Changelog for opendnssec-2.1.3-2.50.x86_64.rpm :

* Fri Jun 28 2013 johann.luceAATTwanadoo.fr
- Update in 1.4.1
Updates:
- SUPPORT-58: Extend ods-signer sign with --serial so that the user can specify the SOA serial to use in the signed zone [OPENDNSSEC-401].
- OPENDNSSEC-91: Make the keytype flag required when rolling keys
Bugfixes:
- SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound serial [OPENDNSSEC-420].
- OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change.
- OPENDNSSEC-421: Signer Engine: Fix assertion error in case NSEC3 hash algorithm in signconf is not SHA1.
- OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm in kasp is valid.
- Bugfix: The time when inbound serial is acquired was reset invalidly, could cause OpenDNSSEC wanting AXFR responses while requesting IXFR (thanks Stuart Lau).
- Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet (thanks Stuart Lau).
- OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option
* Wed Apr 24 2013 johann.luceAATTwanadoo.fr
- Update in 1.4.0
Updates since 1.4.0rc3:
- Production release of 1.4
- Versioning scheme and release support policies updated
- Summary of changes in 1.4 vs 1.3 can be found on the wiki: New in OpenDNSSEC 1.4
* 1.4.0rc3
Updates:
- OPENDNSSEC-387: Rollback of multi-threaded enforcer. Due to key allocation issues the usefulness of the threaded enforcer is outweighed by the code complications. The option still remains in conf.xml for compatibility with existing use; but it will now be silently ignored.
Bugfixes:
- OPENDNSSEC-388: Signer Engine: Internal serial should take into account the inbound serial.
- SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates NSEC3PARAM and DNSKEY RRset [OPENDNSSEC-389]
- OPENDNSSEC-389: Input DNS Adapter incorrectly updating NSEC3PARAM and DNSKEY RRsets
* 1.4.0rc2
Updates:
- OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for reading.
- OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly)
Bugfixes:
- SUPPORT-44: Signer Engine: Drop privileges after binding to socket [OPENDNSSEC-364].
- Signer Engine: XFR not ready should not be a fatal status for task read (thanks Ville Mattila).
- OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.
* Tue Jan 15 2013 johann.luceAATTwanadoo.fr
- Update in 1.4.0rc1
- OPENDNSSEC-359: Remove eppclient
* Thu Sep 27 2012 johann.luceAATTwanadoo.fr
- Update in 1.4.0b2
Updates:
- OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be entered using “ods-hsmutil login” and is stored in shared memory. The daemons will not start until this has been done by the user.
- OPENDNSSEC-297: Enforcer: Multi-threaded option available for the enforcer to improve performance (MySQL only).
- OPENDNSSEC-320: Signer Engine: The , , and elements are now optional, but if provided they require one or more or elements.
Bugfixes:
- OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG record.
- OPENDNSSEC-261: Signer Engine: Ldns fails to parse RR that seems syntactically correct.
- OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr struct.
- OPENDNSSEC-281: Commandhandler sometimes unresponsive.
- OPENDNSSEC-318: Signer Engine: Don’t stop dns and xfr handlers if these threads have not yet been started.
- OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
- OPENDNSSEC-325: Signer Engine: Don’t include RRSIG records when DO bit is not set.
- OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be transferred from master and has been expired.
* Mon Jun 04 2012 johann.luceAATTwanadoo.fr
- Version 1.4.0a2 of OpenDNSSEC has now been released.
- OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}.
- OPENDNSSEC-249: ods-ksmutil: If key export finds nothing to do then say so rather than display nothing which might be misinterpreted.
- OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional.
- OPENDNSSEC-263: Signer Engine: Added EDNS0 support, so that zone transfers and SOA requests with OPT RRs are possible.
- Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.)
Bugfixes:
- OPENDNSSEC-259: Signer Engine: Fix assertion failure for outbound AXFR for large zones.
- OPENDNSSEC-264: Signer Engine: Fix assertion error on reading IXFR from backup.
- OPENDNSSEC-265: Signer Engine: Fix crash in corner cases when signing zone with NSEC3 and Opt-out.
- OPENDNSSEC-267: Signer Engine: Sign NOTIFY OK response with TSIG, if present in the query and ACL.
