Version 1.3.13 of OpenDNSSEC has now been released:

Bugfixes:

• OPENDNSSEC-388: Signer Engine: Internal serial should take into account  the inbound serial.
• OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while  signconf was not changed.
• Signer Engine: Fixed locking and notification on the drudge work queue,  signals could be missed so that drudgers would stall when there was work to  be done.

Download:

• opendnssec-1.3.13.tar.gz
• opendnssec-1.3.13.tar.gz.sig
• Checksum sha1: b71bf152efc07c9373f66498d14abb59ffb229d2
• Checksum sha256: 4d587882ffc68bca56d96807592366d1a87147d0b8aa518ccfd85b694c889a3f

**NOTE: This release is signed with the new OpenDNSSEC Distribution key (2013) available from: https://wiki.opendnssec.org/display/OpenDNSSEC/PGP

Version 1.4.0rc2 of OpenDNSSEC has now been released. This version is recommended for testing only, not for use in production environments.

Updates:

• OPENDNSSEC-350: Signer Engine: Better log message when IXFR is not ready for reading.
• OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly)

Bugfixes:

• SUPPORT-44: Signer Engine: Drop privileges after binding to socket [OPENDNSSEC-364].
• Signer Engine: XFR not ready should not be a fatal status for task read (thanks Ville Mattila).
• OPENDNSSEC-365: Enforcer: Nasty bug where KSKs could get prematurely retired.

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download:

• opendnssec-1.4.0rc2.tar.gz
• opendnssec-1.4.0rc2.tar.gz.sig
• Checksum sha1: 693fc66d81c39cb4856df59dee518d1224bf5a0f
• Checksum sha256: 0ac30e31f1bd391bc11387e9695918e63a6eb5c707fbe472c580871cd7920bf8

Version 1.4.0rc1 of OpenDNSSEC has now been released. This version is recommended for testing only, not for use in production environments.

Updates:

• OPENDNSSEC-359: Remove eppclient

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download the tarball from: opendnssec-1.4.0rc1.tar.gz

Version 1.4.0b2 of OpenDNSSEC has now been released. This version is recommended for testing only, not for use in production environments.

Updates:

• ods-ksmutil: Deprecate the one-step ‘key backup’ command
• OPENDNSSEC-292: Provide scripts to convert database between different supported formats
• OPENDNSSEC-299: ods-ksmutil: ods-ksmutil <enter> now includes policy import
• OPENDNSSEC-300: ods-ksmutil: policy purge documented with a warning
• OPENDNSSEC-315: “ods-hsmutil logout” will delete any credentials in the  shared memory.
• OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL should be set to zero.
• OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
• OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process

Bugfixes:

• SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
• OPENDNSSEC-349: Enforcer: Fix some memory leaks in the enforcer found by valgrind.
• OPENDNSSEC-353: Signer Engine: Add/remove NSEC3s for empty non-terminals between apex and  delegation when DS is added/removed.
• Signer Engine: Fixed locking and notification on the drudge work queue, signals could be missed  so that drudgers would stall when there was work to be done.
• libhsm: Fixed PIN handling on OpenBSD.
• Enforcer: If enabled enforcer workers and configured number of workers is 1,  make sure that enforcer runs the signer update command after signer  configuration change.
• Signer Engine: Don’t add double RRSIGs generated by the same key for the  DNSKEY RRset.
• Signer Engine: Rollback incompleted zone transfers on disk (could happen  if a connection was reset during transfer).
• Multi-threaded enforcer: various minor fixes including deadlock problems.

Documentation:

• OpenDNSSEC V1.4 Documentation
• New in OpenDNSSEC 1.4

Download the tarball from: opendnssec-1.4.0b2.tar.gz

Version 1.3.12 of OpenDNSSEC has now been released:

Bugfixes:

• SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a directory in the default search path of the complier).
• OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on the OpenDNSSEC implementation of strlcpy/cat

Download the tarball from: opendnssec-1.3.12.tar.gz

(Please note that the distribution site has now moved to http://dist.opendnssec.org/source/)

Version 1.3.4 of SoftHSM has now been released.

• SOFTHSM-28: Support RSASSA-PSS signature scheme. (Patch from Aleksander Trofimowicz)
• SOFTHSM-29: The default location of the token database is now $localstatedir/lib/softhsm/

Download the tarball from: softhsm-1.3.4.tar.gz

Version 1.3.11 of OpenDNSSEC has now been released:

Updates:

• OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.

