1.6.17 2014-01-10
    * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
      zone to be an NSEC3 (or its RRSIG) covering an empty non-terminal.
    * Add --disable-dane option to configure and check availability of the
      X509_check_ca function in openssl, which is needed for DANE.
    * bugfix #490: Get rid of type-punned pointer warnings.
      Thanks Adam Tkac.
    * Make sure executables are linked against libcrypto with the
      LIBSSL_LDFLAGS. Thanks Leo Baltus.
    * Miscellaneous prototype fixes. Thanks Dag-Erling Smørgrav.
    * README now shows preferred way to configure for examples and drill.
    * Bind to source address for resolvers. drill binds to source with -I.
      Thanks Bryan Duff.
    * -T option for ldns-dane that has specific exit status for PKIX
      validated connections without (secure) TLSA records.
    * Fix b{32,64}_{ntop,pton} detection and handling.
    * New RR type TKEY, but without operational practice.
    * New RR types HIP, NINFO, RKEY, CDS, EUI48, EUI64, URI, CAA and TA.
    * New output format flag (and accompanying functions) to print certain
      RR's as unknown type
    * -u and -U parameter for ldns-read-zone to mark/unmark a RR type
      for printing as unknown type
    * bugfix #504: GPOS RR has three rdata fields. Thanks Jelte Jansen.
    * bugfix #497: Properly test for EOF when reading key files with drill.
    * New functions: ldns_pkt_ixfr_request_new and
      ldns_pkt_ixfr_request_new_frm_str.
    * Use SNI with ldns-dane
    * bugfix #507: ldnsx Fix use of non-existent variables and not
      properly referring to instance variable. Patch from shussain.
    * bugfix #508: ldnsx Adding NSEC3PARAM to known/allowable RR type
      dictionary. Patch from shussain.
    * bugfix #517: ldns_resolver_new_frm_fp error when invoked using a NULL
      file pointer.
    * Fix memory leak in contrib/python: ldns_pkt.new_query.
    * Fix buffer overflow in fget_token and bget_token.
    * ldns-verify-zone NSEC3 checking from quadratic to linear performance.
      Thanks NIC MX (nicmexico.mx)
    * ldns-dane setup new ssl session for each new connect to prevent hangs
    * bugfix #521: drill trace continue on empty non-terminals with NSEC3
    * bugfix #525: Fix documentation of ldns_resolver_set_retry
    * Remove unused LDNS_RDF_TYPE_TSIG and associated functions.
    * Fix ldns_nsec_covers_name for zones with an apex only. Thanks Miek.
    * Configure option to build perl bindings: --with-p5-dns-ldns
      (DNS::LDNS is a contribution from Erik Ostlyngen)
    * bugfix #527: Move -lssl before -lcrypto when linking
    * Optimize TSIG digest function name comparison (Thanks Marc Buijsman)
    * Compare names case insensitive with ldns_pkt_rr_list_by_name and
      ldns_pkt_rr_list_by_name_and_type (thanks Johannes Naab)
    * A separate --enable for each draft RR type: --enable-rrtype-ninfo,
      --enable-rrtype-rkey, --enable-rrtype-cds, --enable-rrtype-uri and
      --enable-rrtype-ta
    * bugfix #530: Don't sign and verify duplicate RRs (Thanks Jelte Jansen)
    * bugfix #505: Manpage and usage output fixes (Thanks Tomas Hozza)
    * Adjust ldns_sha1() so that the input data is not modified (Thanks
      Marc Buijsman)
    * Messages to stderr are now off by default and can be reenabled with
      the --enable-stderr-msgs configure option.

1.6.16 2012-11-13
    * Fix Makefile to build pyldns with BSD make
    * Fix typo in exporting b32_* symbols to make pyldns load again
    * Allow leaving the RR owner name empty in ldns-testns datafiles.
    * Fix failure to create NSEC3 bitmap for empty non-terminal (bug
      introduced in 1.6.14).

1.6.15 2012-10-25
    * Remove LDNS_STATUS_EXISTS_ERR from ldns/error.h to make ldns
      binary compatible with earlier releases again.

