Changelog revision 238104
1238104Sdes1.6.13 2012-05-21 2238104Sdes * New -S option for ldns-verify-zone to chase signatures online. 3238104Sdes * New -k option for ldns-verify-zone to validate using a trusted key. 4238104Sdes * New inception and expiration margin options (-i and -e) to 5238104Sdes ldns-verify-zone. 6238104Sdes * New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l 7238104Sdes functions. 8238104Sdes * New ldns_duration* functions (copied from OpenDNSSEC source) 9238104Sdes * fix ldns-verify-zone to allow NSEC3 signatures to come before 10238104Sdes the NSEC3 RR in all cases. Thanks Wolfgang Nagele. 11238104Sdes * Zero the correct flag (opt-out) when creating NSEC3PARAMS. 12238104Sdes Thanks Peter van Dijk. 13238104Sdes * Canonicalize RRSIG's Signer's name too when validating, because 14238104Sdes bind and unbound do that too. Thanks Peter van Dijk. 15238104Sdes * bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label 16238104Sdes * bugfix #432: Use LDNS_MALLOC & LDNS_FREE i.s.o. malloc & free 17238104Sdes * bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT 18238104Sdes * bugfix #427: Explicitely link ssl with the programs that use it. 19238104Sdes * Fix reading \DDD: Error on values that are outside range (>255). 20238104Sdes * bugfix #429: fix doxyparse.pl fails on NetBSD because specified 21238104Sdes path to perl. 22238104Sdes * New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl. 23238104Sdes * fix verifying denial of existence for DS's in NSEC3 Opt-Out zones. 24238104Sdes Thanks John Barnitz 25238104Sdes 26238104Sdes1.6.12 2012-01-11 27238104Sdes * bugfix #413: Fix manpage source for srcdir != builddir 28238104Sdes * Canonicalize the signers name rdata field in RRSIGs when signing 29238104Sdes * Ignore minor version of Private-key-format (so v1.3 may be used) 30238104Sdes * Allow a check_time to be given in stead of always checking against 31238104Sdes the current time. 
With ldns-verify-zone the check_time can be set 32238104Sdes with the -t option. 33238104Sdes * Added functions for updating and manipulating SOA serial numbers. 34238104Sdes ldns-read-zone has an option -S for updating and manipulating the 35238104Sdes serial numbers. 36238104Sdes * The library Makefile is now GNU and BSD make compatible. 37238104Sdes * bugfix #419: NSEC3 validation of a name covered by a wildcard with 38238104Sdes no data. 39238104Sdes * Two new options (--with-drill and --with-examples) to the main 40238104Sdes configure script (in the root of the source tree) to build drill 41238104Sdes and examples too. 42238104Sdes * Fix days_since_epoch to year_yday calculation on 32bits systems. 43238104Sdes 44238104Sdes1.6.11 2011-09-29 45238104Sdes * bugfix #394: Fix socket leak on errors 46238104Sdes * bugfix #392: Apex only and percentage checks for ldns-verify-zone 47238104Sdes (thanks Miek Gieben) 48238104Sdes * bugfix #398: Allow NSEC RRSIGs before the NSEC3 in ldns-verify-zone 49238104Sdes * Fix python site package path from sitelib to sitearch for pyldns. 50238104Sdes * Fix python api to support python2 and python3 (thanks Karel Slany). 51238104Sdes * bugfix #401: Correction of date/time functions algorithm and 52238104Sdes prevention of an infinite loop therein 53238104Sdes * bugfix #402: Correct the minimum and maximum number of rdata fields 54238104Sdes in TSIG. (thanks David Keeler) 55238104Sdes * bugfix #403: Fix heap overflow (thanks David Keeler) 56238104Sdes * bugfix #404: Make parsing APL strings more robust 57238104Sdes (thanks David Keeler) 58238104Sdes * bugfix #391: Complete library assessment to prevent assertion errors 59238104Sdes through ldns_rdf_size usage. 60238104Sdes * Slightly more specific error messaging on wrong number of rdata 61238104Sdes fields with the LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG and 62238104Sdes LDNS_STATUS_MISSING_RDATA_FIELDS_KEY result codes. 
