• OPENDNSSEC-228: Signer Engine: Make ‘ods-signer update’ reload signconfs even if zonelist has not changed.
• OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names (RFC 2317).
• OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite only, MySQL already has them.)
• OPENDNSSEC-246: Signer Engine: Warn if is in signer configuration, but ods-auditor is not installed.
• OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do then say so rather than display nothing which might be misinterpreted.

Bugfixes:

• OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA Minimum change.
• OPENDNSSEC-253: Enforcer: Fix “ods-ksmutil zone delete –all”

Download the tarball from: opendnssec-1.3.8.tar.gz

• Increased performance by adding more indexes to the database.
• Describe the usage of SO and user PIN in the README.

Bugfixes:

• Detect if a C++ compiler is missing.

Download the tarball from: softhsm-1.3.3.tar.gz

In collaboration with Nominet among others, .SE jointly developed the free OpenDNSSEC administration tool, which uses open source code, to significantly simplify the implementation of secure DNS, thus making the Internet more reliable. An initial beta version was launched in 2009 and has since been advanced.

The OpenDNSSEC company was formed in 2011 to support other top-level domain administrators in their use of the tool to manage DNSSEC. The company develops the software and offers training and support agreements.

“Nominet’s financial support is valuable to OpenDNSSEC AB in its efforts to develop the software and offer support to other top-level domain administrators who want to implement DNSSEC. OpenDNSSEC significantly simplifies the implementation process and will ultimately entail a more reliable Internet,” says Patrik Wallström, Acting President of OpenDNSSEC.

“It is fitting that as Nominet celebrates reaching 10 million .uk domains, that we are making this investment to protect the continued security and stability of the Internet. We recognise the importance of rolling out DNSSEC as widely as possible and for our own part, we are pleased to have successfully signed .uk at all levels. This investment represents a natural progression of our work as helping other top level domains to follow suit should help to ensure that DNSSEC is implemented more extensively.” says Roy Arends, Head of Research at Nominet.

More about the software and DNSSEC

OpenDNSSEC simplifies the management of DNSSEC, an extension of the Internet’s open directory service DNS, which prevents Internet and e-mail addresses from being manipulated and ensures that they lead to the right online destination. Using OpenDNSSEC, which .SE was involved in the development of, the necessary processes are automated to eliminate the need for manual management.

Under DNSSEC, Internet zones are cryptographically signed. When looking up a domain name, the signature is controlled using a key published by the party responsible for this zone.

OpenDNSSEC is available for free download at: http://www.opendnssec.org

For more information, please contact:

Patrik Wallström, Acting President of OpenDNSSEC AB (svb)
Telephone: +46 733 17 39 56
E-mail: patrik.wallstrom@iis.se

Maria Ekelund, Head of Communications at .SE
Telephone: +46 8-452 35 27, +46 70-777 44 87
E-mail: maria.ekelund@iis.se

For Nominet please contact Patrick Yiu at Brands2Life
nominetuk@brands2life.co.uk
+44 20 7592 1200

About .SE

.SE (The Internet Infrastructure Foundation) is a not-for-profit public-service organization that acts to promote the positive development of the Internet in Sweden. .SE is responsible for the Internet’s Swedish top-level domain, .se, encompassing domain-name registration and administration, as well as the technical operation of the national domain name registry. Proceeds from domain-name registrations are used to support projects that contribute to the Internet development in Sweden, through proprietary operations and the financing of independent projects. Read more at http://www.iis.se

About Nominet

Nominet is the not-for-profit organisation responsible for the smooth and secure running of the .uk infrastructure. A public service ethos drives everything we do – we strive to make the Internet an ever more trusted space for everyone who uses it.

As one of the world’s largest Internet registries, we maintain a ‘directory’ of domain names ending in.uk, and run the technology which locates the computer hosting the website or email address you are looking for.

Our public purpose is manifest in two principal investments – the independently run Nominet Trust and knowthenet.org.uk

• Auditor: The Auditor has been removed.
• Enforcer: Key label logging upon deletion (#192 Sebastian Castro)
• Enforcer: Stop multiple instances of the Enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
• Enforcer/ods-ksmutil: Use TTLs from KASP when generating DNSKEY and DS records for output.
• Enforcer/ods-ksmutil: Give a more descriptive error message if the tag in conf.xml does not match the database-backend set at compile time.
• ods-ksmutil: Add warnings on “key export –ds” if no active or ready keys were seen, or if both were seen (so a key rollover is happening).
• ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running “ods-ksmutil setup”
• ods-ksmutil: “zone delete” renames the signconf file; so that if the zone is put back the signer will not pick up the old file.
• ods-ksmutil: “key delete” added. It allows keys that are not currently in use to be deleted from the database and HSM.
• OPENDNSSEC-1: Enforcer: Check DelegationSignerSubmitCommand exists and can be executed by ods-enforcerd.
• OPENDNSSEC-10: ods-ksmutil: Include key size and algorithm in “key list” with -v flag.
• OPENDNSSEC-28: ods-ksmutil: “key list” shows next state with -v flag.
• OPENDNSSEC-35: ods-ksmutil: “rollover list -v” now includes more information on the KSKs waiting for the ds-seen command.
• OPENDNSSEC-83: ods-ksmutil: “key generate” now displays how many keys will be generated and presents the user with the opportunity to stop the operation.
• OPENDNSSEC-124: ods-ksmutil: Suppress database connection information when no -v flag is given.
• Signer Engine: Input and Output DNS Adapters.
• Signer Engine: Zonefetcher has been removed.