1.6.14 2012-10-23
    * DANE support (RFC6698), including ldns-dane example tool.
    * Configurable default CA certificate repository for ldns-dane with
      --with-ca-file=CAFILE and --with-ca-path=CAPATH
    * Configurable default trust anchor with --with-trust-anchor=FILE
      for drill, ldns-verify-zone and ldns-dane
    * bugfix #474: Define socklen_t when undefined (like in Win32)
    * bugfix #473: Dead code removal and resource leak fix in drill
    * bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
    * Various bugfixes from code reviews from CZ.NIC and Paul Wouters
    * ldns-notify TSIG option argument checking
    * Let ldns_resolver_nameservers_randomize keep nameservers and rtt's
      in sync.
    * Let ldns_pkt_push_rr now return false on (memory) errors.
    * Make buffer_export comply with documentation and fix buffer2str
    * Various improvements and fixes of pyldns from Karel Slany
      now documented in their own Changelog.
    * bugfix: Make ldns_resolver_pop_nameserver clear the array when
      there was only one.
    * bugfix #459: Remove ldns_symbols and export symbols based on regex
    * bugfix #458: Track all newly created signatures when signing.
    * bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
    * bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
    * pyldns memory handling fixes and the python3/ldns-signzone.py
      examples script contribution from Karel Slany.
    * bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed
      to be bigger (or equal) P in ldns_key_dsa2bin.
    * bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new.
    * bugfix #448: Copy nameserver value (instead of reference) of the
      answering nameserver to the answer packet in ldns_send_buffer, so
      the original value may be deep freed with the ldns_resolver struct.
    * New -0 option for ldns-read-zone to replace inception, expiration
      and signature rdata fields with (null). Thanks Paul Wouters.
    * New -p option for ldns-read-zone to prepend-pad SOA serial to take
      up ten characters.
    * Return error if printing RR fails due to unknown/null RDATA.

1.6.13 2012-05-21
    * New -S option for ldns-verify-zone to chase signatures online.
    * New -k option for ldns-verify-zone to validate using a trusted key.
    * New inception and expiration margin options (-i and -e) to
      ldns-verify-zone.
    * New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l
      functions.
    * New ldns_duration* functions (copied from OpenDNSSEC source)
    * fix ldns-verify-zone to allow NSEC3 signatures to come before
      the NSEC3 RR in all cases. Thanks Wolfgang Nagele.
    * Zero the correct flag (opt-out) when creating NSEC3PARAMS.
      Thanks Peter van Dijk.
    * Canonicalize RRSIG's Signer's name too when validating, because
      bind and unbound do that too. Thanks Peter van Dijk.
    * bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label
    * bugfix #432: Use LDNS_MALLOC & LDNS_FREE instead of malloc & free
    * bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT
    * bugfix #427: Explicitly link ssl with the programs that use it.
    * Fix reading \DDD: Error on values that are outside range (>255).
    * bugfix #429: fix doxyparse.pl fails on NetBSD because specified
      path to perl.
    * New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
    * fix verifying denial of existence for DS's in NSEC3 Opt-Out zones.
      Thanks John Barnitz

1.6.12 2012-01-11
    * bugfix #413: Fix manpage source for srcdir != builddir
    * Canonicalize the signers name rdata field in RRSIGs when signing
    * Ignore minor version of Private-key-format (so v1.3 may be used)
    * Allow a check_time to be given instead of always checking against
      the current time. With ldns-verify-zone the check_time can be set
      with the -t option.
    * Added functions for updating and manipulating SOA serial numbers.
      ldns-read-zone has an option -S for updating and manipulating the
      serial numbers.
    * The library Makefile is now GNU and BSD make compatible.
    * bugfix #419: NSEC3 validation of a name covered by a wildcard with
      no data.
    * Two new options (--with-drill and --with-examples) to the main
      configure script (in the root of the source tree) to build drill
      and examples too.
    * Fix days_since_epoch to year_yday calculation on 32-bit systems.

1.6.11 2011-09-29
    * bugfix #394: Fix socket leak on errors
    * bugfix #392: Apex only and percentage checks for ldns-verify-zone
      (thanks Miek Gieben)
    * bugfix #398: Allow NSEC RRSIGs before the NSEC3 in ldns-verify-zone
    * Fix python site package path from sitelib to sitearch for pyldns.
    * Fix python api to support python2 and python3 (thanks Karel Slany).
    * bugfix #401: Correction of date/time functions algorithm and
      prevention of an infinite loop therein
    * bugfix #402: Correct the minimum and maximum number of rdata fields
      in TSIG. (thanks David Keeler)
    * bugfix #403: Fix heap overflow (thanks David Keeler)
    * bugfix #404: Make parsing APL strings more robust
      (thanks David Keeler)
    * bugfix #391: Complete library assessment to prevent assertion errors
      through ldns_rdf_size usage.
    * Slightly more specific error messaging on wrong number of rdata
      fields with the LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG and
      LDNS_STATUS_MISSING_RDATA_FIELDS_KEY result codes.
    * bugfix #406: More rigorous openssl result code handling to prevent
      future crashes within openssl.
    * Fix ldns_fetch_valid_domain_keys to search deeper than just one level
      for a DNSKEY that signed a DS RR. (this function was used in the
      check_dnssec_trace nagios module)
    * bugfix #407: Canonicalize TSIG dnames and algorithm fields
    * A new output specifier to accommodate configuration of what to show
      in comment texts when converting host and/or wire-format data to
      string. All conversion to string and printing functions have a new
      version that has such a format specifier as an extra argument.
      The default is changed so that only DNSKEY RR's are annotated with
      a comment showing the Key Tag of the DNSKEY.
    * Fixed the ldns resolver to not mark a nameserver unreachable when
      edns0 is tried unsuccessfully with size 4096 (no return packet came),
      but to still try TCP. A big UDP packet might have been corrupted by
      fragment-dropping firewalls.
    * Update of libdns.vim (thanks Miek Gieben)
    * Added the ldnsx Python module to our contrib section, which adds even
      more pythonisticism to the usage of ldns with Python. (Many thanks
      to Christopher Olah and Paul Wouters)
      The ldnsx module is automatically installed when --with-pyldns is
      used when configuring, but may explicitly be excluded with the
      --without-pyldnsx option to configure.
    * bugfix #410: Fix clearing out temporary data on stack in sha2.c
    * bugfix #411: Don't let empty non-terminal NSEC3s cause assertion failure.