63238104Sdes * bugfix #406: More rigorous openssl result code handling to prevent 64238104Sdes future crashes within openssl. 65238104Sdes * Fix ldns_fetch_valid_domain_keys to search deeper than just one level 66238104Sdes for a DNSKEY that signed a DS RR. (this function was used in the 67238104Sdes check_dnssec_trace nagios module) 68238104Sdes * bugfix #407: Canonicalize TSIG dnames and algorithm fields 69238104Sdes * A new output specifier to accommodate configuration of what to show 70238104Sdes in comment texts when converting host and/or wire-format data to 71238104Sdes string. All conversion to string and printing functions have a new 72238104Sdes version that have such a format specifier as an extra argument. 73238104Sdes The default is changed so that only DNSKEY RR's are annotated with 74238104Sdes an comment show the Key Tag of the DNSKEY. 75238104Sdes * Fixed the ldns resolver to not mark a nameserver unreachable when 76238104Sdes edns0 is tried unsuccessfully with size 4096 (no return packet came), 77238104Sdes but to still try TCP. A big UDP packet might have been corrupted by 78238104Sdes fragments dropping firewalls. 79238104Sdes * Update of libdns.vim (thanks Miek Gieben) 80238104Sdes * Added the ldnsx Python module to our contrib section, which adds even 81238104Sdes more pythonisticism to the usage of ldns with Python. (Many thanks 82238104Sdes to Christpher Olah and Paul Wouters) 83238104Sdes The ldnsx module is automatically installed when --with-pyldns is 84238104Sdes used with configuring, but may explicitly be excluded with the 85238104Sdes --without-pyldnsx option to configure. 86238104Sdes * bugfix #410: Fix clearing out temporary data on stack in sha2.c 87238104Sdes * bugfix #411: Don't let empty non-terminal NSEC3s cause assertion failure. 88238104Sdes 89238104Sdes1.6.10 2011-05-31 90238104Sdes * New example tool added: ldns-gen-zone. 
91238104Sdes * bugfix #359: Serial-arithmetic for the inception and expiration 92238104Sdes fields of a RRSIG and correctly converting them to broken-out time 93238104Sdes information. 94238104Sdes * bugfix #364: Slight performance increase of ldns-verifyzone. 95238104Sdes * bugfix #367: Fix to allow glue records with the same name as the 96238104Sdes delegation. 97238104Sdes * Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and* 98238104Sdes glue when the zone is opt-out. 99238104Sdes * bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations, 100238104Sdes ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too. 101238104Sdes * pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit 102238104Sdes performance) 103238104Sdes * Better handling of reference variables in ldns_rr_new_frm_fp_l from 104238104Sdes pyldns, with a very nice generator function by Bedrich Kosata. 105238104Sdes * Decoupling of the rdfs in rrs in the python wrappers to enable 106238104Sdes the python garbage collector by Bedrich Kosata. 107238104Sdes * bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at 108238104Sdes build time and when used. 109238104Sdes * bugfix #383: Fix detection of empty nonterminals of multiple labels. 110238104Sdes * Fixed the ommission of rrsets in nsec(3)s and rrsigs to all occluded 111238104Sdes names (in stead of just the ones that contain glue only) and all 112238104Sdes occluded records on the delegation points (in stead of just the glue). 113238104Sdes * Clarify the operation of ldns_dnssec_mark_glue and the usage of 114238104Sdes ldns_dnssec_node_next_nonglue functions in the documentation. 115238104Sdes * Added function ldns_dnssec_mark_and_get_glue as an real fast 116238104Sdes alternative for ldns_zone_glue_rr_list. 117238104Sdes * Fix parse buffer overflow for max length domain names. 
118238104Sdes * Fix Makefile for U in environment, since wrong U is more common than 119238104Sdes deansification necessity. 120238104Sdes 121238104Sdes1.6.9 2011-03-16 122238104Sdes * Fix creating NSEC(3) bitmaps: make array size 65536, 123238104Sdes don't add doubles. 124238104Sdes * Fix printout of escaped binary in TXT records. 125238104Sdes * Parsing TXT records: don't skip starting whitespace that is quoted. 126238104Sdes * bugfix #358: Check if memory was successfully allocated in 127238104Sdes ldns_rdf2str(). 128238104Sdes * Added more memory allocation checks in host2str.c 129238104Sdes * python wrapper for ldns_fetch_valid_domain_keys by Bedrich Kosata. 130238104Sdes * fix to compile python wrapper with swig 2.0.2. 131238104Sdes * Don't fallback to SHA-1 when creating NSEC3 hash with another 132238104Sdes algorithm identifier, fail instead (no other algorithm identifiers 133238104Sdes are assigned yet). 134238104Sdes 135238104Sdes1.6.8 2011-01-24 136238104Sdes * Fix ldns zone, so that $TTL definition match RFC 2308. 137238104Sdes * Fix lots of missing checks on allocation failures and parse of 138238104Sdes NSEC with many types and max parse length in hosts_frm_fp routine 139238104Sdes and off by one in read_anchor_file routine (thanks Dan Kaminsky and 140238104Sdes Justin Ferguson). 141238104Sdes * bugfix #335: Drill: Print both SHA-1 and SHA-256 corresponding DS 142238104Sdes records. 143238104Sdes * Print correct WHEN in query packet (is not always 1-1-1970) 144238104Sdes * ldns-test-edns: new example tool that detects EDNS support. 145238104Sdes * fix ldns_resolver_send without openssl. 146238104Sdes * bugfix #342: patch for support for more CERT key types (RFC4398). 147238104Sdes * bugfix #351: fix udp_send hang if UDP checksum error. 148238104Sdes * fix set_bit (from NSEC3 sign) patch from Jan Komissar. 149238104Sdes 150238104Sdes1.6.7 2010-11-08 151238104Sdes * EXPERIMENTAL ecdsa implementation, please do not enable on real 152238104Sdes servers. 