Known issues:

• Signer Engine: The backup files do not work correctly in this alpha release.

Bugfixes:

• Bugfix #246: Less confusing text for XML validation in ods-kaspcheck.
• ods-ksmutil: “update kasp” now reflects changes in policy descriptions.
• ods-ksmutil: Policy descriptions now have special characters quoted.
• ods-ksmutil: Fix typo in policy export with NSEC3.

The documentation for the new DNS adapters can be found here:
DOCSTRUNK/conf.xml
DOCSTRUNK/zonelist.xml
DOCSTRUNK/addns.xml

Download the tarball from: opendnssec-1.4.0a1.tar.gz

• OPENDNSSEC-215: Signer Engine: Always recover serial from backup, even if it is corrupted, preventing unnecessary serial decrementals.
• OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that the daemon will start after a power failure.

Bugfixes:

• ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
• OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
• OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators in the signer backup files and the HSM are out of sync.
• OPENDNSSEC-225: Fix problem with pid found when not existing.
• SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key material with leading zeroes. DNSSEC does not allow leading zeroes in key data. You are affected by this bug if your DNSKEY RDATA e.g. begins with “BAABA”. Normal keys begin with e.g. “AwEAA”. OpenDNSSEC will now sanitize incoming data before adding it to the DNSKEY. Do not upgrade to this version if you are affected by the bug. You first need to go unsigned, then do the upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not produce data with leading zeroes and the bug will thus not affect you.

Download the tarball from: opendnssec-1.3.7.tar.gz

• Update the README with information on moving the database between different architectures.

Bugfixes:

• Fix the destruction order of the Singleton objects.

Download the tarball from: softhsm-1.3.2.tar.gz

• OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to reconnect if it is not valid.
• OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of time, let worker wait with pushing sign operations until the queue is non-full.
• Signer Engine: Adjust some log messages.

Bugfixes:

• ods-control: Wrong exit status if Enforcer was already running.
• OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the help usage text.
• OPENDNSSEC-207: Signer Engine: Fix communication from a process not attached to a shell.
• OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing signed file to an intermediate file first.

Download the tarball from: opendnssec-1.3.6.tar.gz

• Auditor: Include the zone name in the log messages.
• ldns 1.6.12 is required for bugfixes.
• ods-ksmutil: Suppress database connection information when no -v flag is given.
• ods-enforcerd: Stop multiple instances of the enforcer running by checking for the pidfile at startup. If you want to run multiple instances then a different pidfile will need to be specified with the -P flag.
• ods-ksmutil: “zone delete” renames the signconf file; so that if the zone is put back the signer will not pick up the old file.
• Signer Engine: Verbosity can now be set via conf.xml, default is 3.

Bugfixes:

• Bugfix OPENDNSSEC-174: Configure the location for conf.xml with –config or -c when starting the signer.
• Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that becomes opt-out.
• Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
• Signer Engine: A file descriptor for sockets with value zero is allowed.
• Signer Engine: Only log messages about a full signing queue in debug mode.
• Signer Engine: Fix time issues, make sure that the internal serial does not wander off after a failed audit.
• Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms with extra long signature expiration dates. More information in separate announcement.

Download the tarball from: opendnssec-1.3.5.tar.gz

• The library is now installed in $libdir/softhsm/

Bugfixes:

• Do not give a warning about the schema version if the token  has not been initialized yet.
• The tools now return the correct exit code.

Download the tarball from: softhsm-1.3.1.tar.gz

Affected versions: ldns < 1.6.12 (32-bit)
Fixed versions: ldns >= 1.6.12 (32-bit)

Description:
The 32-bit version of ldns has code for converting days since epoch to the day of year. That code had a bug which handled the end of the year in the wrong way. The result of the bug was that some signatures got the intended validity period extended by a year. The signature will be reused by the Signer Engine until the key is rolled. However, the Enforcer is not aware that there exist signatures with such a long validity period. Any affected signature will thus have no post-publication of its corresponding DNSKEY, possibly resulting in validation failure. There is also the risk that the affected signature will be used in a replay attack.

Test for affected signatures:
The affected signatures can be spotted by reviewing your signed zone. E.g. by using the following command:
> grep “20121231[0-9]\{6\} 2011″ signed.zone.file

Remove the affected signatures:
If there are signatures in the zone with extra long validity periods, then it is recommended to recreate all of the signatures. This is done by clearing the internal storage of the Signer Engine. You then wait for the next scheduled re-sign, but you can also force an immediate re-sign (the second command below) to speed up the process:
> ods-signer clear <zone>
> ods-signer sign <zone>

Mitigate replay attacks:
Once the affected signatures are removed from the zone, it may also be advisable to roll your keys. If you have a non-static zone and are changing your zone data, then there is a chance for an attacker to replay old data since the signature is still valid. You need to assess the risk and possible cost of such an attack. If you need to mitigate such an attack, then you need to roll your keys. Rolling keys will invalidate any signatures that an attacker may have stored for later use. If the signature of the DNSKEY RRset was affected, then you also need to roll the KSK:
> ods-ksmutil key rollover –zone <zone> –keytype ZSK
> ods-ksmutil key rollover –zone <zone> –keytype KSK

Solution:
The issue has been fixed in ldns 1.6.12. You should upgrade ldns before the end of this year.