forked from CZ-NIC/knot
NEWS
Knot DNS 3.4.0 (2024-09-02)
===========================
Features:
---------
- knotd: full DNS over TLS (DoT, RFC 7858) implementation (see 'DNS over TLS')
- knotd: bidirectional XFR over TLS (XoT) support with opportunistic, strict,
and mutual authentication profiles
- knotd: support for DDNS over QUIC and TLS
- knotd: DNSSEC validation requires that the remaining RRSIG validity be longer than 'rrsig-refresh'
- knotd: new event for automatic DNSSEC revalidation
- knotd: if DNSSEC signing is enabled, EDNS EXPIRE is adjusted to the earliest RRSIG expiration
- knotd: added support for libdbus as an alternative to systemd dbus
(see '--enable-dbus=libdbus' configure parameter)
- knotd: new XDP-related configuration options
(see 'xdp.ring-size', 'xdp.busypoll-budget', and 'xdp.busypoll-timeout')
- knotc: new command for explicitly triggering DNSSEC validation (see 'zone-validate' command)
- keymgr: SKR verification requires that the end of DNSKEY RRSIG validity cover the next DNSKEY snapshot
- kdig: +nocrypto applies also to CERT, DS, SSHFP, DHCID, TLSA, ZONEMD, and TSIG
- knsupdate: added support for DDNS over QUIC and TLS (see '-Q' and '-S' parameters)
- kxdpgun: support for reading a binary input file (see '-B' parameter)
- kxdpgun: support for output in JSON (see '-j' parameter)
- kxdpgun: support for periodic output (see '-S' parameter)
- mod-rrl: module offers limiting of non-UDP protocols based on consumed time
(see 'mod-rrl.time-rate-limit' and 'mod-rrl.time-instant-limit')
- utils: -VV option for listing a compile-time configuration summary
Improvements:
-------------
- knotd: up to eight DDNS queries can be queued per zone when frozen
- knotd: the number of created/validated RRSIGs is logged
- knotd: overhaul of atomic operations usage
- knotd: unified DNAME semantic errors with the CNAME ones
(see 'Handling CNAME and DNAME-related updates')
- knotd: better DDNS pre-check to prevent dropping a whole batch of updates
- knotd: extended SOA presence semantic checks
- knotd: disallowed concurrent control zone and config transactions to avoid deadlock
- knotd: disallowed opening a zone transaction while a blocking command is running to avoid deadlock
- knotd: new XDP statistic counters
- knotd: remote zone serial is logged upon received incoming transfer
- knotd: zone backup stores, and zone restore checks, CPU architecture compatibility
- knotd: time configuration options support 'w', 'M', and 'y' units
- knotd: some control commands can be processed asynchronously
- knotc: zone backup overwrites an already existing backupdir in force mode
- kdig: EDNS is enabled by default
- kdig: the default EDNS payload size was lowered to 1232
- mod-rrl: completely reimplemented UDP rate limiting using an efficient
query-counting mechanism on several address prefix lengths
- mod-rrl: module no longer requires explicit configuration
- libknot: various XDP improvements and new configuration parameters
- docker: increased -D_FORTIFY_SOURCE to 3
Bugfixes:
---------
- knotd: deadlock during zone-ksk-submitted processing of a frozen zone
- kxdpgun: race condition in SIGUSR1 signal processing
- doc: parallel build is unreliable #928
Compatibility:
--------------
- configure: increase minimal GnuTLS version to 3.6.10
- configure: removed deprecated libidn 1 support
- configure: removed liburcu search fallback
- configure: required GCC or LLVM Clang compiler with C11 support
- knotd: removed already ignored obsolete configuration options
- keymgr: removed legacy parameter '--brief'
- kjournalprint: removed legacy parameter '--no-color'
- kjournalprint: removed legacy database specification without '--dir'
- kcatalogprint: removed legacy database specification without '--dir'
- packaging: CentOS 7, Debian 10, and Ubuntu 18.04 no longer supported
- doc: removed info pages
Knot DNS 3.3.9 (2024-08-26)
===========================
Improvements:
-------------
- libknot: added EDE code 30
- libknot: improved performance of knot_rrset_to_wire_extra()
- libs: upgraded embedded libngtcp2 to 1.7.0
- doc: various fixes and updates
Bugfixes:
---------
- keymgr: pregenerate clears future timestamps of old keys and creates new keys
- mod-dnsproxy: defective TSIG processing
- mod-dnsproxy: TCP not detected in the XDP mode
- kxdpgun: unsuccessful interface initialization leaks memory
- packaging: libknot not installed with python3-libknot
Knot DNS 3.3.8 (2024-07-22)
===========================
Features:
---------
- libzscanner,libknot: added support for 'dohpath' and 'ohttp' SVCB parameters
- libzscanner,libknot: added support for WALLET rrtype
- keymgr: new commands for keystore testing (see 'keystore-test' and 'keystore-bench')
- knotd: new configuration option for setting default TTL (see 'zone.default-ttl')
Improvements:
-------------
- libknot: added error codes to better describe some failures
Bugfixes:
---------
- knotd: DNSSEC signing doesn't remove NSEC records for non-authoritative nodes
- knotd: DNSSEC signing not scheduled on secondary if nothing to be reloaded
- libknot: TCP over XDP doesn't ignore SYN+ACK packets on the server side
