1 zkt 1.1.3 -- 21. Nov 2014
3 * func New Config Parameter DependFiles added.
4 Contains a (comma separated) list of files which are
5 included into the ZoneFile. The timestamps of this files
6 are checked additional to the timestamp of the ZoneFile.
7 Based on a suggestion from Sven Strickroth
9 * misc Makefile changed to build tar file out of git repository
11 * misc Minimum supported BIND version is now 9.8
13 * bug Fixed bug in BIND version parsing (9.10.1 was parsed as 910
14 which is similar to 9.1.0)
15 Version 9.10.1 is parsed now as 091001
17 * misc Remove flag to request large exponent when creating keys
18 (BIND always creates keys with large exponents since BIND 9.5.0)
20 * misc Project moved to github
21 Thanks to Jakob Schlyter for doing the initial stuff
23 zkt 1.1.2 -- 05. Dec 2012
25 * bug Fixed bug introduced by changes on inc_soa_serial()
27 zkt 1.1.1 -- 27. Nov 2012
29 * bug Error fixed in zkt-conf in parsing the version number
31 * misc inc_soa_serial() now returns 0 on success
33 * bug Fixed bug in inc_serial()
34 The zone file wasn't closed on succesful change of the soa record.
35 Many thanks to Frederik Soderblom for fixing this.
37 zkt 1.1 -- 30. Jan 2012
39 * misc Release numbering changed to three level "major.minor.revison" scheme
41 * bug REMOVE_HOLD_TIME was set to 10 days only (Thanks to Chris Thompson)
43 * doc Improved README file (Thanks to Jan-Piet Mens)
45 * misc Fixed some typos in log messages
47 * bug Fixed error in rollover.c (return code of genfirstkey() wasn't checked)
49 * misc Default of KeySetDir changed from NULL to ".." (best for hierarchical mode)
50 Default Sig Lifetime changed from 10 days to 3 weeks (21 days)
51 Default ZSK lifetime changed from 3 months to 4 times the sig lifetime
52 Default KSK lifetime changed from 1 year to 2 years
53 Parameter checks in checkconfig() adapted.
54 KSK random device changed back from /dev/urandom to BIND default
55 (Be aware of some possibly long delay in key generation)
57 * func New configure option to set the bind utility path manually (--enable-bindutil_path)
58 BIND_UTIL_PATH in config_zkt.h will no longer used
59 (Thanks to Mans Nilsson)
61 * bug If nsec3 is turned on and KeyAlgo (or AddKeyAlgo) is RSHASHA1
62 or DSA, genkey() uses algorithm type NSECRSASHA1 or NSEC3DSA instead.
63 (Thanks to Holger Wirtz)
65 * bug Error in printconfigdiff() fixed. (Thanks to Holger Wirtz)
67 * func Description added to (some of the) dnssec.conf parameters
69 * func Adding a patch from Hrant Dadivanyan to always pre-publish ZSKs
71 * misc Config file syntax changed to parameter names without underscores.
72 zkt-conf uses ZKT_VERSION string as config version
74 * bug "make install-man" now installs all man page
76 * bug Bug fixed in zfparse.c. zkt-conf was unable to detect an already
77 included dnskey.db file if another file was included.
79 * misc destination dnssec-zkt removed from Makefile.in
81 * func dki_prt_managedkeys() added to dki.c
82 zkt_list_managedkeys() added to zkt.c
83 zkt-ls has new option -M to print out a list of managed-keys
85 * bug Bug fixed in the config parser (zconf.c). Couldn't parse
86 agorithm RSASHA512 correctly (Thanks to Michael Sinatra)
88 zkt 1.0 -- 15. June 2010
90 * func "/dev/urandom" check added to checkconfig()
92 * func Config compability switch (-C) added to zkt-conf
94 * func zkt-ls has a new switch -s to change sorting of domains from
95 subdomain before parent to subdomain below the parent
97 * func "zkt-ls -T" prints only parent trust anchor
99 zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
101 * func Several config parameter are printed now in a more consistent and
103 SerialFormat "Incremental" could be abbreviated as "inc" on input.
105 * bug use of AC_ARG_ENABLE macros changed in a way that it is possible
106 to use it as a "--disable-FEATURE" switch.
108 * port no longer checking for malloc() in configue script.
