Created attachment 185400
Patch to upgrade

As of today version 2.1.3 of OpenDNSSEC has been released. No special migration steps are required when upgrading from a previous 2.x.x release. It includes fixes to the build system, some regressions w.r.t. OpenDNSSEC 1.4 and a signing bug. Please note that version 2.1.2 was skipped for release.

Build fixes:
* OPENDNSSEC-904: autoconfigure fails to properly identify functions in ssl library on some distributions. This caused the "tsig unknown algorithm hmac-sha256" error.
* OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer.

Regressions:
* OPENDNSSEC-508: Tag <RolloverNotification> was not functioning correctly
* OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in conf.xml
* OPENDNSSEC-906: Tag <AllowExtraction> tag included from late 1.4 development

Bugs Fixed:
* OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge of keys not being scheduled. The purge would happen but some time later than expected.
* OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
* OPENDNSSEC-908: Warn when TTL of resource record exceeds KASP's MaxZoneTTL. Formerly the signer would cap such TTLs to prevent situations where those records could get bogus during ZSK rollover. However it has been realized that this can potentially lead to failing IXFRs. We intend to bring back this feature in the near future when our internal data representation allows this.
You changed:
```
SUB_FILES= pkg-message
```
to
```
SUB_FILES+= pkg-message
```
but this makes absolutely no difference to the value of ${SUB_FILES}. Was there some specific reason for doing that?
(In reply to Matthew Seaman from comment #1)
No special reason; I guess it has become a habit to do += to avoid wiping out possible previous assignments.
(In reply to jaap from comment #2)
Ah, well. Avoiding += or := when plain = does the job is a thing we are meant to be doing. Unless you have any huge objections I'll revert that bit.
Committed, thanks!
A commit references this bug:

Author: matthew
Date: Mon Aug 14 14:46:31 UTC 2017
New revision: 447941
URL: https://svnweb.freebsd.org/changeset/ports/447941

Log:
Update to 2.1.3:

As of today version 2.1.3 of OpenDNSSEC has been released. No special migration steps are required when upgrading from a previous 2.x.x release. It includes fixes to the build system, some regressions w.r.t. OpenDNSSEC 1.4 and a signing bug. Please note that version 2.1.2 was skipped for release.

Build fixes:
* OPENDNSSEC-904: autoconfigure fails to properly identify functions in ssl library on some distributions. This caused the "tsig unknown algorithm hmac-sha256" error.
* OPENDNSSEC-894: repair configuration script to allow excluding the build of the enforcer.

Regressions:
* OPENDNSSEC-508: Tag <RolloverNotification> was not functioning correctly
* OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in conf.xml
* OPENDNSSEC-906: Tag <AllowExtraction> tag included from late 1.4 development

Bugs Fixed:
* OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge of keys not being scheduled. The purge would happen but some time later than expected.
* OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
* OPENDNSSEC-908: Warn when TTL of resource record exceeds KASP's MaxZoneTTL. Formerly the signer would cap such TTLs to prevent situations where those records could get bogus during ZSK rollover. However it has been realized that this can potentially lead to failing IXFRs. We intend to bring back this feature in the near future when our internal data representation allows this.

PR: 221515
Submitted by: jaap@NLnetLabs.nl (maintainer)

Changes:
head/dns/opendnssec2/Makefile
head/dns/opendnssec2/distinfo
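A pre-signing check for the two TTL conditions named in the release notes above (OPENDNSSEC-890 and OPENDNSSEC-908), as an added example that is not part of this bug thread or of OpenDNSSEC: it flags record sets whose members carry different TTLs and record sets with a TTL above a configured maximum. The function names, the sample zone and the 86400-second limit are constructed for illustration, and the parser assumes one record per line with an explicit TTL and fully qualified owner name (no `$TTL`, `$ORIGIN` or multi-line records).

```python
from collections import defaultdict

# Constructed sample records ("owner TTL class type rdata"); not from a real zone.
SAMPLE_ZONE = """\
example.test.     3600   IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 300
example.test.     3600   IN NS  ns1.example.test.
example.test.     3600   IN NS  ns2.example.test.
www.example.test. 300    IN A   192.0.2.10
www.example.test. 600    IN A   192.0.2.11
big.example.test. 172800 IN TXT "long lived"
"""

ASSUMED_MAX_ZONE_TTL = 86400  # assumed stand-in for the KASP MaxZoneTTL, in seconds


def parse_records(text):
    """Yield (owner, ttl, rrclass, rrtype) from one-line records with explicit TTLs."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'owner TTL class type rdata'")
        owner, ttl, rrclass, rrtype = fields[:4]
        yield owner.lower(), int(ttl), rrclass.upper(), rrtype.upper()


def audit_ttls(text, max_zone_ttl=ASSUMED_MAX_ZONE_TTL):
    """Return (mismatched, over_max): RRsets with differing TTLs, and RRsets
    holding a TTL above max_zone_ttl. Each entry is (owner, class, type)."""
    rrsets = defaultdict(set)
    for owner, ttl, rrclass, rrtype in parse_records(text):
        rrsets[(owner, rrclass, rrtype)].add(ttl)
    mismatched = sorted(key for key, ttls in rrsets.items() if len(ttls) > 1)
    over_max = sorted(key for key, ttls in rrsets.items() if max(ttls) > max_zone_ttl)
    return mismatched, over_max


if __name__ == "__main__":
    mismatched, over_max = audit_ttls(SAMPLE_ZONE)
    for key in mismatched:
        print("mismatched TTLs in RRset:", *key)
    for key in over_max:
        print("TTL exceeds assumed MaxZoneTTL:", *key)
```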