Revision history for Perl extension Net::DNS::SEC.

**** 1.24 Apr 25, 2024

	Eliminate deprecated RSA CRT parameter names.
	Add support for SM3 digest.

**** 1.23 Nov 8, 2023

	Code refactoring of XS component.

**** 1.22 Sep 12, 2023

	Enable Ed25519 sign/verify for BoringSSL & LibreSSL.
	Use EC curve names instead of literal NIDs.
	Circumvent sign/verify test failures on EBCDIC platforms.

Fix: #149643 	
	openssl-SNAP-20230831 breaks RSA sign/verify

**** 1.21 Jun 1, 2023

	Add new t/
	Rework pre-installation test scripts.

Fix: #148367 	
	libressl-3.7.1 breaks DSA verify

**** 1.20 Oct 4, 2022

	Improve Net::DNS::SEC::Keyset tests and error reporting.
	Avoid test failures if/when DSA|MD5|SHA1 become unsupported.

**** 1.19 Oct 11, 2021

	Discontinue support for obsolete ECC-GOST.
	Add LICENSE file to comply with Fedora/RedHat announcement
	and WARNING of restrictions on use of strong cryptography.

**** 1.18 Oct 2, 2020

	Eliminate bareword filehandle usage.
	Eliminate indirect object syntax.
	Eliminate grep/map .

**** 1.17 Jun 26, 2020

	Recognise BIND private key accessed via symbolic link.

**** 1.16 May 11, 2020

	Improve testing of verify() functions.
	Rework code in
	SEC.xs code reduction.

**** 1.15 February 3, 2020

	Provide access to OpenSSL message digest implementations.

**** 1.14 October 14, 2019

	Improve exception capture in test scripts.
	Support more efficient algorithm mapping in Net::DNS.

**** 1.13 May 6, 2019

	Tweaks to resolve compilation errors with BoringSSL.

**** 1.12 Mar 19, 2019

	Avoid use of EC_POINT_set_affine_coordinates_GFp which is
	deprecated in OpenSSL 3.0.0
	Reduce level of support for OpenSSL non-LTS releases.

**** 1.11 Dec 11, 2018

	Explain why compilation aborted in Net::DNS::SEC::DSA et al.
	Fix Makefile.PL to suppress parallel test execution.

**** 1.10 Aug 31, 2018

	Collect test coverage metrics for SEC.xs using gcc and gcov.

**** 1.09 Jun 4, 2018

	Avoid use of EC_GROUP_new, EC_GROUP_set_curve_GFp, and
	EC_GFp_mont_method which are expected to disappear.
	Fix filename conflict when tests run in parallel.

**** 1.08 May 11, 2018

	Internal reorganisation to use OpenSSL EVP interface

**** 1.07 April 5, 2018

Fix: #124880
	1.06 will not install on macOS

	Support for Ed25519 and Ed448 algorithms

**** 1.06 March 22, 2018

	Functionally identical to 1.05
	All changes address build/test issues on some platforms

**** 1.05 March 20, 2018

	Interim support for Ed25519 and Ed448 algorithms

Fix: #124650
	Net::DNS::SEC::Private must not die if attribute is not present

**** 1.04 February 15, 2018

	Cryptographic library access re-engineered using PerlXS
	directly instead of CPAN Crypt::OpenSSL::(DSA|EDSA|RSA)
	distributions which have fallen into disrepair.

**** 1.03 August 26, 2016

Fix: #108908
	Tests break when Net::DNS gets shadowed by existing pre-1.01 version.

**** 1.02 September 16, 2015

Fix:	Bug in t/10-keyset.t raises exception in Net::DNS

**** 1.01 August 3, 2015

	The RRs previously implemented in Net::DNS::SEC are now
	integrated with Net::DNS.

Fix: #105808
	Version test for Pod::Test is broken

Fix: #105698
	Net-DNS 1.01 conflicts with Net-DNS-SEC 0.22

**** 0.22 February 11, 2015

   Fix: #101184
   make siginception and sigexpiration available as time() values

   Fix: #101183
   wrong URL for blog in README

   Fix: #83031
   [RRSIG] lack of ECDSA support

***0.21 October 24, 2014

   Fix: #99250
   [RRSIG] validation fails when Signer's Name is upper case

   Fix: #99106
   Premature end of base64 data  (in 14-misc.t test script)

***0.20 August 15, 2014

   Fix: #97457
   !hex! error when parsing NSEC3 with empty salt

***0.19 Jun 6, 2014

   Remove inappropriate deprecation warning in

***0.18 May 8, 2014

   Recode RR implementations to provide Net::DNS 0.69+ interface.

