As of today version 2.1.3 of OpenDNSSEC has been released. No special
migration steps are required when upgrading from a previous 2.x.x
release. It includes fixes to the build system, some regressions w.r.t.
OpenDNSSEC 1.4 and a signing bug. Please note that version 2.1.2 was
skipped for release.
Build fixes:
* OPENDNSSEC-904: autoconfigure fails to properly identify functions in
ssl library on some distributions. This caused the "tsig unknown
algorithm hmac-sha256" error.
* OPENDNSSEC-894: repair configuration script to allow excluding the
build of the enforcer.
Regressions:
* OPENDNSSEC-508: Tag <RolloverNotification> was not functioning
correctly
* OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in
conf.xml
* OPENDNSSEC-906: Tag <AllowExtraction> tag included from late 1.4
development
Bugs Fixed:
* OPENDNSSEC-886: Improper time calculation on 32 bits machine causes
purge of keys not being scheduled. The purge would happen but some
time later than expected.
* OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus
signatures.
* OPENDNSSEC-908: Warn when TTL of resource record exceeds KASP's
MaxZoneTTL. Formerly the signer would cap such TTLs to prevent
situations where those records could get bogus during ZSK rollover.
However it has been realized that this can potentially lead to failing
IXFRs. We intend to bring back this feature in the near future when
our internal data representation allows this.
PR: 221515
Submitted by: jaap@NLnetLabs.nl (maintainer)
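
Added example (not part of the commit message above and not OpenDNSSEC code): a pre-signing check for the two TTL conditions named in OPENDNSSEC-890 and OPENDNSSEC-908, reporting RRsets whose records carry different TTLs and RRsets whose TTL exceeds a MaxZoneTTL value. The zone lines, the 86400-second limit and the function names are constructed for illustration, and the parser assumes fully expanded one-record-per-line input without inline comments.

```python
from collections import defaultdict

# Constructed sample records (owner TTL class type rdata); not from a real zone.
SAMPLE_ZONE = """\
example.com. 3600 IN NS ns1.example.com.
example.com. 7200 IN NS ns2.example.com.
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN A 192.0.2.11
big.example.com. 172800 IN TXT "long lived"
"""

def parse_records(text):
    """Parse expanded presentation-format lines into (owner, class, type, ttl)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or whole-line comment
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'owner TTL class type rdata'")
        owner, ttl, rrclass, rrtype, _rdata = fields
        # Owner names are case-insensitive, so normalise before grouping.
        records.append((owner.lower(), rrclass.upper(), rrtype.upper(), int(ttl)))
    return records

def check_ttls(records, max_zone_ttl):
    """Return (mismatched, too_long) keyed by RRset (owner, class, type)."""
    ttls = defaultdict(set)
    for owner, rrclass, rrtype, ttl in records:
        ttls[(owner, rrclass, rrtype)].add(ttl)
    # RFC 2181 section 5.2: all records in one RRset must share a TTL.
    mismatched = {k: sorted(v) for k, v in ttls.items() if len(v) > 1}
    # RRsets whose TTL is above the policy limit (the OPENDNSSEC-908 warning case).
    too_long = {k: max(v) for k, v in ttls.items() if max(v) > max_zone_ttl}
    return mismatched, too_long

if __name__ == "__main__":
    MAX_ZONE_TTL = 86400  # constructed policy value for this example
    mismatched, too_long = check_ttls(parse_records(SAMPLE_ZONE), MAX_ZONE_TTL)
    for (owner, _, rrtype), values in mismatched.items():
        print(f"MISMATCH {owner} {rrtype}: TTLs {values}")
    for (owner, _, rrtype), ttl in too_long.items():
        print(f"WARN {owner} {rrtype}: TTL {ttl} exceeds MaxZoneTTL {MAX_ZONE_TTL}")
```
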
- OPENDNSSEC-889: MySQL migration script didn't work for all database
and MySQL versions.
- OPENDNSSEC-887: Segfault on extraneous tag.
- OPENDNSSEC-880: Command line parsing for import key command failed.
- OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs
for same rrset are mismatching.
PR: 218995
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
- Switch to options helpers
This release is primarily focused on ironing out the issues on the migration path from 1.4 to 2.0. Besides that there are no functional changes.
* Fixed crash and linking issue in ods-migrate.
* Fixed case where 2.0.0 could not read backup files from 1.4.10.
* Fixed bug in migration script where key state in the database wasn't transformed properly.
PR: 211403
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
so it was rechristened opendnssec Version 2.
To quote the announcement at <https://www.opendnssec.org>:
"OpenDNSSEC got an entire re-write of the enforcer. This part of
OpenDNSSEC controls changing signing keys in the right way to perform
a roll-over. Before, the enforcer would perform a roll-over according
to a strict paradigm. One scenario in which deviations would not be
possible.
The new enforcer is more aware of the zone changes being propagated in
the Internet. It can therefore decide when it is safe to make changes,
rather than to rely upon a given scenario.
PR: 211018
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
Sponsored by: DK Hostmaster A/S