Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
- New Features:
- donuts: - Added the ability to summarize information
about a zone in the output, such as the upcoming
entire zone expiry time, etc
- Added the ability to query live zones for
records to analyze. EG:
donuts live:good-a,badsign-a test.dnssec-tools.org
- Added a -V switch to dump records analyzed
- libval: - Add support for conditionally checking all RRSIGs
on an assertion even if one that validates is
already found.
- Look for zonecuts based on NS records, not SOA
- Added initial support for TSIG in order to enable
libval to query recursive name servers that
authorized recursive lookup for only those hosts
that used a particular TSIG key.
- Validator.pm - Store respondent name server information in result
structure.
- Owl - additional sensor modules
- additional data analysis on manager
- logging to the Owl sensors modules
- optimized sensor data organization
(requires software upgrades on both sensor and
manager at the same time)
- added -restart option to owl-sensord for
restarting sensor modules
- improvements to the installation guide
- rollerd - generalized zonegroup entry in rollecs to be lists of tags
- rndc option support added
- dnssec-check - Ported to Qt5
- dnssec-nodes - Ported to Qt5
- lookup - Ported to Qt5
- dnssec-system-tray
- Ported to Qt5
- Bug Fixes
- Fixed bugs in libval, rollerd, blinkenlights, Owl
sensor modules, and Owl manager
- Use rlimits to try and limit file descriptor use in
libsres so we don't run out of available sockets.
- Eliminate a few hardcoded paths in various perl modules
- Fix various compiler warnings
- Update autoconf and related files
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
- New Features
- OWL - The Owl Monitoring System uses timed DNS queries
to monitor basic network functionality. The system
consists of a manager host and a set of sensor hosts.
The Owl sensors perform periodic DNS queries and
report to the Owl manager the time taken for each
query. Over time, this shows the responsiveness of
the DNS infrastructure.
- dnssec-nodes - Many new features have been added:
- The validation tree now supports clicking on
boxes to highlight it and the arrows that derive
from it. Great for use when teaching about
DNSSEC.
- An extensive filter/effect editor now lets you
tailor the look of a graph to color-code, set
the alpha levels, etc of nodes based on their
names, status, data types, etc.
- Right clicking on a node lets you center the
graph on that node.
- More data types are collected and shown in the
data view.
- Support for arguments on the command line for
parsing log files, pcap files and domain names.
- The validation view has received a visual clean-up
- Many other bug fixes
- Bloodhound: - A mozilla-based DNSSEC-enabled browser with DANE support
- Added support for validation of SSL certificates
using the DANE protocol.
- curl - Added support for validation of SSL certificates
using the DANE protocol.
- libval - Added support for local DANE validation
- Extended the dt-danechk commandline tool to check
the X509 cert provided over the SSL connection
against the TLSA record.
- Optimized glue record lookup when the only ip
addresses configured for the host are for a single
address family (ipv4 or ipv6)
- fine tune res_io source management
- dnssec-check - dnssec-check now checks DNAME support
- rollerd - A new set of steps for KSK rollover has been
implemented. A cache-expiration wait phase has
been moved after the publication of DS records in
order to allow name caches to reflect the changes.
In addition to rollerd, supporting program have
been modified to recognize this change.
- rollrec files - A new "information rollrec" has been added to the
rollrec files. This will allow infomration to be
specified for the collection of rollrecs. At this
time, the only information stored in this rollrec
is the version number of the rollrec file.
In addition to the rollrec.pm Perl module, programs
which use this module have been modified to recognize
this change.
If you use the rollrec.pm module, you should test
to see if your code is affected. The modifications
for the info rollrec have been made to minimize
affected programs. If you parse the rollrec files
yourself, you will have to account for this change.
- multiple - The perl-based tools can now use either the
ZoneFile::Fast or the Net::DNS zone file parser,
thanks to a patch from Sebastian Schmidt (yath@yath.de).
- ZoneFile:Fast - Support for TLSA
- Made it compatible with newer Net::DNS releases
- Qt5 - A patch to support DNSSEC checks in Qt5 DNS lookups
- Bug Fixes
- zonesigner - Fixed SOA parsing and serial number update issues
- libval - Properly initialize memory in sockaddr structures
before use.
- New Features
- dnssec-nodes - Many new features, including validation tree
graphing, on-the-wire traffic display, pcap dump
file display, increased data logging and
display, improved simultaneous updating, etc.
- Libval: - Added initial support for the TLSA rrtype
- Added support for ECDSA
- Implemented checking for AI_ADDRCONFIG in getaddrinfo
- Memory optimizations to improve speed-up
- dnssec-check - increased stability across all platforms.
