![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / security / opendnssec
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.90 / (download) - annotate - [select for diffs], Wed Nov 8 13:20:48 2023 UTC (5 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2024Q1-base,
pkgsrc-2024Q1,
pkgsrc-2023Q4-base,
pkgsrc-2023Q4,
HEAD
Changes since 1.89: +2 -2
lines
Diff to previous 1.89 (colored) to selected 1.20 (colored)
*: recursive bump for icu 74.1
Revision 1.89 / (download) - annotate - [select for diffs], Tue Oct 24 22:10:53 2023 UTC (5 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.88: +2 -2
lines
Diff to previous 1.88 (colored) to selected 1.20 (colored)
*: bump for openssl 3
Revision 1.88 / (download) - annotate - [select for diffs], Tue Jun 6 12:42:14 2023 UTC (10 months, 1 week ago) by riastradh
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base,
pkgsrc-2023Q3,
pkgsrc-2023Q2-base,
pkgsrc-2023Q2
Changes since 1.87: +2 -2
lines
Diff to previous 1.87 (colored) to selected 1.20 (colored)
Mass-change BUILD_DEPENDS to TOOL_DEPENDS outside mk/. Almost all uses, if not all of them, are wrong, according to the semantics of BUILD_DEPENDS (packages built for target available for use _by_ tools at build-time) and TOOL_DEPEPNDS (packages built for host available for use _as_ tools at build-time). No change to BUILD_DEPENDS as used correctly inside buildlink3. As proposed on tech-pkg: https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
Revision 1.87 / (download) - annotate - [select for diffs], Wed Apr 19 08:11:23 2023 UTC (12 months ago) by adam
Branch: MAIN
Changes since 1.86: +2 -2
lines
Diff to previous 1.86 (colored) to selected 1.20 (colored)
revbump after textproc/icu update
Revision 1.86 / (download) - annotate - [select for diffs], Wed Nov 23 16:21:01 2022 UTC (16 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base,
pkgsrc-2023Q1,
pkgsrc-2022Q4-base,
pkgsrc-2022Q4
Changes since 1.85: +2 -2
lines
Diff to previous 1.85 (colored) to selected 1.20 (colored)
massive revision bump after textproc/icu update
Revision 1.85 / (download) - annotate - [select for diffs], Mon Apr 18 19:12:00 2022 UTC (2 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base,
pkgsrc-2022Q3,
pkgsrc-2022Q2-base,
pkgsrc-2022Q2
Changes since 1.84: +2 -2
lines
Diff to previous 1.84 (colored) to selected 1.20 (colored)
revbump for textproc/icu update
Revision 1.84 / (download) - annotate - [select for diffs], Wed Dec 8 16:06:20 2021 UTC (2 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base,
pkgsrc-2022Q1,
pkgsrc-2021Q4-base,
pkgsrc-2021Q4
Changes since 1.83: +2 -2
lines
Diff to previous 1.83 (colored) to selected 1.20 (colored)
revbump for icu and libffi
Revision 1.83 / (download) - annotate - [select for diffs], Wed Apr 21 11:42:36 2021 UTC (2 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base,
pkgsrc-2021Q3,
pkgsrc-2021Q2-base,
pkgsrc-2021Q2
Changes since 1.82: +2 -2
lines
Diff to previous 1.82 (colored) to selected 1.20 (colored)
revbump for textproc/icu
Revision 1.82 / (download) - annotate - [select for diffs], Thu Nov 5 09:09:03 2020 UTC (3 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base,
pkgsrc-2021Q1,
pkgsrc-2020Q4-base,
pkgsrc-2020Q4
Changes since 1.81: +2 -2
lines
Diff to previous 1.81 (colored) to selected 1.20 (colored)
*: Recursive revbump from textproc/icu-68.1
Revision 1.81 / (download) - annotate - [select for diffs], Mon Jun 8 15:07:42 2020 UTC (3 years, 10 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base,
pkgsrc-2020Q3,
pkgsrc-2020Q2-base,
pkgsrc-2020Q2
Changes since 1.80: +2 -3
lines
Diff to previous 1.80 (colored) to selected 1.20 (colored)
Add an m4 + configure patch so that -lcrypto is searched for EVP_sha1 and EVP_sha256. Without this, opendnssec would build but would not recognize any of those algorithms for tsig, and therefore be pretty useless. I'll admit that I'm not entirely certain why this is now suddenly required; those functions are in the same library in 9.0 as in 8.0. Bump PKGREVISION.
Revision 1.80 / (download) - annotate - [select for diffs], Tue Jun 2 08:24:41 2020 UTC (3 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.79: +2 -2
lines
Diff to previous 1.79 (colored) to selected 1.20 (colored)
Revbump for icu
Revision 1.79 / (download) - annotate - [select for diffs], Sun Apr 12 08:29:10 2020 UTC (4 years ago) by adam
Branch: MAIN
Changes since 1.78: +2 -2
lines
Diff to previous 1.78 (colored) to selected 1.20 (colored)
Recursive revision bump after textproc/icu update
Revision 1.78 / (download) - annotate - [select for diffs], Sat Jan 18 21:50:41 2020 UTC (4 years, 3 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base,
pkgsrc-2020Q1
Changes since 1.77: +2 -1
lines
Diff to previous 1.77 (colored) to selected 1.20 (colored)
*: Recursive revision bump for openssl 1.1.1.
Revision 1.77 / (download) - annotate - [select for diffs], Fri Aug 30 08:08:21 2019 UTC (4 years, 7 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base,
pkgsrc-2019Q4,
pkgsrc-2019Q3-base,
pkgsrc-2019Q3
Changes since 1.76: +3 -3
lines
Diff to previous 1.76 (colored) to selected 1.20 (colored)
Update opendnssec to version 1.4.14. Pkgsrc changes: * Adapt patch to enforcer/utils/Makefile.in Upstream changes: * OPENDNSSEC-888: Fixup database conversion script. * OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and ZSK have exactly the same paramaters. * OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for same rrset are mismatching.
Revision 1.76 / (download) - annotate - [select for diffs], Thu May 30 20:04:59 2019 UTC (4 years, 10 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base,
pkgsrc-2019Q2
Changes since 1.75: +3 -3
lines
Diff to previous 1.75 (colored) to selected 1.20 (colored)
Add a fix to work with EDNS with cookie support in BIND, from tentative fix submitted at https://issues.opendnssec.org/browse/SUPPORT-242. Bump PKGREVISION.
Revision 1.75 / (download) - annotate - [select for diffs], Thu May 23 19:23:15 2019 UTC (4 years, 10 months ago) by rillig
Branch: MAIN
Changes since 1.74: +2 -2
lines
Diff to previous 1.74 (colored) to selected 1.20 (colored)
all: replace SUBST_SED with the simpler SUBST_VARS pkglint -Wall -r --only "substitution command" -F With manual review and indentation fixes since pkglint doesn't get that part correct in every case.
