11aaeb64d4
OpenDNSSEC version 2 is not a drop-in replacement for OpenDNSSEC version 1. See lib/opendnssec/README.md for migration instructions if you were previously using version 1. Upstream changes since OpenDNSSEC version 1.4.x: OpenDNSSEC 2.1.5 - 2019-11-05 * SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4. * SUPPORT-244: Don't require Host and Port to be specified in conf.xml when migrating with a MySQL-based enforcer database backend. * Allow for MySQL database to pre-exist when performing a migration, and be a bit more verbose during migration. * New -f argument to ods-enforcer key list to show the full list of key states, similar to combinining -d and -v. * Fix AllowExtraction tag in configuration file definition (thanks to raixie1A). * SUPPORT-242: Skip over EDNS cookie option (thanks to Håvard Eidne and Ulrich-Lorenz Schlueter). * SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction with CLI commands. * Correct some error messages (thanks to Jonas Berlin). OpenDNSSEC 2.1.4 - 2019-05-16 * SUPPORT-229: Missing signatures for key new while signatures for old key still present under certain kasp policies, leading to bogus zones. Root cause for bug existed but made prominent since 2.1.3 release. * OPENDNSSEC-942: time leap command for signer for debugging purposes only, not to be used on actual deployments. * OPENDNSSEC-943: support build on MacOS with missing pthread barriers * SUPPORT-229: fixed for too early retivement of signatures upon double rrsig key roll signing strategy. * Strip build directory from doxygen docs * remove bashisms from ods-kasp2html.in * upgrade developer build scripts to softhsm-2.5.0 update some platform dependent files (only for developers). * The ods-signer and ods-signerd man page should be in section 8 not 22 Note that this might mean that package managers should remove the older man pages from the old location. OpenDNSSEC 2.1.3 - 2017-08-10 * OPENDNSSEC-508: Tag <RolloverNotification> was not functioning correctly * OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in conf.xml * OPENDNSSEC-906: Tag <AllowExtraction> tag included from late 1.4 development * OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer. * OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures. * OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge time to be skipped. * OPENDNSSEC-904 / SUPPORT-216 autoconfigure fails to properly identify functions in ssl library on certain distributions causing tsig unknown algorithm hmac-sha256 * OPENDNSSEC-908: Warn when TTL exceeds KASP's MaxZoneTTL instead of capping. OpenDNSSEC 2.1.1 - 2017-04-28 * OPENDNSSEC-882: Signerd exit code always non-zero. * OPENDNSSEC-889: MySQL migration script didn't work for all database and MySQL versions. * OPENDNSSEC-887: Segfault on extraneous <Interval> tag. * OPENDNSSEC-880: Command line parsing for import key command failed. * OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for same rrset are mismatching. OpenDNSSEC 2.1.0 - 2017-02-22 * If listening port for signer is not set in conf file, the default value "15354" is used. * Enforce and signconf tasks are now scheduled individually per zone. Resign per policy. * OPENDNSSEC-450: Implement support for ECDSA P-256, P-384, GOST. Notice: SoftHSMv1 only supports RSA. SoftHSMv2 can be compiled with support for these. * zone delete removes tasks associated with zone from queue. * Show help for ods-enforcer-db-setup * OPENDNSSEC-778: Double NSEC3PARAM record after resalt. * In the kasp file, KSK/ZSK section, the algorithm length MUST be set now. * signer clear <zone> would assert when signconf wasn't read yet. * The <Interval> tag had been deprecated, and is now no longer allowed to be specified in the conf.xml for the Enforcer. * OPENDNSSEC-864: ods-signer didn't print help. Also --version and --socket options where not processed. * OPENDNSSEC-869: ds-seen command did not give error on badly formatted keytag. * OPENDNSSEC-681: After fork() allow child process to pass error messages to parent so they can be printed to the console in case of failed start. * OPENDNSSEC-849: Crash on free of part of IXFR structure. * OPENDNSSEC-759: Reduce HSM access during ods-signerd start. Daemon should start quicker and earlier available for user input. * OPENDNSSEC-479: Transferring zones and sending notifies through a bound socket , using the same interface as listener. * Key cache is now shared between threads. * OPENDNSSEC-858: Don't print "completed in x seconds" to stderr for enforcer commands. * Various memory leaks * OPENDNSSEC-601: signer and enforcer working dir would not properly fallback to default when not specified. * OPENDNSSEC-503: Speed up initial signing and algorithm rollover. * A bash autocompletion script is included in contrib for ods-enforcer and ods-signer. * SUPPORT-208: Strip comment from key export. * OPENDNSSEC-552: On key export don't print SHA1 DS by default. (introduced --sha1 option to key export.) Usage of sha1 is deprecated and will be removed from future versions of OpenDNSSEC. OpenDNSSEC 2.0.1 - 2016-07-21 * Fixed crash and linking issue in ods-migrate. * Fixed case where 2.0.0 could not read backup files from 1.4.10. * Fixed bug in migration script where key state wasn't transformed properly. OpenDNSSEC 2.0.0-1 * include db creation scripts in dist tarball needed for migration from 1.4. OpenDNSSEC 2.0.0 - 2016-07-07 * OpenDNSSEC-99: Skip "are you sure" messages. Add --force and -f flag to ods-enforcer-db-setup and hsmutil purge * OPENDNSSEC-808: Crash on query with empty query section (thanks Havard Eidnes) * OpenDNSSEC-771: Signer. Do not log