   Fix: #95034
   Failure to parse NSEC3PARAM record with null salt

   Fix: #81289
   Failure to handle GOST DS records

***0.17 November 29, 2013

   Fix: #90270
   NSEC3->covered() should use case-insensitive comparisons

   Fix: #79606
   Lower case zone-name part with DNSKEY::privatename

   Allow to specify algorithms with ::Private->new_rsa_private and
   ::Private->generate_rsa instead of assuming RSASHA1.

   Fix: #55621
   Specify license type (mit) in META.yml

   Fix: #60269
   Remove Digest::SHA1 prerequirement

   Fix: #62387 & #63273
   Typo fixes

   Fix: #62386
   Make Net::DNS::RR::DS::digtype method work

   Fix: #62385
   Do not compress Next Domain Name in NSEC rdata.

   Fix: #61104
   Spelling correction in and fix of key2ds demo program

   Fix: #60185
   Make sure %main::SIG hash keeps its values when compiling Net::DNS::RR::SIG
   in perl versions before 5.14.  See also: #76138

   Fix: #64552 and #79606
   Support for private-key-format v1.3

   Fix: #75892
   Do not canonicalize the "Next Domain Name" rdata field of a NSEC RR
   for draft-ietf-dnsext-dnssec-bis-updates-17 compliance.

   BUG FIX/FEATURE: validation of wildcard RRs now available. Duane
   Wessels is acknowledged for submitting the initial code on which
   this fix is based.

   FIX: case sensitivity of ownername during DS generation
        (Acknowledgements Jens Wagner)

***0.16 March 12, 2010

   Feature: KEY inherits DNSKEY
   This helps maintenance in one part of the code.

   Feature: keylength method ( #53468)
   Added keylength method for RSA and DSA
   Acknowledgements Hugo Salgado

   Fix: #51778
   Empty bitmap would cause error about undefined ARRAY in NSEC/NSEC3.
   Now the code will allow empty bitmaps gracefully    

   Feature: New Algorithm Support ( #51092) 
   SHA2 algorithm support, including NSEC3 algorithm parameters updated
   Acknowledgement Jakob Shlyter

   Fix: #42089
   NSEC3 Algorithm support in NSEC3 broken
   patch by Wes Hardaker

***0.15 December 31, 2008

   Fix: digestbin not set when an empty value passed to hash.

   Feature: Added DLV (rfcc 4431). The RR object is simply a clone of
   the DS RR and inherits ... everything

   Feature: Added NSEC3 and NSEC3PARAM support (RFC5155). 
   This adds Mime::Base32 to the module dependency list. 
   The RR type was still experimental at that time and is maintained
   in Net::DNS::RR.

   Fix: Test script recognizes change in Time::Local. Note that
   Time::Local does not deal with dates beyond 03:14:07 UTC on
   Tuesday, 19 January 2038. Therefore this code has a year 2038 

   Fix: DS create_from_hash now produces objects that can create

   Other: minor changes to the debug statements
          added t/05-rr.t (and identified a couple of bugs using it)

   Fix: a few inconsistencies with respect to parsing of trailing dots.

   During development the test signatures generated with the BIND tools
   were re-generated in order to troubleshoot a bug that (most
   probably) was caused by a version incompatibility between Net::DNS
   and Net::DNS::SEC.  Before release the original test from the 0.14
   release were ran against this version too.


0.14 February 14, 2005

   FIX: The introducion of the keytag warning triggered a bug with RSAMD5
        keys, causing RSAMD5 keys not to be loaded. 

0.13 December 9, 2005 

   FEAT: 14588

        Added support for passing (a reference to) an array of keys to the
	RRSIG verify function.

	The Net::DNS::SEC::Private function will for RSA based keys verify if
	the keytag in the filename is actually correct.
	Since at parsing the value of the DNSKEY RR flags is not known we
	test against the currently defined flag values 256 and 257.

	If we cannot find a keytag match a warning is printed and Private
	key generation fails

        This inconsistency was spotted by Jakob Shlyter.

   FEAT: Added support for SHA256 to the DS RR. Assigned the expected 
        digest type2 for SHA256 type hashes.
        Note that this makes the Net::DNS::SEC depend on Digest::SHA instead
        of Digest::SHA1.

        The default digest type is still set to 1.

        NB. The code makes assumptions about the IANA assignment of the 
            digest type. The assignment may change. Do not use SHA256 in 
	    production zones!!

   FIX: #15662

	Roy Arends noticed and patched the label counting did not ignore
        an initial asterisk label.

   FIX: Wes Hardaker noticed the default TTL values for created signatures to
        be different from the TTLs from the data that is being signed.

   FIX: Wes Hardaker reported there was a problem with validating
        RRsets that had ownernames with capitals.
	The fix depends on a fix in Net::DNS::RR that is available in
	version 0.53_03 or later of the Net::DNS distribution.