1.6.10 2011-05-31
    * New example tool added: ldns-gen-zone.
    * bugfix #359: Serial-arithmetic for the inception and expiration
      fields of a RRSIG and correctly converting them to broken-out time
      information.
    * bugfix #364: Slight performance increase of ldns-verifyzone.
    * bugfix #367: Fix to allow glue records with the same name as the
      delegation.
    * Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and*
      glue when the zone is opt-out.
    * bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations,
      ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too.
    * pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit
      of performance)
    * Better handling of reference variables in ldns_rr_new_frm_fp_l from
      pyldns, with a very nice generator function by Bedrich Kosata.
    * Decoupling of the rdfs in rrs in the python wrappers to enable
      the python garbage collector by Bedrich Kosata.
    * bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at
      build time and when used.
    * bugfix #383: Fix detection of empty nonterminals of multiple labels.
    * Fixed the omission of rrsets in nsec(3)s and rrsigs to all occluded
      names (instead of just the ones that contain glue only) and all
      occluded records on the delegation points (instead of just the glue).
    * Clarify the operation of ldns_dnssec_mark_glue and the usage of
      ldns_dnssec_node_next_nonglue functions in the documentation.
    * Added function ldns_dnssec_mark_and_get_glue as a really fast
      alternative for ldns_zone_glue_rr_list.
    * Fix parse buffer overflow for max length domain names.
    * Fix Makefile for U in environment, since wrong U is more common than
      deansification necessity.

1.6.9 2011-03-16
    * Fix creating NSEC(3) bitmaps: make array size 65536,
      don't add doubles.
    * Fix printout of escaped binary in TXT records.
    * Parsing TXT records: don't skip starting whitespace that is quoted.
    * bugfix #358: Check if memory was successfully allocated in
      ldns_rdf2str().
    * Added more memory allocation checks in host2str.c
    * python wrapper for ldns_fetch_valid_domain_keys by Bedrich Kosata.
    * fix to compile python wrapper with swig 2.0.2.
    * Don't fall back to SHA-1 when creating NSEC3 hash with another
      algorithm identifier, fail instead (no other algorithm identifiers
      are assigned yet).

1.6.8 2011-01-24
    * Fix ldns zone, so that $TTL definition matches RFC 2308.
    * Fix lots of missing checks on allocation failures and parse of
      NSEC with many types and max parse length in hosts_frm_fp routine
      and off by one in read_anchor_file routine (thanks Dan Kaminsky and
      Justin Ferguson).
    * bugfix #335: Drill: Print both SHA-1 and SHA-256 corresponding DS
      records.
    * Print correct WHEN in query packet (is not always 1-1-1970)
    * ldns-test-edns: new example tool that detects EDNS support.
    * fix ldns_resolver_send without openssl.
    * bugfix #342: patch for support for more CERT key types (RFC4398).
    * bugfix #351: fix udp_send hang if UDP checksum error.
    * fix set_bit (from NSEC3 sign) patch from Jan Komissar.

1.6.7 2010-11-08
    * EXPERIMENTAL ecdsa implementation, please do not enable on real
      servers.
    * GOST code enabled by default (RFC 5933).
    * bugfix #326: ignore whitespace between directives and their values.
    * Header comment to advertise ldns_axfr_complete to check for
      successfully completed zone transfers.
    * read resolv.conf skips interface labels, e.g. %eth0.
    * Fix drill verify NSEC3 denials.
    * Use closesocket() on windows.
    * Add ldns_get_signing_algorithm_by_name that understands aliases,
      names changed to RFC names and aliases for compatibility added.
    * bugfix: don't print final dot if the domain is relative.
    * bugfix: resolver search continue when packet rcode != NOERROR.
    * bugfix: resolver push all domains in search directive to list.
    * bugfix: resolver search by default includes the root domain.
    * bugfix: tcp read could fail on single octet recv.
    * bugfix: read of RR in unknown syntax with missing fields.
    * added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next()
      to sign and verify TSIG RRs on subsequent messages
      (section 4.4, RFC 2845, thanks to Michael Sheldon).
    * bugfix: signer signs nsecs with zsks only.
    * bugfix #333: fix ldns_dname_absolute for name ending with backslash.

