3764. [bug] The dnssec-keygen/settime -S and -i options
(to set up a successor key and set the prepublication
interval) were missing from dnssec-keyfromlabel.
[RT #35394]
3730. [cleanup] Added "never" as a synonym for "none" when
configuring key event dates in the dnssec tools.
[RT #35277]
3729. [bug] dnssec-kegeyn could set the publication date
incorrectly when only the activation date was
specified on the command line. [RT #35278]
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
creating key files if there is a chance that the new
key ID will collide with an existing one after
either of the keys has been revoked. (To override
this in the case of dnssec-keyfromlabel, use the -y
option. dnssec-keygen will simply create a
different, noncolliding key, so an override is
not necessary.) [RT #20838]
to be specified in the label if there is a default
engine or the -E option has been used. Also, it
now uses default algorithms as dnssec-keygen does
(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
[RT #20371]
- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[rt20247]
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC can now store metadata indicating when
they are scheduled to be published, acttivated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816]
