[ldns-users] ldns 1.6.16 released

Willem Toorop willem at nlnetlabs.nl
Tue Nov 13 11:17:19 UTC 2012


Dear maintainers, ldns users and OpenDNSSEC users,

We have found an issue in ldns releases 1.6.14 and 1.6.15. Both
versions have a bug whereby during zone-parsing, the NSEC3 generation
code fails to create an empty bitmap on empty non-terminals. The bug
was discovered when the new ldns became a part of the OpenDNSSEC test
environment; the pre-release ldns regression tests did not cover this
specific case.

Besides, ldns 1.6.14 and 1.6.15 do not build a working pyldns module
(the python bindings to ldns).

Does this affect you?
---------------------

This affects users that have empty non-terminals in their zones and
sign their zones NSEC3-style.

This does not affect users signing their zones NSEC-style, nor does
this affect users that have no empty non-terminals in their zone, nor
does this affect users who are running ldns 1.6.13 or lower.

How to resolve?
---------------

If you are using ldns 1.6.14 or 1.6.15, please update your systems to
use ldns version 1.6.16 or higher, available here:

link: http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.16.tar.gz
sha1: 5b4fc6c5c3078cd061905c47178478cb1015c62a

How could this happen?
----------------------

Thanks to the thorough code reviews, release 1.6.14 fixed a larger
number of bugs than before. Fixing bugs always carries the risk of
introducing new bugs or reintroducing old bugs. We have long practised
"Continuous integration": on each commit we
automatically perform general unit tests and numerous tests that
verify that earlier detected bugs have not accidentally re-emerged.

Unfortunately we did not yet run the test suites of software using
ldns as part of our "Continuous integration". We thus did not detect
the influence those fixes had on software that uses ldns.

How are we going to prevent this in the future?
-----------------------------------------------

We have added regression tests to the ldns test package that run the
test cases for Unbound and pyldns with the new version of ldns. This
way, we can identify changes that introduce faults in software that
depends on ldns at an early stage.

The newly added regression tests now check for
* loading of pyldns and pyldnsx
* Whether the test suite of Unbound succeeds,
  - without building it against the new ldns version
    (so testing for backwards binary compatibility)
  - and with building it against the new ldns version.

Regression testing for OpenDNSSEC has been performed manually with this
release, but a similar setup as for Unbound will be deployed shortly.

Please let us know if you wish to include regression tests for your
software in the ldns test suite.

Best regards,

For NLnet Labs, Willem and Matthijs

* Fix Makefile to build pyldns with BSD make
* Fix typo in exporting b32_* symbols to make pyldns load again
* Allow leaving the RR owner name empty in ldns-testns datafiles.
* Fix fail to create NSEC3 bitmap for empty non-terminal (bug
  introduced in 1.6.14).
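Added example, not part of the original announcement and not ldns code: a way to answer "Does this affect you?" by listing the empty non-terminals in a zone and the hashed owner names (per RFC 5155) where a correctly signed zone carries an NSEC3 record with an empty type bitmap. The function names, the sample owner names, salt and iteration count are assumptions made for illustration; the input is taken to be the authoritative owner names of the unsigned zone, and opt-out is not considered.

```python
import base64
import hashlib

# Maps the standard base32 alphabet onto base32hex, which NSEC3 owner labels use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Lower-cased labels of a domain name, without the root label."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def empty_non_terminals(origin, owner_names):
    """Names below the apex that own no records but have descendants that do."""
    apex = labels(origin)
    owners = {labels(n) for n in owner_names}
    ents = set()
    for owner in owners:
        if owner[len(owner) - len(apex):] != apex:
            continue  # out-of-zone name, ignore
        # Every ancestor strictly between this owner and the apex.
        for cut in range(1, len(owner) - len(apex)):
            if owner[cut:] not in owners:
                ents.add(".".join(owner[cut:]) + ".")
    return sorted(ents)

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hashed owner label: salted, iterated SHA-1 in base32hex."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def expected_ent_nsec3(origin, owner_names, salt_hex, iterations):
    """(ENT, hashed owner name) pairs that need an NSEC3 with an empty bitmap."""
    zone = ".".join(labels(origin)) + "."
    return [(ent, nsec3_hash(ent, salt_hex, iterations) + "." + zone)
            for ent in empty_non_terminals(origin, owner_names)]

if __name__ == "__main__":
    # Constructed sample: owner names of an unsigned zone and its NSEC3 parameters.
    OWNERS = ["example.", "ns1.example.", "a.example.", "x.y.w.example."]
    for ent, hashed in expected_ent_nsec3("example.", OWNERS, "aabbccdd", 12):
        print(f"{ent:<14} expect NSEC3 {hashed} with no types in its bitmap")
```

If the list is empty the zone has no empty non-terminals; otherwise each hashed owner name printed should be present in the NSEC3 chain of the signed zone.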

