zkt 1.1.3 -- 21. Nov 2014

* func  New Config Parameter DependFiles added.
        Contains a (comma separated) list of files which are
        included into the ZoneFile. The timestamps of these files
        are checked in addition to the timestamp of the ZoneFile.
        Based on a suggestion from Sven Strickroth

* misc  Makefile changed to build tar file out of git repository

* misc  Minimum supported BIND version is now 9.8

* bug   Fixed bug in BIND version parsing (9.10.1 was parsed as 910
        which is similar to 9.1.0)
        Version 9.10.1 is parsed now as 091001

* misc  Remove flag to request large exponent when creating keys
        (BIND always creates keys with large exponents since BIND 9.5.0)

* misc  Project moved to github
        Thanks to Jakob Schlyter for doing the initial stuff

zkt 1.1.2 -- 05. Dec 2012

* bug   Fixed bug introduced by changes on inc_soa_serial()

zkt 1.1.1 -- 27. Nov 2012

* bug   Error fixed in zkt-conf in parsing the version number

* misc  inc_soa_serial() now returns 0 on success

* bug   Fixed bug in inc_serial()
        The zone file wasn't closed on successful change of the soa record.
        Many thanks to Frederik Soderblom for fixing this.

zkt 1.1 -- 30. Jan 2012

* misc  Release numbering changed to three level "major.minor.revision" scheme

* bug   REMOVE_HOLD_TIME was set to 10 days only (Thanks to Chris Thompson)

* doc   Improved README file (Thanks to Jan-Piet Mens)

* misc  Fixed some typos in log messages

* bug   Fixed error in rollover.c (return code of genfirstkey() wasn't checked)

* misc  Default of KeySetDir changed from NULL to ".." (best for hierarchical mode)
        Default Sig Lifetime changed from 10 days to 3 weeks (21 days)
        Default ZSK lifetime changed from 3 months to 4 times the sig lifetime
        Default KSK lifetime changed from 1 year to 2 years
        Parameter checks in checkconfig() adapted.
        KSK random device changed back from /dev/urandom to BIND default
        (Be aware of some possibly long delay in key generation)

* func  New configure option to set the bind utility path manually (--enable-bindutil_path)
        BIND_UTIL_PATH in config_zkt.h will no longer be used
        (Thanks to Mans Nilsson)

* bug   If nsec3 is turned on and KeyAlgo (or AddKeyAlgo) is RSASHA1
        or DSA, genkey() uses algorithm type NSEC3RSASHA1 or NSEC3DSA instead.
        (Thanks to Holger Wirtz)

* bug   Error in printconfigdiff() fixed. (Thanks to Holger Wirtz)

* func  Description added to (some of the) dnssec.conf parameters

* func  Adding a patch from Hrant Dadivanyan to always pre-publish ZSKs

* misc  Config file syntax changed to parameter names without underscores.
        zkt-conf uses ZKT_VERSION string as config version

* bug   "make install-man" now installs all man pages

* bug   Bug fixed in zfparse.c. zkt-conf was unable to detect an already
        included dnskey.db file if another file was included.

* misc  destination dnssec-zkt removed from Makefile.in

* func  dki_prt_managedkeys() added to dki.c
        zkt_list_managedkeys() added to zkt.c
        zkt-ls has new option -M to print out a list of managed-keys

* bug   Bug fixed in the config parser (zconf.c). Couldn't parse
        algorithm RSASHA512 correctly (Thanks to Michael Sinatra)

zkt 1.0 -- 15. June 2010

* func  "/dev/urandom" check added to checkconfig()

* func  Config compatibility switch (-C) added to zkt-conf

* func  zkt-ls has a new switch -s to change sorting of domains from
        subdomain before parent to subdomain below the parent

* func  "zkt-ls -T" prints only parent trust anchor

zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )

* func  Several config parameters are printed now in a more consistent and
        user friendly form.
        SerialFormat "Incremental" could be abbreviated as "inc" on input.

* bug   use of AC_ARG_ENABLE macros changed in a way that it is possible
        to use it as a "--disable-FEATURE" switch.

* port  no longer checking for malloc() in configure script.
        Mainly because it checks only if malloc(0) is allowed and we do
        not need this.