Revision 1.74 / (download) - annotate - [select for diffs], Wed Apr 3 00:33:05 2019 UTC (5 years ago) by ryoon
Branch: MAIN
Changes since 1.73: +2 -2
lines
Diff to previous 1.73 (colored) to selected 1.20 (colored)
Recursive revbump from textproc/icu
Revision 1.73 / (download) - annotate - [select for diffs], Sun Dec 9 18:52:45 2018 UTC (5 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base,
pkgsrc-2019Q1,
pkgsrc-2018Q4-base,
pkgsrc-2018Q4
Changes since 1.72: +2 -2
lines
Diff to previous 1.72 (colored) to selected 1.20 (colored)
revbump after updating textproc/icu
Revision 1.72 / (download) - annotate - [select for diffs], Fri Jul 20 03:34:27 2018 UTC (5 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base,
pkgsrc-2018Q3
Changes since 1.71: +2 -2
lines
Diff to previous 1.71 (colored) to selected 1.20 (colored)
Recursive revbump from textproc/icu-62.1
Revision 1.71 / (download) - annotate - [select for diffs], Wed Jul 4 13:40:34 2018 UTC (5 years, 9 months ago) by jperkin
Branch: MAIN
Changes since 1.70: +2 -2
lines
Diff to previous 1.70 (colored) to selected 1.20 (colored)
*: Move SUBST_STAGE from post-patch to pre-configure Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed.
Revision 1.70 / (download) - annotate - [select for diffs], Sat Apr 14 07:34:39 2018 UTC (6 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base,
pkgsrc-2018Q2
Changes since 1.69: +2 -2
lines
Diff to previous 1.69 (colored) to selected 1.20 (colored)
revbump after icu update
Revision 1.69 / (download) - annotate - [select for diffs], Tue Mar 27 11:40:22 2018 UTC (6 years ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base,
pkgsrc-2018Q1
Changes since 1.68: +2 -2
lines
Diff to previous 1.68 (colored) to selected 1.20 (colored)
Apply fix from https://github.com/opendnssec/opendnssec/pull/713/files Remove notify handler from netio on zone removal. Bump PKGREVISION.
Revision 1.68 / (download) - annotate - [select for diffs], Thu Nov 30 16:45:37 2017 UTC (6 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base,
pkgsrc-2017Q4
Changes since 1.67: +2 -2
lines
Diff to previous 1.67 (colored) to selected 1.20 (colored)
Revbump after textproc/icu update
Revision 1.67 / (download) - annotate - [select for diffs], Mon Sep 18 09:53:34 2017 UTC (6 years, 7 months ago) by maya
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base,
pkgsrc-2017Q3
Changes since 1.66: +2 -2
lines
Diff to previous 1.66 (colored) to selected 1.20 (colored)
revbump for requiring ICU 59.x
Revision 1.66 / (download) - annotate - [select for diffs], Sun Sep 3 08:53:14 2017 UTC (6 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.65: +3 -3
lines
Diff to previous 1.65 (colored) to selected 1.20 (colored)
Follow some redirects.
Revision 1.65 / (download) - annotate - [select for diffs], Mon Aug 7 17:56:13 2017 UTC (6 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.64: +8 -8
lines
Diff to previous 1.64 (colored) to selected 1.20 (colored)
Fix packages that had INSTALLATION_DIRS+=$(PKG_SYSCONFDIR}.
Set PKG_SYSCONFSUBDIR where appropriate, and use {MAKE,OWN}_DIRS to
create the directory tree under ${PKG_SYSCONFDIR} instead of using
INSTALLATION_DIRS.
Bump the PKGREVISION of packages that changed due to changes in the
package install scripts.
Revision 1.64 / (download) - annotate - [select for diffs], Sat Apr 22 21:03:55 2017 UTC (6 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base,
pkgsrc-2017Q2
Changes since 1.63: +2 -1
lines
Diff to previous 1.63 (colored) to selected 1.20 (colored)
Revbump after icu update
Revision 1.63 / (download) - annotate - [select for diffs], Fri Jan 20 16:12:39 2017 UTC (7 years, 2 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base,
pkgsrc-2017Q1
Changes since 1.62: +2 -3
lines
Diff to previous 1.62 (colored) to selected 1.20 (colored)
Update OpenDNSSEC to version 1.4.13. Pkgsrc changes: * Remove patch now integrated. Upstream changes: OpenDNSSEC 1.4.13 - 2017-01-20 * OPENDNSSEC-778: Double NSEC3PARAM record after resalt. * OPENDNSSEC-853: Fixed serial_xfr_acquired not updated in state file. * Wrong error was sometimes being print on failing TCP connect. * Add support for OpenSSL 1.1.0. * OPENDNSSEC-866: Script for migration between MySQL and SQLite was outdated.
Revision 1.62 / (download) - annotate - [select for diffs], Mon Jan 16 09:21:13 2017 UTC (7 years, 3 months ago) by he
Branch: MAIN
Changes since 1.61: +2 -2
lines
Diff to previous 1.61 (colored) to selected 1.20 (colored)
Update OpenDNSSEC to version 1.4.12nb3. * Apply fix from OPENDNSSEC-778: double NSEC3PARAMS on re-salt.
Revision 1.61 / (download) - annotate - [select for diffs], Sun Dec 4 05:17:40 2016 UTC (7 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base,
pkgsrc-2016Q4
Changes since 1.60: +2 -2
lines
Diff to previous 1.60 (colored) to selected 1.20 (colored)
Recursive revbump from textproc/icu 58.1
Revision 1.60 / (download) - annotate - [select for diffs], Sun Nov 27 14:25:41 2016 UTC (7 years, 4 months ago) by he
Branch: MAIN
Changes since 1.59: +2 -1
lines
Diff to previous 1.59 (colored) to selected 1.20 (colored)
Avoid in effect calling xmlCleanupThreads twice, xmlCleanupParser has already internally called the former, and doing it twice causes an abort internally in the pthread library in NetBSD 7.0. Bump PKGREVISION.
Revision 1.59 / (download) - annotate - [select for diffs], Sun Nov 6 12:54:35 2016 UTC (7 years, 5 months ago) by he
Branch: MAIN
Changes since 1.58: +3 -4
lines
Diff to previous 1.58 (colored) to selected 1.20 (colored)
Update OpenDNSSEC to version 1.4.12. Local changes (retained from earlier versions): * Some adaptations of the build setup (conversion scripts etc.) * in signer/ixfr.c, log the zone name if the soamin assertion trigers * in signer/zone.c, if there's a bad ixfr journal file, save it, for debug Upstream changes: News: This is a bug fix release targeting a memory leak in the signer when being used in the "bump in the wire" model where the signer would send out notify messages and respond to IXFR requests for the signed zone. This typically would manifest itself with very frequent outgoing IXFRs over a longer period of time. When upgrading from 1.4.10 (the 1.4.11 release was skipped) no migration steps are needed. For upgrading from earlier releases see the migration steps in the individual releases, most notably in 1.4.8.2. This version of OpenDNSSEC does however require a slightly less older minimal version of the library ldns. Fixes: * OPENDNSSEC-808: Crash on query with empty query section (thanks Havard Eidnes). * SUPPORT-191: Regression, Must accept notify without SOA (thanks Christos Trochalakis). * OPENDNSSEC-845: memory leak occuring when responding to IXFR out when having had multiple updates. * OPENDNSSEC-805: Avoid full resign due to mismatch in backup file when upgrading from 1.4.8 or later. * OPENDNSSEC-828: parsing zone list could show data from next zone when zones iterated on single line. * OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other static code analysis cleanup * OPENDNSSEC-847: Broken DNS IN notifications when pkt answer section is empty. * OPENDNSSEC-838: Crash in signer after having removed a zone. * Update dependency to ldns to version 1.6.17 enabling the DNS HIP record. * Prevent responding to queries when not fully started yet.
