NEWS

$Id: NEWS 7018 2013-02-05 13:59:43Z sion $


OpenDNSSEC 1.4.0-trunk

Bugfixes:
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
  the inbound serial.
* SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates 
  NSEC3PARAM and DNSKEY RRset [OPENDNSSEC-389]
* OPENDNSSEC-387: Rollback of multi-threaded enforcer. Due to key allocation 
  issues the usefulness of the threaded enforcer is outweighed by the code
  complications. The option still remains in conf.xml for compatibility with
  existing use; but it will now be silently ignored.


OpenDNSSEC 1.4.0rc2 - 2013-01-25

* OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for
  reading.
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for
  a key is changed in a policy (as this rollover is not handled cleanly)

Bugfixes:
* SUPPORT-44: Signer Engine: Drop privileges after binding to socket
  [OPENDNSSEC-364].
* Signer Engine: XFR not ready should not be a fatal status for task read
  (thanks Ville Mattila).
* OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.


OpenDNSSEC 1.4.0rc1 - 2013-01-10

* OPENDNSSEC-359: Remove eppclient


OpenDNSSEC 1.4.0b2 - 2012-12-17

* OPENDNSSEC-292: Provide scripts to convert database between different 
  supported formats
* OPENDNSSEC-299: ods-ksmutil: ods-ksmutil <enter> now includes policy import
* OPENDNSSEC-300: ods-ksmutil: policy purge documented with a warning
* OPENDNSSEC-315: "ods-hsmutil logout" will delete any credentials in the
  shared memory.
* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL should be set to zero.
* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process
* ods-ksmutil: Deprecate the one-step key backup command

Bugfixes:
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
* OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by
  valgrind.
* OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals
  between apex and delegation when DS is added/removed.
* Signer Engine: Fixed locking and notification on the drudge work queue,
  signals could be missed so that drudgers would stall when there was work to
  be done.
* libhsm: Fixed PIN handling on OpenBSD.
* Enforcer: If enabled enforcer workers and configured number of workers is 1,
  make sure that enforcer runs the signer update command after signer
  configuration change.
* Signer Engine: Don't add double RRSIGs generated by the same key for the
  DNSKEY RRset.
* Signer Engine: Rollback incompleted zone transfers on disk (could happen
  if a connection was reset during transfer).
* Multi-threaded enforcer: various minor fixes including deadlock problems.


OpenDNSSEC 1.4.0b1 - 2012-09-06

* OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be
  entered using "ods-hsmutil login" and is stored in shared memory. The daemons
  will not start until this has been done by the user.
* OPENDNSSEC-297: Enforcer: Multi-threaded option available for the enforcer to
  improve performance (MySQL only). 
* OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify>
  and <RequestTransfer> elements are now optional, but if provided they require
  one or more <Peer> or <Remote> elements.

Bugfixes:
* OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG
  record.
* OPENDNSSEC-261: Signer Engine: Ldns fails to parse RR that seems
  syntactically correct.
* OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr
  struct. 
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-318: Signer Engine: Don't stop dns and xfr handlers if these
  threads have not yet been started.
* OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
* OPENDNSSEC-325: Signer Engine: Don't include RRSIG records when DO bit is
  not set.
* OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be
  transferred from master and has been expired.


OpenDNSSEC 1.4.0a3 - 2012-08-08

* OPENDNSSEC-258: Optionally include cka_id in output to
  DelegationSignerSubmitCommand.

Bugfixes:
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys 
  as dead (rather than actually removing them). Leave the key removal to purge
  jobs.
* SUPPORT-29: Signer Engine: Fix ods-signer clear <zone> command exits
  prematurely [OPENDNSSEC-289].
* SUPPORT-30: Signer Engine: RRSIGs are left in the signed zone when
  authoritative RRsets become glue [OPENDNSSEC-282].
* OPENDNSSEC-278: ods-ksmutil processes waiting forever to get DB lock
* OPENDNSSEC-290: Signer Engine: Fix false conflict when changing CNAME into 
  other RRtype.
* OPENDNSSEC-298: Enforcer: Only unlink existing pidfile on exit if we wrote it.
* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists
  and corresponding process is running, then complain and exit.
* OPENDNSSEC-306: Can't delete zone until Enforcer made signconf.
* Fix assertion error when printing signed zone with empty non-terminals and
  NSEC.
* Make setting QUERY ID in XFR requests more random.


OpenDNSSEC 1.4.0a2 - 2012-05-24

* OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address
  with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}.
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
  even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
  (RFC 2317).
* OPENDNSSEC-249: ods-ksmutil: If key export finds nothing to do then say so
  rather than display nothing which might be misinterpreted.
* OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional.
* OPENDNSSEC-263: Signer Engine: Added EDNS0 support, so that zone transfers
  and SOA requests with OPT RRs are possible.
* Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.)

Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
  Minimum change.
* OPENDNSSEC-252: Signer Engine: Mark xfrhandler started, so that we don't
  try to join a non-existing thread on exit.
* OPENDNSSEC-259: Signer Engine: Fix assertion failure for outbound AXFR for
  large zones.
* OPENDNSSEC-264: Signer Engine: Fix assertion error on reading IXFR from
  backup.
* OPENDNSSEC-265: Signer Engine: Fix crash in corner cases when signing zone
  with NSEC3 and Opt-out.
* OPENDNSSEC-267: Signer Engine: Sign NOTIFY OK response with TSIG, if present
  in the query and ACL.


OpenDNSSEC 1.4.0a1 - 2012-03-15

* Auditor: The Auditor has been removed.
* Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
* Enforcer: Stop multiple instances of the Enforcer running by checking for
  the pidfile at startup. If you want to run multiple instances then a
  different pidfile will need to be specified with the -P flag.
* Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS
  records for output.
* Enforcer/ods-ksmutil: Give a more descriptive error message if the
  <Datastore> tag in conf.xml does not match the database-backend set at
  compile time.
* ods-ksmutil: Add warnings on "key export --ds" if no active or ready keys
  were seen, or if both were seen (so a key rollover is happening).
* ods-ksmutil: Prevent MySQL username or password being interpreted by the
  shell when running "ods-ksmutil setup"
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
  put back the signer will not pick up the old file.
* ods-ksmutil: "key delete" added. It allows keys that are not currently in
  use to be deleted from the database and HSM.
* OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can
  be executed by ods-enforcerd.
* OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in "key list"
  with -v flag.
* OPENDNSSEC-28: ods-ksmutil: "key list" shows next state with -v flag.
* OPENDNSSEC-35: ods-ksmutil: "rollover list -v" now includes more information
  on the KSKs waiting for the ds-seen command.
* OPENDNSSEC-83: ods-ksmutil: "key generate" now displays how many keys will
  be generated and presents the user with the opportunity to stop the
  operation.
* OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when
  no -v flag is given.
* Signer Engine: Input and Output DNS Adapters.
* Signer Engine: Zonefetcher has been removed.

Known issues:
* Signer Engine: The backup files do not work correctly in this alpha release.

Bugfixes:
* Bugfix #246: Less confusing text for XML validation in ods-kaspcheck.
* ods-ksmutil: "update kasp" now reflects changes in policy descriptions.
* ods-ksmutil: Policy descriptions now have special characters quoted.
* ods-ksmutil: Fix typo in policy export with NSEC3.


OpenDNSSEC 1.3.7 - 2012-03-13

* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
  even if it is corrupted, preventing unnecessary serial decrementals.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
  the daemon will start after a power failure.

Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators
  in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem with pid found when not existing.
* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key
  material with leading zeroes. DNSSEC does not allow leading zeroes in key
  data. You are affected by this bug if your DNSKEY RDATA e.g. begins with
  "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize
  incoming data before adding it to the DNSKEY. Do not upgrade to this version
  if you are affected by the bug. You first need to go unsigned, then do the
  upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not
  produce data with leading zeroes and the bug will thus not affect you.


OpenDNSSEC 1.3.6 - 2012-02-17

* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to
  reconnect if it is not valid.
* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of
  time, let worker wait with pushing sign operations until the queue is
  non-full.
* Signer Engine: Adjust some log messages.

Bugfixes:
* ods-control: Wrong exit status if Enforcer was already running.
* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the
  help usage text.
* OPENDNSSEC-207: Signer Engine: Fix communication from a process not
  attached to a shell.
* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing
  signed file to an intermediate file first.


OpenDNSSEC 1.3.5 - 2012-01-23

* Auditor: Include the zone name in the log messages.
* ldns 1.6.12 is required for bugfixes.
* ods-ksmutil: Suppress database connection information when no -v flag is
  given.
* ods-enforcerd: Stop multiple instances of the enforcer running by checking
  for the pidfile at startup. If you want to run multiple instances then a
  different pidfile will need to be specified with the -P flag.
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
  put back the signer will not pick up the old file.
* Signer Engine: Verbosity can now be set via conf.xml, default is 3.

Bugfixes:
* Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config
  or -c when starting the signer.
* Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that
  becomes opt-out.
* Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
* Signer Engine: A file descriptor for sockets with value zero is allowed.
* Signer Engine: Only log messages about a full signing queue in debug mode.
* Signer Engine: Fix time issues, make sure that the internal serial does
  not wander off after a failed audit.
* Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms
  with extra long signature expiration dates. More information in separate
  announcement.


OpenDNSSEC 1.3.4 - 2011-12-09

Bugfixes:
* Signer: Use debug instead of warning for drudgers queue being full, also
  sleep 10ms if it is full to not hog CPU. This increased signing on
  single core machines by a factor of 2.