- All Around: - Many bug fixes and other minor improvements
1.13
- New Features
- rollerd: - Added support for the signzone command. Allow
zones to be signed while in the midst of a
rollover wait.
- Added autosigning of modified zone files. Zone
files are considered modified when their "last
modification" timestamp is more recent than that
of the associated signed zone file. This
functionality includes adding the -autosign option
and config field.
- Added additional commands (via rollctl) to allow
greater control over zone rollover actions.
- Added -zsargs option to allow global options to
be passed to zonesigner.
- realms: - Added the realms feature to manage multiple
simultaneous rollover environments. Several
commands and modules (e.g., dtrealms, realms.pm,
buildrealms) were added for the realms feature.
- zonesigner: - Added the -threshold option to specify a signing
threshold.
- Better handling of serial numbers in zone files.
- keymod: - New tool that can be used to modify key
generation parameters in a keyrec file.
- dnssec-check - significant rewrite since the 1.12 release, though
individual updates have been available already.
- Asynchronous support for non-interrupting GUI support
- Letter grades assigned to each resolver
- Various user-interface improvements
- libval: - Bug fixes
- Renamed all validator command-line apps to have
a dt- prefix in order to avoid conflicts with
pre-existing executables in certain platforms.
- dnsval python module
- Add python wrapper module for the validator
library. Code contributed by Bob Novas.
- trustman: - Added an option for use by monitoring systems.
- nagios - Added the dt_donuts plugin for running trustman on
remote machines.
- Added the dt_trustman plugin for monitoring trust
anchors.
- firefox - updated nspr and firefox patches to work with
mozilla-central and nspr-4.9
- webmin: - Added the ability to perform DNSSEC
operations on DNSSEC-Tools managed signed
zones using the Webmin front-end.
- ssh: - Update the patch for enabling local DNSSEC
validation to work with OpenSSH 6.0p1.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
- Bux fix release
- Rollerd's -alwayssign flag logic had a critical error that could
have caused a zone to be signed with the wrong ZSK at particular
points of the ZSK key rolling process.
- Minor bug fix release
- Fix perl Validator module so it compiles after a header move
- Make all OSes use the new dnssec-check gui as they should have
1.12 (1/26/12)
- New Features:
- libval: - Made improvements to support IPv6,
added the ability to fetch IPv6 glue
- Fixed the EDNS0 fallback behavior.
- Tidied up the locking semantics in libval.
- Added support for hard-coding validator configuration
information that gets used in the absence of other
configuration data. This feature allows the
validator library to be self-contained in
environments where setting up configuration data at
specific locations in the file system is not always
feasible.
- The library has been ported to the Android OS
- rollerd: - Added support for phase-specific commands. This allows
the zone operator to customize processing of the rollerd
utility during different rollerd phases.
- Added support for zone groups. This allows a collection
of zones to be controlled as a group, rather each of
those zones individually.
- Improved the manner in which rollerd indexes the zones
being managed, with the significantly decreased access
times for rollerd's data files. This results in rollerd
being able to support a lot more zones with a single
rollerd instance.
- rollctl and the rollover GUI programs may have new
commands to allow for immediate termination of rollerd.
- apps - Added patch to enable local validation in NTP, with
the ability to handle a specific chicken and egg problem
related to the interdependency between DNSSEC and an
accurate system clock.
- Added a patch to enable DNSSEC validation in Qt
based applications
- dnssec-check - Completely rewritten GUI with many new features
- Now contains the ability to submit the results
to a central DNSSEC-Tools repository. The
results will be analyzed and published on a
regular basis. Please help us get started by
running dnssec-check on your networks! Note
that it explains that it only sends hashed IP
addresses to our servers and the reports
generated will be aggregation summaries of the
data collected.
- It now runs on both Android and Harmattan (N9) devices
- maketestzone - Now produces zones with wildcards and changes to
NSEC record signatures
- dnssec-nodes - parses unbound log files
- Initial work porting to Android
- dnssec-system-tray
- parses unbound log files
1.11 (9/30/11)
- New Features:
- libval: - Significant improvements and bug fixes to the
asynchronous support.
- Added asynchronous version of val_getaddr_info.
- Some reworking of the asynchronous API and callbacks.
Note the asynchronous api is still under development and
subject to changes that break backwards compatibility.
- rollerd: - Added an experimental time-based method for queuing
rollover operations. This original method (full list
of all zones) is the default queuing method, but the
new method can be used by editing the rollerd script.
rollctl and rollrec.pm were also modified to support
this change.
- Added support for merging a set of rollrec files.
rollctl and rollrec.pm were also modified to support
this change.
- dnssec-nodes - This graphical DNS debugging utility was greatly enhanced
- Now parses both bind and libval log files
- Multiple log files can be watched
- Node's represent multiple data sets
internally, which are independently displayed
and tracked.