109 Mainly because it checks only if malloc(0) is allowed and we do
112 * port --disable-color-mode added to configure script
114 * bug Makro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac
116 * misc man page zkt-keyman added
118 * misc New command zkt-keyman added as replacement for dnssec-zkt's key
119 management functionality
121 * misc man page zkt-ls added
123 * port Check for ncurses added to Makefile.in
125 * misc Color mode (Option -C) added to zkt-ls (experimental)
126 New source file tcap.c.
128 * misc Deprecate "single linked list" version of ZKT. The binary tree
129 version is the default for years, so the VERSION string does no
130 longer contain a "T". Now, if someone insist on the single link
131 list version (configure --disable-tree) a "S" is added to the
133 Anyway, the code for the single link list version does no longer
134 have the same functionality and will be removed in one of the later
137 * misc New command zkt-ls added as replacement for dnssec-zkt's key
138 listing functionality
140 * func New key algorithms RSASHA256 and RSAHSHA512 added to dki.[ch]
142 New parameter NSEC3 added. Now it's possible to configure
143 an NSEC3_OPTOUT zone.
145 * bug Token parsing function gettok() fixed to recognize tokens
146 with dashes ("zone-statistics" was seen as "zone").
147 Thanks to Andreas Baess for finding this bug.
149 * bug Fixed bug in (re)salting dynamic zones.
150 sig_zone() and gensalt() needs parameter change for this
152 * func New option -a added to zkt-conf
154 * func In zconf.c CONF_TIMEINT parameter are now able to recognize
155 "unset" values (which is represented internaly as 0)
157 * func Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
159 max_ttl checks in checkconfig() fixed.
161 * func printconfigdiff() added to zconf.c and used by zkt-conf.
162 Now local configs are printed as diff to site wide config.
164 * misc man page zkt-signer.8 changed to new command syntax
166 * func Per domain logging added. Use parameter LogDomainDir to
167 enable it. For more details see file README.logging.
169 * func distribute.sh supports new action type "distkeys" but is
172 * misc LOG_FNAMETMPL changed and moved from config_zkt.h to log.h
174 * misc Default soa serial format changed from "Incremental"
177 * func dnssec-signer command renamed to zkt-signer. Man page updated.
179 * func New command zkt-conf added as replacement for dnssec-zkt -Z
181 * misc timeint2str() is now global (zconf.c)
183 * func zfparse.c - a rudimentary zone file parser
184 scans minimum and maximum ttl values; adds $INCLUDE dnskey.db
186 zkt 0.99d -- Not released
188 * func Option SIG_DnsKeyKSK for DNSKEY signing with KSK only
189 added (only useful with BIND9.7)
191 * misc For BIND 9.7 compability:
192 Run dnssec-signzone in compability mode ("-C") if
193 SigGenerateDS is true.
194 Run dnssec-keygen in compability mode ("-C -q")
195 Add option -u to dnssec-signzone if NSEC3 chaining is requested
197 zkt 0.99c -- 1. Aug 2009
199 * misc dnssec-signer command line option vars changed to storage
202 * port setenv() replaced by putenv() in misc.c
204 * misc Install binaries in prefix/bin instead of $HOME/bin.
205 Fixing some spelling errors in dnssec-signzone.8 and
207 Thanks to Mans Nilsson.
209 * port timegm() check added to configure.ac
211 * misc configure.ac, Makefile.in, and doc is now part of distribution
213 * bug off by one error fixed in splitpath()
215 * misc is_dotfile() renamed to is_dotfilename() (misc.c)
217 * misc inc_soaserial() sourced out to soaserial.c
219 * misc reload() functions sourced out to nscomm.c
221 * bug Introducing parameter "KeyAlgorithm" for both ZSK and
222 KSK keys instead of separate KSK and ZSK algorithms.
223 New functions dki_algo() and dki_findalgo().
225 * bug Redirect stderr message (additionally to stdout) of
226 dnssec-signzone command to pipe.
227 Pick up last line of output for logging.
229 * misc "Sig_GenerateDS" is no longer a hidden parameter.
231 * misc "make clean" now remove the binary files
232 New target "distclean" added to Makefile
234 * bug Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
235 Soderblum and Peter Norin for the patch)
236 Changed all TIMEINT parameter values to long.
238 * bug If someone changes the zone.db file in dynamic mode, this will be treated
239 the same way as an initial setup, so the zone.db file will be used as new
240 input file (Thanks to Shane Wegner for this patch)
242 * bug Option nsec3_param added to dnssec-signzone command for dynamic zones.
