* Default TTL, used when neither $TTL nor an explicit RR TTL is given, becomes the
SOA Minimum value (was 3600).
* The signer engine will check if another engine is already running before
starting.
* Startup scripts for Solaris (SMF).
* Auditor gives an error if a key moves to "in use" without sufficient
"prepublished" time.
Bugfixes:
* Trailing spaces are no longer taken as part of the domain name, include file
name or TTL in directives.
* nsec3er: Print final RRset, even if no NSEC3 was needed at that RRset.
* Proper privilege dropping when creating the command socket.
* Signer sometimes didn't terminate if socket shutdown failed.
Known issues:
* The Signer Engine fails with broken pipes sometimes.
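The "in use without sufficient prepublished time" check in the entry above is the kind of invariant an auditor derives from successive signed zones. The code below is an added example written for this page, not the OpenDNSSEC auditor: ZoneSnapshot, key_timeline and audit_prepublish are invented helper names, the hourly snapshots, keytags and policy numbers are constructed, and the required interval is taken as DNSKEY TTL plus propagation delay (plus an optional safety margin), which is the pre-publish rollover reasoning of RFC 6781.

```python
# Added example for this page; it is not the OpenDNSSEC auditor. It reconstructs the
# check "key moved to 'in use' without sufficient prepublished time" from a series of
# signed-zone snapshots. Snapshot data, keytags and the policy numbers are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ZoneSnapshot:
    when: datetime            # time the signed zone was produced
    dnskey_tags: frozenset    # keytags present in the DNSKEY RRset
    signing_tags: frozenset   # keytags that produced RRSIGs in this zone


def required_prepublish(dnskey_ttl: int, propagation_delay: int, safety: int = 0) -> timedelta:
    """Minimum time a new DNSKEY must be published before it signs anything.

    A validator may hold the old DNSKEY RRset (without the new key) for up to its TTL,
    and secondaries need the propagation delay to pick up the new RRset, so signatures
    by the new key are only safe once both have elapsed (RFC 6781, pre-publish rollover).
    """
    return timedelta(seconds=dnskey_ttl + propagation_delay + safety)


def key_timeline(snapshots):
    """First time each keytag was seen published and first time it was seen signing."""
    published, active = {}, {}
    for snap in sorted(snapshots, key=lambda s: s.when):
        for tag in snap.dnskey_tags:
            published.setdefault(tag, snap.when)
        for tag in snap.signing_tags:
            active.setdefault(tag, snap.when)
    return published, active


def audit_prepublish(snapshots, required: timedelta):
    """Return one error string per key that started signing too early.

    Keys already present in the earliest snapshot have an unknown publication time
    (the audit history starts there), so they are taken as the baseline and skipped.
    """
    ordered = sorted(snapshots, key=lambda s: s.when)
    baseline = ordered[0].dnskey_tags
    published, active = key_timeline(ordered)
    errors = []
    for tag, first_use in sorted(active.items()):
        if tag in baseline:
            continue
        first_pub = published.get(tag)
        if first_pub is None:
            errors.append(f"key {tag}: produces RRSIGs but never appeared in the DNSKEY RRset")
        elif first_use - first_pub < required:
            errors.append(
                f"key {tag}: in use after {first_use - first_pub}, policy requires {required}"
            )
    return errors


# Constructed history: hourly signer runs during a ZSK rollover. Key 2002 is
# prepublished for three hours before use, 3003 for only one, 4004 never.
T0 = datetime(2009, 12, 1, 0, 0)
SNAPSHOTS = [
    ZoneSnapshot(T0, frozenset({1001}), frozenset({1001})),
    ZoneSnapshot(T0 + timedelta(hours=1), frozenset({1001, 2002}), frozenset({1001})),
    ZoneSnapshot(T0 + timedelta(hours=2), frozenset({1001, 2002, 3003}), frozenset({1001})),
    ZoneSnapshot(T0 + timedelta(hours=3), frozenset({1001, 2002, 3003}), frozenset({3003, 4004})),
    ZoneSnapshot(T0 + timedelta(hours=4), frozenset({2002, 3003}), frozenset({2002})),
]
# Constructed policy: DNSKEY TTL 3600 s, propagation delay 3600 s, no extra safety margin.
POLICY_REQUIRED = required_prepublish(3600, 3600)

if __name__ == "__main__":
    for err in audit_prepublish(SNAPSHOTS, POLICY_REQUIRED):
        print("ERROR", err)
```

Run as a script it reports key 3003 (used one hour after publication against a two-hour policy) and key 4004 (signing without ever being in the DNSKEY RRset); key 2002 passes, and key 1001 is skipped as the pre-existing baseline.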
* The auditor now tracks the SOA serial over time
* The auditor (dnsruby) supports RSA/SHA256 and RSA/SHA512
Bugfixes:
* The LDNS bug that affected SRV records has been fixed in ldns-trunk.
* Bugreport #41: Fix for SOA serial 'keep'.
* Allow for SOA Serial/TTL/Minimum values of zero.
* Correct socket binding of NotifyListen.
* Systems with older SQLite had problems rolling keys on a policy.
* Auditor now handles SSHFP and NAPTR records correctly (but needs Dnsruby 1.39)
* Auditor now handles TTLs in zone file with suffix s, m, h, d, and w.
* Added experimental support for RSA/SHA256 and RSA/SHA512 to KASP enforcer
and the signer engine.
* SignerThreads and KeygenInterval have been deprecated (actually removed
just before 1.0.0b1).
* Added support for RSA/SHA256 and RSA/SHA512 to libhsm. No API changes.
Bugfixes:
* Bugreport #33 (#35): Output a signed zone if only the SOA record changed.
* Zone fetcher did not start correctly.
* Create the pid/socket directory if it does not yet exist, with the correct
privileges.
* Signer Engine now catches the exception raised when running with incorrect permissions.
* TCP-support for LDNS on Solaris is fixed in LDNS trunk.
Known issues:
* LDNS has a problem with SRV records. The main effect is that these
records are given invalid RRSIGs. This is still under investigation.
configuration files for sanity and consistency
* communicated and keygend combined to form "enforcerd" (although this
name will change).
* ksmutil command line changes. Most commands have changed slightly, some
substantially.
See http://svn.opendnssec.org/docs/command-tools-syntax.txt .
* enforcer database now has a version number. If it differs from a #define
in the code then the software will not connect to the database.
* "ksmutil list keys" now displays the keytag if the -l flag is passed to it.
* "Emergency Keys" renamed to "Standby Keys" as this better reflects their
role as we use them.
* The behaviour of SOA Serial value 'counter' changed according to Ticket #31.
* Changes to the KASP DB, please apply:
If you want to keep your old database, upgrade it with the following commands:
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090922_1.sqlite3
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090930_1.sqlite3
Or start fresh (all existing information is lost, and the user should remove the
old keys from the HSM):
    ksmutil setup
* move xml/ to conf/ (part of repository clean)
Bugfixes:
* Make sure that parentheses in zone files don't concatenate rdata fields.
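Several entries above describe how a zone file's TTLs and tokens are to be read: the SOA Minimum as the fallback default TTL when neither $TTL nor an explicit RR TTL is present, SOA Serial/TTL/Minimum values of zero, TTLs with the s, m, h, d and w suffixes, trailing spaces that must not become part of a directive's value, and parentheses that must not concatenate rdata fields. The parser below puts those rules in one place as an added example written for this page; it is not OpenDNSSEC code. The names parse_ttl, parse_zone, ttl_table, RR and the sample zone are constructed for illustration, only $TTL and $ORIGIN are understood, and comments are stripped without regard for quoted strings.

```python
# Added example for this page, not OpenDNSSEC code. Resolves each RR's TTL as the
# changelog entries describe: explicit RR TTL, else $TTL, else the SOA Minimum field
# (zero allowed), with s/m/h/d/w suffixes, comment and trailing-space stripping, and
# parentheses treated as separators so they never concatenate rdata fields.
# Names, the sample zone and the helper functions are constructed for illustration.
import re
from dataclasses import dataclass

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(?:\d+[smhdw]?)+$", re.IGNORECASE)
_CLASSES = {"IN", "CH", "HS"}


def parse_ttl(text: str) -> int:
    """Parse '3600', '30m', '1h30m' or '2W' into seconds; zero is accepted."""
    if not _TTL_RE.match(text):
        raise ValueError(f"bad TTL {text!r}")
    parts = re.findall(r"(\d+)([smhdw]?)", text.lower())
    return sum(int(num) * _UNIT_SECONDS[unit] for num, unit in parts)


@dataclass
class RR:
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: list


def _logical_records(lines):
    """Yield (owner_omitted, tokens) per logical record, joining lines inside ( ).

    Comments (';' to end of line; quoted strings are not handled here) and trailing
    spaces are removed first, and '(' / ')' are always tokens of their own, so a
    parenthesis written against a field can never merge it with its neighbour.
    """
    depth, tokens, owner_omitted = 0, [], False
    for raw in lines:
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0:
            if not line.strip():
                continue
            tokens, owner_omitted = [], line[0].isspace()
        for tok in re.findall(r"[()]|[^\s()]+", line):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                tokens.append(tok)
        if depth == 0:
            yield owner_omitted, tokens
    if depth != 0:
        raise ValueError("unbalanced parentheses at end of zone")


def parse_zone(text: str, origin: str) -> list:
    """Parse a zone into RRs with resolved TTLs. `origin` must end with a dot."""
    default_ttl = None   # set by $TTL
    soa_minimum = None   # last rdata field of the SOA, used when $TTL is absent
    last_owner = None
    records = []
    for owner_omitted, toks in _logical_records(text.splitlines()):
        if toks[0].upper() == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if toks[0].upper() == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):
            raise ValueError(f"directive {toks[0]} not supported by this example")
        i = 0
        if owner_omitted:
            owner = last_owner
        else:
            owner, i = toks[0], 1
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        ttl, rclass = None, "IN"
        # TTL and class are optional and may appear in either order before the type.
        while i < len(toks) and (toks[i].upper() in _CLASSES or _TTL_RE.match(toks[i])):
            if toks[i].upper() in _CLASSES:
                rclass = toks[i].upper()
            else:
                ttl = parse_ttl(toks[i])
            i += 1
        rtype, rdata = toks[i].upper(), toks[i + 1:]
        if rtype == "SOA":
            soa_minimum = parse_ttl(rdata[-1])
        if ttl is None:
            ttl = default_ttl if default_ttl is not None else soa_minimum
        if ttl is None:
            raise ValueError(f"no TTL for {owner} {rtype}: no $TTL and no SOA seen yet")
        records.append(RR(owner, ttl, rclass, rtype, rdata))
        last_owner = owner
    return records


def ttl_table(text: str, origin: str) -> dict:
    """(owner, type) -> resolved TTL, handy for checking a zone's effective TTLs."""
    return {(rr.owner, rr.rtype): rr.ttl for rr in parse_zone(text, origin)}


# Constructed sample zone; the SOA Minimum is deliberately zero.
ZONE_WITH_TTL = """\
$TTL 1h      ; the spaces before this comment are not part of the value
@     IN SOA ns1.example.com. hostmaster.example.com. (
          2009123001 ; serial
          1d 2h 2w 0 )
      NS  ns1.example.com.
ns1   30m IN A 192.0.2.1
www       A  192.0.2.2
"""
ZONE_NO_TTL = "".join(l + "\n" for l in ZONE_WITH_TTL.splitlines() if not l.startswith("$TTL"))
```

With the $TTL line present every RR without its own TTL gets 3600; with that line removed the same RRs get the SOA Minimum, here 0, while ns1's explicit 30m stays 1800 in both cases. The SOA's seven rdata fields survive the parenthesised continuation as separate tokens.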
Known issues:
* TCP support for LDNS on Solaris is currently broken due to an issue with
SO_RCVTIMEO. The result is that the zone fetcher doesn't work. No other part
of OpenDNSSEC is affected by this bug. There is currently no workaround.
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.
The Features of OpenDNSSEC
- No manual management is needed (after first configuration)
- Runs on the various Unix-like operating systems
- Multiple zones with shared or individual policies
- Each policy specifies a set of key and signature settings
- Handle zone sizes ranging from a few RRs to millions of RRs
- Unsigned zone file in and signed zone file out.
- Supports RSA/SHA1 signatures; ready for future algorithms
(e.g. RSA/SHA2, GOST)
- Denial of existence using NSEC or NSEC3
- Automatic key generation in HSMs via the PKCS#11 interface
- Optional support for sharing keys between zones
- Automatic key rollover
- Possibility of manual key rollover (emergency key rollover)
- Automatic zone signing using HSMs via the PKCS#11 interface
- Auditing of the signing process and result
- BSD license