11.7.0 2016-12-20 2 * Fix lookup of relative names in ldns_resolver_search. 3 * bugfix #548: Double free for answers > 4096 in ldns_resolver_send_pkt 4 * Follow CNAME's when tracing with drill (TODO dnssec trace) 5 * Fix #551 change Regent to Copyright holder in BSD license in 6 some of the headings of the file, to match the opensource.org 7 BSD license. 8 * -e option makes ldns-compare-zones exit with status code 2 on difference 9 * Filter out specified RR types with ldns-read-zone -e and -E options 10 * bugfix #563: Correct DNSKEY from DSA private key. Thanks Peter Koch. 11 * bugfix #562: ldns-keygen match DSA key maximum size with library. 12 And check keysizes with all algorithms. Thanks Peter Koch. 13 * ldns-verify-zone accepts only one single zonefile as argument. 14 * bugfix #573: ldns-keygen write private keys with mode 0600. 15 Thanks Leon Weber 16 * Fix configure to make ldns compile with LibreSSL 2.0 17 * drill now also accepts dig style -y option 18 (-y <[algo:]name:key> i.s.o. -y <name:key[:algo]>) 19 * OPENPGPKEY draft rr types. Enable with: --enable-rrtype-openpgpkey 20 * bugfix #608: Correct comment about escaped characters 21 * CDS and CDNSKEY rr type from RFC 7344. 22 --enable-rrtype-cds configure option removed 23 * fix: Memory leak in ldns_pkt_rr_list_by_name() 24 Thanks Johannes Naab 25 * fix: Memory leak in ldns_dname2buffer_wire_compress() 26 Thanks Max Liebkies 27 * bugfix #613: Allow tab as whitespace too in last rdata field of types 28 of variable length. Thanks Xiali Yan 29 * bugfix: strip trailing whitespace from $ORIGIN lines in zone files 30 * Let ldns-keygen output .ds files only for KSK keys 31 * Parse RFC7218 TLSA mnemonics, but do not output them 32 * Let ldns-dane use SPKI as the default selector i.s.o. Cert 33 * bugfix: Fit left over NSEC3s once more before adding empty non 34 terminals. Thanks Stuart Browne 35 * bugfix #605: Determine default trust anchor location at compile time 36 Thanks Peter Koch 37 * bugfix #697: Double free with ldns-dane create 38 Thanks Carsten Strotmann 39 * bugfix #623: Do not redefine bool type and boolean values 40 Thanks Jakob Petsovits 41 * bugfix #570: Add TLSA, CDS, CDNSKEY and OPENPGPKEY RR types to ldnsx 42 Thanks Shussain 43 * bugfix #575: ldns_pkt_clone() does not copy timestamp field 44 Thanks Calle Dybedahl 45 * bugfix #584: ldns-update fixes. Send update to port 53, bring manpage 46 in sync with the usage text, and don't alter the ldns_resolver passed 47 to ldns_update_soa_zone_mname(). Created a ldns_resolver_clone() 48 function in the process. Thanks Nicholas Riley. 49 * bugfix #633: ldns_pkt_clone() parameter isn't const. 50 Thanks Jakop Petsovits 51 * bugfix: ldns-dane manpage correction 52 Thanks Erwin Lansing 53 * Spelling fixes. Thanks Andreas Schulze 54 * Hyphen used as minus in manpages. Thanks Andreas Schulze. 55 * RFC7553 RR Type URI is supported by default. 56 * Fix ECDSA signature generation, do not omit leading zeroes. 57 * bugfix: Get rid of superfluous newline in ldns-keyfetcher 58 Thanks Jan-Piet Mens 59 * bugfix: -U option to ldns-signzone to sign with every algorithm 60 Thanks Guido Kroon 61 * const function parameters whenever possible. 62 Thanks Ray Bellis 63 * bugfix #725: allow RR-types on the type bitmap window border 64 Thanks Pieter Lexis 65 * bugfix #726: 2 typos in drill manpage. 66 Thanks Hugo Lombard 67 * Add type CSYNC support, RFC 7477. 68 * Prepare for ED25519, ED448 support: todo convert* routines in 69 dnssec.h, once openssl has support for signing with these algorithms. 70 The dns algorithm number is not yet allocated. These features are 71 not fully implemented yet, openssl (1.1) does not support the 72 algorithms enough to generate keys and sign and verify with them. 73 * Fix _answerfrom comment in ldns_struct_pkt. 74 * Fix drill axfr ipv4/ipv6 queries. 75 * Fix comment referring to mk_query in packet.h to pkt_query_new. 76 * Fix description of QR flag in packet.h. 77 * Fix for openssl 1.1.0 API changes. 78 * Remove commented out macro. Thanks Thiago Farina 79 * bugfix #641: Include install-sh in .gitignore 80 * bugfix #825: Module import breaks with newer SWIG versions. 81 Thanks Christoph Egger 82 * bugfix #796 - #792: Fix miscellaneous compiler warning issues. 83 Thanks Ngie Cooper 84 * bugfix #769: Add support for :: in an IPv6 address 85 Thanks Hajimu UMEMOTO 86 * bugfix #760: Detect superfluous text in presentation format 87 Thanks Xiali Yan 88 * bugfix #708: warnings and errors with xcode 6.1/7.0 89 * bugfix #754: Memory leak in ldns_str2rdf_ipseckey 90 Thanks Xiali Yan 91 * bugfix #661: Fail NSEC3 signing when NSEC domainname length 92 would overflow. Thanks Jan-Piet Mens. 93 * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys. 94 Thanks Harald Jenny 95 * bugfix #680: ldns fails to reject invalidly formatted 96 RFC 7553 URI RRs. Thanks Robert Edmonds 97 * bugfix #678: Use poll i.s.o. select to support > 1024 fds 98 Thanks William King 99 * Use OpenSSL DANE functions for verification (unless explicitly 100 disabled with --disable-dane-ta-usage). 101 * Bumb .so version 102 * Include OPENPGPKEY RR type by default 103 * rdata processing for SMIMEA RR type 104 * Fix crash in displaying TLSA RR's. 105 Thanks Andreas Schulze 106 * Update ldns-key2ds man page to mention GOST and SHA384 hash 107 functions. Thanks Harald Jenny 108 * Add sha384 and sha512 tsig algorithm. Thanks Michael Weiser 109 * Clarify data ownership with consts for tsig parameters. 110 Thanks Michael Weiser 111 * bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0 112 * bugfix #1160: Provide sha256 for release tarballs 113 * --enable-gost-anyway compiles GOST support with OpenSSL >= 1.1.0 114 even when the GOST engine is not available. 