11.6.16 2012-11-13 2 * Fix Makefile to build pyldns with BSD make 3 * Fix typo in exporting b32_* symbols to make pyldns load again 4 * Allow leaving the RR owner name empty in ldns-testns datafiles. 5 * Fix fail to create NSEC3 bitmap for empty non-terminal (bug 6 introduced in 1.6.14). 7 81.6.15 2012-10-25 9 * Remove LDNS_STATUS_EXISTS_ERR from ldns/error.h to make ldns 10 binary compatible with earlier releases again. 11 121.6.14 2012-10-23 13 * DANE support (RFC6698), including ldns-dane example tool. 14 * Configurable default CA certificate repository for ldns-dane with 15 --with-ca-file=CAFILE and --with-ca-path=CAPATH 16 * Configurable default trust anchor with --with-trust-anchor=FILE 17 for drill, ldns-verify-zone and ldns-dane 18 * bugfix #474: Define socklen_t when undefined (like in Win32) 19 * bugfix #473: Dead code removal and resource leak fix in drill 20 * bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too. 21 * Various bugfixes from code reviews from CZ.NIC and Paul Wouters 22 * ldns-notify TSIG option argument checking 23 * Let ldns_resolver_nameservers_randomize keep nameservers and rtt's 24 in sync. 25 * Let ldns_pkt_push_rr now return false on (memory) errors. 26 * Make buffer_export comply to documentation and fix buffer2str 27 * Various improvements and fixes of pyldns from Katel Slany 28 now documented in their own Changelog. 29 * bugfix: Make ldns_resolver_pop_nameserver clear the array when 30 there was only one. 31 * bugfix #459: Remove ldns_symbols and export symbols based on regex 32 * bugfix #458: Track all newly created signatures when signing. 33 * bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given. 34 * bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm. 35 * pyldns memory handling fixes and the python3/ldns-signzone.py 36 examples script contribution from Karel Slany. 37 * bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed 38 to be bigger (or equal) P in ldns_key_dsa2bin. 39 * bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new. 40 * bugfix #448: Copy nameserver value (in stead of reference) of the 41 answering nameserver to the answer packet in ldns_send_buffer, so 42 the original value may be deep freed with the ldns_resolver struct. 43 * New -0 option for ldns-read-zone to replace inception, expiration 44 and signature rdata fields with (null). Thanks Paul Wouters. 45 * New -p option for ldns-read-zone to prepend-pad SOA serial to take 46 up ten characters. 47 * Return error if printing RR fails due to unknown/null RDATA. 48 491.6.13 2012-05-21 50 * New -S option for ldns-verify-zone to chase signatures online. 51 * New -k option for ldns-verify-zone to validate using a trusted key. 52 * New inception and expiration margin options (-i and -e) to 53 ldns-verify-zone. 54 * New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l 55 functions. 56 * New ldns_duration* functions (copied from OpenDNSSEC source) 57 * fix ldns-verify-zone to allow NSEC3 signatures to come before 58 the NSEC3 RR in all cases. Thanks Wolfgang Nagele. 59 * Zero the correct flag (opt-out) when creating NSEC3PARAMS. 60 Thanks Peter van Dijk. 61 * Canonicalize RRSIG's Signer's name too when validating, because 62 bind and unbound do that too. Thanks Peter van Dijk. 63 * bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label 64 * bugfix #432: Use LDNS_MALLOC & LDNS_FREE i.s.o. malloc & free 65 * bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT 66 * bugfix #427: Explicitely link ssl with the programs that use it. 67 * Fix reading \DDD: Error on values that are outside range (>255). 68 * bugfix #429: fix doxyparse.pl fails on NetBSD because specified 69 path to perl. 70 * New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl. 71 * fix verifying denial of existence for DS's in NSEC3 Opt-Out zones. 72 Thanks John Barnitz 73 741.6.12 2012-01-11 75 * bugfix #413: Fix manpage source for srcdir != builddir 76 * Canonicalize the signers name rdata field in RRSIGs when signing 77 * Ignore minor version of Private-key-format (so v1.3 may be used) 78 * Allow a check_time to be given in stead of always checking against 79 the current time. With ldns-verify-zone the check_time can be set 80 with the -t option. 81 * Added functions for updating and manipulating SOA serial numbers. 82 ldns-read-zone has an option -S for updating and manipulating the 83 serial numbers. 84 * The library Makefile is now GNU and BSD make compatible. 