jdnssec-tools/ChangeLog

495 lines
18 KiB
Plaintext

2024-04-13 David Blacka <david@blacka.com>
* Remove support for ECC_GOST
* Create a new DSAlgorithm class, move DS creation into that
* Add support for DS algorithms 3 and 4 -- bouncycastle crypto
provider used for DS algoirthm 3 (GOST R 34.11-94)
* Moved support for loading the bouncycastle provider to the new
DSAlgorithm class
2024-04-07 David Blacka <david@blacka.com>
* Released version 0.20
* Removed support for Gradle builds since the gradle config was
out-of-date
* Requires Java 15 or later for EdDSA support
* Supports DNSSEC algorithm 16 using the SunEC provider
* Supports a java properties-formatted config file. See
jdnssec-tools.properties.example for an example
* Updated to dnsjava 3.5.3
* Updated to commons-cli 1.6.0
* Added a "one-jar" distribution method, and a "univeral" CLI to
use with it.
* Formatting and linter suggestions
2024-03-25 David Blacka <davidb@verisign.com>
* Released version 0.19
* Handle duplicate key tags
* jdnssec-keygen can now attempt to generate keys with specified key tags
2023-07-24 David Blacka <davidb@verisign.com>
* Released version 0.17.1
* Add a `-t` option to jdnssec-verifyzone: verify using specified time.
2022-09-21 David Blacka <davidb@verisign.com>
* Released version 0.17
* Updated to dnsjava 3.5.1
* Formatting and linter suggestions
* Use slf4j instead of log4j.
* jdnssec-dstool can now generate CDS records
2019-07-23 David Blacka <davidb@verisign.com>
* Released version 0.16
* Updated to dnsjava 2.1.9
2019-02-26 David Blacka <davidb@verisign.com>
* Released version 0.15
* Ensure when a command line tool throws an exception it exits
with a non-zero exit code.
* Update local dnsjava jar to match actual build for
jdnssec-dnsjava.
2018-11-16 David Blacka <davidb@verisign.com>
* Released version 0.14
2018-07-15 Pallavi Aras
* Add Gradle build support. Adjust ant to use same paths.
2018-07-15 David Blacka <davidb@versigin.com
* Add algorithm 15 support. This included adding a public domain
EdDSA library to the distribution.
* Add minor feature to specify signature inception and expiration
times as UNIX epoch time values.
2017-06-22 Peter van Dijk <peter.van.dijk@powerdns.com>, Kees Monshouwer <mind04@monshouwer.eu>
* Fix leading zero(s) padding in ECDSA sig conversion
2017-01-06 David Blacka <davidb@verisign.com>
* Released version 0.13
* ZoneVerifier: detect duplicate RRSIGs as well as other duplicate
RRs.
* DnsSecVerifier: check that the RRset's TTL <= OrigTTL.
2016-12-09 David Blacka <davidb@verisign.com>
* Add key generation, signing, verification support for elliptic
curve algorithms: ECDSA P-256 (13) and ECDSA P-384 (15).
- Opportunistically load the bouncycastle provider for ECCGOST
support.
* DnsKeyAlgorithms: refactoring, new methods to better support
elliptic curve, alias, knowing what algorithms are supported.
* KeyGen: do not display unsupported algorithms.
2016-08-22 David Blacka <davidb@verisign.com>
* Update internal dnsjava to 2.1.7-vrsn-1.
2014-04-22 David Blacka <davidb@verisign.com>
* ZoneFormat: Make -N also compute original ownernames for empty
non-terminal NSEC3 records.
* ZoneVerifier: Improve the zone verifiers handling of "junk" in a
zone (i.e., ignore resource records that aren't actually in the
zone itself.)
2012-07-16 David Blacka <davidb@verisign.com>
* Released version 0.12.
* TypeMap: fix the fromBytes() method, which was incorrect and add
a static fromString() method.
* ProtoNSEC3: use TypeMap's toString method, rather than fetching
the array of types and rendering them directly.
2012-05-29 David Blacka <davidb@verisign.com>
* Released version 0.11.
