This file contains a list of major changes per release.  See the
ChangeLog file for a complete set of changes and their details
details.

2.0
 - New Features
    - OWL           - The Owl Monitoring System uses timed DNS queries
                      to monitor basic network functionality.  The system
                      consists of a manager host and a set of sensor hosts.
                      The Owl sensors perform periodic DNS queries and
                      report to the Owl manager the time taken for each
                      query.  Over time, this shows the responsiveness of
                      the DNS infrastructure.
    - dnssec-nodes  - Many new features have been added:
                    - The validation tree now supports clicking on
                      boxes to highlight it and the arrows that derive
                      from it.  Great for use when teaching about
                      DNSSEC.
                    - An extensive filter/effect editor now lets you
                      tailor the look of a graph to color-code, set
                      the alpha levels, etc of nodes based on their
                      names, status, data types, etc.
                    - Right clicking on a node lets you center the
                      graph on that node.
                    - More data types are collected and shown in the
                      data view.
                    - Support for arguments on the command line for
                      parsing log files, pcap files and domain names.
                    - The validation view has received a visual clean-up
                    - Many other bug fixes
    - Bloodhound:   - A mozilla-based DNSSEC-enabled browser with DANE support
                    - Added support for validation of SSL certificates
                      using the DANE protocol.
    - curl          - Added support for validation of SSL certificates
                      using the DANE protocol.
    - libval        - Added support for local DANE validation
                    - Extended the dt-danechk commandline tool to check
                      the X509 cert provided over the SSL connection
                      against the TLSA record. 
                    - Optimized glue record lookup when the only ip
                      addresses configured for the host are for a single
                      address family (ipv4 or ipv6) 
                    - fine tune res_io source management
    - dnssec-check  - dnssec-check now checks DNAME support
    - rollerd       - A new set of steps for KSK rollover has been
                      implemented.  A cache-expiration wait phase has
                      been moved after the publication of DS records in
                      order to allow name caches to reflect the changes.
                      In addition to rollerd, supporting program have
                      been modified to recognize this change.
    - rollrec files - A new "information rollrec" has been added to the
                      rollrec files.  This will allow infomration to be
                      specified for the collection of rollrecs.  At this
                      time, the only information stored in this rollrec 
                      is the version number of the rollrec file.
                      In addition to the rollrec.pm Perl module, programs
                      which use this module have been modified to recognize
                      this change.
                      If you use the rollrec.pm module, you should test
                      to see if your code is affected.  The modifications
                      for the info rollrec have been made to minimize
                      affected programs.  If you parse the rollrec files
                      yourself, you will have to account for this change.
    - multiple      - The perl-based tools can now use either the
                      ZoneFile::Fast or the Net::DNS zone file parser,
                      thanks to a patch from Sebastian Schmidt (yath@yath.de).
    - ZoneFile:Fast - Support for TLSA
                    - Made it compatible with newer Net::DNS releases
    - Qt5           - A patch to support DNSSEC checks in Qt5 DNS lookups

 - Bug Fixes
    - zonesigner    - Fixed SOA parsing and serial number update issues
    - libval        - Properly initialize memory in sockaddr structures
                      before use.

1.14
 - New Features
    - dnssec-nodes  - Many new features, including validation tree
                      graphing, on-the-wire traffic display, pcap dump
                      file display, increased data logging and
                      display, improved simultaneous updating, etc.
    - Libval:       - Added initial support for the TLSA rrtype 
                    - Added support for ECDSA
                    - Implemented checking for AI_ADDRCONFIG in getaddrinfo
                    - Memory optimizations to improve speed-up
    - dnssec-check  - increased stability across all platforms.

    - All Around:   - Many bug fixes and other minor improvements

1.13
 - New Features

    - rollerd:      - Added support for the signzone command. Allow
                      zones to be signed while in the midst of a
                      rollover wait.
                    - Added autosigning of modified zone files.  Zone
                      files are considered modified when their "last
                      modification" timestamp is more recent than that
                      of the associated signed zone file.  This
                      functionality includes adding the -autosign option
                      and config field.
                    - Added additional commands (via rollctl) to allow
                      greater control over zone rollover actions.
                    - Added -zsargs option to allow global options to
                      be passed to zonesigner.

