* New -S option for ldns-verify-zone to chase signatures online.
* New -k option for ldns-verify-zone to validate using a trusted key.
* New inception and expiration margin options (-i and -e) to
ldns-verify-zone.
* New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l
functions.
* New ldns_duration* functions (copied from OpenDNSSEC source)
* fix ldns-verify-zone to allow NSEC3 signatures to come before
the NSEC3 RR in all cases.
* Zero the correct flag (opt-out) when creating NSEC3PARAMS.
* Canonicalize RRSIG's Signer's name too when validating, because
bind and unbound do that too.
* bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label
* bugfix #432: Use LDNS_MALLOC & LDNS_FREE i.s.o. malloc & free
* bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT
* bugfix #427: Explicitely link ssl with the programs that use it.
* Fix reading \DDD: Error on values that are outside range (>255).
* bugfix #429: fix doxyparse.pl fails on NetBSD because specified
path to perl.
* New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
* fix verifying denial of existence for DS's in NSEC3 Opt-Out zones.
* bugfix #413: Fix manpage source for srcdir != builddir
* Canonicalize the signers name rdata field in RRSIGs when signing
* Ignore minor version of Private-key-format (so v1.3 may be used)
* Allow a check_time to be given in stead of always checking against
the current time. With ldns-verify-zone the check_time can be set
with the -t option.
* Added functions for updating and manipulating SOA serial numbers.
ldns-read-zone has an option -S for updating and manipulating the
serial numbers.
* The library Makefile is now GNU and BSD make compatible.
* bugfix #419: NSEC3 validation of a name covered by a wildcard with
no data.
* Two new options (--with-drill and --with-examples) to the main
configure script (in the root of the source tree) to build drill
and examples too.
* Fix days_since_epoch to year_yday calculation on 32bits systems.
Pkgsrc changes:
o Sync PLIST, additional man page installed.
Upstream changes:
1.6.11 2011-09-29
* bugfix #394: Fix socket leak on errors
* bugfix #392: Apex only and percentage checks for ldns-verify-zone
(thanks Miek Gieben)
* bugfix #398: Allow NSEC RRSIGs before the NSEC3 in ldns-verify-zone
* Fix python site package path from sitelib to sitearch for pyldns.
* Fix python api to support python2 and python3 (thanks Karel Slany).
* bugfix #401: Correction of date/time functions algorithm and
prevention of an infinite loop therein
* bugfix #402: Correct the minimum and maximum number of rdata fields
in TSIG. (thanks David Keeler)
* bugfix #403: Fix heap overflow (thanks David Keeler)
* bugfix #404: Make parsing APL strings more robust
(thanks David Keeler)
* bugfix #391: Complete library assessment to prevent assertion errors
through ldns_rdf_size usage.
* Slightly more specific error messaging on wrong number of rdata
fields with the LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG and
LDNS_STATUS_MISSING_RDATA_FIELDS_KEY result codes.
* bugfix #406: More rigorous openssl result code handling to prevent
future crashes within openssl.
* Fix ldns_fetch_valid_domain_keys to search deeper than just one level
for a DNSKEY that signed a DS RR. (this function was used in the
check_dnssec_trace nagios module)
* bugfix #407: Canonicalize TSIG dnames and algorithm fields
* A new output specifier to accommodate configuration of what to show
in comment texts when converting host and/or wire-format data to
string. All conversion to string and printing functions have a new
version that have such a format specifier as an extra argument.
The default is changed so that only DNSKEY RR's are annotated with
an comment show the Key Tag of the DNSKEY.
* Fixed the ldns resolver to not mark a nameserver unreachable when
edns0 is tried unsuccessfully with size 4096 (no return packet came),
but to still try TCP. A big UDP packet might have been corrupted by
fragments dropping firewalls.
* Update of libdns.vim (thanks Miek Gieben)
* Added the ldnsx Python module to our contrib section, which adds even
more pythonisticism to the usage of ldns with Python. (Many thanks
to Christpher Olah and Paul Wouters)
The ldnsx module is automatically installed when --with-pyldns is
used with configuring, but may explicitly be excluded with the
--without-pyldnsx option to configure.
* bugfix #410: Fix clearing out temporary data on stack in sha2.c
* bugfix #411: Don't let empty non-terminal NSEC3s cause
assertion failure.
* New example tool added: ldns-gen-zone.
* bugfix #359: Serial-arithmetic for the inception and expiration
fields of a RRSIG and correctly converting them to broken-out time
information.
* bugfix #364: Slight performance increase of ldns-verifyzone.
* bugfix #367: Fix to allow glue records with the same name as the
delegation.
* Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and*
glue when the zone is opt-out.
* bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations,
ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too.
* pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit
performance)
* Better handling of reference variables in ldns_rr_new_frm_fp_l from
pyldns, with a very nice generator function by Bedrich Kosata.
* Decoupling of the rdfs in rrs in the python wrappers to enable
the python garbage collector by Bedrich Kosata.
* bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at
build time and when used.
* bugfix #383: Fix detection of empty nonterminals of multiple labels.
* Fixed the ommission of rrsets in nsec(3)s and rrsigs to all occluded
names (in stead of just the ones that contain glue only) and all
occluded records on the delegation points (in stead of just the glue).
* Clarify the operation of ldns_dnssec_mark_glue and the usage of
ldns_dnssec_node_next_nonglue functions in the documentation.
* Added function ldns_dnssec_mark_and_get_glue as an real fast
alternative for ldns_zone_glue_rr_list.
* Fix parse buffer overflow for max length domain names.
* Fix Makefile for U in environment, since wrong U is more common than
deansification necessity.
* Fix creating NSEC(3) bitmaps: make array size 65536,
don't add doubles.
* Fix printout of escaped binary in TXT records.
* Parsing TXT records: don't skip starting whitespace that is quoted.
* bugfix #358: Check if memory was successfully allocated in
ldns_rdf2str().
* Added more memory allocation checks in host2str.c
* python wrapper for ldns_fetch_valid_domain_keys.
* fix to compile python wrapper with swig 2.0.2.
* Don't fallback to SHA-1 when creating NSEC3 hash with another
algorithm identifier, fail instead (no other algorithm identifiers
are assigned yet).
1.6.8
* Fix ldns zone, so that $TTL definition match RFC 2308.
* Fix lots of missing checks on allocation failures and parse of
NSEC with many types and max parse length in hosts_frm_fp routine
and off by one in read_anchor_file routine.
* bugfix #335: Drill: Print both SHA-1 and SHA-256 corresponding DS
records.
* Print correct WHEN in query packet (is not always 1-1-1970)
* ldns-test-edns: new example tool that detects EDNS support.
* fix ldns_resolver_send without openssl.
* bugfix #342: patch for support for more CERT key types (RFC4398).
* bugfix #351: fix udp_send hang if UDP checksum error.
* fix set_bit (from NSEC3 sign).
* EXPERIMENTAL ecdsa implementation, please do not enable on real
servers.
* GOST code enabled by default (RFC 5933).
* bugfix #326: ignore whitespace between directives and their values.
* Header comment to advertise ldns_axfr_complete to check for
successfully completed zone transfers.
* read resolv.conf skips interface labels, e.g. %eth0.
* Fix drill verify NSEC3 denials.
* Use closesocket() on windows.
* Add ldns_get_signing_algorithm_by_name that understand aliases,
names changed to RFC names and aliases for compatibility added.
* bugfix: don't print final dot if the domain is relative.
* bugfix: resolver search continue when packet rcode != NOERROR.
* bugfix: resolver push all domains in search directive to list.
* bugfix: resolver search by default includes the root domain.
* bugfix: tcp read could fail on single octet recv.
* bugfix: read of RR in unknown syntax with missing fields.
* added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next()
to sign and verify TSIG RRs on subsequent messages
(section 4.4, RFC 2845).
* bugfix: signer sigs nsecs with zsks only.
* bugfix #333: fix ldns_dname_absolute for name ending with backslash.
* Fix ldns_rr_clone to copy question rrs properly.
* Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone.
* Fix ldns_wire2dname size check from reading 1 byte beyond buffer end.
* Fix ldns_wire2dname from reading 1 byte beyond end for pointer.
* Fix crash using GOST for particular platform configurations.
* extern C declarations used in the header file.
* Removed debug fprintf from resolver.c.
* ldns-signzone checks if public key file is for the right zone.
* NETLDNS, .NET port of ldns functionality, in contrib.
* Fix handling of comments in resolv.conf parse.
* GOST code enabled if SSL recent, RFC 5933.
* bugfix #317: segfault util.c ldns_init_random() fixed.
* Fix ldns_tsig_mac_new: allocate enough memory for the hash, fix use of
b64_pton_calculate_size.
* Fix ldns_dname_cat: size calculation and handling of realloc().
* Fix ldns_rr_pop_rdf: fix handling of realloc().
* Fix ldns-signzone for single type key scheme: sign whole zone if there
are only KSKs.
* Fix ldns_resolver: also close socket if AXFR failed (if you don't,
it would block subsequent transfers).
* Fix drill: allow for a secure trace if you use DS records as trust
anchors.
1.6.5
* Catch \X where X is a digit as an error.
