Version 2.1.4 of OpenDNSSEC has been released on 2019-05-16.

News

The 2.1 release has been quite stable with a few corner case problems. However there is now a need for a release to fix an issue with zone signing that can potentially lead to missing signatures so definitely warrants a release.

The 2.1.4 release is available immediately from the download site, we urge you to upgrade. Also for installations still on the 1.4 release should consider upgrading as a number of incidents reported against 1.4 have not occurred on 2.1 installations due to better stability.

To make sure this release is picked out we will not include a fix that was to the issue for a double KSK roll. This fix is available on our develop branch, but includes more changes, and this fix needs to go out on its own.

Fixes

• OPENDNSSEC-904: autoconfigure fails to properly identify functions in ssl library on some distributions. This caused the “tsig unknown algorithm hmac-sha256″ error.
• OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer.

• SUPPORT-229: Missing signatures for key new while signatures for old key still present under certain kasp policies, leading to bogus zones. Root cause for bug existed but made prominent since 2.1.3 release.
• OPENDNSSEC-943: support build on MacOS with missing pthread barriers
• SUPPORT-229: fixed for too early retivement of signatures upon double rrsig key roll signing strategy.
• Strip build directory from doxygen docs, remove bashisms from ods-kasp2html.in
• The ods-signer and ods-signerd man page should be in section 8 not 22. Note that this might mean that package managers should remove the older man pages from the old location.

Download

• https://dist.opendnssec.org/source/opendnssec-2.1.4.tar.gz
• https://dist.opendnssec.org/source/opendnssec-2.1.4.tar.gz.sig
• Checksum SHA256: 77e85e417d1067a5e4529b636248875a9e2d1925d5e90f022449007e59d6a293

Version 2.5.0 of SoftHSM has been released.

Updates:

• Issue #323: Support for EDDSA with vendor defined mechanisms.
  (Patch from Francis Dupont)
• Issue #362: CMake Build System Support for SoftHSM.
  (Patch from Constantine Grantcharov)
• Issue #368: Support migrating 32-bit SoftHSMv1 DB on 64-bit system (LP64).
• Issue #385: Default is not to build EDDSA since it has not been released in OpenSSL.
• Issue #387: Windows: Add VS2017 detection to Configure.py.
  (Patch from Jaroslav Imrich)
• Issue #412: Replace PKCS11 headers with a version from p11-kit.
  (Patch from Alexander Bokovoy)

Bugfixes:

• Issue #366: Support cross-compilation.
  (Patch from Michael Weiser)
• Issue #377: Duplicate symbol error with custom p11test.
• Issue #386: Use RDRAND in OpenSSL if that engine is available.
• Issue #388: Update DBTests.cpp to fix x86 test failure.
  (Patch from tcely)
• Issue #393: Not setting CKA_PUBLIC_KEY_INFO correctly.
  (Patch from pkalapat)
• Issue #401: Wrong key and keyserver mentioned in installation documentation.
  (Patch from Berry A.W. van Halderen)
• Issue #408: Remove mutex callbacks after C_Finalize().
  (Patch from Alexander Bokovoy)

Download:

• softhsm-2.5.0.tar.gz
• softhsm-2.5.0.tar.gz.sig
• Checksum SHA1: 9b1072d9e12e1834e4f9518ec60a3e38aa92bc09
• Checksum SHA256: 92aa56cf45e25892326e98b851c44de9cac8559e208720e579bf8e2cd1c132b2

Version 2.4.0 of SoftHSM has been released.

Updates:

• Issue #135: Support PKCS#8 for GOST.
• Issue #140: Support for CKA_ALLOWED_MECHANISMS.
  (Patch from Brad Hess)
• Issue #141: Support CKA_ALWAYS_AUTHENTICATE for private key objects.
• Issue #220: Support for CKM_DES3_CMAC and CKM_AES_CMAC.
• Issue #226: Configuration option for Windows build to enable build with static CRT (/MT).
• Issue #325: Support for CKM_AES_GCM.
• Issue #334: Document that initialized tokens will be reassigned to another slot (based on the token serial number).
• Issue #335: Support for CKM_RSA_PKCS_PSS.
  (Patch from Nikos Mavrogiannopoulos)
• Issue #341: Import AES keys with softhsm2-util.
  (Patch from Pavel Cherezov)
• Issue #348: Document that OSX needs pkg-config to detect cppunit.
• Issue #349: softhsm2-util will check the configuration and report any issues before loading the PKCS#11 library.