153238104Sdes * GOST code enabled by default (RFC 5933). 154238104Sdes * bugfix #326: ignore whitespace between directives and their values. 155238104Sdes * Header comment to advertise ldns_axfr_complete to check for 156238104Sdes successfully completed zone transfers. 157238104Sdes * read resolv.conf skips interface labels, e.g. %eth0. 158238104Sdes * Fix drill verify NSEC3 denials. 159238104Sdes * Use closesocket() on windows. 160238104Sdes * Add ldns_get_signing_algorithm_by_name that understand aliases, 161238104Sdes names changed to RFC names and aliases for compatibility added. 162238104Sdes * bugfix: don't print final dot if the domain is relative. 163238104Sdes * bugfix: resolver search continue when packet rcode != NOERROR. 164238104Sdes * bugfix: resolver push all domains in search directive to list. 165238104Sdes * bugfix: resolver search by default includes the root domain. 166238104Sdes * bugfix: tcp read could fail on single octet recv. 167238104Sdes * bugfix: read of RR in unknown syntax with missing fields. 168238104Sdes * added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next() 169238104Sdes to sign and verify TSIG RRs on subsequent messages 170238104Sdes (section 4.4, RFC 2845, thanks to Michael Sheldon). 171238104Sdes * bugfix: signer sigs nsecs with zsks only. 172238104Sdes * bugfix #333: fix ldns_dname_absolute for name ending with backslash. 173238104Sdes 174238104Sdes1.6.6 2010-08-09 175238104Sdes * Fix ldns_rr_clone to copy question rrs properly. 176238104Sdes * Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone. 177238104Sdes * Fix ldns_wire2dname size check from reading 1 byte beyond buffer end. 178238104Sdes * Fix ldns_wire2dname from reading 1 byte beyond end for pointer. 179238104Sdes * Fix crash using GOST for particular platform configurations. 180238104Sdes * extern C declarations used in the header file. 181238104Sdes * Removed debug fprintf from resolver.c. 
182238104Sdes * ldns-signzone checks if public key file is for the right zone. 183238104Sdes * NETLDNS, .NET port of ldns functionality, by Alex Nicoll, in contrib. 184238104Sdes * Fix handling of comments in resolv.conf parse. 185238104Sdes * GOST code enabled if SSL recent, RFC 5933. 186238104Sdes * bugfix #317: segfault util.c ldns_init_random() fixed. 187238104Sdes * Fix ldns_tsig_mac_new: allocate enough memory for the hash, fix use of 188238104Sdes b64_pton_calculate_size. 189238104Sdes * Fix ldns_dname_cat: size calculation and handling of realloc(). 190238104Sdes * Fix ldns_rr_pop_rdf: fix handling of realloc(). 191238104Sdes * Fix ldns-signzone for single type key scheme: sign whole zone if there 192238104Sdes are only KSKs. 193238104Sdes * Fix ldns_resolver: also close socket if AXFR failed (if you don't, 194238104Sdes it would block subsequent transfers (thanks Roland van Rijswijk). 195238104Sdes * Fix drill: allow for a secure trace if you use DS records as trust 196238104Sdes anchors (thanks Jan Komissar). 197238104Sdes 198238104Sdes1.6.5 2010-06-15 199238104Sdes * Catch \X where X is a digit as an error. 200238104Sdes * Fix segfault when ip6 ldns resolver only has ip4 servers. 201238104Sdes * Fix NSEC record after DNSKEY at zone apex not properly signed. 202238104Sdes * Fix syntax error if last label too long and no dot at end of domain. 203238104Sdes * Fix parse of \# syntax with space for type LOC. 204238104Sdes * Fix ldns_dname_absolute for escape sequences, fixes some parse errs. 205238104Sdes * bugfix #297: linking ssl, bug due to patch submitted as #296. 206238104Sdes * bugfix #299: added missing declarations to host2str.h 207238104Sdes * ldns-compare-zones -s to not exclude SOA record from comparison. 208238104Sdes * --disable-rpath fix 209238104Sdes * fix ldns_pkt_empty(), reported by Alex Nicoll. 210238104Sdes * fix ldns_resolver_new_frm_fp not ignore lines after a comment. 
