zkt 1.0 -- 15. June 2010

* feat	"/dev/urandom" check added to checkconfig()

* feat	Config compatibility switch (-C) added to zkt-conf

* feat	zkt-ls has a new switch -s to change the sorting of domains from
	subdomain before parent to subdomain below the parent

* feat	"zkt-ls -T" prints only the parent trust anchor

zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )

* feat	Several config parameters are now printed in a more consistent and
	user friendly form.
	SerialFormat "Incremental" can be abbreviated as "inc" on input.

* bug	Use of the AC_ARG_ENABLE macros changed so that they can also be
	used as "--disable-FEATURE" switches.

* port	No longer checking for malloc() in the configure script,
	mainly because the check only tests whether malloc(0) is allowed,
	which we do not need.

* port	--disable-color-mode added to configure script

* bug	Macro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac

* misc	man page zkt-keyman added

* misc	New command zkt-keyman added as replacement for dnssec-zkt's key
	management functionality

* misc	man page zkt-ls added

* port	Check for ncurses added to Makefile.in

* misc	Color mode (Option -C) added to zkt-ls (experimental)
	New source file tcap.c.

* misc	Deprecate the "single linked list" version of ZKT. The binary tree
	version has been the default for years, so the VERSION string no
	longer contains a "T".  Now, if someone insists on the singly linked
	list version (configure --disable-tree), an "S" is added to the
	version string.
	Anyway, the code for the singly linked list version no longer
	has the same functionality and will be removed in one of the later
	releases.

* misc	New command zkt-ls added as replacement for dnssec-zkt's key
	listing functionality

* func	New key algorithms RSASHA256 and RSASHA512 added to dki.[ch]
	and zconf.c
	New parameter NSEC3 added. Now it's possible to configure
	an NSEC3_OPTOUT zone.

* bug	Token parsing function gettok() fixed to recognize tokens
	with dashes ("zone-statistics" was seen as "zone").
	Thanks to Andreas Baess for finding this bug.

* bug	Fixed bug in (re)salting dynamic zones.
	sig_zone() and gensalt() need a parameter change for this

* func	New option -a added to zkt-conf

* func	In zconf.c CONF_TIMEINT parameters are now able to recognize
	"unset" values (represented internally as 0)

* func	Set Max_TTL to the signature lifetime for dynamic zones or if Max_TTL
	is less than 1.
	max_ttl checks in checkconfig() fixed.

* func	printconfigdiff() added to zconf.c and used by zkt-conf.
	Now local configs are printed as a diff to the site wide config.

* misc	man page zkt-signer.8 changed to new command syntax

* func	Per domain logging added. Use parameter LogDomainDir to
	enable it. For more details see file README.logging.

* func	distribute.sh supports the new action type "distkeys", but it is
	currently not used

* misc	LOG_FNAMETMPL changed and moved from config_zkt.h to log.h

* misc	Default SOA serial format changed from "Incremental"
	to "Unixtime"

* func	dnssec-signer command renamed to zkt-signer. Man page updated.

* func	New command zkt-conf added as replacement for dnssec-zkt -Z

* misc	timeint2str() is now global (zconf.c)

* func	zfparse.c - a rudimentary zone file parser
	scans minimum and maximum ttl values; adds $INCLUDE dnskey.db

zkt 0.99d -- Not released

* func	Option SIG_DnsKeyKSK for DNSKEY signing with KSK only
	added (only useful with BIND 9.7)

* misc	For BIND 9.7 compatibility:
	Run dnssec-signzone in compatibility mode ("-C") if
	SigGenerateDS is true.
	Run dnssec-keygen in compatibility mode ("-C -q")
	Add option -u to dnssec-signzone if NSEC3 chaining is requested

zkt 0.99c -- 1. Aug 2009

* misc	dnssec-signer command line option vars changed to storage
	class static.

* port	setenv() replaced by putenv() in misc.c

* misc	Install binaries in prefix/bin instead of $HOME/bin.
	Fixed some spelling errors in dnssec-signzone.8 and
	dnssec-zkt.8.
	Thanks to Mans Nilsson.

* port	timegm() check added to configure.ac

* misc	configure.ac, Makefile.in, and doc are now part of the distribution

* bug	off by one error fixed in splitpath()

* misc	is_dotfile() renamed to is_dotfilename() (misc.c)

* misc	inc_soaserial() sourced out to soaserial.c

* misc	reload() functions sourced out to nscomm.c

* bug	Introducing parameter "KeyAlgorithm" for both ZSK and
	KSK keys instead of separate KSK and ZSK algorithms.
	New functions dki_algo() and dki_findalgo().

* bug	Redirect stderr messages (in addition to stdout) of the
	dnssec-signzone command to the pipe.
	Pick up the last line of output for logging.

* misc	"Sig_GenerateDS" is no longer a hidden parameter.

* misc	"make clean" now removes the binary files
	New target "distclean" added to Makefile

* bug	Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
	Soderblum and Peter Norin for the patch)
	Changed all TIMEINT parameter values to long.

* bug	If someone changes the zone.db file in dynamic mode, this is treated
	the same way as an initial setup, so the zone.db file is used as the new
	input file (Thanks to Shane Wegner for this patch)

* bug	Option nsec3_param added to dnssec-signzone command for dynamic zones.

* func	New option "NamedChrootDir" added to dnssec.conf to specify the
	directory of a chrooted named. Without such an option
	"dnssec-signer -N named.conf" couldn't find the zone file directory.

* misc	Default ZSK lifetime set to 12 weeks instead of 3 months (30 days) to
	suppress the warning message about ZSK keysize of 512 bits.

zkt 0.98 -- 28. Dec 2008

* misc	Target "install-man" added to Makefile
	man files moved to sub directory "man"

* func	If a BIND version greater than or equal to 9.6.0 is used, option -d doesn't
	initiate a resigning of a zone. It's just for key rollover.

* func	New pseudo algorithms for NSEC3 DNSKEYS added.
	Support of NSEC3 hashing if a BIND version greater than or equal to 9.6.0
	is used. New parameter "SaltBits" added to the config file to
	set the salt length in bits (default is 24, which means 6 hex nibbles).
	The number of hash iterations is set to the default value of
	dnssec-signzone, which depends on the key size.
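
The following is an added illustration (not ZKT's own gensalt() or any code from this project) of what the SaltBits parameter above and the (re)salting fix in 1.0rc1 deal with: a salt of N bits becomes N/4 hex nibbles on the dnssec-signzone command line, and the salt is fed into the RFC 5155 NSEC3 owner-name hash. The function names gensalt, valid_saltbits and nsec3_hash are the author's choices for this example; the hashing steps follow RFC 5155 section 5 and can be checked against the test vectors in its Appendix A.

```python
import base64
import hashlib
import secrets

# base32 (RFC 4648) -> base32hex alphabet, which NSEC3 owner names use
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def valid_saltbits(bits: int) -> bool:
    """A salt is passed to dnssec-signzone as hex, so it must be a whole
    number of nibbles; RFC 5155 also limits the salt to 255 octets."""
    return bits > 0 and bits % 4 == 0 and bits <= 255 * 8


def gensalt(bits: int = 24) -> str:
    """Draw a fresh random salt of `bits` bits and return it as upper-case hex.
    24 bits -> 6 nibbles, the default mentioned above.  The salt is public
    data (it is published in the NSEC3PARAM record); it only has to be
    unpredictable so precomputed hash tables cannot be reused across zones,
    hence a CSPRNG and a new value on every resalting."""
    if not valid_saltbits(bits):
        raise ValueError("SaltBits must be a positive multiple of 4, at most 2040")
    nibbles = bits // 4
    # token_hex(n) yields 2*n nibbles; trim in case an odd nibble count was asked for
    return secrets.token_hex((nibbles + 1) // 2)[:nibbles].upper()


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire format of an owner name, as RFC 5155 requires."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), iterated `iterations`
    more times, result base32hex-encoded (lower case here, as in the RFC)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


if __name__ == "__main__":
    salt = gensalt(24)
    print("salt:", salt, "->", nsec3_hash("example.", salt, 12))
```

Because the salt is part of the hash input, every resalting changes all NSEC3 owner names in the zone, which is why the whole chain has to be regenerated rather than only the changed names.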

* misc	Renaming of all example zone directories so that the directory
	name does not end with a dot (necessary for installing the
	source tree in an MS-Windows environment).
	str_tolowerdup() renamed to domain_canonicdup() and code added
	to append a dot to the domain name if it's not already there.

* misc	Add 'sec' (second) qualifier to debug output in kskrollover().

* bug	Remove a trailing '/' from the -D argument.

* misc	Configure script now uses the BIND_UTIL_PATH out of config_zkt.h
	if the BIND dnssec-signzone command is not found

* bug	A zone with only a standby key signing key (which means w/o an
	active KSK) aborts the dnssec-signer command.
	Fixed by Shane Kerr.

* func	Changed inc_serial() so that the SOA record parser accepts a label
	other than '@' and an optional ttl value before the class and SOA
	RR identifier (both are case insensitive). Thanks to Shane Kerr
	for the suggestion.

* bug	Change of the globally configured key lifetime during a zone signing
	key rollover results in unnecessary additional pre-published
	zone signing keys (Thanks to Frank Behrens for the patch)

* misc	Sig_Random config file parameter now defaults to false

* bug	The man page refers to the wrong licence (GPL instead of BSD)

zkt 0.97 -- 5. Aug 2008

* bug	LG_* logging level wasn't mapped to syslog level in lg_mesg().
	gettok() in ncparse.c did not recognize C single line comments "//"
	(Thanks to Frank Behrens for finding this out)

* misc	dist_and_reload () now calls the "Distribute_Cmd" twice:
	First with argument "distribute" for signed zone file distribution,
	second with argument "reload" to initiate a reload.
	Again see example/flat/dist.sh for an example script.

* bug	full KSK rollover will (mostly) also work for dynamic zones
	This is a hack and requires further investigation. Currently
	it will not work if someone is using non standard zone file
	names.

* misc	default ZSK lifetime set to 3 months

* misc	get_mtime() renamed to file_mtime()

* func	is_exec_ok() added and called in dist_and_reload ()

* func	New parameter "Distribute_Cmd" added for specifying a user
	defined distribution (and reload) command (See example/flat/dist.sh).

* misc	Changed wording to be a bit more consistent with
	draft-gudmundsson-life-of-dnskey-00.txt
	- State of published key is printed as "pub" instead of "pre"
	  by dnssec-zkt.
	- Option --pre-publish of dnssec-zkt changed to --published.
	- Changed wording in all comments and log messages from "pre-publish"
	  to "published".

* func	Highly experimental code to do a fully automatic KSK rollover
	in hierarchical mode.
	ksk_rollover() added in rollover.c; parameter change for ksk_status()

* misc	Changed name of "dnssec-soaserial" to "zkt-soaserial"

* bug	Fixed verbose logging error if -N or -D option was used

* func	Some LG_INFO messages added about key status change

* func	Removed the function to register a new KSK (zktr.[ch])

* misc	Changed licence from GNU GPLv2 to BSD licence

* bug	Fixed bug in logging of ZSK rollover

* misc	Changed tar file to a zipped one and archive the files with a
	toplevel directory

* bug	Fixed use of uninitialized vars in zconf.c (line)

* port	Preparation for use of autoconf
	- config.h renamed to config_zkt.h and change of include directives
	- conditional include of config.h
	- ./configure script is able to determine BIND utility path
	  (BIND_UTIL_PATH) and version (BIND_VERSION)
	- compile time options are settable via configure script (--enable-xxx)
	- For now, the configure script is not able to set the install dir.

* bug	KSK rollover phase2 did not trigger resigning of the parent
	(the parent file was copied to the parent directory only
	after child zone resigning)

* bug	fixed bad notice message in zskstatus ()

* func	dnssec-zkt -Z prints out syslog facility & level with
	upper case letters and without quotation marks

* func	Syslog facility DAEMON added

zkt 0.96 -- 19. June 2008

* func	Config file option "SIG_Parameter" added.

* func	Function verbmesg() added and used for verbose logging
	to stdout and/or to syslog resp. file.
	Config file parameter VerboseLog added to config file.

* bug	Option -O wasn't recognized by dnssec-signer

* func	Better support of initial setup of dynamically signed
	zones (just create an empty "zone.db.dsigned" file
	and run dnssec-signer with option -d).

* func	Improved error logging; incr_soa() errors are written
	as clear text messages instead of error numbers

* func	elog_mesg() function replaced by a more general
	logging mechanism.
	ErrorLog config parameter replaced by the LogFile,
	LogLevel, SyslogFacility and SyslogLevel parameters

* func	New function filesize() added

* func	dki_prt_trustedkey prints out the old key id if the key
	is revoked

* func	dki_new() writes gentime (GMT) and proposed key
	lifetime (days) as comment into the *.key file

* bug	Doing some housekeeping

zkt 0.95 -- 19. April 2008

* misc	This is not a publicly released version of zkt.

* func	All config file options are now settable via
	commandline option -O (--option or --config-option)

* misc	Function fatal() now has an exit code of 127.
	This is necessary because values from 1 to 64
	reflect the number of errors that occurred.

* func	Errorlog functionality added
	All dnssec-signer errors will be logged in the file
	specified by the Errorlog config file parameter or
	specified by the command line option -L (--errorlog).
	If a directory is given, then the logging will occur
	in a file within this directory which is named
	like "zkt-<current-date>.log".
	The dnssec-signer command has an exit code of 0 if
	no error occurred, an exit code of 127 on fatal errors,
	an exit code from 1 to 63 reflecting the number of errors
	that occurred, or an exit code of 64 if more than 63 errors
	occurred.
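
A signer that fails quietly from cron leaves a zone to expire its signatures, so the exit-code contract above is what a monitoring wrapper keys on. The following is an added example (not part of ZKT) of such a wrapper: classify_exit() maps the documented statuses to an alert decision, and run_signer() is an assumed convenience that executes whatever signer command path it is given (the name and argument list are this example's assumptions, not a fixed ZKT interface). Statuses the changelog does not define (65 to 126, or 128 and above as produced by a shell for signals) are reported as "unknown" rather than silently treated as success.

```python
import subprocess
from typing import Dict, Sequence, Union

FATAL_EXIT = 127        # fatal() exits with 127, per the entry above
ERROR_OVERFLOW_EXIT = 64  # "more than 63 errors"
MAX_COUNTED_ERRORS = 63


def classify_exit(code: int) -> Dict[str, Union[str, int, bool, None]]:
    """Translate a dnssec-signer exit status into a monitoring verdict.

    0            -> ok
    1..63        -> that many errors
    64           -> more than 63 errors
    127          -> fatal error (e.g. bad configuration)
    anything else-> not part of the documented contract; alert anyway
    """
    if code == 0:
        return {"status": "ok", "errors": 0, "alert": False}
    if 1 <= code <= MAX_COUNTED_ERRORS:
        return {"status": "errors", "errors": code, "alert": True}
    if code == ERROR_OVERFLOW_EXIT:
        return {"status": "errors", "errors": ">63", "alert": True}
    if code == FATAL_EXIT:
        return {"status": "fatal", "errors": None, "alert": True}
    return {"status": "unknown", "errors": None, "alert": True}


def summarize(results: Sequence[Dict]) -> Dict[str, int]:
    """Roll several signer runs (e.g. one per view) up into counts per status."""
    out: Dict[str, int] = {}
    for r in results:
        out[r["status"]] = out.get(r["status"], 0) + 1
    return out


def run_signer(argv: Sequence[str]) -> Dict:
    """Run the signer command given in argv and classify its exit status.
    Assumed helper: argv is whatever the site uses, e.g. ("dnssec-signer", "-v").
    stderr is captured so a fatal message can be attached to the alert."""
    proc = subprocess.run(list(argv), capture_output=True, text=True)
    verdict = classify_exit(proc.returncode)
    verdict["exit_code"] = proc.returncode
    verdict["last_line"] = (proc.stderr or proc.stdout).strip().splitlines()[-1:] or [""]
    return verdict


if __name__ == "__main__":
    # Example invocation (assumed command line); prints the verdict for a cron mail
    print(run_signer(("dnssec-signer", "-v")))
```

Note that fatal() is deliberately above the 1..64 error-count range, so a wrapper must not treat "exit code > 0" as "N errors" without this mapping.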

* func	dnssec-signer: Introducing long options

* bug	New script added to example/views directory to
	read in the right config file

* func	New option -f (--lifetime) and -F (--setlifetime)
	added to dnssec-zkt.

* func	New option -e (--expire) added to dnssec-zkt.
	(It seems that the dnssec-zkt command is a little
	bit overloaded with options.)

* func	dki.c and zkt.c support storage of key lifetime,
	generation time and expiration time as a comment in the
	.key file.  With this, it's possible to change the default
	lifetime without any impact on already used keys.

zkt 0.94 -- 6. Dec 2007

* bug	Case mismatch of zone name and key file name prevents
	dki_read() from reading the key.
	Thanks to Alan Clegg for finding this out.
	Added some additional error processing and convert
	zone name to lower case.

* misc	Builtin default for KSK_randfile changed
	from NULL to "/dev/urandom".

* bug	dnssec-signer has to use private keys for signing
	even if the revoke bit is set.
	To achieve this the file pattern K*.private is added
	to the dnssec-signzone run.

* bug	Uninitialized variable "len" in sign_zone().

* func	Default config file is settable via environment
	variable ZKT_CONFFILE

* func	Support of views added
	Link dnssec-zkt to dnssec-zkt-<view> and
	dnssec-signer to dnssec-signer-<view>.
	Option -V and --view added to dnssec-zkt.
	Option -V added to dnssec-signer.
	View support added to parse_namedconf().

zkt 0.93 -- 1. Nov 2007

* func	The KSK registration mechanism is disabled by
	default (see REG_URL in config.h).

* func	Basic support for revoke flag added (RFC5011).
	Semantics of option -R of dnssec-zkt changed.

* func	Undocumented option -S changed to lower case.
	Pre-published KSK will be shown as "standby" key.
	New Option -S (standby) for pre-publish KSK.

* func	New command dnssec-soaserial added.

* bug	dnssec-signer does not print the incremented serial
	number anymore.
	time2str() fixed bug in time format (HAS_STRFTIME=0).

* port	New build dependencies "solaris", "macos" and "help"
	added to Makefile.

zkt 0.92 -- 1. Oct 2007

* func	Parameter "Serialformat" in dnssec.conf added.
	Now it is possible to use the unixtime format for
	the SOA serial number. If you use BIND 9.4 or
	greater in conjunction with this, then there is no
	need for the special SOA serial formatting in
	the zonefile. (Thanks to Jakob Schlyter for the
	-N option of dnssec-signzone and the suggestion to
	add the unixtime support to zkt)
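
The two serial formats named here (and the 1.0rc1 change of the default from "Incremental" to "Unixtime") are worth seeing side by side, because a secondary only transfers a zone whose new serial is "greater" in RFC 1982 serial arithmetic, not in plain integer order. The code below is an added example and not ZKT's serial handling: serial_gt() is the RFC 1982 comparison, and next_serial() produces the next serial for either format, falling back to old+1 when a clock-derived value would not count as newer (for instance a date-style serial such as 2010061501 is numerically far ahead of the 2010 epoch time). That fallback is this example's design choice, not a statement about what zkt-soaserial does.

```python
import time

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'greater than' serial b?
    Handles wrap-around: 1 is greater than 4294967295, but 2010061501
    is not less than 1276560000 in the way a naive comparison suggests."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def next_serial(old: int, fmt: str, now: int = None) -> int:
    """Next SOA serial for the given format.

    "incremental" (abbreviation "inc" is accepted, as the 1.0rc1 entry
    allows on input): previous serial + 1, modulo 2^32.
    "unixtime": current epoch seconds, provided that value is newer in
    RFC 1982 terms; otherwise fall back to old + 1 so secondaries still
    notice the change (example's own fallback rule).
    """
    fmt = fmt.strip().lower()
    if fmt.startswith("inc"):
        return (old + 1) % SERIAL_MOD
    if fmt == "unixtime":
        now = int(time.time()) if now is None else now
        if serial_gt(now, old):
            return now
        return (old + 1) % SERIAL_MOD
    raise ValueError("unknown SerialFormat: %r" % fmt)


def transfer_will_happen(old: int, new: int) -> bool:
    """What a secondary checks before pulling the zone."""
    return serial_gt(new, old)


if __name__ == "__main__":
    old = 2010061501  # constructed date-style serial (YYYYMMDDnn)
    new = next_serial(old, "unixtime", now=1276560000)
    print(old, "->", new, "transfer:", transfer_will_happen(old, new))
```

The practical consequence for anyone switching an existing zone to the unixtime format: until the epoch time overtakes the old date-style serial the value cannot simply be replaced by time(), so check serial_gt() (or equivalently that secondaries report the new serial) after the first signing run in the new format.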

* func	Option --ksk-roll-stat added.

* port	Added macro HAS_GETOPT_LONG to support OSes
	lacking getopt_long() (e.g. solaris).
	Options -[01239] added.

* misc	Unused macro HAS_ULONG removed from config.h.
	Declaration of unsigned types moved from dki.h to
	config.h (so it will be available in _all_ source
	files). Thanks to Mans Nilsson.
	Unused macro isblank() (ncparse.c) removed.

* bug	In dosigning(): freeze the dynamic zone _before_ copying
	the zone file.

zkt 0.91 -- 1. Apr 2007

* doc	--ksk-rollover option added to usage().

* func	Some experimental code for dynamic zones added.
	New functions added: copyzonefile(), dyn_update_freeze().
	New option "-d" added.

zkt 0.90 -- 6. Dec 2006

* func	CHECK_RESIGN interval added to config.h.
	This is the dnssec-signer calling interval (at least 1 day or 86400 sec).

* func	New function dki_destroy() added; semantics of dk_remove()
	changed to rename the key files instead of physical deletion.

* doc	Setup of new example directory (flat and hierarchical).

* doc	dnssec-zkt man page updated.
	Added some comments in misc.c

* misc	function strtaint() renamed to str_untaint(),
	dki_keycmp() renamed to dki_tagcmp().

* func	New parameter key_ttl added to dnssec.conf.
	New func dki_prt_dnskeyttl () added.
	Now dnskey.db is written with the key_ttl value.

* func	dnssec-signer: In hierarchical mode sign_zone() copies the
	parent-file (if such a file exists) instead of the
	keyset-file to the parent directory.

* func	dnssec-zkt: Option --ksk-roll-phase[123] and function
	ksk_rollover() added.

* misc	zconf: default values for sigvalidity, resign_int etc. changed,
	new dnssec.conf example file created.

* func	dnssec-zkt: Long option support added.

zkt 0.83 -- 11. Sep 2006

* bug	dosigning(): Fixed a bug in the earlier fix for printing an undefined
	serial number if incr_serial() failed. (Thanks to Randy McCasskill).

zkt 0.82 -- 8. Sep 2006

* bug	Use option -e for dnssec-keygen calls in dki_new(), because
	an RSA exponent of 3 is vulnerable.

* bug	dosigning(): Fixed bug in printing an undefined serial
	number if incr_serial() failed.

zkt 0.81 -- 13. July 2006

* bug	The function ceatekey() won't work with USE_TREE.
	Size of MAX_DNAME increased.

zkt 0.8 -- 09. July 2006

* func	A hierarchical directory structure with subdomains stored in
	subfolders of the parent domain is now allowed. Added copyfile(),
	cmpfile() and new_keysetfiles() for that.

* func	Config parameter added to choose whether the domain name is
	listed right or left justified by dnssec-zkt (printkeyinfo).

* func	New class of key added ("sep"). A SEP key is a (public) key file
	without the private counterpart. So we can use the key solely
	as a secure entry point. (dki.h, dki_read).

zkt 0.70 -- 15. Sep 2005

* func	Experimental code added to use a binary search tree instead of a
	singly linked list. This is mainly a performance improvement for large
	sites. If you don't want to use it, set USE_TREE in config.h to zero.
	In the first step only dnssec-zkt uses the new data structure.
	The tree is built over the domain names and each node is the starting point
	of a linked list of keys.
	As a result, it's not possible anymore to search on key tags only. You have
	to specify the domain name plus the tag. :-(

* func	Function parseurl added.

* func	Experimental code to register a new KSK. Currently it's more like
	a key announcement because of the lack of identification and
	authentication.

zkt 0.65 -- 22. Aug 2005

* misc	Rewrite of the domaincmp() function. Now it's roughly 2 times faster.
	After some additional changes and the compiler option -O3, running
	dnssec-zkt over the ~12000 zones takes only about a minute:
		$ time dnssec-zkt -z -r sec > /dev/null
		real    0m58.287s
		user    0m54.610s
		sys     0m3.680s

* func	A keyset directory is introduced (experimental)
	The parameter -d is added to the call of the dnssec-signzone command
	if the config option KeySetDir is set.
	As a result, all dsset-, keyset- and dlvset- files are stored in one directory.
	The advantage is that the chain of trust of all local subzones is built
	automatically (This is the reason why we sort the zones with the child zones
	first).
	The disadvantage is that we store many files in a single directory (3 files
	per zone).

zkt 0.64 -- 1. Aug 2005

* bug	The code for option -Z of dnssec-zkt should be executed before we read the
	complete directory tree. This is useful if we have a very deep directory
	structure and the recursive flag is switched on.

* func	SIG_Pseudorand parameter added.

* func	([KZ]SK)|(SIG)_randfile parameter added.

* func	Measure the time used for signing each zone.

* bug	function logflush() added to misc.c and called by dosigning().

* misc	Some performance tests made:
	- Directory structure "sec/<firstletter>/domain" with roughly 12200 domains
	- One of the domains is a big one (~ 820000 RRs), the others are mostly very small ones
	- We use a DSA key with 704 bits as KSK and an RSAMD5 key with 512 bits as ZSK on each domain.
	- All tests made on a Sun Fire V440 with 4 CPUs and 4x2GB main memory

		# sequential signing of all zones
		$ time dnssec-signer -v -v -f -D sec
		real	434m	(~ 7h 14min)
		user	188
		sys	175

		# with option -p and -r /dev/urandom
		$ time dnssec-signer -v -v -f -D sec > log
		real	96m28.306s
		user	290m41.980s
		sys	6m13.790s

		# one process for each firstletter subdirectory
		$ time par_signer.sh
		real	394m12.334s
		user	295m58.390s
		sys	786m42.479s

		# with option -p and -r /dev/urandom
		$ time par_signer.sh
		real	78m49.323s
		user	284m58.350s
		sys	5m39.340s

		$ time dnssec-zkt -z -r sec > /dev/null
		real	2m5.722s
		user	2m0.060s
		sys	0m4.510s

		# signing the big (820000 RR) domain only
		$ time dnssec-signer -v -v -f -D sec/b/big-domain
		real	196m23.165	(~ 3h 16min)
		user	176m57.610
		sys	167m27.570

		# with option -p and -r /dev/urandom
		$ time dnssec-signer -v -v -f -D sec/b/big-domain
		real	49m53.152
		user	173m59.520
		sys	1m40.150

zkt 0.63 -- 14. June 2005

* bug	allow TTL value in keyfiles (see TTL_IN_KEYFILES_ALLOWED
	in dki_readfile()).

* misc	function strchop() added to misc.c.

zkt 0.62 -- 13. May 2005

* func	dnssec-signer: Option -o added.
	Now it works a bit more like dnssec-signzone.

* func	strlist.c: prepstrlist and unprepstrlist functions get a
	second parameter for the delimiter.

* bug	fixed some typos and inaccurate usage of symbolic constants.
	Doing some housekeeping.

zkt 0.61 -- 3. May 2005

* bug	local config file will not be mentioned if -N switch is used.

zkt 0.6 -- 1. May 2005

* doc	dnssec-signer: man page added.

* func	dnssec-signer: Print out a warning message if KSK lifetime is exceeded.

* func	dnssec-signer: Remaining arguments will be interpreted as zone names
	(in_strarr () added).

* func	dnssec-signer: Option -D added.

zkt 0.51 -- 8. April 2005

* func	dnssec-signer: Option -N added.

* func	dnssec-signer: change of keystatus from pre-published to active
	resets the timestamp of the key, so the age of the active key starts at 0.

* bug	prepstrlist: resulting string was not terminated with '\0'.

* bug	dnssec-signer: do signing if there are additional keys, or the
	status of any key has changed (function check_keytimestamp).

* func	dnssec-zkt: -l <list> option added.

* func	dnssec-zkt: -p flag defaults to on in key creation mode (-C).
