13 January 2014: Matthijs
- Fix a bug where the zone transfer was not stored on disk completely yet,
  and the restore failed.

18 December 2013: Matthijs
- Merged OPENDNSSEC-515 from 1.3 branch.

16 December 2013: Matthijs
- SUPPORT-101: If notify_acquired, then zone transfer in progress: don't
  forward notify to xfr handler.

15 November 2013: Matthijs
- Fix task rescheduling for OPENDNSSEC-467.

14 November 2013: Matthijs
- OPENDNSSEC-435: Fix a memleak when cleaning up signatures.

14 October 2013: Matthijs
- OPENDNSSEC-466: Signer create bad TSIG when falling back to AXFR.

11 October 2013: Matthijs
- OPENDNSSEC-467: After ods-signer clear, signer used inbound serial

9 October 2013: Matthijs
- SUPPORT-72: Improve logging when serial cannot be incremented [OPENDNSSEC-461].
- OPENDNSSEC-330: NSEC3PARAM TTL configurable in kasp.
- OPENDNSSEC-463: Duration PT0S is not printed correctly.

20 August 2013: Matthijs
- SUPPORT-71: Signer crashes on a double free in case of a HSM connection
  problem [OPENDNSSEC-444].
- OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default 0 again, to
  keep similarity with BIND9. Decided it needs a configuration option.

24 July 2013: Matthijs
- OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default TTL again, to
  prevent bad caching effects on resolvers.

23 July 2013: Matthijs
- Set AA bit in SOA response (fix daily tests).
- Better log msg bad rcode notify

10 July 2013: Matthijs
- Signer response to SOA queries from file, instead of memory. Makes
  response non-blocking [OPENDNSSEC-424].

5 July 2013: Matthijs
- Fix invalid free in case of adding a new zone with DNS outbound adapters
  and NotifyCommand (thanks Ville Mattila).

3 July 2013: Matthijs
- SUPPORT-66: Fix file descriptor leak in case of TCP write error
  [OPENDNSSEC-427].

28 June 2013: Matthijs
- Improved XFR checking

17 June 2013: Matthijs
- SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound
  serial [OPENDNSSEC-420].

12 June 2013: Matthijs
- OPENDNSSEC-401: SUPPORT-58: Extend ods-signer sign <zone> with --serial <nr>
  so that the user can specify the SOA serial to use in the signed zone.

10 June 2013: Matthijs
- Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet (thanks Stuart
  Lau).

6 June 2013: Matthijs
- Bugfix: Remove wrongly placed reset of serial disk acquired (thanks 
  Stuart Lau).
- Bugfix: Don't crash if NSEC3 Hash Algo is bogus.

22 April 2013: Matthijs
- OPENDNSSEC-247: TTL NSEC3 was not updated on SOA Minimum change.

15 February 2013: Matthijs
- Coverity report

11 February 2013: Matthijs
- Improve error logging when xfr fails due to xfrd_parse_rrs().

5 February 2013: Matthijs
- Fix deadlock when in corner case denial node has no RRset.
- OPENDNSSEC-389 / SUPPORT-50 / SUPPORT-51

1 February 2013: Matthijs
- OPENDNSSEC-388: Internal serial should take into account inbound
  serial.

29 January 2013: Matthijs
- Fix build warning

23 January 2013: Matthijs
- Always check for max backoff before working sleep/setting task time.

16 January 2013: Matthijs
- Signer should not fail read task if there is no new xfr (thanks
  Ville Mattila)

10 January 2013: Matthijs
- OPENDNSSEC-350: Improve logging when there are problems with inbound xfr
- SUPPORT-44: bind() to sockets before privdrop

10 December 2012: Matthijs
- Better TSIG logging and documentation, return NOTAUTH on TSIG error.

23 November 2012: Matthijs
- Add and remove empty non-terminal NSEC3s when adding/removing signed
  delegation.

20 November 2012: Matthijs
- Only commit zone transfers that are completely stored on disk (a
  connection reset may store half a zone transfer on disk)

7 November 2012: Matthijs
- Don't add double RRSIGs generated by same key for DNSKEY RRset.

29 Oktober 2012: Matthijs
- Put back occluded data in signed zone files/transfers.
  Make sure that their RRtypes don't end up in the NSEC(3) chain.

