Commit graph

92 commits

Author SHA1 Message Date
adam
f5e35d538b revbump for textproc/icu update 2022-04-18 19:09:40 +00:00
wiz
a8a34564df *: finish move of botan to versioned directories 2022-04-01 08:07:28 +00:00
adam
b6d9bd86bc revbump for icu and libffi 2021-12-08 16:01:42 +00:00
nia
3df0f20e22 security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
2021-10-26 11:16:56 +00:00
nia
fa4b2904a6 security: Remove SHA1 hashes for distfiles 2021-10-07 14:53:40 +00:00
adam
9d0e79c401 revbump for textproc/icu 2021-04-21 11:40:12 +00:00
ryoon
2831546220 *: Recursive revbump from textproc/icu-68.1 2020-11-05 09:07:25 +00:00
he
50d492c47b Commit overlooked distinfo update after the previous addition
of patches.
2020-06-11 09:41:56 +00:00
he
24357b67bc Add an m4 + configure patch so that -lcrypto is searched for
EVP_sha1 and EVP_sha256.  Without this, opendnssec would build
but would not recognize any of those algorithms for tsig, and
therefore be pretty useless.  I'll admit that I'm not entirely
certain why this is now suddenly required; those functions are
in the same library in 9.0 as in 8.0.

Bump PKGREVISION.
2020-06-08 15:07:42 +00:00
adam
6bd0c30da6 Revbump for icu 2020-06-02 08:22:31 +00:00
adam
24daafa112 Recursive revision bump after textproc/icu update 2020-04-12 08:27:48 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
he
951dcd68b0 Update opendnssec to version 1.4.14.
Pkgsrc changes:
 * Adapt patch to enforcer/utils/Makefile.in

Upstream changes:
* OPENDNSSEC-888: Fixup database conversion script.
* OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and ZSK
  have exactly the same parameters.
* OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for
  same rrset are mismatching.
2019-08-30 08:08:21 +00:00
he
67223f5d79 Add a fix to work with EDNS with cookie support in BIND, from
tentative fix submitted at https://issues.opendnssec.org/browse/SUPPORT-242.
Bump PKGREVISION.
2019-05-30 20:04:59 +00:00
rillig
c7ff05f63e all: replace SUBST_SED with the simpler SUBST_VARS
pkglint -Wall -r --only "substitution command" -F

With manual review and indentation fixes since pkglint doesn't get that
part correct in every case.
2019-05-23 19:22:54 +00:00
ryoon
6fc378bce9 Recursive revbump from textproc/icu 2019-04-03 00:32:25 +00:00
adam
16dd5de231 revbump after updating textproc/icu 2018-12-09 18:51:58 +00:00
ryoon
b9c1e1d533 Recursive revbump from textproc/icu-62.1 2018-07-20 03:33:47 +00:00
jperkin
5393242c73 *: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
2018-07-04 13:40:07 +00:00
adam
299d329d51 revbump after icu update 2018-04-14 07:33:52 +00:00
he
4db520a2e5 Apply fix from
https://github.com/opendnssec/opendnssec/pull/713/files
Remove notify handler from netio on zone removal.
Bump PKGREVISION.
2018-03-27 11:40:22 +00:00
adam
8977d31a36 Revbump after textproc/icu update 2017-11-30 16:45:00 +00:00
maya
33ebf687dc revbump for requiring ICU 59.x 2017-09-18 09:52:56 +00:00
wiz
42426a5a45 Follow some redirects. 2017-09-03 08:53:04 +00:00
jlam
49970e3866 Fix packages that had INSTALLATION_DIRS+=$(PKG_SYSCONFDIR}.
Set PKG_SYSCONFSUBDIR where appropriate, and use {MAKE,OWN}_DIRS to
create the directory tree under ${PKG_SYSCONFDIR} instead of using
INSTALLATION_DIRS.

Bump the PKGREVISION of packages that changed due to changes in the
package install scripts.
2017-08-07 17:56:12 +00:00
adam
75a9285105 Revbump after icu update 2017-04-22 21:03:07 +00:00
he
f04b1a7bf6 Update OpenDNSSEC to version 1.4.13.
Pkgsrc changes:
 * Remove patch now integrated.