* port  --disable-color-mode added to configure script

* bug   Macro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac

* misc  man page zkt-keyman added

* misc  New command zkt-keyman added as replacement for dnssec-zkt's key
        management functionality

* misc  man page zkt-ls added

* port  Check for ncurses added to Makefile.in

* misc  Color mode (Option -C) added to zkt-ls (experimental)
        New source file tcap.c.

* misc  Deprecate "single linked list" version of ZKT. The binary tree
        version has been the default for years, so the VERSION string no
        longer contains a "T". Now, if someone insists on the single linked
        list version (configure --disable-tree) an "S" is added to the
        version string.
        Anyway, the code for the single linked list version no longer
        has the same functionality and will be removed in one of the later
        releases.

* misc  New command zkt-ls added as replacement for dnssec-zkt's key
        listing functionality

* func  New key algorithms RSASHA256 and RSASHA512 added to dki.[ch]
        and zconf.c
        New parameter NSEC3 added. Now it's possible to configure
        an NSEC3_OPTOUT zone.

* bug   Token parsing function gettok() fixed to recognize tokens
        with dashes ("zone-statistics" was seen as "zone").
        Thanks to Andreas Baess for finding this bug.

* bug   Fixed bug in (re)salting dynamic zones.
        sig_zone() and gensalt() need a parameter change for this

* func  New option -a added to zkt-conf

* func  In zconf.c CONF_TIMEINT parameters are now able to recognize
        "unset" values (which are represented internally as 0)

* func  Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
        is less than 1.
        max_ttl checks in checkconfig() fixed.

* func  printconfigdiff() added to zconf.c and used by zkt-conf.
        Now local configs are printed as diff to site wide config.

* misc  man page zkt-signer.8 changed to new command syntax

* func  Per domain logging added. Use parameter LogDomainDir to
        enable it. For more details see file README.logging.

* func  distribute.sh supports new action type "distkeys" but is
        currently not used

* misc  LOG_FNAMETMPL changed and moved from config_zkt.h to log.h

* misc  Default soa serial format changed from "Incremental"
        to "Unixtime"

* func  dnssec-signer command renamed to zkt-signer. Man page updated.

* func  New command zkt-conf added as replacement for dnssec-zkt -Z

* misc  timeint2str() is now global (zconf.c)

* func  zfparse.c - a rudimentary zone file parser
        scans minimum and maximum ttl values; adds $INCLUDE dnskey.db

zkt 0.99d -- Not released

* func  Option SIG_DnsKeyKSK for DNSKEY signing with KSK only
        added (only useful with BIND9.7)

* misc  For BIND 9.7 compatibility:
        Run dnssec-signzone in compatibility mode ("-C") if
        SigGenerateDS is true.
        Run dnssec-keygen in compatibility mode ("-C -q")
        Add option -u to dnssec-signzone if NSEC3 chaining is requested

zkt 0.99c -- 1. Aug 2009

* misc  dnssec-signer command line option vars changed to storage
        class static.

* port  setenv() replaced by putenv() in misc.c

* misc  Install binaries in prefix/bin instead of $HOME/bin.
        Fixing some spelling errors in dnssec-signzone.8 and
        dnssec-zkt.8.
        Thanks to Mans Nilsson.

* port  timegm() check added to configure.ac

* misc  configure.ac, Makefile.in, and doc are now part of the distribution

* bug   off by one error fixed in splitpath()

* misc  is_dotfile() renamed to is_dotfilename() (misc.c)

* misc  inc_soaserial() sourced out to soaserial.c

* misc  reload() functions sourced out to nscomm.c

* bug   Introducing parameter "KeyAlgorithm" for both ZSK and
        KSK keys instead of separate KSK and ZSK algorithms.
        New functions dki_algo() and dki_findalgo().

* bug   Redirect stderr message (additionally to stdout) of
        dnssec-signzone command to pipe.
        Pick up last line of output for logging.

* misc  "Sig_GenerateDS" is no longer a hidden parameter.

* misc  "make clean" now removes the binary files
        New target "distclean" added to Makefile

* bug   Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
        Soderblum and Peter Norin for the patch)
        Changed all TIMEINT parameter values to long.

* bug   If someone changes the zone.db file in dynamic mode, this will be treated
        the same way as an initial setup, so the zone.db file will be used as new
        input file (Thanks to Shane Wegner for this patch)

* bug   Option nsec3_param added to dnssec-signzone command for dynamic zones.

