xref: /freebsd/contrib/ldns/Changelog (revision af23369a6deaaeb612ab266eb88b8bb8d560c322)
11.7.0	2016-12-20
2	* Fix lookup of relative names in ldns_resolver_search.
3	* bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt
4	* Follow CNAME's when tracing with drill (TODO dnssec trace)
5	* Fix #551 change Regent to Copyright holder in BSD license in
6	  some of the headings of the file, to match the opensource.org
7	  BSD license.
8	* -e option makes ldns-compare-zones exit with status code 2 on difference
9	* Filter out specified RR types with ldns-read-zone -e and -E options
10	* bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch.
11	* bugfix #562: ldns-keygen match DSA key maximum size with library.
12	  And check keysizes with all algorithms. Thanks Peter Koch.
13	* ldns-verify-zone accepts only one single zonefile as argument.
14	* bugfix #573: ldns-keygen write private keys with mode 0600.
15	  Thanks Leon Weber
16	* Fix configure to make ldns compile with LibreSSL 2.0
17	* drill now also accepts dig style -y option
18	  (-y <[algo:]name:key> i.s.o. -y <name:key[:algo]>)
19	* OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey
20	* bugfix #608: Correct comment about escaped characters
21	* CDS and CDNSKEY rr type from RFC 7344.
22	  --enable-rrtype-cds configure option removed
23	* fix: Memory leak in ldns_pkt_rr_list_by_name()
24	  Thanks Johannes Naab
25	* fix: Memory leak in ldns_dname2buffer_wire_compress()
26	  Thanks Max Liebkies
27	* bugfix #613: Allow tab as whitespace too in last rdata field of types
28	  of variable length.  Thanks Xiali Yan
29	* bugfix: strip trailing whitespace from $ORIGIN lines in zone files
30	* Let ldns-keygen output .ds files only for KSK keys
31	* Parse RFC7218 TLSA mnemonics, but do not output them
32	* Let ldns-dane use SPKI as the default selector i.s.o. Cert
33	* bugfix: Fit left over NSEC3s once more before adding empty non
34	  terminals.  Thanks Stuart Browne
35	* bugfix #605: Determine default trust anchor location at compile time
36	  Thanks Peter Koch
37	* bugfix #697: Double free with ldns-dane create
38	  Thanks Carsten Strotmann
39	* bugfix #623: Do not redefine bool type and boolean values
40	  Thanks Jakob Petsovits
41	* bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx
42	  Thanks Shussain
43	* bugfix #575: ldns_pkt_clone() does not copy timestamp field
44	  Thanks Calle Dybedahl
45	* bugfix #584: ldns-update fixes.  Send update to port 53, bring manpage
46	  in sync with the usage text, and don't alter the ldns_resolver passed
47	  to ldns_update_soa_zone_mname().  Created a ldns_resolver_clone()
48	  function in the process.  Thanks Nicholas Riley.
49	* bugfix #633: ldns_pkt_clone() parameter isn't const.
50	  Thanks Jakop Petsovits
51	* bugfix: ldns-dane manpage correction
52	  Thanks Erwin Lansing
53	* Spelling fixes.  Thanks Andreas Schulze
54	* Hyphen used as minus in manpages.  Thanks Andreas Schulze.
55	* RFC7553 RR Type URI is supported by default.
56	* Fix ECDSA signature generation, do not omit leading zeroes.
57	* bugfix: Get rid of superfluous newline in ldns-keyfetcher
58	  Thanks Jan-Piet Mens
59	* bugfix: -U option to ldns-signzone to sign with every algorithm
60	  Thanks Guido Kroon
61	* const function parameters whenever possible.
62	  Thanks Ray Bellis
63	* bugfix #725: allow RR-types on the type bitmap window border
64	  Thanks Pieter Lexis
65	* bugfix #726: 2 typos in drill manpage.
66	  Thanks Hugo Lombard
67	* Add type CSYNC support, RFC 7477.
68	* Prepare for ED25519, ED448 support: todo convert* routines in
69	  dnssec.h, once openssl has support for signing with these algorithms.
70	  The dns algorithm number is not yet allocated. These features are
71	  not fully implemented yet, openssl (1.1) does not support the
72	  algorithms enough to generate keys and sign and verify with them.
73	* Fix _answerfrom comment in ldns_struct_pkt.
74	* Fix drill axfr ipv4/ipv6 queries.
75	* Fix comment referring to mk_query in packet.h to pkt_query_new.
76	* Fix description of QR flag in packet.h.
77	* Fix for openssl 1.1.0 API changes.
78	* Remove commented out macro.  Thanks Thiago Farina
79	* bugfix #641: Include install-sh in .gitignore
80	* bugfix #825: Module import breaks with newer SWIG versions.
81	  Thanks Christoph Egger
82	* bugfix #796 - #792: Fix miscellaneous compiler warning issues.
83	  Thanks Ngie Cooper
84	* bugfix #769: Add support for :: in an IPv6 address
85	  Thanks Hajimu UMEMOTO
86	* bugfix #760: Detect superfluous text in presentation format
87	  Thanks Xiali Yan
88	* bugfix #708: warnings and errors with xcode 6.1/7.0
89	* bugfix #754: Memory leak in ldns_str2rdf_ipseckey
90	  Thanks Xiali Yan
91	* bugfix #661: Fail NSEC3 signing when NSEC domainname length
92	  would overflow.  Thanks Jan-Piet Mens.
93	* bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
94	  Thanks Harald Jenny
95	* bugfix #680: ldns fails to reject invalidly formatted
96	  RFC 7553 URI RRs.  Thanks Robert Edmonds
97	* bugfix #678: Use poll i.s.o. select to support > 1024 fds
98	  Thanks William King
99	* Use OpenSSL DANE functions for verification (unless explicitly
100	  disabled with --disable-dane-ta-usage).
101	* Bumb .so version
102	* Include OPENPGPKEY RR type by default
103	* rdata processing for SMIMEA RR type
104	* Fix crash in displaying TLSA RR's.