Bugfixes:

• Issue #345: Private objects are presented to security officer in search results.
• Issue #358: Race condition when multiple applications are creating and reading object files.

Download:

• softhsm-2.4.0.tar.gz
• softhsm-2.4.0.tar.gz.sig
• Checksum SHA1: 398502be47a21deb7d10f259a7fc89a357d52ecd
• Checksum SHA256: 26aac12bdeaacd15722dc0a24a5a1981a3b711e61d10ac687a23ff0b7075da07

Version 2.1.3 of OpenDNSSEC has been released on 2017-08-10.

News

As of today version 2.1.3 of OpenDNSSEC has been released. No special migration steps are required when upgrading from a previous 2.x.x release. It includes fixes to the build system, some regressions w.r.t. OpenDNSSEC 1.4 and a signing bug.

Build fixes

• OPENDNSSEC-904: autoconfigure fails to properly identify functions in ssl library on some distributions. This caused the “tsig unknown algorithm hmac-sha256″ error.
• OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer.

Regressions

• OPENDNSSEC-508: Tag RolloverNotification was not functioning correctly
• OPENDNSSEC-901: Enforcer would ignore ManualKeyGeneration tag in conf.xml
• OPENDNSSEC-906: Tag AllowExtraction tag included from late 1.4 development

Bugs Fixed

• OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge of keys not being scheduled. The purge would happen but some time later than expected.
• OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
• OPENDNSSEC-908: Warn when TTL of resource record exceeds KASP’s MaxZoneTTL. Formerly the signer would cap such TTLs to prevent situations where those records could get bogus during ZSK rollover. However it has been realized that this can potentially lead to failing IXFRs. We intend to bring back this feature in the near future when our internal data representation allows this.

Download

• https://dist.opendnssec.org/source/opendnssec-2.1.3.tar.gz
• https://dist.opendnssec.org/source/opendnssec-2.1.3.tar.gz.sig
• Checksum SHA256: 3de2a03edc9e2b8c366bf0ab541004f984777d4813057cbba7a78045d8cbfe7e

Version 2.3.0 of SoftHSM has been released.

Updates:

• Issue #130: Upgraded to PKCS#11 v2.40.
  • Minor changes to some return values.
  • Added CKA_DESTROYABLE to all objects. Used by C_DestroyObject().
  • Added CKA_PUBLIC_KEY_INFO to certificates, private, and public key objects. Will be accepted from application, but SoftHSM will currently not calculate it.
• Issue #142: Support for CKM_AES_CTR.
• Issue #155: Add unit tests for SessionManager.
• Issue #189: C_DigestKey returns CKR_KEY_INDIGESTIBLE when key attribute CKA_EXTRACTABLE = false. Whitelist SHA algorithms to allow C_DigestKey in this case.
• Issue #225: Show slot id after initialization.
• Issue #247: Run AppVeyor (Windows CI) for each PR and merge.
• Issue #257: Set CKA_DECRYPT/CKA_ENCRYPT flags on key import to true. (Patch from Martin Domke)
• Issue #261: Add support for libeaycompat lib for FIPS on Windows. (Patch from Matt Hauck)
• Issue #262: Support importing ECDSA P-521 in softhsm-util.
• Issue #276: Support for Botan 2.0.
• Issue #279: Editorial changes from Mountain Lion to Sierra. (Patch from Mike Neumann)
• Issue #283: More detailed error messages when initializing SoftHSM.
• Issue #285: Support for LibreSSL. (Patch from Alon Bar-Lev)
• Issue #286: Update .gitignore. (Patch from Alon Bar-Lev)
• Issue #291: Change to enable builds and reports on new Jenkinks environment.
• Issue #293: Detect cppunit in autoconf. (Patch from Alon Bar-Lev)
• Issue #309: CKO_CERTIFICATE and CKO_PUBLIC_KEY now defaults to CKA_PRIVATE=false.
• Issue #314: Update README with information about logging.
• Issue #330: Adjust log levels for failing to enumerate object store. (Patch from Nikos Mavrogiannopoulos)

Bugfixes:

• Issue #216: Better handling of CRYPTO_set_locking_callback() for OpenSSL.
• Issue #265: Fix deriving shared secret with ECC.
• Issue #280: HMAC with sizes less than L bytes is strongly discouraged. Set a lower bound equal to L bytes in ulMinKeySize and check it when initializing the operation.
• Issue #281: Fix test of p11 shared library. (Patch from Lars Silvén)
• Issue #289: Minor fix of ‘EVP_CipherFinal_ex’. (Patch from Viktor Tarasov)
• Issue #297: Fix build with cppunit. (Patch from Ludovic Rousseau)
• Issue #302: Export PKCS#11 symbols from the library. (Patch from Ludovic Rousseau)
• Issue #305: Zero pad key to fit the block in CKM_AES_KEY_WRAP.
• Issue #313: Detecting CppUnit when using Macports. (Patch from mouse07410)

Download:

• softhsm-2.3.0.tar.gz
• softhsm-2.3.0.tar.gz.sig
• Checksum SHA1: 3b8bd84704fcec10e8e0571fbdf3d831e7802d14
• Checksum SHA256: 5ed604c89a3a6ef9d7d1ee92c28a2c4b3cd1f86f302c808e2d12c8f39aa2c127

Version 2.1.0 of OpenDNSSEC has been released on 2017-02-22.

News

OpenDNSSEC 2.1 development was focused on improving the daemon code for the Signer and Enforcer. As such it is much more a steady incremental improvement rather than revolutionary. With this style of development we hope that a migration from 1.4, for which an end-of-life is to be given, is facilitated.

Many of these changes are not directly visible but improve the handling and responsiveness or unify the Signer and Enforcer code bases. These improvements are not all mentioned in the issue list below because of their detail. Attention has been given to different roll-over methods and we now test fully with SoftHSMv2.

Migration

There are no migration steps needed from 2.0.x to 2.1.0. Version 1.4.10 can be migrated directly to 2.1.0 (see MIGRATION text file in tarball). Any version prior to 1.4.10 should upgrade to 1.4.10 first.

Features

• OPENDNSSEC-779: The Enforcer will now have an ‘enforce’ and ‘signconf’ task scheduled per zone. ‘Resalt’ tasks are scheduled per policy. This improves performance and parallelism since no longer all zones need to be evaluated for work to be done. Further parallelism improvements in the Enforcer are on our roadmap.
• OPENDNSSEC-681: When daemonizing the Signer and Enforcer daemons fork to the background. Since they are then no longer able to print messages to the console startup problems are harder to debug. Now, after the fork() call the parent process will wait for the daemon to signal successful start and will print relevant error messages in case it doesn’t.
• OPENDNSSEC-479: On sending notifies and initiating zone transfers the signer will now use the first interface mentioned in the listener section of conf.xml. This way the interface selection is not left to the OS, which could cause outgoing packets have an unexpected source address if multiple interfaces have a route to the destination address.
• OPENDNSSEC-759: The Signer doesn’t need to access the HSM for every zone during startup anymore. This is done later by the worker threads. This way the signer starts quicker and is earlier available for user input.
• OPENDNSSEC-450: Implement support for ECDSA P-256, P-384 and GOST. To be able to use this your HSM should have support as well. SoftHSMv2 can be compiled with support for these.
• OPENDNSSEC-503: When adding a new zone to OpenDNSSEC the Enforcer is a little less conservative and will add signatures and keys to the zone in one go. Thereby mimicking OpenDNSSEC 1.4. Effectively new zones are earlier fully signed by the TTL of the DNSKEY set.
• A bash autocompletion script is included in contrib for ods-enforcer and ods-signer. Commands, parameters, zone names and key identifiers can be autocompleted from the command line.