1.6.6 2010-08-09
    * Fix ldns_rr_clone to copy question rrs properly.
    * Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone.
    * Fix ldns_wire2dname size check from reading 1 byte beyond buffer end.
    * Fix ldns_wire2dname from reading 1 byte beyond end for pointer.
    * Fix crash using GOST for particular platform configurations.
    * extern C declarations used in the header file.
    * Removed debug fprintf from resolver.c.
    * ldns-signzone checks if public key file is for the right zone.
    * NETLDNS, .NET port of ldns functionality, by Alex Nicoll, in contrib.
    * Fix handling of comments in resolv.conf parse.
    * GOST code enabled if SSL recent, RFC 5933.
    * bugfix #317: segfault util.c ldns_init_random() fixed.
    * Fix ldns_tsig_mac_new: allocate enough memory for the hash, fix use of
      b64_pton_calculate_size.
    * Fix ldns_dname_cat: size calculation and handling of realloc().
    * Fix ldns_rr_pop_rdf: fix handling of realloc().
    * Fix ldns-signzone for single type key scheme: sign whole zone if there
      are only KSKs.
    * Fix ldns_resolver: also close socket if AXFR failed (if you don't,
      it would block subsequent transfers) (thanks Roland van Rijswijk).
    * Fix drill: allow for a secure trace if you use DS records as trust
      anchors (thanks Jan Komissar).

1.6.5 2010-06-15
    * Catch \X where X is a digit as an error.
    * Fix segfault when ip6 ldns resolver only has ip4 servers.
    * Fix NSEC record after DNSKEY at zone apex not properly signed.
    * Fix syntax error if last label too long and no dot at end of domain.
    * Fix parse of \# syntax with space for type LOC.
    * Fix ldns_dname_absolute for escape sequences, fixes some parse errs.
    * bugfix #297: linking ssl, bug due to patch submitted as #296.
    * bugfix #299: added missing declarations to host2str.h
    * ldns-compare-zones -s to not exclude SOA record from comparison.
    * --disable-rpath fix
    * fix ldns_pkt_empty(), reported by Alex Nicoll.
    * fix ldns_resolver_new_frm_fp to not ignore lines after a comment.
    * python code for ldns_rr.new_question_frm_str()
    * Fix ldns_dnssec_verify_denial: the signature selection routine.
    * Type TALINK parsed (draft-ietf-dnsop-trust-history).
    * bugfix #304: fixed dead loop in ldns_tcp_read_wire() and
      ldns_tcp_read_wire_timeout().
    * GOST support with correct algorithm numbers. The plan is to make it
      enabled if openssl support is detected, but it is disabled by
      default in this release because the RFC is not ready.
    * Fixed comment in rbtree.h about being first member and data ptr.
    * Fixed possible leak in case of out of memory in ldns_native2rdf...
    * ldns_dname_is_wildcard added.
    * Fixed: signatures over wildcards had the wrong labelcount.
    * Fixed ldns_verify() inconsistent return values.
    * Fixed ldns_resolver to copy and free tsig name, data and algorithm.
    * Fixed ldns_resolver to push search onto searchlist.
    * A ldns resolver now defaults to a non-recursive resolver that handles
      the TC bit.
    * ldns_resolver_print() prints more details.
    * Fixed ldns_rdf2buffer_str_time(), which did not print timestamps
      on 64-bit systems.
    * Make ldns_resolver_nameservers_randomize() more random.
    * bugfix #310: POSIX specifies NULL second argument of gettimeofday.
    * fix compiler warnings from llvm clang compiler.
    * bugfix #309: ldns_pkt_clone did not clone the tsig_rr.
    * Fix gentoo ebuild for drill, 'no m4 directory'.
    * bugfix #313: drill trace on an empty nonterminal continuation.

1.6.4 2010-01-20
    * Imported pyldns contribution by Zdenek Vasicek and Karel Slany.
      Changed its configure and Makefile to fit into ldns.
      Added its dname_* methods to the rdf_* class (as is the ldns API).
      Changed swig destroy of ldns_buffer class to ldns_buffer_free.
      Declared ldns_pkt_all and ldns_pkt_all_noquestion so swig sees them.
    * Bugfix: parse PTR target of .tomhendrikx.nl with error not crash.
    * Bugfix: handle escaped characters in TXT rdata.
    * bug292: no longer crash on malformed domain names where a label is
      on position 255, which was a buffer overflow by one.
    * Fix ldns_get_rr_list_hosts_frm_fp_l (strncpy to strlcpy change),
      which fixes resolv.conf reading badly terminated string buffers.
    * Fix ldns_pkt_set_random_id to be more random, and a little faster,
      it did not do value 0 statistically correctly.
    * Fix ldns_rdf2native_sockaddr_storage to set sockaddr type to zeroes,
      for portability.
    * bug295: nsec3-hash routine no longer case sensitive.
    * bug298: drill failed nsec3 denial of existence proof.