* func  New option "NamedChrootDir" added to dnssec.conf to specify the
        directory of a chrooted named. Without such an option
        "dnssec-signer -N named.conf" couldn't find the zone file directory.

* misc  Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
        suppress the warning message about ZSK keysize of 512 bits.

zkt 0.98 -- 28. Dec 2008

* misc  Target "install-man" added to Makefile
        man files moved to sub directory "man"

* func  If a BIND version greater than or equal to 9.6.0 is used, option -d
        doesn't initiate a resigning of a zone. It's just for key rollover.

* func  New pseudo algorithms for NSEC3 DNSKEYS added.
        Support of NSEC3 hashing if a BIND version greater than or equal to
        9.6.0 is used. New parameter "SaltBits" added to the config file to
        set the salt length in bits (default is 24 which means 6 hex nibbles).
        The number of hash iterations is set to the default value of
        dnssec-signzone which depends on key size.

* misc  Renaming of all example zone directories so that the directory
        name does not end with a dot (Necessary for installing the
        source tree in an MS-Windows environment).
        str_tolowerdup() renamed to domain_canonicdup() and code added
        to append a dot to the domain name if it's not already there.

* misc  Add 'sec' (second) qualifier to debug output in kskrollover().

* bug   Remove a trailing '/' at the -D argument.

* misc  Configure script now uses the BIND_UTIL_PATH out of config_zkt.h
        if the BIND dnssec-signzone command is not found

* bug   A zone with only a standby key signing key (which means w/o an
        active ksk) aborts the dnssec-signer command.
        Fixed by Shane Kerr.

* func  Changed inc_serial() so that the SOA record parser accepts a label
        other than '@' and an optional ttl value before the class and SOA
        RR identifier (Both are case insensitive). Thanks to Shane Kerr
        for the suggestion.

* bug   Change of global configured key lifetime during a zone signing
        key rollover results in unnecessary additional pre-published
        zone signing keys (Thanks to Frank Behrens for the patch)

* misc  Sig_Random config file parameter defaults now to false

* bug   The man page refers to the wrong licence (GPL instead of BSD)

zkt 0.97 -- 5. Aug 2008

* bug   LG_* logging level wasn't mapped to syslog level in lg_mesg().
        gettock() in ncparse.c did not recognize C single line comments "//"
        (Thanks to Frank Behrens for finding this out)

* misc  dist_and_reload () now calls the "Distribute_Cmd" twice:
        First with argument "distribute" for signed zone file distribution,
        second with argument "reload" to initiate a reload.
        Again see example/flat/dist.sh for an example script.

* bug   full KSK rollover will (mostly) also work for dynamic zones
        This is a hack and requires further investigation. Currently
        it will not work if someone is using non standard zone file
        names.

* misc  default ZSK lifetime set to 3 months

* misc  get_mtime() renamed to file_mtime()

* func  is_exec_ok() added and called in dist_and_reload ()

* func  New parameter "Distribute_Cmd" added for specifying a user
        defined distribution (and reload) command (See example/flat/dist.sh).

* misc  Changed wording to be a bit more consistent with
        draft-gudmundsson-life-of-dnskey-00.txt
        - State of published key will be printed as "pub" instead of "pre"
          by dnssec-zkt.
        - Option --pre-publish of dnssec-zkt changed to --published.
        - Changed wording in all comments and log messages from "pre-publish"
          to "published".

* func  Highly experimental code to do a full automatic ksk rollover
        in hierarchical mode.
        ksk_rollover() added in rollover.c; parameter change for ksk_status()

* misc  Changed name of "dnssec-soaserial" to "zkt-soaserial"

* bug   Fixed verbose logging error if -N or -D option was used

* func  Some LG_INFO messages added about key status change

* func  Removal of function to register a new ksk (zktr.[ch])

* misc  Changed licence from GNU GPLv2 to BSD licence

* bug   Fixed bug in logging of ZSK rollover

* misc  Changed tar file to zipped one and archive the files with
        toplevel directory

* bug   Fixed use of uninitialized vars in zconf.c (line)

* port  Preparation for use of autoconf
        - config.h renamed to config_zkt.h and change of include directives
        - conditional include of config.h
        - ./configure script is able to determine BIND utility path
          (BIND_UTIL_PATH) and version (BIND_VERSION)
        - compile time options are settable via configure script (--enable-xxx)
        - For now, the configure script is not able to set the install dir.