244 * func New option "NamedChrootDir" added to dnssec.conf to specify the
245 directory of a chrooted named. Without such an option
246 "dnssec-signer -N named.conf" couldn't find the zone file directory.
248 * misc Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
249 suppress the warning message about ZSK keysize of 512 bits.
251 zkt 0.98 -- 28. Dec 2008
253 * misc Target "install-man" added to Makefile
254 man files moved to sub directory "man"
256 * func If a BIND version greater equal 9.6.0 is used, option -d doesn't
257 initiate a resigning of a zone. It's just for key rollover.
259 * func New pseudo algorithms for NSEC3 DNSKEYS added.
260 Support of NSEC3 hashing if a BIND version greater equal 9.6.0
261 is used. New parameter "SaltBits" added to the config file to
262 set the salt length in bits (default is 24 which means 6 hex nibbles).
263 The number of hash iterations is set to the default value of
264 dnssec-signzone which depends on key size.
266 * misc Renaming of all example zone directories so that the directory
267 name does not end with a dot (Necessary for installing the
268 source tree in an MS-Windows environment).
269 str_tolowerdup() renamed to domain_canonicdup() and code added
270 to append a dot to the domain name if it's not already there.
272 * misc Add 'sec' (second) qualifier to debug output in kskrollover().
274 * bug Remove a trailing '/' at the -D argument.
276 * misc Configure script now uses the BIND_UTIL_PATH out of config_zkt.h
277 if the BIND dnssec-signzone command is not found
279 * bug A zone with only a standby key signing key (which means w/o an
280 active ksk) aborts the dnssec-signer command.
283 * func Changed inc_serial() so that the SOA record parser accepts a label
284 other than '@' and an optional ttl value before the class and SOA
285 RR identifier (Both are case insensitive). Thanks to Shane Kerr
288 * bug Change of global configured key liftetime during a zone signing
289 key rollover results in unnecessary additional pre-published
290 zone signing keys (Thanks to Frank Behrens for the patch)
292 * misc Sig_Random config file parameter defaults now to false
294 * bug The man page refers the wrong licence (GPL instead of BSD)
296 zkt 0.97 -- 5. Aug 2008
298 * bug LG_* logging level wasn't mapped to syslog level in lg_mesg().
299 gettock() in ncparse.c did not recognize C single line comments "//"
300 (Thanks to Frank Behrens for finding this out)
302 * misc dist_and_reload () now calls the "Distribute_Cmd" twice:
303 First with argument "distribute" for signed zone file distribution,
304 second with argument "reload" to initiate a reload.
305 Again see example/flat/dist.sh for an example script.
307 * bug full KSK rollover will (mostly) also work for dynamic zones
308 This is a hack and requires further investigation. Currently
309 it will not work if someone is using non standard zone file
312 * misc default ZSK lifetime set to 3 month
314 * misc get_mtime() renamed to file_mtime()
316 * func is_exec_ok() added and called in dist_and_reload ()
318 * func New parameter "Distribute_Cmd" added for specifing a user
319 defined distribution (and reload) command (See example/flat/dist.sh).
321 * misc Changed wording to be a bit more consistent to
322 draft-gudmundsson-life-of-dnskey-00.txt
323 - State of published key will be print as "pub" instead of "pre"
325 - Option --pre-publish of dnssec-zkt changed to --published.
326 - Changed wording in all comments and log message from "pre-publish"
329 * func Highly experimental code to do a full automatic ksk rollover
331 ksk_rollover() added in rollover.c; parameter change for ksk_status()
333 * misc Changed name of "dnssec-soaserial" to "zkt-soaserial"
335 * bug Fixed verbose logging error if -N or -D option was used
337 * func Some LG_INFO messages added about key status change
339 * func Remove of function to register a new ksk (zktr.[ch])
341 * misc Changed licence from GNU GPLv2 to BSD licence
343 * bug Fixed bug in logging of ZSK rollover
345 * misc Changed tar file to zipped one and archive the files with
348 * bug Fixed use of uninitialized vars in zconf.c (line)
350 * port Preparation for use of autoconf
351 - config.h renamed to config_zkt.h and change of include directives
352 - conditional include of config.h
353 - ./configure script is able to determine BIND utility path
354 (BIND_UTIL_PATH) and version (BIND_VERSION)
355 - compile time options are settable via configure script (--enable-xxx)
356 - For now, the configure script is not able to set the install dir.