  FEAT: Propper dealing with mnemonics for algorithm and digest type
	added to DS

  FIX/FEAT: Mnemonics were written as RSA/MD5 and RSA/SHA1. This has been
        corrected tp RSASHA1 and RSAMD5, as in the IANA registry.

0.12_02 June 6, 2005 (beta 2 release for 0.13)

   Bug: new_from_hash would not correctly create the RR since internally
	typebm is used to store the data this has been fixed so that
        the following works

                    typelist=>join(" ",@types)

   FEAT: Introduced the "use bytes" pragma to force character interpretation
         of all the scalars. Any utf processing by perl makes the code behave

0.12_01 April 18, 2005. (beta release for version 0.13)

   FEAT (!!!): Changed the symantics of the Net::DNS::Keyset::verify method.
	 Read the perldoc for details. The requirement that each key in a 
         keyset has to be selfsigned has been loosened.

   FEAT: Added a "carp" to the new methods of the NXT RR. Warning that
	 that record is deprecated.

   FEAT: Cleaned the tests so that RRSIG and DNSKEY are used except for 
         SIG0 based tests.

   FEAT: Changed the name of the siginceptation[SIC] to siginception.
	 Thanks Jakob Schlyter for notifying me of this mistyping.
	 An alias for the method remains available. 	

   FEAT: Renamed unset_sep() to clear_sep().

   NOTE: To avoid confusion the Net::DNS::SIG::Private class has been
         removed. Use Net::DNS::SEC::Private!

   DOC:  Added references to RFC 4033, RFC 4034 and RFC 4035. Rewrote parts
         of the perlpod.

0.12 June 2004 "DNSSEC-bis Release"

   FEAT: Added utility function key_difference() to Net::DNS::SEC. See
         perlpod for details. I needed this in other software and
         figured they are generic enough to make them available
         through this module.

   FEAT: Modified some functions to use DNSKEY and RRSIG instead off
         KEY and SIG.
         - Net::DNS::Keyset now uses DNSKEY and RRSIG.
	 - the demo function now uses DNSKEY too.
   FEAT: Added the possibility to create a keyset out of two arrays of
         dnskey and rrsig object.

   FEAT: Added some helperfunctions to Net::DNS::SEC::Private to read X509 
         formated private keys and dump them into bind format.
	 This functionality has not been tested well.

   BUG : When reading a RRSIG from a packet the signame would not have
         a trailing dot.

0.11_4  Apr 24 2004 Development snapshot.

   BUG: - Fixed MANIFEST.

   FEAT:  Removed critical dependency on bubblebabble. It is available to 
          DS if installed but not critically dependend.

0.11_3  Mar 4 2004 Development snapshot.

   BUG: - Fixed minor in signing unknown RR types.

0.11_2  Jan 27 2004 Development snapshot.

   FEAT: - Prelimanary support for draft-ietf-dnssec-nsec-rdata-02. This
	   depends on support for unknown RR types (Net::DNS version

0.11_1  Sep 23 2003 Development snapshot.

   FEAT: - To be able to deal with argument supplied as either mnemonics or
           by value the Net::DNS::SEC::argument method was created. It can
           be used as a class method but it is also inherited by
	   Net::DNS::RR::RRSIG and Net::DNS::RR::DNSKEY.

0.11 August 28 2003

   FEAT: - Implemented draft-ietf-dnsext-dnssec-2535typcode-change-04.txt 
           This document has been through review and will be published
           as standard track RFCs shortly. (Publsished as RFC3755).
           IMPORTANT: the implementation of the typecode roll deprecated 
           the use of SIG->create for any other reason than SIG0. If
           you try to create SIGs over RRsets you will be warned.

   FEAT: - Modified the namespace for the module that holds the name
           of the private key from Net::DNS::RR::SIG::Private to 
           Net::DNS::RR::SIG::Private will be deprecated in a next release.

   CLEAN:- Crypt::OpenSSL::RSA v 0.19 introduced the possibility to
           create keys directly from parameters, although this introduced
           a dependency on Crypt::OpenSSL::Bignum it allowed to get rid
           from converting all parameters to DER/ANS1 encoding. Got rid of 
           a number of lines of code.