115 1161.6.17 2014-01-10 117 * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a 118 zone to be an NSEC3 (or its RRSIG) covering an empty non terminal. 119 * Add --disable-dane option to configure and check availability of the 120 for dane needed X509_check_ca function in openssl. 121 * bugfix #490: Get rid of type-punned pointer warnings. 122 Thanks Adam Tkac. 123 * Make sure executables are linked against libcrypto with the 124 LIBSSL_LDFLAGS. Thanks Leo Baltus. 125 * Miscellaneous prototype fixes. Thanks Dag-Erling Sm��rgrav. 126 * README now shows preferred way to configure for examples and drill. 127 * Bind to source address for resolvers. drill binds to source with -I. 128 Thanks Bryan Duff. 129 * -T option for ldns-dane that has specific exit status for PKIX 130 validated connections without (secure) TLSA records. 131 * Fix b{32,64}_{ntop,pton} detection and handling. 132 * New RR type TKEY, but without operational practice. 133 * New RR types HIP, NINFO, RKEY, CDS, EUI48, EUI64, URI, CAA and TA. 134 * New output format flag (and accompanying functions) to print certain 135 RR's as unknown type 136 * -u and -U parameter for ldns-read-zone to mark/unmark a RR type 137 for printing as unknown type 138 * bugfix #504: GPOS RR has three rdata fields. Thanks Jelte Jansen. 139 * bugfix #497: Properly test for EOF when reading key files with drill. 140 * New functions: ldns_pkt_ixfr_request_new and 141 ldns_pkt_ixfr_request_new_frm_str. 142 * Use SNI with ldns-dane 143 * bugfix #507: ldnsx Fix use of non-existent variables and not 144 properly referring to instance variable. Patch from shussain. 145 * bugfix #508: ldnsx Adding NSEC3PARAM to known/allowable RR type 146 dictionary. Patch from shussain. 147 * bugfix #517: ldns_resolver_new_frm_fp error when invoked using a NULL 148 file pointer. 149 * Fix memory leak in contrib/python: ldns_pkt.new_query. 150 * Fix buffer overflow in fget_token and bget_token. 151 * ldns-verify-zone NSEC3 checking from quadratic to linear performance. 152 Thanks NIC MX (nicmexico.mx) 153 * ldns-dane setup new ssl session for each new connect to prevent hangs 154 * bugfix #521: drill trace continue on empty non-terminals with NSEC3 155 * bugfix #525: Fix documentation of ldns_resolver_set_retry 156 * Remove unused LDNS_RDF_TYPE_TSIG and associated functions. 157 * Fix ldns_nsec_covers_name for zones with an apex only. Thanks Miek. 158 * Configure option to build perl bindings: --with-p5-dns-ldns 159 (DNS::LDNS is a contribution from Erik Ostlyngen) 160 * bugfix #527: Move -lssl before -lcrypto when linking 161 * Optimize TSIG digest function name comparison (Thanks Marc Buijsman) 162 * Compare names case insensitive with ldns_pkt_rr_list_by_name and 163 ldns_pkt_rr_list_by_name_and_type (thanks Johannes Naab) 164 * A separate --enable for each draft RR type: --enable-rrtype-ninfo, 165 --enable-rrtype-rkey, --enable-rrtype-cds, --enable-rrtype-uri and 166 --enable-rrtype-ta 167 * bugfix #530: Don't sign and verify duplicate RRs (Thanks Jelte Jansen) 168 * bugfix #505: Manpage and usage output fixes (Thanks Tomas Hozza) 169 * Adjust ldns_sha1() so that the input data is not modified (Thanks 170 Marc Buijsman) 171 * Messages to stderr are now off by default and can be reenabled with 172 the --enable-stderr-msgs configure option. 173 1741.6.16 2012-11-13 175 * Fix Makefile to build pyldns with BSD make 176 * Fix typo in exporting b32_* symbols to make pyldns load again 177 * Allow leaving the RR owner name empty in ldns-testns datafiles. 178 * Fix fail to create NSEC3 bitmap for empty non-terminal (bug 179 introduced in 1.6.14). 180 1811.6.15 2012-10-25 182 * Remove LDNS_STATUS_EXISTS_ERR from ldns/error.h to make ldns 183 binary compatible with earlier releases again. 184 1851.6.14 2012-10-23 186 * DANE support (RFC6698), including ldns-dane example tool. 187 * Configurable default CA certificate repository for ldns-dane with 188 --with-ca-file=CAFILE and --with-ca-path=CAPATH 189 * Configurable default trust anchor with --with-trust-anchor=FILE 190 for drill, ldns-verify-zone and ldns-dane 191 * bugfix #474: Define socklen_t when undefined (like in Win32) 192 * bugfix #473: Dead code removal and resource leak fix in drill 193 * bugfix #471: Let ldns_resolver_push_dnssec_anchor accept DS RR's too. 194 * Various bugfixes from code reviews from CZ.NIC and Paul Wouters 195 * ldns-notify TSIG option argument checking 196 * Let ldns_resolver_nameservers_randomize keep nameservers and rtt's 197 in sync. 198 * Let ldns_pkt_push_rr now return false on (memory) errors. 199 * Make buffer_export comply to documentation and fix buffer2str 200 * Various improvements and fixes of pyldns from Katel Slany 201 now documented in their own Changelog. 202 * bugfix: Make ldns_resolver_pop_nameserver clear the array when 203 there was only one. 204 * bugfix #459: Remove ldns_symbols and export symbols based on regex 205 * bugfix #458: Track all newly created signatures when signing. 206 * bugfix #454: Only set -g and -O2 CFLAGS when no CFLAGS was given. 207 * bugfix #457: Memory leak fix for ldns_key_new_frm_algorithm. 208 * pyldns memory handling fixes and the python3/ldns-signzone.py 209 examples script contribution from Karel Slany. 210 * bugfix #450: Base # bytes for P, G and Y (T) on the guaranteed 211 to be bigger (or equal) P in ldns_key_dsa2bin. 212 * bugfix #449: Deep free cloned rdf's in ldns_tsig_mac_new. 213 * bugfix #448: Copy nameserver value (in stead of reference) of the 214 answering nameserver to the answer packet in ldns_send_buffer, so 215 the original value may be deep freed with the ldns_resolver struct. 