task.
* Signer Engine: Update the signed zone file if only the $TTL or explicit
TTL has been changed.
* Signer Engine: Remove the NSEC3PARAM RR when doing NSEC3 to NSEC rollover.
* Signer Engine: Deal with carriage returns (dos format) in zone file.
* Signer Engine: A <Refresh> of PT0S means that the refresh time equals the
signing time.
* Signer Engine: Defense in depth in signer for duplicate keys.
* Signer Engine: Make sure that all required zonelist elements exist,
otherwise error.
* Signer Engine: Warn the user if the serial is broken and the serial from
the signconf cannot be used.
* Signer Engine: Log Auditor exit code.
* Fix a bug similar to #257: Error in ods-signerd, where a corrupted
backup file results in an invalid pointer free().

OpenDNSSEC 1.3.2 - 2011-09-13
Bugfixes:
* Bugfix #257: Error in ods-signerd, where a corrupted backup file results
in an invalid pointer free().
* Signer Engine: Mark that a zone has a valid signer configuration, after
recovering the zone from the backup files.

OpenDNSSEC 1.3.1 - 2011-09-07
Bugfixes:
* Auditor: Fix 'ZSK in use too long' message to handle new signer behaviour.
* Bugfix #255: RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein)
* Bugfix #256: Make sure argument in "ods-control signer" is not stripped off.
* Bugfix #259: ods-ksmutil: Prevent MySQL username or password being
interpreted by the shell when running "ods-ksmutil setup".
* Bugfix #260: "ods-ksmutil zone list" now handles empty zonelists.
* Enforcer: Unsigned comparison resulting in wrong error message.
* ods-ksmutil: fixed issue where first ds-seen command run on a zone would
work, but return an error code and not send a HUP to the enforcerd.
* Signer Engine: A threading issue occasionally puts the default validity
on NSEC(3) RRs and the denial validity on other RRs.
* Signer Engine: An update command could interrupt the signing process and the
zone would get missing signatures.
* Signer Engine: Fix an issue where some systems could not copy the zone file.
* Zonefetcher: Check inbound serial in transferred file, to prevent
redundant zone transfers.

OpenDNSSEC 1.3.0 - 2011-07-12
* Include simple-dnskey-mailer-plugin in dist.
* Enforcer: Change message about KSK retirement to make it less confusing.
Bugfixes:
* ods-control: If the Enforcer did not close down, ods-control entered an
infinite loop.
* Signer Engine: Fix log message typos.
* Signer Engine: Fix crash where ods-signer update
* Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.
* Zonefetcher: Sometimes invalid 'Address already in use' occurred.
* Bugfix #247: Fixes bug introduced by bugfix #242.

OpenDNSSEC 1.3.0rc3 - 2011-06-12
* Do not distribute trang.
Bugfixes:
* Fix test for java executable and others.
* Auditor: Fix delegation checks.
* Bugfix #242: Race condition when receiving multiple NOTIFY messages for a
zone.
* ods-kaspcheck: Do not expect resalt in NSEC policy.
* Signer Engine: Ifdef a header file.
* Signer Engine: The default working directory was not specified.
* Signer Engine: Handle stdout console output throttling that would
truncate daemon output intermittently.

OpenDNSSEC 1.3.0.rc2 - 2011-05-18
* Match the names of the signer pidfile and enforcer pidfile.
* Include check for resign < resalt in ods-kaspcheck.
Bugfixes:
* Bugfix #231: Fix MySQL version check.
* ods-ksmutil: Update now sends a HUP to the enforcerd.
* Signer Engine: Fix assertion failure if zone was just added.
* Signer Engine: Don't hsm_close() on setup error.
* Signer Engine: Fix race condition bug when doing a single run.
* Signer Engine: In case of failure, also mark zone processed (single run).
* Signer Engine: Don't leak backup file descriptor.
* signconf.rnc now allows NSEC3 Iterations of 0.

