1OpenDNSSEC 2.1.10 - 2021-09-10 2 3* OPENDNSSEC-957: Fix exit code signer daemon to not always report failure. 4* OPENDNSSEC-958: Fix immediate resalting after migration from 1.4. 5* OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration count 6 that is deemed too high. 7* SUPPORT-265: Resolve conflict when deleting keys from HSM whilst 8 also performing step in key roll process. Typically a message 9 "key_data_update failed" is present in logs. 10* Provided RedHat/CentOS spec file in contrib directory. 11 12OpenDNSSEC 2.1.9 - 2021-05-03 13 14* OPENDNSSEC-955: Prevent concurrency between C_Login/C_OpenSession and 15 C_FindObject in PKCS#11 operations as some HSMs do not like this and 16 the key may (transiently) not be available. 17* OPENDNSSEC-956: Harden the signing procedure to still sign zones for 18 which there are unused keys specified in the signconf. These are 19 included by the enforcer because there may be (outdated) signatures 20 for them, but the signer doesn't need this reference anymore in 2.1. 21 However this was left in for backwards compatibility (probably). 22 23OpenDNSSEC 2.1.8 - 2021-02-20 24 25* OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for 26 version 2.69/1.16.2. 27* SUPPORT-261: Fix to crash when using ods-enforcer set-policy command. 28* OPENDNSSEC-953: Fix to crash in case zone file not present while getting 29 a signconf update and state flush command. 30 Thanks to Stefan Ubbink from SIDN for the co-operation in this fix. 31* OPENDNSSEC-951: Modify the purging of keys, to make it automatic to purge 32 keys from the HSM. 33 Thanks to Stefan Ubbink from SIDN for the co-operation in this fix. 34* OPENDNSSEC-950: Fix that caused crash when signer was offline for a 35 prolonged period (but the enforcer wasn't) in the middle of a ZSK roll. 36* OPENDNSSEC-952: memory leak in when receiving NOTIFY for non-existent 37 zone (Thanks Sébastien Tisserant to for reporting). 38 39OpenDNSSEC 2.1.7 - 2020-10-05 40 41* OPENDNSSEC-949: Fix for migration bug not keeping proper parameters of NSEC3 42 signed zones. Amongst others the zone become NSEC. Loading the policies 43 fixes the situation, migration scripts now corrected. Since 1.4 does not 44 require a salt, a resalt might be automatic after migrating, as this is 45 a required parameter. 46* OPENDNSSEC-948: do not recreate signatures for keys that are moving out 47 this fixes unexpected double signatures in the zone. 48* SUPPORT-253: Incorrect keytag used when using Combined Signing keys (CSK) 49 (Thanks to Simon Arlott) 50* SUPPORT-257: Export keys by locator (Thansk to Simon Arlott) 51* SUPPORT-222: Support ED25519/ED448 keys. This requires library ldns 1.7.0 52 or better, otherwise unavailable. (Thanks again to Simon Arlott) 53* SUPPORT-260: Crash on OpenBSD systems in ixfr_del_rr; possible unverified 54 fix. 55* Load libsqlite3.so.0 and fall back on libsqlite3.so.0 to allow to run 56 migration tool on systems without libsqlite3.so.0 soft link. 57 (Thanks to Paul Wouters) 58* Some compilation warnings, o.a. gcc10 related, code quality and 59 initialization improvements. 60 (Thanks to Jonas Berlin, and Mathieu MirMont, and Paul Wouters). 61 62OpenDNSSEC 2.1.6 - 2020-02-10 63 64* OPENDNSSEC-913: verify database connection upon every use. 65* OPENDNSSEC-944: bad display of date of next transition (regression) 66* SUPPORT-250: missing signatures on using combined keys (CSK) 67* OPENDNSSEC-945: memory leak per command to enforcer. 68* OPENDNSSEC-946: unclean enforcer exit in case of certain config problems. 69* OPENDNSSEC-411: set-policy command to change policy of zone (experimental) 70 71OpenDNSSEC 2.1.5 - 2019-11-05 72 73* SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4. 74* SUPPORT-244: Don't require Host and Port to be specified in conf.xml 75 when migrating with a MySQL-based enforcer database backend. 76* Allow for MySQL database to pre-exist when performing a migration, 77 and be a bit more verbose during migration. 78* New -f argument to ods-enforcer key list to show the full list of key states, 79 similar to combinining -d and -v. 80* Fix AllowExtraction tag in configuration file definition (thanks to raixie1A). 81* SUPPORT-242: Skip over EDNS cookie option (thanks to Håvard Eidne and 82 Ulrich-Lorenz Schlueter). 83* SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction 84 with CLI commands. 85* Correct some error messages (thanks to Jonas Berlin). 86 87OpenDNSSEC 2.1.4 - 2019-05-16 88 89* SUPPORT-229: Missing signatures for key new while signatures for old key 90 still present under certain kasp policies, leading to bogus zones. 91 Root cause for bug existed but made prominent since 2.1.3 release. 92* OPENDNSSEC-942: time leap command for signer for debugging purposes 93 only, not to be used on actual deployments. 94* OPENDNSSEC-943: support build on MacOS with missing pthread barriers 95* SUPPORT-229: fixed for too early retivement of signatures upon double 96 rrsig key roll signing strategy. 97* Strip build directory from doxygen docs 98* remove bashisms from ods-kasp2html.in 99* upgrade developer build scripts to softhsm-2.5.0 update some platform 100 dependent files (only for developers). 101* The ods-signer and ods-signerd man page should be in section 8 not 22 102 Note that this might mean that package managers should remove the older 103 man pages from the old location. 104 105OpenDNSSEC 2.1.3 - 2017-08-10 106 107* OPENDNSSEC-508: Tag <RolloverNotification> was not functioning correctly 108* OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in conf.xml 109* OPENDNSSEC-906: Tag <AllowExtraction> tag included from late 1.4 development 110* OPENDNSSEC-894: repair configuration script to allow excluding the build of 111 the enforcer. 112* OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures. 113* OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge 114 time to be skipped. 115* OPENDNSSEC-904 / SUPPORT-216 autoconfigure fails to properly identify 116 functions in ssl library on certain distributions 117 causing tsig unknown algorithm hmac-sha256 118* OPENDNSSEC-908: Warn when TTL exceeds KASP's MaxZoneTTL instead of capping. 119 120OpenDNSSEC 2.1.1 - 2017-04-28 121 122* OPENDNSSEC-882: Signerd exit code always non-zero. 123* OPENDNSSEC-889: MySQL migration script didn't work for all database and 124 MySQL versions. 125* OPENDNSSEC-887: Segfault on extraneous <Interval> tag. 126* OPENDNSSEC-880: Command line parsing for import key command failed. 127* OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for 128 same rrset are mismatching. 129 130OpenDNSSEC 2.1.0 - 2017-02-22 131 132* If listening port for signer is not set in conf file, the default value 133 "15354" is used. 134* Enforce and signconf tasks are now scheduled individually per zone. Resign 135 per policy. 136* OPENDNSSEC-450: Implement support for ECDSA P-256, P-384, GOST. Notice: 137 SoftHSMv1 only supports RSA. SoftHSMv2 can be compiled with support for these. 138* zone delete removes tasks associated with zone from queue. 139* Show help for ods-enforcer-db-setup 140* OPENDNSSEC-778: Double NSEC3PARAM record after resalt. 141* In the kasp file, KSK/ZSK section, the algorithm length MUST be set now. 142* signer clear <zone> would assert when signconf wasn't read yet. 143* The <Interval> tag had been deprecated, and is now no longer allowed to 144 be specified in the conf.xml for the Enforcer. 145* OPENDNSSEC-864: ods-signer didn't print help. Also --version and --socket 146 options where not processed. 147* OPENDNSSEC-869: ds-seen command did not give error on badly formatted keytag. 148* OPENDNSSEC-681: After fork() allow child process to pass error messages to 149 parent so they can be printed to the console in case of failed start. 150* OPENDNSSEC-849: Crash on free of part of IXFR structure. 151* OPENDNSSEC-759: Reduce HSM access during ods-signerd start. Daemon should 152 start quicker and earlier available for user input. 153* OPENDNSSEC-479: Transferring zones and sending notifies through a bound socket, 154 using the same interface as listener. 155* Key cache is now shared between threads. 156* OPENDNSSEC-858: Don't print "completed in x seconds" to stderr for enforcer 157 commands. 158* Various memory leaks 159* OPENDNSSEC-601: signer and enforcer working dir would not properly fallback to 160 default when not specified. 