Archive for the ‘Uncategorized’ Category
OpenDNSSEC 2.1.14
Version 2.1.14 of OpenDNSSEC has been released on 2024-08-22.
News
This is a maintenance release that fixes some bugs and adds robustness for HSM outages. Apart from a minor fix to the backup keys command and export keys, it solves an issue where keys were not published soon enough in special cases in combination with the <SharedKeys> directive. If you use shared keys, you must update, but updating is a good idea anyway.
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.14.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.14.tar.gz.sig
- Checksum SHA256: 5a68d62ea0ea3a6c61e9f4946f462c7b907fbe6bccc9e8a721b7fe0f906f95d0
OpenDNSSEC 2.1.13
Version 2.1.13 of OpenDNSSEC has been released on 2023-06-26.
News
This release fixes a bug that affects both signer and enforcer command
line handling. Under heavy usage of the command line there was a small
chance of a crash.
Furthermore there is a small behavioural change for users of the “keep”
policy. The back-off for retrying a sign task change is now equal to
the resign period in case the input file isn’t available or updated.
This is because users nearly always will emit an external sign command for
this period. This will reduce logging errors.
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.13.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.13.tar.gz.sig
- Checksum SHA256: 50d7b9b0ccfc6a502784606ca4e5c03680fcf6425fb3947f45d8809ea8503e59
- RPM for RHEL/CentOS, deb and tgz packages will be provided at the same download location.
OpenDNSSEC 2.1.12
Version 2.1.12 of OpenDNSSEC has been released on 2022-11-08.
News
This is a maintenance release of OpenDNSSEC addressing additional issues relating to the previous bug-fix release. Installations that use shared keys or want to use salt lengths of zero must use this release. Other installations will also benefit from better reporting in case of issues.
RPM for RHEL/CentOS, deb and tgz packages will be provided at the same download location.
Issues
- Ensure debug symbols on RPM-style builds;
- Bug fix that prevented restoring state from when salt length was zero;
- Bug fix for enforcer daemon crash after deleting key on some systems.
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.12.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.12.tar.gz.sig
- Checksum SHA256: 50d7b9b0ccfc6a502784606ca4e5c03680fcf6425fb3947f45d8809ea8503e59
- RPMs for RHEL/CentOS and Debian package
OpenDNSSEC 2.1.11
Version 2.1.11 of OpenDNSSEC has been released on 2022-10-17.
News
This is a maintenance release of OpenDNSSEC addressing a number of different issues. Installations that use shared keys should especially migrate to this version. Installations that want to migrate to an NSEC3 salt of length 0 will also benefit (this applies to migration-to only).
RPM for RHEL/CentOS, deb and tgz packages will be provided at the same download location.
Issues
- Fixed improper re-use of already used keys when using
as a consequence of previous bug in 2.1.6;
- Improved reporting upon aborts of daemon process;
- Fix for migration to salt of length 0;
- Fix for empty IXFR cases;
- Degraded log message key_update_failed because this action is retried.
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.11.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.11.tar.gz.sig
- Checksum SHA256: 7dd7e305f74d877586e8bb25c4e3f8069472c6a195fc33a5d9e6f8499154d453
- RPMs for RHEL/CentOS and Debian package (to be provided)
OpenDNSSEC 2.1.10
Version 2.1.10 of OpenDNSSEC has been released on 2021-09-10.
News
This release addresses an automatic re-salting after a migration from 1.4
and an error manifesting as a key_data_update failure in the logs where
a retired key wasn’t removed from the signer configuration in time in
certain circumstances.
Also an RPM is now provided for RHEL/CentOS distros at the same download
location.
Issues
- OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys being (transiently) unavailable.
- OPENDNSSEC-956: Harden signing procedure to still sign zones for which there are unused keys specified in the zone which are unavailable.
- OPENDNSSEC-957: Fix exit code signer daemon to not always report failure.
- OPENDNSSEC-958: Fix immediate resalting after migration from 1.4.
- OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration count that is deemed too high.
- SUPPORT-265: Resolve conflict when deleting keys from HSM whilst also performing step in key roll process. Typically a message “key_data_update failed” is present in logs.
- Provided RedHat/CentOS spec file in contrib directory.