0.10 January 8 2003

   BUG:  - Crypt::OpenSSL::RSA::new method has been deprecated. Code has
	   been modified to deal with the new constructors

0.09 January 6 2003

   FEAT: - Added Net::DNS::RR::SIG::Private. The class provides 
           an abstraction to the private key material. The SIG create
	   method now either takes a filename, like previously, or a 
	   Private key object as an argument. If you have to create
	   many signatures the latter is preferred because you only have
	   to read the file with the private key material once.
	   Note that by adding this feature a modification to
	   Net::DNS::Resolver was needed to properly do SIG0.  Use
	   Net::DNS version 0.32 or later in combination with this

   FEAT: - Wes Griffen added a parameter change to keyset:

  	   'Attached is a diff for Net::DNS::SEC v0.8 that adds a
	   parameter changes keyset->writekeyset($path) to
	   keyset->writekeyset($prefix,$path) where prefix is an
	   optional string that is prepended to the filename of the
	   keyset. That way I can keep my unsigned keyset in
	   keyset-. and have the signed keyset in

   FEAT: - Babblebubble, handy for telephone confirmation of hashes.
           Added babblebubble string as comment to DS RR.
           DS->babble returns the babble bubble string

   FEAT: - Miek Gieben contributed demo/key2ds

0.08 November 4 2002

   BUG:  - DSA signature verification failed at random about 1 per 10
           sigatures. Corrected allignment problem that lead to this.
	   Added 'stresstest' that loops over creation and verification
	   of signatures to spot these kind of seldomly occuring errors.
           On my VAIO PII 500Mhz the take about a minute:
 	   Files=3, Tests=3056, 69 wallclock secs 
                               (63.30 cusr +  0.70 csys = 63.99 CPU)

   FEAT: - Added Test::More as dependency as on some systems diag was failing.

0.07 October 2 2002

   FEAT: - Added demo/make-signed-keyset, a contribution by Wes Griffin.

   FEAT: - Removed dependency on Math::Pari by porting away from
	   Crypt::DSA to Crypt::OpenSSL::DSA (version 0.10). This should
	   increase portability over platform.

           T.J. Mather, the Crypt::OpenSSL::DSA maintainer has been
	   particularly helpfull and responsive by adding a few
	   methods to the DSA modules.

0.06 August 16 2002

   NOTE: In one of ther versions prior to Net::DNS 0.26 a bug
         got introduced that made Net::DNS::SEC break. The bug was fixed in
	 version 0.27.

   BUG:  - Check on the existence of the private file improved in

         - signame got trailing dot with the create methods and not with

   FEAT: - Added privatekeyname method to
         - Started work on Net::DNS::Keyset.
         - Added RSA/SHA1 (algorithm ID 5) to Patch supplied by
	   Andy Vaskys,  Network Associates Laboratories.
	 - Rewrote regexp's to not use $' (Postmatch).

0.05 and 0.04 June 17, 2002

    BUG:  Makefile.PL needed a fix for unused dependency. This failed
	  made the installation fail :-(. 0.04 introduced another failing

    DOC:  Clarified the documentation at points. 

0.03 June 14, 2002
    DOC: Few Clarifications

0.02 June 4, 2002

    First CPAN Release.
    Some modifications to the packaging.

0.01 May 25, 2002  

    Version 0.01 of the package is an alpha for CPAN release.

The extensions used to be published as a modified version of
Net::DNS. The history of those is documented below.

  Branched off Net::DNS version 0.20 release (CPAN May 15, 2002)


  This version had limited distribution
  First patch against a version 0.20 snapshot (2002-03-27).

  Modified t/09-dnssec.t; uses Test::More now and includes a number of
  self consistency checks.

  DOC   Cleaned up the documentation and removed some references to functions
	and libraries that where not used anyway.

  FIX   'aesthetic' patch supplied by Simon Josefsson reordering the NXT
        RR map for the  print  method.
  FEAT  Added checks on keytype and updated to latest specs for DS 
        Added SIG0 support. See Net::DNS::Packet for details. The verify and
	create methods of where modified somewhat to cope with the 
        Changed RSA backend from Crypt::RSA to Crypt::OpenSSL::RSA because
	Crypt::RSA failed during a 'loss of Math::Pari precision in 


  BUG   DS create method: Hash calculation was done over concatenation of name
        and key material while the hash should be taken over concatenation of
        canonical name and key rdata. (Fix by Mike Schiraldi)

  Added CERT support: Courtesy of Mike Schiraldi  
        for VeriSign
  BUG Fixed MANIFEST file. make dist will result in proper module tar ball

  Solved patch problems that where due to the $ Id $ in headers not 
  being from the original distribution.

  Added DSA signature creation

  Added DS support 
        You have to uncomment line 77 in Net/ to fully enable DS
	This will assign QTYPE 93 to the DS RR.
	That value is not assigned by IANA. 

  Added this README.DNSSEC file

  Added t/09-dnssec.t to the test script with a number of consistency checks.
        after patching the original distribution direction
        perl Makefile.PL
        make test 
        will call this function among other things.

  BUG   KeyID set to 0 for null keys.

  BUG   Sorting of canonical RDATA; 
	Data over which SIG was created was not sorted properly (RFC2535 
        sect 8.3) causing signature verification errors for RDATA within 
	a RRset having different length (e.g. some NS RRsets would not 

  First somewhat public release.

$Id: Changes 1976 2024-04-25 09:05:27Z willem $