211238104Sdes * python code for ldns_rr.new_question_frm_str() 212238104Sdes * Fix ldns_dnssec_verify_denial: the signature selection routine. 213238104Sdes * Type TALINK parsed (draft-ietf-dnsop-trust-history). 214238104Sdes * bugfix #304: fixed dead loop in ldns_tcp_read_wire() and 215238104Sdes ldns_tcp_read_wire_timeout(). 216238104Sdes * GOST support with correct algorithm numbers. The plan is to make it 217238104Sdes enabled if openssl support is detected, but it is disabled by 218238104Sdes default in this release because the RFC is not ready. 219238104Sdes * Fixed comment in rbtree.h about being first member and data ptr. 220238104Sdes * Fixed possibly leak in case of out of memory in ldns_native2rdf... 221238104Sdes * ldns_dname_is_wildcard added. 222238104Sdes * Fixed: signatures over wildcards had the wrong labelcount. 223238104Sdes * Fixed ldns_verify() inconsistent return values. 224238104Sdes * Fixed ldns_resolver to copy and free tsig name, data and algorithm. 225238104Sdes * Fixed ldns_resolver to push search onto searchlist. 226238104Sdes * A ldns resolver now defaults to a non-recursive resolver that handles 227238104Sdes the TC bit. 228238104Sdes * ldns_resolver_print() prints more details. 229238104Sdes * Fixed ldns_rdf2buffer_str_time(), which did not print timestamps 230238104Sdes on 64bit systems. 231238104Sdes * Make ldns_resolver_nameservers_randomize() more random. 232238104Sdes * bugfix #310: POSIX specifies NULL second argument of gettimeofday. 233238104Sdes * fix compiler warnings from llvm clang compiler. 234238104Sdes * bugfix #309: ldns_pkt_clone did not clone the tsig_rr. 235238104Sdes * Fix gentoo ebuild for drill, 'no m4 directory'. 236238104Sdes * bugfix #313: drill trace on an empty nonterminal continuation. 237238104Sdes 238238104Sdes1.6.4 2010-01-20 239238104Sdes * Imported pyldns contribution by Zdenek Vasicek and Karel Slany. 240238104Sdes Changed its configure and Makefile to fit into ldns. 
241238104Sdes Added its dname_* methods to the rdf_* class (as is the ldns API). 242238104Sdes Changed swig destroy of ldns_buffer class to ldns_buffer_free. 243238104Sdes Declared ldns_pkt_all and ldns_pkt_all_noquestion so swig sees them. 244238104Sdes * Bugfix: parse PTR target of .tomhendrikx.nl with error not crash. 245238104Sdes * Bugfix: handle escaped characters in TXT rdata. 246238104Sdes * bug292: no longer crash on malformed domain names where a label is 247238104Sdes on position 255, which was a buffer overflow by one. 248238104Sdes * Fix ldns_get_rr_list_hosts_frm_fp_l (strncpy to strlcpy change), 249238104Sdes which fixes resolv.conf reading badly terminated string buffers. 250238104Sdes * Fix ldns_pkt_set_random_id to be more random, and a little faster, 251238104Sdes it did not do value 0 statistically correctly. 252238104Sdes * Fix ldns_rdf2native_sockaddr_storage to set sockaddr type to zeroes, 253238104Sdes for portability. 254238104Sdes * bug295: nsec3-hash routine no longer case sensitive. 255238104Sdes * bug298: drill failed nsec3 denial of existence proof. 256238104Sdes 257238104Sdes1.6.3 2009-12-04 258238104Sdes * Bugfix: allow for unknown resource records in zonefile with rdlen=0. 259238104Sdes * Bugfix: also mark an RR as question if it comes from the wire 260238104Sdes * Bugfix: NSEC3 bitmap contained NSEC 261238104Sdes * Bugfix: Inherit class when creating signatures 262238104Sdes 263238104Sdes1.6.2 2009-11-12 264238104Sdes * Fix Makefile patch from Havard Eidnes, better install.sh usage. 265238104Sdes * Fix parse error on SOA serial of 2910532839. 266238104Sdes Fix print of ';' and readback of '\;' in names, also for '\\'. 267238104Sdes Fix parse of '\(' and '\)' in names. Also for file read. Also '\.' 268238104Sdes * Fix signature creation when TTLs are different for RRs in RRset. 269238104Sdes * bug273: fix so EDNS rdata is included in pkt to wire conversion. 
270238104Sdes * bug274: fix use of c++ keyword 'class' for RR class in the code. 271238104Sdes * bug275: fix memory leak of packet edns rdata. 272238104Sdes * Fix timeout procedure for TCP and AXFR on Solaris. 273238104Sdes * Fix occasional NSEC bitmap bogus 274238104Sdes * Fix rr comparing (was in reversed order since 1.6.0) 275238104Sdes * bug278: fix parsing HINFO rdata (and other cases). 276238104Sdes * Fix previous owner name: also pick up if owner name is @. 277238104Sdes * RFC5702: enabled sha2 functions by default. This requires OpenSSL 0.9.8 or higher. 278238104Sdes Reason for this default is the root to be signed with RSASHA256. 279238104Sdes * Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines 280238104Sdes * Fix: Make ldns_dname_is_subdomain case insensitive. 281238104Sdes * Fix ldns-verify-zone so that address records at zone NS set are not considered glue 282238104Sdes (Or glue records fall below delegation) 283238104Sdes * Fix LOC RR altitude printing. 284238104Sdes * Feature: Added period (e.g. '3m6d') support at explicit TTLs. 285238104Sdes * Feature: DNSKEY rrset by default signed with minimal signatures 286238104Sdes but -A option for ldns-signzone to sign it with all keys. 287238104Sdes This makes the DNSKEY responses smaller for signed domains. 288238104Sdes 289238104Sdes1.6.1 2009-09-14 290238104Sdes * --enable-gost : use the GOST algorithm (experimental). 