Revision 1.58 / (download) - annotate - [select for diffs], Sat Jul 16 19:49:07 2016 UTC (7 years, 9 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base,
pkgsrc-2016Q3
Changes since 1.57: +2 -1
lines
Diff to previous 1.57 (colored) to selected 1.20 (colored)
Add a couple of patches I have been using with opendnssec in our installation: * Log the zone before triggering the "part->soamin" assert. We've seen this fire with older versions, but it's a while since I saw it happen. This is to provide more debugging info should it fire. * If an .ixfr journal file is detected as "corrupted", rename it to <zone>.ixfr-bad instead of unlinking it, which would leave no trace of OpenDNSSEC's own wrongdoing. * If the signer is exposed, avoid a potential DoS vector with a crafted message. Bump PKGREVISION.
Revision 1.57 / (download) - annotate - [select for diffs], Wed Jun 8 08:35:10 2016 UTC (7 years, 10 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base,
pkgsrc-2016Q2
Changes since 1.56: +2 -3
lines
Diff to previous 1.56 (colored) to selected 1.20 (colored)
Update OpenDNSSEC to version 1.4.10. News: This release fix targets stability issues which have had a history and had been hard to reproduce. Stability should be improved, running OpenDNSSEC as a long term service. Changes in TTL in the input zone that seem not to be propagated, notifies to slaves under load that where not handled properly and could lead to assertions. NSEC3PARAM that would appear duplicate in the resulting zone, and crashes in the signer daemon in seldom race conditions or re-opening due to a HSM reset. No migration steps needed when upgrading from OpenDNSSEC 1.4.9. Also have a look at our OpenDNSSEC 2.0 beta release, its impending release will help us forward with new development and signal phasing out historic releases. Fixes: * SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed zone. After a resalt the signer would fail to remove the old NSEC3PARAM RR until a manual resign or incoming transfer. Old NSEC3PARAMS are removed when inserting a new record, even if they look the same. * OPENDNSSEC-725: Signer did not properly handle new update while still distributing notifies to slaves. An AXFR disconnect looked not to be handled gracefully. * SUPPORT-171: Signer would sometimes hit an assertion using DNS output adapter when .ixfr was missing or corrupt but .backup file available. Above two issues also in part addresses problems with seemingly corrected backup files (SOA serial). Also an crash on badly configured DNS output adapters is averted. * The signer daemon will now refuse to start when failed to open a listen socket for DNS handling. * OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582 SUPPORT-88: Segmentation fault in signer daemon when opening and closing hsm multiple times. Also addresses other concurrency access by avoiding a common context to the HSM (a.k.a. NULL context). * OPENDNSSEC-798: Improper use of key handles across hsm reopen, causing keys not to be available after a re-open. * SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is changed. TTL changes should be treated like any other changes to records. When OpenDNSSEC now overrides a TTL value, this is now reported in the log files.
Revision 1.56 / (download) - annotate - [select for diffs], Mon Apr 11 19:02:03 2016 UTC (8 years ago) by ryoon
Branch: MAIN
Changes since 1.55: +2 -2
lines
Diff to previous 1.55 (colored) to selected 1.20 (colored)
Recursive revbump from textproc/icu 57.1
Revision 1.55 / (download) - annotate - [select for diffs], Sun Mar 13 09:36:59 2016 UTC (8 years, 1 month ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base,
pkgsrc-2016Q1
Changes since 1.54: +2 -2
lines
Diff to previous 1.54 (colored) to selected 1.20 (colored)
Bump PKGREVISION by chaging default version of Ruby.
Revision 1.54 / (download) - annotate - [select for diffs], Sat Mar 5 11:29:22 2016 UTC (8 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.53: +2 -1
lines
Diff to previous 1.53 (colored) to selected 1.20 (colored)
Bump PKGREVISION for security/openssl ABI bump.
Revision 1.53 / (download) - annotate - [select for diffs], Thu Feb 25 11:06:57 2016 UTC (8 years, 1 month ago) by he
Branch: MAIN
Changes since 1.52: +2 -2
lines
Diff to previous 1.52 (colored) to selected 1.20 (colored)
Upgrade opendnssec to version 1.4.9. Upstream changes: News: The main motivations for this release are bug fixes related to use cases with large number of zones (more than 50 zones) in combination with an XFR based setup. Too much concurrent zone transfers causes new transfers to be held back. These excess transfers however were not properly scheduled for later. No migration steps needed when upgrading from OpenDNSSEC 1.4.8. Bugfixes: * Add TCP waiting queue. Fix signer getting `stuck' when adding many zones at once. Thanks to Havard Eidnes to bringing this to our attention. * OPENDNSSEC-723: received SOA serial reported as on disk. * Fix potential locking issue on SOA serial. * Crash on shutdown. At all times join xfr and dns handler threads. * Make handling of notifies more consistent. Previous implementation would bounce between code paths.
Revision 1.52 / (download) - annotate - [select for diffs], Mon Nov 16 10:09:08 2015 UTC (8 years, 5 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base,
pkgsrc-2015Q4
Changes since 1.51: +2 -3
lines
Diff to previous 1.51 (colored) to selected 1.20 (colored)
Update OpenDNSSEC to version 1.4.8.2.
Pkgsrc changes:
* Adapt patches to match new files.
* Add new migration scripts to PLIST
Upstream changes:
News
* Support for RFC5011 style KSK rollovers. KSK section in the KASP
now accepts element.
* Enforcer: New repository option allows to generate keys with
CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped and
extracted from HSM.
Bugfixes
* SUPPORT-145: EOF handling an ARM architecture caused signer to hang.
* Fixed signer hitting assertion on short reply XFR handler.
* Include revoke bit in keytag calculation.
* Increased stacksize on some systems (thanks Patrik Lundin!).
* Stop ods-signerd on SIGINT.
Note:
* Updating from earlier versions of OpenDNSSEC requires use of the
database migration script(s) included in ${PKG}/share/opendnssec/
as the migrate_1_4_8* scripts.
Revision 1.51 / (download) - annotate - [select for diffs], Sat Oct 10 01:58:18 2015 UTC (8 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.50: +2 -2
lines
Diff to previous 1.50 (colored) to selected 1.20 (colored)
Recursive revbump from textproc/icu
Revision 1.50 / (download) - annotate - [select for diffs], Mon Apr 6 08:17:37 2015 UTC (9 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base,
pkgsrc-2015Q3,
pkgsrc-2015Q2-base,
pkgsrc-2015Q2
Changes since 1.49: +2 -1
lines
Diff to previous 1.49 (colored) to selected 1.20 (colored)
Revbump after updating textproc/icu
Revision 1.49 / (download) - annotate - [select for diffs], Thu Dec 4 15:58:21 2014 UTC (9 years, 4 months ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base,
pkgsrc-2015Q1,
pkgsrc-2014Q4-base,
pkgsrc-2014Q4
Changes since 1.48: +2 -3
lines
Diff to previous 1.48 (colored) to selected 1.20 (colored)
Update to version 1.4.7. Changes: * The patch for SUPPORT-147 got integrated upstream. * Regenerate enforcer/utils/Makefile.in diff Upstream changes: * SUPPORT-147: Zone updating via zone transfer can get stuck * Crash on 'retransfer command when not using DNS adapters.