161* OPENDNSSEC-503: Speed up initial signing and algorithm rollover. 162* A bash autocompletion script is included in contrib for ods-enforcer and 163 ods-signer. 164* SUPPORT-208: Strip comment from key export. 165* OPENDNSSEC-552: On key export don't print SHA1 DS by default. (introduced 166 --sha1 option to key export.) Usage of sha1 is deprecated and will be removed 167 from future versions of OpenDNSSEC. 168 169OpenDNSSEC 2.0.1 - 2016-07-21 170 171* Fixed crash and linking issue in ods-migrate. 172* Fixed case where 2.0.0 could not read backup files from 1.4.10. 173* Fixed bug in migration script where key state wasn't transformed properly. 174 175OpenDNSSEC 2.0.0-1 176 177* include db creation scripts in dist tarball needed for migration from 1.4. 178 179OpenDNSSEC 2.0.0 - 2016-07-07 180 181* OpenDNSSEC-99: Skip "are you sure" messages. Add --force and -f flag to 182 ods-enforcer-db-setup and hsmutil purge 183* OPENDNSSEC-808: Crash on query with empty query section (thanks Håvard Eidnes) 184* OpenDNSSEC-771: Signer. Do not log warning on deleting a missing 185 NSEC3PARAM RR. 186* OPENDNSSEC-801: Set AA flag on outgoing AXFR. 187* SUPPORT-191: Regression, Must accept notify without SOA (thanks Christos Trochalakis) 188 189OpenDNSSEC 2.0b1 - 2016-04-14 190 191First public release of OpenDNSSEC. Initial pre-releases have been 192made to a smaller audience, this pre-release is explicitly made available 193to all. At this moment, there are no known functional bugs. There are 194naturally issues, especially to make working with OpenDNSSEC easier, however 195none should prevent you to use OpenDNSSEC in production for the average 196case, even though this is a pre-release. Which is because of the still 197limited documentation, and is not being run in production yet. 198 199* The enforcer can no longer be run on a single policy at a time 200 anymore. An enforce run will always process all zones. 201* The key generate method is at this time not available. 202* The key export method will not allow you to export keys for all zones 203 at once (--all flag) or for a particular type of key (--keystate). 204 It will not export ZSK keys. 205* The zonelist.xml in etc/opendnssec is no longer updated automatically, 206 and by default works as if the --no-xml flag was specified. Use 207 --xml to the zone add command to update the zonelist.xml. If updating 208 the zonelist fails, the zone will still be added and not updated in 209 the xml with future zone adds. 210* Plugins directory renamed to contrib. 211* Default signer working directory renamed from tmp to signer. 212* Configure option --with-database-backend renamed --with-enforcer-database 213* Zones on a manual rollover policy will not get a key assigned to them 214 immediately. 215 216OpenDNSSEC 2.0.0a5 217 218Project transfer to NLnetLabs, performing code drop as-is for evaluation 219purposes only. 220 221 222OpenDNSSEC 2.0.0a4 (EnforcerNG branch) 223 224* SUPPORT-72: Improve logging when failed to increment serial in case 225 of key rollover and serial value "keep" [OPENDNSSEC-461]. 226* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public 227 key directly if SkipPublicKey is used [OPENDNSSEC-573]. 228* OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts the 229 enforcer to run once and only process the specified policy and associated 230 zones. 231* OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml. 232 Default value remains PT0S. 233* OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen' 234 command so the user can choose not to notify the enforcer. 235* OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - Zone add command 236 could warn if a specified zone file or adapter file does not exits. 237* OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input> 238 and <output> values for DNS adapters. 239* OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import' to 240 check if there is a matching key in the repository before import. 241* OPENDNSSEC-281: Enforcer NG: Commandhandler sometimes unresponsive. 242* OPENDNSSEC-276, Enforcer NG: HSM initialized after fork(). 243* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default TTL again, to 244 prevent bad caching effects on resolvers. 245* OPENDNSSEC-428: Add option for 'ods-ksmutil key generate' to take 246 number of zones as a parameter 247* OPENDNSSEC-515: Signer Engine: Don't replace tabs in RR with whitespace. 248 249Bugfixes: 250* OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature 251 cleanup. 252* OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly. 253* OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back 254 to AXFR. 255* OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use 256 inbound serial. 257 258 259OpenDNSSEC 2.0.0a3 (EnforcerNG branch) - 2012-06-18 260Bugfixes: 261* SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write 262 error [OPENDNSSEC-427]. 263* SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection 264 error during signing [OPENDNSSEC-444]. 265* OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg 266 fault when run directly on command line (i.e. not via interactive mode) 267* OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create 268 too many keys if there are keys already available and the KSK and ZSK use 269 same algorithm and length 270* OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead 271 of memory. Makes response non-blocking. 272* OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes 273 to stdout not stderr 274* OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create 275 too many keys for <SharedKeys/> policies when KSK and ZSK use same 276 algorithm and length 277* OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling 278* Signer Engine: Improved Inbound XFR checking. 279* Signer Engine: Fix double free corruption in case of adding zone with 280 DNS Outbound Adapters and NotifyCommand enabled. 281 282* Enforcer: Limit number of pregenerated keys when using <SharedKeys>. 283* Enforcer: MySQL database backend implemented. 284* Enforcer: New directive <MaxZoneTTL> to make safe assumptions about 285 zonefile. 286* Enforcer: New zone add command, allow specifying adapters. 287* Enforcer: New zone del command, use --force for still signed zones. 288* Enforcer: Pre-generate keys on the HSM. 289* Enforcer: SQLite database backend implemented. 290 291 292OpenDNSSEC 2.0.0-trunk 293 294* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA 295 Minimum change. 296 297Bugfixes: 298* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error. 299* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects. 300 301 302OpenDNSSEC 1.4.1 - 2013-06-27 303 304* SUPPORT-58: Extend ods-signer sign <zone> with --serial <nr> so that the user 305 can specify the SOA serial to use in the signed zone [OPENDNSSEC-401]. 306* OPENDNSSEC-91: Make the keytype flag required when rolling keys 307 308Bugfixes: 309* SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound 310 serial [OPENDNSSEC-420]. 311* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA 312 Minimum change. 313* OPENDNSSEC-421: Signer Engine: Fix assertion error in case NSEC3 hash 314 algorithm in signconf is not SHA1. 315* OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm in kasp 316 is valid. 317* Bugfix: The time when inbound serial is acquired was reset invalidly, 318 could cause OpenDNSSEC wanting AXFR responses while requesting IXFR (thanks 319 Stuart Lau). 320* Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet (thanks Stuart 321 Lau). 322* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly 323 when rolling all keys using the --policy option 324 325 326OpenDNSSEC 1.4.0 - 2013-04-22 327 328* Production release of 1.4 329* Versioning scheme and release support policies updated 330* Summary of changes in 1.4 can be found on the wiki: 331 http://wiki.opendnssec.org/display/DOCS 332 333 334OpenDNSSEC 1.4.0rc3 - 2013-03-15 335 336* Further testing of OPENDNSSEC-387 completed, release returned to rc status. 337 338 339OpenDNSSEC 1.4.0b3 - 2013-02-20 340 341Note: This release is marked as a beta release (rather than rc3) due to 342OPENDNSSEC-387, which is a significant functional change compared to rc2. 