85 * bugfix #419: NSEC3 validation of a name covered by a wildcard with 86 no data. 87 * Two new options (--with-drill and --with-examples) to the main 88 configure script (in the root of the source tree) to build drill 89 and examples too. 90 * Fix days_since_epoch to year_yday calculation on 32bits systems. 91 921.6.11 2011-09-29 93 * bugfix #394: Fix socket leak on errors 94 * bugfix #392: Apex only and percentage checks for ldns-verify-zone 95 (thanks Miek Gieben) 96 * bugfix #398: Allow NSEC RRSIGs before the NSEC3 in ldns-verify-zone 97 * Fix python site package path from sitelib to sitearch for pyldns. 98 * Fix python api to support python2 and python3 (thanks Karel Slany). 99 * bugfix #401: Correction of date/time functions algorithm and 100 prevention of an infinite loop therein 101 * bugfix #402: Correct the minimum and maximum number of rdata fields 102 in TSIG. (thanks David Keeler) 103 * bugfix #403: Fix heap overflow (thanks David Keeler) 104 * bugfix #404: Make parsing APL strings more robust 105 (thanks David Keeler) 106 * bugfix #391: Complete library assessment to prevent assertion errors 107 through ldns_rdf_size usage. 108 * Slightly more specific error messaging on wrong number of rdata 109 fields with the LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG and 110 LDNS_STATUS_MISSING_RDATA_FIELDS_KEY result codes. 111 * bugfix #406: More rigorous openssl result code handling to prevent 112 future crashes within openssl. 113 * Fix ldns_fetch_valid_domain_keys to search deeper than just one level 114 for a DNSKEY that signed a DS RR. (this function was used in the 115 check_dnssec_trace nagios module) 116 * bugfix #407: Canonicalize TSIG dnames and algorithm fields 117 * A new output specifier to accommodate configuration of what to show 118 in comment texts when converting host and/or wire-format data to 119 string. All conversion to string and printing functions have a new 120 version that have such a format specifier as an extra argument. 121 The default is changed so that only DNSKEY RR's are annotated with 122 an comment show the Key Tag of the DNSKEY. 123 * Fixed the ldns resolver to not mark a nameserver unreachable when 124 edns0 is tried unsuccessfully with size 4096 (no return packet came), 125 but to still try TCP. A big UDP packet might have been corrupted by 126 fragments dropping firewalls. 127 * Update of libdns.vim (thanks Miek Gieben) 128 * Added the ldnsx Python module to our contrib section, which adds even 129 more pythonisticism to the usage of ldns with Python. (Many thanks 130 to Christpher Olah and Paul Wouters) 131 The ldnsx module is automatically installed when --with-pyldns is 132 used with configuring, but may explicitly be excluded with the 133 --without-pyldnsx option to configure. 134 * bugfix #410: Fix clearing out temporary data on stack in sha2.c 135 * bugfix #411: Don't let empty non-terminal NSEC3s cause assertion failure. 136 1371.6.10 2011-05-31 138 * New example tool added: ldns-gen-zone. 139 * bugfix #359: Serial-arithmetic for the inception and expiration 140 fields of a RRSIG and correctly converting them to broken-out time 141 information. 142 * bugfix #364: Slight performance increase of ldns-verifyzone. 143 * bugfix #367: Fix to allow glue records with the same name as the 144 delegation. 145 * Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and* 146 glue when the zone is opt-out. 147 * bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations, 148 ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too. 149 * pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit 150 performance) 151 * Better handling of reference variables in ldns_rr_new_frm_fp_l from 152 pyldns, with a very nice generator function by Bedrich Kosata. 153 * Decoupling of the rdfs in rrs in the python wrappers to enable 154 the python garbage collector by Bedrich Kosata. 155 * bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at 156 build time and when used. 157 * bugfix #383: Fix detection of empty nonterminals of multiple labels. 158 * Fixed the ommission of rrsets in nsec(3)s and rrsigs to all occluded 159 names (in stead of just the ones that contain glue only) and all 160 occluded records on the delegation points (in stead of just the glue). 161 * Clarify the operation of ldns_dnssec_mark_glue and the usage of 162 ldns_dnssec_node_next_nonglue functions in the documentation. 163 * Added function ldns_dnssec_mark_and_get_glue as an real fast 164 alternative for ldns_zone_glue_rr_list. 165 * Fix parse buffer overflow for max length domain names. 