OpenDNSSEC 1.3.0rc1 - 2011-04-21
* <SkipPublicKey/> is enabled for SoftHSM in the default configuration.
It improves the performance by only using the private key objects.
* Document the <RolloverNotification> tag in conf.xml.
* Include check for resign < resalt in ods-kaspcheck.
Bugfixes:
* Bugfix #221: Segmentation Fault on schedule.c:232.
* Enforcer: 'make check' now works.
* Enforcer: Fixed some memory leaks in the tests.
* Signer Engine: Coverity report fixes some leaks and thread issues.
* Signer Engine: Now logs to the correct facility again.

OpenDNSSEC 1.3.0b1 - 2011-03-23
* Support for signing the root. Use the zone name "."
* Enforcer: Stop import of policy if it is not consistent.
* ods-signer: The queue command will now also show what tasks the workers
are working on.
* Signer Engine: Just warn if occluded zone data was found, don't stop signing
process.
* Signer Engine: Simpler serial maintenance, reduces the number of conflicts.
Less chance to hit a 'cannot update: serial too small' error message.
* Signer Engine: Simpler NSEC(3) maintenance.
* Signer Engine: Limit the number of backup files.
* Signer Engine: Set number of <SignerThreads> in conf.xml to
get peak performance from HSMs that can handle multiple threads.
Bugfixes:
* Bugreport #139: ods-auditor fails on root zone.
* Bugreport #198: Zone updates ignored?
* Replace tab with white-space when writing to syslog.
* Signer Engine: Do not block update command while signing.

OpenDNSSEC 1.2.1 - 2011-03-18
* ldns 1.6.9 is required for bugfixes.
* dnsruby-1.52 required for bugfixes.
Bugfixes:
* Auditor: 'make check' now works when srcdir != builddir.
* Auditor: Include the 'make check' files in the tarball.
* Enforcer: Fix the migration script for SQLite.
* Enforcer: Increase size of keypairs(id) field in MySQL to allow more than
32767 keys; see MIGRATION for details.
* Enforcer: Minor change to NOT_READY_KEY error message.
* libhsm: Increase the maximum number of attached HSMs from 10 to 100.
* ods-ksmutil: Send trivial MySQL messages to stdout when exporting zonelist
etc. Otherwise the resulting XML needs to be edited by hand.
* ods-control: Fix for Bourne shell.
* Signer Engine: Prevent race condition when setting up the workers and
the command handler.
* Signer Engine: Check if the signature exists before recycling it.
* Signer Engine: Quit when there are errors in the configuration.
* Signer Engine: Enable core dump on failure.
* Signer Engine: Explicitly close down log msg with null.
* Signer Engine: Backup state after writing output.
* Signer Engine: Allow update of serial if internal structure is not
initialized.
* Signer Engine: NSEC chain could become broken if the predecessor domain
of a deleted domain was a glue domain.
OpenDNSSEC 1.2.0 - 2011-01-13
Bugfixes:
* Enforcer: Fixed a number of build warnings.
OpenDNSSEC 1.2.0rc3 - 2010-12-27
* Moved migration instructions to the file MIGRATION
Bugfixes:
* Bugreport #199: The previous DB schema change made the zone removal broken.
* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk).
* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand.
* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog.
* Enforcer: Fixed potential format string bug.
* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby.
* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you.
* Signer Engine: Set notify command for zone when receiving ods-signer update.
* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed
in KASP.
* Signer Engine: Now logs to the correct facility.
* Signer Engine: Also remove NSEC records when detecting changes in
signconf <Denial>
* Signer Engine: Dropped privileges before starting Zonefetcher.
OpenDNSSEC 1.2.0rc2 - 2010-11-24
Bugfixes:
* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive.
* Signer Engine: Also create new signature if TTL of RR has changed.
* Signer Engine: Drop old NSEC/NSEC3 records.
