4056. [bug] Fixed several small bugs in automatic trust anchor
management, including a memory leak and a possible
loss of key state information. [RT #38458]
3689. [bug] Fixed a bug causing an insecure delegation from one
static-stub zone to another to fail with a broken
trust chain. [RT #35081]
(cherry picked from commit 9b895f30f1)
3686. [func] "dnssec-signzone -Q" drops signatures from keys
that are still published but no longer active.
[RT #34990]
(cherry picked from commit 0bbe3273a2)
3528. [func] New "dnssec-coverage" command scans the timing
metadata for a set of DNSSEC keys and reports if a
lapse in signing coverage has been scheduled
inadvertently. (Note: This tool depends on python;
it will not be built or installed on systems that
do not have a python interpreter.) [RT #28098]
(cherry picked from commit 831f59eb43)
- check for NSEC3 in empty nodes when not due to optout delegations
- fixed typo in output ("Bad record NSEC record")
- incidentally fixed an error in signzone that caused an
incorrect warning about missing DNSKEYs when using -S
and -3 together
3473. [bug] dnssec-signzone/verify could incorrectly report
an error condition due to an empty node above an
opt-out delegation lacking an NSEC3. [RT #32072]
(cherry picked from commit 9a0dd99a75)
[RT #31951]
Squashed commit of the following:
commit 7369da0369e1de1fe6c5b5f84df8848b9a0984eb
Author: Mark Andrews <marka@isc.org>
Date: Fri Nov 23 17:24:04 2012 +1100
dupped/created reversed in log message
commit 0cef5faaf3ac22b00ed0f95b6bb7a146cf4cac15
Author: Mark Andrews <marka@isc.org>
Date: Fri Nov 23 13:40:14 2012 +1100
remove space from DS hash
[RT #31916]
Squashed commit of the following:
commit f47af0ca6793687b9c8d08fd44b0c091ba5a4f9a
Author: Mark Andrews <marka@isc.org>
Date: Wed Nov 21 17:45:21 2012 +1100
dns_dns_zonediff_t -> dns_zonediff_t, clarify comment
commit 344edefc3ee90856a7ff990abe7971925ba843b2
Author: Mark Andrews <marka@isc.org>
Date: Tue Nov 20 13:12:26 2012 +1100
commit the zone changes if a keep was marked as being offline
commit cad2c2446ebfc20b6d8c4f6dd0d6596d7106cc0f
Author: Mark Andrews <marka@isc.org>
Date: Tue Nov 20 13:08:29 2012 +1100
check for looping when re-signing expiring.example
3404. [bug] dnssec-signzone: When re-signing a zone, remove
RRSIG and NSEC records from nodes that used to be
in-zone but are now below a zone cut. [RT #31556]
(cherry picked from commit 4b3d727d96)
3329. [bug] Handle RRSIG signer-name case consistently: We
generate RRSIG records with the signer-name in
lower case. We accept them with any case, but if
they fail to validate, we try again in lower case.
[RT #27451]