1.6.3 2009-12-04
    * Bugfix: allow for unknown resource records in zonefile with rdlen=0.
    * Bugfix: also mark an RR as question if it comes from the wire
    * Bugfix: NSEC3 bitmap contained NSEC
    * Bugfix: Inherit class when creating signatures

1.6.2 2009-11-12
    * Fix Makefile patch from Havard Eidnes, better install.sh usage.
    * Fix parse error on SOA serial of 2910532839.
      Fix print of ';' and readback of '\;' in names, also for '\\'.
      Fix parse of '\(' and '\)' in names. Also for file read. Also '\.'
    * Fix signature creation when TTLs are different for RRs in RRset.
    * bug273: fix so EDNS rdata is included in pkt to wire conversion.
    * bug274: fix use of c++ keyword 'class' for RR class in the code.
    * bug275: fix memory leak of packet edns rdata.
    * Fix timeout procedure for TCP and AXFR on Solaris.
    * Fix occasional NSEC bitmap bogus
    * Fix rr comparing (was in reversed order since 1.6.0)
    * bug278: fix parsing HINFO rdata (and other cases).
    * Fix previous owner name: also pick up if owner name is @.
    * RFC5702: enabled sha2 functions by default. This requires OpenSSL 0.9.8 or higher.
      Reason for this default is the root to be signed with RSASHA256.
    * Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines
    * Fix: Make ldns_dname_is_subdomain case insensitive.
    * Fix ldns-verify-zone so that address records at zone NS set are not considered glue
      (Or glue records fall below delegation)
    * Fix LOC RR altitude printing.
    * Feature: Added period (e.g. '3m6d') support at explicit TTLs.
    * Feature: DNSKEY rrset by default signed with minimal signatures
      but -A option for ldns-signzone to sign it with all keys.
      This makes the DNSKEY responses smaller for signed domains.

1.6.1 2009-09-14
    * --enable-gost : use the GOST algorithm (experimental).
    * Added some missing options to drill manpage
    * Some fixes to --without-ssl option
    * Fixed quote parsing within strings
    * Bitmask fix in EDNS handling
    * Fixed non-fqdn domain name completion for rdata field domain
      names of length 1
    * Fixed chain validation with SHA256 DS records

1.6.0
  Additions:
    * Addition of an ldns-config script which gives cflags and libs
      values, for use in configure scripts for applications that
      use ldns. Can be disabled with ./configure --disable-ldns-config
    * Added direct sha1, sha256, and sha512 support in ldns.
      With these functions, all NSEC3 functionality can still be
      used, even if ldns is built without OpenSSL. Thanks to OpenBSD,
      Steve Reid, and Aaron D. Gifford for the code.
    * Added reading/writing support for the SPF Resource Record
    * Base32 functions are now exported
  Bugfixes:
    * ldns_is_rrset did not go through the complete rrset, but
      only compared the first two records. Thanks to Olafur
      Gudmundsson for report and patch
    * Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(),
      thanks to Marius Rieder for finding and patching this.
    * --without-ssl should now work. Make sure that examples/ and
      drill also get the --without-ssl flag on their configure, if
      this is used.
    * Some malloc() return value checks have been added
    * NSEC3 creation has been improved with respect to empty nonterminals,
      and opt-out.
    * Fixed a bug in the parser when reading large NSEC3 salt
      values.
    * Made the allowed length for domain names on wire
      and presentation format the same.
  Example tools:
    * ldns-key2ds can now also generate DS records for keys without
      the SEP flag
    * ldns-signzone now equalizes the TTL of the DNSKEY RRset (to
      the first non-default DNSKEY TTL value it sees)

1.5.1
  Example tools:
    * ldns-signzone was broken in 1.5.0 for multiple keys, this
      has been repaired

  Build system:
    * Removed a small erroneous output warning in
      examples/configure and drill/configure

1.5.0
  Bug fixes:
    * fixed a possible memory overflow in the RR parser
    * build flag fix for Sun Studio
    * fixed a building race condition in the copying of header
      files
    * EDNS0 extended rcode; the correct assembled code number
      is now printed (still in the EDNS0 field, though)
    * ldns_pkt_rr no longer leaks memory (in fact, it no longer
      copies anything at all)

  API addition:
    * ldns_key now has support for 'external' data, in which
      case the OpenSSL EVP structures are not used;
      ldns_key_set_external_key() and ldns_key_external_key()
    * added ldns_key_get_file_base_name() which creates a
      'default' filename base string for key storage, of the
      form "K<zone>+<algorithm>+<keytag>"
    * the ldns_dnssec_* family of structures now have deep_free()
      functions, which also free the ldns_rr's contained in them
    * there is now an ldns_match_wildcard() function, which checks
      whether a domain name matches a wildcard name
    * ldns_sign_public has been split up; this resulted in the
      addition of ldns_create_empty_rrsig() and
      ldns_sign_public_buffer()