166 * Fix Makefile for U in environment, since wrong U is more common than 167 deansification necessity. 168 1691.6.9 2011-03-16 170 * Fix creating NSEC(3) bitmaps: make array size 65536, 171 don't add doubles. 172 * Fix printout of escaped binary in TXT records. 173 * Parsing TXT records: don't skip starting whitespace that is quoted. 174 * bugfix #358: Check if memory was successfully allocated in 175 ldns_rdf2str(). 176 * Added more memory allocation checks in host2str.c 177 * python wrapper for ldns_fetch_valid_domain_keys by Bedrich Kosata. 178 * fix to compile python wrapper with swig 2.0.2. 179 * Don't fallback to SHA-1 when creating NSEC3 hash with another 180 algorithm identifier, fail instead (no other algorithm identifiers 181 are assigned yet). 182 1831.6.8 2011-01-24 184 * Fix ldns zone, so that $TTL definition match RFC 2308. 185 * Fix lots of missing checks on allocation failures and parse of 186 NSEC with many types and max parse length in hosts_frm_fp routine 187 and off by one in read_anchor_file routine (thanks Dan Kaminsky and 188 Justin Ferguson). 189 * bugfix #335: Drill: Print both SHA-1 and SHA-256 corresponding DS 190 records. 191 * Print correct WHEN in query packet (is not always 1-1-1970) 192 * ldns-test-edns: new example tool that detects EDNS support. 193 * fix ldns_resolver_send without openssl. 194 * bugfix #342: patch for support for more CERT key types (RFC4398). 195 * bugfix #351: fix udp_send hang if UDP checksum error. 196 * fix set_bit (from NSEC3 sign) patch from Jan Komissar. 197 1981.6.7 2010-11-08 199 * EXPERIMENTAL ecdsa implementation, please do not enable on real 200 servers. 201 * GOST code enabled by default (RFC 5933). 202 * bugfix #326: ignore whitespace between directives and their values. 203 * Header comment to advertise ldns_axfr_complete to check for 204 successfully completed zone transfers. 205 * read resolv.conf skips interface labels, e.g. %eth0. 206 * Fix drill verify NSEC3 denials. 207 * Use closesocket() on windows. 208 * Add ldns_get_signing_algorithm_by_name that understand aliases, 209 names changed to RFC names and aliases for compatibility added. 210 * bugfix: don't print final dot if the domain is relative. 211 * bugfix: resolver search continue when packet rcode != NOERROR. 212 * bugfix: resolver push all domains in search directive to list. 213 * bugfix: resolver search by default includes the root domain. 214 * bugfix: tcp read could fail on single octet recv. 215 * bugfix: read of RR in unknown syntax with missing fields. 216 * added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next() 217 to sign and verify TSIG RRs on subsequent messages 218 (section 4.4, RFC 2845, thanks to Michael Sheldon). 219 * bugfix: signer sigs nsecs with zsks only. 220 * bugfix #333: fix ldns_dname_absolute for name ending with backslash. 221 2221.6.6 2010-08-09 223 * Fix ldns_rr_clone to copy question rrs properly. 224 * Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone. 225 * Fix ldns_wire2dname size check from reading 1 byte beyond buffer end. 226 * Fix ldns_wire2dname from reading 1 byte beyond end for pointer. 227 * Fix crash using GOST for particular platform configurations. 228 * extern C declarations used in the header file. 229 * Removed debug fprintf from resolver.c. 230 * ldns-signzone checks if public key file is for the right zone. 231 * NETLDNS, .NET port of ldns functionality, by Alex Nicoll, in contrib. 232 * Fix handling of comments in resolv.conf parse. 233 * GOST code enabled if SSL recent, RFC 5933. 234 * bugfix #317: segfault util.c ldns_init_random() fixed. 235 * Fix ldns_tsig_mac_new: allocate enough memory for the hash, fix use of 236 b64_pton_calculate_size. 237 * Fix ldns_dname_cat: size calculation and handling of realloc(). 238 * Fix ldns_rr_pop_rdf: fix handling of realloc(). 239 * Fix ldns-signzone for single type key scheme: sign whole zone if there 240 are only KSKs. 241 * Fix ldns_resolver: also close socket if AXFR failed (if you don't, 242 it would block subsequent transfers (thanks Roland van Rijswijk). 243 * Fix drill: allow for a secure trace if you use DS records as trust 244 anchors (thanks Jan Komissar). 245 2461.6.5 2010-06-15 247 * Catch \X where X is a digit as an error. 248 * Fix segfault when ip6 ldns resolver only has ip4 servers. 249 * Fix NSEC record after DNSKEY at zone apex not properly signed. 250 * Fix syntax error if last label too long and no dot at end of domain. 