105	  Thanks Andreas Schulze
106	* Update ldns-key2ds man page to mention GOST and SHA384 hash
107	  functions.  Thanks Harald Jenny
108	* Add sha384 and sha512 tsig algorithm. Thanks Michael Weiser
109	* Clarify data ownership with consts for tsig parameters.
110	  Thanks Michael Weiser
111	* bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0
112	* bugfix #1160: Provide sha256 for release tarballs
113	* --enable-gost-anyway compiles GOST support with OpenSSL >= 1.1.0
114	  even when the GOST engine is not available.
115
1161.6.17	2014-01-10
117	* Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
118	  zone to be an NSEC3 (or its RRSIG) covering an empty non terminal.
119	* Add --disable-dane option to configure and check availability of the
120	  for dane needed X509_check_ca function in openssl.
121	* bugfix #490: Get rid of type-punned pointer warnings.
122	  Thanks Adam Tkac.
123	* Make sure executables are linked against libcrypto with the
124	  LIBSSL_LDFLAGS. Thanks Leo Baltus.
125	* Miscellaneous prototype fixes. Thanks Dag-Erling Smørgrav.
126	* README now shows preferred way to configure for examples and drill.
127	* Bind to source address for resolvers. drill binds to source with -I.
128	  Thanks Bryan Duff.
129	* -T option for ldns-dane that has specific exit status for PKIX
130	  validated connections without (secure) TLSA records.
131	* Fix b{32,64}_{ntop,pton} detection and handling.
132	* New RR type TKEY, but without operational practice.
133	* New RR types HIP, NINFO, RKEY, CDS, EUI48, EUI64, URI, CAA and TA.
134	* New output format flag (and accompanying functions) to print certain
135	  RR's as unknown type
136	* -u and -U parameter for ldns-read-zone to mark/unmark a RR type
137	  for printing as unknown type
138	* bugfix #504: GPOS RR has three rdata fields. Thanks Jelte Jansen.
139	* bugfix #497: Properly test for EOF when reading key files with drill.
140	* New functions: ldns_pkt_ixfr_request_new and
141	  ldns_pkt_ixfr_request_new_frm_str.
142	* Use SNI with ldns-dane
143	* bugfix #507: ldnsx Fix use of non-existent variables and not
144	  properly referring to instance variable.  Patch from shussain.
145	* bugfix #508: ldnsx Adding NSEC3PARAM to known/allowable RR type
146	  dictionary.  Patch from shussain.
147	* bugfix #517: ldns_resolver_new_frm_fp error when invoked using a NULL
148	  file pointer.
149	* Fix memory leak in contrib/python: ldns_pkt.new_query.
150	* Fix buffer overflow in fget_token and bget_token.
151	* ldns-verify-zone NSEC3 checking from quadratic to linear performance.
152	  Thanks NIC MX (nicmexico.mx)
153	* ldns-dane setup new ssl session for each new connect to prevent hangs
154	* bugfix #521: drill trace continue on empty non-terminals with NSEC3
155	* bugfix #525: Fix documentation of ldns_resolver_set_retry
156	* Remove unused LDNS_RDF_TYPE_TSIG and associated functions.
157	* Fix ldns_nsec_covers_name for zones with an apex only. Thanks Miek.
158	* Configure option to build perl bindings: --with-p5-dns-ldns
159	  (DNS::LDNS is a contribution from Erik Ostlyngen)
160	* bugfix #527: Move -lssl before -lcrypto when linking
161	* Optimize TSIG digest function name comparison (Thanks Marc Buijsman)
162	* Compare names case insensitive with ldns_pkt_rr_list_by_name and
163	  ldns_pkt_rr_list_by_name_and_type (thanks Johannes Naab)
164	* A separate --enable for each draft RR type: --enable-rrtype-ninfo,
165	  --enable-rrtype-rkey, --enable-rrtype-cds, --enable-rrtype-uri and
166	  --enable-rrtype-ta
167	* bugfix #530: Don't sign and verify duplicate RRs (Thanks Jelte Jansen)
168	* bugfix #505: Manpage and usage output fixes (Thanks Tomas Hozza)
169	* Adjust ldns_sha1() so that the input data is not modified (Thanks
170	  Marc Buijsman)
171	* Messages to stderr are now off by default and can be reenabled with
172	  the --enable-stderr-msgs configure option.
173
1741.6.16	2012-11-13
175	* Fix Makefile to build pyldns with BSD make
176	* Fix typo in exporting b32_* symbols to make pyldns load again
177	* Allow leaving the RR owner name empty in ldns-testns datafiles.
178	* Fix fail to create NSEC3 bitmap for empty non-terminal (bug
179	  introduced in 1.6.14).
180
1811.6.15	2012-10-25
182	* Remove LDNS_STATUS_EXISTS_ERR from ldns/error.h to make ldns
183	  binary compatible with earlier releases again.
184
1851.6.14	2012-10-23
186	* DANE support (RFC6698), including ldns-dane example tool.
187	* Configurable default CA certificate repository for ldns-dane with
188	  --with-ca-file=CAFILE and --with-ca-path=CAPATH
189	* Configurable default trust anchor with --with-trust-anchor=FILE
190	  for drill, ldns-verify-zone and ldns-dane
191	* bugfix #474: Define socklen_t when undefined (like in Win32)
192	* bugfix #473: Dead code removal and resource leak fix in drill
193	* bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too.
194	* Various bugfixes from code reviews from CZ.NIC and Paul Wouters
195	* ldns-notify TSIG option argument checking
196	* Let ldns_resolver_nameservers_randomize keep nameservers and rtt's
197	  in sync.
198	* Let ldns_pkt_push_rr now return false on (memory) errors.
199	* Make buffer_export comply to documentation and fix buffer2str
200	* Various improvements and fixes of pyldns from Katel Slany
201	  now documented in their own Changelog.
202	* bugfix: Make ldns_resolver_pop_nameserver clear the array when
203	  there was only one.
