dnssec-tools-1.5-2mdv2010.0.i586.rpm

This file contains a list of major changes per release.  See the
ChangeLog file for a complete set of changes and their details.

1.5
 - New Features:
   - zonesigner:   - NSEC3 support: --usensec3     (requires bind 9.6)
   - donuts:       - NSEC3 support
   - rollerd:      - Added a -pidfile option
                   - Added a -singlerun option
                   - Added a -foreground option
                   - Added a -alwayssign flag
                   - New rollrec fields to partially support RFC 5011
                     rolling: 'istrustanchor' and 'holddowntime'
   - lsdnssec:     - A new tool to display DNSSEC keying/rolling status
   - mapper:       - added two new options: --edge-style and --node-style
   - getds:        - a new tool to calculate a DS record from a key lookup
   - dnspktflow:   - Added output options for svg, svgz, and postscript
   - maketestzone: - Added an NSEC3 subzone

 - Bug fixes
   - libval:       - should compile better on more OSes
   - rollerd:      - Fixed the -zsargs option in most rollerd related tools
                   - Other minor fixes
   - zonesigner:   - fixed serial number auto-incrementing
            

1.4.1
 - Security Issue:
   The DNSSEC-Tools libval validating resolver library does suffer
   from the same issues that the other DNS resolvers were faced with
   as described by:    http://www.kb.cert.org/vuls/id/800113

   Although DNSSEC will prevent the issues, it is assumed that not
   everyone is using libval with only 100% DNSSEC protected zones.

   The supporting tools that do not use libval are not affected by
   this problem (eg, zonesigner, rollerd, donuts, etc are just fine).

 - NSEC3 value change

   Now that the NSEC3 RFC has been published we've changed the
   internal numeric RR code to the assigned value.  The NSEC3 code,
   however, is still considered experimental and not fully tested.

1.4

 
 - Documentation:
   - Much more extensive documentation has been written about the
     tools and how to get started using them.  See the following web
     page for details:

     http://www.dnssec-tools.org/wiki/index.php/Tutorials

 - Applications:
   - trustman has seen a lot of usability improvements and now has
     more extensive documentation.
   - rollerd and its controlling scripts can now handle user
     initiated KSK rollovers.
   - zonesigner handles keys stored in other directories better.
   - donuts output has been made more user friendly and the verbosity
     level can now be more finely tuned.
   - donuts rule definitions have been cleaned up and the API for
     writing rules has been simplified.

 - libval
   - There have been a number of minor API changes in libval
   - Support was added for environment and app name-based policies in libval
   - Initial release of the libval_shim library (LD_PRELOAD-based
     approach for transparently enabling validation for various
     applications)
   - The perl Net::DNS::SEC::Validator binding has been updated to
     accommodate the libval changes.

 - Many more minor changes and improvements

1.3

  This release contains a bunch of changes, but unfortunately they
  aren't well summarized here.  Nearly every tool got at least some
  update in one way or another.

  - Significant libval improvements
  - Minor build improvements
  - New datatypes for the Net::DNS::ZoneFile::Fast module

1.2

  - New default path for configuration files: $(prefix)/etc/dnssec-tools/

  - libval
    - paths/names of resolv.conf, root.hints and dnsval.conf now configurable
    - configure will search for an existing root.hints file and use it.
    - new libval-config script for finding configuration/compile/link options
    - added new policies: for setting the trust status of the provably insecure
      condition and for setting the allowable clock skew on signatures.
    - Added new function to dynamically add validation policy to a validation
      context. 
    - Implemented thread-safe context sharing
    - Added experimental support for DLV (draft-weiler-dnssec-dlv-02.txt)
    - Initial support for NSEC3
    - perl Validator support module for binding perl to libval

  - key rolling
    - improved support in zonesigner
    - improved support in rollerd

  - trustman
    - First support for the timers draft from the DNSEXT IETF working group

  - validate
    - selftest testcases now read from configuration file
    - ability to configure/run 'suites' of testcases

  - maketestzone
    - extremely long-length records added

  - DNSSEC-aware application patches available (multiple states of stability):
    - firefox (improved drastically since 1.1)
    - thunderbird
    - ssh
    - wget
    - sendmail
    - postfix
    - libsp2
    - proftpd
    - ncftp
    - lftp
    - jabberd-2

1.1

  - zonesigner
    - Support for one method of KSK rollover (double signing period)
    - Group keys into signing sets.
    - Allow multiple KSKs to be used in a single signing set. 
    - Other keyrec-related tools were updated to accommodate
      zonesigner changes.
    - Bug fixes.

  - trustman
    - now at version 0.9
    - new keys are now added to named.conf and dnsval.conf
      when holddown time has been reached
    - storage of data in order to survive reboots/restarts has
      been started

  - libval
    - A threaded or non-threaded version can now be created
         (--without-threads)
    - Added support for anti-pollution rules; libval no longer caches
      out-of-bailiwick answers
    - Made return values for validation status consistent across all
      high-level API functions. It is now possible to detect in
      val_getaddrinfo() if an RRset is provably missing
    - fix val_res_query() to properly return the size of the received
      response
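
  An added example of the kind of out-of-bailiwick filtering the libval
  anti-pollution entry above describes (a sketch, not libval's code). The
  function names and the response records are constructed for illustration.

```python
def labels(name):
    """Split a domain name into lowercase labels; the root name gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is at or below zone, compared label by label.

    A plain string suffix test is not enough: "badexample.com" ends with
    "example.com" but is not inside that zone.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def cacheable_records(queried_zone, records):
    """Split a response into records safe to cache and records to discard.

    queried_zone is the zone the answering server was asked about; only
    records whose owner name falls inside it are kept.
    """
    kept, dropped = [], []
    for rr in records:
        owner = rr[0]
        (kept if in_bailiwick(owner, queried_zone) else dropped).append(rr)
    return kept, dropped

# Constructed response from a server queried for example.com
# (owner, type, rdata); addresses are documentation ranges.
SAMPLE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("example.com.", "NS", "ns1.example.com."),
    ("NS1.Example.COM.", "A", "192.0.2.53"),
    ("www.example.net.", "A", "203.0.113.66"),   # different zone entirely
    ("badexample.com.", "A", "203.0.113.67"),    # string suffix, not a child
]

if __name__ == "__main__":
    kept, dropped = cacheable_records("example.com.", SAMPLE)
    for rr in kept:
        print("cache  ", rr)
    for rr in dropped:
        print("discard", rr)
```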

1.0

  - zonesigner 
    - Support for simultaneous signing with multiple keys
        
  - Key Rollover Tools
    - Support for automated/manual ZSK rollover operations
        
  - trustman (different from TrustMan.pl)
    - Initial support of the IETF "Timers" draft for
      automated monitoring of DNSSEC keys used as trust
      anchors.

  - Added more test case resource records to the test zone at 
    test.dnssec-tools.org (see http://www.dnssec-tools.org/testzone/ )
        
  - An improved validator library (dnssec-tools/validator)
    - The apps/validate utility provides many more features for
      controlling logging levels and redirection of its output
    - Supports ability to selectively trust and not trust specific 
      zones during the validation process
    - Support for NSEC3
    - Ported to many more platforms, including Solaris
    - Added support for checking expiration time on cached rrsets
    - Many bug and memory-leak fixes
        
  - A perl module (Net::DNS::SEC::Validator) for DNSSEC-aware query resolution
    - Binds with the validator library above and exports 
      DNSSEC-aware query resolution functions such as 
      val_gethostbyname, val_res_query, etc. 

  - Updated RPMs for DNSSEC-enabled Firefox 

  - Updated Operator Guides
    - Step by Step Guide for zone maintenance operations using 
      the utilities from DNSSEC-Tools
    - Step by Step Guide for zone maintenance operations using 
      the utilities provided with the BIND distribution.
    - Developers guide for DNSSEC-aware application development
    - DNSSEC Troubleshooting Guide 

  - Miscellaneous:
        - Many other bug fixes.  See the ChangeLog file for full details.

0.9.1:
  - validator library (dnssec-tools/validator):
    - code has been re-structured within the following 
      sub-directories: 
      libsres/ libval/ doc/ etc/ apps/ and include/
    - configures and builds cleanly on the following systems: 
      Fedora, MacOSX, FreeBSD
      (should configure and build on Solaris -- not actually tested)   
    - includes support for turning "off" DNSSEC using the
      "zone-security-expectation" policy construct. 
    - APIs modified to comply with (upcoming version of) 
      draft-draft-hayatnagarkar-dnsext-validator-api
 
  - dtinitconf, dtconfchk, dtdefs:
    - these tools are used to create, check and consult the 
      file dnssec-tools.conf which is used by many of the
      dnssec tools. dtconfchk was previously known as confchk.
     
    - modules/defaults.pm was also added to provide defaults
      for the above tools.

  - rollinit, rollctl, rollchk, rollerd, lsroll:
    - these tools are used to create, check, and list the roll
      rec files to be used by rollerd and rollctl.

    - rollerd is a daemon to manage DNSSEC key roll-over.

    - rollctl is used to send commands to a rollerd daemon.

  - TrustMan:
    - manages keys used as trust anchors in named.conf and
      dnsval.conf
    - can be run as a daemon or as a one-time check
    - configuration is placed in dnssec-tools.conf

  - donuts:
    - supports a --show-gui flag to display a graphical
      error browser (requires perl QWizard and Gtk2 modules).
    - A better (optional) GUI interface for new users

  - Most tools should report a --version flag. 

  - Other minor improvements have been made to other tools and
    supporting files.