251 * Fix parse of \# syntax with space for type LOC. 252 * Fix ldns_dname_absolute for escape sequences, fixes some parse errs. 253 * bugfix #297: linking ssl, bug due to patch submitted as #296. 254 * bugfix #299: added missing declarations to host2str.h 255 * ldns-compare-zones -s to not exclude SOA record from comparison. 256 * --disable-rpath fix 257 * fix ldns_pkt_empty(), reported by Alex Nicoll. 258 * fix ldns_resolver_new_frm_fp not ignore lines after a comment. 259 * python code for ldns_rr.new_question_frm_str() 260 * Fix ldns_dnssec_verify_denial: the signature selection routine. 261 * Type TALINK parsed (draft-ietf-dnsop-trust-history). 262 * bugfix #304: fixed dead loop in ldns_tcp_read_wire() and 263 ldns_tcp_read_wire_timeout(). 264 * GOST support with correct algorithm numbers. The plan is to make it 265 enabled if openssl support is detected, but it is disabled by 266 default in this release because the RFC is not ready. 267 * Fixed comment in rbtree.h about being first member and data ptr. 268 * Fixed possibly leak in case of out of memory in ldns_native2rdf... 269 * ldns_dname_is_wildcard added. 270 * Fixed: signatures over wildcards had the wrong labelcount. 271 * Fixed ldns_verify() inconsistent return values. 272 * Fixed ldns_resolver to copy and free tsig name, data and algorithm. 273 * Fixed ldns_resolver to push search onto searchlist. 274 * A ldns resolver now defaults to a non-recursive resolver that handles 275 the TC bit. 276 * ldns_resolver_print() prints more details. 277 * Fixed ldns_rdf2buffer_str_time(), which did not print timestamps 278 on 64bit systems. 279 * Make ldns_resolver_nameservers_randomize() more random. 280 * bugfix #310: POSIX specifies NULL second argument of gettimeofday. 281 * fix compiler warnings from llvm clang compiler. 282 * bugfix #309: ldns_pkt_clone did not clone the tsig_rr. 283 * Fix gentoo ebuild for drill, 'no m4 directory'. 284 * bugfix #313: drill trace on an empty nonterminal continuation. 285 2861.6.4 2010-01-20 287 * Imported pyldns contribution by Zdenek Vasicek and Karel Slany. 288 Changed its configure and Makefile to fit into ldns. 289 Added its dname_* methods to the rdf_* class (as is the ldns API). 290 Changed swig destroy of ldns_buffer class to ldns_buffer_free. 291 Declared ldns_pkt_all and ldns_pkt_all_noquestion so swig sees them. 292 * Bugfix: parse PTR target of .tomhendrikx.nl with error not crash. 293 * Bugfix: handle escaped characters in TXT rdata. 294 * bug292: no longer crash on malformed domain names where a label is 295 on position 255, which was a buffer overflow by one. 296 * Fix ldns_get_rr_list_hosts_frm_fp_l (strncpy to strlcpy change), 297 which fixes resolv.conf reading badly terminated string buffers. 298 * Fix ldns_pkt_set_random_id to be more random, and a little faster, 299 it did not do value 0 statistically correctly. 300 * Fix ldns_rdf2native_sockaddr_storage to set sockaddr type to zeroes, 301 for portability. 302 * bug295: nsec3-hash routine no longer case sensitive. 303 * bug298: drill failed nsec3 denial of existence proof. 304 3051.6.3 2009-12-04 306 * Bugfix: allow for unknown resource records in zonefile with rdlen=0. 307 * Bugfix: also mark an RR as question if it comes from the wire 308 * Bugfix: NSEC3 bitmap contained NSEC 309 * Bugfix: Inherit class when creating signatures 310 3111.6.2 2009-11-12 312 * Fix Makefile patch from Havard Eidnes, better install.sh usage. 313 * Fix parse error on SOA serial of 2910532839. 314 Fix print of ';' and readback of '\;' in names, also for '\\'. 315 Fix parse of '\(' and '\)' in names. Also for file read. Also '\.' 316 * Fix signature creation when TTLs are different for RRs in RRset. 317 * bug273: fix so EDNS rdata is included in pkt to wire conversion. 318 * bug274: fix use of c++ keyword 'class' for RR class in the code. 319 * bug275: fix memory leak of packet edns rdata. 320 * Fix timeout procedure for TCP and AXFR on Solaris. 321 * Fix occasional NSEC bitmap bogus 322 * Fix rr comparing (was in reversed order since 1.6.0) 323 * bug278: fix parsing HINFO rdata (and other cases). 324 * Fix previous owner name: also pick up if owner name is @. 325 * RFC5702: enabled sha2 functions by default. This requires OpenSSL 0.9.8 or higher. 326 Reason for this default is the root to be signed with RSASHA256. 327 * Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines 328 * Fix: Make ldns_dname_is_subdomain case insensitive. 