  Examples:
    * ldns-signzone can now automatically add DNSKEY records when
      using an OpenSSL engine, as it already did when using key
      files
    * added new example tool: ldns-nsec3-hash
    * ldns-dpa can now filter on specific query name and types
    * ldnsd has fixes for the zone name, a fix for the return
      value of recvfrom(), and a memory initialization fix
      (Thanks to Colm MacCárthaigh for the patch)
    * Fixed memory leaks in ldnsd

1.4.1
  Bug fixes:
    * fixed a build issue where ldns lib existence was done too early
    * removed unnecessary check for pcap.h
    * NSEC3 optout flag now correctly printed in string output
    * inttypes.h moved to configured inclusion
    * fixed NSEC3 type bitmaps for empty nonterminals and unsigned
      delegations

  API addition:
    * for that last fix, we added a new function
      ldns_dname_add_from() that can clone parts of a dname

1.4.0
  Bug fixes:
    * sig chase return code fix (patch from Rafael Justo, bug id 189)
    * rdata.c memory leaks on error and allocation checks fixed (patch
      from Shane Kerr, bug id 188)
    * zone.c memory leaks on error and allocation checks fixed (patch
      from Shane Kerr, bug id 189)
    * ldns-zplit output and error messages fixed (patch from Shane Kerr,
      bug id 190)
    * Fixed potential buffer overflow in ldns_str2rdf_dname
    * Signing code no longer signs delegation NS rrsets
    * Some minor configure/makefile updates
    * Fixed a bug in the randomness initialization
    * Fixed a bug in the reading of resolv.conf
    * Fixed a bug concerning whitespace in zone data (with patch from Ondrej
      Sury, bug 213)
    * Fixed a small fallback problem in axfr client code

  API CHANGES:
    * added 2str convenience functions:
        - ldns_rr_type2str
        - ldns_rr_class2str
        - ldns_rr_type2buffer_str
        - ldns_rr_class2buffer_str
    * buffer2str() is now called ldns_buffer2str
    * base32 and base64 function names are now also prepended with ldns_
    * ldns_rr_new_frm_str() now returns an error on missing RDATA fields.
      Since you cannot read QUESTION section RRs with this anymore,
      there is now a function called ldns_rr_new_question_frm_str()

  LIBRARY FEATURES:
    * DS RRs string representation now add bubblebabble in a comment
      (patch from Jakob Schlyter)
    * DLV RR type added
    * TCP fallback system has been improved
    * HMAC-SHA256 TSIG support has been added.
    * TTLS are now correctly set in NSEC(3) records when signing zones

  EXAMPLE TOOLS:
    * New example: ldns-revoke to revoke DNSKEYs according to RFC5011
    * ldns-testpkts has been fixed and updated
    * ldns-signzone now has the option to not add the DNSKEY
    * ldns-signzone now has a (full zone only) opt-out option for
      NSEC3
    * ldns-keygen can create HMAC-SHA1 and HMAC-SHA256 symmetric keys
    * ldns-walk output has been fixed
    * ldns-compare-zones has been fixed, and now has an option
      to show all differences (-a)
    * ldns-read-zone now has an option to print DNSSEC records only

549 |
1.3 |
550 |
Base library: |
551 |
|
552 |
* Added a new family of functions based around ldns_dnssec_zone, |
553 |
which is a new structure that keeps a zone sorted through an |
554 |
rbtree and links signatures and NSEC(3) records directly to their |
555 |
RRset. These functions all start with ldns_dnssec_ |
556 |
|
557 |
* ldns_zone_sign and ldns_zone_sign_nsec3 are now deprecated, but |
558 |
have been changed to internally use the new |
559 |
ldns_dnssec_zone_sign(_nsec3) |
560 |
|
561 |
* Moved some ldns_buffer functions inline, so a clean rebuild of |
562 |
applications relying on those is needed (otherwise you'll get |
563 |
linker errors) |
564 |
* ldns_dname_label now returns one extra (zero) |
565 |
byte, so it can be seen as an fqdn. |
566 |
* NSEC3 type code update for signing algorithms. |
567 |
* DSA key generation of DNSKEY RRs fixed (one byte too small). |
568 |
|
569 |
* Added support for RSA/SHA256 and RSA/SHA512, as specified in |
570 |
draft-ietf-dnsext-dnssec-rsasha256-04. The typecodes are not |
571 |
final, and this feature is not enabled by default. It can be |
572 |
enabled at compilation time with the flag --with-sha2 |
573 |
|
574 |
* Added 2wire_canonical family of functions that lowercase dnames |
575 |
in rdata fields in resource records of the types in the list in |
576 |
rfc3597 |
577 |
|
578 |
* Added base32 conversion functions. |
579 |
|
580 |
* Fixed DSA RRSIG conversion when calling OpenSSL |
581 |
|
Drill:

