All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
**** 1.17 Jun 26, 2020
Recognise BIND private key accessed via symbolic link.
**** 1.16 May 11, 2020
Improve testing of verify() functions.
Rework code in Digest.pm
SEC.xs code reduction.
**** 1.15 February 3, 2020
Provide access to OpenSSL message digest implementations.
**** 1.14 October 14, 2019
Improve exception capture in test scripts.
Support more efficient algorithm mapping in Net::DNS.
**** 1.13 May 6, 2019
Tweaks to resolve compilation errors with BoringSSL.
There is no chance that line 1 contains an include argument, after being
sent through REPLACE_PERL. And even then, including a relative path would
not make sense.
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Upstream changes:
**** 1.12 Mar 19, 2019
Avoid use of EC_POINT_set_affine_coordinates_GFp which is
deprecated in OpenSSL 3.0.0
Reduce level of support for OpenSSL non-LTS releases.
Upstream changes:
**** 1.09 Jun 4, 2018
Avoid use of EC_GROUP_new, EC_GROUP_set_curve_GFp, and
EC_GFp_mont_method which are expected to disappear.
Fix filename conflict when tests run in parallel using make -j
**** 1.08 May 11, 2018
Internal reorganisation to use OpenSSL EVP interface
**** 1.05 March 20, Tuesday
Feature
Support added for Ed25519 and Ed448 algorithms
Fix: rt.cpan.org #124650
Net::DNS::SEC::Private must not die if attribute is not present
**** 1.04 February 15, 2018
Feature
Cryptographic library access re-engineered using PerlXS
directly instead of CPAN Crypt::OpenSSL::(DSA|EDSA|RSA)
distributions which have fallen into disrepair.
- Drop patch-Makefile.PL, see below at 1.01 Feature item.
(Upsteam)
- Updated devel/p5-Net-DNS-SEC 0.22 to 1.02
-----------------------------------------
**** 1.02 September 16, 2015
Fix: Bug in t/10-keyset.t raises exception in Net::DNS
**** 1.01 August 3, 2015
Feature
The RRs previously implemented in Net::DNS::SEC are now
integrated with Net::DNS.
Fix: rt.cpan.org #105808
Version test for Pod::Test is broken
Fix: rt.cpan.org #105698
Net-DNS 1.01 conflicts with Net-DNS-SEC 0.22
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
{perl>=5.16.6,p5-ExtUtils-ParseXS>=3.15}:../../devel/p5-ExtUtils-ParseXS
since pkgsrc enforces the newest perl version anyway, so they
should always pick perl, but sometimes (pkg_add) don't due to the
design of the {,} syntax.
No effective change for the above reason.
Ok joerg
**** 0.22 February 11, 2015
Fix: rt.cpan.org #101184
make siginception and sigexpiration available as time() values
Fix: rt.cpan.org #101183
wrong URL for blog in README
Fix: rt.cpan.org #83031
[RRSIG] lack of ECDSA support
***0.21 October 24, 2014
Fix: rt.cpan.org #99250
[RRSIG] validation fails when Signer's Name is upper case
Fix: rt.cpan.org #99106
Premature end of base64 data (in 14-misc.t test script)
***0.20 August 15, 2014
Fix: rt.cpan.org #97457
!hex! error when parsing NSEC3 with empty salt
***0.19 Jun 6, 2014
Remove inappropriate deprecation warning in DNSKEY.pm
***0.18 May 8, 2014
Recode RR implementations to provide Net::DNS 0.69+ interface.
Fix: rt.cpan.org #95034
Failure to parse NSEC3PARAM record with null salt
Fix: rt.cpan.org #81289
Failure to handle GOST DS records
***0.17 November 29, 2013
Fix: rt.cpan.org #90270
NSEC3->covered() should use case-insensitive comparisons
Fix: rt.cpan.org #79606
Lower case zone-name part with DNSKEY::privatename
Allow to specify algorithms with ::Private->new_rsa_private and
::Private->generate_rsa instead of assuming RSASHA1.
