CHANGELOG
* misc Eliminate some compiler warnings
* bug Saltbits can be set to 0 (which is also the default value now).
Adding salt provides no practical benefits.
See the man page of dnssec-signzone and RFC 9276.
Thank you Vladislav Kurz
* misc Removed the Compiler warning -Wabsolute-value again, because it seems that
it is only available with newer gcc versions
Thanks to Othmar Truniger
* misc Added Compiler warning -Wabsolute-value, which found a long<->int
mismatch in zkt-soaserial using abs(int).
In the same source file "char master[]" was defined one byte off.
Thanks to Frank Behrens
zkt 1.1.6 -- 04. Jan 2023
* misc New configure.ac file generated by 'autoscan'
* bug Jan Münnich found out that "-fcommon" is needed to compile ZKT
with gcc 10.
This was because of multiple external definition caused by
including header files while defining "extern" as empty.
Fixed now by eliminating includes within include files
so "-fcommon" is not needed.
* misc Increase of some string vars because of compiler warnings
* bug Fixed an empty statement (semicolon) in freeconfig()
(Thank you gcc!)
zkt 1.1.5 -- 17. Jun 2019
* misc Option -r of dnssec-keygen has been deprecated since 9.13 (or so)
Usage removed in dki_new()
* func recursive_file_mtime() function added by Sven Stickroth
This is useful if several zone files are included in a main zone.db
file to track a change of any of the input files.
It is not compiled in by default (use configure --enable-inc-file-tracking
to enable) because for large zone files this could be a time consuming process.
It is possible to add all included files to the local config parameter
"DependFiles" instead. (Use zkt-conf <zonefile> to get a list of files to be added).
* misc Log name of zone if KSK is expired
Thanks to Sven Stickroth
* misc DEST_DIR added to Makefile to install executables at common places
Thanks to Sven Stickroth
* bug Fix typos in rollover.c
make clean also cleans OBJ_KLS files
Thanks to Sven Stickroth
zkt 1.1.4 -- 9. May 2016
* misc Hint to mailinglist removed from README file
* bug pathname wasn't initialized in every case (dist_and_reload() in nscomm.c)
Thanks Jeremy C. Reed
* bug move $(LIBS) to the end of the gcc link line in Makefile.in
* misc Exitcode of external command is now visible in log messages
stderr of each external command is redirected to stdin
* bug Fixed some potential memory leaks in ncparse.c dki.c zfparse.c
and zkt-soaserial.c (mostly a missing fclose() on error conditions).
Thanks to Jeremy C. Reed
* misc README file changed to Markdown syntax
* bug running zkt-keyman -3 didn't change anything on the key database
so a zkt-signer run afterwards didn't see anything to do.
Now the timestamp of the dnskey.db will be reset to a value less
than the timestamp of the (new) key signing key.
Thanks to Sven Strickroth for finding this.
* func New binary zkt-delegate added
Because it depends on the ldns library, it is located in
a separate directory and uses a different Makefile
* func New Compile time option "--enable-ds-tracking" added.
Now dig is used on KSK rollover to check if the DS record
is announced in the parent zone.
Thanks to Sven Strickroth providing the patch.
zkt 1.1.3 -- 21. Nov 2014
* func New Config Parameter DependFiles added.
Contains a (comma separated) list of files which are
included into the ZoneFile. The timestamps of these files
are checked in addition to the timestamp of the ZoneFile.
Based on a suggestion from Sven Strickroth
* misc Makefile changed to build tar file out of git repository
* misc Minimum supported BIND version is now 9.8
* bug Fixed bug in BIND version parsing (9.10.1 was parsed as 910
which is similar to 9.1.0)
Version 9.10.1 is parsed now as 091001
* misc Remove flag to request large exponent when creating keys
(BIND always creates keys with large exponents since BIND 9.5.0)
* misc Project moved to github
Thanks to Jakob Schlyter for doing the initial stuff
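The version parsing fix above (9.10.1 read as 910 instead of 091001) is the classic "compare versions as concatenated digits" mistake, and it matters here because ZKT decides which dnssec-signzone/dnssec-keygen options to pass based on the detected BIND version. The following is an added example, not ZKT's own parser: it encodes a version as two zero-padded digits per component, rejects anything it cannot account for, and puts an unpadded encoding beside it to show how the ordering breaks. Accepting and ignoring a "-P1"-style suffix is this example's assumption, not documented ZKT behaviour; the 9.8 minimum (90800) comes from the entry above.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Zero-padded encoding: two digits per component, so "9.10.1" becomes 91001
 * (printed as 091001) and "9.8.0" becomes 90800. Numeric order of the codes
 * then matches the order of the versions. Returns 0 on success and -1 on
 * malformed input, leaving *out untouched. An optional "-suffix" such as the
 * "-P1" of a BIND patch release is accepted and ignored (an assumption of
 * this example, not a documented ZKT behaviour). */
int bind_version_code(const char *s, long *out)
{
	long parts[3] = {0, 0, 0};
	const char *p = s;
	int i;

	for (i = 0; i < 3; i++) {
		char *end;

		if (!isdigit((unsigned char)*p))	/* every component must start with a digit */
			return -1;
		errno = 0;
		parts[i] = strtol(p, &end, 10);
		if (errno != 0 || parts[i] > 99)	/* at most two digits per component */
			return -1;
		p = end;
		if (i < 2) {				/* components are separated by single dots */
			if (*p != '.')
				return -1;
			p++;
		}
	}
	if (*p != '\0' && *p != '-')			/* anything else trailing is rejected */
		return -1;

	*out = parts[0] * 10000 + parts[1] * 100 + parts[2];
	return 0;
}

/* Convenience wrapper: the code, or -1 if the string is malformed. */
long version_code_or_neg(const char *s)
{
	long code;
	return bind_version_code(s, &code) == 0 ? code : -1;
}

/* Unpadded encoding that simply drops the dots: "9.10.1" becomes 9101 but
 * "9.9.10" becomes 9910, so the codes no longer order like the versions.
 * This illustrates the class of bug the changelog entry describes; it is not
 * a reconstruction of the old ZKT parser. */
long unpadded_version_code(const char *s)
{
	long code = 0;
	for (; *s != '\0' && *s != '-'; s++)
		if (isdigit((unsigned char)*s))
			code = code * 10 + (*s - '0');
	return code;
}

/* 1 if version string s is at least min_code (90800 for the 9.8 minimum
 * stated in the changelog), 0 if older, -1 if s is malformed. */
int bind_version_at_least(const char *s, long min_code)
{
	long code = version_code_or_neg(s);
	if (code < 0)
		return -1;
	return code >= min_code;
}

int main(void)
{
	const char *samples[] = {"9.10.1", "9.9.10", "9.8.0", "9.10.1-P1", "9.100.1", "9.x"};
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		long code = version_code_or_neg(samples[i]);
		if (code >= 0)
			printf("%-10s padded %06ld  unpadded %ld  >= 9.8: %s\n", samples[i],
			       code, unpadded_version_code(samples[i]),
			       code >= 90800 ? "yes" : "no");
		else
			printf("%-10s rejected\n", samples[i]);
	}
	return 0;
}
```

The padded code makes 9.9.10 (90910) sort below 9.10.1 (91001), while the unpadded variant puts 9.9.10 (9910) above 9.10.1 (9101); a version check built on the latter would silently enable or disable options for the wrong BIND releases.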
zkt 1.1.2 -- 05. Dec 2012
* bug Fixed bug introduced by changes on inc_soa_serial()
zkt 1.1.1 -- 27. Nov 2012
* bug Error fixed in zkt-conf in parsing the version number
* misc inc_soa_serial() now returns 0 on success
* bug Fixed bug in inc_serial()
The zone file wasn't closed on successful change of the soa record.
Many thanks to Frederik Soderblom for fixing this.
zkt 1.1 -- 30. Jan 2012
* misc Release numbering changed to three level "major.minor.revision" scheme
* bug REMOVE_HOLD_TIME was set to 10 days only (Thanks to Chris Thompson)
* doc Improved README file (Thanks to Jan-Piet Mens)
* misc Fixed some typos in log messages
* bug Fixed error in rollover.c (return code of genfirstkey() wasn't checked)
* misc Default of KeySetDir changed from NULL to ".." (best for hierarchical mode)
Default Sig Lifetime changed from 10 days to 3 weeks (21 days)
Default ZSK lifetime changed from 3 months to 4 times the sig lifetime
Default KSK lifetime changed from 1 year to 2 years
Parameter checks in checkconfig() adapted.
KSK random device changed back from /dev/urandom to BIND default
(Be aware of some possibly long delay in key generation)
* func New configure option to set the bind utility path manually (--enable-bindutil_path)
BIND_UTIL_PATH in config_zkt.h is no longer used
(Thanks to Mans Nilsson)
* bug If nsec3 is turned on and KeyAlgo (or AddKeyAlgo) is RSASHA1
or DSA, genkey() uses algorithm type NSEC3RSASHA1 or NSEC3DSA instead.
(Thanks to Holger Wirtz)
* bug Error in printconfigdiff() fixed. (Thanks to Holger Wirtz)
* func Description added to (some of the) dnssec.conf parameters
* func Adding a patch from Hrant Dadivanyan to always pre-publish ZSKs
* misc Config file syntax changed to parameter names without underscores.
zkt-conf uses ZKT_VERSION string as config version
* bug "make install-man" now installs all man pages
* bug Bug fixed in zfparse.c. zkt-conf was unable to detect an already
included dnskey.db file if another file was included.
* misc destination dnssec-zkt removed from Makefile.in
* func dki_prt_managedkeys() added to dki.c
zkt_list_managedkeys() added to zkt.c
zkt-ls has new option -M to print out a list of managed-keys
* bug Bug fixed in the config parser (zconf.c). Couldn't parse
algorithm RSASHA512 correctly (Thanks to Michael Sinatra)
zkt 1.0 -- 15. June 2010
* func "/dev/urandom" check added to checkconfig()
* func Config compatibility switch (-C) added to zkt-conf
* func zkt-ls has a new switch -s to change sorting of domains from
subdomain before parent to subdomain below the parent
* func "zkt-ls -T" prints only parent trust anchor
zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
* func Several config parameters are now printed in a more consistent and
user-friendly form.
SerialFormat "Incremental" could be abbreviated as "inc" on input.
* bug use of AC_ARG_ENABLE macros changed in a way that it is possible
to use it as a "--disable-FEATURE" switch.
* port no longer checking for malloc() in configure script.
Mainly because it checks only if malloc(0) is allowed and we do
not need this.
* port --disable-color-mode added to configure script
* bug Macro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac
* misc man page zkt-keyman added
* misc New command zkt-keyman added as replacement for dnssec-zkt's key
management functionality
* misc man page zkt-ls added
* port Check for ncurses added to Makefile.in
* misc Color mode (Option -C) added to zkt-ls (experimental)
New source file tcap.c.
* misc Deprecate "single linked list" version of ZKT. The binary tree
version has been the default for years, so the VERSION string no
longer contains a "T". Now, if someone insists on the single linked
list version (configure --disable-tree) an "S" is added to the
version string.
Anyway, the code for the single linked list version no longer
has the same functionality and will be removed in one of the later
releases.
* misc New command zkt-ls added as replacement for dnssec-zkt's key
listing functionality
* func New key algorithms RSASHA256 and RSASHA512 added to dki.[ch]
and zconf.c
New parameter NSEC3 added. Now it's possible to configure
an NSEC3_OPTOUT zone.
* bug Token parsing function gettok() fixed to recognize tokens
with dashes ("zone-statistics" was seen as "zone").
Thanks to Andreas Baess for finding this bug.
* bug Fixed bug in (re)salting dynamic zones.
sig_zone() and gensalt() need a parameter change for this
* func New option -a added to zkt-conf
* func In zconf.c CONF_TIMEINT parameters are now able to recognize
"unset" values (which are represented internally as 0)
* func Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
is less than 1.
max_ttl checks in checkconfig() fixed.
* func printconfigdiff() added to zconf.c and used by zkt-conf.
Now local configs are printed as diff to site wide config.
* misc man page zkt-signer.8 changed to new command syntax
* func Per domain logging added. Use parameter LogDomainDir to
enable it. For more details see file README.logging.
* func distribute.sh supports new action type "distkeys" but is
currently not used
* misc LOG_FNAMETMPL changed and moved from config_zkt.h to log.h
* misc Default soa serial format changed from "Incremental"
to "Unixtime"
* func dnssec-signer command renamed to zkt-signer. Man page updated.
* func New command zkt-conf added as replacement for dnssec-zkt -Z
* misc timeint2str() is now global (zconf.c)
* func zfparse.c - a rudimentary zone file parser
scans minimum and maximum ttl values; adds $INCLUDE dnskey.db
zkt 0.99d -- Not released
* func Option SIG_DnsKeyKSK for DNSKEY signing with KSK only
added (only useful with BIND9.7)
* misc For BIND 9.7 compatibility:
Run dnssec-signzone in compatibility mode ("-C") if
SigGenerateDS is true.
Run dnssec-keygen in compatibility mode ("-C -q")
Add option -u to dnssec-signzone if NSEC3 chaining is requested
zkt 0.99c -- 1. Aug 2009
* misc dnssec-signer command line option vars changed to storage
class static.
* port setenv() replaced by putenv() in misc.c
* misc Install binaries in prefix/bin instead of $HOME/bin.
Fixing some spelling errors in dnssec-signzone.8 and
dnssec-zkt.8.
Thanks to Mans Nilsson.
* port timegm() check added to configure.ac
* misc configure.ac, Makefile.in, and doc is now part of distribution
* bug off by one error fixed in splitpath()
* misc is_dotfile() renamed to is_dotfilename() (misc.c)
* misc inc_soaserial() sourced out to soaserial.c
* misc reload() functions sourced out to nscomm.c
* bug Introducing parameter "KeyAlgorithm" for both ZSK and
KSK keys instead of separate KSK and ZSK algorithms.
New functions dki_algo() and dki_findalgo().
* bug Redirect stderr message (additionally to stdout) of
dnssec-signzone command to pipe.
Pick up last line of output for logging.
* misc "Sig_GenerateDS" is no longer a hidden parameter.
* misc "make clean" now removes the binary files
New target "distclean" added to Makefile
* bug Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
Soderblum and Peter Norin for the patch)
Changed all TIMEINT parameter values to long.
* bug If someone changes the zone.db file in dynamic mode, this will be treated
the same way as an initial setup, so the zone.db file will be used as new
input file (Thanks to Shane Wegner for this patch)
* bug Option nsec3_param added to dnssec-signzone command for dynamic zones.
* func New option "NamedChrootDir" added to dnssec.conf to specify the
directory of a chrooted named. Without such an option
"dnssec-signer -N named.conf" couldn't find the zone file directory.
* misc Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
suppress the warning message about ZSK keysize of 512 bits.
zkt 0.98 -- 28. Dec 2008
* misc Target "install-man" added to Makefile
man files moved to sub directory "man"
* func If a BIND version greater than or equal to 9.6.0 is used, option -d doesn't
initiate a resigning of a zone. It's just for key rollover.
* func New pseudo algorithms for NSEC3 DNSKEYS added.
Support of NSEC3 hashing if a BIND version greater than or equal to 9.6.0
is used. New parameter "SaltBits" added to the config file to
set the salt length in bits (default is 24 which means 6 hex nibbles).
The number of hash iterations is set to the default value of
dnssec-signzone which depends on key size.
* misc Renaming of all example zone directories so that the directory
name does not end with a dot (Necessary for installing the
source tree in an MS-Windows environment).
str_tolowerdup() renamed to domain_canonicdup() and code added
to append a dot to the domain name if it's not already there.
* misc Add 'sec' (second) qualifier to debug output in kskrollover().
* bug Remove a trailing '/' at the -D argument.
* misc Configure script now uses the BIND_UTIL_PATH out of config_zkt.h
if the BIND dnssec-signzone command is not found
* bug A zone with only a standby key signing key (which means w/o an
active ksk) aborts the dnssec-signer command.
Fixed by Shane Kerr.
* func Changed inc_serial() so that the SOA record parser accepts a label
other than '@' and an optional ttl value before the class and SOA
RR identifier (Both are case insensitive). Thanks to Shane Kerr
for the suggestion.
* bug Change of global configured key lifetime during a zone signing
key rollover results in unnecessary additional pre-published
zone signing keys (Thanks to Frank Behrens for the patch)
* misc Sig_Random config file parameter defaults now to false
* bug The man page refers to the wrong licence (GPL instead of BSD)
zkt 0.97 -- 5. Aug 2008
* bug LG_* logging level wasn't mapped to syslog level in lg_mesg().
gettock() in ncparse.c did not recognize C single line comments "//"
(Thanks to Frank Behrens for finding this out)
* misc dist_and_reload () now calls the "Distribute_Cmd" twice:
First with argument "distribute" for signed zone file distribution,
second with argument "reload" to initiate a reload.
Again see example/flat/dist.sh for an example script.
* bug full KSK rollover will (mostly) also work for dynamic zones
This is a hack and requires further investigation. Currently
it will not work if someone is using non standard zone file
names.
* misc default ZSK lifetime set to 3 months
* misc get_mtime() renamed to file_mtime()
* func is_exec_ok() added and called in dist_and_reload ()
* func New parameter "Distribute_Cmd" added for specifying a user
defined distribution (and reload) command (See example/flat/dist.sh).
* misc Changed wording to be a bit more consistent to
draft-gudmundsson-life-of-dnskey-00.txt
- State of published key will be printed as "pub" instead of "pre"
by dnssec-zkt.
- Option --pre-publish of dnssec-zkt changed to --published.
- Changed wording in all comments and log message from "pre-publish"
to "published".
* func Highly experimental code to do a full automatic ksk rollover
in hierarchical mode.
ksk_rollover() added in rollover.c; parameter change for ksk_status()
* misc Changed name of "dnssec-soaserial" to "zkt-soaserial"
* bug Fixed verbose logging error if -N or -D option was used
* func Some LG_INFO messages added about key status change
* func Removal of the function to register a new ksk (zktr.[ch])
* misc Changed licence from GNU GPLv2 to BSD licence
* bug Fixed bug in logging of ZSK rollover
* misc Changed tar file to zipped one and archive the files with
toplevel directory
* bug Fixed use of uninitialized vars in zconf.c (line)
* port Preparation for use of autoconf
- config.h renamed to config_zkt.h and change of include directives
- conditional include of config.h
- ./configure script is able to determine BIND utility path
(BIND_UTIL_PATH) and version (BIND_VERSION)
- compile time options are settable via configure script (--enable-xxx)
- For now, the configure script is not able to set the install dir.
* bug ksk rollover phase2 did not trigger resigning of parent
(the parent file was copied to the parent directory only
after child zone resigning)
* bug fixed bad notice message in zskstatus ()
* func dnssec-zkt -Z print out syslog facility & level with
upper case letter and without quotation marks
* func Syslog facility DAEMON added
zkt 0.96 -- 19. June 2008
* func Config file option "SIG_Parameter" added.
* func Function verbmesg() added and used for verbose logging
to stdout and/or to syslog resp. file.
Config file parameter VerboseLog added to config file.
* bug Option -O wasn't recognized by dnssec-signer
* func Better support of initial setup of dynamic signed
zones (just create an empty "zone.db.dsigned" file
and run dnssec-signer with option -d).
* func Improved error logging; incr_soa() errors are written
as clear text message instead of error number
* func elog_mesg() function replaced by a more general
logging mechanism.
ErrorLog config parameter replaced by LogFile,
LogLevel and SyslogFacility, SyslogLevel parameter
* func New function filesize() added
* func dki_prt_trustedkey print out old key id if key
is revoked
* func dki_new() writes gentime (GMT) and proposed key
lifetime (days) as comment into the *.key file
* bug Doing some housekeeping
zkt 0.95 -- 19. April 2008
* misc This is not a public released version of zkt.
* func All config file options are now settable via
commandline option -O (--option or --config-option)
* misc Function fatal() now has an exit code of 127.
This is necessary because values from 1 to 64
reflect the number of errors that occurred.
* func Errorlog functionality added
All dnssec-signer errors will be logged in the file
specified by the Errorlog config file parameter or
specified by the command line option -L (--errorlog).
If a directory is given, then the logging will occur
in a file within this directory which is named
like "zkt-<current-date>.log".
The dnssec-signer command has an exit code of 0 if
no error occurred, an exit code of 127 on fatal errors,
an exit code from 1 to 63 reflecting the number of errors
that occurred, or an exit code of 64 if more than 63 errors
occurred.
* func dnssec-signer: Introducing long options
* bug New script added to example/views directory to
read in the right config file
* func New option -f (--lifetime) and -F (--setlifetime)
added to dnssec-zkt.
* func New option -e (--expire) added to dnssec-zkt.
(It seems that the dnssec-zkt command is a little
bit overloaded with options.)
* func dki.c and zkt.c support storage of key lifetime,
generation time and expiration time as a comment in the
.key file. With this, it's possible to change the default
lifetime without any impact on already used keys.
zkt 0.94 -- 6. Dec 2007
* bug Case mismatch of zone name and key file name prevented
dki_read() from reading the key.
Thanks to Alan Clegg for finding this out.
Added some additional error processing and convert
zone name to lower case.
* misc Builtin default for KSK_randfile changed
from NULL to "/dev/urandom".
* bug dnssec-signer has to use private keys for signing
even if the revoke bit is set.
To achieve this the file pattern K*.private is added
to the dnssec-signzone run.
* bug Uninitialized variable "len" in sign_zone().
* func Default config file is settable via environment
variable ZKT_CONFFILE
* func Support of views added
Link dnssec-zkt to dnssec-zkt-<view> and
dnssec-signer to dnssec-signer-<view>.
Option -V and --view added to dnssec-zkt.
Option -V added to dnssec-signer.
View support added to parse_namedconf().
zkt 0.93 -- 1. Nov 2007
* func The ksk registration mechanism is disabled by
default (see REG_URL in config.h).
* func Basic support for revoke flag added (RFC5011).
Semantic of option -R of dnssec-zkt changed.
* func Undocumented option -S changed to lower case.
Pre-published KSK will be shown as "standby" key.
New Option -S (standby) for pre-publish KSK.
* func New command dnssec-soaserial added.
* bug dnssec-signer does not print the incremented serial
number anymore.
time2str() fixed bug in time format (HAS_STRFTIME=0).
* port New build dependencies "solaris", "macos" and "help"
added to Makefile.
zkt 0.92 -- 1. Oct 2007
* func Parameter "Serialformat" in dnssec.conf added.
Now it is possible to use the unixtime format for
the SOA serial number. If you use BIND 9.4 or
greater in conjunction with this, then there is no
need for the special SOA serial formatting in
the zonefile. (Thanks to Jakob Schlyter for the
-N option of dnssec-signzone and the suggestion to
add the unixtime support to zkt)
* func Option --ksk-roll-stat added.
* port Added macro HAS_GETOPT_LONG to support OS with
lack of getopt_long() (e.g. solaris).
Options -[01239] added.
* misc Unused macro HAS_ULONG removed from config.h.
Declaration of unsigned types moved from dki.h to
config.h (so it will be available in _all_ source
files). Thanks to Mans Nilsson.
Unused macro isblank() (ncparse.c) removed.
* bug In dosigning(): freeze the dynamic zone _before_ copying
the zone file.
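The "Serialformat" parameter introduced here (later made the default, see "Default soa serial format changed from Incremental to Unixtime" in the 1.0rc1 section, and reworked in inc_soa_serial() in 1.1.1) decides how dnssec-signer advances the SOA serial on every re-signing. The following is an added example, not ZKT's inc_soa_serial(): it computes the next serial for both formats and checks the result with RFC 1982 serial arithmetic, which is what secondaries use to decide whether to transfer the zone. The fallback policy (use the current time only when it is greater in serial arithmetic, otherwise old + 1) and the skipping of 0 are this example's assumptions; the enum names are constructed from the two format names the changelog uses.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

enum serial_format { SERIAL_INCREMENTAL, SERIAL_UNIXTIME };

/* RFC 1982 serial-number arithmetic: a is "greater than" b if a can be
 * reached from b by adding fewer than 2^31 (wrapping around 2^32). */
int serial_gt(uint32_t a, uint32_t b)
{
	return a != b && (uint32_t)(a - b) < 0x80000000u;
}

/* Next SOA serial for a zone whose current serial is `old`.
 * Incremental: old + 1.
 * Unixtime:    the current time, but only if it is greater than `old` in
 *              serial arithmetic; otherwise old + 1. That fallback covers two
 *              signing runs within one second, a clock that is behind, and a
 *              zone migrating from a YYYYMMDDnn serial (which lies far "ahead"
 *              of any unixtime value in 32-bit serial space, so jumping
 *              straight to the time would make secondaries ignore the update).
 * A result of 0 is mapped to 1 (0 is conventionally avoided as a serial). */
uint32_t next_soa_serial(uint32_t old, enum serial_format fmt, time_t now)
{
	uint32_t next;

	if (fmt == SERIAL_UNIXTIME && serial_gt((uint32_t)now, old))
		next = (uint32_t)now;
	else
		next = old + 1;		/* unsigned wrap-around is what RFC 1982 expects */

	if (next == 0)
		next = 1;
	return next;
}

/* A zone update only reaches secondaries if they see the new serial as newer. */
int serial_update_ok(uint32_t old, uint32_t next)
{
	return serial_gt(next, old);
}

int main(void)
{
	time_t now = time(NULL);
	/* constructed sample serials: small counter, plausible unixtime,
	 * date-style YYYYMMDDnn, and the wrap-around edge */
	uint32_t cases[] = {1000u, 1600000000u, 2014010100u, 0xFFFFFFFFu};
	size_t i;

	for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		uint32_t inc = next_soa_serial(cases[i], SERIAL_INCREMENTAL, now);
		uint32_t ut  = next_soa_serial(cases[i], SERIAL_UNIXTIME, now);
		printf("old %10" PRIu32 "  incremental -> %10" PRIu32 " (%s)  unixtime -> %10" PRIu32 " (%s)\n",
		       cases[i], inc, serial_update_ok(cases[i], inc) ? "ok" : "BAD",
		       ut, serial_update_ok(cases[i], ut) ? "ok" : "BAD");
	}
	return 0;
}
```

The date-style case is the one worth remembering when switching a zone to the Unixtime format: 2014010100 is numerically larger than any current unixtime, so the example keeps incrementing from the old value rather than producing a serial that every secondary would treat as older.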
zkt 0.91 -- 1. Apr 2007
* doc --ksk-rollover option added to usage().
* func some experimental code for dynamic zones added.
new functions added: copyzonefile(), dyn_update_freeze().
New option "-d" added.
zkt 0.90 -- 6. Dec 2006
* func CHECK_RESIGN interval added to config.h.
This is the dnssec-signer calling interval (at least 1 day or 86400 sec).
* func new function dki_destroy() added; semantic of dk_remove()
changed to rename the key files instead of physical deletion.
* doc Setup of new example directory (flat and hierarchical).
* doc dnssec-zkt man page updated.
Added some comments in misc.c
* misc function strtaint() renamed to str_untaint(),
dki_keycmp() renamed to dki_tagcmp().
* func New parameter key_ttl added to dnssec.conf.
New func dki_prt_dnskeyttl () added.
Now dnskey.db is written with key_ttl value.
* func dnssec-signer: In hierarchical mode sign_zone() copies the
parent-file (if such a file exists) instead of the
keyset-file to the parent directory.
* func dnssec-zkt: Option --ksk-roll-phase[123] and function
ksk_rollover() added.
* misc zconf: default values for sigvalidity, resign_int etc. changed,
new dnssec.conf example file created.
* func dnssec-zkt: Long option support added.
zkt 0.83 -- 11. Sep 2006
* bug dosigning(): Fixed bug in the bug fixing of printing undefined
serial number if incr_serial() failed. (Thanks to Randy McCasskill).
zkt 0.82 -- 8. Sep 2006
* bug Use option -e for dnssec-keygen calls in dki_new(), because
an RSA exponent of 3 is vulnerable.
* bug dosigning(): Fixed bug in printing undefined serial
number if incr_serial() failed.
zkt 0.81 -- 13. July 2006
* bug The function ceatekey() won't work with USE_TREE.
Size of MAX_DNAME increased.
zkt 0.8 -- 09. July 2006
* func Now a hierarchical directory structure with subdomains stored in
subfolders of the parent domain is allowed. Added copyfile(),
cmpfile() and new_keysetfiles() for that.
* func Config parameter added to choose if the domain name is
right or left justified listed by dnssec-zkt (printkeyinfo).
* func New class of key added ("sep"). A SEP key is a (public) key file
without the private counterpart. So we could use the key solely
as a secure entry point. (dki.h, dki_read).
zkt 0.70 -- 15. Sep 2005
* func Experimental code added to use a binary search tree instead of a
single linked list. This is mainly for performance improvement for large
sites. If you don't want to use it, set USE_TREE in config.h to zero.
In the first step only dnssec-zkt uses the new data structure.
The tree is built over the domain names and each node is the starting point
of a linked list of keys.
As a result, it's not possible anymore to search on key tags only. You have
to specify the domain name plus the tag. :-(
* func Function parseurl added.
* func Experimental code to register a new ksk. Currently it's more like
a key announcement because of the lack of identification and
authentication.
zkt 0.65 -- 22. Aug 2005
* misc Rewrite of the domaincmp() function. Now it's about 2 times faster.
After some additional changes and the compiler option -O3 the dnssec-zkt
on the ~ 12000 zones requires only a minute
$ time dnssec-zkt -z -r sec > /dev/null
real 0m58.287s
user 0m54.610s
sys 0m3.680s
* func A keyset directory is introduced (experimental)
The parameter -d is added to the call of the dnssec-signzone command
if the config option KeySetDir is set.
As a result, all dsset-, keyset- and dlvset- files are stored in one directory.
The advantage is that the chain of trust of all local subzones is built
automatically (This is the reason why we sort the zones with the child zones
first).
The disadvantage is that we store many files in a single directory (3 files
per zone).
zkt 0.64 -- 1. Aug 2005
* bug The code for option -Z of dnssec-zkt should be executed before we read the
complete directory tree. This is useful if we have a very deep directory
structure and the recursive flag is switched on.
* func SIG_Pseudorand parameter added.
* func ([KZ]SK)|(SIG)_randfile parameter added.
* func measure the time used for signing of each zone.
* bug function logflush() added to misc.c and called by dosigning().
* misc some performance tests made:
- Directory structure "sec/<firstletter>/domain" with about 12200 domains
- One of the domains is a big one (~ 820000 RRs), the others are mostly very small ones
- We use a dsa key with 704 bits as ksk and an rsamd5 key with 512 bits as zsk on each domain.
- All tests were made on a Sun Fire V440 with 4 CPUs and 4x2GB main memory
# sequential signing of all zones
$ time dnssec-signer -v -v -f -D sec
real 434m (~ 7h 14min)
user 188
sys 175
# with option -p and -r /dev/urandom
$ time dnssec-signer -v -v -f -D sec > log
real 96m28.306s
user 290m41.980s
sys 6m13.790s
# one process for each firstletter subdirectory
$ time par_signer.sh
real 394m12.334s
user 295m58.390s
sys 786m42.479s
# with option -p and -r /dev/urandom
$ time par_signer.sh
real 78m49.323s
user 284m58.350s
sys 5m39.340s
$ time dnssec-zkt -z -r sec > /dev/null
real 2m5.722s
user 2m0.060s
sys 0m4.510s
# signing the big (820000 RR) domain only
$ time dnssec-signer -v -v -f -D sec/b/big-domain
real 196m23.165 (~ 3h 16min)
user 176m57.610
sys 167m27.570
# with option -p and -r /dev/urandom
$ time dnssec-signer -v -v -f -D sec/b/big-domain
real 49m53.152
user 173m59.520
sys 1m40.150
zkt 0.63 -- 14. June 2005
* bug allow TTL value in keyfiles (see TTL_IN_KEYFILES_ALLOWED
in dki_readfile()).
* misc function strchop() added to misc.c.
zkt 0.62 -- 13. May 2005
* func dnssec-signer: Option -o added.
Now it works a bit more like dnssec-signzone.
* func strlist.c: prepstrlist and unprepstrlist functions get a
second parameter for the delimiter.
* bug fixed some typos and inaccurate usage of symbolic constants.
Doing some housekeeping.
zkt 0.61 -- 3. May 2005
* bug local config file will not be mentioned if -N switch is used.
zkt 0.6 -- 1. May 2005
* doc dnssec-signer: man page added.
* func dnssec-signer: Print out a warning message if ksk lifetime is exceeded.
* func dnssec-signer: Remaining arguments will be interpreted as zone names
(in_strarr () added).
* func dnssec-signer: Option -D added.
zkt 0.51 -- 8. April 2005
* func dnssec-signer: Option -N added.
* func dnssec-signer: change of keystatus from pre-published to active
resets timestamp of key, thus age of active key counts 0.
* bug prepstrlist: resulting string was not terminated with '\0'.
* bug dnssec-signer: do signing if there are additional keys, or the
status of any key is changed (function check_keytimestamp).
* func dnssec-zkt: -l <list> option added.
* func dnssec-zkt: -p flag defaults to on in key creation mode (-C).