358 * bug ksk rollover phase2 did not trigger resigning of parent
359 (the parent file was copied to the parent directory only
360 after child zone resigning)
362 * bug fixed bad notice message in zskstatus ()
364 * func dnssec-zkt -Z print out syslog facility & level with
365 upper case letter and without quotation marks
367 * func Syslog facility DAEMON added
369 zkt 0.96 -- 19. June 2008
371 * func Config file option "SIG_Parameter" added.
373 * func Function verbmesg() added and used for verbose logging
374 to stdout and/or to syslog resp. file.
375 Config file parameter VerboseLog added to config file.
377 * bug Option -O wasn't recognized by dnssec-signer
379 * func Better support of initial setup of dynamic signed
380 zones (just create an empty "zone.db.dsigned" file
381 and run dnssec-signer with option -d).
383 * func Improved error logging; incr_soa() errors are written
384 as clear text message instead of error number
386 * func elog_mesg() function replaced by a more general
388 ErrorLog config parameter replaced by LogFile,
389 LogLevel and SyslogFacility, SyslogLevel parameter
391 * func New function filesize() added
393 * func dki_prt_trustedkey print out old key id if key
396 * func dki_new() writes gentime (GMT) and proposed key
397 lifetime (days) as comment into the *.key file
399 * bug Doing some housekeeping
401 zkt 0.95 -- 19. April 2008
403 * misc This is not a public released version of zkt.
405 * func All config file option are now settable via
406 commandline option -O (--option or --config-option)
408 * misc Function fatal() now has an exit code of 127.
409 This is necessary because values from 1 to 64 are
410 reflecting the number of errors occured.
412 * func Errorlog functionality added
413 All dnssec-signer errors will be logged in the file
414 specified by the Errorlog config file parameter or
415 specified by the command line option -L (--errorlog).
416 If a directory is given, then the logging will occur
417 in a file within this directory which is named
418 like "zkt-<current-date>.log".
419 The dnssec-signer command has an exit code of 0 if
420 no error occured, an exit code of 127 on fatal errors,
421 an exit code from 1 to 63 reflecting the number of errors
422 occured, or an exit code of 64 if more than 63 errors
425 * func dnssec-signer: Introducing long options
427 * bug New skript added to example/views directory to
428 read in the right config file
430 * func New option -f (--lifetime) and -F (--setlifetime)
433 * func New option -e (--expire) added to dnssec-zkt.
434 (Seems to be that the dnssec-zkt command is a little
435 bit overloaded with options.)
437 * func dki.c and zkt.c supports storage of key lifetime,
438 generation time and expiration time as a comment in the
439 .key file. With this, it's possible to change the default
440 lifetime without any impact on already used keys.
442 zkt 0.94 -- 6. Dec 2007
444 * bug Case mismatch of zone name and key file name prevent
445 dki_read() from reading the key.
446 Thanks to Alan Clegg for finding this out.
447 Added some additional error processing and convert
448 zone name to lower case.
450 * misc Builtin default for KSK_randfile changed
451 from NULL to "/dev/urandom".
453 * bug dnssec-signer has to use private keys for signing
454 even if the revoke bit is set.
455 To achieve this the file pattern K*.private is added
456 to the dnssec-signzone run.
458 * bug Uninitialized variable "len" in sign_zone().
460 * func Default config file is settable via environment
461 variable ZKT_CONFFILE
463 * func Support of views added
464 Link dnssec-zkt to dnssec-zkt-<view> and
465 dnssec-signer to dnssec-signer-<view>.
466 Option -V and --view added to dnssec-zkt.
467 Option -V added to dnssec-signer.
468 View support added to parse_namedconf().
470 zkt 0.93 -- 1. Nov 2007
472 * func The ksk registration mechanism is disabled by
473 default (see REG_URL in config.h).
475 * func Basic support for revoke flag added (RFC5011).
476 Semantic of option -R of dnssec-zkt changed.
478 * func Undocumented option -S changed to lower case.
