Bug 217563 - dns/opendnssec2: Update to version 2.1.0
Summary: dns/opendnssec2: Update to version 2.1.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bartek Rutkowski
URL:
Keywords:
Depends on:
Blocks: 214789
Reported: 2017-03-05 15:19 UTC by Jaap Akkerhuis
Modified: 2017-03-08 21:04 UTC (History)

See Also:


Attachments
Patch to update (3.16 KB, patch)
2017-03-05 15:19 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2017-03-05 15:19:41 UTC
Created attachment 180540
Patch to update

This update also takes care of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214789


MIGRATION

There are no migration steps needed from 2.0.x to 2.1.0. Version 1.4.10
can be migrated directly to 2.1.0 (see MIGRATION text file in tarball).
Any version prior to 1.4.10 should upgrade to 1.4.10 first.

FEATURES

* OPENDNSSEC-779: The Enforcer will now have an 'enforce' and
  'signconf' task scheduled per zone. 'Resalt' tasks are scheduled per
  policy. This improves performance and parallelism since all zones no
  longer need to be evaluated for work to be done. Further parallelism
  improvements in the Enforcer are on our roadmap.
* OPENDNSSEC-681: When daemonizing, the Signer and Enforcer daemons fork
  to the background. Since they are then no longer able to print
  messages to the console, start-up problems are harder to debug. Now,
  after the fork() call the parent process will wait for the daemon to
  signal successful start and will print relevant error messages in
  case it doesn't.
* OPENDNSSEC-479: On sending notifies and initiating zone transfers the
  signer will now use the first interface mentioned in the listener
  section of conf.xml. This way the interface selection is not left to
  the OS, which could cause outgoing packets to have an unexpected source
  address if multiple interfaces have a route to the destination
  address.
* OPENDNSSEC-759: The Signer doesn't need to access the HSM for every
  zone during start-up any more. This is done later by the worker
  threads. This way the signer starts quicker and is available for user
  input earlier.
* OPENDNSSEC-450: Implement support for ECDSA P-256, P-384 and GOST.
  To be able to use this your HSM should have support as well.
  SoftHSMv2 can be compiled with support for these.
* OPENDNSSEC-503: When adding a new zone to OpenDNSSEC the Enforcer is
  a little less conservative and will add signatures and keys to the
  zone in one go, thereby mimicking OpenDNSSEC 1.4. Effectively, new
  zones are fully signed earlier, by the TTL of the DNSKEY set.
* A bash autocompletion script is included in contrib for ods-enforcer
  and ods-signer. Commands, parameters, zone names and key identifiers
  can be autocompleted from the command line.


FURTHER IMPROVEMENTS

* OPENDNSSEC-530: The <Interval> tag for the Enforcer in conf.xml has
  been unused and deprecated in 2.0. Since 2.1 this tag is no longer
  allowed to be specified.
* Show help for ods-enforcer-db-setup with -h or --help
* OPENDNSSEC-836: If the listening port for Signer is not set in
  conf.xml file, the default value "15354" is used.
* OPENDNSSEC-864: ods-signer didn't print help. Also the --version and
  --socket options were not processed.
* OPENDNSSEC-858: OpenDNSSEC 2.0 printed "completed in x seconds" to
  stderr for enforcer commands. This line is removed.
* SUPPORT-208: Running 'ods-enforcer key export' included a comment
  string with key properties. This is dropped to aid parsing.
* OPENDNSSEC-552: By default 'ods-enforcer key export --ds' included
  the SHA1 version of the DS. SHA1 use is discouraged in favour of
  SHA256. To get the SHA1 DS use the --sha1 flag. This flag is
  immediately deprecated and will be removed from future versions of
  OpenDNSSEC.
* OPENDNSSEC-465: ods-kaspcheck warns about algorithm mismatch between
  keys.
* When a zone is deleted the Enforcer now properly removes all tasks
  associated with that zone from its task queue.
* In the key section of the kasp.xml file, the algorithm length is no
  longer optional. For ECDSA and GOST keys this value is ignored.
* The Enforcer and the Signer now have an HSM key cache shared between
  their threads, so every thread no longer needs to iterate over all
  keys, which can potentially be very slow for some HSMs.
* OPENDNSSEC-721: Our integration testing environment now uses
  SoftHSMv2 instead of version one.
* OPENDNSSEC-844: Warning when the lifetime of a key is smaller than the
  signature validity time.
* OPENDNSSEC-311: Installation can now set the right permissions on
  used files for a configurable user/group when not running OpenDNSSEC
  as root.
* OPENDNSSEC-593: Cope more gracefully when a zone is configured for the
  signer but the signconf is not yet available.
* OPENDNSSEC-600: Log critical error if key is not inserted due to
  policy parameters misconfiguration.
* OPENDNSSEC-694: Domain names in the value/answer part of records
  (e.g. names referred to by PTR records) were mapped to lowercase.
* OPENDNSSEC-803: Extensive logging on aborting the application.


BUGS FIXED

* OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
* SUPPORT-29: signer clear <zone> would assert when signconf wasn't
  read yet.
* OPENDNSSEC-869: ds-seen command did not give error on badly formatted
  keytag.
* OPENDNSSEC-849: Crash on free of part of IXFR structure.
* OPENDNSSEC-601: signer and enforcer working dir would not properly
  fall back to default when not specified.
* OPENDNSSEC-689: Failure of daemon during start up is not logged.
* OPENDNSSEC-850: Date of new transition could temporarily be incorrect.
* OPENDNSSEC-851: Change in verbosity level not immediately propagated.
* Various memory leaks, resolving compiler warnings, and static code
  analysis.
* Libxml2 clean up improvements (Thanks he32).
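The OPENDNSSEC-552 item above changes what 'ods-enforcer key export --ds' emits: the SHA-256 DS (digest type 2) by default, the SHA-1 DS (digest type 1) only via the deprecated --sha1 flag. The following added example, which is not OpenDNSSEC's code and is not part of the original bug report, shows what those two DS variants are: the digest is computed over the owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4, RFC 4509 for SHA-256), and the key tag follows RFC 4034 Appendix B. It also shows the parent-side check an operator would run before publishing a DS. The owner name and the DNSKEY (a four-byte placeholder public key with flags 257, protocol 3, algorithm 13) are constructed sample values, not a real key, so the digests it produces are only meaningful as a demonstration of the procedure; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample input (NOT a real key): owner name plus a DNSKEY in
# presentation format "flags protocol algorithm base64-key". Flags 257 marks a
# KSK, algorithm 13 is ECDSA P-256, one of the algorithms 2.1.0 adds support for.
SAMPLE_OWNER = "example.test."
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="

# DS digest types (RFC 4034 / RFC 4509). Type 2 is what should be published;
# type 1 is kept only so a legacy SHA-1 DS can still be recognised.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.lower().rstrip(".")
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def parse_dnskey(text: str):
    """Split 'flags protocol algorithm base64key' into typed fields."""
    flags, protocol, algorithm, *key_parts = text.split()
    pubkey = base64.b64decode("".join(key_parts))
    return int(flags), int(protocol), int(algorithm), pubkey


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner: str, dnskey_text: str, include_sha1: bool = False):
    """Return DS tuples (key_tag, algorithm, digest_type, digest_hex).
    SHA-256 is always produced; SHA-1 only when explicitly requested,
    mirroring the opt-in --sha1 behaviour described in the changelog."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    material = name_to_wire(owner) + rdata
    tag = key_tag(rdata)
    types = [2] + ([1] if include_sha1 else [])
    return [(tag, algorithm, t, DIGEST_TYPES[t](material).hexdigest().upper())
            for t in types]


def format_ds(owner: str, record) -> str:
    """Presentation format of a DS record."""
    tag, alg, dtype, digest = record
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def verify_ds(owner: str, dnskey_text: str, ds_record) -> bool:
    """Parent-side check: does this DS really match the child's DNSKEY?
    Recomputes the DS for the claimed digest type and compares in constant time."""
    tag, alg, dtype, digest = ds_record
    for cand in ds_records(owner, dnskey_text, include_sha1=True):
        if cand[:3] == (tag, alg, dtype):
            return hmac.compare_digest(cand[3], digest.upper())
    return False


if __name__ == "__main__":
    # Default export: SHA-256 only. Pass include_sha1=True to see the legacy DS too.
    for rec in ds_records(SAMPLE_OWNER, SAMPLE_DNSKEY, include_sha1=True):
        print(format_ds(SAMPLE_OWNER, rec))
```

The key tag is the same for both digest types because it depends only on the DNSKEY RDATA, which is why a resolver can select the right DNSKEY from a DS regardless of digest type; only the digest itself differs, and a parent that accepts a type 1 DS is relying on SHA-1 for the chain of trust.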
Comment 1 commit-hook freebsd_committer 2017-03-08 11:05:11 UTC
A commit references this bug:

Author: robak
Date: Wed Mar  8 11:04:54 UTC 2017
New revision: 435670
URL: https://svnweb.freebsd.org/changeset/ports/435670

Log:
  dns/opendnssec2: update 2.0.3 -> 2.1.0

  - Fix DB scripts from docs

  PR:		217563
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  MFH:		2017Q1

Changes:
  head/dns/opendnssec2/Makefile
  head/dns/opendnssec2/distinfo
  head/dns/opendnssec2/pkg-plist
Comment 2 Bartek Rutkowski freebsd_committer 2017-03-08 11:09:03 UTC
Committed, thanks!
Comment 3 commit-hook freebsd_committer 2017-03-08 21:04:40 UTC
A commit references this bug:

Author: robak
Date: Wed Mar  8 21:03:45 UTC 2017
New revision: 435728
URL: https://svnweb.freebsd.org/changeset/ports/435728

Log:
  MFH: r435670

  dns/opendnssec2: update 2.0.3 -> 2.1.0

  - Fix DB scripts from docs

  PR:		217563
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)

  Approved by:	ports-secteam

Changes:
_U  branches/2017Q1/
  branches/2017Q1/dns/opendnssec2/Makefile
  branches/2017Q1/dns/opendnssec2/distinfo
  branches/2017Q1/dns/opendnssec2/pkg-plist