OpenDNSSEC 1.3.3 - 2011-11-17

Bugfixes:
* Auditor: Handle ruby 1.9 differences in ods-kaspcheck.
* Auditor: Require dnsruby 1.53 for bugfixes.
* Bugfix #262: Drudgers seem to be in a waiting state, but the RRset FIFO
  queue is full. Do an additional broadcast.
* Enforcer: Check HSM connection when waking up from sleep, attempt to
  reconnect if it is not valid. (r5511 in trunk, ported into the branch due
  to issues seen when CKR_DEVICE_ERROR returned by HSM.)
* libhsm: Added hsm_check_context() to check if the associated sessions are
  still alive. (Required for the above.)
* ods-ksmutil: key import was not setting the retire time.
* Signer Engine: Fix a threading issue, that could leave a zone without
  a task.
* Signer Engine: Update the signed zone file if only the $TTL or explicit
  TTL has been changed.
* Signer Engine: Remove the NSEC3PARAM RR when doing NSEC3 to NSEC rollover.
* Signer Engine: Deal with carriage returns (dos format) in zone file.
* Signer Engine: <Refresh> is PT0S means that refresh equals signtime.
* Signer Engine: Defense in depth in signer for duplicate keys.
* Signer Engine: Make sure that all required zonelist elements exist,
  otherwise error.
* Signer Engine: Warn the user if the serial is b0rk, and you can not
  use the serial from the signconf.
* Signer Engine: Log Auditor exit code.
* Fix a similar bug like #257: Error in ods-signerd, where a corrupted
  backup file results in an invalid pointer free().


OpenDNSSEC 1.3.2 - 2011-09-13

Bugfixes:
* Bugfix #257: Error in ods-signerd, where a corrupted backup file results
  in an invalid pointer free().
* Signer Engine: Mark that a zone has a valid signer configuration, after
  recovering the zone from the backup files.


OpenDNSSEC 1.3.1 - 2011-09-07

Bugfixes:
* Auditor: Fix 'ZSK in use too long' message to handle new signer behaviour.
* Bugfix #255: RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein)
* Bugfix #256: Make sure argument in "ods-control signer" is not stripped off.
* Bugfix #259: ods-ksmutil: Prevent MySQL username or password being
  interpreted by the shell when running "ods-ksmutil setup".
* Bugfix #260: "ods-ksmutil zone list" now handles empty zonelists.
* Enforcer: Unsigned comparison resulting in wrong error message.
* ods-ksmutil: fixed issue where first ds-seen command run on a zone would
  work, but return an error code and not send a HUP to the enforcerd.
* Signer Engine: A threading issue occasionally puts the default validity
  on NSEC(3) RRs and the denial validity on other RRs.
* Signer Engine: An update command could interrupt the signing process and the
  zone would get missing signatures.
* Signer Engine: Fix an issue where some systems could not copy the zone file.
* Zonefetcher: Check inbound serial in transferred file, to prevent
  redundant zone transfers.


OpenDNSSEC 1.3.0 - 2011-07-12

* Include simple-dnskey-mailer-plugin in dist.
* Enforcer: Change message about KSK retirement to make it less confusing.

Bugfixes:
* ods-control: If the Enforcer did not close down, you entered an infinite
  loop.
* Signer Engine: Fix log message typos.
* Signer Engine: Fix crash where ods-signer update
* Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.
* Zonefetcher: Sometimes invalid 'Address already in use' occurred.
* Bugfix #247: Fixes bug introduced by bugfix #242.


OpenDNSSEC 1.3.0rc3 - 2011-06-12

* Do not distribute trang.

Bugfixes:
* Fix test for java executable and others.
* Auditor: Fix delegation checks.
* Bugfix #242: Race condition when receiving multiple NOTIFIES for a zone.
* ods-kaspcheck: Do not expect resalt in NSEC policy.
* Signer Engine: Ifdef a header file.
* Signer Engine: The default working directory was not specified.
* Signer Engine: Handle stdout console output throttling that would
  truncate daemon output intermittently.


OpenDNSSEC 1.3.0.rc2 - 2011-05-18

* Match the names of the signer pidfile and enforcer pidfile.
* Include check for resign < resalt in ods-kaspcheck.

Bugfixes:
* Bugfix #231: Fix MySQL version check.
* ods-ksmutil: Update now sends a HUP to the enforcerd.
* Signer Engine: Fix assertion failure if zone was just added.
* Signer Engine: Don't hsm_close() on setup error.
* Signer Engine: Fix race condition bug when doing a single run.
* Signer Engine: In case of failure, also mark zone processed (single run).
* Signer Engine: Don't leak backup file descriptor.
* signconf.rnc now allows NSEC3 Iterations of 0


OpenDNSSEC 1.3.0rc1 - 2011-04-21

* <SkipPublicKey/> is enabled for SoftHSM in the default configuration.
  It improves the performance by only using the private key objects.
* Document the <RolloverNotification> tag in conf.xml.
* Include check for resign < resalt in ods-kaspcheck.

Bugfixes:
* Bugfix #221: Segmentation Fault on schedule.c:232
* Enforcer: 'make check' now works.
* Enforcer: Fixed some memory leaks in the tests.
* Signer Engine: Coverity report fixes some leaks and thread issues.
* Signer Engine: Now logs to the correct facility again.