329 * Fix ldns-verify-zone so that address records at zone NS set are not considered glue 330 (Or glue records fall below delegation) 331 * Fix LOC RR altitude printing. 332 * Feature: Added period (e.g. '3m6d') support at explicit TTLs. 333 * Feature: DNSKEY rrset by default signed with minimal signatures 334 but -A option for ldns-signzone to sign it with all keys. 335 This makes the DNSKEY responses smaller for signed domains. 336 3371.6.1 2009-09-14 338 * --enable-gost : use the GOST algorithm (experimental). 339 * Added some missing options to drill manpage 340 * Some fixes to --without-ssl option 341 * Fixed quote parsing withing strings 342 * Bitmask fix in EDNS handling 343 * Fixed non-fqdn domain name completion for rdata field domain 344 names of length 1 345 * Fixed chain validation with SHA256 DS records 346 3471.6.0 348 Additions: 349 * Addition of an ldns-config script which gives cflags and libs 350 values, for use in configure scripts for applications that use 351 use ldns. Can be disabled with ./configure --disable-ldns-config 352 * Added direct sha1, sha256, and sha512 support in ldns. 353 With these functions, all NSEC3 functionality can still be 354 used, even if ldns is built without OpenSSL. Thanks to OpenBSD, 355 Steve Reid, and Aaron D. Gifford for the code. 356 * Added reading/writing support for the SPF Resource Record 357 * Base32 functions are now exported 358 Bugfixes: 359 * ldns_is_rrset did not go through the complete rrset, but 360 only compared the first two records. Thanks to Olafur 361 Gudmundsson for report and patch 362 * Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(), 363 thanks to Marius Rieder for finding an patching this. 364 * --without-ssl should now work. Make sure that examples/ and 365 drill also get the --without-ssl flag on their configure, if 366 this is used. 367 * Some malloc() return value checks have been added 368 * NSEC3 creation has been improved wrt to empty nonterminals, 369 and opt-out. 370 * Fixed a bug in the parser when reading large NSEC3 salt 371 values. 372 * Made the allowed length for domain names on wire 373 and presentation format the same. 374 Example tools: 375 * ldns-key2ds can now also generate DS records for keys without 376 the SEP flag 377 * ldns-signzone now equalizes the TTL of the DNSKEY RRset (to 378 the first non-default DNSKEY TTL value it sees) 379 3801.5.1 381 Example tools: 382 * ldns-signzone was broken in 1.5.0 for multiple keys, this 383 has been repaired 384 385 Build system: 386 * Removed a small erroneous output warning in 387 examples/configure and drill/configure 388 3891.5.0 390 Bug fixes: 391 * fixed a possible memory overflow in the RR parser 392 * build flag fix for Sun Studio 393 * fixed a building race condition in the copying of header 394 files 395 * EDNS0 extended rcode; the correct assembled code number 396 is now printed (still in the EDNS0 field, though) 397 * ldns_pkt_rr no longer leaks memory (in fact, it no longer 398 copies anything all) 399 400 API addition: 401 * ldns_key now has support for 'external' data, in which 402 case the OpenSSL EVP structures are not used; 403 ldns_key_set_external_key() and ldns_key_external_key() 404 * added ldns_key_get_file_base_name() which creates a 405 'default' filename base string for key storage, of the 406 form "K<zone>+<algorithm>+<keytag>" 407 * the ldns_dnssec_* family of structures now have deep_free() 408 functions, which also free the ldns_rr's contained in them 409 * there is now an ldns_match_wildcard() function, which checks 410 whether a domain name matches a wildcard name 411 * ldns_sign_public has been split up; this resulted in the 412 addition of ldns_create_empty_rrsig() and 413 ldns_sign_public_buffer() 414 415 Examples: 416 * ldns-signzone can now automatically add DNSKEY records when 417 using an OpenSSL engine, as it already did when using key 418 files 419 * added new example tool: ldns-nsec3-hash 420 * ldns-dpa can now filter on specific query name and types 421 * ldnsd has fixes for the zone name, a fix for the return 422 value of recvfrom(), and an memory initialization fix 423 (Thanks to Colm MacCárthaigh for the patch) 424 * Fixed memory leaks in ldnsd 425 426 427 4281.4.1 429 Bug fixes: 430 * fixed a build issue where ldns lib existence was done too early 431 * removed unnecessary check for pcap.h 432 * NSEC3 optout flag now correctly printed in string output 433 * inttypes.h moved to configured inclusion 434 * fixed NSEC3 type bitmaps for empty nonterminals and unsigned 435 delegations 