Knot DNS 3.3.7 (2024-06-25)
===========================
Improvements:
-------------
- libs: upgraded embedded libngtcp2 to 1.6.0
Bugfixes:
---------
- knotd: insufficient metadata check can cause journal corruption
- knotd: missing zone timers initialization upon purge
- knotd: missing RCU lock in zone flush and refresh
- knotd: defective assert in zone refresh
Knot DNS 3.3.6 (2024-06-12)
===========================
Features:
---------
- knotd: configurable control socket backlog size (see 'control.backlog')
- knotd: optional configuration of congruency of generated keytags (see 'policy.keytag-modulo')
- knotc: support for exporting configuration schema in JSON (see 'conf-export') #912
- mod-dnstap: configuration of sink allows TCP address specification
Improvements:
-------------
- knotd: last-signed serial is stored in KASP even if not a secondary zone
- knotd: allowed catalog role member in a catalog template configuration
- knotd: some references in a zone configuration can be set empty to override a template
- knotd: allowed zone backup during a zone transaction
- knotd: added remote TSIG key name to outgoing event logs
- knotc: zone backup with '+keysonly' silently uses all defaults as 'off'
- kxdpgun: host name can be used for target specification
- libs: upgraded embedded libngtcp2 to 1.5.0
- doc: various fixes and updates
Bugfixes:
---------
- knotd: reset TCP connection not removed from a connection pool
- knotd: server wrongly tries to remove removed ZONEMD
- knotd: failed to parse empty list from a textual configuration
- knotd: blocking zone signing in combination with an open transaction causes a deadlock
- knotd: missing RCU lock when sending NOTIFY
- kdig: QNAME letter case isn't preserved if IDN is enabled
- kdig: failed to parse empty QNAME (do not fill question section)
- kxdpgun: floating point exception on SIGUSR1 #927
- libknot: incorrect handling of regular QUIC tokens in incoming initials
- python: failed to set an empty configuration value
Knot DNS 3.3.5 (2024-03-06)
===========================
Features:
---------
- knotd: new module mod-authsignal for automatic authenticated DNSSEC
bootstrapping records synthesis (Thanks to Peter Thomassen)
- kzonecheck: new optional ZONEMD verification (see option '-z')
Improvements:
-------------
- knotd: new DNSSEC key rollover log informs about next planned key action
- knotd, kzonecheck: added limit on non-matching keys with a duplicate keytag
- knot-exporter: added counter-type variant for each metric (Thanks to Marcel Koch)
- libs: upgraded embedded libngtcp2 to 1.3.0
- doc: various fixes and updates
Bugfixes:
---------
- knotd, kzonecheck: failed to validate RRSIG if there are multiple keys with the same keytag
- knotd, kzonecheck: failed to validate zone with multiple CSK keys
- libknot: insufficient check for malformed TCP header options over XDP
- libzscanner: incorrect alpn processing #923
Knot DNS 3.3.4 (2024-01-24)
===========================
Features:
---------
- knotd: new configuration item for clearing configuration sections (see 'clear')
- knotc: configuration import can preserve database contents (see '+nopurge' flag)
- kxdpgun: new parameter for setting UDP payload size in EDNS (see '--edns-size') #915
Improvements:
-------------
- knotd: extended configuration check for 'zonefile-load' and 'journal-content'
- knotd: lowered check limit for additional NSEC3 iterations to 0
- knotd: lowered severity level of an informational backup log
- knotd: better log message when flushing the journal
- knotd: zone restore checks if requested contents are in the provided backup
- knotc: '+quic' is default for zone backup, '+noquic' is default for zone restore
- kdig: better processing of timeouts and reduced sent datagrams over QUIC
- kdig: no retries are attempted over QUIC
- keymgr: improved compatibility with bind9-generated keys
- libs: some improvements in XDP buffer allocation
- libs: upgraded embedded libngtcp2 to 1.2.0
- doc: various fixes and updates
Bugfixes:
---------
- knotd: failed to build on macOS #909
- knotd: 'nsec3-salt-lifetime: -1' doesn't work if 'ixfr-from-axfr' is enabled
- knotd: unnecessarily updated RRSIGs if 'ixfr-from-axfr' and signing are enabled
- knotc: zone check complains about missing zone file #913
- kdig: failed to try another target address over QUIC
- libknot: infinite loop in knot_rrset_to_wire_extra() #916
Knot DNS 3.3.3 (2023-12-13)
===========================
Features:
---------
- knotd: new 'pattern' mode of ACL update owner matching (see 'acl.update-owner-match')
- knotc: new '+keysonly' filter for zone backup/restore
Improvements:
-------------
- knotd: zone purging waits for finished zone expiration for better reliability
- knotd: remote configuration considers multiple 'via' entries with the same address family
- knotd: refresh doesn't fall back from IXFR to AXFR upon a network error
- knotd: increased default for 'policy.rrsig-refresh' by (0.1 * 'rrsig-lifetime')
- knotd: new control flag 'u' for unix time output format from zone status
- knotd: extended check for inconsistent ACL settings
- knotd/libknot: simplified TCP/QUIC sweep logging