343 344* OPENDNSSEC-387: Rollback of multi-threaded enforcer. Due to key allocation 345 issues the usefulness of the threaded enforcer is outweighed by the code 346 complications. The option still remains in conf.xml for compatibility with 347 existing use; but it will now be silently ignored. 348 349Bugfixes: 350* OPENDNSSEC-183: Enforcer: If no DNSKEYs use negative TTL as TTL(DNSKEY). 351* OPENDNSSEC-185: Enforcer: Used wrong value for negative caching. 352* OPENDNSSEC-206: Enforcer: Notify Signer on generating new signer 353 configuration. 354* OPENDNSSEC-224: Enforcer: Fix rolling simultaneous keys. 355 (e.g. emergency roll) 356* OPENDNSSEC-271: Enforcer: Signer configurations w/o keys are now accepted. 357* Enforcer: Handle cases where negative cache > positive cache. 358* Enforcer: Take resign interval into account when signer does smooth 359 rollover. 360* OPENDNSSEC-388: Signer Engine: Internal serial should take into account 361 the inbound serial. 362* SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates 363 NSEC3PARAM and DNSKEY RRset [OPENDNSSEC-389] 364* OPENDNSSEC-389: Input DNS Adapter incorrectly updating NSEC3PARAM and DNSKEY RRsets 365 366Known Issues: 367* Enforcer: Key material not always reused when using <SharedKeys>. 368* Enforcer: Lacking documentation. 369* Enforcer: No migration tools. 370 371 372OpenDNSSEC EnforcerNG branch alpha2 - 2011-10-18 373 374* Enforcer: Automatic introduce keys marked as manual, like other enforcer. 375* Enforcer: Automatically retract never submitted DS records. 376* Enforcer: CSK is now configurable. 377* Enforcer: Do not allow lifetime of key to be shorter than TTL. 378* Enforcer: Support for RollOverType in kasp.xml 379 380Bugfixes: 381* Enforcer: Fixed concurrency related crashes. 382* Enforcer: Remove some scheduling when waiting for user input. 383* Enforcer: Schedule the purging of keys. 384 385 386OpenDNSSEC EnforcerNG branch alpha1 - 2011-09-23 387 388HIGH-LEVEL DESIGN GOALS: 389* Support for a large number of zones. The enforcer should reasonably be 390 useable with many zones. Think order of magnitude 50.000 concurrent zones. 391* Allow for future rollover strategies. Provide a generic framework to 392 implement other kinds of rollovers in the future. 393* Drop in replacement. Should replace the current enforcer but keep the same 394 interface and provide migration scripts from earlier installs. 395 396Trunk 397 398Bugfixes: 399 400 401OpenDNSSEC 1.4.0rc2 - 2013-01-25 402 403* OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for 404 reading. 405* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for 406 a key is changed in a policy (as this rollover is not handled cleanly) 407 408Bugfixes: 409* SUPPORT-44: Signer Engine: Drop privileges after binding to socket 410 [OPENDNSSEC-364]. 411* Signer Engine: XFR not ready should not be a fatal status for task read 412 (thanks Ville Mattila). 413* OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired. 414 415 416OpenDNSSEC 1.4.0rc1 - 2013-01-10 417 418* OPENDNSSEC-359: Remove eppclient 419 420 421OpenDNSSEC 1.4.0b2 - 2012-12-17 422 423* OPENDNSSEC-292: Provide scripts to convert database between different 424 supported formats 425* OPENDNSSEC-299: ods-ksmutil: ods-ksmutil <enter> now includes policy import 426* OPENDNSSEC-300: ods-ksmutil: policy purge documented with a warning 427* OPENDNSSEC-315: "ods-hsmutil logout" will delete any credentials in the 428 shared memory. 429* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL should be set to zero. 430* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27) 431* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process 432* ods-ksmutil: Deprecate the one-step key backup command 433 434Bugfixes: 435* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers. 436* OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by 437 valgrind. 438* OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals 439 between apex and delegation when DS is added/removed. 440* Signer Engine: Fixed locking and notification on the drudge work queue, 441 signals could be missed so that drudgers would stall when there was work to 442 be done. 443* libhsm: Fixed PIN handling on OpenBSD. 444* Enforcer: If enabled enforcer workers and configured number of workers is 1, 445 make sure that enforcer runs the signer update command after signer 446 configuration change. 447* Signer Engine: Don't add double RRSIGs generated by the same key for the 448 DNSKEY RRset. 449* Signer Engine: Rollback incompleted zone transfers on disk (could happen 450 if a connection was reset during transfer). 451* Multi-threaded enforcer: various minor fixes including deadlock problems. 452 453 454OpenDNSSEC 1.4.0b1 - 2012-09-06 455 456* OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be 457 entered using "ods-hsmutil login" and is stored in shared memory. The daemons 458 will not start until this has been done by the user. 459* OPENDNSSEC-297: Enforcer: Multi-threaded option available for the enforcer to 460 improve performance (MySQL only). 461* OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify> 462 and <RequestTransfer> elements are now optional, but if provided they require 463 one or more <Peer> or <Remote> elements. 464 465Bugfixes: 466* OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG 467 record. 468* OPENDNSSEC-261: Signer Engine: Ldns fails to parse RR that seems 469 syntactically correct. 470* OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr 471 struct. 472* OPENDNSSEC-281: Commandhandler sometimes unresponsive. 473* OPENDNSSEC-318: Signer Engine: Don't stop dns and xfr handlers if these 474 threads have not yet been started. 475* OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown. 476* OPENDNSSEC-325: Signer Engine: Don't include RRSIG records when DO bit is 477 not set. 478* OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be 479 transferred from master and has been expired. 480 481 482OpenDNSSEC 1.4.0a3 - 2012-08-08 483 484* OPENDNSSEC-258: Optionally include cka_id in output to 485 DelegationSignerSubmitCommand. 486 487Bugfixes: 488* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys 489 as dead (rather than actually removing them). Leave the key removal to purge 490 jobs. 491* SUPPORT-29: Signer Engine: Fix ods-signer clear <zone> command exits 492 prematurely [OPENDNSSEC-289]. 493* SUPPORT-30: Signer Engine: RRSIGs are left in the signed zone when 494 authoritative RRsets become glue [OPENDNSSEC-282]. 495* OPENDNSSEC-278: ods-ksmutil processes waiting forever to get DB lock 496* OPENDNSSEC-290: Signer Engine: Fix false conflict when changing CNAME into 497 other RRtype. 498* OPENDNSSEC-298: Enforcer: Only unlink existing pidfile on exit if we wrote it. 499* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists 500 and corresponding process is running, then complain and exit. 501* OPENDNSSEC-306: Can't delete zone until Enforcer made signconf. 502* Fix assertion error when printing signed zone with empty non-terminals and 503 NSEC. 504* Make setting QUERY ID in XFR requests more random. 505 506 507OpenDNSSEC 1.4.0a2 - 2012-05-24 508 509* OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address 510 with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}. 511* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs 512 even if zonelist has not changed. 513* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names 514 (RFC 2317). 515* OPENDNSSEC-249: ods-ksmutil: If key export finds nothing to do then say so 516 rather than display nothing which might be misinterpreted. 517* OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional. 518* OPENDNSSEC-263: Signer Engine: Added EDNS0 support, so that zone transfers 519 and SOA requests with OPT RRs are possible. 520* Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.) 521 522Bugfixes: 523* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA 524 Minimum change. 525* OPENDNSSEC-252: Signer Engine: Mark xfrhandler started, so that we don't 526 try to join a non-existing thread on exit. 527* OPENDNSSEC-259: Signer Engine: Fix assertion failure for outbound AXFR for 528 large zones. 529* OPENDNSSEC-264: Signer Engine: Fix assertion error on reading IXFR from 530 backup. 