    - realms:       - Added the realms feature to manage multiple
                      simultaneous rollover environments.  Several
                      commands and modules (e.g., dtrealms, realms.pm,
                      buildrealms) were added for the realms feature.

    - zonesigner:   - Added the -threshold option to specify a signing
                      threshold.
                    - Better handling of serial numbers in zone files.

    - keymod:       - New tool that can be used to modify key
                      generation parameters in a keyrec file.

    - dnssec-check  - significant rewrite since the 1.12 release, though
                      individual updates have been available already.
                    - Asynchronous support for non-interrupting GUI support 
                    - Letter grades assigned to each resolver
                    - Various user-interface improvements

    - libval:       - Bug fixes
                    - Renamed all validator command-line apps to have
                      a dt- prefix in order to avoid conflicts with
                      pre-existing executables in certain platforms. 

    - dnsval python module
                    - Add python wrapper module for the validator
                      library. Code contributed by Bob Novas. 
                      
    - trustman:     - Added an option for use by monitoring systems.

    - nagios        - Added the dt_donuts plugin for running trustman on
                      remote machines.
                    - Added the dt_trustman plugin for monitoring trust
                      anchors.

    - firefox       - updated nspr and firefox patches to work with
                      mozilla-central and nspr-4.9


    - webmin:       - Added the ability to perform DNSSEC 
                      operations on DNSSEC-Tools managed signed 
                      zones using the Webmin front-end. 

    - ssh:          - Update the patch for enabling local DNSSEC
                      validation to work with OpenSSH 6.0p1.




1.12.2                              (5/3/12)
 - Bux fix release
      - Rollerd's -alwayssign flag logic had a critical error that could
        have caused a zone to be signed with the wrong ZSK at particular
        points of the ZSK key rolling process.
   

1.12.1                              (2/7/12)
 - Minor bug fix release
      - Fix perl Validator module so it compiles after a header move


1.12								(1/26/12)
 - New Features:

    - libval:       - Made improvements to support IPv6,
                      added the ability to fetch IPv6 glue
                    - Fixed the EDNS0 fallback behavior.
                    - Tidied up the locking semantics in libval. 
                    - Added support for hard-coding validator configuration 
                      information that gets used in the absence of other 
                      configuration data. This feature allows the 
                      validator library to be self-contained in 
                      environments where setting up configuration data at
                      specific locations in the file system is not always 
                      feasible.
                    - The library has been ported to the Android OS

    - rollerd:      - Added support for phase-specific commands. This allows
                      the zone operator to customize processing of the rollerd
                      utility during different rollerd phases. 
                    - Added support for zone groups.  This allows a collection
                      of zones to be controlled as a group, rather each of
                      those zones individually.
                    - Improved the manner in which rollerd indexes the zones
                      being managed, with the significantly decreased access
                      times for rollerd's data files.  This results in rollerd
                      being able to support a lot more zones with a single
                      rollerd instance.
                    - rollctl and the rollover GUI programs may have new
                      commands to allow for immediate termination of rollerd.

    - apps          - Added patch to enable local validation in NTP, with
                      the ability to handle a specific chicken and egg problem 
                      related to the interdependency between DNSSEC and an
                      accurate system clock.

                    - Added a patch to enable DNSSEC validation in Qt
                      based applications

    - dnssec-check  - Completely rewritten GUI with many new features
                    - Now contains the ability to submit the results
                      to a central DNSSEC-Tools repository.  The
                      results will be analyzed and published on a
                      regular basis.  Please help us get started by
                      running dnssec-check on your networks!  Note
                      that it explains that it only sends hashed IP
                      addresses to our servers and the reports
                      generated will be aggregation summaries of the
                      data collected.
                    - It now runs on both Android and Harmattan (N9) devices

    - maketestzone  - Now produces zones with wildcards and changes to
                      NSEC  record signatures

    - dnssec-nodes  - parses unbound log files
                    - Initial work porting to Android

    - dnssec-system-tray
                    - parses unbound log files

1.11								(9/30/11)
 - New Features:

    - libval:       - Significant improvements and bug fixes to the 
                      asynchronous support.
                    - Added asynchronous version of val_getaddr_info.
                    - Some reworking of the asynchronous API and callbacks.
                      Note the asynchronous api is still under development and
                      subject to changes that break backwards compatibility.