* Fix segfault when ip6 ldns resolver only has ip4 servers.
* Fix NSEC record after DNSKEY at zone apex not properly signed.
* Fix syntax error if last label too long and no dot at end of domain.
* Fix parse of \# syntax with space for type LOC.
* Fix ldns_dname_absolute for escape sequences, fixes some parse errs.
* bugfix #297: linking ssl, bug due to patch submitted as #296.
* bugfix #299: added missing declarations to host2str.h
* ldns-compare-zones -s to not exclude SOA record from comparison.
* --disable-rpath fix
* fix ldns_pkt_empty()
* fix ldns_resolver_new_frm_fp not ignore lines after a comment.
* python code for ldns_rr.new_question_frm_str()
* Fix ldns_dnssec_verify_denial: the signature selection routine.
* Type TALINK parsed (draft-ietf-dnsop-trust-history).
* bugfix #304: fixed dead loop in ldns_tcp_read_wire() and
ldns_tcp_read_wire_timeout().
* GOST support with correct algorithm numbers. The plan is to make it
enabled if openssl support is detected, but it is disabled by
default in this release because the RFC is not ready.
* Fixed comment in rbtree.h about being first member and data ptr.
* Fixed possibly leak in case of out of memory in ldns_native2rdf...
* ldns_dname_is_wildcard added.
* Fixed: signatures over wildcards had the wrong labelcount.
* Fixed ldns_verify() inconsistent return values.
* Fixed ldns_resolver to copy and free tsig name, data and algorithm.
* Fixed ldns_resolver to push search onto searchlist.
* A ldns resolver now defaults to a non-recursive resolver that handles
the TC bit.
* ldns_resolver_print() prints more details.
* Fixed ldns_rdf2buffer_str_time(), which did not print timestamps
on 64bit systems.
* Make ldns_resolver_nameservers_randomize() more random.
* bugfix #310: POSIX specifies NULL second argument of gettimeofday.
* fix compiler warnings from llvm clang compiler.
* bugfix #309: ldns_pkt_clone did not clone the tsig_rr.
* Fix gentoo ebuild for drill, 'no m4 directory'.
* bugfix #313: drill trace on an empty nonterminal continuation.
* Bugfix: parse PTR target of .tomhendrikx.nl with error not
crash. * Bugfix: handle escaped characters in TXT rdata.
* bug292: no longer crash on malformed domain names where a
label is on position 255, which was a buffer overflow by one.
* Fix ldns_get_rr_list_hosts_frm_fp_l (strncpy to strlcpy
change), which fixes resolv.conf reading badly terminated string
buffers.
* Fix ldns_pkt_set_random_id to be more random, and a little
faster, it did not do value 0 statistically correctly.
* Fix ldns_rdf2native_sockaddr_storage to set sockaddr type to
zeroes, for portability.
* bug295: nsec3-hash routine no longer case sensitive.
* bug298: drill failed nsec3 denial of existence proof.
1.6.3 2009-12-04
* Bugfix: allow for unknown resource records in zonefile with rdlen=0.
* Bugfix: also mark an RR as question if it comes from the wire
* Bugfix: NSEC3 bitmap contained NSEC
* Bugfix: Inherit class when creating signatures
1.6.2 2009-11-12
* Fix Makefile patch from Havard Eidnes, better install.sh usage.
* Fix parse error on SOA serial of 2910532839.
Fix print of ';' and readback of '\;' in names, also for '\\'.
Fix parse of '\(' and '\)' in names. Also for file read. Also '\.'
* Fix signature creation when TTLs are different for RRs in RRset.
* bug273: fix so EDNS rdata is included in pkt to wire conversion.
* bug274: fix use of c++ keyword 'class' for RR class in the code.
* bug275: fix memory leak of packet edns rdata.
* Fix timeout procedure for TCP and AXFR on Solaris.
* Fix occasional NSEC bitmap bogus
* Fix rr comparing (was in reversed order since 1.6.0)
* bug278: fix parsing HINFO rdata (and other cases).
* Fix previous owner name: also pick up if owner name is @.
* RFC5702: enabled sha2 functions by default. This requires OpenSSL 0.9.8 or higher.
Reason for this default is the root to be signed with RSASHA256.
* Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines
* Fix: Make ldns_dname_is_subdomain case insensitive.
* Fix ldns-verify-zone so that address records at zone NS set are not considered glue
(Or glue records fall below delegation)
* Fix LOC RR altitude printing.
* Feature: Added period (e.g. '3m6d') support at explicit TTLs.
* Feature: DNSKEY rrset by default signed with minimal signatures
but -A option for ldns-signzone to sign it with all keys.
This makes the DNSKEY responses smaller for signed domains.
