[Opendnssec-announce] OpenDNSSEC 1.3.7

Rickard Bellgrim rickard at opendnssec.org
Tue Mar 13 14:12:15 UTC 2012


Hi

Version 1.3.7 of OpenDNSSEC has now been released.

* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
even if it is corrupted, preventing unnecessary serial decrementals.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
the daemon will start after a power failure.

Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the
locators in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem with pid found when not existing.
* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return
RSA key material with leading zeroes. DNSSEC does not allow leading
zeroes in key data. You are affected by this bug if your DNSKEY RDATA
e.g. begins with "BAABA". Normal keys begin with e.g. "AwEAA".
OpenDNSSEC will now sanitize incoming data before adding it to the
DNSKEY. Do not upgrade to this version if you are affected by the bug.
You first need to go unsigned, then do the upgrade, and finally sign
your zone again. SoftHSM and other HSMs will not produce data with
leading zeroes and the bug will thus not affect you.

Download the tarball from:
http://www.opendnssec.org/files/source/opendnssec-1.3.7.tar.gz

// OpenDNSSEC team
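
The SUPPORT-21 check described above, as an added example that is not part of the original announcement and is not OpenDNSSEC's own code: it parses the public key field of an RSA DNSKEY (RFC 3110 layout), reports which fields carry leading zero bytes, and re-encodes the key without them. The function names and the sample modulus are assumptions made for this illustration; the sample is constructed and is not a real key.

```python
import base64

def parse_rsa_key(pubkey_b64):
    """Split the public key field of an RSA DNSKEY (RFC 3110 layout)
    into (exponent, modulus) byte strings."""
    raw = base64.b64decode(pubkey_b64)
    if len(raw) < 3:
        raise ValueError("key field too short")
    if raw[0]:                        # one-octet exponent length (1..255)
        exp_len, off = raw[0], 1
    else:                             # 0x00 followed by a two-octet length
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[off:off + exp_len], raw[off + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key field")
    return exponent, modulus

def encode_rsa_key(exponent, modulus):
    """Inverse of parse_rsa_key: length prefix, exponent, modulus, base64."""
    n = len(exponent)
    prefix = bytes([n]) if n < 256 else b"\x00" + n.to_bytes(2, "big")
    return base64.b64encode(prefix + exponent + modulus).decode("ascii")

def leading_zero_fields(pubkey_b64):
    """Names of the fields that start with a zero byte, which DNSSEC forbids."""
    exponent, modulus = parse_rsa_key(pubkey_b64)
    fields = (("exponent", exponent), ("modulus", modulus))
    return [name for name, value in fields if value[:1] == b"\x00"]

def sanitize(pubkey_b64):
    """Re-encode the key with leading zero bytes stripped from both fields."""
    exponent, modulus = parse_rsa_key(pubkey_b64)
    exponent, modulus = exponent.lstrip(b"\x00"), modulus.lstrip(b"\x00")
    if not exponent or not modulus:
        raise ValueError("field is all zero bytes")
    return encode_rsa_key(exponent, modulus)

# Constructed sample: exponent 65537 padded with one zero byte, as an
# affected HSM might return it, plus a made-up 64-byte modulus.
SAMPLE_MODULUS = bytes([0xC3]) + bytes(range(1, 64))
AFFECTED = encode_rsa_key(b"\x00\x01\x00\x01", SAMPLE_MODULUS)

if __name__ == "__main__":
    print(AFFECTED[:5], leading_zero_fields(AFFECTED))   # affected encoding
    fixed = sanitize(AFFECTED)
    print(fixed[:5], leading_zero_fields(fixed))         # sanitized encoding
```

The affected and sanitized strings encode the same exponent and modulus but differ byte for byte, so the DNSKEY RDATA changes when the key is sanitized.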