204	* bugfix #459: Remove ldns_symbols and export symbols based on regex
205	* bugfix #458: Track all newly created signatures when signing.
206	* bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given.
207	* bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm.
208	* pyldns memory handling fixes and the python3/ldns-signzone.py
209	  examples script contribution from Karel Slany.
210	* bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed
211	  to be bigger (or equal) P in ldns_key_dsa2bin.
212	* bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new.
213	* bugfix #448: Copy nameserver value (in stead of reference) of the
214	  answering nameserver to the answer packet in ldns_send_buffer, so
215	  the original value may be deep freed with the ldns_resolver struct.
216	* New -0 option for ldns-read-zone to replace inception, expiration
217	  and signature rdata fields with (null). Thanks Paul Wouters.
218	* New -p option for ldns-read-zone to prepend-pad SOA serial to take
219	  up ten characters.
220	* Return error if printing RR fails due to unknown/null RDATA.
221
2221.6.13	2012-05-21
223	* New -S option for ldns-verify-zone to chase signatures online.
224	* New -k option for ldns-verify-zone to validate using a trusted key.
225	* New inception and expiration margin options (-i and -e) to
226	  ldns-verify-zone.
227	* New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l
228	  functions.
229	* New ldns_duration* functions (copied from OpenDNSSEC source)
230	* fix ldns-verify-zone to allow NSEC3 signatures to come before
231	  the NSEC3 RR in all cases. Thanks Wolfgang Nagele.
232	* Zero the correct flag (opt-out) when creating NSEC3PARAMS.
233	  Thanks Peter van Dijk.
234	* Canonicalize RRSIG's Signer's name too when validating, because
235	  bind and unbound do that too. Thanks Peter van Dijk.
236	* bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label
237	* bugfix #432: Use LDNS_MALLOC & LDNS_FREE i.s.o. malloc & free
238	* bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT
239	* bugfix #427: Explicitely link ssl with the programs that use it.
240	* Fix reading \DDD: Error on values that are outside range (>255).
241	* bugfix #429: fix doxyparse.pl fails on NetBSD because specified
242	  path to perl.
243	* New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
244	* fix verifying denial of existence for DS's in NSEC3 Opt-Out zones.
245	  Thanks John Barnitz
246
2471.6.12	2012-01-11
248	* bugfix #413: Fix manpage source for srcdir != builddir
249	* Canonicalize the signers name rdata field in RRSIGs when signing
250	* Ignore minor version of Private-key-format (so v1.3 may be used)
251	* Allow a check_time to be given in stead of always checking against
252	  the current time. With ldns-verify-zone the check_time can be set
253	  with the -t option.
254	* Added functions for updating and manipulating SOA serial numbers.
255	  ldns-read-zone has an option -S for updating and manipulating the
256	  serial numbers.
257	* The library Makefile is now GNU and BSD make compatible.
258	* bugfix #419: NSEC3 validation of a name covered by a wildcard with
259	  no data.
260	* Two new options (--with-drill and --with-examples) to the main
261	  configure script (in the root of the source tree) to build drill
262	  and examples too.
263	* Fix days_since_epoch to year_yday calculation on 32bits systems.
264
2651.6.11	2011-09-29
266	* bugfix #394: Fix socket leak on errors
267	* bugfix #392: Apex only and percentage checks for ldns-verify-zone
268	  (thanks Miek Gieben)
269	* bugfix #398: Allow NSEC RRSIGs before the NSEC3 in ldns-verify-zone
270	* Fix python site package path from sitelib to sitearch for pyldns.
271	* Fix python api to support python2 and python3 (thanks Karel Slany).
272	* bugfix #401: Correction of date/time functions algorithm and
273	  prevention of an infinite loop therein
274	* bugfix #402: Correct the minimum and maximum number of rdata fields
275	  in TSIG. (thanks David Keeler)
276	* bugfix #403: Fix heap overflow (thanks David Keeler)
277	* bugfix #404: Make parsing APL strings more robust
278	  (thanks David Keeler)
279	* bugfix #391: Complete library assessment to prevent assertion errors
280	  through ldns_rdf_size usage.
281	* Slightly more specific error messaging on wrong number of rdata
282	  fields with the LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG and
283	  LDNS_STATUS_MISSING_RDATA_FIELDS_KEY result codes.
284	* bugfix #406: More rigorous openssl result code handling to prevent
285	  future crashes within openssl.
286	* Fix ldns_fetch_valid_domain_keys to search deeper than just one level
287	  for a DNSKEY that signed a DS RR. (this function was used in the
288	  check_dnssec_trace nagios module)
289	* bugfix #407: Canonicalize TSIG dnames and algorithm fields
290	* A new output specifier to accommodate configuration of what to show
291	  in comment texts when converting host and/or wire-format data to
292	  string. All conversion to string and printing functions have a new
293	  version that have such a format specifier as an extra argument.
294	  The default is changed so that only DNSKEY RR's are annotated with
295	  an comment show the Key Tag of the DNSKEY.
296	* Fixed the ldns resolver to not mark a nameserver unreachable when
297	  edns0 is tried unsuccessfully with size 4096 (no return packet came),
298	  but to still try TCP. A big UDP packet might have been corrupted by
299	  fragments dropping firewalls.
300	* Update of libdns.vim (thanks Miek Gieben)
301	* Added the ldnsx Python module to our contrib section, which adds even
302	  more pythonisticism to the usage of ldns with  Python. (Many thanks
303	  to Christpher Olah and Paul Wouters)
304	  The ldnsx module is automatically installed when --with-pyldns is
305	  used with configuring, but may explicitly be excluded with the
306	  --without-pyldnsx option to configure.
307	* bugfix #410: Fix clearing out temporary data on stack in sha2.c
308	* bugfix #411: Don't let empty non-terminal NSEC3s cause assertion failure.
309
3101.6.10	2011-05-31
311	* New example tool added: ldns-gen-zone.