Further Improvements

• OPENDNSSEC-530: The tag for the Enforcer in conf.xml has been unused and deprecated in 2.0. since 2.1 this tag is no longer allowed to be specified.
• Show help for ods-enforcer-db-setup with -h or –help
• OPENDNSSEC-836: If the listening port for Signer is not set in conf.xml file, the default value “15354” is used.
• OPENDNSSEC-864: ods-signer didn’t print help. Also –version and –socket options where not processed.
• OPENDNSSEC-858: OpenDNSSEC 2.0 did print “completed in x seconds” to stderr for enforcer commands. This line is removed.
• SUPPORT-208: Running ‘ods-enforcer key export’ included a comment string with key properties. This is dropped to aid parsing.
• OPENDNSSEC-552: By default ‘ods-enforcer key export –ds’ included the SHA1 version of the DS. SHA1 use is discouraged in favour of SHA256. To get the SHA1 DS use the –sha1 flag. This flag is immediately deprecated and will be removed from future versions of OpenDNSSEC.
• OPENDNSSEC-465: ods-kaspcheck warns about algorithm mismatch between keys.
• When a zone is deleted the Enforcer now properly removes all tasks associated with that zone from its task queue.
• In the key section of the kasp.xml file, the algorithm length is no longer optional. For ECDSA and GHOST keys this value is ignored.
• The Enforcer and the Signer now have a HSM key cache shared between their threads so no longer every thread needs to iterate over all keys, which can potentially be very slow for some HSMs.
• OPENDNSSEC-721: Our integration testing environment now uses SoftHSMv2 instead of version one.
• OPENDNSSEC-844: warning when lifetime of key is smaller than signature validity time.
• OPENDNSSEC-311: Installation can now set the right permissions on used files for a configurable user/group when not running OpenDNSSEC as root.
• OPENDNSSEC-593: More gracefully cope when zone configured for signer but signconf not yet available.
• OPENDNSSEC-600: Log critical error if key is not inserted due to policy parameters misconfiguration.
• OPENDNSSEC-694: Domain Names in the value/answer part of records (e.g. named referred to by PTR records) where mapped to lowercase.
• OPENDNSSEC-803 : Extensive logging on aborting the application.

Bugs Fixed

• OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
• SUPPORT-29: signer clear would assert when signconf wasn’t read yet.
• OPENDNSSEC-869: ds-seen command did not give error on badly formatted keytag.
• OPENDNSSEC-849: Crash on free of part of IXFR structure.
• OPENDNSSEC-601: signer and enforcer working dir would not properly fallback to default when not specified.
• OPENDNSSEC-689: Failure of daemon during startup is not logged.
• OPENDNSSEC-850: Date of new transition could temporarily be incorrect.
• OPENDNSSEC-851: Change in verbosity level not immediately propagated.
• Various memory leaks, resolving compiler warnings, and static code analysis.
• Libxml2 cleanup improvements (Thanks he32).

Download

• https://dist.opendnssec.org/source/opendnssec-2.1.0.tar.gz
• https://dist.opendnssec.org/source/opendnssec-2.1.0.tar.gz.sig
• Checksum SHA256: 0ec6094fd4cded58bcff872b251f1b004876b67c6650c38a4875018a18e38545

Version 2.2.0 of SoftHSM has been released.

Updates:

• Issue #143: Delete a token using softhsm2-util.
• Issue #185: Change access mode bits for /var/lib/softhsm/tokens/ to 1777. All users can now create tokens, but only access their own. (Patch from Rick van Rein)
• Issue #186: Reinitializing a token will now keep the token, but all token objects are deleted, the user PIN is removed and the token label is updated.
• Issue #190: Support for OpenSSL 1.1.0.
• Issue #198: Calling C_GetSlotList with NULL_PTR will make sure that there is always a slot with an uninitialized token available.
• Issue #199: The token serial number will be used when setting the slot number. The serial number is set after the token has been initialized. (Patch from Lars Silvén)
• Issue #203: Update the command utils to use the token label or serial to find the token and its slot number.
• Issue #209: Possibility to test other PKCS#11 implementations with the CppUnit test. (Patch from Lars Silvén)
• Issue #223: Mark public key as non private by default. (Patch from Nikos Mavrogiannopoulos)
• Issue #230: Install p11-kit module, to disable use –disable-p11-kit. (Patch from David Woodhouse)
• Issue #237: Add windows continuous integration build. (Patch from Peter Polačko)

Bugfixes:

• Issue #201: Missing new source file and test configuration in the Windows build project.
• Issue #205: ECDSA P-521 support for OpenSSL and better test coverage.
• Issue #207: Fix segmentation faults in loadLibrary function. (Patch from Jaroslav Imrich)
• Issue #215: Update the Homebrew install notes for OSX.
• Issue #218: Fix build warnings.
• Issue #235: Add the libtool install command for OSX. (Patch from Mark Wylde)
• Issue #236: Use GetEnvironmentVariable instead of getenv on Windows. (Patch from Jaroslav Imrich)
• Issue #239: Crash on module unload with OpenSSL. (Patch from David Woodhouse)
• Issue #241: Added EXTRALIBS to Windows utils project. (Patch from Peter Polačko)
• Issue #250: C++11 not detected.
• Issue #255: API changes in Botan 1.11.27.
• Issue #260: Fix include guard to check WITH_FIPS. (Patch from Matt Hauck)
• Issue #268: p11test fails on 32-bit systems.
• Issue #270: Build warning about “converting a string constant”.
• Issue #272: Fix C++11 check to look for unique_ptr. (Patch from Matt Hauck)

Download:

• softhsm-2.2.0.tar.gz
• softhsm-2.2.0.tar.gz.sig
• Checksum SHA1: e608099deb66c94f6f5ba65bca70ba2402e90a1a
• Checksum SHA256: eb6928ae08da44fca4135d84d6b79ad7345f408193208c54bf69f5b2e71f85f7

Version 1.3.8 of SoftHSM has been released.