479 Pre-pulished KSK will be shown as "standby" key.
480 New Option -S (standby) for pre-publish KSK.
482 * func New command dnssec-soaserial added.
484 * bug dnssec-signer do not print the incremented serial
486 time2str() fixed bug in time format (HAS_STRFTIME=0).
488 * port New build dependencies "solaris", "macos" and "help"
491 zkt 0.92 -- 1. Oct 2007
493 * func Parameter "Serialformat" in dnssec.conf added .
494 Now it is possible to use the unixtime format for
495 the SOA serial number. If you use BIND 9.4 or
496 greater in conjunction with this, than there is no
497 need for the special SOA serial formating in
498 the zonefile. (Thanks to Jakob Schlyter for the
499 -N option of dnssec-signzone and the suggestion to
500 add the unixtime support to zkt)
502 * func Option --ksk-roll-stat added.
504 * port Added macro HAS_GETOPT_LONG to support OS with
505 lack of getopt_long() (e.g. solaris).
506 Options -[01239] added.
508 * misc Unused macro HAS_ULONG removed from config.h.
509 Deklaration of unsigned types moved from dki.h to
510 config.h (so it will be available in _all_ source
511 files). Thanks to Mans Nilsson.
512 Unused macro isblank() (ncparse.c) removed.
514 * bug In dosigning(): freeze the dynamic zone _before_ copying
517 zkt 0.91 -- 1. Apr 2007
519 * doc --ksk-rollover option added to usage().
521 * func some experimental code for dynamic zones added.
522 new functions added: copyzonefile(), dyn_update_freeze().
523 New option "-d" added.
525 zkt 0.90 -- 6. Dec 2006
527 * func CHECK_RESIGN interval added to config.h.
528 This is the dnssec-signer calling interval (at least 1 day or 86400 sec).
530 * func new function dki_destroy() added; semantic of dk_remove()
531 changed to rename the key files instead of physical deletion.
533 * doc Setup of new example directory (flat and hierarchical).
535 * doc dnssec-zkt man page updated.
536 Added some comments in misc.c
538 * misc function strtaint() renamed to str_untaint(),
539 dki_keycmp() renamed to dki_tagcmp().
541 * func New parameter key_ttl added to dnssec.conf.
542 New func dki_prt_dnskeyttl () added.
543 Now dnskey.db is written with key_ttl value.
545 * func dnssec-signer: In hierarchical mode sign_zone() copies the
546 parent-file (if such a file exist) instead of the
547 keyset-file to the parent directory.
549 * func dnssec-zkt: Option --ksk-roll-phase[123] and function
550 ksk_rollover() added.
552 * misc zconf: default values for sigvalidity, resign_int etc. changed,
553 new dnssec.conf example file created.
555 * func dnssec-zkt: Long option support added.
557 zkt 0.83 -- 11. Sep 2006
559 * bug dosigning(): Fixed bug in the bug fixing of printing undefined
560 serial number if incr_serial() failed. (Thanks to Randy McCasskill).
562 zkt 0.82 -- 8. Sep 2006
564 * bug Use option -e for dnssec-keygen calls in dki_new(), because
565 an RSA exponent of 3 is vulnerable.
567 * bug dosigning(): Fixed bug in printing undefined serial
568 number if incr_serial() failed.
570 an RSA exponent of 3 is vulnerable.
572 * bug dosigning(): Fixed bug in printing undefined serial
573 number if incr_serial() failed.
575 zkt 0.81 -- 13. July 2006
577 * bug The function ceatekey() won't work with USE_TREE.
578 Size of MAX_DNAME increased.
580 zkt 0.8 -- 09. July 2006
582 * func Now a hierarchical directory structure with subdomains stored in
583 subfolders of the parent domain are allowed. Added copyfile(),
584 cmpfile() and new_keysetfiles() for that.
586 * func Config parameter added to choose if the domain name is
587 right or left justified listed by dnssec-zkt (printkeyinfo).
589 * func New class of key added ("sep"). A SEP key is a (public) key file
590 without the private counterpart. So we could use the key solely
591 as an secure entry point. (dki.h, dki_read).
593 zkt 0.70 -- 15. Sep 2005
595 * func Experimental code added to use a binary search tree instead of a
596 single linked list. This is mainly for performance improvement for large
597 sites. If you don't want to use it, set USE_TREE in config.h to zero.