216 * New -0 option for ldns-read-zone to replace inception, expiration 217 and signature rdata fields with (null). Thanks Paul Wouters. 218 * New -p option for ldns-read-zone to prepend-pad SOA serial to take 219 up ten characters. 220 * Return error if printing RR fails due to unknown/null RDATA. 221 2221.6.13 2012-05-21 223 * New -S option for ldns-verify-zone to chase signatures online. 224 * New -k option for ldns-verify-zone to validate using a trusted key. 225 * New inception and expiration margin options (-i and -e) to 226 ldns-verify-zone. 227 * New ldns_dnssec_zone_new_frm_fp and ldns_dnssec_zone_new_frm_fp_l 228 functions. 229 * New ldns_duration* functions (copied from OpenDNSSEC source) 230 * fix ldns-verify-zone to allow NSEC3 signatures to come before 231 the NSEC3 RR in all cases. Thanks Wolfgang Nagele. 232 * Zero the correct flag (opt-out) when creating NSEC3PARAMS. 233 Thanks Peter van Dijk. 234 * Canonicalize RRSIG's Signer's name too when validating, because 235 bind and unbound do that too. Thanks Peter van Dijk. 236 * bugfix #433: Allocate rdf using ldns_rdf_new in ldns_dname_label 237 * bugfix #432: Use LDNS_MALLOC & LDNS_FREE i.s.o. malloc & free 238 * bugfix #431: Added error message for LDNS_STATUS_INVALID_B32_EXT 239 * bugfix #427: Explicitely link ssl with the programs that use it. 240 * Fix reading \DDD: Error on values that are outside range (>255). 241 * bugfix #429: fix doxyparse.pl fails on NetBSD because specified 242 path to perl. 243 * New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl. 244 * fix verifying denial of existence for DS's in NSEC3 Opt-Out zones. 245 Thanks John Barnitz 246 2471.6.12 2012-01-11 248 * bugfix #413: Fix manpage source for srcdir != builddir 249 * Canonicalize the signers name rdata field in RRSIGs when signing 250 * Ignore minor version of Private-key-format (so v1.3 may be used) 251 * Allow a check_time to be given in stead of always checking against 252 the current time. With ldns-verify-zone the check_time can be set 253 with the -t option. 254 * Added functions for updating and manipulating SOA serial numbers. 255 ldns-read-zone has an option -S for updating and manipulating the 256 serial numbers. 257 * The library Makefile is now GNU and BSD make compatible. 258 * bugfix #419: NSEC3 validation of a name covered by a wildcard with 259 no data. 260 * Two new options (--with-drill and --with-examples) to the main 261 configure script (in the root of the source tree) to build drill 262 and examples too. 263 * Fix days_since_epoch to year_yday calculation on 32bits systems. 264 2651.6.11 2011-09-29 266 * bugfix #394: Fix socket leak on errors 267 * bugfix #392: Apex only and percentage checks for ldns-verify-zone 268 (thanks Miek Gieben) 269 * bugfix #398: Allow NSEC RRSIGs before the NSEC3 in ldns-verify-zone 270 * Fix python site package path from sitelib to sitearch for pyldns. 271 * Fix python api to support python2 and python3 (thanks Karel Slany). 272 * bugfix #401: Correction of date/time functions algorithm and 273 prevention of an infinite loop therein 274 * bugfix #402: Correct the minimum and maximum number of rdata fields 275 in TSIG. (thanks David Keeler) 276 * bugfix #403: Fix heap overflow (thanks David Keeler) 277 * bugfix #404: Make parsing APL strings more robust 278 (thanks David Keeler) 279 * bugfix #391: Complete library assessment to prevent assertion errors 280 through ldns_rdf_size usage. 281 * Slightly more specific error messaging on wrong number of rdata 282 fields with the LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG and 283 LDNS_STATUS_MISSING_RDATA_FIELDS_KEY result codes. 284 * bugfix #406: More rigorous openssl result code handling to prevent 285 future crashes within openssl. 286 * Fix ldns_fetch_valid_domain_keys to search deeper than just one level 287 for a DNSKEY that signed a DS RR. (this function was used in the 288 check_dnssec_trace nagios module) 289 * bugfix #407: Canonicalize TSIG dnames and algorithm fields 290 * A new output specifier to accommodate configuration of what to show 291 in comment texts when converting host and/or wire-format data to 292 string. All conversion to string and printing functions have a new 293 version that have such a format specifier as an extra argument. 294 The default is changed so that only DNSKEY RR's are annotated with 295 an comment show the Key Tag of the DNSKEY. 296 * Fixed the ldns resolver to not mark a nameserver unreachable when 297 edns0 is tried unsuccessfully with size 4096 (no return packet came), 298 but to still try TCP. A big UDP packet might have been corrupted by 299 fragments dropping firewalls. 300 * Update of libdns.vim (thanks Miek Gieben) 301 * Added the ldnsx Python module to our contrib section, which adds even 302 more pythonisticism to the usage of ldns with Python. (Many thanks 303 to Christpher Olah and Paul Wouters) 304 The ldnsx module is automatically installed when --with-pyldns is 305 used with configuring, but may explicitly be excluded with the 306 --without-pyldnsx option to configure. 307 * bugfix #410: Fix clearing out temporary data on stack in sha2.c 308 * bugfix #411: Don't let empty non-terminal NSEC3s cause assertion failure. 309 3101.6.10 2011-05-31 311 * New example tool added: ldns-gen-zone. 312 * bugfix #359: Serial-arithmetic for the inception and expiration 313 fields of a RRSIG and correctly converting them to broken-out time 314 information. 315 * bugfix #364: Slight performance increase of ldns-verifyzone. 316 * bugfix #367: Fix to allow glue records with the same name as the 317 delegation. 