Bugfixes:

• SOFTHSM-101: softhsm-keyconv creates files with sensitive material in insecure way. Also applies to softhsm-util when using –export or –optimize.
• SOFTHSM-104: Inconsistencies between v1 and v2.
• Issue #17: Use the MutexFactory wrapper functions correctly.

Download:

• softhsm-1.3.8.tar.gz
• softhsm-1.3.8.tar.gz.sig
• Checksum SHA1: f57b48adef2c50b14cd8b600043fe6e8ef8d2413
• Checksum SHA256: 2eaae3a01ec30241dacbc6c46abf1a78d7e54643e7793cf8a9be98fbe6b5953a

Version 1.4.12 of OpenDNSSEC has been released on 2016-10-17.

News

Hereby we announce the OpenDNSSEC 1.4.12 release. This is a bug fix release targeting a memory leak in the signer when being used in the “bump in the wire” model where the signer would send out notify messages and respond to IXFR requests for the signed zone. This typically would manifest itself with very frequent outgoing IXFRs over a longer period of time.
When upgrading from 1.4.10 (the 1.4.11 release was skipped) no migration steps are needed. For upgrading from earlier releases see the migration steps in the individual releases, most notably in 1.4.8.2. This version of OpenDNSSEC does however require a slightly less older minimal version of the library ldns.

Fixes

• OPENDNSSEC-808: Crash on query with empty query section (thanks HÃ¥vard Eidnes).
• SUPPORT-191: Regression, Must accept notify without SOA (thanks Christos Trochalakis).
• OPENDNSSEC-845: memory leak occuring when responding to IXFR out when having had multiple updates.
• OPENDNSSEC-805: Avoid full resign due to mismatch in backup file when upgrading from 1.4.8 or later.
• OPENDNSSEC-828: parsing zone list could show data from next zone when zones iterated on single line.
• OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other static code analysis cleanup
• OPENDNSSEC-847: Broken DNS IN notifications when pkt answer section is empty.
• OPENDNSSEC-838: Crash in signer after having removed a zone.
• Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
• Prevent responding to queries when not fully started yet.

Download

• https://dist.opendnssec.org/source/opendnssec-1.4.12.tar.gz
• https://dist.opendnssec.org/source/opendnssec-1.4.12.tar.gz.sig
• Checksum SHA256: 4ba6cf06fcd1131c1ed913d61959ddc90726ed5e4f153c90f45ec64445528a0c

Version 2.0.3 of OpenDNSSEC has been released on 2016-10-17.

News

Hereby we announce the OpenDNSSEC 2.0.3 release. Most of the changes are related to further smoothing the migration path from OpenDNSSEC 1.4 to 2.0. If you still need to migrate from 1.4.10 please migrate to 2.0.3 directly rather than via 2.0.1. Another important fix is a memory leak in the signer. It would cause a high memory usage for installations with very frequent outgoing IXFR’s.

Fixes

• OpenDNSSEC-839: update all no longer deletes zones or policies. Policy import now has a –remove-missing-policies option. (thanks David Peall)
• OpenDNSSEC-840: Fix migration script to correctly interpret SOA serial strategy.
• OPENDNSSEC-843: MaxZoneTTL defaults to 0 instead of 1 day.
• Migration script can handle converting a database with zones in rollover better.
• Fixed incorrect behaviour when more than 2 ZSKs involved in roll.
• SUPPORT-201: Remove old keys from converted DB.
• OPENDNSSEC-845: Memory leak on IXFR out.

Download

• https://dist.opendnssec.org/source/opendnssec-2.0.3.tar.gz
• https://dist.opendnssec.org/source/opendnssec-2.0.3.tar.gz.sig
• Checksum SHA256: ebeb5481d696cf83c21c5dfbecce6ab5dcc73df1a08573ef257f2f6fe10f6214