531* OPENDNSSEC-265: Signer Engine: Fix crash in corner cases when signing zone 532 with NSEC3 and Opt-out. 533* OPENDNSSEC-267: Signer Engine: Sign NOTIFY OK response with TSIG, if present 534 in the query and ACL. 535 536 537OpenDNSSEC 1.4.0a1 - 2012-03-15 538 539* Auditor: The Auditor has been removed. 540* Enforcer: Key label logging upon deletion (#192 Sebastian Castro) 541* Enforcer: Stop multiple instances of the Enforcer running by checking for 542 the pidfile at startup. If you want to run multiple instances then a 543 different pidfile will need to be specified with the -P flag. 544* Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS 545 records for output. 546* Enforcer/ods-ksmutil: Give a more descriptive error message if the 547 <Datastore> tag in conf.xml does not match the database-backend set at 548 compile time. 549* ods-ksmutil: Add warnings on "key export --ds" if no active or ready keys 550 were seen, or if both were seen (so a key rollover is happening). 551* ods-ksmutil: Prevent MySQL username or password being interpreted by the 552 shell when running "ods-ksmutil setup" 553* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is 554 put back the signer will not pick up the old file. 555* ods-ksmutil: "key delete" added. It allows keys that are not currently in 556 use to be deleted from the database and HSM. 557* OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can 558 be executed by ods-enforcerd. 559* OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in "key list" 560 with -v flag. 561* OPENDNSSEC-28: ods-ksmutil: "key list" shows next state with -v flag. 562* OPENDNSSEC-35: ods-ksmutil: "rollover list -v" now includes more information 563 on the KSKs waiting for the ds-seen command. 564* OPENDNSSEC-83: ods-ksmutil: "key generate" now displays how many keys will 565 be generated and presents the user with the opportunity to stop the 566 operation. 567* OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when 568 no -v flag is given. 569* Signer Engine: Input and Output DNS Adapters. 570* Signer Engine: Zonefetcher has been removed. 571 572Known issues: 573* Signer Engine: The backup files do not work correctly in this alpha release. 574 575Bugfixes: 576* Bugfix #246: Less confusing text for XML validation in ods-kaspcheck. 577* ods-ksmutil: "update kasp" now reflects changes in policy descriptions. 578* ods-ksmutil: Policy descriptions now have special characters quoted. 579* ods-ksmutil: Fix typo in policy export with NSEC3. 580 581 582OpenDNSSEC 1.3.13 - 2013-02-20 583 584Bugfixes: 585* OPENDNSSEC-388: Signer Engine: Internal serial should take into account 586 the inbound serial. 587* OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while 588 signconf was not changed. 589* Signer Engine: Fixed locking and notification on the drudge work queue, 590 signals could be missed so that drudgers would stall when there was work to 591 be done. 592 593 594OpenDNSSEC 1.3.12 - 2012-12-03 595 596Bugfixes: 597* SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a 598 directory in the default search path of the complier). 599* OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on 600 the OpenDNSSEC implementation of strlcpy/cat 601 602 603OpenDNSSEC 1.3.11 - 2012-11-13 604 605* OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero. 606 607Bugfixes: 608* OPENDNSSEC-306: Cant delete zone until Enforcer made signerconf. 609* OPENDNSSEC-281: Commandhandler sometimes unresponsive. 610* OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import 611* OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning 612* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27) 613* OPENDNSSEC-342: Auditor comparisons made case-insensitive 614* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process 615 616 617OpenDNSSEC 1.3.10 - 2012-08-10 618 619Bugfixes: 620* SUPPORT-30: RRSIGs are left in the signed zone when authoritative RRsets 621 become glue [OPENDNSSEC-282]. 622* OPENDNSSEC-261: Ldns fails to parse RR that seems syntactically correct. 623 Was due to memory allocation issues. Provided better log message. 624* OPENDNSSEC-285: Signer segfault for 6 or more -v options 625* OPENDNSSEC-298: Only unlink existing pidfile on exit if we wrote it. 626* OPENDNSSEC-303: Return if open/parse of zonelist.xml fails in ksmutil.c 627 update_zones() and cmd_listzone(). 628* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists 629 and corresponding process is running, then complain and exit. 630* Signer seems to hang on a ods-signer command. Shutdown client explicitly 631 with shutdown(). 632* opendnssec.spec file removed 633 634 635OpenDNSSEC 1.3.9 - 2012-06-15 636 637* OPENDNSSEC-277: Enforcer: Performance optimisation of database access. 638 639Bugfixes: 640* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as 641 dead (rather than actually removing them). Leave the key removal to purge 642 jobs. 643 644 645OpenDNSSEC 1.3.8 - 2012-05-09 646 647* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs 648 even if zonelist has not changed. 649* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names 650 (RFC 2317). 651* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite 652 only, MySQL already has them.) 653* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration, 654 but ods-auditor is not installed 655* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do 656 then say so rather than display nothing which might be misinterpreted. 657 658Bugfixes: 659* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA 660 Minimum change. 661* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all" 662 663 664OpenDNSSEC 1.3.7 - 2012-03-13 665 666* OPENDNSSEC-215: Signer Engine: Always recover serial from backup, 667 even if it is corrupted, preventing unnecessary serial decrementals. 668* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that 669 the daemon will start after a power failure. 670 671Bugfixes: 672* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY. 673* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug. 674* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators 675 in the signer backup files and the HSM are out of sync. 676* OPENDNSSEC-225: Fix problem with pid found when not existing. 677* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key 678 material with leading zeroes. DNSSEC does not allow leading zeroes in key 679 data. You are affected by this bug if your DNSKEY RDATA e.g. begins with 680 "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize 681 incoming data before adding it to the DNSKEY. Do not upgrade to this version 682 if you are affected by the bug. You first need to go unsigned, then do the 683 upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not 684 produce data with leading zeroes and the bug will thus not affect you. 685 686 687OpenDNSSEC 1.3.6 - 2012-02-17 688 689* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to 690 reconnect if it is not valid. 691* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of 692 time, let worker wait with pushing sign operations until the queue is 693 non-full. 694* Signer Engine: Adjust some log messages. 695 696Bugfixes: 697* ods-control: Wrong exit status if Enforcer was already running. 698* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the 699 help usage text. 700* OPENDNSSEC-207: Signer Engine: Fix communication from a process not 701 attached to a shell. 702* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing 703 signed file to an intermediate file first. 704 705 706OpenDNSSEC 1.3.5 - 2012-01-23 707 708* Auditor: Include the zone name in the log messages. 709* ldns 1.6.12 is required for bugfixes. 710* ods-ksmutil: Suppress database connection information when no -v flag is 711 given. 712* ods-enforcerd: Stop multiple instances of the enforcer running by checking 713 for the pidfile at startup. If you want to run multiple instances then a 714 different pidfile will need to be specified with the -P flag. 715* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is 716 put back the signer will not pick up the old file. 717* Signer Engine: Verbosity can now be set via conf.xml, default is 3. 718 719Bugfixes: 720* Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config 721 or -c when starting the signer. 722* Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that 723 becomes opt-out. 724* Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals. 725* Signer Engine: A file descriptor for sockets with value zero is allowed. 726* Signer Engine: Only log messages about a full signing queue in debug mode. 727* Signer Engine: Fix time issues, make sure that the internal serial does 728 not wander off after a failed audit. 729* Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms 730 with extra long signature expiration dates. More information in separate 731 announcement. 732 733 734OpenDNSSEC 1.3.4 - 2011-12-09 735 736Bugfixes: 737* Signer: Use debug instead of warning for drudgers queue being full, also 738 sleep 10ms if it is full to not hog CPU. This increased signing on 739 single core machines by a factor of 2. 740 741 742OpenDNSSEC 1.3.3 - 2011-11-17 743 744Bugfixes: 745* Auditor: Handle ruby 1.9 differences in ods-kaspcheck. 746* Auditor: Require dnsruby 1.53 for bugfixes. 747* Bugfix #262: Drudgers seem to be in a waiting state, but the RRset FIFO 748 queue is full. Do an additional broadcast. 749* Enforcer: Check HSM connection when waking up from sleep, attempt to 750 reconnect if it is not valid. (r5511 in trunk, ported into the branch due 751 to issues seen when CKR_DEVICE_ERROR returned by HSM.) 752* libhsm: Added hsm_check_context() to check if the associated sessions are 753 still alive. (Required for the above.) 754* ods-ksmutil: key import was not setting the retire time. 755* Signer Engine: Fix a threading issue, that could leave a zone without 756 a task. 757* Signer Engine: Update the signed zone file if only the $TTL or explicit 758 TTL has been changed. 759* Signer Engine: Remove the NSEC3PARAM RR when doing NSEC3 to NSEC rollover. 760* Signer Engine: Deal with carriage returns (dos format) in zone file. 761* Signer Engine: <Refresh> is PT0S means that refresh equals signtime. 762* Signer Engine: Defense in depth in signer for duplicate keys. 763* Signer Engine: Make sure that all required zonelist elements exist, 764 otherwise error. 765* Signer Engine: Warn the user if the serial is b0rk, and you can not 766 use the serial from the signconf. 767* Signer Engine: Log Auditor exit code. 768* Fix a similar bug like #257: Error in ods-signerd, where a corrupted 769 backup file results in an invalid pointer free(). 770 771 772OpenDNSSEC 1.3.2 - 2011-09-13 773 774Bugfixes: 775* Bugfix #257: Error in ods-signerd, where a corrupted backup file results 776 in an invalid pointer free(). 777* Signer Engine: Mark that a zone has a valid signer configuration, after 778 recovering the zone from the backup files. 779 780 781OpenDNSSEC 1.3.1 - 2011-09-07 782 783Bugfixes: 784* Auditor: Fix 'ZSK in use too long' message to handle new signer behaviour. 785* Bugfix #255: RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein) 786* Bugfix #256: Make sure argument in "ods-control signer" is not stripped off. 787* Bugfix #259: ods-ksmutil: Prevent MySQL username or password being 788 interpreted by the shell when running "ods-ksmutil setup". 789* Bugfix #260: "ods-ksmutil zone list" now handles empty zonelists. 790* Enforcer: Unsigned comparison resulting in wrong error message. 791* ods-ksmutil: fixed issue where first ds-seen command run on a zone would 792 work, but return an error code and not send a HUP to the enforcerd. 793* Signer Engine: A threading issue occasionally puts the default validity 794 on NSEC(3) RRs and the denial validity on other RRs. 795* Signer Engine: An update command could interrupt the signing process and the 796 zone would get missing signatures. 797* Signer Engine: Fix an issue where some systems could not copy the zone file. 798* Zonefetcher: Check inbound serial in transferred file, to prevent 799 redundant zone transfers. 800 801 802OpenDNSSEC 1.3.0 - 2011-07-12 803 804* Include simple-dnskey-mailer-plugin in dist. 805* Enforcer: Change message about KSK retirement to make it less confusing. 806 807Bugfixes: 808* ods-control: If the Enforcer did not close down, you entered an infinite 809 loop. 810* Signer Engine: Fix log message typos. 811* Signer Engine: Fix crash where ods-signer update 812* Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy. 813* Zonefetcher: Sometimes invalid 'Address already in use' occurred. 814* Bugfix #247: Fixes bug introduced by bugfix #242. 815 816 817OpenDNSSEC 1.3.0rc3 - 2011-06-12 818 819* Do not distribute trang. 820 821Bugfixes: 822* Fix test for java executable and others. 823* Auditor: Fix delegation checks. 824* Bugfix #242: Race condition when receiving multiple NOTIFIES for a zone. 825* ods-kaspcheck: Do not expect resalt in NSEC policy. 826* Signer Engine: Ifdef a header file. 827* Signer Engine: The default working directory was not specified. 828* Signer Engine: Handle stdout console output throttling that would 829 truncate daemon output intermittently. 830 831 832OpenDNSSEC 1.3.0.rc2 - 2011-05-18 833 834* Match the names of the signer pidfile and enforcer pidfile. 835* Include check for resign < resalt in ods-kaspcheck. 836 837Bugfixes: 838* Bugfix #231: Fix MySQL version check. 839* ods-ksmutil: Update now sends a HUP to the enforcerd. 840* Signer Engine: Fix assertion failure if zone was just added. 841* Signer Engine: Don't hsm_close() on setup error. 842* Signer Engine: Fix race condition bug when doing a single run. 843* Signer Engine: In case of failure, also mark zone processed (single run). 844* Signer Engine: Don't leak backup file descriptor. 845* signconf.rnc now allows NSEC3 Iterations of 0 846 847 848OpenDNSSEC 1.3.0rc1 - 2011-04-21 849 850* <SkipPublicKey/> is enabled for SoftHSM in the default configuration. 851 It improves the performance by only using the private key objects. 852* Document the <RolloverNotification> tag in conf.xml. 853* Include check for resign < resalt in ods-kaspcheck. 854 855Bugfixes: 856* Bugfix #221: Segmentation Fault on schedule.c:232 857* Enforcer: 'make check' now works. 858* Enforcer: Fixed some memory leaks in the tests. 859* Signer Engine: Coverity report fixes some leaks and thread issues. 860* Signer Engine: Now logs to the correct facility again. 861 862 863OpenDNSSEC 1.3.0b1 - 2011-03-23 864 865* Support for signing the root. Use the zone name "." 866* Enforcer: Stop import of policy if it is not consistent. 867* ods-signer: The queue command will now also show what tasks the workers 868 are working on. 869* Signer Engine: Just warn if occluded zone data was found, don't stop signing 870 process. 871* Signer Engine: Simpler serial maintenance, reduces the number of conflicts. 872 Less chance to hit a 'cannot update: serial too small' error message. 873* Signer Engine: Simpler NSEC(3) maintenance. 874* Signer Engine: Temperate the number of backup files. 875* Signer Engine: Set number of <SignerThreads> in conf.xml to 876 get peak performance from HSMs that can handle multiple threads. 877 878Bugfixes: 879* Bugreport #139: ods-auditor fails on root zone. 880* Bugreport #198: Zone updates ignored? 881* Replace tab with white-space when writing to syslog. 882* Signer Engine: Do not block update command while signing. 883 884 885OpenDNSSEC 1.2.1 - 2011-03-18 886 887* ldns 1.6.9 is required for bugfixes. 888* dnsruby-1.52 required for bugfixes. 889 890Bugfixes: 891* Auditor: 'make check' now works when srcdir != builddir. 892* Auditor: Include the 'make check' files in the tarball. 893* Enforcer: Fix the migration script for SQLite. 894* Enforcer: Increase size of keypairs(id) field in MySQL to allow more than 895 32767 keys; see MIGRATION for details. 896* Enforcer: Minor change to NOT_READY_KEY error message. 897* libhsm: Increase the maximum number of attached HSM:s from 10 to 100. 898* ods-ksmutil: Send trivial MySQL messages to stdout when exporting zonelist 899 etc. Otherwise the resulting XML needs to be edited by hand. 900* ods-control: Fix for Bourne shell. 901* Signer Engine: Prevent race condition when setting up the workers and 902 the command handler. 903* Signer Engine: Check if the signature exists before recycling it. 904* Signer Engine: Quit when there are errors in the configuration. 905* Signer Engine: Enable core dump on failure. 906* Signer Engine: Explicitly close down log msg with null. 907* Signer Engine: Backup state after writing output. 