Revision 1.48 / (download) - annotate - [select for diffs], Tue Nov 4 09:41:02 2014 UTC (9 years, 5 months ago) by he
Branch: MAIN
Changes since 1.47: +2 -2
lines
Diff to previous 1.47 (colored) to selected 1.20 (colored)
There's one more useless ntohl(), get rid of that as well. Bump PKGREVISION.
Revision 1.47 / (download) - annotate - [select for diffs], Fri Oct 31 16:32:39 2014 UTC (9 years, 5 months ago) by he
Branch: MAIN
Changes since 1.46: +2 -2
lines
Diff to previous 1.46 (colored) to selected 1.20 (colored)
Fix a bug related to restoring various data from .xfrd-state files: there's no need to byte-swap values read from a local file. This would cause some IXFRs to mysteriously and consistently fail until manual intervention is done, because the wrong (byte-swapped) SOA serial# was being stuffed into the IXFR requests. Ref. https://issues.opendnssec.org/browse/SUPPORT-147. Also fix the rc.d script to not insist that the components must be running to allow "stop" to proceed, so that "restart" or "stop" can be done if one or both of the processes have exited or crashed. Bump PKGREVISION.
Revision 1.46 / (download) - annotate - [select for diffs], Tue Oct 28 13:26:37 2014 UTC (9 years, 5 months ago) by he
Branch: MAIN
Changes since 1.45: +4 -2
lines
Diff to previous 1.45 (colored) to selected 1.20 (colored)
Add an rc.d script for NetBSD.
Revision 1.45 / (download) - annotate - [select for diffs], Tue Oct 7 16:47:35 2014 UTC (9 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.44: +2 -1
lines
Diff to previous 1.44 (colored) to selected 1.20 (colored)
Revbump after updating libwebp and icu
Revision 1.44 / (download) - annotate - [select for diffs], Sat Sep 27 19:41:06 2014 UTC (9 years, 6 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base,
pkgsrc-2014Q3
Changes since 1.43: +2 -2
lines
Diff to previous 1.43 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.4.6 - 2014-07-21 * Signer Engine: Print secondary server address when logging notify reply errors. * Build: Fixed various OpenBSD compatibility issues. * OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and signer, and <SocketFile> for the signer. * New tool: ods-getconf: to retrieve a configuration value from conf.xml given an expression. Bugfixes: * OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup can't be written zone is still added to database, solved it by checking the zonelist.xml.backup is writable before adding zones, and add error message when add zone failed. * OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone the first time due to RFC 1982 serial arethmetic. * OPENDNSSEC-619: memory leak when signer failed, solved it by add ldns_rr_free(signature) in libhsm.c * OPENDNSSEC-627: Signer Engine: Unable to update serial after restart when the backup files has been removed. * OPENDNSSEC-628: Signer Engine: Ingored notifies log level is changed from debug to info. * OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone. * libhsm: Fixed a few other memory leaks. * simple-dnskey-mailer.sh: Fix syntax error.
Revision 1.43 / (download) - annotate - [select for diffs], Mon Jun 9 10:18:12 2014 UTC (9 years, 10 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base,
pkgsrc-2014Q2
Changes since 1.42: +9 -3
lines
Diff to previous 1.42 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.4.5 Bugfixes: * OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key generation. * OPENDNSSEC-609: ods-ksmutil: 'key list' command fails with error in 1.4.4 on MySQL.
Revision 1.42 / (download) - annotate - [select for diffs], Wed Apr 9 07:27:16 2014 UTC (10 years ago) by obache
Branch: MAIN
Changes since 1.41: +2 -1
lines
Diff to previous 1.41 (colored) to selected 1.20 (colored)
recursive bump from icu shlib major bump.
Revision 1.41 / (download) - annotate - [select for diffs], Thu Mar 27 19:51:06 2014 UTC (10 years ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base,
pkgsrc-2014Q1
Changes since 1.40: +2 -3
lines
Diff to previous 1.40 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.4.4: * SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-574]. * OPENDNSSEC-358: ods-ksmutil:Extend 'key list' command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output. * OPENDNSSEC-457: ods-ksmutil: Add a check on the 'zone add' input/output type parameter to allow only File or DNS. * OPENDNSSEC-549: Signer Engine: Put NSEC3 records on empty non-terminals derived from unsigned delegations (be compatible with servers that are incompatible with RFC 5155 errata 3441). * Make/build: Include README.md in dist tar-ball. Bugfixes: * SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512]. * SUPPORT-97: Signer Engine: Fix after restart signer thinks zone has expired [OPENDNSSEC-526]. * SUPPORT-101: Signer Engine: Fix multiple zone transfer to single file bug [OPENDNSSEC-529]. * SUPPORT-102: Signer Engine: Fix statistics (count can be negative)/ * SUPPORT-108: Signer Engine: Don't replace tabs in RRs with whitespace [OPENDNSSEC-520]. * SUPPORT-116: ods-ksmutil: 'key import' date validation fails on certain dates [OPENDNSSEC-553]. * SUPPORT-128: ods-ksmutil. Man page had incorrect formatting [OPENDNSSEC-576]. * SUPPORT-127: ods-signer: Fix manpage sections. * OPENDNSSEC-481: libhsm: Fix an off-by-one length check error. * OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects. * OPENDNSSEC-531: ods-ksmutil: Exported value of <Parent><SOA><TTL> in 'policy export' output could be wrong on MySQL. * OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id. * OPENDNSSEC-544: Signer Engine: Fix assertion error that happens on an IXFR request with EDNS. * OPENDNSSEC-546: enforcer & ods-ksmutil: Improve logging on key creation and alloctaion. * OPENDNSSEC-560: Signer Engine: Don't crash when unsigned zone has no SOA. * Signer Engine: Fix a race condition when stopping daemon.
Revision 1.40 / (download) - annotate - [select for diffs], Wed Feb 12 23:18:34 2014 UTC (10 years, 2 months ago) by tron
Branch: MAIN
Changes since 1.39: +2 -1
lines
Diff to previous 1.39 (colored) to selected 1.20 (colored)
Recursive PKGREVISION bump for OpenSSL API version bump.
Revision 1.39 / (download) - annotate - [select for diffs], Thu Dec 5 12:56:14 2013 UTC (10 years, 4 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base,
pkgsrc-2013Q4
Changes since 1.38: +2 -3
lines
Diff to previous 1.38 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.4.3: Updates: * SUPPORT-72: Improve logging when failed to increment serial in case of key rollover and serial value "keep" [OPENDNSSEC-461]. * OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts the enforcer to run once and only process the specified policy and associated zones. * OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml. Default value remains PT0S. * OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen' command so the user can choose not to notify the enforcer. * OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - Zone add command could warn if a specified zone file or adapter file does not exits. * OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input> and <output> values for DNS adapters. * OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import' to check if there is a matching key in the repository before import. Bugfixes: * OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature cleanup. * OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly. * OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back to AXFR. * OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use inbound serial.
Revision 1.38 / (download) - annotate - [select for diffs], Wed Dec 4 17:03:02 2013 UTC (10 years, 4 months ago) by jperkin
Branch: MAIN
Changes since 1.37: +6 -5
lines
Diff to previous 1.37 (colored) to selected 1.20 (colored)
Pull in OpenSSL to fix non-builtin case. Use C99. Fixes SunOS build. Patches from Sebastian Wiedenroth.