19 Oktober 2012: Matthijs
- Fix issue where IXFRs are coming too fast and some are lost.

19 September 2012: Matthijs
- Catch signals, instead of crashing.

13 September 2012: Matthijs
- OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.
- Allow multiple KSKs

12 September 2012: Matthijs
- Code review Ondrej Sury.

6 September 2012: Matthijs
- OPENDNSSEC-325: Don't include RRSIG records when DO bit is not set.
- OPENDNSSEC-326: Stop serving a zone that could not be transferred from master
  and has been expired.

5 September 2012: Matthijs
- OPENDNSSEC-318: Don't stop dns and xfr handlers if these threads have not
  yet been started.
- OPENDNSSEC-319: Fix TSIG segfault on signer shutdown.

4 September 2012: Matthijs
- OPENDNSSEC-320: The <ProvideTransfer>, <Notify>, <AllowNotify> and
  <RequestTransfer> elements are now optional, but if provided they require
  one or more <Peer> or <Remote> elements.

28 August 2012: Matthijs
- Fix resource leaks and code ineffeciences.

9 August 2012: Matthijs
- More sophisticated wait() on execvp().

8 August 2012: Matthijs
- OPENDNSSEC-304: Split check pidfile and write pidfile. So that we can exit
more early. Also, doing it early, the error will end up in stderr. Is nicer
than in syslog.

7 August 2012: Matthijs
- Fix serial check, so that signer does not retry fetch a newer zone if
  serial on disk and serial in memory are equal.

6 August 2012: Matthijs
- Replace system() function call with execvp().

2 August 2012: Matthijs
- Better error message when reading large zone file (OPENDNSSEC-261)
- Explicit shutdown to ods-signer client to prevent hanging clients
- Added warning messages when serial unixtime or datecounter cannot be used.

30 July 2012: Matthijs
- Make random_id() more random.

24 July 2012: Matthijs
- Fix assertion error when printing signed zone with empty non-terminals
  and NSEC.

23 July 2012: Matthijs
- OPENDNSSEC-304: Check pidfile on startup, complain and exit if pidfile
  exists and corresponding process is running.

6 July 2012: Matthijs
- OPENDNSSEC-269: Fix crash in ldns_rr_list_push_rr() due to missing lock
  in ixfr structure.

28 June 2012: Matthijs
- OPENDNSSEC-290: Fix false conflict detected when changing CNAME into A.

27 June 2012: Matthijs
- SUPPORT-29/ OPENDNSSEC-289: Fix ods-signer clear command exits prematurely.

21 June 2012: Matthijs
- OPENDNSSEC-255: Defense mechanism for writing out mangled RRSIGs.
- OPENDNSSEC-260: if hsm_create_context() fails, reload so that hsm_reopen()
  will be called.
- OPENDNSSEC-261: <Peer/> element does not require <Prefix/>, so that you
  can have an ACL based on a TSIG <Key/> only.

20 June 2012: Matthijs
- OPENDNSSEC-282/SUPPORT-30: Cleanup RRSIGs for RRsets that become glue

4 June 2012: Matthijs
- SUPPORT-28: Fix build warnings on NetBSD (thanks Fredrik Pettai).

24 May 2012: Matthijs
- OPENDNSSEC-267: Sign NOTIFY OK response with TSIG.

21 May 2012: Matthijs
- OPENDNSSEC-263: Add EDNS support: Bind9 sends zone transfer and soa requests
  with EDNS, OpenDNSSEC did not expect OPT RRs.

16 May 2012: Matthijs
- OPENDNSSEC-264: fixes assertion error when writing out IXFR file.
- OPENDNSSEC-265: Fix crash when deleting denial node without RRset (may
  happen in policies with NSEC3/ Optout).

15 May 2012: Matthijs
- OPENDNSSEC-259: Fix assertion error in wire/sock.c when doing outbound axfr
  for large zones.

20 April 2012: Matthijs
- OPENDNSSEC-247: TTL on NSEC(3) was not updated on SOA Minimum change.

3 April 2012: Matthijs
- OPENDNSSEC-228: Make 'ods-signer update' reload signconfs even if zonelist
  has not changed. 
- OPENDNSSEC-231: Allow for Classless IN-ADDR.ARPA names (RFC 2317).

