This is a summary of the updates available in 1.4 that are not in the 1.3.13 release:
Major Updates:
* Signer Engine: Input and Output DNS Adapters.
* Signer Engine: Zonefetcher has been removed.
* OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be entered using "ods-hsmutil login" and is stored in shared memory. The daemons will not start until this has been done by the user.
* Auditor: The Auditor has been removed.
* ods-ksmutil: Deprecate the one-step key backup command
* OPENDNSSEC-292: Provide scripts to convert database between different supported formats
Minor Updates:
* OPENDNSSEC-359: Remove eppclient
* OPENDNSSEC-258: ods-ksmutil:Optionally include cka_id in output to DelegationSignerSubmitCommand.
* OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in "key list" with -v flag.
* OPENDNSSEC-28: ods-ksmutil: "key list" shows next state with -v flag.
* OPENDNSSEC-35: ods-ksmutil: "rollover list -v" now includes more information on the KSKs waiting for the ds-seen command.
* OPENDNSSEC-83: ods-ksmutil: "key generate" now displays how many keys will be generated and presents the user with the opportunity to stop the operation.
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly)
* ods-ksmutil: Add warnings on "key export --ds" if no active or ready keys were seen, or if both were seen (so a key rollover is happening).
* OPENDNSSEC-263: Signer Engine: Added EDNS0 support, so that zone transfers and SOA requests with OPT RRs are possible.
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is put back the signer will not pick up the old file.
* ods-ksmutil: "key delete" added. It allows keys that are not currently in use to be deleted from the database and HSM.
* OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can be executed by ods-enforcerd.
* Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.)
* Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
* Enforcer: Stop multiple instances of the Enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
* Enforcer/ods-ksmutil: Give a more descriptive error message if the <Datastore> tag in conf.xml does not match the database-backend set at compile time.
* ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running "ods-ksmutil setup"
* OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when no -v flag is given.
Development Updates:
* OPENDNSSEC-315: "ods-hsmutil logout" will delete any credentials in the shared memory.
* OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify> and <RequestTransfer> elements are now optional, but if provided they require one or more <Peer> or <Remote> elements.
* OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}.
* OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional.
* OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for reading.
Bugfixes:
* Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS records for output.
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account the inbound serial.
* SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates NSEC3PARAM and DNSKEY RRset [OPENDNSSEC-389]
* OPENDNSSEC-389: Input DNS Adapter incorrectly updating NSEC3PARAM and DNSKEY RRsets
* SUPPORT-44: Signer Engine: Drop privileges after binding to socket [OPENDNSSEC-364].
* Signer Engine: XFR not ready should not be a fatal status for task read (thanks Ville Mattila).
* OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
* OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by valgrind.
* OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals between apex and delegation when DS is added/removed.
* libhsm: Fixed PIN handling on OpenBSD.
* Enforcer: If enabled enforcer workers and configured number of workers is 1, make sure that enforcer runs the signer update command after signer configuration change.
* Signer Engine: Don't add double RRSIGs generated by the same key for the DNSKEY RRset.
* Signer Engine: Rollback incompleted zone transfers on disk (could happen if a connection was reset during transfer).
* Multi-threaded enforcer: various minor fixes including deadlock problems.
* OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG record.
* OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr struct.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-318: Signer Engine: Don't stop dns and xfr handlers if these threads have not yet been started.
* OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
* OPENDNSSEC-325: Signer Engine: Don't include RRSIG records when DO bit is not set.
* OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be transferred from master and has been expired.
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as dead (rather than actually removing them). Leave the key removal to purge jobs.
* SUPPORT-29: Signer Engine: Fix ods-signer clear <zone> command exits prematurely [OPENDNSSEC-289].
* OPENDNSSEC-278: ods-ksmutil processes waiting forever to get DB lock
* OPENDNSSEC-290: Signer Engine: Fix false conflict when changing CNAME into other RRtype.
* Fix assertion error when printing signed zone with empty non-terminals and NSEC.
* Make setting QUERY ID in XFR requests more random.
* OPENDNSSEC-252: Signer Engine: Mark xfrhandler started, so that we don't try to join a non-existing thread on exit.
* OPENDNSSEC-259: Signer Engine: Fix assertion failure for outbound AXFR for large zones.
* OPENDNSSEC-264: Signer Engine: Fix assertion error on reading IXFR from backup.
* OPENDNSSEC-265: Signer Engine: Fix crash in corner cases when signing zone with NSEC3 and Opt-out.
* OPENDNSSEC-267: Signer Engine: Sign NOTIFY OK response with TSIG, if present in the query and ACL.
* Bugfix #246: Less confusing text for XML validation in ods-kaspcheck.
* ods-ksmutil: "update kasp" now reflects changes in policy descriptions.
* ods-ksmutil: Policy descriptions now have special characters quoted.
* ods-ksmutil: Fix typo in policy export with NSEC3.