Revision 1.37 / (download) - annotate - [select for diffs], Sat Oct 19 09:07:11 2013 UTC (10 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.36: +2 -1
lines
Diff to previous 1.36 (colored) to selected 1.20 (colored)
Revbump after updating textproc/icu
Revision 1.36 / (download) - annotate - [select for diffs], Fri Sep 13 21:59:51 2013 UTC (10 years, 7 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base,
pkgsrc-2013Q3
Changes since 1.35: +2 -2
lines
Diff to previous 1.35 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.4.2 - 2013-09-11 * OPENDNSSEC-428: ods-ksmutil: Add option for 'ods-ksmutil key generate' to take number of zones as a parameter Bugfixes: * SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write error [OPENDNSSEC-427]. * SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection error during signing [OPENDNSSEC-444]. * OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg fault when run directly on command line (i.e. not via interactive mode) * OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create too many keys if there are keys already available and the KSK and ZSK use same algorithm and length * OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead of memory. Makes response non-blocking. * OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes to stdout not stderr * OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create too many keys for <SharedKeys/> policies when KSK and ZSK use same algorithm and length * OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling * Signer Engine: Improved Inbound XFR checking. * Signer Engine: Fix double free corruption in case of adding zone with DNS Outbound Adapters and NotifyCommand enabled.
Revision 1.35 / (download) - annotate - [select for diffs], Thu Aug 22 11:05:45 2013 UTC (10 years, 7 months ago) by he
Branch: MAIN
Changes since 1.34: +5 -17
lines
Diff to previous 1.34 (colored) to selected 1.20 (colored)
Update OpenDNSSEC from version 1.3.14nb1 to 1.4.1.
Pkgsrc changes:
* Get rid of ruby dependencies, since the validator is no longer
included in OpenDNSSEC
* Adapt PLIST to changes in installed files
* Add a patch so that the database migration scripts are installed
as part of the package
Upstream notable changes:
* SUPPORT-58: Extend ods-signer sign <zone> with -serial <nr> so
that the user can specify the SOA serial to use in the signed
zone [OPENDNSSEC-401].
* OPENDNSSEC-91: Make the keytype flag required when rolling keys
Bugfixes:
* SUPPORT-60: Fix datecounter in case inbound serial is higher
than outbound serial [OPENDNSSEC-420].
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on
SOA Minimum change.
* OPENDNSSEC-421: Signer Engine: Fix assertion error in case
NSEC3 hash algorithm in signconf is not SHA1.
* OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm
in kasp is valid.
* Bugfix: The time when inbound serial is acquired was reset
invalidly, could cause OpenDNSSEC wanting AXFR responses while
requesting IXFR (thanks Stuart Lau).
* Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet
(thanks Stuart Lau).
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not
work correctly when rolling all keys using the -policy option
Revision 1.34 / (download) - annotate - [select for diffs], Fri Jul 12 10:45:02 2013 UTC (10 years, 9 months ago) by jperkin
Branch: MAIN
Changes since 1.33: +2 -1
lines
Diff to previous 1.33 (colored) to selected 1.20 (colored)
Bump PKGREVISION of all packages which create users, to pick up change of sysutils/user_* packages.
Revision 1.33 / (download) - annotate - [select for diffs], Sat Jun 15 16:42:48 2013 UTC (10 years, 10 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base,
pkgsrc-2013Q2
Changes since 1.32: +2 -3
lines
Diff to previous 1.32 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.14 - 2013-05-16 * OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly) * OPENDNSSEC-91: Make the keytype flag required when rolling keys * OPENDNSSEC-403: Signer Engine: new command 'ods-signer locks' that shows locking information (for debugging purposes). Bugfixes: * OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change. * OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for output. * OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option * SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
Revision 1.32 / (download) - annotate - [select for diffs], Thu May 9 07:40:30 2013 UTC (10 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.31: +2 -1
lines
Diff to previous 1.31 (colored) to selected 1.20 (colored)
Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu.
Revision 1.31 / (download) - annotate - [select for diffs], Thu Feb 21 15:51:17 2013 UTC (11 years, 1 month ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base,
pkgsrc-2013Q1
Changes since 1.30: +2 -3
lines
Diff to previous 1.30 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.13 - 2013-02-20 Bugfixes: * OPENDNSSEC-388: Signer Engine: Internal serial should take into account the inbound serial. * OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while signconf was not changed. * Signer Engine: Fixed locking and notification on the drudge work queue, signals could be missed so that drudgers would stall when there was work to be done.
Revision 1.30 / (download) - annotate - [select for diffs], Mon Feb 11 05:01:13 2013 UTC (11 years, 2 months ago) by taca
Branch: MAIN
Changes since 1.29: +4 -3
lines
Diff to previous 1.29 (colored) to selected 1.20 (colored)
Depends on rubygems when ruby's version is 1.8.7. Bump PKGREVISION.
Revision 1.29 / (download) - annotate - [select for diffs], Sat Jan 26 21:38:48 2013 UTC (11 years, 2 months ago) by adam
Branch: MAIN
Changes since 1.28: +2 -1
lines
Diff to previous 1.28 (colored) to selected 1.20 (colored)
Revbump after graphics/jpeg and textproc/icu
Revision 1.28 / (download) - annotate - [select for diffs], Wed Dec 5 20:03:59 2012 UTC (11 years, 4 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base,
pkgsrc-2012Q4
Changes since 1.27: +3 -3
lines
Diff to previous 1.27 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.12 - 2012-12-03 Bugfixes: * SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a directory in the default search path of the complier). * OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on the OpenDNSSEC implementation of strlcpy/cat
Revision 1.27 / (download) - annotate - [select for diffs], Tue Nov 13 16:32:25 2012 UTC (11 years, 5 months ago) by pettai
Branch: MAIN
Changes since 1.26: +2 -2
lines
Diff to previous 1.26 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.11 * OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero. Bugfixes: * OPENDNSSEC-306: Cant delete zone until Enforcer made signerconf. * OPENDNSSEC-281: Commandhandler sometimes unresponsive. * OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import * OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning * OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27) * OPENDNSSEC-342: Auditor comparisons made case-insensitive * OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process
Revision 1.26 / (download) - annotate - [select for diffs], Tue Oct 23 18:16:38 2012 UTC (11 years, 5 months ago) by asau
Branch: MAIN
Changes since 1.25: +1 -3
lines
Diff to previous 1.25 (colored) to selected 1.20 (colored)
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Revision 1.25 / (download) - annotate - [select for diffs], Mon Aug 13 13:50:06 2012 UTC (11 years, 8 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base,
pkgsrc-2012Q3
Changes since 1.24: +2 -2
lines
Diff to previous 1.24 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.10 Bugfixes: * SUPPORT-30: RRSIGs are left in the signed zone when authoritative RRsets become glue [OPENDNSSEC-282]. * OPENDNSSEC-261: Ldns fails to parse RR that seems syntactically correct. Was due to memory allocation issues. Provided better log message. * OPENDNSSEC-285: Signer segfault for 6 or more -v options * OPENDNSSEC-298: Only unlink existing pidfile on exit if we wrote it. * OPENDNSSEC-303: Return if open/parse of zonelist.xml fails in ksmutil.c update_zones() and cmd_listzone(). * OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists and corresponding process is running, then complain and exit. * Signer seems to hang on a ods-signer command. Shutdown client explicitly with shutdown(). * opendnssec.spec file removed
Revision 1.24 / (download) - annotate - [select for diffs], Thu Jun 21 12:46:12 2012 UTC (11 years, 9 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base,
pkgsrc-2012Q2
Changes since 1.23: +2 -3
lines
Diff to previous 1.23 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.9 * OPENDNSSEC-277: Enforcer: Performance optimisation of database access. Bugfixes: * SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as dead (rather than actually removing them). Leave the key removal to purge jobs. (Ok'ed by wiz@)
Revision 1.23 / (download) - annotate - [select for diffs], Thu Jun 14 07:45:29 2012 UTC (11 years, 10 months ago) by sbd
Branch: MAIN
Changes since 1.22: +2 -1
lines
Diff to previous 1.22 (colored) to selected 1.20 (colored)
Recursive PKGREVISION bump for libxml2 buildlink addition.
