dns/opendnssec: 1.4.9 -> 1.4.10

This release fix targets stability issues which have had a history and
have been hard to reproduce.  Issues that have been reported over the
past half year have been fixed that may have even come up earlier as
rare occasions.
Stability should be improved, running OpenDNSSEC as a long term service.

Changes in TTL in the input zone that seem not to be propagated,
notifies to slaves under heavy zone activity load that were not handled
properly and could lead to assertions.
NSEC3PARAM that would appear duplicate in the resulting zone, and
crashes in the signer daemon in seldom race conditions or re-opening due
to a HSM reset.

No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

Also have a look at our OpenDNSSEC 2.0 beta release, its impending
release will help us forward with new development and signal phasing out
historic releases.

Fixes:
- SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
  zone.  After a resalt the signer would fail to remove the old
  NSEC3PARAM RR until a manual resign or incoming transfer.
  Old NSEC3PARAMS are removed when inserting a new record, even if
  they look the same.
- OPENDNSSEC-725: Signer did not properly handle new update while still
  distributing notifies to slaves.
  An AXFR disconnect looked not to be handled gracefully.
- SUPPORT-171: Signer would sometimes hit an assertion using DNS output
  adapter when .ixfr was missing or corrupt but .backup file available.
- Above two issues also in part address problems with seemingly
  corrected backup files (SOA serial).  Also a crash on badly
  configured DNS output adapters is averted.
- The signer daemon will now refuse to start when failed to open a
  listen socket for DNS handling.
- OPENDNSSEC-478,750,581 and 582 and SUPPORT-88:
  Segmentation fault in signer daemon when opening and closing HSM
  multiple times. Also addresses other concurrency access by avoiding
  a common context to the HSM (a.k.a. NULL context).
- OPENDNSSEC-798: Improper use of key handles across hsm reopen,
  causing keys not to be available after a re-open.
- SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is
  changed.  TTL changes should be treated like any other changes to
  records.
- When OpenDNSSEC now overrides a TTL value, this is now reported in
  the log files.

PR:		209261
Submitted by:	jaap@NLnetLabs.nl (maintainer)
Kurt Jaeger 2016-05-05 17:09:42 +00:00
parent dbfd2dcda5
commit 1f076abb3b
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=414652
2 changed files with 3 additions and 3 deletions

@ -2,7 +2,7 @@
# $FreeBSD$ # $FreeBSD$
PORTNAME= opendnssec PORTNAME= opendnssec
PORTVERSION= 1.4.9 PORTVERSION= 1.4.10
CATEGORIES= dns CATEGORIES= dns
MASTER_SITES= http://dist.opendnssec.org/source/ MASTER_SITES= http://dist.opendnssec.org/source/
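Review bot: MASTER_SITES, in the unchanged context of this hunk, still points at plain http://dist.opendnssec.org/source/, so the 1.4.10 tarball is fetched over an unauthenticated channel and the distinfo SHA256 is the only integrity control on what gets built. If upstream serves the same path over https, switch the URL in this version bump; otherwise state in the commit message how the new checksum was verified out of band. For a DNSSEC signer that holds HSM key handles, that provenance is worth recording.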

@ -1,2 +1,2 @@
SHA256 (opendnssec-1.4.9.tar.gz) = 50a157d26d8b9ae370cd7fa52c7c6f43f4c77aeeb5d0fccd6a2e92c7dfc1d88e SHA256 (opendnssec-1.4.10.tar.gz) = 55b44c1da3a665eef0af1d1b3f4d1c57d20f50f77858b1dd3d03ca6ebc1df7cb
SIZE (opendnssec-1.4.9.tar.gz) = 1043700 SIZE (opendnssec-1.4.10.tar.gz) = 1036069