- mod-dnsproxy: all configured remote addresses are used for fallback operation
- mod-dnsproxy: module responds locally if forwarding fails instead of SERVFAIL
- libs: upgraded embedded libngtcp2 to 1.1.0
- doc: various fixes and extensions
Bugfixes:
---------
- knotd: zone backup fails due to improper backup context deinitialization #891
- knotd: failed to sign the zone if the zone's maximum TTL is too high
- knotd: malformed TCP header if used with QUIC in the generic XDP mode
- knotd: server can crash when processing new TCP connections over XDP
- knotd: incorrect initialization of TCP limits
- knotd: orphaned PEM file not deleted when key generation fails
- knotd/libknot: connection timeouts over QUIC due to incomplete retransfer handling #894
- kdig: crashed when querying DNS over TLS if TLS handshake times out #896
- kzonecheck: failed to check DS with SHA-1 or GOST if not supported by local policy
- libdnssec: failed to compile with GnuTLS if PKCS #11 support is disabled
Knot DNS 3.3.2 (2023-10-20)
===========================
Features:
---------
- knotd: support for IXFR from AXFR computation (see 'zone.ixfr-from-axfr')
- knotd: support for benevolent IXFR (see 'zone.ixfr-benevolent')
- knot-exporter: new configuration option '--no-zone-serial' #880
Improvements:
-------------
- libs: upgraded embedded libngtcp2 to 1.0.0
- knotd: added logging of new SOA serial when signing is finished
- knotd: unified some XDP-related logging
- keymgr: improved error message if a key file is not accessible
- keymgr: added offline RRSIGs validation at the end of their validity intervals
- kdig: upgraded EDNS presentation format to draft version -02
- kdig: simplified QUIC connection without extra PING frames
- kzonecheck: removed requirement that DS is at delegation point
- doc: various fixes and improvements
Bugfixes:
---------
- knotd: logged incorrect new SOA serial if 'zonefile-load: difference' is set #875
- knotd: more signing threads with a PKCS #11 keystore have no effect #876
- knotd: DNAME record returned with query domain name instead of actual name #873
- knotd: failed to import configuration file if mod-geoip is in use #881
- knotd: failed to sign an RRSet that fits in 64k only when compressed
- knotd: broken zone update context upon failed operation over control interface
- keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set
- knsupdate: incorrect processing of @ in the delete operation #879
- knot-exporter: failed to parse knotd PIDs on FreeBSD
Packaging:
----------
- docker: added support for (inter-container) D-Bus signaling
Knot DNS 3.3.1 (2023-09-11)
===========================
Improvements:
-------------
- knotd: multiple catalog groups per member are tolerated, but only one is used
- modules: added const qualifier to various function parameters #877 (Thanks to Robert Edmonds)
- libs: upgraded embedded libngtcp2 to 0.19.1
Bugfixes:
---------
- knotd: TCP over XDP fails to respond
- knotd: server can crash when adjusting a wildcard glue
- knotd: failed to forward DDNS if 'zone.master' points to 'remotes'
- knotd: broken YAML statistics if more modules are configured #874
- knotd: DDNS forwarding isn't RFC 8945 compliant
Knot DNS 3.3.0 (2023-08-28)
===========================
Features:
---------
- knotd: full DNS over QUIC (DoQ, RFC 9250) implementation, also without XDP
- knotd: bidirectional XFR over QUIC (XoQ) support with opportunistic, strict,
and mutual authentication profiles
- knotd: automatic reverse PTR records pre-generation (see 'zone.reverse-generate')
- knotd: new per zone statistic counters 'zone.size' and 'zone.max-ttl'
- knotd: new primary server pinning (see 'zone.master-pin-tolerance')
- knotd: new SOA serial modulo policy (see 'zone.serial-modulo')
- knotd: new multi-signer operation mode (see 'policy.dnskey-sync' and 'DNSSEC multi-signer')
- kdig: support for EDNS presentation format, also in JSON mode (see '+optpresent')
- kxdpgun: new TCP/QUIC debug mode 'R' for connection reuse
- kxdpgun: new XDP mode parameter '--mode' (Thanks to Jan Včelák)
- kxdpgun: new parameter '--qlog' for qlog destination specification
- kzonecheck: new '--print' parameter for dumping the zone on stdout
Improvements:
-------------
- knotd: secondary can be configured not to forward DDNS (see 'zone.ddns-master')
- knotd: extended support for UNIX socket configuration (remote, acl)
- knotd: stats no longer dump empty or zero counters
- knotd: new 'keys-updated' D-Bus event
- knotd: added transport protocol information to outgoing event and nameserver logs
- knotd: server cleans up stale LMDB readers when opening a RW transaction
- knotd,kzonecheck: semantic check allows DS only at delegation point
- knotc: new zone backup filters '+quic' and '+noquic' for QUIC key backup
- mod-dnstap: DNS over QUIC traffic is marked as QUIC
- kxdpgun: QUIC connections are closed by default
- libs: upgraded embedded libngtcp2 to 0.18.0
- kdig: QUIC, TLS, or HTTPS protocol is printed in the final statistics
- doc: new sections 'DNS over QUIC' and 'DNSSEC multi-signer'
- doc: various improvements
Bugfixes:
---------