* bug   ksk rollover phase2 did not trigger resigning of parent
        (the parent file was copied to the parent directory only
        after child zone resigning)

* bug   fixed bad notice message in zskstatus ()

* func  dnssec-zkt -Z prints out syslog facility & level with
        upper case letters and without quotation marks

* func  Syslog facility DAEMON added

zkt 0.96 -- 19. June 2008

* func  Config file option "SIG_Parameter" added.

* func  Function verbmesg() added and used for verbose logging
        to stdout and/or to syslog resp. file.
        Config file parameter VerboseLog added to config file.

* bug   Option -O wasn't recognized by dnssec-signer

* func  Better support of initial setup of dynamic signed
        zones (just create an empty "zone.db.dsigned" file
        and run dnssec-signer with option -d).

* func  Improved error logging; incr_soa() errors are written
        as clear text message instead of error number

* func  elog_mesg() function replaced by a more general
        logging mechanism.
        ErrorLog config parameter replaced by LogFile,
        LogLevel and SyslogFacility, SyslogLevel parameter

* func  New function filesize() added

* func  dki_prt_trustedkey prints out old key id if key
        is revoked

* func  dki_new() writes gentime (GMT) and proposed key
        lifetime (days) as comment into the *.key file

* bug   Doing some housekeeping

zkt 0.95 -- 19. April 2008

* misc  This is not a public released version of zkt.

* func  All config file options are now settable via
        commandline option -O (--option or --config-option)

* misc  Function fatal() now has an exit code of 127.
        This is necessary because values from 1 to 64
        reflect the number of errors that occurred.

* func  Errorlog functionality added
        All dnssec-signer errors will be logged in the file
        specified by the Errorlog config file parameter or
        specified by the command line option -L (--errorlog).
        If a directory is given, then the logging will occur
        in a file within this directory which is named
        like "zkt-<current-date>.log".
        The dnssec-signer command has an exit code of 0 if
        no error occurred, an exit code of 127 on fatal errors,
        an exit code from 1 to 63 reflecting the number of errors
        that occurred, or an exit code of 64 if more than 63 errors
        occurred.

* func  dnssec-signer: Introducing long options

* bug   New script added to example/views directory to
        read in the right config file

* func  New option -f (--lifetime) and -F (--setlifetime)
        added to dnssec-zkt.

* func  New option -e (--expire) added to dnssec-zkt.
        (Seems to be that the dnssec-zkt command is a little
        bit overloaded with options.)

* func  dki.c and zkt.c support storage of key lifetime,
        generation time and expiration time as a comment in the
        .key file. With this, it's possible to change the default
        lifetime without any impact on already used keys.

zkt 0.94 -- 6. Dec 2007

* bug   Case mismatch of zone name and key file name prevented
        dki_read() from reading the key.
        Thanks to Alan Clegg for finding this out.
        Added some additional error processing and convert
        zone name to lower case.

* misc  Builtin default for KSK_randfile changed
        from NULL to "/dev/urandom".

* bug   dnssec-signer has to use private keys for signing
        even if the revoke bit is set.
        To achieve this the file pattern K*.private is added
        to the dnssec-signzone run.

* bug   Uninitialized variable "len" in sign_zone().

* func  Default config file is settable via environment
        variable ZKT_CONFFILE

* func  Support of views added
        Link dnssec-zkt to dnssec-zkt-<view> and
        dnssec-signer to dnssec-signer-<view>.
        Option -V and --view added to dnssec-zkt.
        Option -V added to dnssec-signer.
        View support added to parse_namedconf().

zkt 0.93 -- 1. Nov 2007

* func  The ksk registration mechanism is disabled by
        default (see REG_URL in config.h).

* func  Basic support for revoke flag added (RFC5011).
        Semantic of option -R of dnssec-zkt changed.

* func  Undocumented option -S changed to lower case.
        Pre-published KSK will be shown as "standby" key.
        New Option -S (standby) for pre-publish KSK.

* func  New command dnssec-soaserial added.