318 * Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and* 319 glue when the zone is opt-out. 320 * bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations, 321 ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too. 322 * pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit 323 performance) 324 * Better handling of reference variables in ldns_rr_new_frm_fp_l from 325 pyldns, with a very nice generator function by Bedrich Kosata. 326 * Decoupling of the rdfs in rrs in the python wrappers to enable 327 the python garbage collector by Bedrich Kosata. 328 * bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at 329 build time and when used. 330 * bugfix #383: Fix detection of empty nonterminals of multiple labels. 331 * Fixed the ommission of rrsets in nsec(3)s and rrsigs to all occluded 332 names (in stead of just the ones that contain glue only) and all 333 occluded records on the delegation points (in stead of just the glue). 334 * Clarify the operation of ldns_dnssec_mark_glue and the usage of 335 ldns_dnssec_node_next_nonglue functions in the documentation. 336 * Added function ldns_dnssec_mark_and_get_glue as an real fast 337 alternative for ldns_zone_glue_rr_list. 338 * Fix parse buffer overflow for max length domain names. 339 * Fix Makefile for U in environment, since wrong U is more common than 340 deansification necessity. 341 3421.6.9 2011-03-16 343 * Fix creating NSEC(3) bitmaps: make array size 65536, 344 don't add doubles. 345 * Fix printout of escaped binary in TXT records. 346 * Parsing TXT records: don't skip starting whitespace that is quoted. 347 * bugfix #358: Check if memory was successfully allocated in 348 ldns_rdf2str(). 349 * Added more memory allocation checks in host2str.c 350 * python wrapper for ldns_fetch_valid_domain_keys by Bedrich Kosata. 351 * fix to compile python wrapper with swig 2.0.2. 352 * Don't fallback to SHA-1 when creating NSEC3 hash with another 353 algorithm identifier, fail instead (no other algorithm identifiers 354 are assigned yet). 355 3561.6.8 2011-01-24 357 * Fix ldns zone, so that $TTL definition match RFC 2308. 358 * Fix lots of missing checks on allocation failures and parse of 359 NSEC with many types and max parse length in hosts_frm_fp routine 360 and off by one in read_anchor_file routine (thanks Dan Kaminsky and 361 Justin Ferguson). 362 * bugfix #335: Drill: Print both SHA-1 and SHA-256 corresponding DS 363 records. 364 * Print correct WHEN in query packet (is not always 1-1-1970) 365 * ldns-test-edns: new example tool that detects EDNS support. 366 * fix ldns_resolver_send without openssl. 367 * bugfix #342: patch for support for more CERT key types (RFC4398). 368 * bugfix #351: fix udp_send hang if UDP checksum error. 369 * fix set_bit (from NSEC3 sign) patch from Jan Komissar. 370 3711.6.7 2010-11-08 372 * EXPERIMENTAL ecdsa implementation, please do not enable on real 373 servers. 374 * GOST code enabled by default (RFC 5933). 375 * bugfix #326: ignore whitespace between directives and their values. 376 * Header comment to advertise ldns_axfr_complete to check for 377 successfully completed zone transfers. 378 * read resolv.conf skips interface labels, e.g. %eth0. 379 * Fix drill verify NSEC3 denials. 380 * Use closesocket() on windows. 381 * Add ldns_get_signing_algorithm_by_name that understand aliases, 382 names changed to RFC names and aliases for compatibility added. 383 * bugfix: don't print final dot if the domain is relative. 384 * bugfix: resolver search continue when packet rcode != NOERROR. 385 * bugfix: resolver push all domains in search directive to list. 386 * bugfix: resolver search by default includes the root domain. 387 * bugfix: tcp read could fail on single octet recv. 388 * bugfix: read of RR in unknown syntax with missing fields. 389 * added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next() 390 to sign and verify TSIG RRs on subsequent messages 391 (section 4.4, RFC 2845, thanks to Michael Sheldon). 392 * bugfix: signer sigs nsecs with zsks only. 393 * bugfix #333: fix ldns_dname_absolute for name ending with backslash. 394 3951.6.6 2010-08-09 396 * Fix ldns_rr_clone to copy question rrs properly. 397 * Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone. 398 * Fix ldns_wire2dname size check from reading 1 byte beyond buffer end. 399 * Fix ldns_wire2dname from reading 1 byte beyond end for pointer. 400 * Fix crash using GOST for particular platform configurations. 401 * extern C declarations used in the header file. 402 * Removed debug fprintf from resolver.c. 403 * ldns-signzone checks if public key file is for the right zone. 404 * NETLDNS, .NET port of ldns functionality, by Alex Nicoll, in contrib. 405 * Fix handling of comments in resolv.conf parse. 406 * GOST code enabled if SSL recent, RFC 5933. 407 * bugfix #317: segfault util.c ldns_init_random() fixed. 408 * Fix ldns_tsig_mac_new: allocate enough memory for the hash, fix use of 409 b64_pton_calculate_size. 410 * Fix ldns_dname_cat: size calculation and handling of realloc(). 411 * Fix ldns_rr_pop_rdf: fix handling of realloc(). 412 * Fix ldns-signzone for single type key scheme: sign whole zone if there 413 are only KSKs. 414 * Fix ldns_resolver: also close socket if AXFR failed (if you don't, 415 it would block subsequent transfers (thanks Roland van Rijswijk). 416 * Fix drill: allow for a secure trace if you use DS records as trust 417 anchors (thanks Jan Komissar). 418 4191.6.5 2010-06-15 420 * Catch \X where X is a digit as an error. 421 * Fix segfault when ip6 ldns resolver only has ip4 servers. 422 * Fix NSEC record after DNSKEY at zone apex not properly signed. 