2012-05-26 David Blacka <davidb@verisign.com>
* Update dnsjava to dnsjava-2.1.3-vrsn-1. Update the code to
adjust for API changes in dnsjava-2.1.x. Highlights:
- no longer use DNSSEC.Failed, DNSSEC.Secure as those constants
are now gone. Instead, any methods returning those constants now
return a boolean, true for DNSSEC.Secure, false for DNSSEC.Failed
or DNSSEC.Insecure.
- No longer use KEYConverter. Instead, uses the new DNSKEYRecord
constructor.
- The NSEC3 digest type is now an int (rather than a byte)
- Algorithm references are now DNSSEC.Algorithm.<alg>
* jdnssec-verifyzone: Add duplicate RR detection (on by default)
and a command line option to disable it.
2011-02-14 David Blacka <davidb@verisign.com>
* Released version 0.10.1.
2011-02-12 David Blacka <davidb@verisign.com>
* Use Java 1.5 generic types when possible. DNSJava itself still
doesn't use them, so we have to suppress warnings when we use
RRset.rrs(), etc.
* Update commons-cli to version 1.2.
* Refactor all of the command line classes. A new command line
base class has been created to eliminate much of the duplicated
code.
2011-02-09 David Blacka <davidb@verisign.com>
* Enable reading and writing from stdin/stdout for most tools. To
do this, use '-' as the zonefile name.
* jdnssec-signzone, jdnssec-signrrset: remove 'multiline' output
as the default and add a command line switch (-m) to enable it.
That is, these tools will output each RR on a single line by
default, adding -m will restore the prior behavior.
2011-02-08 David Blacka <davidb@verisign.com>
* Minor cleanups to usage statement printing across most of the tools.
2011-02-03 David Blacka <davidb@verisign.com>
* Released version 0.10
* jdnssec-keygen: update the default algorithm to 8 (instead of 5).
* Update logging across all command line tools to use a consistent
'-v' option, and consistent, simpler log formatting.
* jdnssec-verifyzone: resume logging the key information at INFO,
but make the default log level WARNING. To see the old logging
behavior, use -v 4.
2011-02-02 David Blacka <davidb@verisign.com>
* DnsKeyConverter: support the new BIND 9.7 private key format,
which only entails recognizing the new version string, since the
new format is a superset of the old format.
2011-01-11 David Blacka <davidb@verisign.com>
* jdnssec-zoneformat: add a -m option for formatting as
multiline. Add a -N option for determining the original
ownernames for NSEC3 signed zones.
2010-12-14 David Blacka <davidb@verisign.com>
* jdnssec-verifyzone: Add options to either fudge or ignore RRSIG
inception and expiration times.
2010-12-06 David Blacka <davidb@verisign.com>
* jdnssec-verifyzone: Complete refactored the verification code to
more comprehensively check a zone for DNSSEC validity. Instead of
just verifying signatures, it will also check to see if the NSEC
or NSEC3 chains are valid.
2010-12-05 David Blacka <davidb@verisign.com>
* jdnssec-signzone: Fix a bug that would incorrectly handle
delgations below delegations (those should be ignored.)
* jdnssec-signzone: Make the signer ignore junk below a DNAME.
This differs from BIND's dnssec-signzone behavior (currently), but
is the correct behavior, as stuff below a DNAME doesn't actually
exist in DNS. Note that if a name in a zone has both a DNAME and
a NS RRset (and is not at the apex), then the behavior is a bit
undefined.
* jdnssec-signzone: Fix a bug that would incorrectly set the RRSIG
bit for NSEC3 RRs corresponding to insecure delegations.
* jdnssec-signzone: add a "verbose signing" option. This will
cause the pre-signed bytes and the raw signature bytes to be
output when signing.
* Other fixes: some minor tweaks and comment fixes.
Unfortunately, also a lot of rewrapping and whitespace changes due
to Eclipse. Sigh.
2010-01-14 David Blacka <davidb@verisign.com>
* Released version 0.9.6
2010-01-09 David Blacka <davidb@verisign.com>
* Upgrade to DNSJava 2.0.8 (plus a few local changes). 2.0.8
fixes a major bug in typemap wire conversion.
2009-11-02 David Blacka <davidb@verisign.com>
* Released version 0.9.5
2009-11-01 David Blacka <davidb@verisign.com>
* Upgrade to DNSJava 2.0.7 (plus a few local changes).
