path: root/security/opendnssec/patches
Age | Commit message | Author | Files | Lines
2013-06-15 | OpenDNSSEC 1.3.14 - 2013-05-16 | pettai | 1 | -1/+3

* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly)
* OPENDNSSEC-91: Make the keytype flag required when rolling keys
* OPENDNSSEC-403: Signer Engine: new command 'ods-signer locks' that shows locking information (for debugging purposes).

Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change.
* OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for output.
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
2012-05-23 | OpenDNSSEC 1.3.8 | pettai | 1 | -7/+5

* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names (RFC 2317).
* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite only, MySQL already has them.)
* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration, but ods-auditor is not installed
* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do then say so rather than display nothing which might be misinterpreted.

Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA Minimum change.
* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all"
2011-12-12 | OpenDNSSEC 1.3.4 | pettai | 1 | -1/+3

Bugfixes:
* Signer: Use debug instead of warning for drudgers queue being full, also sleep 10 ms if it is full to not hog CPU. This increased signing speed on single core machines by a factor of 2.
2011-01-24 | OpenDNSSEC 1.2.0: | pettai | 1 | -22/+22

Bugfixes:
* Enforcer: Fixed a number of build warnings.

OpenDNSSEC 1.2.0rc3:
* Moved migration instructions to the file MIGRATION

Bugfixes:
* Bugreport #199: The previous DB schema change made the zone removal broken.
* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk).
* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand.
* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog.
* Enforcer: Fixed potential format string bug.
* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby.
* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you.
* Signer Engine: Set notify command for zone when receiving ods-signer update.
* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed in KASP.
* Signer Engine: Now logs to the correct facility.
* Signer Engine: Also remove NSEC records when detecting changes in signconf <Denial>
* Signer Engine: Dropped privileges before starting Zonefetcher.

OpenDNSSEC 1.2.0rc2:

Bugfixes:
* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive.
* Signer Engine: Also create new signature if TTL of RR has changed.
* Signer Engine: Drop old NSEC/NSEC3 records.
* ods-ksmutil: Fixed some memory leaks.

OpenDNSSEC 1.2.0rc1:
* New commandline option for the signer: ods-signer running.
* Allow connection to different MySQL ports in the Enforcer.
* Tone down and explain warning when converting M or Y to seconds
* ldns 1.6.7 is required for bugfixes
* dnsruby 1.51 is required for bugfixes

Bugfixes:
* Bugreport #187: ods-control signer start will return non-zero if start up failed (uses ods-signer running).
* Narrow glue at the zone cut is allowed, do not consider it as occluded.
* Move zone fetcher output to correct input adapter file.
* Enforcer shared keys on zones with ShareKeys disabled.
* Make names of key states consistent.
* Signer Engine file descriptor leak fix on engine.sock.
* Set explicit "unlimited" repository capacity to prevent random integer being read. Requires "ods-ksmutil update conf" to be run if using an existing database.
* Fix issue with key generation creating too many keys Ticket #194.
* Bugreport #189: Auditor did not handle white-space-separated substrings for base64 text
* Bugreport #190: Auditor (and signer) does not handle case correctly
* Signer now silences stdout-output from the notify command

OpenDNSSEC 1.2.0b1:
* A new signer engine, written in c. Zones are maintained in memory, instead of in files on disk.
* Removed the python and python-4suite-xml dependencies.
* Remove separate autoconf for libhsm/conf/enforcer.
* Add option to disable building the signer.
* Signer logs statistics just after outputting a new signed zone.
* libhsm will skip processing (and not create) any public keys if the per repository option <SkipPublicKey/> is set.
* Keysharing improved - keys can now exist in different states on each zone that the key is in use for.
* Backup prepare/commit/rollback added for 2-step backups without taking the enforcer offline.
* Standby keys are now optional (default to 0) and should be considered experimental.

Bugfixes:
* Fix semantics of refresh value in Signer Engine.
* Auditor handles chains of empty nonterminals correctly.
* Recalculate salt immediately if the saltlength is changed.
* libhsm connected to slot 0 if the token label was not found. An error is now returned instead of connecting to the slot.
* Bugreport #102: Removed the obsoleted python-4suite-xml dependency.
* Fixed Known Issue: KSK rollover requires manual timing.
* Fixed Known Issue: Key rollover and reuse of signatures.
* Fixed Known Issue: Issue with sharing keys and adding zones.
* Fixed Known Issue: Quicksorter does not allow certain owner names (Quicksorter is removed, signer now reads and sorts the zone).
2010-06-16 | OpenDNSSEC 1.1.0: | pettai | 1 | -8/+8

* Partial Auditor added
* Dnsruby-1.46 required
* Improved error messages when the system runs out of keys
* Optimise communication of signconfs for multiple zones sharing keys. Group zones in zonelist.xml by policy to get this benefit.
* Bugreport #101: Signer Engine now maintains its own pidfile.
* Jitter redefined: now in the range of [-jitter, ..., +jitter]
* Optimized sorter: quicksorter (sorter becomes obsolete).
* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er become obsolete).
* Enable database selection using --with-database-backend={sqlite3|mysql}
* Enable the EPP-client using --enable-eppclient For sending DS RR to the parent zone (experimental)
* Turn NSEC3 OptOut off by default
* Install kasp2html XML stylesheet
* Add simple kasp2html conversion script
* DNSKEY records communicated to an external script if configured
* The command 'ods-signer restart' is removed.
* Signer Engine now also reuses signatures after a change in NSEC(3) configuration or rolling keys.
* Quicksorter defaults to class IN.

And a lot of bugfixes...
2010-05-06 | The OpenDNSSEC project announces the development of Open Source software | pettai | 1 | -0/+45

that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.