291238104Sdes * Added some missing options to drill manpage 292238104Sdes * Some fixes to --without-ssl option 293238104Sdes * Fixed quote parsing withing strings 294238104Sdes * Bitmask fix in EDNS handling 295238104Sdes * Fixed non-fqdn domain name completion for rdata field domain 296238104Sdes names of length 1 297238104Sdes * Fixed chain validation with SHA256 DS records 298238104Sdes 299238104Sdes1.6.0 300238104Sdes Additions: 301238104Sdes * Addition of an ldns-config script which gives cflags and libs 302238104Sdes values, for use in configure scripts for applications that use 303238104Sdes use ldns. Can be disabled with ./configure --disable-ldns-config 304238104Sdes * Added direct sha1, sha256, and sha512 support in ldns. 305238104Sdes With these functions, all NSEC3 functionality can still be 306238104Sdes used, even if ldns is built without OpenSSL. Thanks to OpenBSD, 307238104Sdes Steve Reid, and Aaron D. Gifford for the code. 308238104Sdes * Added reading/writing support for the SPF Resource Record 309238104Sdes * Base32 functions are now exported 310238104Sdes Bugfixes: 311238104Sdes * ldns_is_rrset did not go through the complete rrset, but 312238104Sdes only compared the first two records. Thanks to Olafur 313238104Sdes Gudmundsson for report and patch 314238104Sdes * Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(), 315238104Sdes thanks to Marius Rieder for finding an patching this. 316238104Sdes * --without-ssl should now work. Make sure that examples/ and 317238104Sdes drill also get the --without-ssl flag on their configure, if 318238104Sdes this is used. 319238104Sdes * Some malloc() return value checks have been added 320238104Sdes * NSEC3 creation has been improved wrt to empty nonterminals, 321238104Sdes and opt-out. 322238104Sdes * Fixed a bug in the parser when reading large NSEC3 salt 323238104Sdes values. 324238104Sdes * Made the allowed length for domain names on wire 325238104Sdes and presentation format the same. 
326238104Sdes Example tools: 327238104Sdes * ldns-key2ds can now also generate DS records for keys without 328238104Sdes the SEP flag 329238104Sdes * ldns-signzone now equalizes the TTL of the DNSKEY RRset (to 330238104Sdes the first non-default DNSKEY TTL value it sees) 331238104Sdes 332238104Sdes1.5.1 333238104Sdes Example tools: 334238104Sdes * ldns-signzone was broken in 1.5.0 for multiple keys, this 335238104Sdes has been repaired 336238104Sdes 337238104Sdes Build system: 338238104Sdes * Removed a small erroneous output warning in 339238104Sdes examples/configure and drill/configure 340238104Sdes 341238104Sdes1.5.0 342238104Sdes Bug fixes: 343238104Sdes * fixed a possible memory overflow in the RR parser 344238104Sdes * build flag fix for Sun Studio 345238104Sdes * fixed a building race condition in the copying of header 346238104Sdes files 347238104Sdes * EDNS0 extended rcode; the correct assembled code number 348238104Sdes is now printed (still in the EDNS0 field, though) 349238104Sdes * ldns_pkt_rr no longer leaks memory (in fact, it no longer 350238104Sdes copies anything all) 351238104Sdes 352238104Sdes API addition: 353238104Sdes * ldns_key now has support for 'external' data, in which 354238104Sdes case the OpenSSL EVP structures are not used; 355238104Sdes ldns_key_set_external_key() and ldns_key_external_key() 356238104Sdes * added ldns_key_get_file_base_name() which creates a 357238104Sdes 'default' filename base string for key storage, of the 358238104Sdes form "K<zone>+<algorithm>+<keytag>" 359238104Sdes * the ldns_dnssec_* family of structures now have deep_free() 360238104Sdes functions, which also free the ldns_rr's contained in them 361238104Sdes * there is now an ldns_match_wildcard() function, which checks 362238104Sdes whether a domain name matches a wildcard name 363238104Sdes * ldns_sign_public has been split up; this resulted in the 364238104Sdes addition of ldns_create_empty_rrsig() and 365238104Sdes ldns_sign_public_buffer() 
