./security/opendnssec, OSS for a fast and easy DNSSEC deployment

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.4.12nb2, Package name: opendnssec-1.4.12nb2, Maintainer: pettai

The OpenDNSSEC project announces the development of Open Source software
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.


Required to run:
[textproc/libxml2] [net/ldns] [security/softhsm]

Required to build:
[devel/cunit] [pkgtools/cwrappers]

Package options: softhsm

Master sites:

SHA1: feab78605d2c49a2788a4b65e7eb4416777e9610
RMD160: dc91f862691218ca99b3496a7340ef16f29e37aa
Filesize: 1012.102 KB

Version history: (Expand)


CVS history: (Expand)


   2016-12-04 06:17:46 by Ryo ONODERA | Files touched by this commit (667)
Log message:
Recursive revbump from textproc/icu 58.1
   2016-11-27 15:25:41 by Havard Eidnes | Files touched by this commit (4) | Package updated
Log message:
Avoid in effect calling xmlCleanupThreads twice, xmlCleanupParser
has already internally called the former, and doing it twice causes
an abort internally in the pthread library in NetBSD 7.0.
Bump PKGREVISION.
   2016-11-06 13:54:35 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Update OpenDNSSEC to version 1.4.12.

Local changes (retained from earlier versions):
 * Some adaptations of the build setup (conversion scripts etc.)
 * in signer/ixfr.c, log the zone name if the soamin assertion trigers
 * in signer/zone.c, if there's a bad ixfr journal file, save it, for debug

Upstream changes:

News:

  This is a bug fix release targeting a memory leak in the signer
  when being used in the "bump in the wire" model where the signer
  would send out notify messages and respond to IXFR requests for
  the signed zone. This typically would manifest itself with very
  frequent outgoing IXFRs over a longer period of time.

  When upgrading from 1.4.10 (the 1.4.11 release was skipped) no
  migration steps are needed. For upgrading from earlier releases
  see the migration steps in the individual releases, most notably
  in 1.4.8.2. This version of OpenDNSSEC does however require a
  slightly less older minimal version of the library ldns.

Fixes:

 * OPENDNSSEC-808: Crash on query with empty query section
   (thanks Havard Eidnes).
 * SUPPORT-191: Regression, Must accept notify without SOA (thanks
   Christos Trochalakis).
 * OPENDNSSEC-845: memory leak occuring when responding to IXFR
   out when having had multiple updates.
 * OPENDNSSEC-805: Avoid full resign due to mismatch in backup file
   when upgrading from 1.4.8 or later.
 * OPENDNSSEC-828: parsing zone list could show data from next zone
   when zones iterated on single line.
 * OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other
   static code analysis cleanup
 * OPENDNSSEC-847: Broken DNS IN notifications when pkt answer
   section is empty.
 * OPENDNSSEC-838: Crash in signer after having removed a zone.
 * Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
 * Prevent responding to queries when not fully started yet.
   2016-07-16 21:49:07 by Havard Eidnes | Files touched by this commit (5) | Package updated
Log message:
Add a couple of patches I have been using with opendnssec in our
installation:
 * Log the zone before triggering the "part->soamin" assert.
   We've seen this fire with older versions, but it's a while
   since I saw it happen.  This is to provide more debugging info
   should it fire.
 * If an .ixfr journal file is detected as "corrupted", rename it
   to <zone>.ixfr-bad instead of unlinking it, which would leave
   no trace of OpenDNSSEC's own wrongdoing.
 * If the signer is exposed, avoid a potential DoS vector with a
   crafted message.
Bump PKGREVISION.
   2016-06-08 10:35:10 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Update OpenDNSSEC to version 1.4.10.

News:

  This release fix targets stability issues which have had a history
  and had been hard to reproduce.  Stability should be improved,
  running OpenDNSSEC as a long term service.

  Changes in TTL in the input zone that seem not to be propagated,
  notifies to slaves under load that where not handled properly and
  could lead to assertions.  NSEC3PARAM that would appear duplicate
  in the resulting zone, and crashes in the signer daemon in seldom
  race conditions or re-opening due to a HSM reset.

  No migration steps needed when upgrading from OpenDNSSEC 1.4.9.

  Also have a look at our OpenDNSSEC 2.0 beta release, its impending
  release will help us forward with new development and signal phasing
  out historic releases.

Fixes:

 * SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
   zone.  After a resalt the signer would fail to remove the old
   NSEC3PARAM RR until a manual resign or incoming transfer.  Old
   NSEC3PARAMS are removed when inserting a new record, even if
   they look the same.

 * OPENDNSSEC-725: Signer did not properly handle new update while
   still distributing notifies to slaves.  An AXFR disconnect looked
   not to be handled gracefully.

 * SUPPORT-171: Signer would sometimes hit an assertion using DNS
   output adapter when .ixfr was missing or corrupt but .backup file
   available.  Above two issues also in part addresses problems
   with seemingly corrected backup files (SOA serial).  Also an
   crash on badly configured DNS output adapters is averted.

 * The signer daemon will now refuse to start when failed to open
   a listen socket for DNS handling.

 * OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582
   SUPPORT-88: Segmentation fault in signer daemon when opening and
   closing hsm multiple times.  Also addresses other concurrency
   access by avoiding a common context to the HSM (a.k.a. NULL
   context).

 * OPENDNSSEC-798: Improper use of key handles across hsm reopen,
   causing keys not to be available after a re-open.

 * SUPPORT-186: IXFR disregards TTL changes, when only TTL of an
   RR is changed.  TTL changes should be treated like any other
   changes to records.  When OpenDNSSEC now overrides a TTL value,
   this is now reported in the log files.
   2016-04-11 21:02:08 by Ryo ONODERA | Files touched by this commit (527)
Log message:
Recursive revbump from textproc/icu 57.1
   2016-03-13 10:36:59 by Takahiro Kambe | Files touched by this commit (11) | Package updated
Log message:
Bump PKGREVISION by chaging default version of Ruby.
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | Package updated
Log message:
Bump PKGREVISION for security/openssl ABI bump.