* Wed May 02 2012 johann.luceAATTwanadoo.fr
- Version 1.4.0a1 of OpenDNSSEC has now been released.
- Auditor: The Auditor has been removed.
- Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
- Enforcer: Stop multiple instances of the Enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
- Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS records for output.
- Enforcer/ods-ksmutil: Give a more descriptive error message if the tag in conf.xml does not match the database-backend set at compile time.
- ods-ksmutil: Add warnings on “key export --ds” if no active or ready keys were seen, or if both were seen (so a key rollover is happening).
- ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running “ods-ksmutil setup”
- ods-ksmutil: “zone delete” renames the signconf file; so that if the zone is put back the signer will not pick up the old file.
- ods-ksmutil: “key delete” added. It allows keys that are not currently in use to be deleted from the database and HSM.
- OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can be executed by ods-enforcerd.
- OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in “key list” with -v flag.
- OPENDNSSEC-28: ods-ksmutil: “key list” shows next state with -v flag.
- OPENDNSSEC-35: ods-ksmutil: “rollover list -v” now includes more information on the KSKs waiting for the ds-seen command.
- OPENDNSSEC-83: ods-ksmutil: “key generate” now displays how many keys will be generated and presents the user with the opportunity to stop the operation.
- OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when no -v flag is given.
- Signer Engine: Input and Output DNS Adapters.
- Signer Engine: Zonefetcher has been removed.
Known issues:
- Signer Engine: The backup files do not work correctly in this alpha release.
Bugfixes:
- Bugfix #246: Less confusing text for XML validation in ods-kaspcheck.
- ods-ksmutil: “update kasp” now reflects changes in policy descriptions.
- ods-ksmutil: Policy descriptions now have special characters quoted.
- ods-ksmutil: Fix typo in policy export with NSEC3.
* Wed Mar 14 2012 johann.luceAATTwanadoo.fr
- Update in 1.3.7
- OPENDNSSEC-215: Signer Engine: Always recover serial from backup, even if it is corrupted, preventing unnecessary serial decrementals.
- OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that the daemon will start after a power failure.
Bugfixes:
- ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
- OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
- OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators in the signer backup files and the HSM are out of sync.
- OPENDNSSEC-225: Fix problem with pid found when not existing.
- SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key material with leading zeroes. DNSSEC does not allow leading zeroes in key data. You are affected by this bug if your DNSKEY RDATA e.g. begins with “BAABA”. Normal keys begin with e.g. “AwEAA”. OpenDNSSEC will now sanitize incoming data before adding it to the DNSKEY. Do not upgrade to this version if you are affected by the bug. You first need to go unsigned, then do the upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not produce data with leading zeroes and the bug will thus not affect you.
* Tue Feb 21 2012 johann.luceAATTwanadoo.fr
- Update in 1.3.6
- Version 1.3.6 of OpenDNSSEC has now been released.
- OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to reconnect if it is not valid.
- OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of time, let worker wait with pushing sign operations until the queue is non-full.
- Signer Engine: Adjust some log messages.
Bugfixes:
- ods-control: Wrong exit status if Enforcer was already running.
- OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the help usage text.
- OPENDNSSEC-207: Signer Engine: Fix communication from a process not attached to a shell.
- OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing signed file to an intermediate file first.
* Thu Jan 26 2012 johann.luceAATTwanadoo.fr
- Update in 1.3.5
- Auditor: Include the zone name in the log messages.
- ldns 1.6.12 is required for bugfixes.
- ods-ksmutil: Suppress database connection information when no -v flag is given.
- ods-enforcerd: Stop multiple instances of the enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
- ods-ksmutil: “zone delete” renames the signconf file; so that if the zone is put back the signer will not pick up the old file.
- Signer Engine: Verbosity can now be set via conf.xml, default is 3.
Bugfixes:
- Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config or -c when starting the signer.
- Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that becomes opt-out.
- Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
- Signer Engine: A file descriptor for sockets with value zero is allowed.
- Signer Engine: Only log messages about a full signing queue in debug mode.
- Signer Engine: Fix time issues, make sure that the internal serial does not wander off after a failed audit.
- Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms with extra long signature expiration dates. More information in separate announcement.
* Mon Jan 09 2012 johann.luceAATTwanadoo.fr
- Prob with ldns 1.6.11
 