From a7e16f63d6711d3d9775619ebeb47661b4ac1e70 Mon Sep 17 00:00:00 2001 From: he Date: Wed, 8 Jun 2016 08:35:10 +0000 Subject: Update OpenDNSSEC to version 1.4.10. News: This release fix targets stability issues which have had a history and had been hard to reproduce. Stability should be improved, running OpenDNSSEC as a long term service. Changes in TTL in the input zone that seem not to be propagated, notifies to slaves under load that where not handled properly and could lead to assertions. NSEC3PARAM that would appear duplicate in the resulting zone, and crashes in the signer daemon in seldom race conditions or re-opening due to a HSM reset. No migration steps needed when upgrading from OpenDNSSEC 1.4.9. Also have a look at our OpenDNSSEC 2.0 beta release, its impending release will help us forward with new development and signal phasing out historic releases. Fixes: * SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed zone. After a resalt the signer would fail to remove the old NSEC3PARAM RR until a manual resign or incoming transfer. Old NSEC3PARAMS are removed when inserting a new record, even if they look the same. * OPENDNSSEC-725: Signer did not properly handle new update while still distributing notifies to slaves. An AXFR disconnect looked not to be handled gracefully. * SUPPORT-171: Signer would sometimes hit an assertion using DNS output adapter when .ixfr was missing or corrupt but .backup file available. Above two issues also in part addresses problems with seemingly corrected backup files (SOA serial). Also an crash on badly configured DNS output adapters is averted. * The signer daemon will now refuse to start when failed to open a listen socket for DNS handling. * OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582 SUPPORT-88: Segmentation fault in signer daemon when opening and closing hsm multiple times. Also addresses other concurrency access by avoiding a common context to the HSM (a.k.a. NULL context). * OPENDNSSEC-798: Improper use of key handles across hsm reopen, causing keys not to be available after a re-open. * SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is changed. TTL changes should be treated like any other changes to records. When OpenDNSSEC now overrides a TTL value, this is now reported in the log files. --- security/opendnssec/Makefile | 5 ++--- security/opendnssec/distinfo | 12 ++++++------ .../opendnssec/patches/patch-enforcer_utils_Makefile.in | 14 +++----------- 3 files changed, 11 insertions(+), 20 deletions(-) diff --git a/security/opendnssec/Makefile b/security/opendnssec/Makefile index 76d017cd290..8c7a0fbd268 100644 --- a/security/opendnssec/Makefile +++ b/security/opendnssec/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.56 2016/04/11 19:02:03 ryoon Exp $ +# $NetBSD: Makefile,v 1.57 2016/06/08 08:35:10 he Exp $ # -DISTNAME= opendnssec-1.4.9 -PKGREVISION= 3 +DISTNAME= opendnssec-1.4.10 CATEGORIES= security net MASTER_SITES= http://www.opendnssec.org/files/source/ diff --git a/security/opendnssec/distinfo b/security/opendnssec/distinfo index e8ebf7b0fea..58cd5ce805d 100644 --- a/security/opendnssec/distinfo +++ b/security/opendnssec/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.32 2016/02/25 11:06:57 he Exp $ +$NetBSD: distinfo,v 1.33 2016/06/08 08:35:10 he Exp $ -SHA1 (opendnssec-1.4.9.tar.gz) = 08736372058b5f1e5344261b21cf950243d74abb -RMD160 (opendnssec-1.4.9.tar.gz) = c44ed64fb1471d944d2964ec970d8e498a3927f6 -SHA512 (opendnssec-1.4.9.tar.gz) = 5cf571750ff205667f5162f28c7575e28f15a7367afce5bb3cd3da080f429c3e0457f597abb76ba260f781a340a4ef78e991252404e694a10a051190d50b5c7f -Size (opendnssec-1.4.9.tar.gz) = 1043700 bytes +SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213 +RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130 +SHA512 (opendnssec-1.4.10.tar.gz) = 00ba6ceba595f9d4d7736af982b78779f204eb52fcf92222256792368328647ca1a4c84b4db64dcdd9a0119292f132a4efd15e60436c2a125bf6a8fb3f33540e +Size (opendnssec-1.4.10.tar.gz) = 1036069 bytes SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991 SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c -SHA1 (patch-enforcer_utils_Makefile.in) = fa37bd2c31594b23a5fd3797361dcd6125678d94 +SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1 diff --git a/security/opendnssec/patches/patch-enforcer_utils_Makefile.in b/security/opendnssec/patches/patch-enforcer_utils_Makefile.in index 26eeab7fb04..1921312cc08 100644 --- a/security/opendnssec/patches/patch-enforcer_utils_Makefile.in +++ b/security/opendnssec/patches/patch-enforcer_utils_Makefile.in @@ -1,18 +1,10 @@ -$NetBSD: patch-enforcer_utils_Makefile.in,v 1.3 2015/11/16 10:09:08 he Exp $ +$NetBSD: patch-enforcer_utils_Makefile.in,v 1.4 2016/06/08 08:35:10 he Exp $ Regenerate after adding installation of migration scripts to Makefile.am. --- enforcer/utils/Makefile.in.orig 2015-10-05 14:20:51.000000000 +0000 +++ enforcer/utils/Makefile.in -@@ -423,7 +423,6 @@ pkcs11_softhsm_module = @pkcs11_softhsm_ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ --runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -@@ -798,7 +797,8 @@ info: info-am +@@ -797,7 +797,8 @@ info: info-am info-am: @@ -22,7 +14,7 @@ Regenerate after adding installation of migration scripts to Makefile.am. install-dvi: install-dvi-am -@@ -856,20 +856,27 @@ uninstall-man: uninstall-man1 +@@ -855,20 +856,27 @@ uninstall-man: uninstall-man1 ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-binPROGRAMS \ -- cgit v1.2.3