312	* bugfix #359: Serial-arithmetic for the inception and expiration
313	  fields of a RRSIG and correctly converting them to broken-out time
314	  information.
315	* bugfix #364: Slight performance increase of ldns-verifyzone.
316	* bugfix #367: Fix to allow glue records with the same name as the
317	  delegation.
318	* Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and*
319	  glue when the zone is opt-out.
320	* bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations,
321	  ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too.
322	* pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit
323	  performance)
324	* Better handling of reference variables in ldns_rr_new_frm_fp_l from
325	  pyldns, with a very nice generator function by Bedrich Kosata.
326	* Decoupling of the rdfs in rrs in the python wrappers to enable
327	  the python garbage collector by Bedrich Kosata.
328	* bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at
329	  build time and when used.
330	* bugfix #383: Fix detection of empty nonterminals of multiple labels.
331	* Fixed the ommission of rrsets in nsec(3)s and rrsigs to all occluded
332	  names (in stead of just the ones that contain glue only) and all
333	  occluded records on the delegation points (in stead of just the glue).
334	* Clarify the operation of ldns_dnssec_mark_glue and the usage of
335	  ldns_dnssec_node_next_nonglue functions in the documentation.
336	* Added function ldns_dnssec_mark_and_get_glue as an real fast
337	  alternative for ldns_zone_glue_rr_list.
338	* Fix parse buffer overflow for max length domain names.
339	* Fix Makefile for U in environment, since wrong U is more common than
340	  deansification necessity.
341
3421.6.9	2011-03-16
343	* Fix creating NSEC(3) bitmaps: make array size 65536,
344	  don't add doubles.
345	* Fix printout of escaped binary in TXT records.
346	* Parsing TXT records: don't skip starting whitespace that is quoted.
347	* bugfix #358: Check if memory was successfully allocated in
348	  ldns_rdf2str().
349	* Added more memory allocation checks in host2str.c
350	* python wrapper for ldns_fetch_valid_domain_keys by Bedrich Kosata.
351	* fix to compile python wrapper with swig 2.0.2.
352	* Don't fallback to SHA-1 when creating NSEC3 hash with another
353	  algorithm identifier, fail instead (no other algorithm identifiers
354	  are assigned yet).
355
3561.6.8	2011-01-24
357	* Fix ldns zone, so that $TTL definition match RFC 2308.
358	* Fix lots of missing checks on allocation failures and parse of
359	  NSEC with many types and max parse length in hosts_frm_fp routine
360	  and off by one in read_anchor_file routine (thanks Dan Kaminsky and
361	  Justin Ferguson).
362	* bugfix #335: Drill: Print both SHA-1 and SHA-256 corresponding DS
363	  records.
364	* Print correct WHEN in query packet (is not always 1-1-1970)
365	* ldns-test-edns: new example tool that detects EDNS support.
366	* fix ldns_resolver_send without openssl.
367	* bugfix #342: patch for support for more CERT key types (RFC4398).
368	* bugfix #351: fix udp_send hang if UDP checksum error.
369	* fix set_bit (from NSEC3 sign) patch from Jan Komissar.
370
3711.6.7	2010-11-08
372	* EXPERIMENTAL ecdsa implementation, please do not enable on real
373	  servers.
374	* GOST code enabled by default (RFC 5933).
375	* bugfix #326: ignore whitespace between directives and their values.
376	* Header comment to advertise ldns_axfr_complete to check for
377	  successfully completed zone transfers.
378	* read resolv.conf skips interface labels, e.g. %eth0.
379	* Fix drill verify NSEC3 denials.
380	* Use closesocket() on windows.
381	* Add ldns_get_signing_algorithm_by_name that understand aliases,
382	  names changed to RFC names and aliases for compatibility added.
383	* bugfix: don't print final dot if the domain is relative.
384	* bugfix: resolver search continue when packet rcode != NOERROR.
385	* bugfix: resolver push all domains in search directive to list.
386	* bugfix: resolver search by default includes the root domain.
387	* bugfix: tcp read could fail on single octet recv.
388	* bugfix: read of RR in unknown syntax with missing fields.
389	* added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next()
390	  to sign and verify TSIG RRs on subsequent messages
391	  (section 4.4, RFC 2845, thanks to Michael Sheldon).
392	* bugfix: signer sigs nsecs with zsks only.
393	* bugfix #333: fix ldns_dname_absolute for name ending with backslash.
394
3951.6.6	2010-08-09
396	* Fix ldns_rr_clone to copy question rrs properly.
397	* Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone.
398	* Fix ldns_wire2dname size check from reading 1 byte beyond buffer end.
399	* Fix ldns_wire2dname from reading 1 byte beyond end for pointer.
400	* Fix crash using GOST for particular platform configurations.
401	* extern C declarations used in the header file.
402	* Removed debug fprintf from resolver.c.
403	* ldns-signzone checks if public key file is for the right zone.
404	* NETLDNS, .NET port of ldns functionality, by Alex Nicoll, in contrib.
405	* Fix handling of comments in resolv.conf parse.
406	* GOST code enabled if SSL recent, RFC 5933.
407	* bugfix #317: segfault util.c ldns_init_random() fixed.
408	* Fix ldns_tsig_mac_new: allocate enough memory for the hash, fix use of
409	  b64_pton_calculate_size.
410	* Fix ldns_dname_cat: size calculation and handling of realloc().
411	* Fix ldns_rr_pop_rdf: fix handling of realloc().
412	* Fix ldns-signzone for single type key scheme: sign whole zone if there
413	  are only KSKs.
414	* Fix ldns_resolver: also close socket if AXFR failed (if you don't,
415          it would block subsequent transfers (thanks Roland van Rijswijk).
416        * Fix drill: allow for a secure trace if you use DS records as trust
417	  anchors (thanks Jan Komissar).
418
4191.6.5	2010-06-15
420	* Catch \X where X is a digit as an error.
421	* Fix segfault when ip6 ldns resolver only has ip4 servers.
422	* Fix NSEC record after DNSKEY at zone apex not properly signed.
