./security/opendnssec, OSS for a fast and easy DNSSEC deployment

Branch: CURRENT, Version: 1.4.10nb1, Package name: opendnssec-1.4.10nb1, Maintainer: pettai

The OpenDNSSEC project announces the development of Open Source software
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.

Required to run:
[textproc/libxml2] [net/ldns] [security/softhsm]

Required to build:

Package options: softhsm

Master sites:

SHA1: c83c452b9951df8dd784d7c39aae90363f1a1213
RMD160: 0ee7e1b282da6839be919b18faf9fbe567bfc130
Filesize: 1011.786 KB

CVS history:

   2016-07-16 21:49:07 by Havard Eidnes | Files touched by this commit (5) | Package updated
Log message:
Add a couple of patches I have been using with opendnssec in our
 * Log the zone before triggering the "part->soamin" assert.
   We've seen this fire with older versions, but it's a while
   since I saw it happen.  This is to provide more debugging info
   should it fire.
 * If an .ixfr journal file is detected as "corrupted", rename it
   to <zone>.ixfr-bad instead of unlinking it, which would leave
   no trace of OpenDNSSEC's own wrongdoing.
 * If the signer is exposed, avoid a potential DoS vector with a
   crafted message.
   2016-06-08 10:35:10 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Update OpenDNSSEC to version 1.4.10.


  This release fix targets stability issues which have had a history
  and had been hard to reproduce.  Stability should be improved,
  running OpenDNSSEC as a long term service.

  Changes in TTL in the input zone that seem not to be propagated,
  notifies to slaves under load that were not handled properly and
  could lead to assertions.  NSEC3PARAM that would appear duplicate
  in the resulting zone, and crashes in the signer daemon in seldom
  race conditions or re-opening due to a HSM reset.

  No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

  Also have a look at our OpenDNSSEC 2.0 beta release, its impending
  release will help us forward with new development and signal phasing
  out historic releases.


 * SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
   zone.  After a resalt the signer would fail to remove the old
   NSEC3PARAM RR until a manual resign or incoming transfer.  Old
   NSEC3PARAMS are removed when inserting a new record, even if
   they look the same.

 * OPENDNSSEC-725: Signer did not properly handle new update while
   still distributing notifies to slaves.  An AXFR disconnect looked
   not to be handled gracefully.

 * SUPPORT-171: Signer would sometimes hit an assertion using DNS
   output adapter when .ixfr was missing or corrupt but .backup file
   available.  Above two issues also in part addresses problems
   with seemingly corrected backup files (SOA serial).  Also a
   crash on badly configured DNS output adapters is averted.

 * The signer daemon will now refuse to start when failed to open
   a listen socket for DNS handling.

 * SUPPORT-88: Segmentation fault in signer daemon when opening and
   closing hsm multiple times.  Also addresses other concurrency
   access by avoiding a common context to the HSM (a.k.a. NULL

 * OPENDNSSEC-798: Improper use of key handles across hsm reopen,
   causing keys not to be available after a re-open.

 * SUPPORT-186: IXFR disregards TTL changes, when only TTL of an
   RR is changed.  TTL changes should be treated like any other
   changes to records.  When OpenDNSSEC now overrides a TTL value,
   this is now reported in the log files.
   2016-04-11 21:02:08 by Ryo ONODERA | Files touched by this commit (527)
Log message:
Recursive revbump from textproc/icu 57.1
   2016-03-13 10:36:59 by Takahiro Kambe | Files touched by this commit (11) | Package updated
Log message:
Bump PKGREVISION by changing default version of Ruby.
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | Package updated
Log message:
Bump PKGREVISION for security/openssl ABI bump.
   2016-02-25 12:06:57 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade opendnssec to version 1.4.9.

Upstream changes:
  The main motivations for this release are bug fixes related to use
  cases with large number of zones (more than 50 zones) in combination
  with an XFR based setup. Too many concurrent zone transfers cause
  new transfers to be held back. These excess transfers however were
  not properly scheduled for later.

  No migration steps needed when upgrading from OpenDNSSEC 1.4.8.

 * Add TCP waiting queue. Fix signer getting `stuck' when adding
   many zones at once. Thanks to Havard Eidnes for bringing this
   to our attention.
 * OPENDNSSEC-723: received SOA serial reported as on disk.
 * Fix potential locking issue on SOA serial.
 * Crash on shutdown. At all times join xfr and dns handler threads.
 * Make handling of notifies more consistent. Previous implementation
   would bounce between code paths.
   2015-11-16 11:09:08 by Havard Eidnes | Files touched by this commit (5) | Package updated
Log message:
Update OpenDNSSEC to version

Pkgsrc changes:
 * Adapt patches to match new files.
 * Add new migration scripts to PLIST

Upstream changes:

 * Support for RFC5011 style KSK rollovers. KSK section in the KASP
   now accepts element.
 * Enforcer: New repository option allows to generate keys with
   CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped and
   extracted from HSM.

 * SUPPORT-145: EOF handling on ARM architecture caused signer to hang.
 * Fixed signer hitting assertion on short reply XFR handler.
 * Include revoke bit in keytag calculation.
 * Increased stacksize on some systems (thanks Patrik Lundin!).
 * Stop ods-signerd on SIGINT.

 * Updating from earlier versions of OpenDNSSEC requires use of the
   database migration script(s) included in ${PKG}/share/opendnssec/
   as the migrate_1_4_8* scripts.
   2015-11-04 02:18:12 by Alistair G. Crooks | Files touched by this commit (434)
Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.