423 * Fix syntax error if last label too long and no dot at end of domain. 424 * Fix parse of \# syntax with space for type LOC. 425 * Fix ldns_dname_absolute for escape sequences, fixes some parse errs. 426 * bugfix #297: linking ssl, bug due to patch submitted as #296. 427 * bugfix #299: added missing declarations to host2str.h 428 * ldns-compare-zones -s to not exclude SOA record from comparison. 429 * --disable-rpath fix 430 * fix ldns_pkt_empty(), reported by Alex Nicoll. 431 * fix ldns_resolver_new_frm_fp not ignore lines after a comment. 432 * python code for ldns_rr.new_question_frm_str() 433 * Fix ldns_dnssec_verify_denial: the signature selection routine. 434 * Type TALINK parsed (draft-ietf-dnsop-trust-history). 435 * bugfix #304: fixed dead loop in ldns_tcp_read_wire() and 436 ldns_tcp_read_wire_timeout(). 437 * GOST support with correct algorithm numbers. The plan is to make it 438 enabled if openssl support is detected, but it is disabled by 439 default in this release because the RFC is not ready. 440 * Fixed comment in rbtree.h about being first member and data ptr. 441 * Fixed possibly leak in case of out of memory in ldns_native2rdf... 442 * ldns_dname_is_wildcard added. 443 * Fixed: signatures over wildcards had the wrong labelcount. 444 * Fixed ldns_verify() inconsistent return values. 445 * Fixed ldns_resolver to copy and free tsig name, data and algorithm. 446 * Fixed ldns_resolver to push search onto searchlist. 447 * A ldns resolver now defaults to a non-recursive resolver that handles 448 the TC bit. 449 * ldns_resolver_print() prints more details. 450 * Fixed ldns_rdf2buffer_str_time(), which did not print timestamps 451 on 64bit systems. 452 * Make ldns_resolver_nameservers_randomize() more random. 453 * bugfix #310: POSIX specifies NULL second argument of gettimeofday. 454 * fix compiler warnings from llvm clang compiler. 455 * bugfix #309: ldns_pkt_clone did not clone the tsig_rr. 456 * Fix gentoo ebuild for drill, 'no m4 directory'. 457 * bugfix #313: drill trace on an empty nonterminal continuation. 458 4591.6.4 2010-01-20 460 * Imported pyldns contribution by Zdenek Vasicek and Karel Slany. 461 Changed its configure and Makefile to fit into ldns. 462 Added its dname_* methods to the rdf_* class (as is the ldns API). 463 Changed swig destroy of ldns_buffer class to ldns_buffer_free. 464 Declared ldns_pkt_all and ldns_pkt_all_noquestion so swig sees them. 465 * Bugfix: parse PTR target of .tomhendrikx.nl with error not crash. 466 * Bugfix: handle escaped characters in TXT rdata. 467 * bug292: no longer crash on malformed domain names where a label is 468 on position 255, which was a buffer overflow by one. 469 * Fix ldns_get_rr_list_hosts_frm_fp_l (strncpy to strlcpy change), 470 which fixes resolv.conf reading badly terminated string buffers. 471 * Fix ldns_pkt_set_random_id to be more random, and a little faster, 472 it did not do value 0 statistically correctly. 473 * Fix ldns_rdf2native_sockaddr_storage to set sockaddr type to zeroes, 474 for portability. 475 * bug295: nsec3-hash routine no longer case sensitive. 476 * bug298: drill failed nsec3 denial of existence proof. 477 4781.6.3 2009-12-04 479 * Bugfix: allow for unknown resource records in zonefile with rdlen=0. 480 * Bugfix: also mark an RR as question if it comes from the wire 481 * Bugfix: NSEC3 bitmap contained NSEC 482 * Bugfix: Inherit class when creating signatures 483 4841.6.2 2009-11-12 485 * Fix Makefile patch from Havard Eidnes, better install.sh usage. 486 * Fix parse error on SOA serial of 2910532839. 487 Fix print of ';' and readback of '\;' in names, also for '\\'. 488 Fix parse of '\(' and '\)' in names. Also for file read. Also '\.' 489 * Fix signature creation when TTLs are different for RRs in RRset. 490 * bug273: fix so EDNS rdata is included in pkt to wire conversion. 491 * bug274: fix use of c++ keyword 'class' for RR class in the code. 492 * bug275: fix memory leak of packet edns rdata. 493 * Fix timeout procedure for TCP and AXFR on Solaris. 494 * Fix occasional NSEC bitmap bogus 495 * Fix rr comparing (was in reversed order since 1.6.0) 496 * bug278: fix parsing HINFO rdata (and other cases). 497 * Fix previous owner name: also pick up if owner name is @. 498 * RFC5702: enabled sha2 functions by default. This requires OpenSSL 0.9.8 or higher. 499 Reason for this default is the root to be signed with RSASHA256. 500 * Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines 501 * Fix: Make ldns_dname_is_subdomain case insensitive. 502 * Fix ldns-verify-zone so that address records at zone NS set are not considered glue 503 (Or glue records fall below delegation) 504 * Fix LOC RR altitude printing. 505 * Feature: Added period (e.g. '3m6d') support at explicit TTLs. 506 * Feature: DNSKEY rrset by default signed with minimal signatures 507 but -A option for ldns-signzone to sign it with all keys. 508 This makes the DNSKEY responses smaller for signed domains. 509 5101.6.1 2009-09-14 511 * --enable-gost : use the GOST algorithm (experimental). 