forked from opendnssec/opendnssec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ANNOUNCE
102 lines (93 loc) · 5.65 KB
/
ANNOUNCE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
OpenDNSSEC 2.1 development was focused on improving the daemon code for
the Signer and Enforcer. As such it is much more a steady incremental
improvement rather than revolutionary. With this style of development
we hope that a migration from 1.4, for which an end-of-life is to be
given, is facilitated.
Many of these changes are not directly visible but improve the handling
and responsiveness or unify the Signer and Enforcer code bases. These
improvements are not all mentioned in the issue list below because of
their detail. Attention has been given to different roll-over methods
and we now test fully with SoftHSMv2.
MIGRATION
If upgrading from 1.4 or earlier releases you should follow the migration
steps for 2.0. A migration first to 2.0 is not necessary. If upgrading
from a release prior 1.4.10 you should upgrade to 1.4.10 first.
FEATURES
* OPENDNSSEC-779: The Enforcer will now have an 'enforce' and 'signconf'
task scheduled per zone. 'Resalt' tasks are scheduled per policy. This
improves performance and parallelism since no longer all zones need to
be evaluated for work to be done. Further parallelism improvements in
the Enforcer are on our roadmap.
* OPENDNSSEC-681: When daemonizing the Signer and Enforcer daemons fork to the
background. Since they are then no longer able to print messages to the
console startup problems are harder to debug. Now, after the fork() call
the parent process will wait for the daemon to signal successful start and
will print relevant error messages in case it doesn't.
* OPENDNSSEC-479: On sending notifies and initiating zone transfers the
signer will now use the first interface mentioned in the listener section
of conf.xml. This way the interface selection is not left to the OS, which
could cause outgoing packets have an unexpected source address if multiple
interfaces have a route to the destination address.
* OPENDNSSEC-759: The Signer doesn't need to access the HSM for every zone
during startup anymore. This is done later by the worker threads. This way
the signer starts quicker and is earlier available for user input.
* OPENDNSSEC-450: Implement support for ECDSA P-256, P-384 and GOST. To be
able to use this your HSM should have support as well. SoftHSMv2 can be
compiled with support for these.
* OPENDNSSEC-503: When adding a new zone to OpenDNSSEC the Enforcer is a
little less conservative and will add signatures and keys to the zone in
one go. Thereby mimicking OpenDNSSEC 1.4. Effectively new zones are earlier
fully signed by the TTL of the DNSKEY set.
* A bash autocompletion script is included in contrib for ods-enforcer and
ods-signer. Commands, parameters, zone names and key identifiers can be
autocompleted from the command line.
FURTHER IMPROVEMENTS
* OPENDNSSEC-530: The <Interval> tag for the Enforcer in conf.xml has
been unused and deprecated in 2.0. since 2.1 this tag is no longer
allowed to be specified.
* Show help for ods-enforcer-db-setup with -h or --help
* OPENDNSSEC-836: If the listening port for Signer is not set in conf.xml file,
the default value "15354" is used.
* OPENDNSSEC-864: ods-signer didn't print help. Also --version and --socket
options where not processed.
* OPENDNSSEC-858: OpenDNSSEC 2.0 did print "completed in x seconds" to stderr
for enforcer commands. This line is removed.
* SUPPORT-208: Running 'ods-enforcer key export' included a comment string with
key properties. This is dropped to aid parsing.
* OPENDNSSEC-552: By default 'ods-enforcer key export --ds' included the SHA1
version of the DS. SHA1 use is discouraged in favour of SHA256. To get the
SHA1 DS use the --sha1 flag. This flag is immediately deprecated and will be
removed from future versions of OpenDNSSEC.
* OPENDNSSEC-465: ods-kaspcheck warns about algorithm mismatch between keys.
* When a zone is deleted the Enforcer now properly removes all tasks
associated with that zone from its task queue.
* In the key section of the kasp.xml file, the algorithm length is no longer
optional. For ECDSA and GHOST keys this value is ignored.
* The Enforcer and the Signer now have a HSM key cache shared between their
threads so no longer every thread needs to iterate over all keys, which
can potentially be very slow for some HSMs.
* OPENDNSSEC-721: Our integration testing environment now uses SoftHSMv2
instead of version one.
* OPENDNSSEC-844: warning when lifetime of key is smaller than signature
validity time.
* OPENDNSSEC-311: Installation can now set the right permissions on used
files for a configurable user/group when not running OpenDNSSEC as root.
* OPENDNSSEC-593: More gracefully cope when zone configured for signer but
signconf not yet available.
* OPENDNSSEC-600: Log critical error if key is not inserted due to policy
parameters misconfiguration.
* OPENDNSSEC-694: Domain Names in the value/answer part of records (e.g.
named referred to by PTR records) where mapped to lowercase.
* OPENDNSSEC-803 : Extensive logging on aborting the application.
BUGS FIXED
* OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
* SUPPORT-29: signer clear <zone> would assert when signconf wasn't read yet.
* OPENDNSSEC-869: ds-seen command did not give error on badly formatted keytag.
* OPENDNSSEC-849: Crash on free of part of IXFR structure.
* OPENDNSSEC-601: signer and enforcer working dir would not properly fallback to
default when not specified.
* OPENDNSSEC-689: Failure of daemon during startup is not logged.
* OPENDNSSEC-850: Date of new transition could temporarily be incorrect.
* OPENDNSSEC-851: Change in verbosity level not immediately propagated.
* Various memory leaks, resolving compiler warnings, and static code analysis.
* Libxml2 cleanup improvements (Thanks he32).