OpenDNSSEC 1.3.0b1 - 2011-03-23

* Support for signing the root. Use the zone name "."
* Enforcer: Stop import of policy if it is not consistent.
* ods-signer: The queue command will now also show what tasks the workers
  are working on.
* Signer Engine: Just warn if occluded zone data was found, don't stop signing
  process.
* Signer Engine: Simpler serial maintenance, reduces the number of conflicts.
  Less chance to hit a 'cannot update: serial too small' error message.
* Signer Engine: Simpler NSEC(3) maintenance.
* Signer Engine: Temperate the number of backup files.
* Signer Engine: Set number of <SignerThreads> in conf.xml to 
  get peak performance from HSMs that can handle multiple threads.

Bugfixes:
* Bugreport #139: ods-auditor fails on root zone.
* Bugreport #198: Zone updates ignored?
* Replace tab with white-space when writing to syslog.
* Signer Engine: Do not block update command while signing.


OpenDNSSEC 1.2.1 - 2011-03-18

* ldns 1.6.9 is required for bugfixes.
* dnsruby-1.52 required for bugfixes.

Bugfixes:
* Auditor: 'make check' now works when srcdir != builddir.
* Auditor: Include the 'make check' files in the tarball.
* Enforcer: Fix the migration script for SQLite.
* Enforcer: Increase size of keypairs(id) field in MySQL to allow more than
  32767 keys; see MIGRATION for details.
* Enforcer: Minor change to NOT_READY_KEY error message.
* libhsm: Increase the maximum number of attached HSM:s from 10 to 100.
* ods-ksmutil: Send trivial MySQL messages to stdout when exporting zonelist
  etc. Otherwise the resulting XML needs to be edited by hand.
* ods-control: Fix for Bourne shell.
* Signer Engine: Prevent race condition when setting up the workers and
  the command handler.
* Signer Engine: Check if the signature exists before recycling it.
* Signer Engine: Quit when there are errors in the configuration.
* Signer Engine: Enable core dump on failure.
* Signer Engine: Explicitly close down log msg with null.
* Signer Engine: Backup state after writing output.
* Signer Engine: Allow update of serial if internal structure is not
  initialized.
* Signer Engine: NSEC chain could become broken if the predecessor domain
  of a deleted domain was a glue domain.


OpenDNSSEC 1.2.0 - 2011-01-13

Bugfixes:
* Enforcer: Fixed a number of build warnings.


OpenDNSSEC 1.2.0rc3 - 2010-12-27

* Moved migration instructions to the file MIGRATION

Bugfixes:
* Bugreport #199: The previous DB schema change made the zone removal broken.
* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk).
* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand.
* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog.
* Enforcer: Fixed pontential format string bug.
* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby.
* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you.
* Signer Engine: Set notify command for zone when receiving ods-signer update.
* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed
  in KASP.
* Signer Engine: Now logs to the correct facility.
* Signer Engine: Also remove NSEC records when detecting changes in
  signconf <Denial>
* Signer Engine: Dropped privileges before starting Zonefetcher.


OpenDNSSEC 1.2.0rc2 - 2010-11-24

Bugfixes:
* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive.
* Signer Engine: Also create new signature if TTL of RR has changed.
* Signer Engine: Drop old NSEC/NSEC3 records.
* ods-ksmutil: Fixed some memory leaks.


OpenDNSSEC 1.2.0rc1 - 2010-11-17

* New commandline option for the signer: ods-signer running.
* Allow connection to different MySQL ports in the Enforcer.
* Tone down and explain warning when converting M or Y to seconds
* ldns 1.6.7 is required for bugfixes
* dnsruby 1.51 is required for bugfixes

Bugfixes:
* Bugreport #187: ods-control signer start will return non-zero if start up 
  failed (uses ods-signer running).
* Narrow glue at the zone cut is allowed, do not consider it as occluded.
* Move zone fetcher output to correct input adapter file.
* Enforcer shared keys on zones with ShareKeys disabled.
* Make names of key states consistent.
* Signer Engine file descriptor leak fix on engine.sock.
* Set explicit "unlimited" repository capacity to prevent random integer being 
  read. Requires "ods-ksmutil update conf" to be run if using an existing 
  database.
* Fix issue with key generation creating too many keys Ticket #194.
* Bugreport #189: Auditor did not handle white-space-seperated substrings
  for base64 text
* Bugreport #190: Auditor (and signer) does not handle case correctly
* Signer now silence stdout-output from the notify command


OpenDNSSEC 1.2.0b1 - 2010-10-18

* A new signer engine, written in c. Zones are maintained in memory, instead of
  in files on disk.
* Signer Engine: Check if the signature exists before recycling it.
* Removed the python and python-4suite-xml dependencies.
* Remove separate autoconf for libhsm/conf/enforcer.
* Add option to disable building the signer.
* Signer logs statistics just after outputting a new signed zone.
* libhsm will skip processing (and not create) any public keys if the
  per repository option <SkipPublicKey/> is set.
* Keysharing improved - keys can now exist in different states on each zone
  that the key is in use for.
* Backup prepare/commit/rollback added for 2-step backups without taking the
  enforcer offline.
* Standby keys are now optional (default to 0) and should be considered
  experimental.

