0.3.1 (UPCOMING RELEASE)
=============================
BUG FIXES:
  * Bugfix #271: Trust anchors were reset to valid upon writing trusted-keys.
  * ZSKs in trust anchor files were not loaded.
  * Typo in configure.ac.
  * Don't trim the string when reading RRs from file (allowing omitted domain names).
  * Fix fprintf warning.
  * Fix space layout in HOWTO.
FEATURES:
  * Log to syslog with the option 'use-syslog: yes'.
  * New option 'resolver-reload:', which you can use to configure a reload
    call to your nameservers (for example 'unbound-control reload' or
    'rndc reload').
OPERATIONAL NOTES:
  * Options 'ipv4-only:' and 'ipv6-only:' have been replaced by 'do-ip4:'
    and 'do-ip6:'.
  * Default value for option 'keep-missing:' has changed from 'forever' to
    '1 year'.

0.3.0
=============================
BUG FIXES:
  * Fix segfault in lib/options.c when include: failed.
  * Configure the autotrust directory with ./configure --with-configdir=<dir>.
    By default, the configuration file goes in /var/lib/autotrust.
  * Un-ignore the --prefix setting when configuring.
  * Override the config file option verbosity: with the commandline option -v.
  * Fix chattiness when verbosity is set to 0.
FEATURES:
  * Added extensive documentation.
  * Run autotrust as a daemon with the commandline option -d or by specifying
    daemonize: "yes" in the config file. The daemon can be stopped with
    kill -TERM `cat <pidfile>`.
OPERATIONAL NOTES:
  * The autotrust pidfile default is set to '/var/run/autotrust.pid'.
KNOWN ISSUES:
  * Specific add hold-down situation not implemented (see TODO).

0.2.1-beta
=============================
BUG FIXES:
  * Minor bugfix in logging to a logfile.
  * Fix segfault in lib/options.c when include: failed.
  * Only remove MISSING keys when the timer has expired AND other VALID keys
    are known.
  * Do not create symlinks when making a new release.
FEATURES:
  * Allow multiple resolver pidfiles to be configured.
OPERATIONAL NOTES:
  * Changed default locations for state-file and config-file from their
    relative values to '/var/lib/autotrust/autotrust.state' and
    '/etc/autotrust/autotrust.conf'.
KNOWN ISSUES:
  * No knowledge of query intervals and retry times.
  * Specific add hold-down situation not implemented (see TODO).

0.2.0-beta
=============================
BUG FIXES:
  * Add missing options in configuration file.
  * Print keytag in trusted-keys file for clarity.
  * Fixed some compiler warnings.
  * Only update trust anchor files when trust anchor validity has changed.
    Only signal the resolver when trust anchor files are correctly updated.
  * Trust anchors are now sorted in canonical order.
  * Accept quoted DNSKEY dnames in trusted-keys clause.
  * Also check for self-signed REVOKED keys when the answer was secure.
  * Additional sanity check guarantees that at least two validated answers
    with the pending key included are seen, prior to moving it to the
    validated trust anchor set.
FEATURES:
  * DS RRs can be used as trust anchors. They will not be updated, but their
    corresponding DNSKEY will be fetched and auto-updated as RFC 5011
    describes. DS RRs will stay in the trust-anchor file forever.
  * Show local time in state file.
  * You can provide multiple trust anchor files.
  * Allow ZSKs in configuration files. They are removed if valid KSKs are known.
  * Print alert messages for MISSING trust anchors to the logfile. Can be
    turned off by setting the configuration option 'alert-missing' to "no".
  * Included configuration option 'keep-missing', to automatically remove
    MISSING trust anchors after a while.
  * Allow includes in configuration file.
OPERATIONAL NOTES:
  * Configuration settings should always be stored in the configfile;
    configuration settings on the commandline are removed.
  * The 'trust-anchor' option is removed; you should store trust anchors in
    a file.
KNOWN ISSUES:
  * No knowledge of query intervals and retry times.
  * Specific add hold-down situation not implemented (see TODO).
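The 0.2.1-beta and 0.2.0-beta entries above describe the decisions an RFC 5011 trust anchor updater has to make: a new key waits out the add hold-down and must be seen in at least two validated answers before it becomes VALID, a self-signed REVOKED key is dropped after the remove hold-down, and a MISSING anchor is only removed once 'keep-missing' expires AND another VALID anchor is still known. The following is an added example, not autotrust's own code: a small Python model of that key state machine. Key tags, time values and the answer sequences are constructed; the hold-down defaults follow RFC 5011 and the 'keep-missing' default follows the 0.3.1 note.

```python
# Added example (not autotrust's own code): toy RFC 5011 key-state model.
# Shows add hold-down, the "two validated answers" check, REVOKE handling,
# and removal of MISSING anchors only after keep-missing expires AND another
# VALID anchor exists. All key tags and time values are constructed.
from dataclasses import dataclass
from enum import Enum

DAY = 86400


class State(Enum):
    ADDPEND = "ADDPEND"  # seen in a validated answer, add hold-down running
    VALID = "VALID"      # usable trust anchor
    MISSING = "MISSING"  # VALID anchor absent from validated answers
    REVOKED = "REVOKED"  # self-signed with REVOKE bit, remove hold-down running
    REMOVED = "REMOVED"  # no longer a trust anchor


@dataclass
class Anchor:
    keytag: int
    state: State
    since: int      # time the current state was entered
    seen: int = 0   # validated answers containing the key while ADDPEND


@dataclass
class Config:
    add_holddown: int = 30 * DAY      # RFC 5011 default
    remove_holddown: int = 30 * DAY   # RFC 5011 default
    keep_missing: int = 365 * DAY     # autotrust 'keep-missing: 1 year'
    min_pending_answers: int = 2      # 0.2.0-beta sanity check


class TrustAnchorSet:
    def __init__(self, cfg, anchors):
        self.cfg = cfg
        self.anchors = {a.keytag: a for a in anchors}

    def valid_keytags(self):
        return {t for t, a in self.anchors.items() if a.state is State.VALID}

    def update(self, now, keytags, revoked, validated):
        """Process one DNSKEY answer observed at time `now`.

        keytags:   tags of the DNSKEYs in the answer
        revoked:   subset that is self-signed and carries the REVOKE bit
        validated: True if the RRset validated under a current VALID anchor
        Returns the state of every anchor, or None if the answer was ignored.
        """
        if not validated:
            return None  # RFC 5011: only trusted answers drive state changes
        cfg = self.cfg
        valid_before = self.valid_keytags()  # what we trusted going in
        for tag in keytags - set(self.anchors):
            self.anchors[tag] = Anchor(tag, State.ADDPEND, now)
        drop = []
        for a in self.anchors.values():
            present = a.keytag in keytags
            if a.state is State.ADDPEND:
                if not present or a.keytag in revoked:
                    drop.append(a.keytag)  # back to Start: forget the key
                else:
                    a.seen += 1
                    if (now - a.since >= cfg.add_holddown
                            and a.seen >= cfg.min_pending_answers):
                        a.state, a.since = State.VALID, now
            elif a.state is State.VALID:
                if a.keytag in revoked:
                    a.state, a.since = State.REVOKED, now
                elif not present:
                    a.state, a.since = State.MISSING, now
            elif a.state is State.MISSING:
                if present:
                    a.state, a.since = State.VALID, now  # key reappeared
                elif (now - a.since >= cfg.keep_missing
                      and valid_before - {a.keytag}):
                    a.state = State.REMOVED  # 0.2.1-beta rule: others VALID
            elif a.state is State.REVOKED:
                if now - a.since >= cfg.remove_holddown:
                    a.state = State.REMOVED
        for tag in drop:
            del self.anchors[tag]
        return {t: a.state.value for t, a in self.anchors.items()}


def rollover_scenario():
    """Constructed KSK rollover: key 2002 is introduced, key 1001 revoked."""
    tas = TrustAnchorSet(Config(), [Anchor(1001, State.VALID, 0)])
    tas.update(1 * DAY, {1001, 2002}, set(), validated=True)    # 2002 ADDPEND
    tas.update(20 * DAY, {1001, 2002}, set(), validated=True)   # hold-down runs
    tas.update(25 * DAY, {1001, 2002}, set(), validated=False)  # ignored
    mid = tas.update(40 * DAY, {1001, 2002}, set(), validated=True)  # VALID
    tas.update(50 * DAY, {1001, 2002}, {1001}, validated=True)  # 1001 REVOKED
    end = tas.update(90 * DAY, {2002}, set(), validated=True)   # 1001 REMOVED
    return mid, end


def missing_scenario(other_anchor_valid):
    """Constructed: anchor 1001 vanishes from validated answers. It is only
    removed after keep-missing if some other anchor is VALID."""
    anchors = [Anchor(1001, State.VALID, 0)]
    if other_anchor_valid:
        anchors.append(Anchor(2002, State.VALID, 0))
    tas = TrustAnchorSet(Config(), anchors)
    first = tas.update(1 * DAY, {2002}, set(), validated=True)
    late = tas.update(400 * DAY, {2002}, set(), validated=True)
    return first[1001], late[1001]
```

In the rollover run the day-40 answer is the third validated answer containing key 2002 and falls after the 30-day add hold-down, so only then does 2002 become VALID; the unvalidated day-25 answer changes nothing. In the missing run with a single anchor, 1001 stays MISSING even long after 'keep-missing' because no other anchor was VALID when the check ran, which is exactly the guard the 0.2.1-beta fix adds.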
0.1.0-beta
=============================
FEATURES:
  * Updates trust anchor files that can be used by validating resolvers.
  * Configurable root hints.
  * Configurable hold-down times.
  * Accepts Unbound trust anchor file and BIND9 trusted keys clause formats.
  * Can signal your resolver when you configure the resolver's pidfile.
KNOWN ISSUES:
  * No knowledge of query intervals and retry times.
  * DS records are not updated yet.
  * Can only have one trust-anchor.file and only one trusted-keys.file.
  * Some configure checks are missing.
  * No guarantee that at least two validated DNSKEY RRSets are seen before
    adding them to the valid trust anchor set, when running autotrust less
    often than the add hold-down time.
  * Specific add hold-down situation not implemented (see TODO).
  * Memory leaks in dnskeyset_verify_rrset_sig and ldns_rr_new_frm_str.