* bug   dnssec-signer does not print the incremented serial
        number anymore.
        time2str() fixed bug in time format (HAS_STRFTIME=0).

* port  New build dependencies "solaris", "macos" and "help"
        added to Makefile.

zkt 0.92 -- 1. Oct 2007

* func  Parameter "Serialformat" in dnssec.conf added.
        Now it is possible to use the unixtime format for
        the SOA serial number. If you use BIND 9.4 or
        greater in conjunction with this, then there is no
        need for the special SOA serial formatting in
        the zonefile. (Thanks to Jakob Schlyter for the
        -N option of dnssec-signzone and the suggestion to
        add the unixtime support to zkt)

* func  Option --ksk-roll-stat added.

* port  Added macro HAS_GETOPT_LONG to support OS with
        lack of getopt_long() (e.g. solaris).
        Options -[01239] added.

* misc  Unused macro HAS_ULONG removed from config.h.
        Declaration of unsigned types moved from dki.h to
        config.h (so it will be available in _all_ source
        files). Thanks to Mans Nilsson.
        Unused macro isblank() (ncparse.c) removed.

* bug   In dosigning(): freeze the dynamic zone _before_ copying
        the zone file.

zkt 0.91 -- 1. Apr 2007

* doc   --ksk-rollover option added to usage().

* func  some experimental code for dynamic zones added.
        new functions added: copyzonefile(), dyn_update_freeze().
        New option "-d" added.

zkt 0.90 -- 6. Dec 2006

* func  CHECK_RESIGN interval added to config.h.
        This is the dnssec-signer calling interval (at least 1 day or 86400 sec).

* func  new function dki_destroy() added; semantic of dk_remove()
        changed to rename the key files instead of physical deletion.

* doc   Setup of new example directory (flat and hierarchical).

* doc   dnssec-zkt man page updated.
        Added some comments in misc.c

* misc  function strtaint() renamed to str_untaint(),
        dki_keycmp() renamed to dki_tagcmp().

* func  New parameter key_ttl added to dnssec.conf.
        New func dki_prt_dnskeyttl () added.
        Now dnskey.db is written with key_ttl value.

* func  dnssec-signer: In hierarchical mode sign_zone() copies the
        parent-file (if such a file exists) instead of the
        keyset-file to the parent directory.

* func  dnssec-zkt: Option --ksk-roll-phase[123] and function
        ksk_rollover() added.

* misc  zconf: default values for sigvalidity, resign_int etc. changed,
        new dnssec.conf example file created.

* func  dnssec-zkt: Long option support added.

zkt 0.83 -- 11. Sep 2006

* bug   dosigning(): Fixed bug in the bug fixing of printing undefined
        serial number if incr_serial() failed. (Thanks to Randy McCasskill).

zkt 0.82 -- 8. Sep 2006

* bug   Use option -e for dnssec-keygen calls in dki_new(), because
        an RSA exponent of 3 is vulnerable.

* bug   dosigning(): Fixed bug in printing undefined serial
        number if incr_serial() failed.

zkt 0.81 -- 13. July 2006

* bug   The function ceatekey() won't work with USE_TREE.
        Size of MAX_DNAME increased.

zkt 0.8 -- 09. July 2006

* func  Now a hierarchical directory structure with subdomains stored in
        subfolders of the parent domain is allowed. Added copyfile(),
        cmpfile() and new_keysetfiles() for that.

* func  Config parameter added to choose if the domain name is
        listed right or left justified by dnssec-zkt (printkeyinfo).

* func  New class of key added ("sep"). A SEP key is a (public) key file
        without the private counterpart. So we could use the key solely
        as a secure entry point. (dki.h, dki_read).

zkt 0.70 -- 15. Sep 2005

* func  Experimental code added to use a binary search tree instead of a
        single linked list. This is mainly for performance improvement for large
        sites. If you don't want to use it, set USE_TREE in config.h to zero.
        In the first step only dnssec-zkt uses the new data structure.
        The tree is built over the domain names and each node is the starting point
        of a linked list of keys.
        As a result, it's not possible anymore to search on key tags only. You have
        to specify the domain name plus the tag. :-(

* func  Function parseurl added.