Upstream changes:

OpenDNSSEC 1.4.13 - 2017-01-20

* OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
* OPENDNSSEC-853: Fixed serial_xfr_acquired not updated in state file.
* Wrong error was sometimes being printed on failing TCP connect.
* Add support for OpenSSL 1.1.0.
* OPENDNSSEC-866: Script for migration between MySQL and SQLite was outdated.
2017-01-20 16:12:39 +00:00
he
3a131d82a2 Update OpenDNSSEC to version 1.4.12nb3.
* Apply fix from OPENDNSSEC-778: double NSEC3PARAMS on re-salt.
2017-01-16 09:21:13 +00:00
ryoon
36ed025474 Recursive revbump from textproc/icu 58.1 2016-12-04 05:17:03 +00:00
he
edd8403c60 Avoid in effect calling xmlCleanupThreads twice, xmlCleanupParser
has already internally called the former, and doing it twice causes
an abort internally in the pthread library in NetBSD 7.0.
Bump PKGREVISION.
2016-11-27 14:25:41 +00:00
he
93ad5e7f7b Update OpenDNSSEC to version 1.4.12.
Local changes (retained from earlier versions):
 * Some adaptations of the build setup (conversion scripts etc.)
 * in signer/ixfr.c, log the zone name if the soamin assertion triggers
 * in signer/zone.c, if there's a bad ixfr journal file, save it, for debug

Upstream changes:

News:

  This is a bug fix release targeting a memory leak in the signer
  when being used in the "bump in the wire" model where the signer
  would send out notify messages and respond to IXFR requests for
  the signed zone. This typically would manifest itself with very
  frequent outgoing IXFRs over a longer period of time.

  When upgrading from 1.4.10 (the 1.4.11 release was skipped) no
  migration steps are needed. For upgrading from earlier releases
  see the migration steps in the individual releases, most notably
  in 1.4.8.2. This version of OpenDNSSEC does however require a
  slightly less older minimal version of the library ldns.

Fixes:

 * OPENDNSSEC-808: Crash on query with empty query section
   (thanks Havard Eidnes).
 * SUPPORT-191: Regression, Must accept notify without SOA (thanks
   Christos Trochalakis).
 * OPENDNSSEC-845: memory leak occurring when responding to IXFR
   out when having had multiple updates.
 * OPENDNSSEC-805: Avoid full resign due to mismatch in backup file
   when upgrading from 1.4.8 or later.
 * OPENDNSSEC-828: parsing zone list could show data from next zone
   when zones iterated on single line.
 * OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other
   static code analysis cleanup
 * OPENDNSSEC-847: Broken DNS IN notifications when pkt answer
   section is empty.
 * OPENDNSSEC-838: Crash in signer after having removed a zone.
 * Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
 * Prevent responding to queries when not fully started yet.
2016-11-06 12:54:35 +00:00
he
f22a49c9f9 Add a couple of patches I have been using with opendnssec in our
installation:
 * Log the zone before triggering the "part->soamin" assert.
   We've seen this fire with older versions, but it's a while
   since I saw it happen.  This is to provide more debugging info
   should it fire.
 * If an .ixfr journal file is detected as "corrupted", rename it
   to <zone>.ixfr-bad instead of unlinking it, which would leave
   no trace of OpenDNSSEC's own wrongdoing.
 * If the signer is exposed, avoid a potential DoS vector with a
   crafted message.
Bump PKGREVISION.
2016-07-16 19:49:07 +00:00
he
2121e37c2f Update OpenDNSSEC to version 1.4.10.
News:

  This release fix targets stability issues which have had a history
  and had been hard to reproduce.  Stability should be improved,
  running OpenDNSSEC as a long term service.

  Changes in TTL in the input zone that seem not to be propagated,
  notifies to slaves under load that were not handled properly and
  could lead to assertions.  NSEC3PARAM that would appear duplicate
  in the resulting zone, and crashes in the signer daemon in seldom
  race conditions or re-opening due to a HSM reset.

  No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

  Also have a look at our OpenDNSSEC 2.0 beta release, its impending
  release will help us forward with new development and signal phasing
  out historic releases.