512 * Added some missing options to drill manpage 513 * Some fixes to --without-ssl option 514 * Fixed quote parsing withing strings 515 * Bitmask fix in EDNS handling 516 * Fixed non-fqdn domain name completion for rdata field domain 517 names of length 1 518 * Fixed chain validation with SHA256 DS records 519 5201.6.0 521 Additions: 522 * Addition of an ldns-config script which gives cflags and libs 523 values, for use in configure scripts for applications that use 524 use ldns. Can be disabled with ./configure --disable-ldns-config 525 * Added direct sha1, sha256, and sha512 support in ldns. 526 With these functions, all NSEC3 functionality can still be 527 used, even if ldns is built without OpenSSL. Thanks to OpenBSD, 528 Steve Reid, and Aaron D. Gifford for the code. 529 * Added reading/writing support for the SPF Resource Record 530 * Base32 functions are now exported 531 Bugfixes: 532 * ldns_is_rrset did not go through the complete rrset, but 533 only compared the first two records. Thanks to Olafur 534 Gudmundsson for report and patch 535 * Fixed a small memory bug in ldns_rr_list_subtype_by_rdf(), 536 thanks to Marius Rieder for finding an patching this. 537 * --without-ssl should now work. Make sure that examples/ and 538 drill also get the --without-ssl flag on their configure, if 539 this is used. 540 * Some malloc() return value checks have been added 541 * NSEC3 creation has been improved wrt to empty nonterminals, 542 and opt-out. 543 * Fixed a bug in the parser when reading large NSEC3 salt 544 values. 545 * Made the allowed length for domain names on wire 546 and presentation format the same. 547 Example tools: 548 * ldns-key2ds can now also generate DS records for keys without 549 the SEP flag 550 * ldns-signzone now equalizes the TTL of the DNSKEY RRset (to 551 the first non-default DNSKEY TTL value it sees) 552 5531.5.1 554 Example tools: 555 * ldns-signzone was broken in 1.5.0 for multiple keys, this 556 has been repaired 557 558 Build system: 559 * Removed a small erroneous output warning in 560 examples/configure and drill/configure 561 5621.5.0 563 Bug fixes: 564 * fixed a possible memory overflow in the RR parser 565 * build flag fix for Sun Studio 566 * fixed a building race condition in the copying of header 567 files 568 * EDNS0 extended rcode; the correct assembled code number 569 is now printed (still in the EDNS0 field, though) 570 * ldns_pkt_rr no longer leaks memory (in fact, it no longer 571 copies anything all) 572 573 API addition: 574 * ldns_key now has support for 'external' data, in which 575 case the OpenSSL EVP structures are not used; 576 ldns_key_set_external_key() and ldns_key_external_key() 577 * added ldns_key_get_file_base_name() which creates a 578 'default' filename base string for key storage, of the 579 form "K<zone>+<algorithm>+<keytag>" 580 * the ldns_dnssec_* family of structures now have deep_free() 581 functions, which also free the ldns_rr's contained in them 582 * there is now an ldns_match_wildcard() function, which checks 583 whether a domain name matches a wildcard name 584 * ldns_sign_public has been split up; this resulted in the 585 addition of ldns_create_empty_rrsig() and 586 ldns_sign_public_buffer() 587 588 Examples: 589 * ldns-signzone can now automatically add DNSKEY records when 590 using an OpenSSL engine, as it already did when using key 591 files 592 * added new example tool: ldns-nsec3-hash 593 * ldns-dpa can now filter on specific query name and types 594 * ldnsd has fixes for the zone name, a fix for the return 595 value of recvfrom(), and an memory initialization fix 596 (Thanks to Colm MacC��rthaigh for the patch) 597 * Fixed memory leaks in ldnsd 598 599 600 6011.4.1 602 Bug fixes: 603 * fixed a build issue where ldns lib existence was done too early 604 * removed unnecessary check for pcap.h 605 * NSEC3 optout flag now correctly printed in string output 606 * inttypes.h moved to configured inclusion 607 * fixed NSEC3 type bitmaps for empty nonterminals and unsigned 608 delegations 609 610 API addition: 611 * for that last fix, we added a new function 612 ldns_dname_add_from() that can clone parts of a dname 613 6141.4.0 615 Bug fixes: 616 * sig chase return code fix (patch from Rafael Justo, bug id 189) 617 * rdata.c memory leaks on error and allocation checks fixed (patch 618 from Shane Kerr, bug id 188) 619 * zone.c memory leaks on error and allocation checks fixed (patch 620 from Shane Kerr, bug id 189) 621 * ldns-zplit output and error messages fixed (patch from Shane Kerr, 622 bug id 190) 623 * Fixed potential buffer overflow in ldns_str2rdf_dname 624 * Signing code no longer signs delegation NS rrsets 625 * Some minor configure/makefile updates 626 * Fixed a bug in the randomness initialization 627 * Fixed a bug in the reading of resolv.conf 628 * Fixed a bug concerning whitespace in zone data (with patch from Ondrej 629 Sury, bug 213) 630 * Fixed a small fallback problem in axfr client code 631 632 API CHANGES: 633 * added 2str convenience functions: 634 - ldns_rr_type2str 635 - ldns_rr_class2str 636 - ldns_rr_type2buffer_str 637 - ldns_rr_class2buffer_str 638 * buffer2str() is now called ldns_buffer2str 639 * base32 and base64 function names are now also prepended with ldns_ 640 * ldns_rr_new_frm_str() now returns an error on missing RDATA fields. 641 Since you cannot read QUESTION section RRs with this anymore, 642 there is now a function called ldns_rr_new_question_frm_str() 643 644 LIBRARY FEATURES: 645 * DS RRs string representation now add bubblebabble in a comment 646 (patch from Jakob Schlyter) 647 * DLV RR type added 648 * TCP fallback system has been improved 649 * HMAC-SHA256 TSIG support has been added. 