20 March 2012: Matthijs
- OPENDNSSEC-164: A new way to backup
- OPENDNSSEC-226: Listener should be configured with Address, not IPv{4,6}.

29 February 2012: Matthijs
- OPENDNSSEC-218: Prevent loop when backup files and HSM are not in sync.

14 February 2012: Matthijs
- Fix build warnings

8 February 2012: Matthijs
- Set AA bit on responses

7 February 2012: Matthijs
- OPENDNSSEC-212: pselect compatability code

2 February 2012: Matthijs
- OPENDNSSEC-33: Signer check if HSM connection is still open
- OPENDNSSEC-178: Make worker wait pushing on sign queue if queue is full

31 January 2012: Matthijs
- OPENDNSSEC-204: Warn on missing Listener
- OPENDNSSEC-207: Fix bug in signer command channel and stdin
- OPENDNSSEC-209: Make File Output Adapter atomic

25 January 2012: Matthijs
- OPENDNSSEC-149: Implement IXFR as part of DNS Output Adapter

6 January 2012: Matthijs
- OPENDNSSEC-149: Remove auditor from signer

2 January 2012: Matthijs
- OPENDNSSEC-174: --config option not caught
- Define PF_INET and PF_INET6 if undeclared

30 November 2011: Matthijs
- Zonefetcher deprecated

29 November 2011: Matthijs
- OPENDNSSEC-156: Always update the new addns config
- OPENDNSSEC-163: better ixfr handling
- OPENDNSSEC-165: Print the name of the RCODE in error message
- OPENDNSSEC-166: No error log if tsig is missing for notify

28 November 2011: Matthijs
- OPENDNSSEC-26: Write SOA in outgoing notifies and ixfr requests

25 November 2011: Matthijs
- A notify handler
- OPENDNSSEC-147: Implement a notify handler that awaits NOTIFY OK
  responses and is TSIG signed (if configured)

24 November 2011: Matthijs
- OPENDNSSEC-150: TSIG for DNS Input Adapter (OPENDNSSEC-24)

21 November 2011: Matthijs
- OPENDNSSEC-23: Update addns.rnc
- TSIG signing and verifying

18 November 2011: Matthijs
- OPENDNSSEC-11: A fd of 0 is legal (self pipe trick failed issue?)

17 November 2011: Matthijs
- TSIG
- B64 compatability functions

16 November 2011: Matthijs
- Examine soa record in notify and forward to xfrd process

14 November 2011: Matthijs
- OPENDNSSEC-8: Signer should log auditor exit code
- Handle incoming queries

7 November 2011: Matthijs
- Write XFR to disk first to a tmp file (so we don't block xfr requests
  when writing a new signed file)

1 November 2011: Matthijs
- Maintain a ixfr journal of 3 parts, purge after each succesfull write
- Make sure that signatures that are deleted make it to the ixfr journal
- Send NOTIFY after succesful write of zone

28 October 2011: Matthijs
- Trac #262: Drudgers seem to be in a waiting state, but the RRset FIFO
  queue is full. Do an additional broadcast.

27 October 2011: Matthijs
- Warn the user if the serial is b0rk, and you can not use the serial
  from the signconf

26 October 2011: Matthijs
- Make sure that all required zonelist elements exist, otherwise error.
  Resolves Paul Wouters ods-signer crash where the input adapter was
  commented out.

25 October 2011: Matthijs
- Allow for <Refresh/> of 0 seconds
- Defense in depth in signer for duplicate keys

19 October 2011: Matthijs
- Print xfr to disk

18 October 2011: Matthijs
- Always remove records that are not added (currently all axfr)

14 October 2011: Matthijs
- Pivotal #19686881: NSEC3PARAM left in records after switch NSEC3->NSEC

13 October 2011: Matthijs
- Inbound soa serial refresh retry management

12 October 2011: Matthijs
- Don't block incoming notifies

10 October 2011: Matthijs
- The wire
- An addns parser
- A dns handler
- DNS Adapters

4 October 2011: Matthijs
- Pivotal #19168315: Signer does not update TTL on RRs unless there is
  change in RDATA

30 September 2011: Matthijs
- Fix a similar bug like Trac #257: Error in ods-signerd, where a corrupted
  backup file results in an invalid pointer free().