* ods-ksmutil: Fixed some memory leaks.
OpenDNSSEC 1.2.0rc1 - 2010-11-17
* New commandline option for the signer: ods-signer running.
* Allow connection to different MySQL ports in the Enforcer.
* Tone down and explain warning when converting M or Y to seconds
* ldns 1.6.7 is required for bugfixes
* dnsruby 1.51 is required for bugfixes
Bugfixes:
* Bugreport #187: ods-control signer start will return non-zero if start up
failed (uses ods-signer running).
* Narrow glue at the zone cut is allowed, do not consider it as occluded.
* Move zone fetcher output to correct input adapter file.
* Enforcer shared keys on zones with ShareKeys disabled.
* Make names of key states consistent.
* Signer Engine file descriptor leak fix on engine.sock.
* Set explicit "unlimited" repository capacity to prevent random integer being
read. Requires "ods-ksmutil update conf" to be run if using an existing
database.
* Fix issue with key generation creating too many keys Ticket #194.
* Bugreport #189: Auditor did not handle white-space-separated substrings
for base64 text
* Bugreport #190: Auditor (and signer) does not handle case correctly
* Signer now silences stdout output from the notify command
OpenDNSSEC 1.2.0b1 - 2010-10-18
* A new signer engine, written in C. Zones are maintained in memory, instead of
in files on disk.
* Signer Engine: Check if the signature exists before recycling it.
* Removed the python and python-4suite-xml dependencies.
* Remove separate autoconf for libhsm/conf/enforcer.
* Add option to disable building the signer.
* Signer logs statistics just after outputting a new signed zone.
* libhsm will skip processing (and not create) any public keys if the
per repository option <SkipPublicKey/> is set.
* Keysharing improved - keys can now exist in different states on each zone
that the key is in use for.
* Backup prepare/commit/rollback added for 2-step backups without taking the
enforcer offline.
* Standby keys are now optional (default to 0) and should be considered
experimental.
Bugfixes:
* Fix semantics of refresh value in Signer Engine.
* Auditor handles chains of empty nonterminals correctly.
* Recalculate salt immediately if the saltlength is changed.
* libhsm connected to slot 0 if the token label was not found.
An error is now returned instead of connecting to the slot.
* Bugreport #102: Removed the obsoleted python-4suite-xml dependency.
* Fixed Known Issue: KSK rollover requires manual timing.
* Fixed Known Issue: Key rollover and reuse of signatures.
* Fixed Known Issue: Issue with sharing keys and adding zones.
* Fixed Known Issue: Quicksorter does not allow certain owner names
(Quicksorter is removed, signer now reads and sorts the zone).
OpenDNSSEC 1.1.3 - 2010-09-10
Bugfixes:
* Bugreport #183: Partial zone could get signed if zone transfer failed
when using zone_fetcher
OpenDNSSEC 1.1.2 - 2010-08-24
* Dnsruby 1.49 now required (for correct zone parsing)
* ldns 1.6.6 is required to fix the zone fetcher bug
Bugfixes:
* ods-control stop did not stop the zone fetcher (bug was introduced in 1.1.0)
* Auditor correctly handles chains of empty nonterminals
* Zone fetcher can block zone transfers if AXFR once failed. This is a bug
in ldns versions 1.6.5 and lower. See KNOWN_ISSUES for more information.
* Bugreport #165: Ensure Output SOA serial is always bigger than Input SOA
serial.
* Bugreport #166: Correct exit value from signer.