423	* Fix syntax error if last label too long and no dot at end of domain.
424	* Fix parse of \# syntax with space for type LOC.
425	* Fix ldns_dname_absolute for escape sequences, fixes some parse errs.
426	* bugfix #297: linking ssl, bug due to patch submitted as #296.
427	* bugfix #299: added missing declarations to host2str.h
428	* ldns-compare-zones -s to not exclude SOA record from comparison.
429	* --disable-rpath fix
430	* fix ldns_pkt_empty(), reported by Alex Nicoll.
431	* fix ldns_resolver_new_frm_fp not ignore lines after a comment.
432	* python code for ldns_rr.new_question_frm_str()
433	* Fix ldns_dnssec_verify_denial: the signature selection routine.
434	* Type TALINK parsed (draft-ietf-dnsop-trust-history).
435	* bugfix #304: fixed dead loop in ldns_tcp_read_wire() and
436	  ldns_tcp_read_wire_timeout().
437	* GOST support with correct algorithm numbers.  The plan is to make it
438	  enabled if openssl support is detected, but it is disabled by
439	  default in this release because the RFC is not ready.
440	* Fixed comment in rbtree.h about being first member and data ptr.
441	* Fixed possibly leak in case of out of memory in ldns_native2rdf...
442	* ldns_dname_is_wildcard added.
443	* Fixed: signatures over wildcards had the wrong labelcount.
444	* Fixed ldns_verify() inconsistent return values.
445	* Fixed ldns_resolver to copy and free tsig name, data and algorithm.
446	* Fixed ldns_resolver to push search onto searchlist.
447	* A ldns resolver now defaults to a non-recursive resolver that handles
448	  the TC bit.
449	* ldns_resolver_print() prints more details.
450	* Fixed ldns_rdf2buffer_str_time(), which did not print timestamps
451	  on 64bit systems.
452	* Make ldns_resolver_nameservers_randomize() more random.
453	* bugfix #310: POSIX specifies NULL second argument of gettimeofday.
454	* fix compiler warnings from llvm clang compiler.
455	* bugfix #309: ldns_pkt_clone did not clone the tsig_rr.
456	* Fix gentoo ebuild for drill, 'no m4 directory'.
457	* bugfix #313: drill trace on an empty nonterminal continuation.
458
4591.6.4	2010-01-20
460	* Imported pyldns contribution by Zdenek Vasicek and Karel Slany.
461	  Changed its configure and Makefile to fit into ldns.
462	  Added its dname_* methods to the rdf_* class (as is the ldns API).
463	  Changed swig destroy of ldns_buffer class to ldns_buffer_free.
464	  Declared ldns_pkt_all and ldns_pkt_all_noquestion so swig sees them.
465	* Bugfix: parse PTR target of .tomhendrikx.nl with error not crash.
466	* Bugfix: handle escaped characters in TXT rdata.
467	* bug292: no longer crash on malformed domain names where a label is
468	  on position 255, which was a buffer overflow by one.
469	* Fix ldns_get_rr_list_hosts_frm_fp_l (strncpy to strlcpy change),
470	  which fixes resolv.conf reading badly terminated string buffers.
471	* Fix ldns_pkt_set_random_id to be more random, and a little faster,
472	  it did not do value 0 statistically correctly.
473	* Fix ldns_rdf2native_sockaddr_storage to set sockaddr type to zeroes,
474	  for portability.
475	* bug295: nsec3-hash routine no longer case sensitive.
476	* bug298: drill failed nsec3 denial of existence proof.
477
4781.6.3	2009-12-04
479	* Bugfix: allow for unknown resource records in zonefile with rdlen=0.
480	* Bugfix: also mark an RR as question if it comes from the wire
481	* Bugfix: NSEC3 bitmap contained NSEC
482	* Bugfix: Inherit class when creating signatures
483
4841.6.2	2009-11-12
485	* Fix Makefile patch from Havard Eidnes, better install.sh usage.
486	* Fix parse error on SOA serial of 2910532839.
487	  Fix print of ';' and readback of '\;' in names, also for '\\'.
488	  Fix parse of '\(' and '\)' in names.  Also for file read. Also '\.'
489	* Fix signature creation when TTLs are different for RRs in RRset.
490	* bug273: fix so EDNS rdata is included in pkt to wire conversion.
491	* bug274: fix use of c++ keyword 'class' for RR class in the code.
492	* bug275: fix memory leak of packet edns rdata.
493	* Fix timeout procedure for TCP and AXFR on Solaris.
494	* Fix occasional NSEC bitmap bogus
495	* Fix rr comparing (was in reversed order since 1.6.0)
496	* bug278: fix parsing HINFO rdata (and other cases).
497	* Fix previous owner name: also pick up if owner name is @.
498	* RFC5702: enabled sha2 functions by default. This requires OpenSSL 0.9.8 or higher.
499      Reason for this default is the root to be signed with RSASHA256.
500	* Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines
501	* Fix: Make ldns_dname_is_subdomain case insensitive.
502	* Fix ldns-verify-zone so that address records at zone NS set are not considered glue
503		(Or glue records fall below delegation)
504    * Fix LOC RR altitude printing.
505	* Feature: Added period (e.g. '3m6d') support at explicit TTLs.
506    * Feature: DNSKEY rrset by default signed with minimal signatures
507		but -A option for ldns-signzone to sign it with all keys.
508		This makes the DNSKEY responses smaller for signed domains.
509
5101.6.1   2009-09-14
511	* --enable-gost : use the GOST algorithm (experimental).
512	* Added some missing options to drill manpage
513	* Some fixes to --without-ssl option
514	* Fixed quote parsing withing strings
515	* Bitmask fix in EDNS handling
516	* Fixed non-fqdn domain name completion for rdata field domain
517	  names of length 1
518	* Fixed chain validation with SHA256 DS records
519
5201.6.0
521	Additions:
522	* Addition of an ldns-config script which gives cflags and libs
523	  values, for use in configure scripts for applications that use
524	  use ldns. Can be disabled with ./configure --disable-ldns-config
525	* Added direct sha1, sha256, and sha512 support in ldns.