23 August 2011: Matthijs
- Introduce halted_when: make sure that the halted task is continued at
  the correct time
- Log functions for RR and domain name
- Move zonedata to new namedb structure
- Move NSEC3 Parameters and keylist into signconf structure

16 August 2011: Matthijs
- Fix assertion failure: No valid signconf, yet want to sign
- Pivotal #17052469: Enters a deadlock if it is stopped while signing

12 August 2011: Matthijs
- Pivotal #16881025: No signatures in signed zone

8 August 2011: Matthijs
- Check the inbound serial in the .axfr file to prevent redundant AXFRs

4 August 2011: Matthijs
- Pivotal #16517425: Signature lifetime too long/short

26 July 2011: Matthijs
- Trac #256: Make sure arguments in ods-control signer are not ignored

5 July 2011: Matthijs
- Pivotal #15342489: Return better error codes from ods_file_copy

30 June 2011: Matthijs
- Trac #247: Fixes bug introduced by bugfix #242
- Zonefetcher: Sometimes invalid 'Address already in use' occurred

27 June 2011: Matthijs
- Pivotal #15021787: Not updating TTL of DNSKEY RRset

23 June 2011: Matthijs
- Pivotal #14922121: Crashing when ods-signer update unknown zone

6 June 2011: Matthijs
- Handle stdout console output throttling that would truncate
  daemon output intermittently

26 May 2011: Matthijs
- Trac #242: Lock axfr file when reading/writing
- Read IXFR from file

6 May 2011: Matthijs
- Fix a race condition when doing a single run

26 April 2011: Matthijs
- Fix assertion failure if zone was just added.

20 April 2011: Matthijs
- A journal for IXFR serving

18 April 2011: Matthijs
- Remove Dummy Adapter, introduce File DNS Adapter

11 April 2011: Matthijs
- Coverity report
- Fallback backup recovery

7 April 2011: Matthijs
- Adjust zonelist.xml for new adapters

24 March 2011: Matthijs
- Trac #221: Segmentation Fault on schedule.c:232
- Introduce the Dummy Adapter

23 March 2011: Matthijs
- Pivotal #11398785: Only recover nsec3params if nsec_type is NSEC3
- Pivotal #11399873: Republish dnskey and nsec3params after flush

22 March 2011: Matthijs
- Pivotal #11348469: Read serials from backup
- Pivotal #11387763: Use outbound serial as previous, reset internal serial
  if not outputted
- Pivotal #11396309: Unset needs_signing when recovering a signature

21 March 2011: Matthijs
- Pivotal #11336393: Maintain flush count and return first flush-task if
  flushcount > 0

18 March 2011: Matthijs
- Rollback serial if signing failed
- Only update stats if signing was ok
- Get NSEC3PARAM in zone after switching from NSEC to NSEC3
- Only publish DNSKEYs if not already published
- <Serial>counter</Serial> will use inbound serial + 1

16 March 2011: Matthijs
- Bump to ldns 1.6.9
- Pivotal #11131107: Publish dnskeys and nsec3params after loading
  signconf (not before reading)
- Pivotal #11131385: Only reset interrupt here if not is load signconf
- Pivotal #11167453: Initialize stats start time when re-signing

14 March 2011: Matthijs
- Pivotal #11073405: Create ctx before publishing dnskeys

11 March 2011: Matthijs
- Different backup approach 

9 March 2011: Matthijs
- Lock zone stats when accessing, preventing weird statistics

17 February 2011: Matthijs
- Allow for duplicates in the unsigned zone input
- Introduce RRset queue, signer threads (OpenDNSSEC 1.3)

16 February 2011: Matthijs
- Pivotal #9218653: Make signer ready for signing the root
- Pivotal #9960235: Enable core dumps
- Pivotal #10013459: Text "critical" in alert logs
- Pivotal #10016809: Override DNSKEY and SOA values with those of the
  policy
- Trac #198: zone updates ignored?
- Prevent race condition when setting up the workers and cmdhandler
- Quit when there are errors in the configuration
- NSEC chain could become broken if the predecessor domain
  of a deleted domain was a glue domain
- Use SOA MINIMUM as NSEC(3) TTL

14 February 2011: Matthijs
- Prepare for a more generic adapter approach

9 February 2011: Matthijs
- Simplify serial maintenance

8 February 2011: Matthijs
- Pivotal #7813483: Replace tabs with white space when logging RRs
- Do not block update command while signing
- Check if zone is ready for signing (does it have a valid signconf?)