Bugfixes:
* Fix semantics of refresh value in Signer Engine.
* Auditor handles chains of empty nonterminals correctly.
* Recalculate salt immediately if the saltlength is changed.
* libhsm connected to slot 0 if the token label was not found. 
  An error is now returned instead of connecting to the slot.
* Bugreport #102: Removed the obsoleted python-4suite-xml dependency.
* Fixed Known Issue: KSK rollover requires manual timing.
* Fixed Known Issue: Key rollover and reuse of signatures.
* Fixed Known Issue: Issue with sharing keys and adding zones.
* Fixed Known Issue: Quicksorter does not allow certain owner names
  (Quicksorter is removed, signer now reads and sorts the zone).


OpenDNSSEC 1.1.3 - 2010-09-10

Bugfixes:
* Bugreport #183: Partial zone could get signed if zone transfer failed
  when using zone_fetcher


OpenDNSSEC 1.1.2 - 2010-08-24

* Dnsruby 1.49 now required (for correct zone parsing)
* ldns 1.6.6 is required to fix the zone fetcher bug

Bugfixes:
* ods-control stop did not stopped zone fetcher (bug was introduced in 1.1.0)
* Auditor correctly handles chains of empty nonterminals
* Zone fetcher can block zone transfers if AXFR once failed. This is a bug
  in ldns versions 1.6.5 and lower. See KNOWN_ISSUES for more information.
* Bugreport #165: Ensure Output SOA serial is always bigger than Input SOA
  serial.
* Bugreport #166: Correct exit value from signer.
* Bugreport #167: Zone fetcher now also picks up changes when zonelist is
  reloaded (thanks Rick van Rein)
* Bugreport #168: ods-control with tightened control for the Enforcer
* Bugreport #169: Do not include config.h in the distribution
* Bugreport #170: Typo in a man page (ods-signer)
* Bugreport #172: Correction of some macros in a man page (ods-timing)
* Bugreport #173: A man page used a macro that does not exist (ods-ksmutil)


OpenDNSSEC 1.1.1 - 2010-07-08

Bugfixes:
* Bugreport #127: Large SOA serial numbers were not handled properly by signer
* Bugreport #133: Better handling of SOA serial when setting is 'keep'
* Bugreport #136: quicksorter could not handle standard bind format SOA rdata
* The Auditor could not handle the new way of rolling KSKs
* One log message in the Enforcer referred to an old command
* The Enforcer forgot to publish certain keys during transition between states


OpenDNSSEC 1.1.0 - 2010-05-26


OpenDNSSEC 1.1.0rc3 - 2010-05-15

Bugfixes:
* Could not compile quicksorter on FreeBSD.
* Bugreport #131: test suite fails in 1.1.0rc2


OpenDNSSEC 1.1.0rc2 - 2010-05-04

Bugfixes:
* Fix semantics of refresh value in Signer Engine.


OpenDNSSEC 1.1.0rc1 - 2010-04-21

* Partial Auditor added
* Dnsruby-1.46 required
* Improved error messages when the system runs out of keys
* Optimise communication of signconfs for multiple zones sharing keys.
  Group zones in zonelist.xml by policy to get this benefit.
* Bugreport #101: Signer Engine now maintains its own pidfile.
* Jitter redefined: now in the range of [-jitter, ..., +jitter]
* Optimized sorter: quicksorter (sorter becomes obsolete).
* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er
  become obsolete).
* Enable database selection using --with-database-backend={sqlite3|mysql}
* Enable the EPP-client using --enable-eppclient
  For sending DS RR to the parent zone (experimental)
* Turn NSEC3 OptOut off by default
* Install kasp2html XML stylesheet
* Add simple kasp2html conversion script
* DNSKEY records communicated to an external script if configured
* The command 'ods-signer restart' is removed.
* Signer Engine now also reuses signatures after a change in NSEC(3)
  configuration or rolling keys.
* Quicksorter defaults to class IN.

Bugfixes:
* Enforcer: Make sure that we read the correct config file when dropping privs
* Enforcer: Prevent int overflow when generating a large number of keys
* Enforcer: Fixed a confusion between standby ZSKs and KSKs
* Fixed various enable-options in the configure scripts
* Respect $DESTDIR for config files
* Looked for the database init script in $prefix/share/opendnssec and not
  datadir.
* More proper memory cleanup in parsing zonefetch.xml
* Zonefetch.xml now accepts hmac-md5, which is an alias for
  hmac-md5.sig-alg.reg.int.
* Zone fetcher logged wrong zone when NOTIFY received.        
* Zone fetcher sometimes did not log when signalling signer engine failed.
* Fix issue of importing keys into kasp leaving random strings in the
  retire date.
* Fix KSK rollover logic to be proper DoubleDNSKEY
* Fix issue with reading repositories from conf.xml
* Fix issue with reading policies from kasp.xml
* Canonicalize RRs before nseccing zone.
* Bugreport #113: zone fetcher started before dropping privileges, so that
  it can bind to socket.
* Signer Engine defaults to working directory if missing.
* libhsm: fixed incorrect label length for wildcards (leftmost wildcard label
  was included in count).