- Added support for searching for and
highlighting DNS data and DNSSEC status
results
- dnssec-system-tray
- This utility can now report on BOGUS responses
detected in both libval and bind log files.
- Summary window revamped to group similar
messages together.
Plus many more minor features and bug fixes
* use perl5/module.mk and its stuff for perl module build
* using packlist, so PLIST entries for perl modules are not required.
* PKG_SYSCONFSUBDIR is handled automatically, no need to be in PLIST.
* fix substitute handling with USE_DESTDIR=yes.
Bump PKGREVISION.
- New Features:
- New Apps: (see the validator/apps directory for details)
- dnssec-check: check dnssec support from your ISP
- dnssec-nodes: graphically displays a DNS
hierarchy, color coded by each node's DNSSEC status
- dnssec-system-tray: displays pop-up
notifications when a libval-enabled application
triggers a DNSSEC error
- lookup: a graphical DNS lookup utility that
displays the results in a hierarchical tree and
color codes the window according to DNSSEC status
- libval: - Added support for building on Windows.
- added support for falling back to recursion when
the caching name server does not appear to
support DNSSEC. This also works as a mechanism
to work around poisoned or misbehaving cache.
- Significant improvements to the the asynchronous support.
- lsdnssec: - Improvements to lsdnssec to display different
output depending on whether a zone is a
stand-alone zone or under control of rollerd.
- nagios: - Plugins for the nagios monitoring system which
enable monitoring of zone rollerover states.
- firefox: - Improved patches that work with the most recent firefox
Plus many more minor features and bug fixes
1.9:
- New Features:
- lsdnssec: - Added a new flag (-p) to show only zones in a
particular rollerd phase.
- fixed bugs to align timing output with rollerd.
- rollerd: - Added a -logtz flag for logging timezones
- fixed bugs related to the -alwayssign flag.
- zonesigner's path is taken from the config file.
- rollctl: - Added -rollall and -rollzone options.
- zonesigner: - Assumes keys need to be generated for new zones
(Assumes -genkeys option was given if a keyrec file
can't be found.)
- Exits with unique exit codes if a failure occurs.
("zonesigner -xc CODE" can lookup a description for it.")
- Added the -phase option so rollover options could be
more easily specified.
- lights: - A simple GUI to check the status of rollover states
- blinkenlights:- Added hide/show commands for rollrec names and zone
names, for split-zone support
- cleankrf: - Fixed deletion of obsolete set keyrecs.
- GUI commands: - Fixed how the Exit command works so they don't coredump.
- libsres
& libval: - New beta support for issuing asynchronous requests.
This can speed up queries by up to 4 times if used.
(see example code in validator/apps/validator_selftest.c)
- NSEC3, DLV and IPv6 are enabled by default.
- improved logging and logging-callback support.
- drawvalmap - Can output PNG files now
- Packaging:
- Our download page now allows you to download
the C validator libraries independently of the
full DNNSEC-Tools tool-suite.
- Many bugs were also fixed in the 240+ changes.
- New Features:
- zonesigner, rollerd
- Made changes so that these tools are more compatible
with recent versions of Bind
- The zone_errors configuration parameter allows a zone-
specific maximum to be set. Once exceeded, that zone
will be skipped rather than allowing rollover to continue.
- blinkenlights
- Recognizes when rollerd abruptly quits, so error messages
aren't spewed interminably.
- ZonFile::Fast - Fixed parsing of DS records containing spaces and
parsing of mname and rname SOA fields
- Added support for parsing KEY records
- keyrec.pm - Made changes to properly lock keyrec files before
writing to them.
- Begun process of deprecating keyrec_open().
- mapper: - added a new option: --node-size for mapping
complex zones.
- dnspktflow: - added two new options:
--layout-style for selecting the layout style to use
--node-size for mapping complex zones.
- Add new (default) option to cluster
authoritative nodes together to help better
understand the relationships between traffic
patterns and authoritative name server/zone arrangement.
- libval: - Now distributed with the Root TA.
- Added stricter checks for openssl SHA-256 support in
configure.
- Added several improvements that allow the validator to
lookup information within provably insecure zones that
do not handle EDNS0 requests nicely. This includes
adding support for turning off EDNS0 when traversing a
name hierarchy that leads to a provably insecure zone,
EDNS0 fallback support, and additional checks to check
the sanity of response data.
- Fixed certain bugs in CNAME handling and in the
validation of proofs accompanying wildcard responses,
referrals and alias chains.
- Fixed support for RSADSA and RSASHA-512 signature
validation.
- Mac OSX: - Added a Ports file for mac ports
- updated the fink build spec
- many other miscellaneous bug fixes and improvements.
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