Revision 1.22 / (download) - annotate - [select for diffs], Wed May 23 10:09:21 2012 UTC (11 years, 10 months ago) by pettai
Branch: MAIN
Changes since 1.21: +2 -3
lines
Diff to previous 1.21 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.8 * OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs even if zonelist has not changed. * OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names (RFC 2317). * OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite only, MySQL already has them.) * OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration, but ods-auditor is not installed * OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do then say so rather than display nothing which might be misinterpreted. Bugfixes: * OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA Minimum change. * OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all"
Revision 1.21 / (download) - annotate - [select for diffs], Fri Apr 27 12:32:02 2012 UTC (11 years, 11 months ago) by obache
Branch: MAIN
Changes since 1.20: +2 -2
lines
Diff to previous 1.20 (colored)
Recursive bump from icu shlib major bumped to 49.
Revision 1.20 / (download) - annotate - [selected], Thu Mar 22 14:25:26 2012 UTC (12 years ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base,
pkgsrc-2012Q1
Changes since 1.19: +2 -1
lines
Diff to previous 1.19 (colored)
Bump PKGREVISION reflecting the default Ruby's version change.
Revision 1.19 / (download) - annotate - [select for diffs], Sun Mar 18 17:38:46 2012 UTC (12 years, 1 month ago) by pettai
Branch: MAIN
Changes since 1.18: +2 -2
lines
Diff to previous 1.18 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.7 * OPENDNSSEC-215: Signer Engine: Always recover serial from backup, even if it is corrupted, preventing unnecessary serial decrementals. * OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that the daemon will start after a power failure. Bugfixes: * ods-hsmutil: Fixed a small memory leak when printing a DNSKEY. * OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug. * OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators in the signer backup files and the HSM are out of sync. * OPENDNSSEC-225: Fix problem with pid found when not existing. * SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key material with leading zeroes. DNSSEC does not allow leading zeroes in key data. You are affected by this bug if your DNSKEY RDATA e.g. begins with "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize incoming data before adding it to the DNSKEY. Do not upgrade to this version if you are affected by the bug. You first need to go unsigned, then do the upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not produce data with leading zeroes and the bug will thus not affect you. OpenDNSSEC 1.3.6 * OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to reconnect if it is not valid. * OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of time, let worker wait with pushing sign operations until the queue is non-full. * Signer Engine: Adjust some log messages. Bugfixes: * ods-control: Wrong exit status if Enforcer was already running. * OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the help usage text. * OPENDNSSEC-207: Signer Engine: Fix communication from a process not attached to a shell. * OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing signed file to an intermediate file first.
Revision 1.18 / (download) - annotate - [select for diffs], Mon Jan 23 11:19:26 2012 UTC (12 years, 2 months ago) by pettai
Branch: MAIN
Changes since 1.17: +3 -3
lines
Diff to previous 1.17 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.5 * Auditor: Include the zone name in the log messages. * ldns 1.6.12 is required for bugfixes. * ods-ksmutil: Suppress database connection information when no -v flag is given. * ods-enforcerd: Stop multiple instances of the enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag. * ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is put back the signer will not pick up the old file. * Signer Engine: Verbosity can now be set via conf.xml, default is 3. Bugfixes: * Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config or -c when starting the signer. * Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that becomes opt-out. * Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals. * Signer Engine: A file descriptor for sockets with value zero is allowed. * Signer Engine: Only log messages about a full signing queue in debug mode. * Signer Engine: Fix time issues, make sure that the internal serial does not wander off after a failed audit. * Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms with extra long signature expiration dates. More information in separate announcement.
Revision 1.17 / (download) - annotate - [select for diffs], Mon Dec 12 09:07:22 2011 UTC (12 years, 4 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base,
pkgsrc-2011Q4
Changes since 1.16: +2 -2
lines
Diff to previous 1.16 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.4 Bugfixes: * Signer: Use debug instead of warning for drudgers queue being full, also sleep 10 ms if it is full to not hog CPU. This increased signing speed on single core machines by a factor of 2.
Revision 1.16 / (download) - annotate - [select for diffs], Thu Nov 24 13:05:44 2011 UTC (12 years, 4 months ago) by taca
Branch: MAIN
Changes since 1.15: +7 -2
lines
Diff to previous 1.15 (colored) to selected 1.20 (colored)
Enable build with ruby19/193 with dependency to net/ruby-soap4r.
Revision 1.15 / (download) - annotate - [select for diffs], Fri Nov 18 21:42:45 2011 UTC (12 years, 5 months ago) by pettai
Branch: MAIN
Changes since 1.14: +4 -3
lines
Diff to previous 1.14 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.3 Bugfixes: * Auditor: Handle ruby 1.9 differences in ods-kaspcheck. * Auditor: Require dnsruby 1.53 for bugfixes. * Bugfix #262: Drudgers seem to be in a waiting state, but the RRset FIFO queue is full. Do an additional broadcast. * Enforcer: Check HSM connection when waking up from sleep, attempt to reconnect if it is not valid. (r5511 in trunk, ported into the branch due to issues seen when CKR_DEVICE_ERROR returned by HSM.) * libhsm: Added hsm_check_context() to check if the associated sessions are still alive. (Required for the above.) * ods-ksmutil: key import was not setting the retire time. * Signer Engine: Fix a threading issue, that could leave a zone without a task. * Signer Engine: Update the signed zone file if only the $TTL or explicit TTL has been changed. * Signer Engine: Remove the NSEC3PARAM RR when doing NSEC3 to NSEC rollover. * Signer Engine: Deal with carriage returns (dos format) in zone file. * Signer Engine: is PT0S means that refresh equals signtime. * Signer Engine: Defense in depth in signer for duplicate keys. * Signer Engine: Make sure that all required zonelist elements exist, otherwise error. * Signer Engine: Warn the user if the serial is b0rk, and you can not use the serial from the signconf. * Signer Engine: Log Auditor exit code. * Fix a similar bug like #257: Error in ods-signerd, where a corrupted backup file results in an invalid pointer free().