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.10.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.10.tar.gz.sig
- Checksum SHA256: c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756
- RPMs for RHEL/CentOS
OpenDNSSEC 2.1.9
Version 2.1.9 of OpenDNSSEC has been released on 2021-05-03.
News
This release contains two changes that avoid some problems with certain HSM configurations, one of which is SoftHSMv2 in database back-end mode.
These problems can lead to temporarily not being able to sign zones, hence upgrading is really recommended.
They do not occur on all systems and configurations though.
Issues
- OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys being (transiently) unavailable.
- OPENDNSSEC-956: Harden signing procedure to still sign zones for which there are unused keys specified in the zone which are unavailable.
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.9.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.9.tar.gz.sig
- Checksum SHA256: 6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5
OpenDNSSEC 2.1.8
Version 2.1.8 of OpenDNSSEC has been released on 2020-02-20.
News
This release of 2.1.8 fixes a number of bugs related to the purging of keys, a potential denial of service vulnerability in some installations, and a few rarer but nasty potential crashes. Earlier versions of OpenDNSSEC 2.1 might not have all keys purged from the HSM if instructed to do so. Since this is now done automatically, it is worth pointing out that this was a bug and that old keys will be permanently removed from the HSM.
Either when manually purging keys, or having
specified ain your key policy (kasp.xml), the keys are supposed
to be removed from the HSM. However, for some time, the keys were marked
for deletion, and became invisible, but the removal from the HSM was
skipped. In this release candidate this is fixed, but still allowing
keys not to be removed entirely. When you specify an automatic purge
then the keys will, after the specified period, be completely
removed. When you purge manually, keys are not removed from the HSM
unless you specify an additional flag (the --delete or -d flag).
Special thanks to the people that help us in making OpenDNSSEC better
and better, mentioned in the NEWS file as always. Two of the bugs
were only traceable using this help.
The 2.1.8 release is available immediately from the download site.
Issues
- OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for version 2.69/1.16.2.
- SUPPORT-261: Fix to crash when using ods-enforcer set-policy command.
- OPENDNSSEC-953: Fix to crash in case zone file not present while getting a signconf update and state flush command. Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
- OPENDNSSEC-951: Modify the purging of keys, to make it automatic to purge keys from the HSM. Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
- OPENDNSSEC-950: Fix that caused crash when signer was offline for a prolonged period (but the enforcer wasn’t) in the middle of a ZSK roll.
- OPENDNSSEC-952: Memory leak when receiving NOTIFY for non-existent zone (Thanks to Sébastien Tisserant for reporting).
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.8.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.8.tar.gz.sig
- Checksum SHA256: 900a213103ff19a405e446327fbfcea9ec13e405283d87b6ffc24a10d9a268f5
OpenDNSSEC 2.1.7
Version 2.1.7 of OpenDNSSEC has been released on 2020-10-05.
News
This release of 2.1.7 fixes a bug in the migration script to migrate from 1.4 to 2.1. Additionally, a bug in creating unnecessary signatures during a ZSK roll was fixed. We also had some contributions regarding Edwards curves and exporting keys by CKA identifier, and other corrections and improvements; see the full list below.
The 2.1.7 release is available immediately from the download site.
Issues
- OPENDNSSEC-949: Fix for migration bug not keeping proper parameters of NSEC3 signed zones. Amongst others the zone becomes NSEC. Loading the policies fixes the situation, migration scripts now corrected. Since 1.4 does not require a salt, a resalt might be automatic after migrating, as this is a required parameter.
- OPENDNSSEC-948: Do not recreate signatures for keys that are moving out; this fixes unexpected double signatures in the zone.