OpenDNSSEC 1.0.0 - 2010-02-09

Bugfixes:
* Fixed broken path in ods-control


OpenDNSSEC 1.0.0rc4 - 2010-02-02

* Added manual pages for ods-auditor(1), ods-control(8), ods-enforcerd(8),
  ods-signerd(8), ods-signer(8), ods-hsmpseed(1), ods-hsmutil(1), 
  ods-kaspcheck(1), ods-ksmutil(1), ods-timing(5), opendnssec(7).
* Move ods-control & ods-signer from PREFIX/bin to PREFIX/sbin.
* Dnsruby-1.43 is now required

Bugfixes:
* Bugreport #89: Signer Engine: bug in logging.c.
* Auditor: Had some problems with escaped characters in domain names


OpenDNSSEC 1.0.0rc3 - 2010-01-25

* A code review was performed by members of the project group. No serious 
  problem was found. The code review resulted in some polishing of the code.
* Dnsruby-1.42 is now required, it fixes issues with TXT and NAPTR record
  parsing.
* ldns 1.6.4 is now required.
* Known issues has been moved from NEWS to KNOWN_ISSUES.

Bugfixes:
* ods-ksmutil: The ksk-roll command did not handle its options correctly
* Auditor: Configured zone SOA TTL now used to track pre-published keys,
  rather than the unsigned zone SOA TTL.
* Enforcer: There was a flaw in the implementation of the timing code (it 
  follows an earlier version of the draft and at one point does not add on 
  the safety margin).
* Enforcer: MySQL memory leaks fixed.
* Signer Engine: When changing policy or rollover a key, the old signed zone
  was not found,
  so always resulting in a fresh resign.
* Signer Engine: RRsets with varying TTLs on the records where considered
  different RRsets, the signer engine now eqaulizes those TTLs.


OpenDNSSEC 1.0.0rc2 - 2009-12-16

Bugfixes:
* Signer Engine: Signer processes could remain open, if they were not close 
  correctly.
* ods-ksmutil: Got a segmentation fault, when an HSM was missing in the 
  configuration. Only applied to versions using MySQL.
* Zone fetcher: Did not close files before moving them.
* Zone fetcher: The serial arithmetic was not correct.
* Auditor: It now ignores unrecognized RR types.
* Signer Engine: Wrong handling of escaped characters in strings 
  (fixed in ldns trunk)
* Set correct permissions on the configuration files.

Known issues:
* Zone fetcher: When using TSIG, an incorrect MAC can be created if the 
  length of the used secret is 'too long' (longer than the maximum digest
  length). This problem is in LDNS 1.6.3 and previous versions. This bug is
  fixed in the upcoming LDNS 1.6.4 release.
* Auditor: Some good NAPTR records may fail to verify with dnsruby-1.41.
  This will be fixed in a future dnsruby release.
* TXT RRs: Some TXT RRs with escape characters may fail to parse correctly 
  with dnsruby-1.41 and ldns 1.6.3. This is fixed in the upcoming releases.


OpenDNSSEC 1.0.0rc1 - 2009-12-04

* Auditor: dnsruby-1.41 should be used (includes fixes for zero length
  salt and RFC3597 unknown classes)
* Signer Engine: ldns 1.6.3 should be used (includes NSEC3 bugfix and class
  inheritance when creating signatures)

Bugfixes:
* Signer Engine: 1.0.0b8 introduced a bug that no signatures where reused.
  Re-fixed.
* Signer Engine: Fix ods-signer start (could hang on MacOSX)
* Signer Engine: Mark a zone in progress if in use by one of the tools.
  Prevents multiple tasks being created for the same zone.
* Signer Engine: Dropped records when zone content changed.
* Signer Engine: Drop inherited groups and set additional groups when dropping
  privileges.
* Zone fetcher: Clean up empty files if AXFR failed
* Zone fetcher: Make syslogging RFC-compliant


OpenDNSSEC 1.0.0b9 - 2009-11-27

* ods-ksmutil: update command split so that individual configuration files can
  be updated separately.
* ods-ksmutil: "ds-seen" renamed to "ksk-roll" which is a more accurate 
  description of its effect. (ds-seen will reappear in v1.1)
* add contributed .spec file for RPM builds
* Signer Engine: verifies signature after creation.

Bugfixes:
* Signer Engine: Output better information if the HSM fails with the signing.
* ods-ksmutil: update zonelist correctly links keys to new zones if key sharing 
  is turned on.
* Bugreport #59: Problem starting ods-signer on a 64-bit machine
* ods-ksmutil: update zonelist command now correctly adds and deletes zones
  (and sorts out their keys).

OpenDNSSEC 1.0.0b8 - 2009-11-23

* ods-ksmutil: KSK rollover now holds at the point where the new key is made
  active until the command "ds-seen" is issued.
* ods-ksmutil: "database backup" implemented to safely make a copy of the
  SQLite enforcer database.