    - rollerd:      - Added an experimental time-based method for queuing
                      rollover operations.  This original method (full list
                      of all zones) is the default queuing method, but the
                      new method can be used by editing the rollerd script.
                      rollctl and rollrec.pm were also modified to support
                      this change.
                    - Added support for merging a set of rollrec files.
                      rollctl and rollrec.pm were also modified to support
                      this change.

    - dnssec-nodes  - This graphical DNS debugging utility was greatly enhanced
                    - Now parses both bind and libval log files
                    - Multiple log files can be watched
                    - Node's represent multiple data sets
                      internally, which are independently displayed
                      and tracked.
                    - Added support for searching for and
                      highlighting DNS data and DNSSEC status
                      results

    - dnssec-system-tray
                    - This utility can now report on BOGUS responses
                      detected in both libval and bind log files.
                    - Summary window revamped to group similar
                      messages together.

 Plus many more minor features and bug fixes

1.10
 - New Features:
    - New Apps:     (see the validator/apps directory for details)
                    - dnssec-check: check dnssec support from your ISP
                    - dnssec-nodes: graphically displays a DNS
                      hierarchy, color coded by each node's DNSSEC status
                    - dnssec-system-tray: displays pop-up
                      notifications when a libval-enabled application
                      triggers a DNSSEC error
                    - lookup: a graphical DNS lookup utility that
                      displays the results in a hierarchical tree and
                      color codes the window according to DNSSEC status
    - libval:       - Added support for building on Windows.
      & libsres     - added support for falling back to recursion when
                      the caching name server does not appear to 
                      support DNSSEC. This also works as a mechanism
                      to work around a poisoned or misbehaving cache. 
                    - Significant improvements to the asynchronous support. 
    - lsdnssec:     - Improvements to lsdnssec to display different
                      output depending on whether a zone is a
                      stand-alone zone or under control of rollerd.
    - nagios:       - Plugins for the nagios monitoring system which
                      enable monitoring of zone rollover states.
    - firefox:      - Updated patches that work with the most recent firefox

 Plus many more minor features and bug fixes

1.9
 - New Features:
    - lsdnssec:     - Added a new flag (-p) to show only zones in a
                      particular rollerd phase.
                    - fixed bugs to align timing output with rollerd.
    - rollerd:      - Added a -logtz flag for logging timezones
                    - fixed bugs related to the -alwayssign flag.
                    - zonesigner's path is taken from the config file.
    - rollctl:      - Added -rollall and -rollzone options.
    - zonesigner:   - Assumes keys need to be generated for new zones
                      (Assumes -genkeys option was given if a keyrec file
                      can't be found.)
                    - Exits with unique exit codes if a failure occurs.
                      ("zonesigner -xc CODE" can lookup a description for it.")
                    - Added the -phase option so rollover options could be
                      more easily specified.
    - lights:       - A simple GUI to check the status of rollover states
    - blinkenlights:- Added hide/show commands for rollrec names and zone
                      names, for split-zone support
    - cleankrf:	    - Fixed deletion of obsolete set keyrecs.
    - GUI commands: - Fixed how the Exit command works so they don't coredump.
    - libsres
      & libval:     - New beta support for issuing asynchronous requests.
                      This can speed up queries by up to 4 times if used.
                      (see example code in validator/apps/validator_selftest.c)
                    - NSEC3, DLV and IPv6 are enabled by default.
                    - improved logging and logging-callback support.
    - drawvalmap    - Can output PNG files now

 - Packaging:
                    - Our download page now allows you to download
                      the C validator libraries independently of the
                      full DNNSEC-Tools tool-suite.

 - Many bugs were also fixed in the 240+ changes.