Pkgsrc changes:
o Adjust the patch to Makefile.in to match, and make sure to use
./install-sh with the "-c" option, to ensure we can reinstall
after an install + deinstall.
o Fix PLIST issues (a few more than in the PR mentioned below).
Should fix PR pkg/41868.
Upstream changes:
1.6.1 2009-09-14
* --enable-gost : use the GOST algorithm (experimental).
* Added some missing options to drill manpage
* Some fixes to --without-ssl option
* Fixed quote parsing withing strings
* Bitmask fix in EDNS handling
* Fixed non-fqdn domain name completion for rdata field domain
names of length 1
* Fixed chain validation with SHA256 DS records
1.6.0
Additions:
* Addition of an ldns-config script which gives cflags and libs
values, for use in configure scripts for applications that use
use ldns. Can be disabled with ./configure --disable-ldns-config
* Added direct sha1, sha256, and sha512 support in ldns.
With these functions, all NSEC3 functionality can still be
used, even if ldns is built without OpenSSL. Thanks to OpenBSD,
Steve Reid, and Aaron D. Gifford for the code.
* Added reading/writing support for the SPF Resource Record
* Base32 functions are now exported
Bugfixes:
* ldns_is_rrset did not go through the complete rrset, but
only compared the first two records. Thanks to Olafur
Gudmundsson for report and patch
* Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(),
thanks to Marius Rieder for finding an patching this.
* --without-ssl should now work. Make sure that examples/ and
drill also get the --without-ssl flag on their configure, if
this is used.
* Some malloc() return value checks have been added
* NSEC3 creation has been improved wrt to empty nonterminals,
and opt-out.
* Fixed a bug in the parser when reading large NSEC3 salt
values.
* Made the allowed length for domain names on wire
and presentation format the same.
Example tools:
* ldns-key2ds can now also generate DS records for keys without
the SEP flag
* ldns-signzone now equalizes the TTL of the DNSKEY RRset (to
the first non-default DNSKEY TTL value it sees)
OK'ed by wiz@
Pkgsrc changes:
o Explicitly mark dependency on openssl >= 0.9.7, should fix PR#41633
Upstream changes:
1.5.1
Example tools:
* ldns-signzone was broken in 1.5.0 for multiple keys, this
has been repaired
Build system:
* Removed a small erroneous output warning in
examples/configure and drill/configure
1.5.0
Bug fixes:
* fixed a possible memory overflow in the RR parser
* build flag fix for Sun Studio
* fixed a building race condition in the copying of header
files
* EDNS0 extended rcode; the correct assembled code number
is now printed (still in the EDNS0 field, though)
* ldns_pkt_rr no longer leaks memory (in fact, it no longer
copies anything all)
API addition:
* ldns_key now has support for 'external' data, in which
case the OpenSSL EVP structures are not used;
ldns_key_set_external_key() and ldns_key_external_key()
* added ldns_key_get_file_base_name() which creates a
'default' filename base string for key storage, of the
form "K<zone>+<algorithm>+<keytag>"
* the ldns_dnssec_* family of structures now have deep_free()
functions, which also free the ldns_rr's contained in them
* there is now an ldns_match_wildcard() function, which checks
whether a domain name matches a wildcard name
* ldns_sign_public has been split up; this resulted in the
addition of ldns_create_empty_rrsig() and
ldns_sign_public_buffer()
Examples:
* ldns-signzone can now automatically add DNSKEY records when
using an OpenSSL engine, as it already did when using key
files
* added new example tool: ldns-nsec3-hash
* ldns-dpa can now filter on specific query name and types
* ldnsd has fixes for the zone name, a fix for the return
value of recvfrom(), and an memory initialization fix
(Thanks to Colm MacCárthaigh for the patch)
* Fixed memory leaks in ldnsd
1.4.1
Bug fixes:
* fixed a build issue where ldns lib existence was done too early
* removed unnecessary check for pcap.h
* NSEC3 optout flag now correctly printed in string output
* inttypes.h moved to configured inclusion
* fixed NSEC3 type bitmaps for empty nonterminals and unsigned
delegations
API addition:
* for that last fix, we added a new function
ldns_dname_add_from() that can clone parts of a dname
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
- better TCP fallback, improved TSIG support
- namespace cleanup
- bugfixes
Require the new version and switch to normal runtime dependencies as it
is normally linked dynamically.
The goal of ldns is to simplify DNS programming, it supports recent
RFCs like the DNSSEC documents, and allows developers to easily
create software conforming to current RFCs, and experimental software
for current Internet Drafts. A secondary benefit of using ldns is
speed; ldns is written in C it should be a lot faster than Perl.