* Bugreport #167: Zone fetcher now also picks up changes when zonelist is
reloaded (thanks Rick van Rein)
* Bugreport #168: ods-control with tightened control for the Enforcer
* Bugreport #169: Do not include config.h in the distribution
* Bugreport #170: Typo in a man page (ods-signer)
* Bugreport #172: Correction of some macros in a man page (ods-timing)
* Bugreport #173: A man page used a macro that does not exist (ods-ksmutil)
OpenDNSSEC 1.1.1 - 2010-07-08
Bugfixes:
* Bugreport #127: Large SOA serial numbers were not handled properly by signer
* Bugreport #133: Better handling of SOA serial when setting is 'keep'
* Bugreport #136: quicksorter could not handle standard bind format SOA rdata
* The Auditor could not handle the new way of rolling KSKs
* One log message in the Enforcer referred to an old command
* The Enforcer forgot to publish certain keys during transition between states
OpenDNSSEC 1.1.0 - 2010-05-26
OpenDNSSEC 1.1.0rc3 - 2010-05-15
Bugfixes:
* Could not compile quicksorter on FreeBSD.
* Bugreport #131: test suite fails in 1.1.0rc2
OpenDNSSEC 1.1.0rc2 - 2010-05-04
Bugfixes:
* Fix semantics of refresh value in Signer Engine.
OpenDNSSEC 1.1.0rc1 - 2010-04-21
* Partial Auditor added
* Dnsruby-1.46 required
* Improved error messages when the system runs out of keys
* Optimise communication of signconfs for multiple zones sharing keys.
Group zones in zonelist.xml by policy to get this benefit.
* Bugreport #101: Signer Engine now maintains its own pidfile.
* Jitter redefined: now in the range of [-jitter, ..., +jitter]
* Optimized sorter: quicksorter (sorter becomes obsolete).
* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er
become obsolete).
* Enable database selection using --with-database-backend={sqlite3|mysql}
* Enable the EPP-client using --enable-eppclient
For sending DS RR to the parent zone (experimental)
* Turn NSEC3 OptOut off by default
* Install kasp2html XML stylesheet
* Add simple kasp2html conversion script
* DNSKEY records communicated to an external script if configured
* The command 'ods-signer restart' is removed.
* Signer Engine now also reuses signatures after a change in NSEC(3)
configuration or rolling keys.
* Quicksorter defaults to class IN.
Bugfixes:
* Enforcer: Make sure that we read the correct config file when dropping privs
* Enforcer: Prevent int overflow when generating a large number of keys
* Enforcer: Fixed a confusion between standby ZSKs and KSKs
* Fixed various enable-options in the configure scripts
* Respect $DESTDIR for config files
* Looked for the database init script in $prefix/share/opendnssec and not
datadir.
* Improved memory cleanup when parsing zonefetch.xml
* Zonefetch.xml now accepts hmac-md5, which is an alias for
hmac-md5.sig-alg.reg.int.
* Zone fetcher logged wrong zone when NOTIFY received.
* Zone fetcher sometimes did not log when signalling signer engine failed.
* Fix issue of importing keys into kasp leaving random strings in the
retire date.
* Fix KSK rollover logic to be proper DoubleDNSKEY
* Fix issue with reading repositories from conf.xml
* Fix issue with reading policies from kasp.xml
* Canonicalize RRs before nseccing zone.
* Bugreport #113: zone fetcher started before dropping privileges, so that
it can bind to the socket.
* Signer Engine defaults to working directory if missing.
* libhsm: fixed incorrect label length for wildcards (leftmost wildcard label
was included in count).
OpenDNSSEC 1.0.0 - 2010-02-09
Bugfixes:
* Fixed broken path in ods-control
OpenDNSSEC 1.0.0rc4 - 2010-02-02
* Added manual pages for ods-auditor(1), ods-control(8), ods-enforcerd(8),
ods-signerd(8), ods-signer(8), ods-hsmpseed(1), ods-hsmutil(1),
ods-kaspcheck(1), ods-ksmutil(1), ods-timing(5), opendnssec(7).
* Move ods-control & ods-signer from PREFIX/bin to PREFIX/sbin.
* Dnsruby-1.43 is now required
Bugfixes:
* Bugreport #89: Signer Engine: bug in logging.c.