- knotd: server can crash if a shared module is loaded and dynamic configuration is used
- knotd: inaccurate transfer size is logged if EDNS EXPIRE, PADDING, or TSIG is present
- knotd: subsequent addition to and removal from a catalog zone isn't handled properly
- knotc: configuration import fails if an explicit shared module is configured
- utils: database transactions not properly closed when terminated prematurely
- kdig: double-free on some malformed responses over QUIC #869
- kdig: some TLS parameters override QUIC parameters
- libs: NULL record with empty RDATA isn't allowed
- tests: dthreads destructor test sometimes fails
Compatibility:
--------------
- knotd: responses to forwarded DDNS requests are signed with local TSIG key
- knotd: NOTIFY-initiated refresh tries all configured addresses of the remote
- knotd: configuration option 'xdp.quic-log' was replaced with 'log.quic'
- libs: removed embedded libbpf, an external one is necessary for XDP
- libs: DNS over QUIC implementation only supports 'doq' ALPN
- ctl: removed 'Version: ' prefix from 'status version' output
- modules: reduced parameters of 'knotd_qdata_local_addr()'
Packaging:
----------
- knot-exporter: Prometheus exporter imported from GitHub
- knot-exporter: packages for Debian, Ubuntu, and PyPI
- debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/)
- docker: upgraded to Debian bookworm-slim
Knot DNS 3.2.13 (2024-06-25)
============================
Bugfixes:
---------
- knotd: insufficient metadata check can cause journal corruption
- knotd: failed to build on macOS #909
- knotd: early NSEC3 salt replanning if 'nsec3-salt-lifetime: -1'
- knotc: zone check complains about missing zone file #913
- kdig: failed to parse empty QNAME (do not fill question section)
- python: failed to set an empty configuration value
- libzscanner: incorrect alpn processing #923
- libknot: insufficient check for malformed TCP header options over XDP
- libknot: infinite loop in knot_rrset_to_wire_extra() #916
Knot DNS 3.2.12 (2023-12-19)
============================
Improvements:
-------------
- knotd: zone purging waits for finished zone expiration for better reliability
- doc: various fixes and extensions
Bugfixes:
---------
- knotd: zone backup fails due to improper backup context deinitialization #891
- knotd: failed to sign the zone if the zone's maximum TTL is too high
- knotd: malformed TCP header if used with QUIC in the generic XDP mode
- knotd: incorrect initialization of TCP limits
- knotd: orphaned PEM file not deleted when key generation fails
- knotd: server can crash when processing new TCP connections over XDP
- kdig: crashed when querying DNS over TLS if TLS handshake times out #896
- kzonecheck: failed to check DS with SHA-1 or GOST if not supported by local policy
Knot DNS 3.2.11 (2023-10-30)
============================
Improvements:
-------------
- keymgr: improved error message if a key file is not accessible
- keymgr: added offline RRSIGs validation at the end of their validity intervals
- doc: fixed some typos
Bugfixes:
---------
- knotd: DNAME record returned with query domain name instead of actual name #873
- knotd: failed to import configuration file if mod-geoip is in use #881
- knotd: failed to sign an RRSet that fits in 64k only when compressed
- keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set
- knsupdate: incorrect processing of @ in the delete operation #879
Knot DNS 3.2.10 (2023-09-11)
============================
Improvements:
-------------
- knotd: multiple catalog groups per member are tolerated, but only one is used
- knotd: server cleans up stale LMDB readers when opening a RW transaction
Bugfixes:
---------
- knotd: server can crash when adjusting a wildcard glue
- knotd: failed to forward DDNS if 'zone.master' points to 'remotes'
- knotd: subsequent addition to and removal from a catalog zone isn't handled properly
- knotd: server can crash if a shared module is loaded and dynamic configuration is used
- knotc: configuration import fails if an explicit shared module is configured
- kdig: double-free on some malformed responses over QUIC #869
- kdig: some TLS parameters override QUIC parameters
- libs: NULL record with empty RDATA isn't allowed
Knot DNS 3.2.9 (2023-07-27)
===========================
Improvements:
-------------
- keymgr: 'import-pkcs11' not allowed if no PKCS #11 keystore backend is configured
- keymgr: more verbose key import errors
- doc: extended migration notes
- doc: various improvements
Bugfixes:
---------
- knotd: server may crash when storing changeset of a big zone migrating to/from NSEC3
- knotd: zone refresh loop when all masters are outdated and timers cleared
- knotd: failed to activate D-Bus notifications if not started as a systemd service
- kjournalprint: database transaction not properly closed when terminated prematurely
Knot DNS 3.2.8 (2023-06-26)
===========================
Improvements:
-------------
- kdig: malformed messages are parsed and printed using a best-effort approach
- python: new dname initialization from wire format
Bugfixes:
---------
- knotd: missing outgoing NOTIFY upon refresh if one of several primaries is up-to-date