Revision 1.14 / (download) - annotate - [select for diffs], Sat Sep 17 22:35:25 2011 UTC (12 years, 7 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base,
pkgsrc-2011Q3
Changes since 1.13: +2 -3
lines
Diff to previous 1.13 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.2 Bugfixes: * Bugfix #257: Error in ods-signerd, where a corrupted backup file results in an invalid pointer free(). * Signer Engine: Mark that a zone has a valid signer configuration, after recovering the zone from the backup files. OpenDNSSEC 1.3.1 Bugfixes: * Auditor: Fix 'ZSK in use too long' message to handle new signer behaviour. * Bugfix #255: RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein) * Bugfix #256: Make sure argument in "ods-control signer" is not stripped off. * Bugfix #259: ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running "ods-ksmutil setup". * Bugfix #260: "ods-ksmutil zone list" now handles empty zonelists. * Enforcer: Unsigned comparison resulting in wrong error message. * ods-ksmutil: fixed issue where first ds-seen command run on a zone would work, but return an error code and not send a HUP to the enforcerd. * Signer Engine: A threading issue occasionally puts the default validity on NSEC(3) RRs and the denial validity on other RRs. * Signer Engine: An update command could interrupt the signing process and the zone would get missing signatures. * Signer Engine: Fix an issue where some systems could not copy the zone file. * Zonefetcher: Check inbound serial in transferred file, to prevent redundant zone transfers.
Revision 1.13 / (download) - annotate - [select for diffs], Fri Sep 16 02:26:45 2011 UTC (12 years, 7 months ago) by obache
Branch: MAIN
Changes since 1.12: +2 -1
lines
Diff to previous 1.12 (colored) to selected 1.20 (colored)
Bump PKGREVISION from RUBY_VERSION_DEFAULT changes.
Revision 1.12 / (download) - annotate - [select for diffs], Wed Jul 27 03:13:25 2011 UTC (12 years, 8 months ago) by pettai
Branch: MAIN
Changes since 1.11: +2 -3
lines
Diff to previous 1.11 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.3.0 * Include simple-dnskey-mailer-plugin in dist. * Enforcer: Change message about KSK retirement to make it less confusing. Bugfixes: * ods-control: If the Enforcer did not close down, you entered an infinite loop. * Signer Engine: Fix log message typos. * Signer Engine: Fix crash where ods-signer update * Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy. * Zonefetcher: Sometimes invalid 'Address already in use' occurred. * Bugfix #247: Fixes bug introduced by bugfix #242. OpenDNSSEC 1.3.0rc3 * Do not distribute trang. Bugfixes: * Fix test for java executable and others. * Auditor: Fix delegation checks. * Bugfix #242: Race condition when receiving multiple NOTIFIES for a zone. * ods-kaspcheck: Do not expect resalt in NSEC policy. * Signer Engine: Ifdef a header file. * Signer Engine: The default working directory was not specified. * Signer Engine: Handle stdout console output throttling that would truncate daemon output intermittently. OpenDNSSEC 1.3.0.rc2 * Match the names of the signer pidfile and enforcer pidfile. * Include check for resign < resalt in ods-kaspcheck. Bugfixes: * Bugfix #231: Fix MySQL version check. * ods-ksmutil: Update now sends a HUP to the enforcerd. * Signer Engine: Fix assertion failure if zone was just added. * Signer Engine: Don't hsm_close() on setup error. * Signer Engine: Fix race condition bug when doing a single run. * Signer Engine: In case of failure, also mark zone processed (single run). * Signer Engine: Don't leak backup file descriptor. * signconf.rnc now allows NSEC3 Iterations of 0 OpenDNSSEC 1.3.0rc1 * <SkipPublicKey/> is enabled for SoftHSM in the default configuration. It improves the performance by only using the private key objects. * Document the <RolloverNotification> tag in conf.xml. Bugfixes: * Bugfix #221: Segmentation Fault on schedule.c:232 * Enforcer: 'make check' now works. * Enforcer: Fixed some memory leaks in the tests. * Signer Engine: Coverity report fixes some leaks and thread issues. * Signer Engine: Now logs to the correct facility again. OpenDNSSEC 1.3.0b1 * Support for signing the root. Use the zone name "." * Enforcer: Stop import of policy if it is not consistent. * ods-signer: The queue command will now also show what tasks the workers are working on. * Signer Engine: Just warn if occluded zone data was found, don't stop signing p rocess. * Signer Engine: Simpler serial maintenance, reduces the number of conflicts. Less chance to hit a 'cannot update: serial too small' error message. * Signer Engine: Simpler NSEC(3) maintenance. * Signer Engine: Temperate the number of backup files. * Signer Engine: Set number of <SignerThreads> in conf.xml to get peak performance from HSMs that can handle multiple threads. Bugfixes: * Bugreport #139: ods-auditor fails on root zone. * Bugreport #198: Zone updates ignored? * Replace tab with white-space when writing to syslog. * Signer Engine: Do not block update command while signing.
Revision 1.11 / (download) - annotate - [select for diffs], Fri Jun 10 09:40:00 2011 UTC (12 years, 10 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base,
pkgsrc-2011Q2
Changes since 1.10: +2 -1
lines
Diff to previous 1.10 (colored) to selected 1.20 (colored)
recursive bump from textproc/icu shlib major bump.
Revision 1.10 / (download) - annotate - [select for diffs], Mon Mar 21 15:52:25 2011 UTC (13 years, 1 month ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base,
pkgsrc-2011Q1
Changes since 1.9: +10 -5
lines
Diff to previous 1.9 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.2.1: * ldns 1.6.9 is required for bugfixes. * dnsruby-1.52 required for bugfixes. Bugfixes: * Auditor: 'make check' now works when srcdir != builddir. * Auditor: Include the 'make check' files in the tarball. * Enforcer: Fix the migration script for SQLite. * Enforcer: Increase size of keypairs(id) field in MySQL to allow more than 32767 keys; see MIGRATION for details. * Enforcer: Minor change to NOT_READY_KEY error message. * libhsm: Increase the maximum number of attached HSM:s from 10 to 100. * ods-ksmutil: Send trivial MySQL messages to stdout when exporting zonelist etc. Otherwise the resulting XML needs to be edited by hand. * ods-control: Fix for Bourne shell. * Signer Engine: Prevent race condition when setting up the workers and the command handler. * Signer Engine: Check if the signature exists before recycling it. * Signer Engine: Quit when there are errors in the configuration. * Signer Engine: Enable core dump on failure. * Signer Engine: Explicitly close down log msg with null. * Signer Engine: Backup state after writing output. * Signer Engine: Allow update of serial if internal structure is not initialized.