1.8
 - New Features:
    - zonesigner, rollerd
                    - Made changes so that these tools are more compatible 
                      with recent versions of Bind
                    - The zone_errors configuration parameter allows a zone-
                      specific maximum to be set.  Once exceeded, that zone
                      will be skipped rather than allowing rollover to continue.
    - blinkenlights
                    - Recognizes when rollerd abruptly quits, so error messages
                      aren't spewed interminably.
    - ZonFile::Fast - Fixed parsing of DS records containing spaces and 
                      parsing of mname and rname SOA fields
                    - Added support for parsing KEY records
    - keyrec.pm     - Made changes to properly lock keyrec files before 
                      writing to them.
                    - Begun process of deprecating keyrec_open().
    - mapper:       - added a new option: --node-size for mapping
                      complex zones.
    - dnspktflow:   - added two new options:
                      --layout-style for selecting the layout style to use
                      --node-size for mapping complex zones.
                    - Add new (default) option to cluster
                      authoritative nodes together to help better
                      understand the relationships between traffic
                      patterns and authoritative name server/zone arrangement.
    - libval:       - Now distributed with the Root TA.
                    - Added stricter checks for openssl SHA-256 support in 
                      configure. 
                    - Added several improvements that allow the validator to 
                      lookup information within provably insecure zones that 
                      do not handle EDNS0 requests nicely. This includes 
                      adding support for turning off EDNS0 when traversing a 
                      name hierarchy that leads to a provably insecure zone, 
                      EDNS0 fallback support, and additional checks to check 
                      the sanity of response data.
                    - Fixed certain bugs in CNAME handling and in the 
                      validation of proofs accompanying wildcard responses, 
                      referrals and alias chains.
                    - Fixed support for RSADSA and RSASHA-512 signature 
                      validation.
    - Mac OSX:      - Added a Ports file for mac ports
                    - updated the fink build spec

 - many other miscellaneous bug fixes and improvements.

1.7
 - New Features:
    - zonesigner:   - Added support for split-views. 
    - rollerd:      - supports the ability to run as a given (non-root) user-id.
                    - Refined the status messages generated for various 
                      rollover phases.
                    - logging  more information when an error is returned 
                      by various rollerd functions and sub-processes.
    - libval:       - Added support for RSA/SHA256-512 validation 
    - test suite:   - Added new test cases for trustman
                    - Many other refinements. 
    - applications: - Most application patches updated so that they apply 
                      to the current upstream release version.
    - convertar:    - added a --tods flag for converting keys to DS records

 - Bug Fixes
    - libval:       - Fixed a number of issues in the validator library 
                      for NSEC3 validation, execution on 64-bit
                      machines, and in the treatment of NODATA and 
                      referral conditions. 
                    - Fixed an issue in the where it was not correctly 
                      down-casing the names prior to validating DNSSEC
                      signatures. 
    - trustman:     - Fixed trustman's operation when revoking and 
                      replacing keys during a RFC 5011 revoke
                      operation.
    - rollerd:      - Fixed a problem where the path exceeded the maximum 
                      length for Unix socket names. 
                    - Modified the rollerd GUI so that it did not
                      print out error messages when it was invoked
                      when rollerd wasn't running.
                    - fixed rollerd support for nsec3 zones

1.6
 - New Features:
    - convertar:    - A new tool to translate a trust-anchor-repository
                      (TAR) from one format to another.  Supports
                      itar, xml, csv, bind, and libval TA formats.
    - rollerd:      - A new -noreload option to rollerd to not call rndc
    - dtconfchk     - Improved support for checking dnssec-tools.conf
                      content validity
    - dtinitconf:   - -genroothints supports fetching root.hints from the web
    - zonesigner:   - Supports setting the revoke bit
    - rollmgr:      - Supports Solaris now
    - lskrf         - Supports output of revoked keys
    - test suite:   - A new test suite for testing the tools (cd testing;
                      make test)
    - binaries:     - Support for producing self-contained
                      packed-binaries of the tools.  You can download
                      ones we build from http://www.dnssec-tools.org/download/
    - dtreqmods:    - A new script to check for DNSSEC-Tools required
                      perl modules.

