validns (0.11.0-1~unstable+1) unstable; urgency=low

  * Release 0.11.0

    Added:
    - Detect NSEC3 records with flags, iterations, or salt inconsistent with NSEC3PARAM.
    - Support for EUI48 and EUI64 records (RFC 7043)
    - Verbose output (-v) shows complete RRSIG record data
    - Render full rdata for HINFO, TXT, SPF, WALLET, ISDN, X25 and NAPTR in verbose output
    - Render full rdata for LOC records in verbose output
    - New -L flag lists all record types validns can render.
    - Report unsigned RR sets in signed zones; new all-algorithms-signed policy check
    - New occluded-records policy check reports records hidden below delegations
    - New missing-glue policy check reports delegations lacking mandatory glue

    Fixed:
    - Parse \DDD string escapes per RFC 1035, fixing false signature errors on BIND-signed zones
    - Verbose output now renders complete NSEC3 records
    - Verbose output now renders DNSKEY, CERT, DHCID, and IPSECKEY rdata in full
    - LOC records omitting size/precision fields no longer emit uninitialized data
    - L64 and NID now handle the full 64-bit locator/node identifier
    - verbose output renders full NSAP, TLSA, SMIMEA, RP, L64 and NID rdata
    - L32 records are now rendered and validated correctly on little-endian systems.
    - Fix crash when reporting results for a signer key that failed to build
    - Fix data race in multi-threaded signature verification
    - Fix memory leaks in DNSSEC key building and RRSIG parsing

    Security:
    - Fix a buffer overflow when parsing overlong quoted strings
    - Fix buffer overflows when rendering RRSIG, IPSECKEY and NSEC/NSEC3 records in verbose (-v) output

 -- Jerry Lundström <lundstrom.jerry@gmail.com>  Wed, 15 Jul 2026 10:19:02 +0200

validns (0.10.0-1~unstable+1) unstable; urgency=low

  * Release 0.10.0

    Added:
    - Validate zones signed with Ed25519 and Ed448 (RFC 8080)
    - Validate SVCB (TYPE 64) and HTTPS (TYPE 65) records per RFC 9460, including all nine IANA-registered SvcParam keys.
    - CAA tag-value validation and RFC 8657 contact tags.
    - Support the optional $INCLUDE <domain-name> argument: overrides $ORIGIN for the included file only.

    Fixed:
    - ksk-exists policy now recognizes Combined Signing Key (CSK) configurations
    - do not flag a typemap mismatch when an owner name shares its label with an NSEC3 chain owner
    - Suppress cascading errors when DS/CDS/DLV references an unrecognized or policy-disabled algorithm.
    - Accept RRSIG inception/expiration timestamps past 2038-01-19 03:14:07 UTC and compute them in UTC per RFC 4034.
    - Signature count in -s summary no longer inflated when multiple DNSKEYs share a key tag.
    - PTR records report "PTR domain name" in error messages instead of the misleading "name server domain name".
    - Zone names containing unescaped commas, raw 8-bit bytes, or quoted-string (`"..."`) form now parse, matching BIND and ldns.
    - RRSIG validity checks (-t) accept post-2038 epochs on 32-bit hosts

 -- Jerry Lundström <lundstrom.jerry@gmail.com>  Mon, 18 May 2026 14:34:31 +0200

validns (0.9.0-1~unstable+1) unstable; urgency=low

  * Release 0.9.0

    Added:
    - Support for WALLET RR type 262
    - Internal txtlike infrastructure for TXT-like RR types, removing 20-segment limit for SPF
    - Full hex data display in generic record verbose output
    - Support for ZoneMD (RFC 8976)
    - Quiet mode for test programs (-v for verbose output)
    - Changie for changelog management
    - -V option to print version

    Changed:
    - License updated
    - CI infrastructure updates
    - Migration to Codeberg
    - Build system migrated to autotools

    Fixed:
    - Root zone membership check now correctly allows TLDs
    - Include txtlike.h in distribution tarball
    - Memory management issues (file_info initialization, generate template cleanup)
    - Coredump in NSEC3 handling when zone apex is NULL
    - Coredump when zone has DNSSEC records but no valid SOA
    - Scan-build warnings
    - Prevent crash in KSK policy check when zone has no DNSKEY records
    - Resolve clang scan-build warnings (dead stores, missing noreturn attributes)
    - Prevent crash in NSEC3PARAM policy check when record storage fails
    - Detect and report when DNSSEC signature algorithms are disabled by system crypto policy (RHEL 9/CentOS 9)

 -- Jerry Lundström <lundstrom.jerry@gmail.com>  Fri, 30 Jan 2026 14:24:40 +0100

validns (0.8.0-1~unstable+1) unstable; urgency=low

  * Release 0.8.0

    Added:
    - Support ECDSA and SHA-256 in SSHFP
    - Support for SHA-384 digests in DS (RFC 6605)
    - Support multiple -t options

    Fixed:
    - Miscellaneous bug fixes
    - Miscellaneous portability fixes

 -- Anton Berezin <tobez@tobez.org>  Tue, 11 Feb 2014 00:00:00 +0100