908* Signer Engine: Allow update of serial if internal structure is not 909 initialized. 910* Signer Engine: NSEC chain could become broken if the predecessor domain 911 of a deleted domain was a glue domain. 912 913 914OpenDNSSEC 1.2.0 - 2011-01-13 915 916Bugfixes: 917* Enforcer: Fixed a number of build warnings. 918 919 920OpenDNSSEC 1.2.0rc3 - 2010-12-27 921 922* Moved migration instructions to the file MIGRATION 923 924Bugfixes: 925* Bugreport #199: The previous DB schema change made the zone removal broken. 926* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk). 927* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand. 928* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog. 929* Enforcer: Fixed pontential format string bug. 930* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby. 931* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you. 932* Signer Engine: Set notify command for zone when receiving ods-signer update. 933* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed 934 in KASP. 935* Signer Engine: Now logs to the correct facility. 936* Signer Engine: Also remove NSEC records when detecting changes in 937 signconf <Denial> 938* Signer Engine: Dropped privileges before starting Zonefetcher. 939 940 941OpenDNSSEC 1.2.0rc2 - 2010-11-24 942 943Bugfixes: 944* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive. 945* Signer Engine: Also create new signature if TTL of RR has changed. 946* Signer Engine: Drop old NSEC/NSEC3 records. 947* ods-ksmutil: Fixed some memory leaks. 948 949 950OpenDNSSEC 1.2.0rc1 - 2010-11-17 951 952* New commandline option for the signer: ods-signer running. 953* Allow connection to different MySQL ports in the Enforcer. 954* Tone down and explain warning when converting M or Y to seconds 955* ldns 1.6.7 is required for bugfixes 956* dnsruby 1.51 is required for bugfixes 957 958Bugfixes: 959* Bugreport #187: ods-control signer start will return non-zero if start up 960 failed (uses ods-signer running). 961* Narrow glue at the zone cut is allowed, do not consider it as occluded. 962* Move zone fetcher output to correct input adapter file. 963* Enforcer shared keys on zones with ShareKeys disabled. 964* Make names of key states consistent. 965* Signer Engine file descriptor leak fix on engine.sock. 966* Set explicit "unlimited" repository capacity to prevent random integer being 967 read. Requires "ods-ksmutil update conf" to be run if using an existing 968 database. 969* Fix issue with key generation creating too many keys Ticket #194. 970* Bugreport #189: Auditor did not handle white-space-seperated substrings 971 for base64 text 972* Bugreport #190: Auditor (and signer) does not handle case correctly 973* Signer now silence stdout-output from the notify command 974 975 976OpenDNSSEC 1.2.0b1 - 2010-10-18 977 978* A new signer engine, written in c. Zones are maintained in memory, instead of 979 in files on disk. 980* Signer Engine: Check if the signature exists before recycling it. 981* Removed the python and python-4suite-xml dependencies. 982* Remove separate autoconf for libhsm/conf/enforcer. 983* Add option to disable building the signer. 984* Signer logs statistics just after outputting a new signed zone. 985* libhsm will skip processing (and not create) any public keys if the 986 per repository option <SkipPublicKey/> is set. 987* Keysharing improved - keys can now exist in different states on each zone 988 that the key is in use for. 989* Backup prepare/commit/rollback added for 2-step backups without taking the 990 enforcer offline. 991* Standby keys are now optional (default to 0) and should be considered 992 experimental. 993 994Bugfixes: 995* Fix semantics of refresh value in Signer Engine. 996* Auditor handles chains of empty nonterminals correctly. 997* Recalculate salt immediately if the saltlength is changed. 998* libhsm connected to slot 0 if the token label was not found. 999 An error is now returned instead of connecting to the slot. 1000* Bugreport #102: Removed the obsoleted python-4suite-xml dependency. 1001* Fixed Known Issue: KSK rollover requires manual timing. 1002* Fixed Known Issue: Key rollover and reuse of signatures. 1003* Fixed Known Issue: Issue with sharing keys and adding zones. 1004* Fixed Known Issue: Quicksorter does not allow certain owner names 1005 (Quicksorter is removed, signer now reads and sorts the zone). 1006 1007 1008OpenDNSSEC 1.1.3 - 2010-09-10 1009 1010Bugfixes: 1011* Bugreport #183: Partial zone could get signed if zone transfer failed 1012 when using zone_fetcher 1013 1014 1015OpenDNSSEC 1.1.2 - 2010-08-24 1016 1017* Dnsruby 1.49 now required (for correct zone parsing) 1018* ldns 1.6.6 is required to fix the zone fetcher bug 1019 1020Bugfixes: 1021* ods-control stop did not stopped zone fetcher (bug was introduced in 1.1.0) 1022* Auditor correctly handles chains of empty nonterminals 1023* Zone fetcher can block zone transfers if AXFR once failed. This is a bug 1024 in ldns versions 1.6.5 and lower. See KNOWN_ISSUES for more information. 1025* Bugreport #165: Ensure Output SOA serial is always bigger than Input SOA 1026 serial. 1027* Bugreport #166: Correct exit value from signer. 1028* Bugreport #167: Zone fetcher now also picks up changes when zonelist is 1029 reloaded (thanks Rick van Rein) 1030* Bugreport #168: ods-control with tightened control for the Enforcer 1031* Bugreport #169: Do not include config.h in the distribution 1032* Bugreport #170: Typo in a man page (ods-signer) 1033* Bugreport #172: Correction of some macros in a man page (ods-timing) 1034* Bugreport #173: A man page used a macro that does not exist (ods-ksmutil) 1035 1036 1037OpenDNSSEC 1.1.1 - 2010-07-08 1038 1039Bugfixes: 1040* Bugreport #127: Large SOA serial numbers were not handled properly by signer 1041* Bugreport #133: Better handling of SOA serial when setting is 'keep' 1042* Bugreport #136: quicksorter could not handle standard bind format SOA rdata 1043* The Auditor could not handle the new way of rolling KSKs 1044* One log message in the Enforcer referred to an old command 1045* The Enforcer forgot to publish certain keys during transition between states 1046 1047 1048OpenDNSSEC 1.1.0 - 2010-05-26 1049 1050 1051OpenDNSSEC 1.1.0rc3 - 2010-05-15 1052 1053Bugfixes: 1054* Could not compile quicksorter on FreeBSD. 1055* Bugreport #131: test suite fails in 1.1.0rc2 1056 1057 1058OpenDNSSEC 1.1.0rc2 - 2010-05-04 1059 1060Bugfixes: 1061* Fix semantics of refresh value in Signer Engine. 1062 1063 1064OpenDNSSEC 1.1.0rc1 - 2010-04-21 1065 1066* Partial Auditor added 1067* Dnsruby-1.46 required 1068* Improved error messages when the system runs out of keys 1069* Optimise communication of signconfs for multiple zones sharing keys. 1070 Group zones in zonelist.xml by policy to get this benefit. 1071* Bugreport #101: Signer Engine now maintains its own pidfile. 1072* Jitter redefined: now in the range of [-jitter, ..., +jitter] 1073* Optimized sorter: quicksorter (sorter becomes obsolete). 1074* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er 1075 become obsolete). 1076* Enable database selection using --with-database-backend={sqlite3|mysql} 1077* Enable the EPP-client using --enable-eppclient 1078 For sending DS RR to the parent zone (experimental) 1079* Turn NSEC3 OptOut off by default 1080* Install kasp2html XML stylesheet 1081* Add simple kasp2html conversion script 1082* DNSKEY records communicated to an external script if configured 1083* The command 'ods-signer restart' is removed. 1084* Signer Engine now also reuses signatures after a change in NSEC(3) 1085 configuration or rolling keys. 1086* Quicksorter defaults to class IN. 1087 1088Bugfixes: 1089* Enforcer: Make sure that we read the correct config file when dropping privs 1090* Enforcer: Prevent int overflow when generating a large number of keys 1091* Enforcer: Fixed a confusion between standby ZSKs and KSKs 1092* Fixed various enable-options in the configure scripts 1093* Respect $DESTDIR for config files 1094* Looked for the database init script in $prefix/share/opendnssec and not 1095 datadir. 1096* More proper memory cleanup in parsing zonefetch.xml 1097* Zonefetch.xml now accepts hmac-md5, which is an alias for 1098 hmac-md5.sig-alg.reg.int. 1099* Zone fetcher logged wrong zone when NOTIFY received. 