Fixes:

 * SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
   zone.  After a resalt the signer would fail to remove the old
   NSEC3PARAM RR until a manual resign or incoming transfer.  Old
   NSEC3PARAMS are removed when inserting a new record, even if
   they look the same.

 * OPENDNSSEC-725: Signer did not properly handle new update while
   still distributing notifies to slaves.  An AXFR disconnect looked
   not to be handled gracefully.

 * SUPPORT-171: Signer would sometimes hit an assertion using DNS
   output adapter when .ixfr was missing or corrupt but .backup file
   available.  Above two issues also in part addresses problems
   with seemingly corrected backup files (SOA serial).  Also a
   crash on badly configured DNS output adapters is averted.

 * The signer daemon will now refuse to start when failed to open
   a listen socket for DNS handling.

 * OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582
   SUPPORT-88: Segmentation fault in signer daemon when opening and
   closing hsm multiple times.  Also addresses other concurrency
   access by avoiding a common context to the HSM (a.k.a. NULL
   context).

 * OPENDNSSEC-798: Improper use of key handles across hsm reopen,
   causing keys not to be available after a re-open.

 * SUPPORT-186: IXFR disregards TTL changes, when only TTL of an
   RR is changed.  TTL changes should be treated like any other
   changes to records.  When OpenDNSSEC now overrides a TTL value,
   this is now reported in the log files.
2016-06-08 08:35:10 +00:00
ryoon
ac20a93574 Recursive revbump from textproc/icu 57.1 2016-04-11 19:01:33 +00:00
taca
f5610a07a0 Bump PKGREVISION by changing default version of Ruby. 2016-03-13 09:36:58 +00:00
jperkin
17661ff9a5 Bump PKGREVISION for security/openssl ABI bump. 2016-03-05 11:27:40 +00:00
he
55b2d5af2b Upgrade opendnssec to version 1.4.9.
Upstream changes:
News:
  The main motivations for this release are bug fixes related to use
  cases with large number of zones (more than 50 zones) in combination
  with an XFR based setup. Too many concurrent zone transfers cause
  new transfers to be held back. These excess transfers however were
  not properly scheduled for later.

  No migration steps needed when upgrading from OpenDNSSEC 1.4.8.

Bugfixes:
 * Add TCP waiting queue. Fix signer getting `stuck' when adding
   many zones at once. Thanks to Havard Eidnes for bringing this
   to our attention.
 * OPENDNSSEC-723: received SOA serial reported as on disk.
 * Fix potential locking issue on SOA serial.
 * Crash on shutdown. At all times join xfr and dns handler threads.
 * Make handling of notifies more consistent. Previous implementation
   would bounce between code paths.
2016-02-25 11:06:57 +00:00
he
3813419b9f Update OpenDNSSEC to version 1.4.8.2.
Pkgsrc changes:
 * Adapt patches to match new files.
 * Add new migration scripts to PLIST

Upstream changes:

News
 * Support for RFC5011 style KSK rollovers. KSK section in the KASP
   now accepts element.
 * Enforcer: New repository option allows to generate keys with
   CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped and
   extracted from HSM.

Bugfixes
 * SUPPORT-145: EOF handling on ARM architecture caused signer to hang.
 * Fixed signer hitting assertion on short reply XFR handler.
 * Include revoke bit in keytag calculation.
 * Increased stacksize on some systems (thanks Patrik Lundin!).
 * Stop ods-signerd on SIGINT.

Note:
 * Updating from earlier versions of OpenDNSSEC requires use of the
   database migration script(s) included in ${PKG}/share/opendnssec/
   as the migrate_1_4_8* scripts.
2015-11-16 10:09:08 +00:00
agc
5293710fb4 Add SHA512 digests for distfiles for security category
Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 01:17:40 +00:00
ryoon
b141232e29 Recursive revbump from textproc/icu 2015-10-10 01:57:50 +00:00
adam
9071d6b787 Revbump after updating textproc/icu 2015-04-06 08:17:13 +00:00
he
2bd675cb66 Update to version 1.4.7.
Changes:
 * The patch for SUPPORT-147 got integrated upstream.
 * Regenerate enforcer/utils/Makefile.in diff