Revision 1.9 / (download) - annotate - [select for diffs], Mon Jan 24 20:30:28 2011 UTC (13 years, 2 months ago) by pettai
Branch: MAIN
Changes since 1.8: +9 -12
lines
Diff to previous 1.8 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.2.0: Bugfixes: * Enforcer: Fixed a number of build warnings. OpenDNSSEC 1.2.0rc3: * Moved migration instructions to the file MIGRATION Bugfixes: * Bugreport #199: The previous DB schema change made the zone removal broken. * Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk). * Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand. * Enforcer: Replace tab with a space character in the DNSKEY printed to syslog. * Enforcer: Fixed pontential format string bug. * ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby. * Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you. * Signer Engine: Set notify command for zone when receiving ods-signer update. * Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed in KASP. * Signer Engine: Now logs to the correct facility. * Signer Engine: Also remove NSEC records when detecting changes in signconf <Denial> * Signer Engine: Dropped privileges before starting Zonefetcher. OpenDNSSEC 1.2.0rc2: Bugfixes: * Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive. * Signer Engine: Also create new signature if TTL of RR has changed. * Signer Engine: Drop old NSEC/NSEC3 records. * ods-ksmutil: Fixed some memory leaks. OpenDNSSEC 1.2.0rc1: * New commandline option for the signer: ods-signer running. * Allow connection to different MySQL ports in the Enforcer. * Tone down and explain warning when converting M or Y to seconds * ldns 1.6.7 is required for bugfixes * dnsruby 1.51 is required for bugfixes Bugfixes: * Bugreport #187: ods-control signer start will return non-zero if start up failed (uses ods-signer running). * Narrow glue at the zone cut is allowed, do not consider it as occluded. * Move zone fetcher output to correct input adapter file. * Enforcer shared keys on zones with ShareKeys disabled. * Make names of key states consistent. * Signer Engine file descriptor leak fix on engine.sock. * Set explicit "unlimited" repository capacity to prevent random integer being read. Requires "ods-ksmutil update conf" to be run if using an existing database. * Fix issue with key generation creating too many keys Ticket #194. * Bugreport #189: Auditor did not handle white-space-seperated substrings for base64 text * Bugreport #190: Auditor (and signer) does not handle case correctly * Signer now silence stdout-output from the notify command OpenDNSSEC 1.2.0b1: * A new signer engine, written in c. Zones are maintained in memory, instead of in files on disk. * Removed the python and python-4suite-xml dependencies. * Remove separate autoconf for libhsm/conf/enforcer. * Add option to disable building the signer. * Signer logs statistics just after outputting a new signed zone. * libhsm will skip processing (and not create) any public keys if the per repository option <SkipPublicKey/> is set. * Keysharing improved - keys can now exist in different states on each zone that the key is in use for. * Backup prepare/commit/rollback added for 2-step backups without taking the enforcer offline. * Standby keys are now optional (default to 0) and should be considered experimental. Bugfixes: * Fix semantics of refresh value in Signer Engine. * Auditor handles chains of empty nonterminals correctly. * Recalculate salt immediately if the saltlength is changed. * libhsm connected to slot 0 if the token label was not found. An error is now returned instead of connecting to the slot. * Bugreport #102: Removed the obsoleted python-4suite-xml dependency. * Fixed Known Issue: KSK rollover requires manual timing. * Fixed Known Issue: Key rollover and reuse of signatures. * Fixed Known Issue: Issue with sharing keys and adding zones. * Fixed Known Issue: Quicksorter does not allow certain owner names (Quicksorter is removed, signer now reads and sorts the zone).
Revision 1.8 / (download) - annotate - [select for diffs], Mon Sep 13 07:53:06 2010 UTC (13 years, 7 months ago) by pettai
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base,
pkgsrc-2010Q4,
pkgsrc-2010Q3-base,
pkgsrc-2010Q3
Changes since 1.7: +2 -2
lines
Diff to previous 1.7 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.1.3: Bugfixes: * Bugreport #183: Partial zone could get signed if zone transfer failed when using zone_fetcher
Revision 1.7 / (download) - annotate - [select for diffs], Fri Sep 10 07:40:32 2010 UTC (13 years, 7 months ago) by taca
Branch: MAIN
Changes since 1.6: +2 -2
lines
Diff to previous 1.6 (colored) to selected 1.20 (colored)
* Ajust new ruby package's framework.
Revision 1.6 / (download) - annotate - [select for diffs], Mon Aug 30 13:51:57 2010 UTC (13 years, 7 months ago) by pettai
Branch: MAIN
Changes since 1.5: +4 -4
lines
Diff to previous 1.5 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.1.2: Dnsruby 1.49 now required (for correct zone parsing) ldns 1.6.6 is required to fix the zone fetcher bug Bugfixes: * ods-control stop did not stopped zone fetcher (bug was introduced in 1.1.0) * Auditor correctly handles chains of empty nonterminals * Zone fetcher can block zone transfers if AXFR once failed. This is a bug in ldns versions 1.6.5 and lower. See KNOWN_ISSUES for more information. * Bugreport #165: Ensure Output SOA serial is always bigger than Input SOA serial. * Bugreport #166: Correct exit value from signer. * Bugreport #167: Zone fetcher now also picks up changes when zonelist is reloaded * Bugreport #168: ods-control with tightened control for the Enforcer * Bugreport #169: Do not include config.h in the distribution * Bugreport #170: Typo in a man page (ods-signer) * Bugreport #172: Correction of some macros in a man page (ods-timing) * Bugreport #173: A man page used a macro that does not exist (ods-ksmutil)
Revision 1.5 / (download) - annotate - [select for diffs], Fri Jul 16 22:22:38 2010 UTC (13 years, 9 months ago) by pettai
Branch: MAIN
Changes since 1.4: +2 -2
lines
Diff to previous 1.4 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.1.1: Bugfixes: * Bugreport #127: Large SOA serial numbers were not handled properly by signer * Bugreport #133: Better handling of SOA serial when setting is 'keep' * Bugreport #136: quicksorter could not handle standard bind format SOA rdata * The Auditor could not handle the new way of rolling KSKs * One log message in the Enforcer referred to an old command * The Enforcer forgot to publish certain keys during transition between states
Revision 1.4 / (download) - annotate - [select for diffs], Sat Jun 19 14:21:57 2010 UTC (13 years, 10 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2010Q2-base,
pkgsrc-2010Q2
Changes since 1.3: +2 -2
lines
Diff to previous 1.3 (colored) to selected 1.20 (colored)
Fix dependency pattern
Revision 1.3 / (download) - annotate - [select for diffs], Wed Jun 16 00:19:08 2010 UTC (13 years, 10 months ago) by pettai
Branch: MAIN
Changes since 1.2: +17 -4
lines
Diff to previous 1.2 (colored) to selected 1.20 (colored)
OpenDNSSEC 1.1.0:
* Partial Auditor added
* Dnsruby-1.46 required
* Improved error messages when the system runs out of keys
* Optimise communication of signconfs for multiple zones sharing keys.
Group zones in zonelist.xml by policy to get this benefit.
* Bugreport #101: Signer Engine now maintains its own pidfile.
* Jitter redefined: now in the range of [-jitter, ..., +jitter]
* Optimized sorter: quicksorter (sorter becomes obsolete).
* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er
become obsolete).
* Enable database selection using --with-database-backend={sqlite3|mysql}
* Enable the EPP-client using --enable-eppclient
For sending DS RR to the parent zone (experimental)
* Turn NSEC3 OptOut off by default
* Install kasp2html XML stylesheet
* Add simple kasp2html conversion script
* DNSKEY records communicated to an external script if configured
* The command 'ods-signer restart' is removed.
* Signer Engine now also reuses signatures after a change in NSEC(3)
configuration or rolling keys.
* Quicksorter defaults to class IN.
And a lot of bugfixes...
Revision 1.2 / (download) - annotate - [select for diffs], Thu May 6 14:56:16 2010 UTC (13 years, 11 months ago) by pettai
Branch: MAIN
Changes since 1.1: +2 -2
lines
Diff to previous 1.1 (colored) to selected 1.20 (colored)
fixed email
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Thu May 6 12:50:17 2010 UTC (13 years, 11 months ago) by pettai
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored) to selected 1.20 (colored)
The OpenDNSSEC project announces the development of Open Source software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.
Revision 1.1 / (download) - annotate - [select for diffs], Thu May 6 12:50:17 2010 UTC (13 years, 11 months ago) by pettai
Branch: MAIN
Diff to selected 1.20 (colored)
Initial revision