436 437 API addition: 438 * for that last fix, we added a new function 439 ldns_dname_add_from() that can clone parts of a dname 440 4411.4.0 442 Bug fixes: 443 * sig chase return code fix (patch from Rafael Justo, bug id 189) 444 * rdata.c memory leaks on error and allocation checks fixed (patch 445 from Shane Kerr, bug id 188) 446 * zone.c memory leaks on error and allocation checks fixed (patch 447 from Shane Kerr, bug id 189) 448 * ldns-zplit output and error messages fixed (patch from Shane Kerr, 449 bug id 190) 450 * Fixed potential buffer overflow in ldns_str2rdf_dname 451 * Signing code no longer signs delegation NS rrsets 452 * Some minor configure/makefile updates 453 * Fixed a bug in the randomness initialization 454 * Fixed a bug in the reading of resolv.conf 455 * Fixed a bug concerning whitespace in zone data (with patch from Ondrej 456 Sury, bug 213) 457 * Fixed a small fallback problem in axfr client code 458 459 API CHANGES: 460 * added 2str convenience functions: 461 - ldns_rr_type2str 462 - ldns_rr_class2str 463 - ldns_rr_type2buffer_str 464 - ldns_rr_class2buffer_str 465 * buffer2str() is now called ldns_buffer2str 466 * base32 and base64 function names are now also prepended with ldns_ 467 * ldns_rr_new_frm_str() now returns an error on missing RDATA fields. 468 Since you cannot read QUESTION section RRs with this anymore, 469 there is now a function called ldns_rr_new_question_frm_str() 470 471 LIBRARY FEATURES: 472 * DS RRs string representation now add bubblebabble in a comment 473 (patch from Jakob Schlyter) 474 * DLV RR type added 475 * TCP fallback system has been improved 476 * HMAC-SHA256 TSIG support has been added. 477 * TTLS are now correcly set in NSEC(3) records when signing zones 478 479 EXAMPLE TOOLS: 480 * New example: ldns-revoke to revoke DNSKEYs according to RFC5011 481 * ldns-testpkts has been fixed and updated 482 * ldns-signzone now has the option to not add the DNSKEY 483 * ldns-signzone now has an (full zone only) opt-out option for 484 NSEC3 485 * ldns-keygen can create HMAC-SHA1 and HMAC-SHA256 symmetric keys 486 * ldns-walk output has been fixed 487 * ldns-compare-zones has been fixed, and now has an option 488 to show all differences (-a) 489 * ldns-read-zone now has an option to print DNSSEC records only 490 4911.3 492 Base library: 493 494 * Added a new family of functions based around ldns_dnssec_zone, 495 which is a new structure that keeps a zone sorted through an 496 rbtree and links signatures and NSEC(3) records directly to their 497 RRset. These functions all start with ldns_dnssec_ 498 499 * ldns_zone_sign and ldns_zone_sign_nsec3 are now deprecated, but 500 have been changed to internally use the new 501 ldns_dnssec_zone_sign(_nsec3) 502 503 * Moved some ldns_buffer functions inline, so a clean rebuild of 504 applications relying on those is needed (otherwise you'll get 505 linker errors) 506 * ldns_dname_label now returns one extra (zero) 507 byte, so it can be seen as an fqdn. 508 * NSEC3 type code update for signing algorithms. 509 * DSA key generation of DNSKEY RRs fixed (one byte too small). 510 511 * Added support for RSA/SHA256 and RSA/SHA512, as specified in 512 draft-ietf-dnsext-dnssec-rsasha256-04. The typecodes are not 513 final, and this feature is not enabled by default. It can be 514 enabled at compilation time with the flag --with-sha2 515 516 * Added 2wire_canonical family of functions that lowercase dnames 517 in rdata fields in resource records of the types in the list in 518 rfc3597 519 520 * Added base32 conversion functions. 521 522 * Fixed DSA RRSIG conversion when calling OpenSSL 523 524 Drill: 525 526 * Chase output is completely different, it shows, in ascii, the 527 relations in the trust hierarchy. 528 529 Examples: 530 * Added ldns-verify-zone, that can verify the internal DNSSEC records 531 of a signed BIND-style zone file 532 533 * ldns-keygen now takes an -a argument specifying the algorithm, 534 instead of -R or -D. -a list show a list of supported algorithms 535 536 * ldns-keygen now defaults to the exponent RSA_F4 instead of RSA_3 537 for RSA key generation 538 539 * ldns-signzone now has support for HSMs 540 * ldns-signzone uses the new ldns_dnssec_ structures and functions 541 which improves its speed, and output; RRSIGS are now placed 542 directly after their RRset, NSEC(3) records directly after the 543 name they handle 544 545 Contrib: 546 * new contrib/ dir with user contributions 547 * added compilation script for