1100* Zone fetcher sometimes did not log when signalling signer engine failed. 1101* Fix issue of importing keys into kasp leaving random strings in the 1102 retire date. 1103* Fix KSK rollover logic to be proper DoubleDNSKEY 1104* Fix issue with reading repositories from conf.xml 1105* Fix issue with reading policies from kasp.xml 1106* Canonicalize RRs before nseccing zone. 1107* Bugreport #113: zone fetcher started before dropping privileges, so that 1108 it can bind to socket. 1109* Signer Engine defaults to working directory if missing. 1110* libhsm: fixed incorrect label length for wildcards (leftmost wildcard label 1111 was included in count). 1112 1113 1114OpenDNSSEC 1.0.0 - 2010-02-09 1115 1116Bugfixes: 1117* Fixed broken path in ods-control 1118 1119 1120OpenDNSSEC 1.0.0rc4 - 2010-02-02 1121 1122* Added manual pages for ods-auditor(1), ods-control(8), ods-enforcerd(8), 1123 ods-signerd(8), ods-signer(8), ods-hsmpseed(1), ods-hsmutil(1), 1124 ods-kaspcheck(1), ods-ksmutil(1), ods-timing(5), opendnssec(7). 1125* Move ods-control & ods-signer from PREFIX/bin to PREFIX/sbin. 1126* Dnsruby-1.43 is now required 1127 1128Bugfixes: 1129* Bugreport #89: Signer Engine: bug in logging.c. 1130* Auditor: Had some problems with escaped characters in domain names 1131 1132 1133OpenDNSSEC 1.0.0rc3 - 2010-01-25 1134 1135* A code review was performed by members of the project group. No serious 1136 problem was found. The code review resulted in some polishing of the code. 1137* Dnsruby-1.42 is now required, it fixes issues with TXT and NAPTR record 1138 parsing. 1139* ldns 1.6.4 is now required. 1140* Known issues has been moved from NEWS to KNOWN_ISSUES. 1141 1142Bugfixes: 1143* ods-ksmutil: The ksk-roll command did not handle its options correctly 1144* Auditor: Configured zone SOA TTL now used to track pre-published keys, 1145 rather than the unsigned zone SOA TTL. 1146* Enforcer: There was a flaw in the implementation of the timing code (it 1147 follows an earlier version of the draft and at one point does not add on 1148 the safety margin). 1149* Enforcer: MySQL memory leaks fixed. 1150* Signer Engine: When changing policy or rollover a key, the old signed zone 1151 was not found, 1152 so always resulting in a fresh resign. 1153* Signer Engine: RRsets with varying TTLs on the records where considered 1154 different RRsets, the signer engine now eqaulizes those TTLs. 1155 1156 1157OpenDNSSEC 1.0.0rc2 - 2009-12-16 1158 1159Bugfixes: 1160* Signer Engine: Signer processes could remain open, if they were not close 1161 correctly. 1162* ods-ksmutil: Got a segmentation fault, when an HSM was missing in the 1163 configuration. Only applied to versions using MySQL. 1164* Zone fetcher: Did not close files before moving them. 1165* Zone fetcher: The serial arithmetic was not correct. 1166* Auditor: It now ignores unrecognized RR types. 1167* Signer Engine: Wrong handling of escaped characters in strings 1168 (fixed in ldns trunk) 1169* Set correct permissions on the configuration files. 1170 1171Known issues: 1172* Zone fetcher: When using TSIG, an incorrect MAC can be created if the 1173 length of the used secret is 'too long' (longer than the maximum digest 1174 length). This problem is in LDNS 1.6.3 and previous versions. This bug is 1175 fixed in the upcoming LDNS 1.6.4 release. 1176* Auditor: Some good NAPTR records may fail to verify with dnsruby-1.41. 1177 This will be fixed in a future dnsruby release. 1178* TXT RRs: Some TXT RRs with escape characters may fail to parse correctly 1179 with dnsruby-1.41 and ldns 1.6.3. This is fixed in the upcoming releases. 1180 1181 1182OpenDNSSEC 1.0.0rc1 - 2009-12-04 1183 1184* Auditor: dnsruby-1.41 should be used (includes fixes for zero length 1185 salt and RFC3597 unknown classes) 1186* Signer Engine: ldns 1.6.3 should be used (includes NSEC3 bugfix and class 1187 inheritance when creating signatures) 1188 1189Bugfixes: 1190* Signer Engine: 1.0.0b8 introduced a bug that no signatures where reused. 1191 Re-fixed. 1192* Signer Engine: Fix ods-signer start (could hang on MacOSX) 1193* Signer Engine: Mark a zone in progress if in use by one of the tools. 1194 Prevents multiple tasks being created for the same zone. 1195* Signer Engine: Dropped records when zone content changed. 1196* Signer Engine: Drop inherited groups and set additional groups when dropping 1197 privileges. 1198* Zone fetcher: Clean up empty files if AXFR failed 1199* Zone fetcher: Make syslogging RFC-compliant 1200 1201 1202OpenDNSSEC 1.0.0b9 - 2009-11-27 1203 1204* ods-ksmutil: update command split so that individual configuration files can 1205 be updated separately. 1206* ods-ksmutil: "ds-seen" renamed to "ksk-roll" which is a more accurate 1207 description of its effect. (ds-seen will reappear in v1.1) 1208* add contributed .spec file for RPM builds 1209* Signer Engine: verifies signature after creation. 1210 1211Bugfixes: 1212* Signer Engine: Output better information if the HSM fails with the signing. 1213* ods-ksmutil: update zonelist correctly links keys to new zones if key sharing 1214 is turned on. 1215* Bugreport #59: Problem starting ods-signer on a 64-bit machine 1216* ods-ksmutil: update zonelist command now correctly adds and deletes zones 1217 (and sorts out their keys). 1218 1219OpenDNSSEC 1.0.0b8 - 2009-11-23 1220 1221* ods-ksmutil: KSK rollover now holds at the point where the new key is made 1222 active until the command "ds-seen" is issued. 1223* ods-ksmutil: "database backup" implemented to safely make a copy of the 1224 SQLite enforcer database. 1225 1226Bugfixes: 1227* Auditor: Crashed on unknown RR class. 1228* Signer Engine: NSEC3 RR included wrong information in bitmap (fixed in ldns 1229 trunk). 1230* Signer Engine: Force a new signed zone if input is reread. Necessary because 1231 we cannot recognize if 1232 glue or unsigned delegations have been added and/or removed (yet). 1233* Signer Engine: Fix adding duplicate signatures in case of single key is 1234 being used as both ZSK and KSK. 1235* Bugreport #46: Vanishing records 1236* KASP Enforcer: Could not handle zones with names longer than 30 characters. 1237 1238 1239OpenDNSSEC 1.0.0b7 - 2009-11-16 1240 1241* ods-auditor: Dnsruby version 1.40 or later required. 1242* ods-kaspcheck: Checks Enforcer SQLite datastore to ensure writable 1243* Signer Engine: LDNS 1.6.2 is recommended (bugfixes) 1244* The supported RRs are documented on the wiki 1245 1246Bugfixes: 1247* ods-ksmutil: Segmentation fault when missing arguments to "key import" 1248* KASP Enforcer: Improved support for MySQL (experimental) 1249* Signer Engine: DLV is included in NSEC RR (fixed in LDNS 1.6.2) 1250* Signer Engine: Better handling of removed zones 1251* Signer Engine: Correct handling of zero length rdata - RFC3597 style (fixed 1252 in LDNS trunk) 1253* Signer Engine: Inherit class of zone to DNSSEC-related RRs 1254 1255 1256OpenDNSSEC 1.0.0b6 - 2009-11-06 1257 1258* ods-hsmutil now has a command ("purge") to remove ALL keys from a given 1259 repository. 1260 1261Bugfixes: 1262* Some minor bugfixes for the auditor 1263* Better detection for MySQL (now requires --enable-mysql to build) 1264* Init PKCS#11 library with CKF_OS_LOCKING_OK 1265* Change config file flag to hsmspeed 1266 1267 1268OpenDNSSEC 1.0.0b5 - 2009-10-31 1269 1270* Reintroduce MySQL for enforcer back-end on an experimental footing 1271 1272Bugfixes: 1273* Auditor: Fixed TXT parsing. 1274* ods-ksmutil: Database could not be created for first time users. 1275* ods-ksmutil: Set the correct privileges on the database. 1276* Signer Engine: Tweek log levels. 1277* Signer Engine: Fixed segmentation fault with WKS RR (in LDNS trunk). 1278* Signer Engine: Fixed NSAP, IPSECKEY, and SIG parsing (in LDNS trunk). 1279* Signer Engine: Disable multiline parsing when the line is commented out. 1280* Signer Engine: The tools are not hanging any more. Better pipe handling. 1281* Signer Engine: NSEC zone even if only 1 NSEC is needed. 1282* Signer Engine: Don't create NSEC3 records for empty non terminals that 1283 lead to glue. 1284* Signer Engine: LDNS can now parse explicit TTLs that are non-numbers 1285 (for example 3d2h, in LDNS trunk). 1286* Bugreport #43: ods-signer: The command parser was too strict with white 1287 spaces. 