598 In the first step only dnssec-zkt use the new data structure.
599 The tree is build over the domain names and each node is the starting point
600 of a linked list of keys.
601 As a result, it's not possible anymore to search on key tags only. You have
602 to specify the domain name plus the tag. :-(
604 * func Function parseurl added.
606 * func Experimental code to register a new ksk. Currently it's more like
607 a key announcement because of the lack of identification and
610 zkt 0.65 -- 22. Aug 2005
612 * misc Rewrite of the domaincmp() function. Now it's round about 2 times faster.
613 After some additional changes and the compiler option -O3 the dnssec-zkt
614 on the ~ 12000 zones requires only a minute
615 $ time dnssec-zkt -z -r sec > /dev/null
620 * func A keyset directory is introduced (experimental)
621 The parameter -d is added to the call of the dnssec-signzone command
622 if the config option KeySetDir is set.
623 As a result, all dsset-, keyset- and dlvset- files are stored in one directory.
624 The advantage is, that the chain of trust of all local subzone is build
625 automatically (This is the reason why we sort the zones with the child zones
627 The disadvantage is that we store many files in single directory (3 files
630 zkt 0.64 -- 1. Aug 2005
632 * bug The code for option -Z of dnssec-zkt should be executed before we read the
633 complete directory tree. This is usefull if we have a very deep directory
634 structure and the recursive flag is switched on.
636 * func SIG_Pseudorand parameter added.
638 * func ([KZ]SK)|(SIG)_randfile parameter added.
640 * func measure the time used for signing of each zone.
642 * bug function logflush() added to misc.c and called by dosigning().
644 * misc some perfomance test made:
645 - Directory structure "sec/<firstletter>/domain" with round about 12200 domains
646 - One of the domain is a big one (~ 820000 RRs), the others are mostly very small ones
647 - We use a dsa with 704 bits as ksk and a rsamd5 with 512 bits as zsk on each domain.
648 - All test made on Sun Fire V440 with 4 CPU and 4x2GB main memory
650 # sequential signing of all zones
651 $ time dnssec-signer -v -v -f -D sec
652 real 434m (~ 7h 14min)
656 # with option -p and -r /dev/urandom
657 $ time dnssec-signer -v -v -f -D sec > log
662 # one process for each firstletter subdirectory
668 # with option -p and -r /dev/urandom
675 $ time dnssec-zkt -z -r sec > /dev/null
681 # signing the big (820000 RR) domain only
682 $ time dnssec-signer -v -v -f -D sec/b/big-domain
683 real 196m23.165 (~ 3h 16min)
687 # with option -p and -r /dev/urandom
688 $ time dnssec-signer -v -v -f -D sec/b/big-domain
693 zkt 0.63 -- 14. June 2005
695 * bug allow TTL value in keyfiles (see TTL_IN_KEYFILES_ALLOWED
698 * misc function strchop() added to misc.c.
700 zkt 0.62 -- 13. May 2005
702 * func dnssec-signer: Option -o added.
703 Now it works a bit more like dnssec-signzone.
705 * func strlist.c: prepstrlist and unprepstrlist functions get a
706 second parameter for the delimiter.
708 * bug fixed some typos and inaccurate usage of symbolic constants.
709 Doing some housekeeping.
711 zkt 0.61 -- 3. May 2005
713 * bug local config file will not be mentioned if -N switch is used.
715 zkt 0.6 -- 1. May 2005
717 * doc dnssec-signer: man page added.
719 * func dnssec-signer: Print out a warning message if ksk lifetime is exceeded.
721 * func dnssec-signer: Remaining arguments will be interpreted as zone names
722 (in_strarr () added).
724 * func dnssec-signer: Option -D added.
727 zkt 0.51 -- 8. April 2005
729 * func dnssec-signer: Option -N added.
731 * func dnssec-signer: change of keystatus from pre-published to active
732 resets timestamp of key, thus age of active key counts 0.
734 * bug prepstrlist: resulting string was not terminated with '\0'.
736 * bug dnssec-signer: do signing if there are additional keys, or the
737 status of any key is changed (function check_keytimestamp).
739 * func dnssec-zkt: -l <list> option added.
741 * func dnssec-zkt: -p flag defaults to on in key creation mode (-C).