- New Features
- dnssec-nodes - Many new features, including validation tree
graphing, on-the-wire traffic display, pcap dump
file display, increased data logging and
display, improved simultaneous updating, etc.
- Libval: - Added initial support for the TLSA rrtype
- Added support for ECDSA
- Implemented checking for AI_ADDRCONFIG in getaddrinfo
- Memory optimizations to improve speed-up
- dnssec-check - increased stability across all platforms.
- All Around: - Many bug fixes and other minor improvements
1.13
- New Features
- rollerd: - Added support for the signzone command. Allow
zones to be signed while in the midst of a
rollover wait.
- Added autosigning of modified zone files. Zone
files are considered modified when their "last
modification" timestamp is more recent than that
of the associated signed zone file. This
functionality includes adding the -autosign option
and config field.
- Added additional commands (via rollctl) to allow
greater control over zone rollover actions.
- Added -zsargs option to allow global options to
be passed to zonesigner.
- realms: - Added the realms feature to manage multiple
simultaneous rollover environments. Several
commands and modules (e.g., dtrealms, realms.pm,
buildrealms) were added for the realms feature.
- zonesigner: - Added the -threshold option to specify a signing
threshold.
- Better handling of serial numbers in zone files.
- keymod: - New tool that can be used to modify key
generation parameters in a keyrec file.
- dnssec-check - significant rewrite since the 1.12 release, though
individual updates have been available already.
- Asynchronous support for non-interrupting GUI support
- Letter grades assigned to each resolver
- Various user-interface improvements
- libval: - Bug fixes
- Renamed all validator command-line apps to have
a dt- prefix in order to avoid conflicts with
pre-existing executables in certain platforms.
- dnsval python module
- Add python wrapper module for the validator
library. Code contributed by Bob Novas.
- trustman: - Added an option for use by monitoring systems.
- nagios - Added the dt_donuts plugin for running trustman on
remote machines.
- Added the dt_trustman plugin for monitoring trust
anchors.
- firefox - updated nspr and firefox patches to work with
mozilla-central and nspr-4.9
- webmin: - Added the ability to perform DNSSEC
operations on DNSSEC-Tools managed signed
zones using the Webmin front-end.
- ssh: - Update the patch for enabling local DNSSEC
validation to work with OpenSSH 6.0p1.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
- Bux fix release
- Rollerd's -alwayssign flag logic had a critical error that could
have caused a zone to be signed with the wrong ZSK at particular
points of the ZSK key rolling process.
- Minor bug fix release
- Fix perl Validator module so it compiles after a header move
- Make all OSes use the new dnssec-check gui as they should have
1.12 (1/26/12)
- New Features:
- libval: - Made improvements to support IPv6,
added the ability to fetch IPv6 glue
- Fixed the EDNS0 fallback behavior.
- Tidied up the locking semantics in libval.
- Added support for hard-coding validator configuration
information that gets used in the absence of other
configuration data. This feature allows the
validator library to be self-contained in
environments where setting up configuration data at
specific locations in the file system is not always
feasible.
- The library has been ported to the Android OS
- rollerd: - Added support for phase-specific commands. This allows
the zone operator to customize processing of the rollerd
utility during different rollerd phases.
- Added support for zone groups. This allows a collection
of zones to be controlled as a group, rather each of
those zones individually.
- Improved the manner in which rollerd indexes the zones
being managed, with the significantly decreased access
times for rollerd's data files. This results in rollerd
being able to support a lot more zones with a single
rollerd instance.
- rollctl and the rollover GUI programs may have new
commands to allow for immediate termination of rollerd.
- apps - Added patch to enable local validation in NTP, with
the ability to handle a specific chicken and egg problem
related to the interdependency between DNSSEC and an
accurate system clock.
- Added a patch to enable DNSSEC validation in Qt
based applications
- dnssec-check - Completely rewritten GUI with many new features
- Now contains the ability to submit the results
to a central DNSSEC-Tools repository. The
results will be analyzed and published on a
regular basis. Please help us get started by
running dnssec-check on your networks! Note
that it explains that it only sends hashed IP
addresses to our servers and the reports
generated will be aggregation summaries of the
data collected.
- It now runs on both Android and Harmattan (N9) devices
- maketestzone - Now produces zones with wildcards and changes to
NSEC record signatures
- dnssec-nodes - parses unbound log files
- Initial work porting to Android
- dnssec-system-tray
- parses unbound log files
1.11 (9/30/11)
- New Features:
- libval: - Significant improvements and bug fixes to the
asynchronous support.
- Added asynchronous version of val_getaddr_info.
- Some reworking of the asynchronous API and callbacks.
Note the asynchronous api is still under development and
subject to changes that break backwards compatibility.
- rollerd: - Added an experimental time-based method for queuing
rollover operations. This original method (full list
of all zones) is the default queuing method, but the
new method can be used by editing the rollerd script.
rollctl and rollrec.pm were also modified to support
this change.
