- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[rt20247]
- sync_keyzone() could leak ISC_R_NOMORE, causing zone_postload() to think
it had failed
- journal roll-forward on key zones complained about having the wrong
number of SOA records
- dns_soa_buildrdata() could return a pointer to memory allocated on the
stack
- define BIND9 in config.h.win32
- fix problems in mem.h caused by the win32 preprocessor failing to
expand macros used within macros
- silence a win32 compiler warning in hip_55.c
- dnssec-keygen and dnssec-settime can now set key
metadata fields 0 (to unset a value, use "none")
- dnssec-revoke sets the revocation date in
addition to the revoke bit
- dnssec-settime can now print individual metadata
fields instead of always printing all of them,
and can print them in unix epoch time format for
use by scripts
[RT #19942]
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC can now store metadata indicating when
they are scheduled to be published, acttivated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816]
maintenance. The new "managed-keys" statement can
be used in place of "trusted-keys" for zones which
support this protocol. (Note: this syntax is
expected to change prior to 9.7.0 final.) [RT #19248]
dnssec-keygen. Without arguments, it will now
generate a 1024-bit RSASHA1 zone-signing key,
or with the -f KSK option, a 2048-bit RSASHA1
key-signing key. [RT #19300]
2611. [func] Add -l option to dnssec-dsfromkey to generate
DLV records instead of DS records. [RT #19300]