7 February 2011: Matthijs
- Denial of existence tree
- Redesign of zone data structure, to handle commit/rollback updates
- A function to calculate zone data differences

3 February 2011: Matthijs
- Adapter utilities and API

31 January 2011: Matthijs
- Introduce a task independent schedule

27 January 2011: Matthijs
- Shared code

25 January 2011: Matthijs
- Trac #207: quicksorter fails on new line comments

20 December 2010: Matthijs
- Pivotal #7533929: Start zonefetcher before dropping privileges

6 December 2010: Matthijs
- Pivotal #6999729: When rolling NSEC to NSEC3, you get both denial records
  in the zone

2 December 2010: Matthijs
- Pivotal #6838873: TTL of NSEC(3)s are not changed

1 December 2010: Matthijs
- Pivotal #6872139: Remove minimize TTL code
- Pivotal #6916711: Set notify command when reloading zonelist

23 November 2010: Matthijs
- Pivotal #6619421: TTL of signature is not changed

22 November 2010: Matthijs
- Pivotal #6619971: TTL for RR in include file and RRs after the statement
- Pivotal #6619659: NSEC is now dropped when RR is removed.
  Also, don't delete NSEC3 node that has become empty non-terminal

12 November 2010: Matthijs
- Pivotal #6266045: Redirect notify command output to /dev/null
- Pivotal #6267237: canonicalize owner RRSIG

8 November 2010: Matthijs
- Coverity report

3 November 2010: Matthijs
- Fixed several memleaks

25 October 2010: Matthijs
- Trac #187: ods-signer running
- Narrow glue at the zone cut is allowed
- Move zone fetcher output to correct input adapter file

15 October 2010: Matthijs
- Signer logs statistics just after outputting a new signed zone

14 October 2010: Matthijs
- Pivotal #5677996: Cancel update if read zone failed
- Don't allow for glue below DNAME

13 October 2010: Matthijs
- Add manpages

11 October 2010: Matthijs
- Function to examine zonedata

6 October 2010: Matthijs
- Don't delete empty non-terminal domains
- When signing, skip glue that exists *at* the delegation

5 October 2010: Matthijs
- Signature recycle logic revised

29 September 2010: Matthijs
- Apply Roland van Rijswijk patch to zonefetcher

28 September 2010: Matthijs
- Announce new signer (OpenDNSSEC 1.2)

23 September 2010: Matthijs
- Handle out of zone data
- CNAME and DNAME are singleton types

22 September 2010: Matthijs
- Subdomain count management

21 September 2010: Matthijs
- Drop SOA RRSIGs when doing ods-signer sign <zone>
- Fix task compare and task queue flush
- Fix NSEC3 rdata count

17 September 2010: Matthijs
- Update backup magic
- Make sure that all zones have been processed once in single run mode

16 September 2010: Matthijs
- NotifyCommand

25 Aug 2010: Matthijs
- Speed up signing (Pivotal 4661967)

22 July 2010: Matthijs
- goto trunk

15 July 2010: Matthijs
- Integrate zone fetcher

28 June 2010: Matthijs
- Implement timeshift

23 June 2010: Matthijs
- Run once option

16 June 2010: Matthijs
- Integrate ods-auditor
- clear command

20 May 2010: Matthijs
- NSEC (3)
- sign command
- SOA SERIAL arethmetic

29 April 2010: Matthijs
- Pend updates
- Print zone

22 April 2010: Matthijs
- queue, flush, reload commands
- Task queue
- Parse signer configurations

20 April 2010: Matthijs
- Parse zonelist
- help, start, stop, verbosity, zones commands

19 April 2010: Matthijs
- Privdrop
- Signer client

15 April 2010: Matthijs
- Daemonize

14 April 2010: Matthijs
- Command handler

13 April 2010: Matthijs
- Parse conf.xml
- Import utilities

12 April 2010: Matthijs
- Initial signer daemon