Bugfixes:
* Auditor: Crashed on unknown RR class.
* Signer Engine: NSEC3 RR included wrong information in bitmap (fixed in ldns
  trunk).
* Signer Engine: Force a new signed zone if input is reread. Necessary because
  we cannot recognize if
  glue or unsigned delegations have been added and/or removed (yet).
* Signer Engine: Fix adding duplicate signatures in case of single key is
  being used as both ZSK and KSK.
* Bugreport #46: Vanishing records
* KASP Enforcer: Could not handle zones with names longer than 30 characters.


OpenDNSSEC 1.0.0b7 - 2009-11-16

* ods-auditor: Dnsruby version 1.40 or later required.
* ods-kaspcheck: Checks Enforcer SQLite datastore to ensure writable
* Signer Engine: LDNS 1.6.2 is recommended (bugfixes)
* The supported RRs are documented on the wiki

Bugfixes:
* ods-ksmutil: Segmentation fault when missing arguments to "key import"
* KASP Enforcer: Improved support for MySQL (experimental)
* Signer Engine: DLV is included in NSEC RR (fixed in LDNS 1.6.2)
* Signer Engine: Better handling of removed zones
* Signer Engine: Correct handling of zero length rdata - RFC3597 style (fixed
  in LDNS trunk)
* Signer Engine: Inherit class of zone to DNSSEC-related RRs


OpenDNSSEC 1.0.0b6 - 2009-11-06

* ods-hsmutil now has a command ("purge") to remove ALL keys from a given
  repository.

Bugfixes:
* Some minor bugfixes for the auditor
* Better detection for MySQL (now requires --enable-mysql to build)
* Init PKCS#11 library with CKF_OS_LOCKING_OK
* Change config file flag to hsmspeed


OpenDNSSEC 1.0.0b5 - 2009-10-31

* Reintroduce MySQL for enforcer back-end on an experimental footing

Bugfixes:
* Auditor: Fixed TXT parsing.
* ods-ksmutil: Database could not be created for first time users.
* ods-ksmutil: Set the correct privileges on the database.
* Signer Engine: Tweek log levels.
* Signer Engine: Fixed segmentation fault with WKS RR (in LDNS trunk).
* Signer Engine: Fixed NSAP, IPSECKEY, and SIG parsing (in LDNS trunk).
* Signer Engine: Disable multiline parsing when the line is commented out.
* Signer Engine: The tools are not hanging any more. Better pipe handling.
* Signer Engine: NSEC zone even if only 1 NSEC is needed.
* Signer Engine: Don't create NSEC3 records for empty non terminals that
  lead to glue.
* Signer Engine: LDNS can now parse explicit TTLs that are non-numbers
  (for example 3d2h, in LDNS trunk).
* Bugreport #43: ods-signer: The command parser was too strict with white
  spaces.

OpenDNSSEC 1.0.0b4 - 2009-10-23

* Default TTL in case of $TTL or explicit RR TTL becomes the SOA Minimum
  value (was 3600).
* The signer engine will check if another engine is already running before
  starting.
* Startup scripts for Solaris (SMF).
* Auditor gives an error if key moves to "in use" without sufficient
  "prepublished" time.

Bugfixes:
* Trailing spaces are not part of the domain name/ include file/ ttl in
  directives.
* nsec3er: Print final RRset, even if no NSEC3 was needed at that RRset.
* Proper privileges dropping when creating the command socket
* Signer sometimes didn't terminate if socket shutdown failed.

Known issues:
* The Signer Engine fails with broken pipes sometimes.


OpenDNSSEC 1.0.0b3 - 2009-10-16

* The auditor now tracks the SOA serial over time
* The auditor (dnsruby) supports RSA/SHA256 and RSA/SHA512

Bugfixes:
* The LDNS bug that affected SRV records has been fixed in ldns-trunk.
* Bugreport #41: Fix for SOA serial 'keep'.
* Allow for SOA Serial/TTL/Minimum values of zero.
* Correct socket binding of NotifyListen.
* Systems with older SQLite had problem rolling keys on a policy.
* Auditor now handles SSHFP and NAPTR records correctly
  (but needs Dnsruby 1.39)
* Auditor now handles TTLs in zone file with suffix s, m, h, d, and w.


OpenDNSSEC 1.0.0b2 - 2009-10-09

* Added experimental support for RSA/SHA256 and RSA/SHA512 to KASP auditor.
  Dnsruby version 1.38 or higher required for SHA2 support.
* Added experimental support for RSA/SHA256 and RSA/SHA512 to KASP enforcer
  and the signer engine.
* SignerThreads and KeygenInterval has been deprecated (actually removed
  just before 1.0.0b1).
* Added support for RSA/SHA256 and RSA/SHA512 to libhsm. No API changes.

Bugfixes:
* Bugreport #33 (#35): Output a signed zone if only the SOA record changed. 
* Zone fetcher did not start correctly
* Create the pid / socket directory if it not yet exists, with the correct
  privileges.
* Signer Engine now catches exception if running with incorrect permission.
* TCP-support for LDNS on Solaris is fixed in LDNS trunk.

Known issues:
* LDNS is having problem with SRV records. The main effect is that these
  records are given non-valid RRSIGs. This is still under investigation.