Upstream changes:
 * SUPPORT-147: Zone updating via zone transfer can get stuck
 * Crash on 'retransfer' command when not using DNS adapters.
2014-12-04 15:58:21 +00:00
he
80c82f118e There's one more useless ntohl(), get rid of that as well.
Bump PKGREVISION.
2014-11-04 09:41:02 +00:00
he
0e26430931 Fix a bug related to restoring various data from .xfrd-state files:
there's no need to byte-swap values read from a local file.
This would cause some IXFRs to mysteriously and consistently fail
until manual intervention is done, because the wrong (byte-swapped)
SOA serial# was being stuffed into the IXFR requests.

Ref. https://issues.opendnssec.org/browse/SUPPORT-147.

Also fix the rc.d script to not insist that the components must be
running to allow "stop" to proceed, so that "restart" or "stop" can
be done if one or both of the processes have exited or crashed.

Bump PKGREVISION.
2014-10-31 16:32:39 +00:00
he
74b2581678 Add an rc.d script for NetBSD. 2014-10-28 13:26:37 +00:00
adam
243c29c4cc Revbump after updating libwebp and icu 2014-10-07 16:47:10 +00:00
pettai
e092a16ae0 OpenDNSSEC 1.4.6 - 2014-07-21
* Signer Engine: Print secondary server address when logging notify reply
  errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
  signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
  given an expression.

Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
  can't be written zone is still added to database, solved it by checking the
  zonelist.xml.backup is writable before adding zones, and add error message
  when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
  the first time due to RFC 1982 serial arithmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by add
  ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
  when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed
  from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.
2014-09-27 19:41:06 +00:00
pettai
9f73bc24c3 OpenDNSSEC 1.4.5
Bugfixes:
* OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key
  generation.
* OPENDNSSEC-609: ods-ksmutil: 'key list' command fails with error in 1.4.4
  on MySQL.
2014-06-09 10:18:12 +00:00
obache
d8fc20e0b0 recursive bump from icu shlib major bump. 2014-04-09 07:26:56 +00:00
pettai
9e047b710a OpenDNSSEC 1.4.4:
* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public
  key directly if SkipPublicKey is used [OPENDNSSEC-574].
* OPENDNSSEC-358: ods-ksmutil: Extend 'key list' command with options to filter
  on key type and state. This allows keys in the GENERATE and DEAD state to be
  output.
* OPENDNSSEC-457: ods-ksmutil: Add a check on the 'zone add' input/output
  type parameter to allow only File or DNS.
* OPENDNSSEC-549: Signer Engine: Put NSEC3 records on empty non-terminals
  derived from unsigned delegations (be compatible with servers that are
  incompatible with RFC 5155 errata 3441).
* Make/build: Include README.md in dist tar-ball.

Bugfixes:
* SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512].
* SUPPORT-97: Signer Engine: Fix after restart signer thinks zone has expired
  [OPENDNSSEC-526].
* SUPPORT-101: Signer Engine: Fix multiple zone transfer to single file bug
  [OPENDNSSEC-529].
* SUPPORT-102: Signer Engine: Fix statistics (count can be negative).
* SUPPORT-108: Signer Engine: Don't replace tabs in RRs with whitespace
  [OPENDNSSEC-520].
* SUPPORT-116: ods-ksmutil: 'key import' date validation fails on certain
  dates [OPENDNSSEC-553].
* SUPPORT-128: ods-ksmutil. Man page had incorrect formatting [OPENDNSSEC-576].
* SUPPORT-127: ods-signer: Fix manpage sections.
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
* OPENDNSSEC-531: ods-ksmutil: Exported value of <Parent><SOA><TTL> in
  'policy export' output could be wrong on MySQL.
* OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.
* OPENDNSSEC-544: Signer Engine: Fix assertion error that happens on an IXFR
  request with EDNS.
* OPENDNSSEC-546: enforcer & ods-ksmutil: Improve logging on key creation
  and allocation.
* OPENDNSSEC-560: Signer Engine: Don't crash when unsigned zone has no SOA.
* Signer Engine: Fix a race condition when stopping daemon.
2014-03-27 19:51:06 +00:00