warning on deleting a missing NSEC3PARAM RR. * OPENDNSSEC-801: Set AA flag on outgoing AXFR. * SUPPORT-191: Regression, Must accept notify without SOA (thanks Christos Trochalakis) OpenDNSSEC 2.0b1 - 2016-04-14 First public release of OpenDNSSEC. Initial pre-releases have been made to a smaller audience, this pre-release is explicitly made available to all. At this moment, there are no known functional bugs. There are naturally issues, especially to make working with OpenDNSSEC easier, however none should prevent you to use OpenDNSSEC in production for the average case, even though this is a pre-release. Which is because of the still limited documentation, and is not being run in production yet. * The enforcer can no longer be run on a single policy at a time anymore. An enforce run will always process all zones. * The key generate method is at this time not available. * The key export method will not allow you to export keys for all zones at once (--all flag) or for a particular type of key (--keystate). It will not export ZSK keys. * The zonelist.xml in etc/opendnssec is no longer updated automatically, and by default works as if the --no-xml flag was specified. Use --xml to the zone add command to update the zonelist.xml. If updating the zonelist fails, the zone will still be added and not updated in the xml with future zone adds. * Plugins directory renamed to contrib. * Default signer working directory renamed from tmp to signer. * Configure option --with-database-backend renamed --with-enforcer-database * Zones on a manual rollover policy will not get a key assigned to them immediately. OpenDNSSEC 2.0.0a5 Project transfer to NLnetLabs, performing code drop as-is for evaluation purposes only. OpenDNSSEC 2.0.0a4 (EnforcerNG branch) * SUPPORT-72: Improve logging when failed to increment serial in case of key rollover and serial value "keep" [OPENDNSSEC-461]. * SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-573]. * OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts the enforcer to run once and only process the specified policy and associated zones. * OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml. Default value remains PT0S. * OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen' command so the user can choose not to notify the enforcer. * OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - Zone add command could warn if a specified zone file or adapter file does not exits. * OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input> and <output> values for DNS adapters. * OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import' to check if there is a matching key in the repository before import. * OPENDNSSEC-281: Enforcer NG: Commandhandler sometimes unresponsive. * OPENDNSSEC-276, Enforcer NG: HSM initialized after fork(). * OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default TTL again, to prevent bad caching effects on resolvers. * OPENDNSSEC-428: Add option for 'ods-ksmutil key generate' to take number of zones as a parameter * OPENDNSSEC-515: Signer Engine: Don't replace tabs in RR with whitespace. Bugfixes: * OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature cleanup. * OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly. * OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back to AXFR. * OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use inbound serial. OpenDNSSEC 2.0.0a3 (EnforcerNG branch) - 2012-06-18 Bugfixes: * SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write error [OPENDNSSEC-427]. * SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection error during signing [OPENDNSSEC-444]. * OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg fault when run directly on command line (i.e. not via interactive mode) * OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create too many keys if there are keys already available and the KSK and ZSK use same algorithm and length * OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead of memory. Makes response non-blocking. * OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes to stdout not stderr * OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create too many keys for <SharedKeys/> policies when KSK and ZSK use same algorithm and length * OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling * Signer Engine: Improved Inbound XFR checking. * Signer Engine: Fix double free corruption in case of adding zone with DNS Outbound Adapters and NotifyCommand enabled. * Enforcer: Limit number of pregenerated keys when using <SharedKeys>. * Enforcer: MySQL database backend implemented. * Enforcer: New directive <MaxZoneTTL> to make safe assumptions about zonefile. * Enforcer: New zone add command, allow specifying adapters. * Enforcer: New zone del command, use --force for still signed zones. * Enforcer: Pre-generate keys on the HSM. * Enforcer: SQLite database backend implemented. * OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change. Bugfixes: * OPENDNSSEC-481: libhsm: Fix an off-by-one length check error. * OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
10 lines
448 B
Text
10 lines
448 B
Text
===========================================================================
|
|
$NetBSD: MESSAGE,v 1.1 2019/11/06 13:44:38 he Exp $
|
|
|
|
For latest information about configuring OpenDNSSEC, see:
|
|
https://wiki.opendnssec.org/display/DOCS20
|
|
|
|
If you are upgrading OpenDNSSEC from release 1.4, please see
|
|
at the included lib/opendnssec/README.md file and the files in that directory.
|
|
|
|
===========================================================================
|