opendnssec (1.3.7-1) unstable; urgency=low

  * HSM SCA 6000 in combination with OpenCryptoki can return RSA
    key material with leading zeroes. DNSSEC does not allow
    leading zeroes in key data. You are affected by this bug if
    your DNSKEY RDATA begins with e.g. "BAABA". Normal keys begin
    with e.g. "AwEAA".  OpenDNSSEC will now sanitize incoming
    data before adding it to the DNSKEY. Do not upgrade to this
    version if you are affected by the bug.  You first need to go
    unsigned, then do the upgrade, and finally sign your zone
    again. SoftHSM and other HSMs will not produce data with
    leading zeroes and the bug will thus not affect you.

 -- Ondřej Surý <ondrej@debian.org>  Tue, 13 Mar 2012 15:23:16 +0100
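
To check whether a key is affected by the bug described in the entry above, the following added example (not part of this NEWS entry and not OpenDNSSEC's own sanitizing code) decodes the RSA public key field of a DNSKEY using the RFC 3110 layout, counts leading zero bytes in the exponent and modulus, and re-encodes the key without them. The function names are hypothetical and the sample modulus is constructed for illustration.

```python
import base64

def parse_rsa_dnskey(pubkey_b64):
    """Split an RFC 3110 RSA public key field into (exponent, modulus) bytes."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) < 3:
        raise ValueError("public key field too short")
    if raw[0] != 0:                      # one-octet exponent length
        exp_len, off = raw[0], 1
    else:                                # zero octet, then two-octet length
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    if exp_len == 0 or len(raw) <= off + exp_len:
        raise ValueError("exponent length does not fit the key data")
    return raw[off:off + exp_len], raw[off + exp_len:]

def encode_rsa_dnskey(exponent, modulus):
    """Build the base64 public key field from exponent and modulus bytes."""
    if not exponent or not modulus:
        raise ValueError("exponent and modulus must be non-empty")
    if len(exponent) <= 255:
        prefix = bytes([len(exponent)])
    else:
        prefix = b"\x00" + len(exponent).to_bytes(2, "big")
    return base64.b64encode(prefix + exponent + modulus).decode("ascii")

def check_and_sanitize(pubkey_b64):
    """Return (leading-zero counts, key field with leading zeroes stripped)."""
    exponent, modulus = parse_rsa_dnskey(pubkey_b64)
    clean_exp, clean_mod = exponent.lstrip(b"\x00"), modulus.lstrip(b"\x00")
    report = {"exponent": len(exponent) - len(clean_exp),
              "modulus": len(modulus) - len(clean_mod)}
    return report, encode_rsa_dnskey(clean_exp, clean_mod)

# Constructed sample data: a 64-byte stand-in modulus, not a real RSA key.
SAMPLE_MODULUS = bytes([0xC3]) + bytes(range(1, 64))
AFFECTED = encode_rsa_dnskey(b"\x00\x01\x00\x01", SAMPLE_MODULUS)  # "BAABA..."
NORMAL = encode_rsa_dnskey(b"\x01\x00\x01", SAMPLE_MODULUS)        # "AwEAA..."

if __name__ == "__main__":
    for name, key in (("affected", AFFECTED), ("normal", NORMAL)):
        report, clean = check_and_sanitize(key)
        print(name, key[:8], report, "->", clean[:8])
```

A non-zero count for a published key means the sanitized DNSKEY will differ from the one currently in the zone.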