650 * TTLS are now correcly set in NSEC(3) records when signing zones 651 652 EXAMPLE TOOLS: 653 * New example: ldns-revoke to revoke DNSKEYs according to RFC5011 654 * ldns-testpkts has been fixed and updated 655 * ldns-signzone now has the option to not add the DNSKEY 656 * ldns-signzone now has an (full zone only) opt-out option for 657 NSEC3 658 * ldns-keygen can create HMAC-SHA1 and HMAC-SHA256 symmetric keys 659 * ldns-walk output has been fixed 660 * ldns-compare-zones has been fixed, and now has an option 661 to show all differences (-a) 662 * ldns-read-zone now has an option to print DNSSEC records only 663 6641.3 665 Base library: 666 667 * Added a new family of functions based around ldns_dnssec_zone, 668 which is a new structure that keeps a zone sorted through an 669 rbtree and links signatures and NSEC(3) records directly to their 670 RRset. These functions all start with ldns_dnssec_ 671 672 * ldns_zone_sign and ldns_zone_sign_nsec3 are now deprecated, but 673 have been changed to internally use the new 674 ldns_dnssec_zone_sign(_nsec3) 675 676 * Moved some ldns_buffer functions inline, so a clean rebuild of 677 applications relying on those is needed (otherwise you'll get 678 linker errors) 679 * ldns_dname_label now returns one extra (zero) 680 byte, so it can be seen as an fqdn. 681 * NSEC3 type code update for signing algorithms. 682 * DSA key generation of DNSKEY RRs fixed (one byte too small). 683 684 * Added support for RSA/SHA256 and RSA/SHA512, as specified in 685 draft-ietf-dnsext-dnssec-rsasha256-04. The typecodes are not 686 final, and this feature is not enabled by default. It can be 687 enabled at compilation time with the flag --with-sha2 688 689 * Added 2wire_canonical family of functions that lowercase dnames 690 in rdata fields in resource records of the types in the list in 691 rfc3597 692 693 * Added base32 conversion functions. 694 695 * Fixed DSA RRSIG conversion when calling OpenSSL 696 697 Drill: 698 699 * Chase output is completely different, it shows, in ascii, the 700 relations in the trust hierarchy. 701 702 Examples: 703 * Added ldns-verify-zone, that can verify the internal DNSSEC records 704 of a signed BIND-style zone file 705 706 * ldns-keygen now takes an -a argument specifying the algorithm, 707 instead of -R or -D. -a list show a list of supported algorithms 708 709 * ldns-keygen now defaults to the exponent RSA_F4 instead of RSA_3 710 for RSA key generation 711 712 * ldns-signzone now has support for HSMs 713 * ldns-signzone uses the new ldns_dnssec_ structures and functions 714 which improves its speed, and output; RRSIGS are now placed 715 directly after their RRset, NSEC(3) records directly after the 716 name they handle 717 718 Contrib: 719 * new contrib/ dir with user contributions 720 * added compilation script for solaris (thanks to Jakob Schlyter) 721 72228 Nov 2007 1.2.2: 723 * Added support for HMAC-MD5 keys in generator 724 * Added a new example tool (written by Ondrej Sury): ldns-compare-zones 725 * ldns-keygen now checks key sizes for rfc conformancy 726 * ldns-signzone outputs SSL error if present 727 * Fixed manpages (thanks to Ondrej Sury) 728 * Fixed Makefile for -j <x> 729 * Fixed a $ORIGIN error when reading zones 730 * Fixed another off-by-one error 731 73203 Oct 2007 1.2.1: 733 * Fixed an offset error in rr comparison 734 * Fixed ldns-read-zone exit code 735 * Added check for availability of SHA256 hashing algorithm 736 * Fixed ldns-key2ds -2 argument 737 * Fixed $ORIGIN bug in .key files 738 * Output algorithms as an integer instead of their mnemonic 739 * Fixed a memory leak in dnssec code when SHA256 is not available 740 * Updated fedora .spec file 741 74211 Apr 2007 1.2.0: 743 * canonicalization of rdata in DNSSEC functions now adheres to the 744 rr type list in rfc3597, not rfc4035, which will be updated 745 (see http://www.ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00183.html) 746 * ldns-walk now support dnames with maximum label length 747 * ldnsd now takes an extra argument containing the address to listen on 748 * signing no longer signs every rrset with KSK's, but only the DNSKEY rrset 749 * ported to Solaris 10 750 * added ldns_send_buffer() function 751 * added ldns-testpkts fake packet server 752 * added ldns-notify to send NOTIFY packets 753 * ldns-dpa can now accurately calculate the number of matches per 754 second 755 * libtool is now used for compilation too (still gcc, but not directly) 756 * Bugfixes: 757 - TSIG signing buffer size 758 - resolv.conf reading (comments) 759 - dname comparison off by one error 760 - typo in keyfetchers output file name fixed (a . too much) 761 - fixed zone file parser when comments contain ( or ) 762 - fixed LOC RR type 763 - fixed CERT RR type 764 765 Drill: 766 * drill prints error on failed axfr. 767 * drill now accepts mangled packets with -f 768 * old -c option (use tcp) changed to -t 769 * -c option to specify alternative resolv.conf file added 770 * feedback of signature chase improved 771 * chaser now stops at root when no trusted keys are found 772 instead of looping forever trying to find the DS for . 773 * Fixed bugs: 774 - wildcard on multiple labels signature verification 775 - error in -f packet writing for malformed packets 776 - made KSK check more resilient 777 7787 Jul 2006: 1.1.0: ldns-team 779 * Added tutorials and an introduction to the documentation 780 * Added include/ and lib/ dirs so that you can compile against ldns 781 without installing ldns on your system 782 * Makefile updates 783 * Starting usage of assert throughout the library to catch illegal calls 784 * Solaris 9 testing was carried out. Ldns now compiles on that 785 platform; some gnuism were identified and fixed. 786 * The ldns_zone structure was stress tested. The current setup 787 (ie. just a list of rrs) can scale to zone file in order of 788 megabytes. Sorting such zone is still difficult. 789 * Reading multiline b64 encoded rdata works. 790 * OpenSSL was made optional, configure --without-ssl. 791 Ofcourse all dnssec/tsig related functions are disabled 792 * Building of examples and drill now happens with the same 793 defines as the building of ldns itself. 