- Added support for merging a set of rollrec files.
rollctl and rollrec.pm were also modified to support
this change.
- dnssec-nodes - This graphical DNS debugging utility was greatly enhanced
- Now parses both bind and libval log files
- Multiple log files can be watched
- Node's represent multiple data sets
internally, which are independently displayed
and tracked.
- Added support for searching for and
highlighting DNS data and DNSSEC status
results
- dnssec-system-tray
- This utility can now report on BOGUS responses
detected in both libval and bind log files.
- Summary window revamped to group similar
messages together.
Plus many more minor features and bug fixes
* use perl5/module.mk and its stuff for perl module build
* using packlist, so PLIST entries for perl modules are not required.
* PKG_SYSCONFSUBDIR is handled automatically, no need to be in PLIST.
* fix substitute handling with USE_DESTDIR=yes.
Bump PKGREVISION.
- New Features:
- New Apps: (see the validator/apps directory for details)
- dnssec-check: check dnssec support from your ISP
- dnssec-nodes: graphically displays a DNS
hierarchy, color coded by each node's DNSSEC status
- dnssec-system-tray: displays pop-up
notifications when a libval-enabled application
triggers a DNSSEC error
- lookup: a graphical DNS lookup utility that
displays the results in a hierarchical tree and
color codes the window according to DNSSEC status
- libval: - Added support for building on Windows.
- added support for falling back to recursion when
the caching name server does not appear to
support DNSSEC. This also works as a mechanism
to work around poisoned or misbehaving cache.
- Significant improvements to the the asynchronous support.
- lsdnssec: - Improvements to lsdnssec to display different
output depending on whether a zone is a
stand-alone zone or under control of rollerd.
- nagios: - Plugins for the nagios monitoring system which
enable monitoring of zone rollerover states.
- firefox: - Improved patches that work with the most recent firefox
Plus many more minor features and bug fixes
1.9:
- New Features:
- lsdnssec: - Added a new flag (-p) to show only zones in a
particular rollerd phase.
- fixed bugs to align timing output with rollerd.
- rollerd: - Added a -logtz flag for logging timezones
- fixed bugs related to the -alwayssign flag.
- zonesigner's path is taken from the config file.
- rollctl: - Added -rollall and -rollzone options.
- zonesigner: - Assumes keys need to be generated for new zones
(Assumes -genkeys option was given if a keyrec file
can't be found.)
- Exits with unique exit codes if a failure occurs.
("zonesigner -xc CODE" can lookup a description for it.")
- Added the -phase option so rollover options could be
more easily specified.
- lights: - A simple GUI to check the status of rollover states
- blinkenlights:- Added hide/show commands for rollrec names and zone
names, for split-zone support
- cleankrf: - Fixed deletion of obsolete set keyrecs.
- GUI commands: - Fixed how the Exit command works so they don't coredump.
- libsres
& libval: - New beta support for issuing asynchronous requests.
This can speed up queries by up to 4 times if used.
(see example code in validator/apps/validator_selftest.c)
- NSEC3, DLV and IPv6 are enabled by default.
- improved logging and logging-callback support.
- drawvalmap - Can output PNG files now
- Packaging:
- Our download page now allows you to download
the C validator libraries independently of the
full DNNSEC-Tools tool-suite.
- Many bugs were also fixed in the 240+ changes.
- New Features:
- zonesigner, rollerd
- Made changes so that these tools are more compatible
with recent versions of Bind
- The zone_errors configuration parameter allows a zone-
specific maximum to be set. Once exceeded, that zone
will be skipped rather than allowing rollover to continue.
- blinkenlights
- Recognizes when rollerd abruptly quits, so error messages
aren't spewed interminably.
- ZonFile::Fast - Fixed parsing of DS records containing spaces and
parsing of mname and rname SOA fields
- Added support for parsing KEY records
- keyrec.pm - Made changes to properly lock keyrec files before
writing to them.
- Begun process of deprecating keyrec_open().
- mapper: - added a new option: --node-size for mapping
complex zones.
- dnspktflow: - added two new options:
--layout-style for selecting the layout style to use
--node-size for mapping complex zones.
- Add new (default) option to cluster
authoritative nodes together to help better
understand the relationships between traffic
patterns and authoritative name server/zone arrangement.
- libval: - Now distributed with the Root TA.
- Added stricter checks for openssl SHA-256 support in
configure.
- Added several improvements that allow the validator to
lookup information within provably insecure zones that
do not handle EDNS0 requests nicely. This includes
adding support for turning off EDNS0 when traversing a
name hierarchy that leads to a provably insecure zone,
EDNS0 fallback support, and additional checks to check
the sanity of response data.
- Fixed certain bugs in CNAME handling and in the
validation of proofs accompanying wildcard responses,
referrals and alias chains.
- Fixed support for RSADSA and RSASHA-512 signature
validation.
- Mac OSX: - Added a Ports file for mac ports
- updated the fink build spec
- many other miscellaneous bug fixes and improvements.
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
