[Opendnssec-user] ldns 1.6.16 released

Sara Dickinson sara at sinodun.com
Wed Nov 14 11:39:52 UTC 2012 

All, 

As a follow up to this please note that version 1.3.11 (and later) of OpenDNSSEC is configured not to support version 1.6.14 or 1.6.15 of ldns.

Sara.


On 13 Nov 2012, at 11:17, Willem Toorop wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dear maintainers, ldns users and OpenDNSSEC users,
> 
> We have found an issue in ldns releases 1.6.14 and 1.6.15. Both
> versions have a bug whereby during zone-parsing, the NSEC3 generation
> code fails to create an empty bitmap on empty non-terminals. The bug
> was discovered when the new ldns became a part of the OpenDNSSEC test
> environment; the pre-release ldns regression tests did not cover this
> specific case.
> 
> Besides, ldns 1.6.14 and 1.6.15 do not build a working pyldns module
> (the python bindings to ldns).
> 
> 
> Does this affect you?
> - ---------------------
> 
> This affects users that have empty non-terminals in their zones and
> sign their zones NSEC3-style.
> 
> This does not affect users signing there zones NSEC-style, nor does
> this affect users that have no empty non-terminals in their zone, nor
> does this affect users who are running ldns 1.6.13 or lower.
> 
> 
> How to resolve?
> - ---------------
> 
> If you are using ldns 1.6.14 or 1.6.15, please update your systems to
> use ldns version 1.6.16 or higher, available here:
> 
> link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.16.tar.gz
> sha1: 5b4fc6c5c3078cd061905c47178478cb1015c62a
> 
> 
> How could this happen?
> - ----------------------
> 
> Thanks to the thorough code reviews, release 1.6.14 fixed a larger
> amount of bugs than before. Fixing bugs always has the risk of
> introducing new bugs or reintroducing old bugs. For long we perform
> the practice of "Continuous integration"; On each commit we
> automatically perform general unit tests and numerous tests that
> verify that earlier detected bugs have not accidentally re-emerged.
> 
> Unfortunately we did not yet run the test suites of software using
> ldns as part of our "Continuous integration". We did thus not detect
> the influence those fixes had on the ldns using software.
> 
> 
> How are we going to prevent this in the future?
> - -----------------------------------------------
> 
> We have added regression tests to the ldns test package that run the
> test cases for Unbound and pyldns with the new version of ldns. This
> way, we can identify changes that introduce faults in software that
> depends on ldns in a early stage.
> 
> The newly added regression tests now check for
> * loading of pyldns and pyldnsx
> * Whether the test suite of Unbound succeeds,
>  - without building it against the new ldns version
>    (so testing for backwards binary compatibility)
>  - and with building it against the new ldns version.
> 
> Regression testing for OpenDNSSEC has been performed manually with this
> release, but a similar setup as for Unbound will be deployed shortly.
> 
> 
> Please let us know if you wish to include regression tests for your
> software in the ldns test suite.
> 
> Best regards,
> 
> For NLnet Labs, Willem and Matthijs
> 
> 
> Changelog:
> ==========
> * Fix Makefile to build pyldns with BSD make
> * Fix typo in exporting b32_* symbols to make pyldns load again
> * Allow leaving the RR owner name empty in ldns-testns datafiles.
> * Fix fail to create NSEC3 bitmap for empty non-terminal (bug
>  introduced in 1.6.14).
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> 
> iQIcBAEBAgAGBQJQoiw/AAoJEOX4+CEvd6SYQzUP/RUY85SevLCAV4zkL1W84N+V
> IyXWl/ZoitUh+C1XcLW4nCRRuwa1zPmYgpEubZxKHC9kBa3lfQl0n5VlPVohPJxl
> gLfG/0AhNUBigDhedJfo4rVIw2xqDso2M0ljI6fiY7J6DnfvbugPEgbjcnMcfU+e
> IxEHlFrloeT6Opv7Jz4nSlOpqVWx2LaFGR0wrDgEoI7N7wb/93xFEawyNvFIr4b6
> KlzFF+Y6VqG0+DbzWap2+nHqhcKLvpzaYmQhyOtfyRtwabd4LpSAXROgv/LOi5bm
> 7/v45NwlwbCp/mdwVqJ4iwFG2dxrVTbPPHAd93Ko3InkrH+eZGgRQIr4NMI8pFNf
> t6uphJWIoe3zuFlt50WAnOsgzgqZLr8KVQVEsGoue5UANPYlQTg7ZVlOUHUeCgqj
> LIbu5aBDAnJjJk2IkM+sSupWGKgfVxRNtqqZFrsOY0VwI3ELcZEELnfBATunHDsY
> el6rai8XYupWt5VAGsQP8NF5AVqua5hoN0ILYqzBQ0VWWEdAQIGM+fRx9HX645IS
> JJszMlgogzx2lrcsPfnPjVSK5SJ/Y8iuYG+KptvX0R86Q0ZTfC4cBKnyPTOUGTbf
> 8JgbIvbP7cPmEWonfgEMvdStkVrq0HMbzDHtd4eYXM5Vltmlpco2/JNldKSdnKR6
> HW7tS5qddF2wiaRt40Zh
> =4sEk
> -----END PGP SIGNATURE-----
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list