794 * Preliminary sha-256 support was added. Currently is your 795 OpenSSL supports it, it is supported in the DS creation. 796 * ldns_resolver_search was implemented 797 * Fixed a lot of bugs 798 799 Drill: 800 * -r was killed in favor of -o <header bit mnemonic> which 801 allows for a header bits setting (and maybe more in the 802 future) 803 * DNSSEC is never automaticaly set, even when you query 804 for DNSKEY/RRSIG or DS. 805 * Implement a crude RTT check, it now distinguishes between 806 reachable and unreachable. 807 * A form of secure tracing was added 808 * Secure Chasing has been improved 809 * -x does a reverse lookup for the given IP address 810 811 Examples: 812 * ldns-dpa was added to the examples - this is the Dns Packet 813 Analyzer tool. 814 * ldnsd - as very, very simple nameserver impl. 815 * ldns-zsplit - split zones for parrallel signing 816 * ldns-zcat - cat split zones back together 817 * ldns-keyfetcher - Fetches DNSKEY records with a few (non-strong, 818 non-DNSSEC) anti-spoofing techniques. 819 * ldns-walk - 'Walks' a DNSSEC signed zone 820 * Added an all-static target to the makefile so you can use examples 821 without installing the library 822 * When building in the source tree or in a direct subdirectory of 823 the build dir, configure does not need --with-ldns=../ anymore 824 825 Code: 826 * All networking code was moved to net.c 827 * rdata.c: added asserts to the rdf set/get functions 828 * const keyword was added to pointer arguments that 829 aren't changed 830 831 API: 832 Changed: 833 * renamed ldns/dns.h to ldns/ldns.h 834 * ldns_rr_new_frm_str() is extented with an extra variable which 835 in common use may be NULL. This trickles through to: 836 o ldns_rr_new_frm_fp 837 o ldns_rr_new_frm_fp_l 838 Which also get an extra variable 839 Also the function has been changed to return a status message. 840 The compiled RR is returned in the first argument. 841 * ldns_zone_new_frm_fp_l() and ldns_zone_new_frm_fp() are 842 changed to return a status msg. 843 * ldns_key_new_frm_fp is changed to return ldns_status and 844 the actual key list in the first argument 845 * ldns_rdata_new_frm_fp[_l]() are changed to return a status. 846 the rdf is return in the first argument 847 * ldns_resolver_new_frm_fp: same treatment: return status and 848 the new resolver in the first argument 849 * ldns_pkt_query_new_frm_str(): same: return status and the 850 packet in the first arg 851 * tsig.h: internal used functions are now static: 852 ldns_digest_name and ldns_tsig_mac_new 853 * ldns_key_rr2ds has an extra argument to specify the hash to 854 use. 855 * ldns_pkt_rcode() is renamed to ldns_pkt_get_rcode, ldns_pkt_rcode 856 is now the rcode type, like ldns_pkt_opcode 857 New: 858 * ldns_resolver_searchlist_count: return the searchlist counter 859 * ldns_zone_sort: Sort a zone 860 * ldns_bgsend(): background send, returns a socket. 861 * ldns_pkt_empty(): check is a packet is empty 862 * ldns_rr_list_pop_rr_list(): pop multiple rr's from another rr_list 863 * ldns_rr_list_push_rr_list(): push multiple rr's to an rr_list 864 * ldns_rr_list_compare(): compare 2 ldns_rr_lists 865 * ldns_pkt_push_rr_list: rr_list equiv for rr 866 * ldns_pkt_safe_push_rr_list: rr_list equiv for rr 867 Removed: 868 * ldns_resolver_bgsend(): was not used in 1.0.0 and is not used now 869 * ldns_udp_server_connect(): was faulty and isn't really part of 870 the core ldns idea any how. 871 * ldns_rr_list_insert_rr(): obsoleted, because not used. 872 * char *_when was removed from the ldns_pkt structure 873 87418 Oct 2005: 1.0.0: ldns-team 875 * Commited a patch from H��kan Olsson 876 * Added UPDATE support (Jakob Schlyter and H��kan Olsson) 877 * License change: ldns is now BSD licensed 878 * ldns now depends on SSL 879 * Networking code cleanup, added (some) server udp/tcp support 880 * A zone type is introduced. Currently this is a list 881 of RRs, so it will not scale well. 882 * [beta] Zonefile parsing was added 883 * [tools] Drill was added to ldns - see drill/ 884 * [tools] experimental signer was added 885 * [building] better check for ssl 886 * [building] major revision of build system 887 * [building] added rpm .spec in packaging/ (thanks to Paul Wouters) 888 * [building] A lot of cleanup in the build scripts (thanks to Jakob Schlyter 889 and Paul Wouters) 890 89128 Jul 2005: 0.70: ldns-team 892 * [func] ldns_pkt_get_section now returns copies from the rrlists 893 in the packet. This can be freed by the user program 894 * [code] added ldns_ prefixes to function from util.h 895 * [inst] removed documentation from default make install 896 * Usual fixes in documentation and code 897 89820 Jun 2005: 0.66: ldns-team 899 Rel. Focus: drill-pre2 uses some functions which are 900 not in 0.65 901 * dnssec_cd bit function was added 902 * Zone infrastructure was added 903 * Usual fixes in documentation and code 904 90513 Jun 2005: 0.65: ldns-team 906 * Repository is online at: 907 http://www.nlnetlabs.nl/ldns/svn/ 908 * Apply reference copying throuhgout ldns, except in 2 909 places in the ldns_resolver structure (._domain and 910 ._nameservers) 911 * Usual array of bugfixes 912 * Documentation added 913 * keygen.c added as an example for DNSSEC programming 914 91523 May 2005: 0.60: ldns-team 916 * Removed config.h from the header installed files 917 (you're not supposed to include that in a libary) 918 * Further tweaking 919 - DNSSEC signing/verification works 920 - Assorted bug fixes and tweaks (memory management) 921 922May 2005: 0.50: ldns-team 923 * First usable release 924 * Basic DNS functionality works 925 * DNSSEC validation works 926