    - libval changes:
                     - Changed function prototypes and error codes to keep 
                       them compliant with the current (-07) Validator API 
                       draft 
                     - Added initial RFC 5155 NSEC3 support 
                       (configure --with-nsec3)
                     - Optimized the referral processing and glue fetching 
                       logic so that libval does a better job in trying to 
                       determine the referral zonecut, and so that it is less 
                       aggressive in fetching missing glue. Also allow for glue 
                       to be fetched on demand. 
                     - Miscellaneous bug fixes 

 - Many miscellaneous small enhancements and bug fixes

1.5
 - New Features:
   - zonesigner:   - NSEC3 support: --usensec3     (requires bind 9.6)
   - donuts:       - NSEC3 support
   - rollerd:      - Added a -pidfile option
                   - Added a -singlerun option
                   - Added a -foreground option
                   - Added a -alwayssign flag
                   - New rollrec fields to partial-support RFC5011 rolling:
                     'istrustanchor' and 'holddowntime'
   - lsdnssec:     - A new tool to display DNSSEC keying/rolling status
   - mapper:       - added two new options: --edge-style and --node-style
   - getds:        - a new tool to calculate a DS record from a key lookup
                     (also checks the parent for proper publication)
   - dnspktflow:   - Added output options for svg, svgz, and postscript

 - Bug fixes
   - libval:       - should compile better on more OSes
   - rollerd:      - Fixed the -zsargs option in most rollerd related tools
                   - Other minor fixes
   - zonesigner:   - fixed serial number auto-incrementing
            

1.4.1
 - Security Issue:
   The DNSSEC-Tools libval validating resolver library does suffer
   from the same issues that the other DNS resolvers were faced with
   as described by:    http://www.kb.cert.org/vuls/id/800113

   Although DNSSEC will prevent the issues, it is assumed that not
   everyone is using libval with only 100% DNSSEC protected zones.

   The supporting tools that do not use libval are not affected by
   this problem (eg, zonesigner, rollerd, donuts, etc are just fine).

 - NSEC3 value change

   Now that the NSEC3 RFC has been published we've changed the
   internal numeric RR code to the assigned value.  The NSEC3 code,
   however, is still considered experimental and not fully tested.

1.4

 
 - Documentation:
   - Much more extensive documentation has been written about the
     tools and how to get started using them.  See the following web
     page for details:

     http://www.dnssec-tools.org/wiki/index.php/Tutorials

 - Applications:
   - trustman has seen a lot of usability improvements and now has
     more extensive documentation.
   - rollerd and it's controlling scripts can now handle user
     initiated KSK rollovers.
   - zonesigner handles keys stored in other directories better.
   - donuts output has been made more user friendly and the verbosity
     level can now be more finely tuned.
   - donuts rule definitions have been cleaned up and the API for
     writing rules has been simplified.

 - libval
   - There have been a number of minor API changes in libval
   - Support was added for environment and app name-based policies in libval
   - Initial release of the libval_shim library (LD_PRELOAD-based
     approach for transparently enabling validation for various
     applications)
   - The perl Net::DNS::SEC::Validator binding has been updated to
     accomodate the libval changes.

 - Many more minor changes and improvements

1.3

  This release contains a bunch of changes but unfortunately aren't
  well summarized here.  Nearly every tool got at least some update
  in one way or another.

 - general
                         - Significant libval improvements
     			 - Minor build improvements
    			 - New datatypes for the Net::DNS::ZoneFile::Fast module

1.2

  - New default path for configuration files: $(prefix)/etc/dnssec-tools/

  - libval
    - paths/names of resolv.conf, root.hints and dnsval.conf now configurable
    - configure will search for an existing root.hints file and use it.
    - new libval-config script for finding configuration/compile/link options
    - added new policies: for setting the trust status of the provably insecure
      condition and for setting the allowable clock skew on signatures.
    - Added new function to dynamically add validation policy to a validation
      context. 
    - Implemented thread-safe context sharing
    - Added experimental support for DLV (draft-weiler-dnssec-dlv-02.txt)
    - Initial support for NSEC3
    - perl Validator support module for binding perl to libval

  - key rolling
    - improved support in zonesigner
    - improved support in rollerd

  - trustman
    - First support for the timers draft from the DNSEXT IETF working group

  - validate
    - selftest testcases now read from configuration file
    - ability to configure/run 'suites' of testcases

  - maketestzone
    - extremely long-length records added

  - DNSSEC-aware application patches available (multiple states of stability):
    - firefox (improved drastically since 1.1)
    - thunderbird
    - ssh
    - wget
    - sendmail
    - postfix
    - libsp2
    - proftpd
    - ncftp
    - lftp
    - jabberd-2

1.1

  - zonesigner
    - Support for one method of KSK rollover (double signing period)
    - Group keys into signing sets.
    - Allow multiple KSKs to be used in a single signing set. 
    - Other keyrec-related tools were updated to accomodate
      zonesigner changes.
    - Bug fixes.

