4798. [func] Keys specified in "managed-keys" statements
are tagged as "initializing" until they have been
updated by a key refresh query. If initialization
fails it will be visible from "rndc secroots".
[RT #46267]
This reverts commit 560d8b833e.
This change created a potential race between key refresh queries and
root zone priming queries which could leave the root name servers in
the bad-server cache.
4773. [bug] Keys specified in "managed-keys" statements
can now only be used when validating key refresh
queries during initialization of RFC 5011 key
maintenance. If initialization fails, DNSSEC
validation of normal queries will also fail.
Previously, validation of normal queries could
succeed using the initializing key, potentially
masking problems with managed-keys. [RT #46077]
4750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key
maintenance and deletes the managed-keys database.
If followed by "rndc reconfig" or a server restart,
key maintenance is reinitialized from scratch.
This is primarily intended for testing. [RT #32456]
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
the signing algorithm must be specified on
the command line with the "-a" option. Signing
scripts that rely on the existing default behavior
will break; use "dnssec-keygen -a RSASHA1" to
repair them. (The goal of this change is to make
it easier to find scripts using RSASHA1 so they
can be changed in the event of that algorithm
being deprecated in the future.) [RT #44755]
4642. [cleanup] Add more logging of RFC 5011 events affecting the
status of managed keys: newly observed keys,
deletion of revoked keys, etc. [RT #45354]
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
4056. [bug] Expanded automatic testing of trust anchor
management and fixed several small bugs including
a memory leak and a possible loss of key state
information. [RT #38458]
4055. [func] "rndc managed-keys" can be used to check status
of trust anchors or to force keys to be refreshed,
Also, the managed keys data file has easier-to-read
comments. [RT #38458]