* Auditor: Had some problems with escaped characters in domain names
OpenDNSSEC 1.0.0rc3 - 2010-01-25
* A code review was performed by members of the project group. No serious
problem was found. The code review resulted in some polishing of the code.
* Dnsruby-1.42 is now required, it fixes issues with TXT and NAPTR record
parsing.
* ldns 1.6.4 is now required.
* Known issues have been moved from NEWS to KNOWN_ISSUES.
Bugfixes:
* ods-ksmutil: The ksk-roll command did not handle its options correctly
* Auditor: Configured zone SOA TTL now used to track pre-published keys,
rather than the unsigned zone SOA TTL.
* Enforcer: There was a flaw in the implementation of the timing code (it
follows an earlier version of the draft and at one point does not add on
the safety margin).
* Enforcer: MySQL memory leaks fixed.
* Signer Engine: When changing policy or rolling over a key, the old signed
zone was not found, always resulting in a fresh resign.
* Signer Engine: RRsets with varying TTLs on the records were considered
different RRsets; the signer engine now equalizes those TTLs.
OpenDNSSEC 1.0.0rc2 - 2009-12-16
Bugfixes:
* Signer Engine: Signer processes could remain open if they were not closed
correctly.
* ods-ksmutil: Got a segmentation fault, when an HSM was missing in the
configuration. Only applied to versions using MySQL.
* Zone fetcher: Did not close files before moving them.
* Zone fetcher: The serial arithmetic was not correct.
* Auditor: It now ignores unrecognized RR types.
* Signer Engine: Wrong handling of escaped characters in strings
(fixed in ldns trunk)
* Set correct permissions on the configuration files.
Known issues:
* Zone fetcher: When using TSIG, an incorrect MAC can be created if the
length of the used secret is 'too long' (longer than the maximum digest
length). This problem is in LDNS 1.6.3 and previous versions. This bug is
fixed in the upcoming LDNS 1.6.4 release.
* Auditor: Some good NAPTR records may fail to verify with dnsruby-1.41.
This will be fixed in a future dnsruby release.
* TXT RRs: Some TXT RRs with escape characters may fail to parse correctly
with dnsruby-1.41 and ldns 1.6.3. This is fixed in the upcoming releases.
OpenDNSSEC 1.0.0rc1 - 2009-12-04
* Auditor: dnsruby-1.41 should be used (includes fixes for zero length
salt and RFC3597 unknown classes)
* Signer Engine: ldns 1.6.3 should be used (includes NSEC3 bugfix and class
inheritance when creating signatures)
Bugfixes:
* Signer Engine: 1.0.0b8 introduced a bug that no signatures were reused.
Re-fixed.
* Signer Engine: Fix ods-signer start (could hang on MacOSX)
* Signer Engine: Mark a zone in progress if in use by one of the tools.
Prevents multiple tasks being created for the same zone.
* Signer Engine: Dropped records when zone content changed.
* Signer Engine: Drop inherited groups and set additional groups when dropping
privileges.
* Zone fetcher: Clean up empty files if AXFR failed
* Zone fetcher: Make syslogging RFC-compliant
OpenDNSSEC 1.0.0b9 - 2009-11-27
* ods-ksmutil: update command split so that individual configuration files can
be updated separately.
* ods-ksmutil: "ds-seen" renamed to "ksk-roll" which is a more accurate
description of its effect. (ds-seen will reappear in v1.1)
* add contributed .spec file for RPM builds
* Signer Engine: verifies signature after creation.
Bugfixes:
* Signer Engine: Output better information if the HSM fails with the signing.
* ods-ksmutil: update zonelist correctly links keys to new zones if key sharing
is turned on.
* Bugreport #59: Problem starting ods-signer on a 64-bit machine
* ods-ksmutil: update zonelist command now correctly adds and deletes zones
(and sorts out their keys).
OpenDNSSEC 1.0.0b8 - 2009-11-23
* ods-ksmutil: KSK rollover now holds at the point where the new key is made