  - trustman
    - now at version 0.9
    - new keys are now added to named.conf and dnsval.conf
      when holddown time has been reached
    - storage of data in order to survive reboots/restarts has
      been started

  - libval
    - A threaded or non-threaded version can now be created
         (--without-threads)
    - Added support for anti-pollution rules; libval no longer caches out- 
      of-bailiwick answers
    - Made return values for validation status consistent across all
      high-level API functions. It is now possible to detect in
      val_getaddrinfo() if an RRset is provably missing
    - fix val_res_query() to properly return the size of the received
      response;

1.0

  - zonesigner 
    - Support for simultaneous signing with multiple keys
        
  - Key Rollover Tools
    - Support for automated/manual ZSK rollover operations
        
  - trustman (different from TrustMan.pl)
    - Initial support of the IETF "Timers" draft for
      automated monitoring of DNSSEC keys used as trust
      anchors.

  - Added more test case resource records to the test zone at 
    test.dnssec-tools.org (see http://www.dnssec-tools.org/testzone/ )
        
  - An improved validator library (dnssec-tools/validator)
    - The apps/validate utility provides many more features for
      controlling logging levels and redirection of its output
    - Supports ability to selectively trust and not trust specific 
      zones during the validation process
    - Support for NSEC3
    - Ported to many more platforms, including Solaris
    - Added support for checking expiration time on cached rrsets
    - Many bug and memory-leak fixes
        
  - A perl module (Net::DNS::SEC::Validator) for DNSSEC-aware query resolution
    - Binds with the validator library above and exports 
      DNSSEC-aware query resolution functions such as 
      val_gethostbyname, val_res_query, etc. 

  - Updated RPMs for DNSSEC-enabled Firefox 

  - Updated Operator Guides
    - Step by Step Guide for zone maintenance operations using 
      the utilities from DNSSEC-Tools
    - Step by Step Guide for zone maintenance operations using 
      the utilities provided with the BIND distribution.
    - Developers guide for DNSSEC-aware application development
    - DNSSEC Troubleshooting Guide 

  - Miscellaneous:
        - Many other bug fixes.  See the ChangeLog file for full details.

0.9.1:
  - validator library (dnssec-tools/validator):
    - code has been re-structured within the following 
      sub-directories: 
      libsres/ libval/ doc/ etc/ apps/ and include/
    - configures and builds cleanly on the following systems: 
      Fedora, MacOSX, FreeBSD
      (should configure and build on Solaris -- not actually tested)   
    - includes support for tuning "off" DNSSEC using the
      "zone-security-expectation" policy construct. 
    - APIs modified to comply with (upcoming version of) 
      draft-draft-hayatnagarkar-dnsext-validator-api
 
  - dtinitconf, dtconfchk, dtdefs:
    - these tools are used to create, check and consult the 
      file dnssec-tools.conf which is used by many of the
      dnssec tools. dtconfchk was previously known as confchk.
     
    - modules/defaults.pm was also added to provide defaults
      for the above tools.

  - rollinit, rollctl, rollchk, rollerd, lsroll:
    - these tools are used to create, check, and list the roll
      rec files to be used by rollerd and rollctl.

    - rollerd is a daemon to manage DNSSEC key roll-over.

    - rollctl is used to send commands to a rollerd daemon.

  - TrustMan:
    - manages keys used as trust anchors in named.conf and
      dnsval.conf
    - can be run as a daemon or as a one-time check
    - configuration is placed in dnssec-tools.conf

  - donuts:
    - supports a --show-gui flag to display a graphical
      error browser (requires perl QWizard and Gtk2 modules).
    - A better (optional) GUI interface for new users

  - Most tools should report a --version flag. 

  - Other minor improvements have been made to other tools and
    supporting files.