* DnsKeyAlogorithm: change the RSASHA512 number to 10.
2009-08-23 David Blacka <davidb@verisign.com>
* Released version 0.9.4
2009-07-15 David Blacka <davidb@verisign.com>
* SignUtils: Fix major issue where the code that generates that
canonical RRset given signature data wasn't obeying the "Orig TTL"
and "Labels" fields. This is a major issue with verification,
although it doesn't affect signature generation.
* VerifyZone: Fix bug where the whole-zone security status was
still wrong: unsigned RRsets shouldn't make the zone Bogus.
2009-06-12 David Blacka <davidb@verisign.com>
* VerifyZone: Fix bug in verification logic so that RRsets that
never find a valid signature (i.e., only have signatures by keys
that aren't in the zone) are considered Bogus. Note that
VerifyZone still can't tell if a RRset that should be signed
wasn't (or vice versa).
* dnsjava: Update local copy of dnsjava library. This version
adds NSEC3 agorithms to DNSSECVerifier and KEYConverter, emulates
DiG's "OPT PSEUDOSECTION" formatting in Message.toString(), and
adds a minimal DHCIDRecord type. Note that the DNSjava trunk has
a different (although functional similar) version of this type.
2009-06-09 David Blacka <davidb@verisign.com>
* VerifyZone: Improve the output.
* SignKeyset: Add a command line tool for just signing DNSKEY RRsets.
2009-02-10 David Blacka <davidb@verisign.com>
* Released version 0.9.0
2009-02-08 David Blacka <davidb@verisign.com>
* KeyGen: make RSA large exponent the default. Make it possible
to select small exponent.
* KeyInfoTool: add more info to the output, handle multiple files
on the command line.
* DnsKeyAlgorithm: use DNSjava constants, BIND 9.6 mnemonics for
NSEC3 key aliases.
2009-02-07 David Blacka <davidb@verisign.com>
* SignZone: add argument for setting the TTL of the NSEC3PARAM
record. This is so we can match current dnssec-signzone
(9.6.0-p1) behavior of using a TTL of zero.
* Update dnsjava to 2.0.6-vrsn-2, commons-cli to 1.1
* SignUtils: fix bug where NSEC3 algorithm and flags were transposed.
* SignUtils: Make sure to use the SOA minimum value for NSEC TTLs,
instead of the ttl of the "node".
2009-02-04 David Blacka <davidb@verisign.com>
* update to dnsjava-2.0.1-vrsn-4 (updated typecodes for
NSEC3/NSEC3PARAM).
* SignUtils: use JDK-native SHA-256 code instead of broken
contributed implementation.
* DnsKeyAlgorithm: Add RSASHA256 and RSASHA512 algorithm, guessing
at the code points. Note, these require Java 5 or later, or an
alternate crypto provider.
* ZoneUtils: add a method to find specific RRs in a list of RRs
or RRsets.
* SignZone: make jdnssec-signzone a bit more aggressive in finding
keys. Now it will look for keyfiles matching keys at the zone
apex, and, failing that, just look for keyfiles named after the
zone. Specifying any keys at all on the command line will
override this behavior.
2009-02-01 David Blacka <davidb@verisign.com>
* DnsKeyAlgorithm: add official aliases from RFC 5155.
* JCEDnsSecSigner: refactor zone signing methods to remove
duplicate code.
* SignZone: move the signZone() methods to JCEDnsSecSigner
* BINDKeyUtils: close the private key file after reading it.
Patch by Wolfgang Nagele.
2006-12-15 David Blacka <davidb@verisignlabs.com>
* Release version 0.8.4
* SignZone: updated internals (and dnsjava lib) to match wire
format changes introduced by the nsec3-08 draft.
2006-10-10 David Blacka <davidb@verisignlabs.com>
* Released version 0.8.3
* ZoneFormat: fix RRSIG ordering issue when dealing with multiple
RRSIGs for a given RRset.
* ZoneFormat: lowercase all names in the zone.
* Fix packaging errors.
2006-09-12 David Blacka <davidb@verisignlabs.com>
* Released version 0.8.0.
2006-09-10 David Blacka <davidb@fury.blacka.com>
* Added the "KeyInfoTool" command line tool as the start of a tool
for decoding DNSKEY information. Right now, mostly just useful
for checking the public exponenent of RSA keys.
