opendnssec (1:1.4.9-1) unstable; urgency=medium * OpenDNSSEC 1.4.8 has upgraded the KASP database version again. This means that if you want to use this version or any after it with a database created earlier you will need to do one of 2 things... 1) wipe and recreate your kasp database (run ods-ksmutil setup) which will lose all of your current state. Or if you need to keep your key information then, 2) run the sql statements given in: /usr/share/opendnssec/migrate_1_4_8.{mysql,sqlite3} against your existing database. -- Ondřej Surý Wed, 24 Feb 2016 14:48:54 +0100 opendnssec (1:1.4.3-1) experimental; urgency=low OpenDNSSEC 1.4 has some kasp database changes to allow for an update to the zonelist.xml schema. This means that if you want to use this version or any after it with a database created earlier you will need to do one of 2 things... 1) wipe and recreate your kasp database (run ods-ksmutl setup) which will lose all of your current state. If you need to keep your key information then, 2) run the sql statements given in: /usr/share/opendnssec/migrate_adapters_1.mysql or /usr/share/opendnssec/migrate_adapters_1.sqlite3 against your existing database. These changes allow flexibility in the input and output adapters. -- Ondřej Surý Tue, 17 Dec 2013 16:17:57 +0100 opendnssec (1.4.0~a1-2) unstable; urgency=low * Upstream has removed Zonefetcher and replaced it with Input and Output DNS Adapters. You will need to change your config files: - zonefetch.xml has been removed and should be saved as zonefetch.xml.dpkg-bak - addns.xml has been added, you will need to add your zones here -- Ondřej Surý Mon, 16 Apr 2012 15:26:09 +0200 opendnssec (1.4.0~a1-1) unstable; urgency=low * OpenDNSSEC Auditor has been removed from the OpenDNSSEC 1.4.0. -- Ondřej Surý Fri, 06 Apr 2012 11:58:51 +0200 opendnssec (1.3.7-1) unstable; urgency=low * HSM SCA 6000 in combination with OpenCryptoki can return RSA key material with leading zeroes. DNSSEC does not allow leading zeroes in key data. You are affected by this bug if your DNSKEY RDATA e.g. begins with "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize incoming data before adding it to the DNSKEY. Do not upgrade to this version if you are affected by the bug. You first need to go unsigned, then do the upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not produce data with leading zeroes and the bug will thus not affect you. -- Ondřej Surý Tue, 13 Mar 2012 15:23:16 +0100 opendnssec (1.2.1.dfsg-1) unstable; urgency=low If you are migrating from 1.1.x release, you need to run migration scripts located in /usr/share/opendnssec/. There is a script for sqlite called migrate_keyshare_sqlite3.pl and one for mysql called migrate_keyshare_mysql.pl. It's recommended you backup your data- base before the migration, so it's not run automatically. You can read more about migration in /usr/share/opendnssec-common/MIGRATION file. -- Ondřej Surý Sat, 19 Mar 2011 16:12:24 +0100