- knotd: journal loop detection can prevent zone from loading
- knotd: cryptic error message when journal is full #842
- knotd: failed to query catalog zone over UDP
- configure: libngtcp2 check wrongly requires version 0.13.0 instead of 0.13.1
Knot DNS 3.2.7 (2023-06-06)
===========================
Features:
---------
- knotd: new configuration option for preserving incoming IXFR changeset history
(see 'zone.ixfr-by-one')
Improvements:
-------------
- knotd: journal ensures the stored changeset's SOA serials are strictly increasing
- knotd: more effective handling of zero KNOT_ZONE_LOAD_TIMEOUT_SEC environment value
- knotd, kdig: incoming transfer fails if a message has the TC bit set
- knotd, kjournalprint: store or print the timestamp of changeset creation
- kxdpgun: load only necessary number of queries (Thanks to Petr Špaček)
- kxdpgun: print ratio of sent vs. requested queries (Thanks to Petr Špaček)
- kxdpgun: print percentages as floats (Thanks to Petr Špaček)
- kjournalprint: ability to print a changeset loop
- kjournalprint: added changeset serials information to '-z -d' output
- packaging: RHEL9 requires libxdp like fedora since RHEL 9.2 #844
- doc: various improvements
Bugfixes:
---------
- knotd: journal loading can get stuck in a multi-changeset loop
- knotd: missing RCU lock when reading zone through the control interface
- knotd: server start D-Bus signaling doesn't work well if the zone file is
missing, catalog zones are used, or in the async-start mode
- knotd: test suite fails on 32bit architectures on musl 1.2 and newer #843
- knotd: failed to process zero-length messages over QUIC
- libs: compilation with embedded ngtcp2 fails if there is another ngtcp2 in the path
Knot DNS 3.2.6 (2023-04-04)
===========================
Improvements:
-------------
- libs: upgraded embedded libngtcp2 to 0.13.1
- libs: added support for building on Cygwin and MSYS (Thanks to Christopher Ng)
- mod-dnstap: improved precision of stored time values
- kdig: added option for EDNS EXPIRE (see '+expire') #836
- kdig: extended description of SOA timers in the multiline mode
- kdig: reduced latency of TLS communication
- libknot: added EDE codes 28 and 29
- doc: various improvements
Bugfixes:
---------
- knotd: generated catalog zone not updated upon server reload #834
- knotd: failed to check shared module configuration
- knotd: missing RCU registration of the statistics thread (Thanks to Qin Longfei)
- knotd: server logs failed to send QUIC packets in the XDP mode
- libs: inconsistent transformation of IPv4-Compatible IPv6 Addresses
- utils: failed to load configuration if dnstap module is enabled #831
- libknot: missing include string.h
Knot DNS 3.2.5 (2023-02-02)
===========================
Features:
---------
- knotd: new configuration option for enforcing IXFR fallback (see 'zone.provide-ixfr')
Improvements:
-------------
- knotd: changed UNIX socket file mode to 0222 for answering and 0220 for control
- mod-probe: new support for communication over a UNIX socket
- kdig: new support for communication over a UNIX socket
- libs: upgraded embedded libngtcp2 to 0.13.0
- doc: various improvements
Bugfixes:
---------
- knotd: failed to get catalog member configuration if catalog template is in a template
- knotd: failed to respond over a UNIX socket with EDNS
- knotd: unexpected zone update upon restart or zone reload if ZONEMD generation is enabled
- knotd: redundant zone flush of unchanged zone if zone file load is 'difference-no-serial'
- knotd/kxdpgun: failed to receive messages over XDP with drivers tap or ena
- knotc: zone check doesn't report missing zone file #829
- kxdpgun: program crashes when remote closes QUIC connection instead of resumption
- mod-geoip: configuration check leaks memory in the geodb mode
- utils: unwanted color reset sequences in non-color output
Knot DNS 3.2.4 (2022-12-12)
===========================
Improvements:
-------------
- knotd: significant speed-up of catalog zone update processing
- knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
- knotd: reworked zone re-bootstrap scheduling to be less progressive
- mod-synthrecord: module can work with CIDR-style reverse zones #826
- python: new libknot wrappers for some dname transformation functions
- doc: a few fixes and improvements
Bugfixes:
---------
- knotd: incomplete zone is received when IXFR falls back to AXFR due to
connection timeout if primary puts initial SOA only to the first message
- knotd: first zone re-bootstrap is planned after 24 hours
- knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog zone
- knotd: catalog zone can expire upon EDNS EXPIRE processing
- knotd: DNSSEC signing doesn't fail if no offline KSK records are available
Knot DNS 3.2.3 (2022-11-20)
===========================
Improvements:
-------------
- knotd: new per-zone DS push configuration option (see 'zone.ds-push')
- libs: upgraded embedded libngtcp2 to 0.11.0
Bugfixes:
---------
- knsupdate: program crashes when sending an update
- knotd: server drops more responses over UDP under higher load
- knotd: missing EDNS padding in responses over QUIC
