* Signer Engine: Input and Output DNS Adapters.
* Signer Engine: Zonefetcher has been removed.
* OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be entered using "ods-hsmutil login" and is stored in shared memory. The daemons will not start until this has been done by the user.
* Auditor: The Auditor has been removed.
* ods-ksmutil: Deprecate the one-step key backup command
* OPENDNSSEC-292: Provide scripts to convert database between different supported formats

Minor Updates:

* OPENDNSSEC-359: Remove eppclient
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly)
* OPENDNSSEC-258: ods-ksmutil: Optionally include cka_id in output to DelegationSignerSubmitCommand.
* OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in "key list" with -v flag.
* OPENDNSSEC-28: ods-ksmutil: "key list" shows next state with -v flag.
* OPENDNSSEC-35: ods-ksmutil: "rollover list -v" now includes more information on the KSKs waiting for the ds-seen command.
* OPENDNSSEC-83: ods-ksmutil: "key generate" now displays how many keys will be generated and presents the user with the opportunity to stop the operation.
* OPENDNSSEC-263: Signer Engine: Added EDNS0 support, so that zone transfers and SOA requests with OPT RRs are possible.

Minor Development Updates:

* OPENDNSSEC-315: "ods-hsmutil logout" will delete any credentials in the shared memory.
* OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify> and <RequestTransfer> elements are now optional, but if provided they require one or more <Peer> or <Remote> elements.
* OPENDNSSEC-226: Change in conf.xml: Configure the DNS listener IP address with /Listener/Interface/Address instead of /Listener/Interface/IPv{4,6}.
* OPENDNSSEC-262: Signer Engine: Make DNS Adapter ACL optional.
* Enforcer: Add indexes for foreign keys. (sqlite only, MySQL already has them.)
* Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
* Enforcer: Stop multiple instances of the Enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
* Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS records for output.
* Enforcer/ods-ksmutil: Give a more descriptive error message if the <Datastore> tag in conf.xml does not match the database-backend set at compile time.
* ods-ksmutil: Add warnings on "key export --ds" if no active or ready keys were seen, or if both were seen (so a key rollover is happening).
* ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running "ods-ksmutil setup"
* ods-ksmutil: "zone delete" renames the signconf file, so that if the zone is put back the signer will not pick up the old file.
* ods-ksmutil: "key delete" added. It allows keys that are not currently in use to be deleted from the database and HSM.
* OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can be executed by ods-enforcerd.
* OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when no -v flag is given.
* OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for reading.