Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


* OPENDNSSEC-315: "ods-hsmutil logout" will delete any credentials in the
shared the shared memory.
* OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify>
and <AllowNotify> and <RequestTransfer> elements are now optional, but if provided they require
one require one or more <Peer> or <Remote> elements.
* OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address
with address with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}.
* OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional.
* Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.)
* Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
* Enforcer: Stop multiple instances of the Enforcer running by checking for
the for the pidfile at startup. If you want to run multiple instances then a
different a different pidfile will need to be specified with the -P flag.
* Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS
records DS records for output.
* Enforcer/ods-ksmutil: Give a more descriptive error message if the
<Datastore> the <Datastore> tag in conf.xml does not match the database-backend set at
compile at compile time.
* ods-ksmutil: Add warnings on "key export --ds" if no active or ready keys
were keys were seen, or if both were seen (so a key rollover is happening).
* ods-ksmutil: Prevent MySQL username or password being interpreted by the
shell the shell when running "ods-ksmutil setup"
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
put back the signer will not pick up the old file.
* ods-ksmutil: "key delete" added. It allows keys that are not currently in
in use to be deleted from the database and HSM.
* OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can
can be executed by ods-enforcerd.
* OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when
when no -v flag is given.
* OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for
for reading.



* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
the account the inbound serial.
* SUPPORT-50/51: Signer Engine: Inbound DNS Adapter incorrectly updates
* OPENDNSSEC-389: Input DNS Adapter incorrectly updating NSEC3PARAM and DNSKEY RRsets
* SUPPORT-44: Signer Engine: Drop privileges after binding to socket
socket [OPENDNSSEC-364].
* Signer Engine: XFR not ready should not be a fatal status for task read
read (thanks Ville Mattila).
* OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
* OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by
valgrindby valgrind.
* OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals
between terminals between apex and delegation when DS is added/removed.
* libhsm: Fixed PIN handling on OpenBSD.
* Enforcer: If enabled enforcer workers and configured number of workers is 1,
make  make sure that enforcer runs the signer update command after signer
configuration signer configuration change.
* Signer Engine: Don't add double RRSIGs generated by the same key for the
* Signer Engine: Rollback incompleted zone transfers on disk (could happen
if happen if a connection was reset during transfer).
* Multi-threaded enforcer: various minor fixes including deadlock problems.
* OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG
recordRRSIG record.
* OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr
structixfr struct.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-318: Signer Engine: Don't stop dns and xfr handlers if these
threads these threads have not yet been started.
* OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
* OPENDNSSEC-325: Signer Engine: Don't include RRSIG records when DO bit is
not is not set.
* OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be
transferred be transferred from master and has been expired.
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys
as keys as dead (rather than actually removing them). Leave the key removal to purge
* SUPPORT-29: Signer Engine: Fix ods-signer clear <zone> command exits
prematurely exits prematurely [OPENDNSSEC-289].
* OPENDNSSEC-278: ods-ksmutil processes waiting forever to get DB lock
* OPENDNSSEC-290: Signer Engine: Fix false conflict when changing CNAME into
other into other RRtype.
* Fix assertion error when printing signed zone with empty non-terminals and
* Make setting QUERY ID in XFR requests more random.
* OPENDNSSEC-252: Signer Engine: Mark xfrhandler started, so that we don't
try t try to join a non-existing thread on exit.
* OPENDNSSEC-259: Signer Engine: Fix assertion failure for outbound AXFR for
large for large zones.
* OPENDNSSEC-264: Signer Engine: Fix assertion error on reading IXFR from
backupfrom backup.
* OPENDNSSEC-265: Signer Engine: Fix crash in corner cases when signing zone
with zone with NSEC3 and Opt-out.
* OPENDNSSEC-267: Signer Engine: Sign NOTIFY OK response with TSIG, if present
in present in the query and ACL.
* Bugfix #246: Less confusing text for XML validation in ods-kaspcheck.
* ods-ksmutil: "update kasp" now reflects changes in policy descriptions.
* ods-ksmutil: Policy descriptions now have special characters quoted.
* ods-ksmutil: Fix typo in policy export with NSEC3.