* Chase output is completely different, it shows, in ascii, the
  relations in the trust hierarchy.
|
Examples:
* Added ldns-verify-zone, that can verify the internal DNSSEC records
  of a signed BIND-style zone file

* ldns-keygen now takes an -a argument specifying the algorithm,
  instead of -R or -D. -a list shows a list of supported algorithms

* ldns-keygen now defaults to the exponent RSA_F4 instead of RSA_3
  for RSA key generation

* ldns-signzone now has support for HSMs
* ldns-signzone uses the new ldns_dnssec_ structures and functions
  which improves its speed, and output; RRSIGS are now placed
  directly after their RRset, NSEC(3) records directly after the
  name they handle
|
Contrib:
* new contrib/ dir with user contributions
* added compilation script for solaris (thanks to Jakob Schlyter)
|
28 Nov 2007 1.2.2:
* Added support for HMAC-MD5 keys in generator
* Added a new example tool (written by Ondrej Sury): ldns-compare-zones
* ldns-keygen now checks key sizes for RFC conformance
* ldns-signzone outputs SSL error if present
* Fixed manpages (thanks to Ondrej Sury)
* Fixed Makefile for -j <x>
* Fixed a $ORIGIN error when reading zones
* Fixed another off-by-one error
|
03 Oct 2007 1.2.1:
* Fixed an offset error in rr comparison
* Fixed ldns-read-zone exit code
* Added check for availability of SHA256 hashing algorithm
* Fixed ldns-key2ds -2 argument
* Fixed $ORIGIN bug in .key files
* Output algorithms as an integer instead of their mnemonic
* Fixed a memory leak in dnssec code when SHA256 is not available
* Updated fedora .spec file
|
11 Apr 2007 1.2.0:
* canonicalization of rdata in DNSSEC functions now adheres to the
  rr type list in rfc3597, not rfc4035, which will be updated
  (see http://www.ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00183.html)
* ldns-walk now supports dnames with maximum label length
* ldnsd now takes an extra argument containing the address to listen on
* signing no longer signs every rrset with KSK's, but only the DNSKEY rrset
* ported to Solaris 10
* added ldns_send_buffer() function
* added ldns-testpkts fake packet server
* added ldns-notify to send NOTIFY packets
* ldns-dpa can now accurately calculate the number of matches per
  second
* libtool is now used for compilation too (still gcc, but not directly)
* Bugfixes:
  - TSIG signing buffer size
  - resolv.conf reading (comments)
  - dname comparison off by one error
  - typo in keyfetchers output file name fixed (a . too much)
  - fixed zone file parser when comments contain ( or )
  - fixed LOC RR type
  - fixed CERT RR type
|
Drill:
* drill prints error on failed axfr.
* drill now accepts mangled packets with -f
* old -c option (use tcp) changed to -t
* -c option to specify alternative resolv.conf file added
* feedback of signature chase improved
* chaser now stops at root when no trusted keys are found
  instead of looping forever trying to find the DS for .
* Fixed bugs:
  - wildcard on multiple labels signature verification
  - error in -f packet writing for malformed packets
  - made KSK check more resilient
|
7 Jul 2006: 1.1.0: ldns-team
* Added tutorials and an introduction to the documentation
* Added include/ and lib/ dirs so that you can compile against ldns
  without installing ldns on your system
* Makefile updates
* Starting usage of assert throughout the library to catch illegal calls
* Solaris 9 testing was carried out. Ldns now compiles on that
  platform; some gnuisms were identified and fixed.
* The ldns_zone structure was stress tested. The current setup
  (i.e. just a list of rrs) can scale to zone files in the order of
  megabytes. Sorting such a zone is still difficult.
* Reading multiline b64 encoded rdata works.
* OpenSSL was made optional, configure --without-ssl.
  Of course all dnssec/tsig related functions are disabled
* Building of examples and drill now happens with the same
  defines as the building of ldns itself.
* Preliminary sha-256 support was added. Currently, if your
  OpenSSL supports it, it is supported in the DS creation.
* ldns_resolver_search was implemented
* Fixed a lot of bugs
|
Drill:
* -r was killed in favor of -o <header bit mnemonic> which
  allows for a header bits setting (and maybe more in the
  future)
* DNSSEC is never automatically set, even when you query
  for DNSKEY/RRSIG or DS.
* Implement a crude RTT check, it now distinguishes between
  reachable and unreachable.
* A form of secure tracing was added
* Secure Chasing has been improved
* -x does a reverse lookup for the given IP address
|
Examples:
* ldns-dpa was added to the examples - this is the Dns Packet
  Analyzer tool.
* ldnsd - a very, very simple nameserver impl.
* ldns-zsplit - split zones for parallel signing
* ldns-zcat - cat split zones back together
* ldns-keyfetcher - Fetches DNSKEY records with a few (non-strong,
  non-DNSSEC) anti-spoofing techniques.
* ldns-walk - 'Walks' a DNSSEC signed zone
* Added an all-static target to the makefile so you can use examples
  without installing the library
* When building in the source tree or in a direct subdirectory of
  the build dir, configure does not need --with-ldns=../ anymore
|
Code:
* All networking code was moved to net.c
* rdata.c: added asserts to the rdf set/get functions
* const keyword was added to pointer arguments that
  aren't changed
|
API:
Changed:
* renamed ldns/dns.h to ldns/ldns.h
* ldns_rr_new_frm_str() is extended with an extra variable which
  in common use may be NULL. This trickles through to:
    o ldns_rr_new_frm_fp
    o ldns_rr_new_frm_fp_l
  Which also get an extra variable
  Also the function has been changed to return a status message.
  The compiled RR is returned in the first argument.
* ldns_zone_new_frm_fp_l() and ldns_zone_new_frm_fp() are
  changed to return a status msg.
* ldns_key_new_frm_fp is changed to return ldns_status and
  the actual key list in the first argument
* ldns_rdata_new_frm_fp[_l]() are changed to return a status.
  the rdf is returned in the first argument
* ldns_resolver_new_frm_fp: same treatment: return status and
  the new resolver in the first argument
* ldns_pkt_query_new_frm_str(): same: return status and the
  packet in the first arg
* tsig.h: internally used functions are now static:
  ldns_digest_name and ldns_tsig_mac_new
* ldns_key_rr2ds has an extra argument to specify the hash to
  use.
* ldns_pkt_rcode() is renamed to ldns_pkt_get_rcode, ldns_pkt_rcode
  is now the rcode type, like ldns_pkt_opcode
New:
* ldns_resolver_searchlist_count: return the searchlist counter
* ldns_zone_sort: Sort a zone
* ldns_bgsend(): background send, returns a socket.
* ldns_pkt_empty(): check if a packet is empty
* ldns_rr_list_pop_rr_list(): pop multiple rr's from another rr_list
* ldns_rr_list_push_rr_list(): push multiple rr's to an rr_list
* ldns_rr_list_compare(): compare 2 ldns_rr_lists
* ldns_pkt_push_rr_list: rr_list equiv for rr
* ldns_pkt_safe_push_rr_list: rr_list equiv for rr
Removed:
* ldns_resolver_bgsend(): was not used in 1.0.0 and is not used now
* ldns_udp_server_connect(): was faulty and isn't really part of
  the core ldns idea anyhow.
* ldns_rr_list_insert_rr(): obsoleted, because not used.
* char *_when was removed from the ldns_pkt structure
|
18 Oct 2005: 1.0.0: ldns-team
* Committed a patch from Håkan Olsson
* Added UPDATE support (Jakob Schlyter and Håkan Olsson)
* License change: ldns is now BSD licensed
* ldns now depends on SSL
* Networking code cleanup, added (some) server udp/tcp support
* A zone type is introduced. Currently this is a list
  of RRs, so it will not scale well.
* [beta] Zonefile parsing was added
* [tools] Drill was added to ldns - see drill/
* [tools] experimental signer was added
* [building] better check for ssl
* [building] major revision of build system
* [building] added rpm .spec in packaging/ (thanks to Paul Wouters)
* [building] A lot of cleanup in the build scripts (thanks to Jakob Schlyter
  and Paul Wouters)
|
28 Jul 2005: 0.70: ldns-team
* [func] ldns_pkt_get_section now returns copies from the rrlists
  in the packet. This can be freed by the user program
* [code] added ldns_ prefixes to functions from util.h
* [inst] removed documentation from default make install
* Usual fixes in documentation and code
|
20 Jun 2005: 0.66: ldns-team
Rel. Focus: drill-pre2 uses some functions which are
not in 0.65
* dnssec_cd bit function was added
* Zone infrastructure was added
* Usual fixes in documentation and code
|
13 Jun 2005: 0.65: ldns-team
* Repository is online at:
  http://www.nlnetlabs.nl/ldns/svn/
* Apply reference copying throughout ldns, except in 2
  places in the ldns_resolver structure (._domain and
  ._nameservers)
* Usual array of bugfixes
* Documentation added
* keygen.c added as an example for DNSSEC programming
|
23 May 2005: 0.60: ldns-team
* Removed config.h from the header installed files
  (you're not supposed to include that in a library)
* Further tweaking
  - DNSSEC signing/verification works
  - Assorted bug fixes and tweaks (memory management)
|
May 2005: 0.50: ldns-team
* First usable release
* Basic DNS functionality works
* DNSSEC validation works