- knotd: some memory issues when handling unusual QUIC traffic
- kxdpgun: broken IPv4 source subnet processing
- kdig: incorrect handling of unsent data over QUIC
Knot DNS 3.2.2 (2022-11-01)
===========================
Features:
---------
- knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
- knotd: added configurable delay upon D-Bus initialization (see 'server.dbus-init-delay')
- kdig: support for JSON (RFC 8427) output format (see '+json')
- kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
Improvements:
-------------
- mod-geoip: module respects the server configuration of answer rotation
- libs: upgraded embedded libngtcp2 to 0.10.0
- tests: improved robustness of some unit tests
- doc: added description of zone bootstrap re-planning
Bugfixes:
---------
- knotd: catalog confusion when a member is added and immediately deleted #818
- knotd: defective handling of short messages with PROXYv2 header #816
- knotd: inconsistent processing of malformed messages with PROXYv2 header #817
- kxdpgun: incorrect XDP mode is logged
- packaging: outdated dependency check in RPM packages
Knot DNS 3.2.1 (2022-09-09)
===========================
Improvements:
-------------
- libknot: added compatibility with libbpf 1.0 and libxdp
- libknot: removed some trailing white space characters from textual RR format
- libs: upgraded embedded libngtcp2 to 0.8.1
Bugfixes:
---------
- knotd: some non-DNS packets not passed to OS if XDP mode enabled
- knotd: inappropriate log about QUIC port change if QUIC not enabled
- knotd/kxdpgun: various memory leaks related to QUIC and TCP
- kxdpgun: can crash at high rates in emulated XDP mode
- tests: broken XDP-TCP test on 32-bit platforms
- kdig: failed to build with enabled QUIC on OpenBSD
- systemd: failed to start server due to TemporaryFileSystem setting
- packaging: missing knot-dnssecutils package on CentOS 7
Knot DNS 3.2.0 (2022-08-22)
===========================
Features:
---------
- knotd: finalized TCP over XDP implementation
- knotd: initial implementation of DNS over QUIC in the XDP mode (see 'xdp.quic')
- knotd: new incremental DNSKEY management for multi-signer deployment (see 'policy.dnskey-management')
- knotd: support for remote grouping in configuration (see 'groups' section)
- knotd: implemented EDNS Expire option (RFC 7314)
- knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set to -1
- knotd: support for PROXY v2 protocol over UDP (Thanks to Robert Edmonds) #762
- knotd: support for key labels with PKCS #11 keystore (see 'keystore.key-label')
- knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
- keymgr: new JSON output format (see '-j' parameter) for listing keys or zones (Thanks to JP Mens)
- kxdpgun: support for DNS over QUIC with some testing modes (see '-U' parameter)
- kdig: new DNS over QUIC support (see '+quic')
Improvements:
-------------
- knotd: reduced memory consumption when processing IXFR, DNSSEC, catalog, or DDNS
- knotd: RRSIG refresh values don't have to match in the mode Offline KSK
- knotd: better decision whether AXFR fallback is needed upon a refresh error
- knotd: NSEC3 resalt event was merged with the DNSSEC event
- knotd: server logs when the connection to remote was taken from the pool
- knotd: server logs zone expiration time when the zone is loaded
- knotd: DS check verifies removal of old DS during algorithm rollover
- knotd: DNSSEC-related records can be updated via DDNS
- knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
- knotd: outgoing NOTIFY is replanned if failed
- knotd: configuration checks if zone MIN interval values are lower or equal to MAX ones
- knotd: DNSSEC-related zone semantic checks use DNSSEC validation
- knotd: new configuration value 'query' for setting ACL action
- knotd: new check on near end of imported Offline KSK records
- knotd/knotc: implemented zone catalog purge, including orphaned member zones
- knotc: interactive mode supports catalog zone completion, value completion, and more
- knotc: new default brief and colorized output from zone status
- knotc: unified empty values in zone status output
- keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
- kjournalprint: path to journal DB is automatically taken from the configuration,
which can be specified using '-c', '-C' (or '-D')
- kcatalogprint: path to catalog DB is automatically taken from the configuration,
which can be specified using '-c', '-C' (or '-D')
- kzonesign: added automatic configuration file detection and '-C' parameter
for configuration DB specification
- kzonesign: all CPU threads are used for DNSSEC validation
- libknot: dname pointer cannot point to another dname pointer when encoding RRsets #765
- libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to Robert Edmonds) #780
- libknot: reduced memory consumption of the XDP mode
- libknot: XDP filter supports up to 256 NIC queues
- kxdpgun: new options for specifying source and remote MAC addresses
- utils: extended logging of LMDB-related errors
- utils: improved error outputs
- kdig: query has AD bit set by default
- doc: various improvements
Bugfixes:
---------
- knotd: zone changeset is stored to journal even if disabled