solaris (thanks to Jakob Schlyter) 548 54928 Nov 2007 1.2.2: 550 * Added support for HMAC-MD5 keys in generator 551 * Added a new example tool (written by Ondrej Sury): ldns-compare-zones 552 * ldns-keygen now checks key sizes for rfc conformancy 553 * ldns-signzone outputs SSL error if present 554 * Fixed manpages (thanks to Ondrej Sury) 555 * Fixed Makefile for -j <x> 556 * Fixed a $ORIGIN error when reading zones 557 * Fixed another off-by-one error 558 55903 Oct 2007 1.2.1: 560 * Fixed an offset error in rr comparison 561 * Fixed ldns-read-zone exit code 562 * Added check for availability of SHA256 hashing algorithm 563 * Fixed ldns-key2ds -2 argument 564 * Fixed $ORIGIN bug in .key files 565 * Output algorithms as an integer instead of their mnemonic 566 * Fixed a memory leak in dnssec code when SHA256 is not available 567 * Updated fedora .spec file 568 56911 Apr 2007 1.2.0: 570 * canonicalization of rdata in DNSSEC functions now adheres to the 571 rr type list in rfc3597, not rfc4035, which will be updated 572 (see http://www.ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00183.html) 573 * ldns-walk now support dnames with maximum label length 574 * ldnsd now takes an extra argument containing the address to listen on 575 * signing no longer signs every rrset with KSK's, but only the DNSKEY rrset 576 * ported to Solaris 10 577 * added ldns_send_buffer() function 578 * added ldns-testpkts fake packet server 579 * added ldns-notify to send NOTIFY packets 580 * ldns-dpa can now accurately calculate the number of matches per 581 second 582 * libtool is now used for compilation too (still gcc, but not directly) 583 * Bugfixes: 584 - TSIG signing buffer size 585 - resolv.conf reading (comments) 586 - dname comparison off by one error 587 - typo in keyfetchers output file name fixed (a . too much) 588 - fixed zone file parser when comments contain ( or ) 589 - fixed LOC RR type 590 - fixed CERT RR type 591 592 Drill: 593 * drill prints error on failed axfr. 594 * drill now accepts mangled packets with -f 595 * old -c option (use tcp) changed to -t 596 * -c option to specify alternative resolv.conf file added 597 * feedback of signature chase improved 598 * chaser now stops at root when no trusted keys are found 599 instead of looping forever trying to find the DS for . 600 * Fixed bugs: 601 - wildcard on multiple labels signature verification 602 - error in -f packet writing for malformed packets 603 - made KSK check more resilient 604 6057 Jul 2006: 1.1.0: ldns-team 606 * Added tutorials and an introduction to the documentation 607 * Added include/ and lib/ dirs so that you can compile against ldns 608 without installing ldns on your system 609 * Makefile updates 610 * Starting usage of assert throughout the library to catch illegal calls 611 * Solaris 9 testing was carried out. Ldns now compiles on that 612 platform; some gnuism were identified and fixed. 613 * The ldns_zone structure was stress tested. The current setup 614 (ie. just a list of rrs) can scale to zone file in order of 615 megabytes. Sorting such zone is still difficult. 616 * Reading multiline b64 encoded rdata works. 617 * OpenSSL was made optional, configure --without-ssl. 618 Ofcourse all dnssec/tsig related functions are disabled 619 * Building of examples and drill now happens with the same 620 defines as the building of ldns itself. 621 * Preliminary sha-256 support was added. Currently is your 622 OpenSSL supports it, it is supported in the DS creation. 623 * ldns_resolver_search was implemented 624 * Fixed a lot of bugs 625 626 Drill: 627 * -r was killed in favor of -o <header bit mnemonic> which 628 allows for a header bits setting (and maybe more in the 629 future) 630 * DNSSEC is never automaticaly set, even when you query 631 for DNSKEY/RRSIG or DS. 632 * Implement a crude RTT check, it now distinguishes between 633 reachable and unreachable. 634 * A form of secure tracing was added 635 * Secure Chasing has been improved 636 * -x does a reverse lookup for the given IP address 637 638 Examples: 639 * ldns-dpa was added to the examples - this is the Dns Packet 640 Analyzer tool. 641 * ldnsd - as very, very simple nameserver impl. 642 * ldns-zsplit - split zones for parrallel signing 643 * ldns-zcat - cat split zones back together 644 * ldns-keyfetcher - Fetches DNSKEY records with a few (non-strong, 645 non-DNSSEC) anti-spoofing techniques. 