526	  With these functions, all NSEC3 functionality can still be
527	  used, even if ldns is built without OpenSSL. Thanks to OpenBSD,
528	  Steve Reid, and Aaron D. Gifford for the code.
529	* Added reading/writing support for the SPF Resource Record
530	* Base32 functions are now exported
531	Bugfixes:
532	* ldns_is_rrset did not go through the complete rrset, but
533	  only compared the first two records. Thanks to Olafur
534	  Gudmundsson for report and patch
535	* Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(),
536	  thanks to Marius Rieder for finding an patching this.
537	* --without-ssl should now work. Make sure that examples/ and
538	  drill also get the --without-ssl flag on their configure, if
539	  this is used.
540	* Some malloc() return value checks have been added
541	* NSEC3 creation has been improved wrt to empty nonterminals,
542	  and opt-out.
543	* Fixed a bug in the parser when reading large NSEC3 salt
544	  values.
545	* Made the allowed length for domain names on wire
546	  and presentation format the same.
547	Example tools:
548	* ldns-key2ds can now also generate DS records for keys without
549	  the SEP flag
550	* ldns-signzone now equalizes the TTL of the DNSKEY RRset (to
551	  the first non-default DNSKEY TTL value it sees)
552
5531.5.1
554	Example tools:
555	* ldns-signzone was broken in 1.5.0 for multiple keys, this
556	  has been repaired
557
558	Build system:
559	* Removed a small erroneous output warning in
560	  examples/configure and drill/configure
561
5621.5.0
563	Bug fixes:
564	* fixed a possible memory overflow in the RR parser
565	* build flag fix for Sun Studio
566	* fixed a building race condition in the copying of header
567	  files
568	* EDNS0 extended rcode; the correct assembled code number
569	  is now printed (still in the EDNS0 field, though)
570	* ldns_pkt_rr no longer leaks memory (in fact, it no longer
571	  copies anything all)
572
573	API addition:
574	* ldns_key now has support for 'external' data, in which
575	  case the OpenSSL EVP structures are not used;
576	  ldns_key_set_external_key() and ldns_key_external_key()
577	* added ldns_key_get_file_base_name() which creates a
578	  'default' filename base string for key storage, of the
579	  form "K<zone>+<algorithm>+<keytag>"
580	* the ldns_dnssec_* family of structures now have deep_free()
581	  functions, which also free the ldns_rr's contained in them
582	* there is now an ldns_match_wildcard() function, which checks
583	  whether a domain name matches a wildcard name
584	* ldns_sign_public has been split up; this resulted in the
585	  addition of ldns_create_empty_rrsig() and
586	  ldns_sign_public_buffer()
587
588	Examples:
589	* ldns-signzone can now automatically add DNSKEY records when
590	  using an OpenSSL engine, as it already did when using key
591	  files
592	* added new example tool: ldns-nsec3-hash
593	* ldns-dpa can now filter on specific query name and types
594	* ldnsd has fixes for the zone name, a fix for the return
595	  value of recvfrom(), and an memory initialization fix
596	  (Thanks to Colm MacCárthaigh for the patch)
597	* Fixed memory leaks in ldnsd
598
599
600
6011.4.1
602	Bug fixes:
603	* fixed a build issue where ldns lib existence was done too early
604	* removed unnecessary check for pcap.h
605	* NSEC3 optout flag now correctly printed in string output
606	* inttypes.h moved to configured inclusion
607	* fixed NSEC3 type bitmaps for empty nonterminals and unsigned
608	  delegations
609
610	API addition:
611	* for that last fix, we added a new function
612	  ldns_dname_add_from() that can clone parts of a dname
613
6141.4.0
615	Bug fixes:
616	* sig chase return code fix (patch from Rafael Justo, bug id 189)
617	* rdata.c memory leaks on error and allocation checks fixed (patch
618	  from Shane Kerr, bug id 188)
619	* zone.c memory leaks on error and allocation checks fixed (patch
620	from Shane Kerr, bug id 189)
621	* ldns-zplit output and error messages fixed (patch from Shane Kerr,
622	  bug id 190)
623	* Fixed potential buffer overflow in ldns_str2rdf_dname
624	* Signing code no longer signs delegation NS rrsets
625	* Some minor configure/makefile updates
626	* Fixed a bug in the randomness initialization
627	* Fixed a bug in the reading of resolv.conf
628	* Fixed a bug concerning whitespace in zone data (with patch from Ondrej
629	  Sury, bug 213)
630	* Fixed a small fallback problem in axfr client code
631
632	API CHANGES:
633	* added 2str convenience functions:
634		- ldns_rr_type2str
635		- ldns_rr_class2str
636		- ldns_rr_type2buffer_str
637		- ldns_rr_class2buffer_str
638	* buffer2str() is now called ldns_buffer2str
639	* base32 and base64 function names are now also prepended with ldns_
640	* ldns_rr_new_frm_str() now returns an error on missing RDATA fields.
641	  Since you cannot read QUESTION section RRs with this anymore,
642	  there is now a function called ldns_rr_new_question_frm_str()
643
644	LIBRARY FEATURES:
645	* DS RRs string representation now add bubblebabble in a comment
646	  (patch from Jakob Schlyter)
647	* DLV RR type added
648	* TCP fallback system has been improved
649	* HMAC-SHA256 TSIG support has been added.