Fix: rt.cpan.org #55621
Specify license type (mit) in META.yml
Fix: rt.cpan.org #60269
Remove Digest::SHA1 prerequirement
Fix: rt.cpan.org #62387 & #63273
Typo fixes
Fix: rt.cpan.org #62386
Make Net::DNS::RR::DS::digtype method work
Fix: rt.cpan.org #62385
Do not compress Next Domain Name in NSEC rdata.
Fix: rt.cpan.org #61104
Spelling correction in DS.pm and fix of key2ds demo program
Fix: rt.cpan.org #60185
Make sure %main::SIG hash keeps its values when compiling Net::DNS::RR::SIG
in perl versions before 5.14. See also: rt.perl.org #76138
Fix: rt.cpan.org #64552 and rt.cpan.org #79606
Support for private-key-format v1.3
Fix: rt.cpan.org #75892
Do not canonicalize the "Next Domain Name" rdata field of a NSEC RR
for draft-ietf-dnsext-dnssec-bis-updates-17 compliance.
BUG FIX/FEATURE: validation of wildcard RRs now available. Duane
Wessels is acknowledged for submitting the initial code on which
this fix is based.
FIX: case sensitivity of ownername during DS generation
(Acknowledgements Jens Wagner)
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
pkgsrc changes:
- Adjust dependencies
- Add license definition
Upstream changes:
***0.16 March 12, 2010
Feature: KEY inherits DNSKEY
This helps maintenance in one part of the code.
Feature: keylength methode rt.cpan.org #53468
Added keylength method for RSA and DSA
Acknowledgements Hugo Salgado
Fix: rt.cpan.org #51778
Empty bitmap would cause error about undefined ARRAY in NSEC/NSEC3.
Now the code will allow empty bitmaps gracefully
Feature: New Algorithm Support (rt.cpan.org #51092)
SHA2 algorithm support, including NSEC3 algorithm parameters updated
Acknowledgement Jakob Shlyter
Fix: rt.cpan.org #42089
NSEC3 Algorithm support in NSEC3 broken
patch by Wes Hardaker
- Updating package for p5 module Net::DNS::SEC from 0.14nb1 to 0.15
- Adjusting / reordering dependencies according to META.yml
Upstream changes:
***0.15 December 31, 2008
Fix: digestbin not set when an empty value passed to hash.
Feature: Added DLV (rfcc 4431). The RR object is simply a clone of
the DS RR and inherits ... everything
Feature: Added NSEC3 and NSEC3PARAM support (RFC5155).
This adds Mime::Base32 to the module dependency list.
The RR type was still experimental at that time and is maintained
in Net::DNS::RR.
Fix: Test script recognizes change in Time::Local. Note that
Time::Local does not deal with dates beyond 03:14:07 UTC on
Tuesday, 19 January 2038. Therefore this code has a year 2038
problem.
Fix: DS create_from_hash now produces objects that can create
wireformat.
Other: minor changes to the debug statements
added t/05-rr.t (and identified a couple of bugs using it)
Fix: a few inconsistencies with respect to parsing of trailing dots.
During development the test signatures generated with the BIND tools
were re-generated in order to troubleshoot a bug that (most
probably) was caused by a version incompatibility between Net::DNS
and Net::DNS::SEC. Before release the original test from the 0.14
release were ran against this version too.
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
Pkgsrc changes:
- Added support for installation to DESTDIR.
- p5-Digest-SHA is a new requirement.
Changes since version 0.12:
===========================
0.14 February 14, 2005
FIX: The introducion of the keytag warning triggered a bug with RSAMD5
keys, causing RSAMD5 keys not to be loaded.
0.13 December 9, 2005
FEAT: rt.cpan.org 14588
Added support for passing (a reference to) an array of keys to the
RRSIG verify function.
FIX/FEAT:
The Net::DNS::SEC::Private function will for RSA based keys verify if
the keytag in the filename is actually correct.
Since at parsing the value of the DNSKEY RR flags is not known we
test against the currently defined flag values 256 and 257.
If we cannot find a keytag match a warning is printed and Private
key generation fails
This inconsistency was spotted by Jakob Shlyter.