Bugfixes:

• OPENDNSSEC-306: Cant delete zone until Enforcer made signerconf.
• OPENDNSSEC-281: Commandhandler sometimes unresponsive.
• OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import
• OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning
• OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
• OPENDNSSEC-342: Auditor comparisons made case-insensitive
• OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process

Download the tarball from: opendnssec-1.3.11.tar.gz

Version 1.4.0b1 of OpenDNSSEC has now been released. This version is recommended for testing only, not for use in production environments.

Updates:

• OPENDNSSEC-130: libhsm: The PIN is now optional in conf.xml. The PIN can be entered using “ods-hsmutil login” and is stored in shared memory. The daemons will not start until this has been donr by the user.
• OPENDNSSEC-297: Enforcer: Multi-threaded option available for the enforcer to improve performance (MySQL only).
• OPENDNSSEC-320: Signer Engine: The <ProvideTransfer>, <Notify>, <AllowNotify> and <RequestTransfer> elements are now optional, but if provided they require one or more <Peer> or <Remote> elements.

Bugfixes:

• OPENDNSSEC-255: Signer Engine: OpenDNSSEC 1.4.0a1 writes out mangled RRSIG record.
• OPENDNSSEC-261: Signer Engine: Ldns fails to parse RR that seems syntactically correct.
• OPENDNSSEC-269: Signer Engine: Crash when multiple threads access ixfr struct.
• OPENDNSSEC-281: Commandhandler sometimes unresponsive.
• OPENDNSSEC-318: Signer Engine: Don’t stop dns and xfr handlers if these threads have not yet been started.
• OPENDNSSEC-319: Signer Engine: Fix TSIG segfault on signer shutdown.
• OPENDNSSEC-325: Signer Engine: Don’t include RRSIG records when DO bit is not set.
• OPENDNSSEC-326: Signer Engine: Stop serving a zone that could not be transferred from master and has been expired.

Documentation:

• OpenDNSSEC V1.4 Documentation

Download the tarball from: opendnssec-1.4.0b1.tar.gz

Version 1.3.10 of OpenDNSSEC has now been released:

Bugfixes:

• SUPPORT-30: RRSIGs are left in the signed zone when authoritative RRsets become glue [OPENDNSSEC-282].
• OPENDNSSEC-261: Ldns fails to parse RR that seems syntactically correct. Was due to memory allocation issues. Provided better log message.
• OPENDNSSEC-285: Signer segfault for 6 or more -v options
• OPENDNSSEC-298: Only unlink existing pidfile on exit if we wrote it.
• OPENDNSSEC-303: Return if open/parse of zonelist.xml fails in ksmutil.c update_zones() and cmd_listzone().
• OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists and corresponding process is running, then complain and exit.
• Signer seems to hang on a ods-signer command. Shutdown client explicitly with shutdown().
• opendnssec.spec file removed

Download the tarball from: opendnssec-1.3.10.tar.gz

Version 1.4.0a3 of OpenDNSSEC has now been released. This version is recommended for testing only, not for use in production environments.

Updates:

• OPENDNSSEC-258: Optionally include cka_id in output to DelegationSignerSubmitCommand.

Bugfixes:

• SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as dead (rather than actually removing them). Leave the key removal to purge jobs.
• SUPPORT-29: Signer Engine: Fix ods-signer clear <zone> command exits prematurely [OPENDNSSEC-289].
• SUPPORT-30: Signer Engine: RRSIGs are left in the signed zone when authoritative RRsets become glue [OPENDNSSEC-282].
• OPENDNSSEC-278: ods-ksmutil processes waiting forever to get DB lock
• OPENDNSSEC-290: Signer Engine: Fix false conflict when changing CNAME into other RRtype.
• OPENDNSSEC-298: Enforcer: Only unlink existing pidfile on exit if we wrote it.
• OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists and corresponding process is running, then complain and exit.
• OPENDNSSEC-306: Can’t delete zone until Enforcer made signconf.
• Fix assertion error when printing signed zone with empty non-terminals and NSEC.
• Make setting QUERY ID in XFR requests more random.

The documentation for the new DNS adapters can be found here:
DOCSTRUNK/conf.xml
DOCSTRUNK/zonelist.xml
DOCSTRUNK/addns.xml

Download the tarball from: opendnssec-1.4.0a3.tar.gz