650	* TTLS are now correcly set in NSEC(3) records when signing zones
651
652	EXAMPLE TOOLS:
653	* New example: ldns-revoke to revoke DNSKEYs according to RFC5011
654	* ldns-testpkts has been fixed and updated
655	* ldns-signzone now has the option to not add the DNSKEY
656	* ldns-signzone now has an (full zone only) opt-out option for
657	                NSEC3
658	* ldns-keygen can create HMAC-SHA1 and HMAC-SHA256 symmetric keys
659	* ldns-walk output has been fixed
660	* ldns-compare-zones has been fixed, and now has an option
661	  to show all differences (-a)
662	* ldns-read-zone now has an option to print DNSSEC records only
663
6641.3
665	Base library:
666
667	* Added a new family of functions based around ldns_dnssec_zone,
668	which is a new structure that keeps a zone sorted through an
669	rbtree and links signatures and NSEC(3) records directly to their
670	RRset. These functions all start with ldns_dnssec_
671
672	* ldns_zone_sign and ldns_zone_sign_nsec3 are now deprecated, but
673	have been changed to internally use the new
674	ldns_dnssec_zone_sign(_nsec3)
675
676	* Moved some ldns_buffer functions inline, so a clean rebuild of
677	applications relying on those is needed (otherwise you'll get
678	linker errors)
679	* ldns_dname_label now returns one extra (zero)
680	byte, so it can be seen as an fqdn.
681	* NSEC3 type code update for signing algorithms.
682	* DSA key generation of DNSKEY RRs fixed (one byte too small).
683
684	* Added support for RSA/SHA256 and RSA/SHA512, as specified in
685	draft-ietf-dnsext-dnssec-rsasha256-04. The typecodes are not
686	final, and this feature is not enabled by default. It can be
687	enabled at compilation time with the flag --with-sha2
688
689	* Added 2wire_canonical family of functions that lowercase dnames
690	in rdata fields in resource records of the types in the list in
691	rfc3597
692
693	* Added base32 conversion functions.
694
695	* Fixed DSA RRSIG conversion when calling OpenSSL
696
697	Drill:
698
699	* Chase output is completely different, it shows, in ascii, the
700	relations in the trust hierarchy.
701
702	Examples:
703	* Added ldns-verify-zone, that can verify the internal DNSSEC records
704	of a signed BIND-style zone file
705
706	* ldns-keygen now takes an -a argument specifying the algorithm,
707	instead of -R or -D. -a list show a list of supported algorithms
708
709	* ldns-keygen now defaults to the exponent RSA_F4 instead of RSA_3
710	for RSA key generation
711
712	* ldns-signzone now has support for HSMs
713	* ldns-signzone uses the new ldns_dnssec_ structures and functions
714	which improves its speed, and output; RRSIGS are now placed
715	directly after their RRset, NSEC(3) records directly after the
716	name they handle
717
718	Contrib:
719	* new contrib/ dir with user contributions
720	* added compilation script for solaris (thanks to Jakob Schlyter)
721
72228 Nov 2007 1.2.2:
723	* Added support for HMAC-MD5 keys in generator
724	* Added a new example tool (written by Ondrej Sury): ldns-compare-zones
725	* ldns-keygen now checks key sizes for rfc conformancy
726	* ldns-signzone outputs SSL error if present
727	* Fixed manpages (thanks to Ondrej Sury)
728	* Fixed Makefile for -j <x>
729	* Fixed a $ORIGIN error when reading zones
730	* Fixed another off-by-one error
731
73203 Oct 2007 1.2.1:
733	* Fixed an offset error in rr comparison
734	* Fixed ldns-read-zone exit code
735	* Added check for availability of SHA256 hashing algorithm
736	* Fixed ldns-key2ds -2 argument
737	* Fixed $ORIGIN bug in .key files
738	* Output algorithms as an integer instead of their mnemonic
739	* Fixed a memory leak in dnssec code when SHA256 is not available
740	* Updated fedora .spec file
741
74211 Apr 2007 1.2.0:
743	* canonicalization of rdata in DNSSEC functions now adheres to the
744	  rr type list in rfc3597, not rfc4035, which will be updated
745	  (see http://www.ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00183.html)
746	* ldns-walk now support dnames with maximum label length
747	* ldnsd now takes an extra argument containing the address to listen on
748	* signing no longer signs every rrset with KSK's, but only the DNSKEY rrset
749	* ported to Solaris 10
750	* added ldns_send_buffer() function
751	* added ldns-testpkts fake packet server
752	* added ldns-notify to send NOTIFY packets
753	* ldns-dpa can now accurately calculate the number of matches per
754	  second
755	* libtool is now used for compilation too (still gcc, but not directly)
756	* Bugfixes:
757		- TSIG signing buffer size
758		- resolv.conf reading (comments)
759		- dname comparison off by one error
760		- typo in keyfetchers output file name fixed (a . too much)
761		- fixed zone file parser when comments contain ( or )
762		- fixed LOC RR type
763		- fixed CERT RR type
764
765	Drill:
766	* drill prints error on failed axfr.
767	* drill now accepts mangled packets with -f
768	* old -c option (use tcp) changed to -t
769	* -c option to specify alternative resolv.conf file added
770	* feedback of signature chase improved
771	* chaser now stops at root when no trusted keys are found
772	  instead of looping forever trying to find the DS for .
773	* Fixed bugs:
774		- wildcard on multiple labels signature verification
775		- error in -f packet writing for malformed packets
776		- made KSK check more resilient
777
7787 Jul 2006: 1.1.0: ldns-team
779	* Added tutorials and an introduction to the documentation
780	* Added include/ and lib/ dirs so that you can compile against ldns
781	  without installing ldns on your system
782	* Makefile updates
783	* Starting usage of assert throughout the library to catch illegal calls
784	* Solaris 9 testing was carried out. Ldns now compiles on that
785	  platform; some gnuism were identified and fixed.
786	* The ldns_zone structure was stress tested. The current setup
787	 (ie. just a list of rrs) can scale to zone file in order of
788	  megabytes. Sorting such zone is still difficult.
789	* Reading multiline b64 encoded rdata works.
790	* OpenSSL was made optional, configure --without-ssl.
791	  Ofcourse all dnssec/tsig related functions are disabled
792	* Building of examples and drill now happens with the same
793	  defines as the building of ldns itself.