- SUPPORT-253: Incorrect keytag used when using Combined Signing keys (CSK) (Thanks to Simon Arlott)
- SUPPORT-257: Export keys by locator (Thanks to Simon Arlott)
- SUPPORT-222: Support ED25519/ED448 keys. This requires library ldns 1.7.0 or better, otherwise unavailable. (Thanks again to Simon Arlott)
- Load libsqlite3.so.0 and fall back on libsqlite3.so.0 to allow to run migration tool on systems without libsqlite3.so.0 soft link. (Thanks to Paul Wouters)
- Some compilation warnings, among others gcc10 related, code quality and initialization improvements. (Thanks to Jonas Berlin, and Mathieu MirMont, and Paul Wouters)
Download
- https://dist.opendnssec.org/source/opendnssec-2.1.7.tar.gz
- https://dist.opendnssec.org/source/opendnssec-2.1.7.tar.gz.sig
- Checksum SHA256: 4cf3a797b8ff9fb0c02432187ef22adeb03d007074d70ec2b48b18ae6c1d09a4
SoftHSM 2.6.1
SoftHSM version 2.6.1 was released on 2020-04-29.
Issues:
- Issue #542: Support Ed448/X448 for OpenSSL.
- Issue #538: Improved warning and compilation issues for GCC10
- Issue #527: Fixed compilation issues for MacOS 10.15.4/Xcode 11.4
Download:
- softhsm-2.6.1.tar.gz
- softhsm-2.6.1.tar.gz.sig
- Checksum SHA256: 61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2
SoftHSM 2.6.0
SoftHSM version 2.6.0 was released on March 17. This is mostly a continued development of SoftHSMv2, and thus should replace the 2.5 branch to receive any patches.
Even though this is a continuation of the development, we should point out that we have upgraded the optional dependency on Botan to version 2. Other fixes and improvements should not influence existing functionality. For a more complete list of improvements see below and the NEWS file inside the package.
No migration, configuration changes or path changes are necessary and the build configuration should not need changing.
Improvements:
- Issue #493: Upgrade to Botan 2.
- Issue #530: Update appveyor build.
- Issue #438: Detect crypto algorithms by default. (Patch from Alon Bar-Lev)
- Issue #455: Provide a new configuration option to allow enabling and disabling various mechanisms (slots.mechanisms in the softhsm2.conf). (Thanks to Jakub Jelen)
- Issue #479: Increase SQLite busy timeout from 15 seconds to 3 minutes. (Patch from Jan Luebbe)
- Issue #513: Add configuration option to reset state on fork closing all sessions rather than keeping all sessions open in duplicate process. (Thanks to Anderson Toshiyuki Sasaki)
- Issue #500: C_WaitForSlotEvent implementation. (Patch from massey101)
- Issue #445: Add wrap support with CKM_AES_CBC.
Bugfixes:
- Issue #418: Set fields to NULL to avoid double free. (Patch from Brian J Murray)
- Issue #423: ENGINE_load_rdrand is not supported with older openssl. (Patch from Alon Bar-Lev)
- Issue #429: Updated prerequisite to build from repository. (Patch from Dharmesh Khandelwal)
- Issue #434: Fix build issues with CMake. (Patch from Peter Wu)
- Issue #435: Fix botan build without EDDSA. (Patch from Peter Wu)
- Issue #442: Release resources from OSSLEVPSymmetricAlgorithm. (Patch from Petr Menšík)
- Issue #449/#502: Do not copy zero sized buffer to avoid null pointer reference. (Patch from space88man)
- Issue #464: Race condition with multiple threads closing last session and opening newer sessions. (Patch from Takarth)
- Issue #452: Fixes to automake build for undefined macros.
- Issue #462: User PIN count wrongly calculated. (Patch from Ondřej Hlavatý)
- Issue #516: Fix memory leak in OSSLCryptoFactory. (Patch from Anderson Sasaki)
- Issue #494: Allow null pointers as arguments when count is zero. (Patch from Yunjong Jeong)
- Issue #518: Sporadic problem in closing sessions because of lookup of object without prior locking.
- Issue #506: Check key type for C_EncryptInit and C_DecryptInit. (Patch from Yunjong Jeong)
- Issue #526: Adjust EDDSA code to return valid EC_PARAMS. (Patch from Jakub Jelen)
- Issue #452: Autogen failure on undefined macro AC_MSG_ERROR.
- Issue #527: Fixed some build errors for GCC 10.
- Issue #470: Null pointer arguments validation for C_EncryptFinal, etc.
Download:
- softhsm-2.6.0.tar.gz
- softhsm-2.6.0.tar.gz.sig
- Checksum SHA256: 19c2500f22c547b69d314fda55a91c40b0d2a9c269496a5da5d32ae1b835d6d1