* func  Experimental code to register a new ksk. Currently it's more like
        a key announcement because of the lack of identification and
        authentication.

zkt 0.65 -- 22. Aug 2005

* misc  Rewrite of the domaincmp() function. Now it's round about 2 times faster.
        After some additional changes and the compiler option -O3 the dnssec-zkt
        on the ~ 12000 zones requires only a minute
                $ time dnssec-zkt -z -r sec > /dev/null
                real    0m58.287s
                user    0m54.610s
                sys     0m3.680s

* func  A keyset directory is introduced (experimental)
        The parameter -d is added to the call of the dnssec-signzone command
        if the config option KeySetDir is set.
        As a result, all dsset-, keyset- and dlvset- files are stored in one directory.
        The advantage is that the chain of trust of all local subzones is built
        automatically (This is the reason why we sort the zones with the child zones
        first).
        The disadvantage is that we store many files in a single directory (3 files
        per zone).

zkt 0.64 -- 1. Aug 2005

* bug   The code for option -Z of dnssec-zkt should be executed before we read the
        complete directory tree. This is useful if we have a very deep directory
        structure and the recursive flag is switched on.

* func  SIG_Pseudorand parameter added.

* func  ([KZ]SK)|(SIG)_randfile parameter added.

* func  measure the time used for signing of each zone.

* bug   function logflush() added to misc.c and called by dosigning().

* misc  some performance tests made:
        - Directory structure "sec/<firstletter>/domain" with round about 12200 domains
        - One of the domains is a big one (~ 820000 RRs), the others are mostly very small ones
        - We use a dsa with 704 bits as ksk and a rsamd5 with 512 bits as zsk on each domain.
        - All tests made on Sun Fire V440 with 4 CPU and 4x2GB main memory

                # sequential signing of all zones
                $ time dnssec-signer -v -v -f -D sec
                real    434m (~ 7h 14min)
                user    188
                sys     175

                # with option -p and -r /dev/urandom
                $ time dnssec-signer -v -v -f -D sec > log
                real    96m28.306s
                user    290m41.980s
                sys     6m13.790s

                # one process for each firstletter subdirectory
                $ time par_signer.sh
                real    394m12.334s
                user    295m58.390s
                sys     786m42.479s

                # with option -p and -r /dev/urandom
                $ time par_signer.sh
                real    78m49.323s
                user    284m58.350s
                sys     5m39.340s


                $ time dnssec-zkt -z -r sec > /dev/null
                real    2m5.722s
                user    2m0.060s
                sys     0m4.510s


                # signing the big (820000 RR) domain only
                $ time dnssec-signer -v -v -f -D sec/b/big-domain
                real    196m23.165 (~ 3h 16min)
                user    176m57.610
                sys     167m27.570

                # with option -p and -r /dev/urandom
                $ time dnssec-signer -v -v -f -D sec/b/big-domain
                real    49m53.152
                user    173m59.520
                sys     1m40.150

zkt 0.63 -- 14. June 2005

* bug   allow TTL value in keyfiles (see TTL_IN_KEYFILES_ALLOWED
        in dki_readfile()).

* misc  function strchop() added to misc.c.

zkt 0.62 -- 13. May 2005

* func  dnssec-signer: Option -o added.
        Now it works a bit more like dnssec-signzone.

* func  strlist.c: prepstrlist and unprepstrlist functions get a
        second parameter for the delimiter.

* bug   fixed some typos and inaccurate usage of symbolic constants.
        Doing some housekeeping.

zkt 0.61 -- 3. May 2005

* bug   local config file will not be mentioned if -N switch is used.

zkt 0.6 -- 1. May 2005

* doc   dnssec-signer: man page added.

* func  dnssec-signer: Print out a warning message if ksk lifetime is exceeded.

* func  dnssec-signer: Remaining arguments will be interpreted as zone names
        (in_strarr () added).

* func  dnssec-signer: Option -D added.


zkt 0.51 -- 8. April 2005

* func  dnssec-signer: Option -N added.

* func  dnssec-signer: change of keystatus from pre-published to active
        resets timestamp of key, thus age of active key counts 0.

* bug   prepstrlist: resulting string was not terminated with '\0'.

* bug   dnssec-signer: do signing if there are additional keys, or the
        status of any key is changed (function check_keytimestamp).

* func  dnssec-zkt: -l <list> option added.

* func  dnssec-zkt: -p flag defaults to on in key creation mode (-C).