366238104Sdes 367238104Sdes Examples: 368238104Sdes * ldns-signzone can now automatically add DNSKEY records when 369238104Sdes using an OpenSSL engine, as it already did when using key 370238104Sdes files 371238104Sdes * added new example tool: ldns-nsec3-hash 372238104Sdes * ldns-dpa can now filter on specific query name and types 373238104Sdes * ldnsd has fixes for the zone name, a fix for the return 374238104Sdes value of recvfrom(), and an memory initialization fix 375238104Sdes (Thanks to Colm MacC��rthaigh for the patch) 376238104Sdes * Fixed memory leaks in ldnsd 377238104Sdes 378238104Sdes 379238104Sdes 380238104Sdes1.4.1 381238104Sdes Bug fixes: 382238104Sdes * fixed a build issue where ldns lib existence was done too early 383238104Sdes * removed unnecessary check for pcap.h 384238104Sdes * NSEC3 optout flag now correctly printed in string output 385238104Sdes * inttypes.h moved to configured inclusion 386238104Sdes * fixed NSEC3 type bitmaps for empty nonterminals and unsigned 387238104Sdes delegations 388238104Sdes 389238104Sdes API addition: 390238104Sdes * for that last fix, we added a new function 391238104Sdes ldns_dname_add_from() that can clone parts of a dname 392238104Sdes 393238104Sdes1.4.0 394238104Sdes Bug fixes: 395238104Sdes * sig chase return code fix (patch from Rafael Justo, bug id 189) 396238104Sdes * rdata.c memory leaks on error and allocation checks fixed (patch 397238104Sdes from Shane Kerr, bug id 188) 398238104Sdes * zone.c memory leaks on error and allocation checks fixed (patch 399238104Sdes from Shane Kerr, bug id 189) 400238104Sdes * ldns-zplit output and error messages fixed (patch from Shane Kerr, 401238104Sdes bug id 190) 402238104Sdes * Fixed potential buffer overflow in ldns_str2rdf_dname 403238104Sdes * Signing code no longer signs delegation NS rrsets 404238104Sdes * Some minor configure/makefile updates 405238104Sdes * Fixed a bug in the randomness initialization 406238104Sdes * Fixed a bug in the reading of 
resolv.conf 407238104Sdes * Fixed a bug concerning whitespace in zone data (with patch from Ondrej 408238104Sdes Sury, bug 213) 409238104Sdes * Fixed a small fallback problem in axfr client code 410238104Sdes 411238104Sdes API CHANGES: 412238104Sdes * added 2str convenience functions: 413238104Sdes - ldns_rr_type2str 414238104Sdes - ldns_rr_class2str 415238104Sdes - ldns_rr_type2buffer_str 416238104Sdes - ldns_rr_class2buffer_str 417238104Sdes * buffer2str() is now called ldns_buffer2str 418238104Sdes * base32 and base64 function names are now also prepended with ldns_ 419238104Sdes * ldns_rr_new_frm_str() now returns an error on missing RDATA fields. 420238104Sdes Since you cannot read QUESTION section RRs with this anymore, 421238104Sdes there is now a function called ldns_rr_new_question_frm_str() 422238104Sdes 423238104Sdes LIBRARY FEATURES: 424238104Sdes * DS RRs string representation now add bubblebabble in a comment 425238104Sdes (patch from Jakob Schlyter) 426238104Sdes * DLV RR type added 427238104Sdes * TCP fallback system has been improved 428238104Sdes * HMAC-SHA256 TSIG support has been added. 
429238104Sdes * TTLS are now correcly set in NSEC(3) records when signing zones 430238104Sdes 431238104Sdes EXAMPLE TOOLS: 432238104Sdes * New example: ldns-revoke to revoke DNSKEYs according to RFC5011 433238104Sdes * ldns-testpkts has been fixed and updated 434238104Sdes * ldns-signzone now has the option to not add the DNSKEY 435238104Sdes * ldns-signzone now has an (full zone only) opt-out option for 436238104Sdes NSEC3 437238104Sdes * ldns-keygen can create HMAC-SHA1 and HMAC-SHA256 symmetric keys 438238104Sdes * ldns-walk output has been fixed 439238104Sdes * ldns-compare-zones has been fixed, and now has an option 440238104Sdes to show all differences (-a) 441238104Sdes * ldns-read-zone now has an option to print DNSSEC records only 442238104Sdes 443238104Sdes1.3 444238104Sdes Base library: 445238104Sdes 446238104Sdes * Added a new family of functions based around ldns_dnssec_zone, 447238104Sdes which is a new structure that keeps a zone sorted through an 448238104Sdes rbtree and links signatures and NSEC(3) records directly to their 449238104Sdes RRset. These functions all start with ldns_dnssec_ 450238104Sdes 451238104Sdes * ldns_zone_sign and ldns_zone_sign_nsec3 are now deprecated, but 452238104Sdes have been changed to internally use the new 453238104Sdes ldns_dnssec_zone_sign(_nsec3) 454238104Sdes 455238104Sdes * Moved some ldns_buffer functions inline, so a clean rebuild of 456238104Sdes applications relying on those is needed (otherwise you'll get 457238104Sdes linker errors) 458238104Sdes * ldns_dname_label now returns one extra (zero) 459238104Sdes byte, so it can be seen as an fqdn. 460238104Sdes * NSEC3 type code update for signing algorithms. 461238104Sdes * DSA key generation of DNSKEY RRs fixed (one byte too small). 462238104Sdes 463238104Sdes * Added support for RSA/SHA256 and RSA/SHA512, as specified in 464238104Sdes draft-ietf-dnsext-dnssec-rsasha256-04. The typecodes are not 465238104Sdes final, and this feature is not enabled by default. 
