- OPENDNSSEC-888: Fix up MySQL<->SQLite3 database conversion script.
- OPENDNSSEC-752: Incorrect calculated number of KSKs needed when
  KSK and ZSK have exactly the same parameters. This would prevent
  KSK rollovers.
- OPENDNSSEC-890: Bogus signatures on mismatching TTLs within the same RRset.

PR:		218994
Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)

dns/opendnssec: update 1.4.10 -> 1.4.12
2016-10-20T09:09:58+00:00 robak <robak@FreeBSD.org> c7cadbd10d19f77f869388a39208cb98b7a7a8ae

PR:		213610
Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
MFH:		2016Q4

dns/opendnssec: 1.4.9 -> 1.4.10
2016-05-05T17:09:42+00:00 pi <pi@FreeBSD.org> 5530ccd5720578d9d1bb9f89cdda777651ecb94a

This release fix targets stability issues which have had a history and
have been hard to reproduce.  Issues that have been reported over the
past half year have been fixed that may have even come up earlier as
rare occasions.
Stability should be improved, running OpenDNSSEC as a long term service.

Changes in TTL in the input zone that seem not to be propagated,
notifies to slaves under heavy zone activity load that were not handled
properly and could lead to assertions.
NSEC3PARAM that would appear duplicate in the resulting zone, and
crashes in the signer daemon in seldom race conditions or re-opening due
to a HSM reset.

No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

Also have a look at our OpenDNSSEC 2.0 beta release, its impending
release will help us forward with new development and signal phasing out
historic releases.

Fixes:
- SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
  zone.  After a resalt the signer would fail to remove the old
  NSEC3PARAM RR until a manual resign or incoming transfer.
  Old NSEC3PARAMS are removed when inserting a new record, even if
  they look the same.
- OPENDNSSEC-725: Signer did not properly handle new update while still
  distributing notifies to slaves.
  An AXFR disconnect looked not to be handled gracefully.
- SUPPORT-171: Signer would sometimes hit an assertion using DNS output
  adapter when .ixfr was missing or corrupt but .backup file available.
- Above two issues also in part addresses problems with seemingly
  corrected backup files (SOA serial).  Also a crash on badly
  configured DNS output adapters is averted.
- The signer daemon will now refuse to start when failed to open a
  listen socket for DNS handling.
- OPENDNSSEC-478,750,581 and 582 and SUPPORT-88:
  Segmentation fault in signer daemon when opening and closing HSM
  multiple times. Also addresses other concurrency access by avoiding
  a common context to the HSM (a.k.a. NULL context).
- OPENDNSSEC-798: Improper use of key handles across hsm reopen,
  causing keys not to be available after a re-open.
- SUPPORT-186: IXFR disregards TTL changes, when only TTL of an RR is
  changed.  TTL changes should be treated like any other changes to
  records.
- When OpenDNSSEC now overrides a TTL value, this is now reported in
  the log files.

PR:		209261
Submitted by:	jaap@NLnetLabs.nl (maintainer)

Update to 1.4.9
2016-03-16T13:33:52+00:00 erwin <erwin@FreeBSD.org> 3635f2624ae973047efd889b6ef69f5b31917a89

The main motivations for this release are bug fixes related to use
cases with large number of zones (more than 50 zones) in combination
with an XFR based setup. Too many concurrent zone transfers cause new
transfers to be held back. These excess transfers however were not
properly scheduled for later.

No migration steps needed when upgrading from OpenDNSSEC 1.4.8.

Bugfixes:

* Add TCP waiting queue. Fix signer getting 'stuck' when adding many
  zones at once. Thanks to Haavard Eidnes for bringing this to our attention.
* OPENDNSSEC-723: received SOA serial reported as on disk.
* Fix potential locking issue on SOA serial.
* Crash on shutdown. At all times join xfr and dns handler threads.
* Make handling of notifies more consistent. Previous implementation would
  bounce between code paths.

Known Issues:

When using SoftHSM2 compiled with OpenSSL, and libmysql with OpenSSL
as database backend for OpenDNSSEC. "ods-ksmutil key list --verbose"
crashes on exit. This is ultimately a bug in OpenSSL and not new for
this particular release. Make sure you don't use this specific
combination.

From <https://www.opendnssec.org>

PR:             206491
Submitted by:   Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by:   DK Hostmaster A/S

Upgrade from version 1.4.7 to 1.4.8.2
2015-10-06T13:54:31+00:00 erwin <erwin@FreeBSD.org> ca68576aeb425aba6beb0ba3e3ec5fdff587b667

NEWS:

    * Support for RFC5011 style KSK rollovers. KSK section in the KASP now
      accepts <RFC5011/> element.
    * Enforcer: New repository option <AllowExtraction/> allows to generate
      keys with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
      and extracted from HSM.

Bugfixes:

    * SUPPORT-145: EOF handling an ARM architecture caused signer to hang.
    * Fixed signer hitting assertion on short reply XFR handler.
    * Include revoke bit in keytag calculation.
    * Increased stacksize on some systems (thanks Patrik Lundin!).
    * Stop ods-signerd on SIGINT.

Fixes port problem (reported by *geoffroy desvernay*)

    * Now also installs previous missing migration script convert_database.pl

PR:		203574
Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by:	DK Hostmaster A/S

Update to 1.4.7 which fixes a bug when using DNS adapters
2014-12-10T15:14:13+00:00 erwin <erwin@FreeBSD.org> 987882cd85a79a9c5d8a00b7c20ec3b88c8fc7df

PR:		195686
Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)

- Fix location of libsofthsm.so [1]
2014-07-23T08:30:09+00:00 erwin <erwin@FreeBSD.org> 81a33940b5320f07244e9249c8a780b8742c71ab

- Fix dependency on sqlite with non-default LOCALBASE [2]
- Update to 1.4.6

Updates:
Signer Engine: Print secondary server address when logging notify reply errors.
Build: Fixed various OpenBSD compatibility issues found by Patrik Lundin <patrik.lundin.swe () gmail.com>.
OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and signer, and <SocketFile> for the signer.
New tool: ods-getconf: to retrieve a configuration value from conf.xml given an expression.

Bugfixes:
OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup can't be written zone is still added to database, solved it by checking the zonelist.xml.backup is writable before adding zones, and add error message when add zone failed.
OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone the first time due to RFC 1982 serial arithmetic.
OPENDNSSEC-619: memory leak when signer failed, solved it by add ldns_rr_free(signature) in libhsm.c
OPENDNSSEC-627: Signer Engine: Unable to update serial after restart when the backup files have been removed.
OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed from debug to info.
OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
libhsm: Fixed a few other memory leaks.
simple-dnskey-mailer.sh: Fix syntax error. (by Patrik Lundin https://github.com/eest)

PR:		191272 [1], 192021 [2], 192023 [3]
Submitted by:	Andrew Fyfe <andrew@neptune-one.net> [1],
		jhujhiti@adjectivism.org [2],
		Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer) [3]