646 * ldns-walk - 'Walks' a DNSSEC signed zone 647 * Added an all-static target to the makefile so you can use examples 648 without installing the library 649 * When building in the source tree or in a direct subdirectory of 650 the build dir, configure does not need --with-ldns=../ anymore 651 652 Code: 653 * All networking code was moved to net.c 654 * rdata.c: added asserts to the rdf set/get functions 655 * const keyword was added to pointer arguments that 656 aren't changed 657 658 API: 659 Changed: 660 * renamed ldns/dns.h to ldns/ldns.h 661 * ldns_rr_new_frm_str() is extented with an extra variable which 662 in common use may be NULL. This trickles through to: 663 o ldns_rr_new_frm_fp 664 o ldns_rr_new_frm_fp_l 665 Which also get an extra variable 666 Also the function has been changed to return a status message. 667 The compiled RR is returned in the first argument. 668 * ldns_zone_new_frm_fp_l() and ldns_zone_new_frm_fp() are 669 changed to return a status msg. 670 * ldns_key_new_frm_fp is changed to return ldns_status and 671 the actual key list in the first argument 672 * ldns_rdata_new_frm_fp[_l]() are changed to return a status. 673 the rdf is return in the first argument 674 * ldns_resolver_new_frm_fp: same treatment: return status and 675 the new resolver in the first argument 676 * ldns_pkt_query_new_frm_str(): same: return status and the 677 packet in the first arg 678 * tsig.h: internal used functions are now static: 679 ldns_digest_name and ldns_tsig_mac_new 680 * ldns_key_rr2ds has an extra argument to specify the hash to 681 use. 682 * ldns_pkt_rcode() is renamed to ldns_pkt_get_rcode, ldns_pkt_rcode 683 is now the rcode type, like ldns_pkt_opcode 684 New: 685 * ldns_resolver_searchlist_count: return the searchlist counter 686 * ldns_zone_sort: Sort a zone 687 * ldns_bgsend(): background send, returns a socket. 688 * ldns_pkt_empty(): check is a packet is empty 689 * ldns_rr_list_pop_rr_list(): pop multiple rr's from another rr_list 690 * ldns_rr_list_push_rr_list(): push multiple rr's to an rr_list 691 * ldns_rr_list_compare(): compare 2 ldns_rr_lists 692 * ldns_pkt_push_rr_list: rr_list equiv for rr 693 * ldns_pkt_safe_push_rr_list: rr_list equiv for rr 694 Removed: 695 * ldns_resolver_bgsend(): was not used in 1.0.0 and is not used now 696 * ldns_udp_server_connect(): was faulty and isn't really part of 697 the core ldns idea any how. 698 * ldns_rr_list_insert_rr(): obsoleted, because not used. 699 * char *_when was removed from the ldns_pkt structure 700 70118 Oct 2005: 1.0.0: ldns-team 702 * Commited a patch from Håkan Olsson 703 * Added UPDATE support (Jakob Schlyter and Håkan Olsson) 704 * License change: ldns is now BSD licensed 705 * ldns now depends on SSL 706 * Networking code cleanup, added (some) server udp/tcp support 707 * A zone type is introduced. Currently this is a list 708 of RRs, so it will not scale well. 709 * [beta] Zonefile parsing was added 710 * [tools] Drill was added to ldns - see drill/ 711 * [tools] experimental signer was added 712 * [building] better check for ssl 713 * [building] major revision of build system 714 * [building] added rpm .spec in packaging/ (thanks to Paul Wouters) 715 * [building] A lot of cleanup in the build scripts (thanks to Jakob Schlyter 716 and Paul Wouters) 717 71828 Jul 2005: 0.70: ldns-team 719 * [func] ldns_pkt_get_section now returns copies from the rrlists 720 in the packet. This can be freed by the user program 721 * [code] added ldns_ prefixes to function from util.h 722 * [inst] removed documentation from default make install 723 * Usual fixes in documentation and code 724 72520 Jun 2005: 0.66: ldns-team 726 Rel. Focus: drill-pre2 uses some functions which are 727 not in 0.65 728 * dnssec_cd bit function was added 729 * Zone infrastructure was added 730 * Usual fixes in documentation and code 731 73213 Jun 2005: 0.65: ldns-team 733 * Repository is online at: 734 http://www.nlnetlabs.nl/ldns/svn/ 735 * Apply reference copying throuhgout ldns, except in 2 736 places in the ldns_resolver structure (._domain and 737 ._nameservers) 738 * Usual array of bugfixes 739 * Documentation added 740 * keygen.c added as an example for DNSSEC programming 741 74223 May 2005: 0.60: ldns-team 743 * Removed config.h from the header installed files 744 (you're not supposed to include that in a libary) 745 * Further tweaking 746 - DNSSEC signing/verification works 747 - Assorted bug fixes and tweaks (memory management) 748 749May 2005: 0.50: ldns-team 750 * First usable release 751 * Basic DNS functionality works 752 * DNSSEC validation works 753