* Added the "-e" option to jdnssec-keygen, to instruct the key
generator to use the (common) large exponent in RSA key
generation.
2006-08-31 David Blacka <davidb@fury.blacka.com>
* Modified jdnssec-signzone to set the ttls of NSEC3 records (so
far) to the SOA minimum value.
* Add NSEC3PARAM support for compatibility with the -07 NSEC3
draft.
2006-05-24 David Blacka <davidb@verisignlabs.com>
* Add some error checking for the NSEC3 command line parameters
for jdnssec-signzone.
* Update local dnsjava build to 2.0.1. This also contains a
change to the NSEC3 rdata format (as per the -06pre NSEC3 draft).
The change is the addition of a "next hashed owner name" length
octet.
* Modified the jdnssec-* shell wrappers to also use the local
build area version of the jdnssec-tools.jar file. This allows the
standard jdnssec-* wrappers to work right from the build area.
* Add support of the SHA256 algorithm for DS records. This uses
the SHA256 class that I obtained from Scott Rose (thanks Scott!).
* Change the name of the package and jar file to jdnssec-tools
(from java-dnssec-tools) for consistency.
* release version 0.7.0.
2006-05-23 David Blacka <davidb@verisignlabs.com>
* Add support for algorithm aliases. This feature is so that the
user can declare the DNSKEY algorithm x is the same as algorithm 5
(e.g.). So far, this only works with straight integer algorithm
identifiers (no private alg support yet).
* Fix jdnssec-signzone so that you can specify multiple KSKs on
the command line. Apparently, commons-cli actually does handle
repeating command line options correctly.
2006-05-03 David Blacka <davidb@verisignlabs.com>
* Add preliminary implementation of jdnssec-dstool. This is a
simple command line tool that takes a DNSKEY record and converts
it into a DS record (or a DLV record). Right now, it requires
that the key is stored in a file ending with '.key'.
* release version 0.6.0.
2006-03-15 David Blacka <davidb@verisignlabs.com>
* Type map changes for NSEC3, corresponding to changes in draft
-05pre. Essentially: NSEC3 and RRSIG bits are not set for most
(all) NSEC3 records any longer.
2006-03-06 David Blacka <davidb@verisignlabs.com>
* release version 0.5.0.
2006-02-16 David Blacka <davidb@verisignlabs.com>
* Make RecordComparator also compare RDATA so the removeDuplicates
step actually works reliabled. This was masked by the dupicate
suppression in org.xbill.DNS.RRset.
* Only allow one command line specified KSK since commons-cli
doesn't seem to handle multi-arg options correctly.
* Do not croak on the lack of the command-line keys for now.
* New version of local dnsjava build containing NSEC3 changes
corresponding to the -04pre draft.
2005-11-16 David Blacka <davidb@verisignlabs.com>
* Make jdnssec-verifyzone work with just the zone (which is
self-signed anyway).
* release version 0.4.2.
2005-11-09 David Blacka <davidb@verisignlabs.com>
* Add original ownername comments to the NSEC3 generation.
2005-11-08 David Blacka <davidb@verisignlabs.com>
* New zone formatter.
* Misc bug fixes.
* release version 0.4.1.
2005-11-07 David Blacka <davidb@verisignlabs.com>
* Update the local dnsjava build with a bugfix.
* Fix ordering problem with ProtoNSEC3s.
2005-11-06 David Blacka <davidb@verisignlabs.com>
* Actually use the --iterations command line option of
jdnssec-signzone.
2005-10-27 David Blacka <davidb@verisignlabs.com>
* Add NSEC3 support for jdnssec-signzone.
* Remove support for plain Opt-In (until private algorithms work).
* release version 0.4.0.
2005-08-14 David Blacka <davidb@verisignlabs.com>
* Move the signZone function into the SignZone class (from the
SignUtils) class.
* General cleanup.
* Add local _jdnssec-* shell wrappers. These use build/classes in
the classpath so can be used to run the tools right out of the
build area.
2005-08-13 David Blacka <davidb@verisignlabs.com>
* Update to DNSjava 2.0.0
* Refactor command line parsing.
* Switch to using java.util.logging for logging.