794	* Preliminary sha-256 support was added. Currently is your
795	  OpenSSL supports it, it is supported in the DS creation.
796	* ldns_resolver_search was implemented
797	* Fixed a lot of bugs
798
799	Drill:
800	* -r was killed in favor of -o <header bit mnemonic> which
801	  allows for a header bits setting (and maybe more in the
802	  future)
803	* DNSSEC is never automaticaly set, even when you query
804	  for DNSKEY/RRSIG or DS.
805	* Implement a crude RTT check, it now distinguishes between
806	  reachable and unreachable.
807	* A form of secure tracing was added
808	* Secure Chasing has been improved
809	* -x does a reverse lookup for the given IP address
810
811	Examples:
812	* ldns-dpa was added to the examples - this is the Dns Packet
813	  Analyzer tool.
814	* ldnsd - as very, very simple nameserver impl.
815	* ldns-zsplit - split zones for parrallel signing
816	* ldns-zcat - cat split zones back together
817	* ldns-keyfetcher - Fetches DNSKEY records with a few (non-strong,
818	  non-DNSSEC) anti-spoofing techniques.
819	* ldns-walk - 'Walks' a DNSSEC signed zone
820	* Added an all-static target to the makefile so you can use examples
821	  without installing the library
822	* When building in the source tree or in a direct subdirectory of
823	  the build dir, configure does not need --with-ldns=../ anymore
824
825	Code:
826	* All networking code was moved to net.c
827	* rdata.c: added asserts to the rdf set/get functions
828	* const keyword was added to pointer arguments that
829	  aren't changed
830
831	API:
832	Changed:
833	* renamed ldns/dns.h to ldns/ldns.h
834	* ldns_rr_new_frm_str() is extented with an extra variable which
835	  in common use may be NULL. This trickles through to:
836	  o ldns_rr_new_frm_fp
837	  o ldns_rr_new_frm_fp_l
838	  Which also get an extra variable
839	  Also the function has been changed to return a status message.
840	  The compiled RR is returned in the first argument.
841	* ldns_zone_new_frm_fp_l()  and ldns_zone_new_frm_fp() are
842	  changed to return a status msg.
843	* ldns_key_new_frm_fp is changed to return ldns_status and
844	  the actual key list in the first argument
845	* ldns_rdata_new_frm_fp[_l]() are changed to return a status.
846	  the rdf is return in the first argument
847	* ldns_resolver_new_frm_fp: same treatment: return status and
848	  the new resolver in the first argument
849	* ldns_pkt_query_new_frm_str(): same: return status and the
850	  packet in the first arg
851	* tsig.h: internal used functions are now static:
852	  ldns_digest_name and ldns_tsig_mac_new
853	* ldns_key_rr2ds has an extra argument to specify the hash to
854	  use.
855	* ldns_pkt_rcode() is renamed to ldns_pkt_get_rcode, ldns_pkt_rcode
856	  is now the rcode type, like ldns_pkt_opcode
857	New:
858	* ldns_resolver_searchlist_count: return the searchlist counter
859	* ldns_zone_sort: Sort a zone
860	* ldns_bgsend(): background send, returns a socket.
861	* ldns_pkt_empty(): check is a packet is empty
862	* ldns_rr_list_pop_rr_list(): pop multiple rr's from another rr_list
863	* ldns_rr_list_push_rr_list(): push multiple rr's to an rr_list
864	* ldns_rr_list_compare(): compare 2 ldns_rr_lists
865	* ldns_pkt_push_rr_list: rr_list equiv for rr
866	* ldns_pkt_safe_push_rr_list: rr_list equiv for rr
867	Removed:
868	* ldns_resolver_bgsend(): was not used in 1.0.0 and is not used now
869	* ldns_udp_server_connect(): was faulty and isn't really part of
870	  the core ldns idea any how.
871	* ldns_rr_list_insert_rr(): obsoleted, because not used.
872	* char *_when was removed from the ldns_pkt structure
873
87418 Oct 2005: 1.0.0: ldns-team
875	* Commited a patch from Håkan Olsson
876	* Added UPDATE support (Jakob Schlyter and Håkan Olsson)
877	* License change: ldns is now BSD licensed
878	* ldns now depends on SSL
879	* Networking code cleanup, added (some) server udp/tcp support
880	* A zone type is introduced. Currently this is a list
881	  of RRs, so it will not scale well.
882	* [beta] Zonefile parsing was added
883	* [tools] Drill was added to ldns - see drill/
884	* [tools] experimental signer was added
885	* [building] better check for ssl
886	* [building] major revision of build system
887	* [building] added rpm .spec in packaging/ (thanks to Paul Wouters)
888	* [building] A lot of cleanup in the build scripts (thanks to Jakob Schlyter
889	and Paul Wouters)
890
89128 Jul 2005: 0.70: ldns-team
892	* [func] ldns_pkt_get_section now returns copies from the rrlists
893	  in the packet. This can be freed by the user program
894	* [code] added ldns_ prefixes to function from util.h
895	* [inst] removed documentation from default make install
896	* Usual fixes in documentation and code
897
89820 Jun 2005: 0.66: ldns-team
899	Rel. Focus: drill-pre2 uses some functions which are
900	not in 0.65
901	* dnssec_cd bit function was added
902	* Zone infrastructure was added
903	* Usual fixes in documentation and code
904
90513 Jun 2005: 0.65: ldns-team
906	* Repository is online at:
907	  http://www.nlnetlabs.nl/ldns/svn/
908	* Apply reference copying throuhgout ldns, except in 2
909	  places in the ldns_resolver structure (._domain and
910	 ._nameservers)
911	* Usual array of bugfixes
912	* Documentation added
913	* keygen.c added as an example for DNSSEC programming
914
91523 May 2005: 0.60: ldns-team
916	* Removed config.h from the header installed files
917	  (you're not supposed to include that in a libary)
918	* Further tweaking
919	  - DNSSEC signing/verification works
920	  - Assorted bug fixes and tweaks (memory management)
921
922May 2005: 0.50: ldns-team
923	* First usable release
924	* Basic DNS functionality works
925	* DNSSEC validation works
926