It can be 466238104Sdes enabled at compilation time with the flag --with-sha2 467238104Sdes 468238104Sdes * Added 2wire_canonical family of functions that lowercase dnames 469238104Sdes in rdata fields in resource records of the types in the list in 470238104Sdes rfc3597 471238104Sdes 472238104Sdes * Added base32 conversion functions. 473238104Sdes 474238104Sdes * Fixed DSA RRSIG conversion when calling OpenSSL 475238104Sdes 476238104Sdes Drill: 477238104Sdes 478238104Sdes * Chase output is completely different, it shows, in ascii, the 479238104Sdes relations in the trust hierarchy. 480238104Sdes 481238104Sdes Examples: 482238104Sdes * Added ldns-verify-zone, that can verify the internal DNSSEC records 483238104Sdes of a signed BIND-style zone file 484238104Sdes 485238104Sdes * ldns-keygen now takes an -a argument specifying the algorithm, 486238104Sdes instead of -R or -D. -a list show a list of supported algorithms 487238104Sdes 488238104Sdes * ldns-keygen now defaults to the exponent RSA_F4 instead of RSA_3 489238104Sdes for RSA key generation 490238104Sdes 491238104Sdes * ldns-signzone now has support for HSMs 492238104Sdes * ldns-signzone uses the new ldns_dnssec_ structures and functions 493238104Sdes which improves its speed, and output; RRSIGS are now placed 494238104Sdes directly after their RRset, NSEC(3) records directly after the 495238104Sdes name they handle 496238104Sdes 497238104Sdes Contrib: 498238104Sdes * new contrib/ dir with user contributions 499238104Sdes * added compilation script for solaris (thanks to Jakob Schlyter) 500238104Sdes 501238104Sdes28 Nov 2007 1.2.2: 502238104Sdes * Added support for HMAC-MD5 keys in generator 503238104Sdes * Added a new example tool (written by Ondrej Sury): ldns-compare-zones 504238104Sdes * ldns-keygen now checks key sizes for rfc conformancy 505238104Sdes * ldns-signzone outputs SSL error if present 506238104Sdes * Fixed manpages (thanks to Ondrej Sury) 507238104Sdes * Fixed Makefile for -j <x> 
        * Fixed a $ORIGIN error when reading zones
        * Fixed another off-by-one error

03 Oct 2007 1.2.1:
        * Fixed an offset error in rr comparison
        * Fixed ldns-read-zone exit code
        * Added check for availability of SHA256 hashing algorithm
        * Fixed ldns-key2ds -2 argument
        * Fixed $ORIGIN bug in .key files
        * Output algorithms as an integer instead of their mnemonic
        * Fixed a memory leak in dnssec code when SHA256 is not available
        * Updated fedora .spec file

11 Apr 2007 1.2.0:
        * canonicalization of rdata in DNSSEC functions now adheres to the
          rr type list in rfc3597, not rfc4035, which will be updated
          (see http://www.ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00183.html)
        * ldns-walk now supports dnames with maximum label length
        * ldnsd now takes an extra argument containing the address to listen on
        * signing no longer signs every rrset with KSK's, but only the DNSKEY rrset
        * ported to Solaris 10
        * added ldns_send_buffer() function
        * added ldns-testpkts fake packet server
        * added ldns-notify to send NOTIFY packets
        * ldns-dpa can now accurately calculate the number of matches per
          second
        * libtool is now used for compilation too (still gcc, but not directly)
        * Bugfixes:
                - TSIG signing buffer size
                - resolv.conf reading (comments)
                - dname comparison off by one error
                - typo in keyfetchers output file name fixed (a . too much)
                - fixed zone file parser when comments contain ( or )
                - fixed LOC RR type
                - fixed CERT RR type

        Drill:
        * drill prints error on failed axfr.
        * drill now accepts mangled packets with -f
        * old -c option (use tcp) changed to -t
        * -c option to specify alternative resolv.conf file added
        * feedback of signature chase improved
        * chaser now stops at root when no trusted keys are found
          instead of looping forever trying to find the DS for .
        * Fixed bugs:
                - wildcard on multiple labels signature verification
                - error in -f packet writing for malformed packets
                - made KSK check more resilient

7 Jul 2006: 1.1.0: ldns-team
        * Added tutorials and an introduction to the documentation
        * Added include/ and lib/ dirs so that you can compile against ldns
          without installing ldns on your system
        * Makefile updates
        * Starting usage of assert throughout the library to catch illegal calls
        * Solaris 9 testing was carried out. Ldns now compiles on that
          platform; some gnuisms were identified and fixed.
        * The ldns_zone structure was stress tested. The current setup
          (i.e. just a list of rrs) can scale to zone files in the order of
          megabytes. Sorting such a zone is still difficult.
        * Reading multiline b64 encoded rdata works.
        * OpenSSL was made optional, configure --without-ssl.
          Of course all dnssec/tsig related functions are disabled
        * Building of examples and drill now happens with the same
          defines as the building of ldns itself.
        * Preliminary sha-256 support was added. Currently, if your
          OpenSSL supports it, it is supported in the DS creation.
        * ldns_resolver_search was implemented
        * Fixed a lot of bugs

        Drill:
        * -r was killed in favor of -o <header bit mnemonic> which
          allows for a header bits setting (and maybe more in the
          future)
        * DNSSEC is never automatically set, even when you query
          for DNSKEY/RRSIG or DS.
        * Implement a crude RTT check, it now distinguishes between
          reachable and unreachable.
        * A form of secure tracing was added
        * Secure Chasing has been improved
        * -x does a reverse lookup for the given IP address

        Examples:
        * ldns-dpa was added to the examples - this is the Dns Packet
          Analyzer tool.