- knotd: journal not applied to zone file if zone file changed during reload
- knotd: possible out-of-order processing or postponed zone events to far future
- knotd: incorrect TTL is used if updated RRSet is empty over control interface
- knotd/libs: serial arithmetic not used for RRSIG expiration processing
- knsupdate: incorrect RRTYPE in the question section
Compatibility:
--------------
- knotd: default value for 'zone.journal-max-depth' was lowered to 20
- knotd: default value for 'policy.nsec3-iterations' was lowered to 0
- knotd: default value for 'policy.rrsig-refresh' is propagation delay + zone maximum TTL
- knotd: server fails to load configuration if 'policy.rrsig-refresh' is too low
- knotd: configuration option 'server.listen-xdp' has no effect
- knotd: new configuration check on deprecated DNSSEC algorithm
- knotc: new '-e' parameter for full zone status output
- keymgr: new '-e' parameter for full key list output
- keymgr: brief key listing mode is enabled by default
- keymgr: renamed parameter '-d' to '-D'
- knsupdate: default TTL is set to 3600
- knsupdate: default zone is empty
- kjournalprint: renamed parameter '-c' to '-H'
- python/libknot: removed compatibility with Python 2
Packaging:
----------
- systemd: removed knot.tmpfile
- systemd: added some hardening options
- distro: Debian 9 and Ubuntu 16.04 no longer supported
- distro: packages for CentOS 7 are built in a separate COPR repository
- kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
Knot DNS 3.1.9 (2022-08-10)
===========================
Improvements:
-------------
- knotd: new configuration checks on unsupported catalog settings
- knotd: semantic check issues have notice log level in the soft mode
- keymgr: command generate-ksr automatically sets 'from' parameter to last
offline KSK records' timestamp if it's not specified
- keymgr: command show-offline starts from the first offline KSK record set
if 'from' parameter isn't specified
- kcatalogprint: new parameters for filtering catalog or member zone
- mod-probe: default rate limit was increased to 100000
- libknot: default control timeout was increased to 30 seconds
- python/libknot: various exceptions are raised from class KnotCtl
- doc: some improvements
Bugfixes:
---------
- knotd: incomplete outgoing IXFR is responded if journal history is inconsistent
- knotd: manually triggered zone flush is suppressed if zone synchronization is disabled
- knotd: failed to configure XDP listen interface without port specification
- knotd: de-cataloged member zone's file isn't deleted #805
- knotd: member zone leaks memory when reloading catalog during dynamic configuration change
- knotd: server can crash when reloading modules with DNSSEC signing (Thanks to iqinlongfei)
- knotd: server crashes during shutdown if PKCS #11 keystore is used
- keymgr: command del-all-old isn't applied to all keys in the removed state
- kxdpgun: user specified network interface isn't used
- libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)
Knot DNS 3.1.8 (2022-04-28)
===========================
Features:
---------
- knotd: optional automatic ACL for XFR and NOTIFY (see 'remote.automatic-acl')
- knotd: new soft zone semantic check mode for allowing defective zone loading
- knotc: added zone transfer freeze state to the zone status output
Improvements:
-------------
- knotd: added configuration check for serial policy of generated catalogs
Bugfixes:
---------
- knotd/libknot: the server can crash when validating a malformed TSIG record
- knotd: outgoing zone transfer freeze not preserved during server reload
- knotd: catalog UPDATE not processed if previous UPDATE processing not finished #790
- knotd: zone refresh not started if planned during server reload
- knotd: generated catalogs can be queried over UDP
- knotd/utils: failed to open LMDB database if too many stale slots occupy the lock table
Knot DNS 3.1.7 (2022-03-30)
===========================
Features:
---------
- knotd: new configuration items for restricting minimum and maximum zone expire
and retry intervals (see 'zone.expire-min-interval', 'zone.expire-max-interval',
'zone.retry-min-interval', 'zone.retry-max-interval') #785
- knotc: added catalog information to zone status
Improvements:
-------------
- knotd: better warning message if SOA serial comparison failed when loading from zone file
- knotc: zone status shows all zone events when frozen
- keymgr: better error message is returned when importing SKR with insufficient permissions
- kdig: transfer status is also printed if failed
Bugfixes:
---------
- knotd: incomplete implementation of the Offline KSK mode in the IXFR and DDNS processing
- knotd: catalog zone accepts duplicate members via UPDATE #786
- knotd: server crashes if catalog database contains orphaned member zones
- knotd: old journal is scraped when restoring just the zone file
- knotd: some planned zone events can be lost during server reload
- knotd: frozen zone gets thawed during server reload
- knsupdate: missing section names in the show output
- knsupdate: inappropriate log message if called from a script
Knot DNS 3.1.6 (2022-02-08)