OpenDNSSEC 1.0.0b1 - 2009-10-02

* <Purge> tag added to automatically delete keys that have been dead
  for some interval.
* Rename all OpenDNSSEC command line tools and daemons to ods-XXX (e.g.
  ksmutil becomes ods-ksmutil).
* kasp_check command added to check the conf.xml and kasp.xml configuration
  files for sanity and consistency.
* communicated and keygend combined to form "ods-enforcerd".
* ksmutil command line changes. Most commands have changed slightly, but
  there are some significant changes (see
  http://svn.opendnssec.org/docs/command-tools-syntax.txt for details.)
* Enforcer database now has a version number. If it differs from the version
  number in the code (specified via a #define statement), the software will
  issue an error message and not connect to the database.
* "ksmutil list keys" now displays the keytag if the -l flag is passed to it.
* "Emergency Keys" renamed to "Standby Keys" as this better reflects their
  role in OpenDNSSEC.
* The behaviour of SOA Serial value 'counter' has changed according to
  Ticket #31.
* The directory "xml" and been renamed to "conf". (This is part of repository
  clean.)
* There are changes to the KASP DB:
* Zone fetcher added, that will do AXFR from the master.

  If want to use your old database, use the following commands to upgrade:

    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090922_1.sqlite3
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090930_1.sqlite3
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_091002_1.sqlite3

  Or, to start a new (with loss of information), remove old keys from the HSM
  and issue the command:

    ksmutil setup

Bugfixes:
* Make sure that parenthesis in zonefiles don't concatenate rdata fields.

Known issues:
* TCP-support for LDNS on Solaris is currently broken due to an issue with
  SO_RCVTIMEO. The result is that the zonefetcher doesn't work. No other
  parts of OpenDNSSEC is affected by this bug.
  There is currently no workaround.


OpenDNSSEC 1.0a5 - 2009-09-21

Features:
* support %zonefile expansion in the signer engine NotifyCommand 

Bugfixes:
* Read <OptOut/> correctly from the kasp.xml
* Correctly discover Empty Non-Terminals when reading input zonefile
* Don't error on space-only lines in input zonefile


OpenDNSSEC 1.0a4 - 2009-09-10

Features:
* warn (by sending a message to the log) about:
    - impending key rollover
    - Rollover occurrance
    - when it is safe to remove a DS record
* add export of DNSKEY and DS records to ksmutil
* add configure option '--disable-auditor' to disable building the auditor
* Added <ManualRollover/> tag to kasp.xml; this allows automatic rollovers
    to be turned off in a policy for either keytype.
* Changes to the KASP DB, please apply:
  If want to use your old DB:
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090901_1.sqlite3
  Or start fresh (with loss of information. User should remove old keys
  from the HSM):
    ksmutil setup

Bugfixes:
* "signer_engine_cli clear <ZONE>" dont crash on missing files anymore
  and removes all internal files now
* Bugreport #18, #19: Fix segfault at nseccer, nsec3er or finalizer when 
  handling large zones.
* Signer Engine starts correctly (problem was python 2.4, not RHEL5).


OpenDNSSEC 1.0a3 - 2009-08-26

Features:
* ksmutil import key implemented for importing key ID of existing keys
* "hsmspeed" will test the speed of the HSM.
* "hsmutil test" will test the HSM against OpenDNSSEC.
* Changes to the KASP DB, please apply:
  If want to use your old DB:
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090820_1.sqlite3
  Or start fresh (with loss of information. User should remove old keys
  from the HSM):
    ksmutil setup

Bugfixes:
* Better display of null backups (i.e. backup required) in ksmutil list
* Don't show historical rollovers in ksmutil list
* Fix key counting routines so that they all agree
* Missing SQLite includes in the Enforcer

Known bugs:
* Signer Engine not starting correctly in RHEL5.
  Use "signer_engine -d" for now
* "signer_engine_cli clear <ZONE>" crashes on missing files


OpenDNSSEC 1.0a2 - 2009-08-14

Features:
* conf.xml format changed
* Read the default path to kasp.xml from conf.xml
* libksm integrated into enforcer (and no longer installed)
* Dropping privileges as specified
* Option to specify that a key from a specific repository 
  should not be used if it has not been backed up
* ksmutil backup done, to signal that the keys are backed up
* KASP Auditor should now function properly
* A quick start script is available
* XSLT to translate KASP into readable text (HTML)
* Changes to the KASP DB, please apply:
  If want to use your old DB:
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090812_1.sqlite3
    sqlite3 <PATH_TO_ENFORCER.DB> < enforcer/utils/migrate_090813_1.sqlite3
  Or start fresh (with loss of information):
    ksmutil setup

Bugfixes:
* Signer Engine can now read standard bind format correctly
* make install creates an incorrectly named directory
* ksmutil addzone defaults to wrong path
* SoftHSM links libsofthsm to build directory
* libksm install problem when builddir == srcdir
* Missing include of header file in SoftHSM
* Text about a problem with Botan on some systems.


OpenDNSSEC 1.0a1 - 2009-07-30

* Initial release (aka "Technology Preview")