FEAT: Added support for SHA256 to the DS RR. Assigned the expected
digest type2 for SHA256 type hashes.
Note that this makes the Net::DNS::SEC depend on Digest::SHA instead
of Digest::SHA1.
The default digest type is still set to 1.
NB. The code makes assumptions about the IANA assignment of the
digest type. The assignment may change. Do not use SHA256 in
production zones!!
FIX: rt.cpan.org #15662
Roy Arends noticed and patched the label counting did not ignore
an initial asterisk label.
FIX: Wes Hardaker noticed the default TTL values for created signatures to
be different from the TTLs from the data that is being signed.
FIX: Wes Hardaker reported there was a problem with validating
RRsets that had ownernames with capitals.
The fix depends on a fix in Net::DNS::RR that is available in
version 0.53_03 or later of the Net::DNS distribution.
FEAT: Propper dealing with mnemonics for algorithm and digest type
added to DS
FIX/FEAT: Mnemonics were written as RSA/MD5 and RSA/SHA1. This has been
corrected tp RSASHA1 and RSAMD5, as in the IANA registry.
0.12_02 June 6, 2005 (beta 2 release for 0.13)
Bug: new_from_hash would not correctly create the RR since internally
typebm is used to store the data this has been fixed so that
the following works
Net::DNS::RR->new(name=>$name,
ttl=>$ttl,
type=>"NSEC",
nxtdname=>$nxtdname,
typelist=>join(" ",@types)
);
FEAT: Introduced the "use bytes" pragma to force character interpretation
of all the scalars. Any utf processing by perl makes the code behave
unpredictable.
0.12_01 April 18, 2005. (beta release for version 0.13)
FEAT (!!!): Changed the symantics of the Net::DNS::Keyset::verify method.
Read the perldoc for details. The requirement that each key in a
keyset has to be selfsigned has been loosened.
FEAT: Added a "carp" to the new methods of the NXT RR. Warning that
that record is depricated.
FEAT: Cleaned the tests so that RRSIG and DNSKEY are used except for
SIG0 based tests.
FEAT: Changed the name of the siginceptation[SIC] to siginception.
Thanks Jakob Schlyter for notifying me of this mistyping.
An alias for the method remains available.
FEAT: Renamed unset_sep() to clear_sep().
NOTE: To avoid confusion the Net::DNS::SIG::Private class has been
removed. Use Net::DNS::SEC::Private!
DOC: Added references to RFC 4033, RFC 4034 and RFC 4035. Rewrote parts
of the perlpod.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
OWN_DIRS was incorrectly used (did not work when PKG_CONFIG=no).
INSTALLATION_DIRS creates the directories now and the PLIST removes them.
Needs at least net/p5-Net-DNS 0.44 (see changes below).
--
Changes since 0.11
==================
FEAT: Added utility function key_difference() to Net::DNS::SEC. See
perlpod for details. I needed this in other software and
figured they are generic enough to make them available
through this module.
FEAT: Modified some functions to use DNSKEY and RRSIG instead off
KEY and SIG.
- Net::DNS::Keyset now uses DNSKEY and RRSIG.
- the demo function getkeyset.pl now uses DNSKEY too.
FEAT: Added the possibility to create a keyset out of two arrays of
dnskey and rrsig object.
FEAT: Added some helperfunctions to Net::DNS::SEC::Private to read X509
formated private keys and dump them into bind format.
This functionality has not been tested well.
BUG : When reading a RRSIG from a packet the signame would not have
a trailing dot.
FEAT: Removed critical dependency on bubblebabble. It is available to
DS if installed but not critically dependend.
BUG: - Fixed minor in signing unknown RR types.
FEAT: - Prelimanary support for draf-ietf-dnssec-nsec-rdata-02. This
depends on support for unknown RR types (Net::DNS version
0.44)
FEAT: - To be able to deal with argument supplied as either mnemonics or
by value the Net::DNS::SEC::argument method was created. It can
be used as a class method but it is also inherited by
Net::DNS::RR::RRSIG and Net::DNS::RR::DNSKEY.