- OPENDNSSEC-888: Fix up MySQL<->SQLite3 database conversion script.
- OPENDNSSEC-752: Incorrectly calculated number of KSKs needed when
KSK and ZSK have exactly the same parameters. This would prevent
KSK rollovers.
- OPENDNSSEC-890: Bogus signatures on mismatching TTLs within the same RRset.
PR: 218994
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
This release fixes stability issues which have had a history and
have been hard to reproduce. Issues that have been reported over the
past half year have been fixed that may have come up even earlier on
rare occasions.
Stability should be improved when running OpenDNSSEC as a long-term service.
Changes in TTL in the input zone that seemed not to be propagated,
notifies to slaves under heavy zone activity load that were not handled
properly and could lead to assertions,
NSEC3PARAM that would appear duplicated in the resulting zone, and
crashes in the signer daemon in seldom-hit race conditions or on re-opening due
to an HSM reset.
No migration steps needed when upgrading from OpenDNSSEC 1.4.9.
Also have a look at our OpenDNSSEC 2.0 beta release, its impending
release will help us forward with new development and signal phasing out
historic releases.
Fixes:
- SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
zone. After a resalt the signer would fail to remove the old
NSEC3PARAM RR until a manual resign or incoming transfer.
Old NSEC3PARAMS are removed when inserting a new record, even if
they look the same.
- OPENDNSSEC-725: Signer did not properly handle new update while still
distributing notifies to slaves.
An AXFR disconnect did not appear to be handled gracefully.
- SUPPORT-171: Signer would sometimes hit an assertion using DNS output
adapter when .ixfr was missing or corrupt but .backup file available.
- The above two issues also in part address problems with seemingly
corrupted backup files (SOA serial). Also a crash on badly
configured DNS output adapters is averted.
- The signer daemon will now refuse to start when it fails to open a
listen socket for DNS handling.
- OPENDNSSEC-478,750,581 and 582 and SUPPORT-88:
Segmentation fault in signer daemon when opening and closing HSM
multiple times. Also addresses other concurrency access by avoiding
a common context to the HSM (a.k.a. NULL context).
- OPENDNSSEC-798: Improper use of key handles across hsm reopen,
causing keys not to be available after a re-open.
- SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is
changed. TTL changes should be treated like any other changes to
records.
- When OpenDNSSEC now overrides a TTL value, this is now reported in
the log files.
PR: 209261
Submitted by: jaap@NLnetLabs.nl (maintainer)
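SUPPORT-186 above (and OPENDNSSEC-890 in the later release) both come down to how records are compared: if a zone diff keys records on owner, class, type and RDATA only, a record whose TTL is the only thing that changed looks identical, no IXFR delta is produced for it, and secondaries keep the old TTL. The following is an added example in Python, not OpenDNSSEC's signer code; the zone text is constructed for the example and the one-line-per-record parser is a deliberate simplification (no $TTL/$ORIGIN, no multi-line records). It shows the same diff with TTL ignored (the bug) and with TTL included, and builds the single RFC 1995 change block an IXFR would carry.

```python
from collections import namedtuple

RR = namedtuple("RR", "owner ttl rclass rtype rdata")


def parse_zone(text):
    """Parse simple one-line-per-record zone text (constructed input, see lead-in).

    Fields are owner, TTL, class, type, RDATA; RDATA is kept verbatim.
    """
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        rrs.append(RR(owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return rrs


def soa_serial(rrs):
    """SOA serial is the third RDATA field (MNAME RNAME SERIAL ...)."""
    soa = next(rr for rr in rrs if rr.rtype == "SOA")
    return int(soa.rdata.split()[2])


def zone_diff(old, new, compare_ttl=True):
    """Return (deleted, added) record lists, in zone order.

    With compare_ttl=False records are matched on owner/class/type/RDATA
    only, so a TTL-only change is reported as no change: the behaviour
    SUPPORT-186 describes. With compare_ttl=True a TTL change becomes a
    deletion of the old RR plus an addition of the new one.
    """
    def key(rr):
        return rr if compare_ttl else rr._replace(ttl=None)

    old_keys = {key(rr) for rr in old}
    new_keys = {key(rr) for rr in new}
    deleted = [rr for rr in old if key(rr) not in new_keys]
    added = [rr for rr in new if key(rr) not in old_keys]
    return deleted, added


def ixfr_delta(old, new, compare_ttl=True):
    """One RFC 1995 change block: old SOA, deletions, new SOA, additions.

    Returns None when nothing changed, i.e. no IXFR would be sent.
    """
    deleted, added = zone_diff(old, new, compare_ttl)
    old_soa = next(rr for rr in old if rr.rtype == "SOA")
    new_soa = next(rr for rr in new if rr.rtype == "SOA")
    deleted = [rr for rr in deleted if rr.rtype != "SOA"]
    added = [rr for rr in added if rr.rtype != "SOA"]
    if not deleted and not added and old_soa == new_soa:
        return None
    return [old_soa, *deleted, new_soa, *added]


# Constructed sample: besides the SOA serial, the only change is the TTL of www.
OLD_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017051001 7200 900 1209600 300
example.test. 3600 IN NS ns1.example.test.
www.example.test. 3600 IN A 192.0.2.10
"""
NEW_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017051002 7200 900 1209600 300
example.test. 3600 IN NS ns1.example.test.
www.example.test. 300 IN A 192.0.2.10
"""

if __name__ == "__main__":
    old, new = parse_zone(OLD_ZONE), parse_zone(NEW_ZONE)
    print("TTL ignored:", ixfr_delta(old, new, compare_ttl=False))
    print("TTL compared:", ixfr_delta(old, new))
```

With TTL ignored the delta contains only the two SOA records, so the secondary bumps its serial and keeps serving www with a 3600 second TTL; with TTL compared, the delta carries the old and new www record and the change propagates.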
Also, USE_MYSQL can't happen after bsd.port.pre.mk because it is a USES.
PR: 208971
Submitted by: mat
Exp-run by: antoine
With hat: portmgr
Sponsored by: Absolight
Differential Revision: https://reviews.freebsd.org/D5951
The main motivations for this release are bug fixes related to use
cases with large number of zones (more than 50 zones) in combination
with an XFR based setup. Too many concurrent zone transfers cause new
transfers to be held back. These excess transfers, however, were not
properly scheduled for later.
No migration steps needed when upgrading from OpenDNSSEC 1.4.8.
Bugfixes:
* Add TCP waiting queue. Fix signer getting 'stuck' when adding many
zones at once. Thanks to Haavard Eidnes for bringing this to our attention.
* OPENDNSSEC-723: received SOA serial reported as on disk.
* Fix potential locking issue on SOA serial.
* Crash on shutdown. At all times join xfr and dns handler threads.
* Make handling of notifies more consistent. Previous implementation would
bounce between code paths.
Known Issues:
When using SoftHSM2 compiled with OpenSSL and libmysql with OpenSSL
as database backend for OpenDNSSEC, "ods-ksmutil key list --verbose"
crashes on exit. This is ultimately a bug in OpenSSL and not new for
this particular release. Make sure you don't use this specific
combination.
From <https://www.opendnssec.org>
PR: 206491
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
NEWS:
* Support for RFC5011 style KSK rollovers. KSK section in the KASP now
accepts <RFC5011/> element.
* Enforcer: New repository option <AllowExtraction/> allows to generate
keys with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
and extracted from HSM.
Bugfixes:
* SUPPORT-145: EOF handling on ARM architecture caused signer to hang.
* Fixed signer hitting assertion on short reply XFR handler.
* Include revoke bit in keytag calculation.
* Increased stacksize on some systems (thanks Patrik Lundin!).
* Stop ods-signerd on SIGINT.
Fixes port problem (reported by *geoffroy desvernay*)
* Now also installs the previously missing migration script convert_database.pl
PR: 203574
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
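The bugfix "Include revoke bit in keytag calculation" follows from RFC 5011 section 2.1: a revoked key is published with bit 8 (0x0080) of the DNSKEY flags field set, and because the RFC 4034 Appendix B key tag is computed over the whole DNSKEY RDATA, flags included, the revoked key carries a different tag from the one it had before revocation. Software that computes the tag from the unrevoked flags then fails to match the revoked DNSKEY. The following is an added example in Python, not OpenDNSSEC or libhsm code; the DNSKEY value is constructed (four bytes of "public key") and is not a real key.

```python
import base64
import struct

# Flag bits of the DNSKEY flags field in RFC 4034 / RFC 5011 numbering
# (bit 0 is the most significant bit of the 16-bit field).
FLAG_ZONE = 0x0100    # bit 7, RFC 4034 section 2.1.1
FLAG_REVOKE = 0x0080  # bit 8, RFC 5011 section 2.1
FLAG_SEP = 0x0001     # bit 15, RFC 4034 section 2.1.1


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA.

    Algorithm 1 (RSA/MD5) uses the different rule of Appendix B.2 and is
    rejected here rather than silently mis-tagged.
    """
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are not computed by this function")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation):
    """Parse the RDATA part of a DNSKEY record, e.g. '257 3 8 AQIDBA=='."""
    flags, protocol, algorithm, *key_b64 = presentation.split()
    pubkey = base64.b64decode("".join(key_b64))
    return int(flags), int(protocol), int(algorithm), pubkey


def key_tag_of(presentation):
    return key_tag(dnskey_rdata(*parse_dnskey(presentation)))


def revoked_presentation(presentation):
    """Return the same DNSKEY with the REVOKE bit set, as RFC 5011 publishes it."""
    flags, protocol, algorithm, pubkey = parse_dnskey(presentation)
    b64 = base64.b64encode(pubkey).decode()
    return f"{flags | FLAG_REVOKE} {protocol} {algorithm} {b64}"


def is_revoked(presentation):
    return bool(parse_dnskey(presentation)[0] & FLAG_REVOKE)


# Constructed example KSK (flags 257 = ZONE|SEP), not a real DNSKEY.
KSK = "257 3 8 AQIDBA=="

if __name__ == "__main__":
    revoked = revoked_presentation(KSK)
    print(KSK, "-> key tag", key_tag_of(KSK))          # 2063
    print(revoked, "-> key tag", key_tag_of(revoked))  # 2191
```

The revoked key keeps the same public key material but its flags become 385 (0x0181), so the tag that RRSIGs and trust-anchor state must reference is the one computed from the revoked RDATA, not the one recorded when the key was first published.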
- Add --localstatedir=/var to _LATE_CONFIGURE_ARGS (like --mandir) but not
when CONFIGURE_ARGS already sets it. (GNU configure scripts set it to
PREFIX/var when PREFIX != /usr.)
- Add --localstatedir="${PREFIX}/var" to CONFIGURE_ARGS in some ports so
they aren't affected by this change (for now at least). This commit is
meant to ensure that new ports don't make the same mistake.
- games/acm: the configure script in this port is very old; instead of
patching it more, just replace GNU_CONFIGURE with HAS_CONFIGURE.
- irc/charybdis: it already used /var but adding --localstatedir=/var
changed the behaviour of the configure script; adjust the port to this.
PR: 199506
Exp-run by: antoine
Approved by: portmgr (antoine)
- Fix dependency on sqlite with non-default LOCALBASE [2]
- Update to 1.4.6
Updates:
Signer Engine: Print secondary server address when logging notify reply errors.
Build: Fixed various OpenBSD compatibility issues found by Patrik Lundin <patrik.lundin.swe () gmail.com>.
OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and signer, and <SocketFile> for the signer.
New tool: ods-getconf: to retrieve a configuration value from conf.xml given an expression.
Bugfixes:
OPENDNSSEC-469: ods-ksmutil: 'zone add' command: when zonelist.xml.backup can't be written the zone is still added to the database; solved by checking that zonelist.xml.backup is writable before adding zones, and adding an error message when adding a zone fails.
OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone the first time due to RFC 1982 serial arithmetic.
OPENDNSSEC-619: memory leak when signer failed; solved by adding ldns_rr_free(signature) in libhsm.c
OPENDNSSEC-627: Signer Engine: Unable to update serial after restart when the backup files have been removed.
OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed from debug to info.
OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
libhsm: Fixed a few other memory leaks.
simple-dnskey-mailer.sh: Fix syntax error. (by Patrik Lundin https://github.com/eest)
PR: 191272 [1], 192021 [2], 192023 [3]
Submitted by: Andrew Fyfe <andrew@neptune-one.net> [1],
jhujhiti@adjectivism.org [2],
Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer) [3]
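OPENDNSSEC-617 above concerns RFC 1982 serial number arithmetic, which is how a DNS input adapter decides whether an inbound SOA is newer than the one it holds: 32-bit serials compare modulo 2^32, so a serial that wrapped past 0xFFFFFFFF is still "newer", and two serials exactly 2^31 apart are not ordered at all. The following is an added example in Python, not OpenDNSSEC's adapter code; the rule that a first transfer with no stored zone is always accepted is an assumption made for the example, not a description of the fix.

```python
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)  # 2**31


def serial_gt(a, b):
    """RFC 1982 section 3.2: True iff serial a is newer than serial b.

    Two serials exactly 2**31 apart are not ordered; both serial_gt(a, b)
    and serial_gt(b, a) return False for them.
    """
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(serial, n):
    """RFC 1982 section 3.1 addition; n must be in 0 .. 2**31 - 1."""
    if not 0 <= n <= HALF - 1:
        raise ValueError("increment out of RFC 1982 range")
    return (serial + n) % MODULUS


def accept_transfer(serial_on_disk, serial_received):
    """Decide whether an inbound zone (AXFR/IXFR SOA) should replace the stored one.

    Assumption for this example: with no zone on disk yet (None) the first
    transfer is accepted unconditionally, even when its serial is 0;
    afterwards only a strictly newer serial is accepted.
    """
    if serial_on_disk is None:
        return True
    return serial_gt(serial_received, serial_on_disk)


if __name__ == "__main__":
    print(serial_gt(1, 0xFFFFFFFF))        # True: wrapped serial is newer
    print(accept_transfer(None, 0))        # True: first load, no comparison
    print(accept_transfer(HALF, 0))        # False: 2**31 apart, not ordered
```

The last case is the one worth a log line in a real adapter: rejecting a serial because the comparison is undefined is different from rejecting it because it is old, and an operator who jumped the serial by exactly 2^31 needs to know which happened.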
Added Staging support;
Modern options handling where possible.
Bugfixes:
OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key generation.
OPENDNSSEC-609: ods-ksmutil: 'key list' command fails with error in 1.4.4 on MySQL. Reported by Mark Elkins <mje@posix.co.za>
Includes the update to 1.4.4:
Updates:
SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-574].
OPENDNSSEC-358: ods-ksmutil: Extend 'key list' command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.
OPENDNSSEC-549: Signer Engine: Put NSEC3 records on empty non-terminals derived from unsigned delegations (be compatible with servers that are incompatible with RFC 5155 errata 3441).
Bugfixes:
SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512].
SUPPORT-97: Signer Engine: Fix: after restart, signer thinks zone has expired [OPENDNSSEC-526].
SUPPORT-101: Signer Engine: Fix multiple zone transfer to single file bug [OPENDNSSEC-529].
SUPPORT-102: Signer Engine: Fix statistics (count can be negative).
SUPPORT-108: Signer Engine: Don't replace tabs in RRs with whitespace [OPENDNSSEC-520].
SUPPORT-116: ods-ksmutil: 'key import' date validation fails on certain dates [OPENDNSSEC-553].
SUPPORT-128: ods-ksmutil. Man page had incorrect formatting [OPENDNSSEC-576].
SUPPORT-127: ods-signer: Fix manpage sections.
OPENDNSSEC-457: ods-ksmutil: Add a check on the 'zone add' input/output type parameter to allow only File or DNS.
OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
OPENDNSSEC-531: ods-ksmutil: Exported value of in 'policy export' output could be wrong on MySQL.
OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.
OPENDNSSEC-544: Signer Engine: Fix assertion error that happens on an IXFR request with EDNS.
OPENDNSSEC-546: enforcer & ods-ksmutil: Improve logging on key creation and allocation.
OPENDNSSEC-560: Signer Engine: Don't crash when unsigned zone has no SOA.
Signer Engine: Fix a race condition when stopping daemon.
PR: 188482
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
Sponsored by: DK Hostmaster A/S
a zeising, kwm production, with help from dumbbell, bdrewery:
NEW XORG ON FREEBSD 9-STABLE AND 10-STABLE
This update switches over to use the new xorg stack by default on FreeBSD 9
and 10 stable, on osversions where vt(9) is available.
It is still possible to use the old stack by specifying WITHOUT_NEW_XORG in
/etc/make.conf.
FreeBSD 8-STABLE and released versions of FreeBSD still use
the old version.
A package repository with binary packages for new xorg will
be available soon.
This patch also contains updates of libxcb and related ports, pixman, as well
as some drivers and utilities.
Bump portrevisions for xf86-* ports, as well as virtualbox-ose-additions due
to xserver version change.
Apart from these updates, the way shared libraries are handled has been
changed for all xorg ports, as well as libxml2 and freetype, which means
ltverhack is gone and as a consequence shared libraries have been bumped.
The plan is that this change will make library bumps less likely in the
future.
All affected ports have had their portrevisions bumped as a consequence of
this.
Fix some issues where WITH_NEW_XORG wasn't detected properly on CURRENT.
Update instructions, hardware support, and more notes can be found on
https://wiki.freebsd.org/Graphics
Thanks to: all testers, bdrewery and the FreeBSD x11@ team
exp-run by: bdrewery [1]
PR: ports/187602 [1]
Approved by: portmgr (bdrewery), core (jhb)
- Add an entry to UPDATING about binary incompatibility in previous version of ldns
- Fix OptionsNG
- Bump PORTREVISION for all ports dependent on dns/ldns
- Remove ABI version numbers from LIB_DEPENDS while I'm here
PR: ports/173080 [1]
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer) [1]
Approved by: portmgr (erwin)
Feature safe: yes
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.