1288 1289OpenDNSSEC 1.0.0b4 - 2009-10-23 1290 1291* Default TTL in case of $TTL or explicit RR TTL becomes the SOA Minimum 1292 value (was 3600). 1293* The signer engine will check if another engine is already running before 1294 starting. 1295* Startup scripts for Solaris (SMF). 1296* Auditor gives an error if key moves to "in use" without sufficient 1297 "prepublished" time. 1298 1299Bugfixes: 1300* Trailing spaces are not part of the domain name/ include file/ ttl in 1301 directives. 1302* nsec3er: Print final RRset, even if no NSEC3 was needed at that RRset. 1303* Proper privileges dropping when creating the command socket 1304* Signer sometimes didn't terminate if socket shutdown failed. 1305 1306Known issues: 1307* The Signer Engine fails with broken pipes sometimes. 1308 1309 1310OpenDNSSEC 1.0.0b3 - 2009-10-16 1311 1312* The auditor now tracks the SOA serial over time 1313* The auditor (dnsruby) supports RSA/SHA256 and RSA/SHA512 1314 1315Bugfixes: 1316* The LDNS bug that affected SRV records has been fixed in ldns-trunk. 1317* Bugreport #41: Fix for SOA serial 'keep'. 1318* Allow for SOA Serial/TTL/Minimum values of zero. 1319* Correct socket binding of NotifyListen. 1320* Systems with older SQLite had problem rolling keys on a policy. 1321* Auditor now handles SSHFP and NAPTR records correctly 1322 (but needs Dnsruby 1.39) 1323* Auditor now handles TTLs in zone file with suffix s, m, h, d, and w. 1324 1325 1326OpenDNSSEC 1.0.0b2 - 2009-10-09 1327 1328* Added experimental support for RSA/SHA256 and RSA/SHA512 to KASP auditor. 1329 Dnsruby version 1.38 or higher required for SHA2 support. 1330* Added experimental support for RSA/SHA256 and RSA/SHA512 to KASP enforcer 1331 and the signer engine. 1332* SignerThreads and KeygenInterval has been deprecated (actually removed 1333 just before 1.0.0b1). 1334* Added support for RSA/SHA256 and RSA/SHA512 to libhsm. No API changes. 1335 1336Bugfixes: 1337* Bugreport #33 (#35): Output a signed zone if only the SOA record changed. 1338* Zone fetcher did not start correctly 1339* Create the pid / socket directory if it not yet exists, with the correct 1340 privileges. 1341* Signer Engine now catches exception if running with incorrect permission. 1342* TCP-support for LDNS on Solaris is fixed in LDNS trunk. 1343 1344Known issues: 1345* LDNS is having problem with SRV records. The main effect is that these 1346 records are given non-valid RRSIGs. This is still under investigation. 1347 1348 1349OpenDNSSEC 1.0.0b1 - 2009-10-02 1350 1351* <Purge> tag added to automatically delete keys that have been dead 1352 for some interval. 1353* Rename all OpenDNSSEC command line tools and daemons to ods-XXX (e.g. 1354 ksmutil becomes ods-ksmutil). 1355* kasp_check command added to check the conf.xml and kasp.xml configuration 1356 files for sanity and consistency. 1357* communicated and keygend combined to form "ods-enforcerd". 1358* ksmutil command line changes. Most commands have changed slightly, but 1359 there are some significant changes (see 1360 http://svn.opendnssec.org/docs/command-tools-syntax.txt for details.) 1361* Enforcer database now has a version number. If it differs from the version 1362 number in the code (specified via a #define statement), the software will 1363 issue an error message and not connect to the database. 1364* "ksmutil list keys" now displays the keytag if the -l flag is passed to it. 1365* "Emergency Keys" renamed to "Standby Keys" as this better reflects their 1366 role in OpenDNSSEC. 1367* The behaviour of SOA Serial value 'counter' has changed according to 1368 Ticket #31. 1369* The directory "xml" and been renamed to "conf". (This is part of repository 1370 clean.) 1371* There are changes to the KASP DB: 1372* Zone fetcher added, that will do AXFR from the master. 1373 1374 If want to use your old database, use the following commands to upgrade: 1375 1376 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090922_1.sqlite3 1377 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090930_1.sqlite3 1378 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_091002_1.sqlite3 1379 1380 Or, to start a new (with loss of information), remove old keys from the HSM 1381 and issue the command: 1382 1383 ksmutil setup 1384 1385Bugfixes: 1386* Make sure that parenthesis in zonefiles don't concatenate rdata fields. 1387 1388Known issues: 1389* TCP-support for LDNS on Solaris is currently broken due to an issue with 1390 SO_RCVTIMEO. The result is that the zonefetcher doesn't work. No other 1391 parts of OpenDNSSEC is affected by this bug. 1392 There is currently no workaround. 1393 1394 1395OpenDNSSEC 1.0a5 - 2009-09-21 1396 1397Features: 1398* support %zonefile expansion in the signer engine NotifyCommand 1399 1400Bugfixes: 1401* Read <OptOut/> correctly from the kasp.xml 1402* Correctly discover Empty Non-Terminals when reading input zonefile 1403* Don't error on space-only lines in input zonefile 1404 1405 1406OpenDNSSEC 1.0a4 - 2009-09-10 1407 1408Features: 1409* warn (by sending a message to the log) about: 1410 - impending key rollover 1411 - Rollover occurrance 1412 - when it is safe to remove a DS record 1413* add export of DNSKEY and DS records to ksmutil 1414* add configure option '--disable-auditor' to disable building the auditor 1415* Added <ManualRollover/> tag to kasp.xml; this allows automatic rollovers 1416 to be turned off in a policy for either keytype. 1417* Changes to the KASP DB, please apply: 1418 If want to use your old DB: 1419 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090901_1.sqlite3 1420 Or start fresh (with loss of information. User should remove old keys 1421 from the HSM): 1422 ksmutil setup 1423 1424Bugfixes: 1425* "signer_engine_cli clear <ZONE>" dont crash on missing files anymore 1426 and removes all internal files now 1427* Bugreport #18, #19: Fix segfault at nseccer, nsec3er or finalizer when 1428 handling large zones. 1429* Signer Engine starts correctly (problem was python 2.4, not RHEL5). 1430 1431 1432OpenDNSSEC 1.0a3 - 2009-08-26 1433 1434Features: 1435* ksmutil import key implemented for importing key ID of existing keys 1436* "hsmspeed" will test the speed of the HSM. 1437* "hsmutil test" will test the HSM against OpenDNSSEC. 1438* Changes to the KASP DB, please apply: 1439 If want to use your old DB: 1440 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090820_1.sqlite3 1441 Or start fresh (with loss of information. User should remove old keys 1442 from the HSM): 1443 ksmutil setup 1444 1445Bugfixes: 1446* Better display of null backups (i.e. backup required) in ksmutil list 1447* Don't show historical rollovers in ksmutil list 1448* Fix key counting routines so that they all agree 1449* Missing SQLite includes in the Enforcer 1450 1451Known bugs: 1452* Signer Engine not starting correctly in RHEL5. 1453 Use "signer_engine -d" for now 1454* "signer_engine_cli clear <ZONE>" crashes on missing files 1455 1456 1457OpenDNSSEC 1.0a2 - 2009-08-14 1458 1459Features: 1460* conf.xml format changed 1461* Read the default path to kasp.xml from conf.xml 1462* libksm integrated into enforcer (and no longer installed) 1463* Dropping privileges as specified 1464* Option to specify that a key from a specific repository 1465 should not be used if it has not been backed up 1466* ksmutil backup done, to signal that the keys are backed up 1467* KASP Auditor should now function properly 1468* A quick start script is available 1469* XSLT to translate KASP into readable text (HTML) 1470* Changes to the KASP DB, please apply: 1471 If want to use your old DB: 1472 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090812_1.sqlite3 1473 sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090813_1.sqlite3 1474 Or start fresh (with loss of information): 1475 ksmutil setup 1476 1477Bugfixes: 1478* Signer Engine can now read standard bind format correctly 1479* make install creates an incorrectly named directory 1480* ksmutil addzone defaults to wrong path 1481* SoftHSM links libsofthsm to build directory 1482* libksm install problem when builddir == srcdir 1483* Missing include of header file in SoftHSM 1484* Text about a problem with Botan on some systems. 1485 1486 1487OpenDNSSEC 1.0a1 - 2009-07-30 1488 1489* Initial release (aka "Technology Preview") 1490