configuration files for sanity and consistency
* communicated and keygend combined to form "enforcerd" (although this
name will change).
* ksmutil command line changes. Most commands have changed slightly, some
have changed a lot.
See http://svn.opendnssec.org/docs/command-tools-syntax.txt .
* enforcer database now has a version number. If it differs from a #define
in the code then the software will not connect to the database.
* "ksmutil list keys" now displays the keytag if the -l flag is passed to it.
* "Emergency Keys" renamed to "Standby Keys" as this better reflects their
role as we use them.
* The behaviour of SOA Serial value 'counter' changed according to Ticket #31.
* Changes to the KASP DB, please apply:
If you want to use your old database, use the following commands to upgrade:
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090922_1.sqlite3
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090930_1.sqlite3
Or start fresh (with loss of information; the user should remove old keys
from the HSM):
    ksmutil setup
* move xml/ to conf/ (part of repository clean)
Bugfixes:
* Make sure that parentheses in zonefiles don't concatenate rdata fields.
Known issues:
* TCP-support for LDNS on Solaris is currently broken due to an issue with
SO_RCVTIMEO. The result is that the zonefetcher doesn't work. No other parts
of OpenDNSSEC are affected by this bug. There is currently no workaround.
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.
The Features of OpenDNSSEC
- No manual management is needed (after first configuration)
- Works with all different versions of the Unix operating system
- Multiple zones with shared or individual policies
- Each policy specifies a set of key and signature settings
- Handle zone sizes ranging from a few RRs to millions of RRs
- Unsigned zone file in and signed zone file out.
- Supports RSA/SHA1 signatures; ready for future algorithms
(e.g. RSA/SHA2, GOST)
- Denial of existence using NSEC or NSEC3
- Automatic key generation in HSMs via the PKCS#11 interface
- Optional support for sharing keys between zones
- Automatic key rollover
- Possibility of manual key rollover (emergency key rollover)
- Automatic zone signing using HSMs via the PKCS#11 interface
- Auditing of the signing process and result
- BSD license