Issues reported fixed by upstream (same as 2.1.9):
- OPENDNSSEC-955: Prevent concurrency between certain valid
PKCS#11 HSM operations to avoid some keys to be (transiently)
unavailable.
- OPENDNSSEC-956: Harden signing procedure to still sign zones
for which there are unused keys specified in the zone which are
unavailable.
Issues newly reported fixed:
- OPENDNSSEC-957: Fix exit code signer daemon to not always report
failure.
- OPENDNSSEC-958: Fix immediate resalting after migration from 1.4.
- OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration
count that is deemed too high.
- SUPPORT-265: Resolve conflict when deleting keys from HSM whilst
also performing step in key roll process. Typically a message
“key_data_update failed” is present in logs.
Issues solved:
- OPENDNSSEC-955: Prevent concurrency between certain valid
PKCS#11 HSM operations to avoid some keys
to be (transiently) unavailable.
- OPENDNSSEC-956: Harden signing procedure to still sign zones
for which there are unused keys specified in
the zone which are unavailable.
Known issue:
- OPENDNSSEC-957: Signer daemon stops with failure exit code
even when no error occured.
- OPENDNSSEC-949: Fix for migration bug not keeping proper parameters
of NSEC3 signed zones. Amongst others the zone become NSEC. Loading
the policies fixes the situation, migration scripts now corrected. Since
1.4 does not require a salt, a resalt might be automatic after
migrating, as this is a required parameter.
- OPENDNSSEC-948: do not recreate signatures for keys that are moving
out this fixes unexpected double signatures in the zone.
- SUPPORT-253: Incorrect keytag used when using Combined Signing keys
(CSK) (Thanks to Simon Arlott)
- SUPPORT-257: Export keys by locator (Thansk to Simon Arlott)
- SUPPORT-222: Support ED25519/ED448 keys. This requires library ldns
1.7.0 or better, otherwise unavailable. (Thanks again to Simon
Arlott)
- Load libsqlite3.so.0 and fall back on libsqlite3.so.0 to allow to run
migration tool on systems without libsqlite3.so.0 soft link. (Thanks
to Paul Wouters)
- Some compilation warnings, o.a. gcc10 related, code quality and
initialization improvements. (Thanks to Jonas Berlin, and Mathieu
MirMont, and Paul Wouters)
- Update to 1.4.14 as first steop to migrating to 2.x
- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license
- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
- Change the default ZSK policy from 1024 to 2048 bit RSA keys
- Fix post to be quiet when upgrading opendnssec
- Updated to 1.4.3i (rhel#1048449) - minor bugfixes, minor feature enhancements
- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file
- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
- Change RRSIG inception offset to -2h to avoid possible
daylight saving issues on resolvers
- Patch to prevent removal of occluded data