        * ldnsd - a very, very simple nameserver impl.
        * ldns-zsplit - split zones for parallel signing
        * ldns-zcat - cat split zones back together
        * ldns-keyfetcher - Fetches DNSKEY records with a few (non-strong,
          non-DNSSEC) anti-spoofing techniques.
        * ldns-walk - 'Walks' a DNSSEC signed zone
        * Added an all-static target to the makefile so you can use examples
          without installing the library
        * When building in the source tree or in a direct subdirectory of
          the build dir, configure does not need --with-ldns=../ anymore

        Code:
        * All networking code was moved to net.c
        * rdata.c: added asserts to the rdf set/get functions
        * const keyword was added to pointer arguments that
          aren't changed

        API:
        Changed:
        * renamed ldns/dns.h to ldns/ldns.h
        * ldns_rr_new_frm_str() is extended with an extra variable which
          in common use may be NULL. This trickles through to:
                o ldns_rr_new_frm_fp
                o ldns_rr_new_frm_fp_l
          Which also get an extra variable
          Also the function has been changed to return a status message.
          The compiled RR is returned in the first argument.
        * ldns_zone_new_frm_fp_l() and ldns_zone_new_frm_fp() are
          changed to return a status msg.
        * ldns_key_new_frm_fp is changed to return ldns_status and
          the actual key list in the first argument
        * ldns_rdata_new_frm_fp[_l]() are changed to return a status.
          The rdf is returned in the first argument
        * ldns_resolver_new_frm_fp: same treatment: return status and
          the new resolver in the first argument
        * ldns_pkt_query_new_frm_str(): same: return status and the
          packet in the first arg
        * tsig.h: internally used functions are now static:
          ldns_digest_name and ldns_tsig_mac_new
        * ldns_key_rr2ds has an extra argument to specify the hash to
          use.
        * ldns_pkt_rcode() is renamed to ldns_pkt_get_rcode, ldns_pkt_rcode
          is now the rcode type, like ldns_pkt_opcode
        New:
        * ldns_resolver_searchlist_count: return the searchlist counter
        * ldns_zone_sort: Sort a zone
        * ldns_bgsend(): background send, returns a socket.
        * ldns_pkt_empty(): check if a packet is empty
        * ldns_rr_list_pop_rr_list(): pop multiple rr's from another rr_list
        * ldns_rr_list_push_rr_list(): push multiple rr's to an rr_list
        * ldns_rr_list_compare(): compare 2 ldns_rr_lists
        * ldns_pkt_push_rr_list: rr_list equiv for rr
        * ldns_pkt_safe_push_rr_list: rr_list equiv for rr
        Removed:
        * ldns_resolver_bgsend(): was not used in 1.0.0 and is not used now
        * ldns_udp_server_connect(): was faulty and isn't really part of
          the core ldns idea anyhow.
        * ldns_rr_list_insert_rr(): obsoleted, because not used.
        * char *_when was removed from the ldns_pkt structure

18 Oct 2005: 1.0.0: ldns-team
        * Committed a patch from Håkan Olsson
        * Added UPDATE support (Jakob Schlyter and Håkan Olsson)
        * License change: ldns is now BSD licensed
        * ldns now depends on SSL
        * Networking code cleanup, added (some) server udp/tcp support
        * A zone type is introduced. Currently this is a list
          of RRs, so it will not scale well.
        * [beta] Zonefile parsing was added
        * [tools] Drill was added to ldns - see drill/
        * [tools] experimental signer was added
        * [building] better check for ssl
        * [building] major revision of build system
        * [building] added rpm .spec in packaging/ (thanks to Paul Wouters)
        * [building] A lot of cleanup in the build scripts (thanks to Jakob Schlyter
          and Paul Wouters)

28 Jul 2005: 0.70: ldns-team
        * [func] ldns_pkt_get_section now returns copies from the rrlists
          in the packet. This can be freed by the user program
        * [code] added ldns_ prefixes to functions from util.h
        * [inst] removed documentation from default make install
        * Usual fixes in documentation and code

20 Jun 2005: 0.66: ldns-team
        Rel. Focus: drill-pre2 uses some functions which are
        not in 0.65
        * dnssec_cd bit function was added
        * Zone infrastructure was added
        * Usual fixes in documentation and code

13 Jun 2005: 0.65: ldns-team
        * Repository is online at:
          http://www.nlnetlabs.nl/ldns/svn/
        * Apply reference copying throughout ldns, except in 2
          places in the ldns_resolver structure (._domain and
          ._nameservers)
        * Usual array of bugfixes
        * Documentation added
        * keygen.c added as an example for DNSSEC programming

23 May 2005: 0.60: ldns-team
        * Removed config.h from the header installed files
          (you're not supposed to include that in a library)
        * Further tweaking
                - DNSSEC signing/verification works
                - Assorted bug fixes and tweaks (memory management)

May 2005: 0.50: ldns-team
        * First usable release
        * Basic DNS functionality works
        * DNSSEC validation works