===========================
Features:
---------
- knotd: optional D-Bus notifications for significant server and zone events
(see 'server.dbus-event')
- knotd: new submission configuration option for delayed KSK post-activation
(see 'submission.parent-delay')
- knotc: new commands for outgoing XFR freeze (see 'zone-xfr-freeze' and 'zone-xfr-thaw')
- kzonesign: added multithreaded DNSSEC validation mode (see '--verify')
Improvements:
-------------
- kdig: trailing data in reply packet is accepted with a warning
- kdig: XFR responses are checked if SOA owners match
- knotd: failed remote operations are logged as info instead of debug
- knsec3hash: added alternative and more natural parameter semantics
- knsupdate: interactive mode is newly based on library Editline
- Dockerfile: added UID argument to facilitate the use of an unprivileged container #783
- doc: various fixes and improvements
Bugfixes:
---------
- libknot: inaccurate KNOT_DNAME_TXT_MAXLEN constant value #781
- knotd: propagation delay not considered before DS push
- knotd: excessive refresh retry delay when a few early attempts fail
- knotd: duplicate KSK submission log message during a KSK rollover
- kdig: dname letter case not preserved in XFR and Dnstap outputs
- mod-cookies: missing server cookie in responses over TCP
Knot DNS 3.1.5 (2021-12-20)
===========================
Features:
---------
- knotd: optional outgoing TCP connection pool for faster communication with remotes
(see 'server.remote-pool-limit' and 'server.remote-pool-timeout')
- knotd: optional unreachable remote tracking to avoid zone events clogging
(see 'server.remote-retry-delay')
- knotd: new ZONEMD generation mode for the record removal from the zone apex #760
(see 'zone.zonemd-generate: remove')
- mod-dnsproxy: new source address match option (see 'mod-dnsproxy.address')
- scripts/probe_dump: simple mod-probe client
Improvements:
-------------
- knotd: DS push sets DS TTL equal to DNSKEY TTL
- knotd: extended zone purge error logging
- knotd: zone file parsing error message was extended by the file name
- knotd: improved debug log message when TCP timeout is reached
- knotd: new configuration check for using the default number of NSEC3 iterations
- knotd: new configuration check for insufficient RRSIG refresh time
- mod-geoip: configuration check newly verifies the module configuration file #778
- kdig: option +notimeout or +timeout=0 is interpreted as infinity
- kdig: option +noretry is interpreted as zero retries
- python/probe: more detailed default output format
- doc: many spelling fixes (Thanks to Josh Soref)
- doc: various fixes and improvements
Bugfixes:
---------
- knotd: imperfect TCP connection closing in the XDP mode
- knotd: TCP reset packets are wrongly checked for ackno in the XDP mode
- knotd: only first zone name is logged for multi-zone control operations #776
- knotd: minor memory leak when full zone update fails to write to journal
- knotc: configuration check doesn't check a configuration database
- mod-dnstap: incorrect QNAME case restore in some corner cases (Thanks to Robert Edmonds) #777
Knot DNS 3.1.4 (2021-11-04)
===========================
Features:
---------
- mod-dnstap: added 'responses-with-queries' configuration option (Thanks to Robert Edmonds) #764
Improvements:
-------------
- knotd: DNSSEC keys are logged in sorted order by timestamp
- mod-cookies: added statistics counter for dropped queries due to the slip limit
- mod-dnstap: restored the original query QNAME case #773 (Thanks to Robert Edmonds)
- configure: improved compatibility of some scripts on macOS and BSDs
- doc: updates on DNSSEC signing
Bugfixes:
---------
- knotd: server can crash when receiving queries with NSID EDNS flag #774 (Thanks to Romain Labolle)
- knotd: server crashes on reload when no interfaces are configured #770
- knotd: ZONEMD without DNSSEC not handled correctly
- knotd: generated catalog zone not updated on config reload #772
- knotd: zone catalog not verified before its interpretation
- knotd: ds-push fails to update the parent zone if a CNAME exists for a non-terminal node
Knot DNS 3.1.3 (2021-10-18)
===========================
Improvements:
-------------
- knotd: added simple error logging to orphaned zone purge
- knotd: allow manual public-only keys for unused algorithm
- kdig: send ALPN when using DoT or XoT #769
- doc: various fixes and improvements #767
Bugfixes:
---------
- knotd: catalog backup doesn't preserve version of the catalog implementation
- knotd: NOTIFY is scheduled even when DNSSEC signing is up-to-date
- knotd: server can crash when zone difference is inconsistent upon cold start
- knotd: zone not bootstrapped when zone file load failed due to an error
- knotd: broken AXFR with knot as slave and dnsmasq as master (Thanks to Daniel Gröber)
- knotd: journal not able to free up space when zone-in-journal present and zonefile written
- mod-stats: missing protocol counters for TCP over XDP
- kzonesign: input zone name not lower-cased
Knot DNS 3.1.2 (2021-09-08)
===========================
Features:
---------
- knotd: new policy configuration for postponing complete deletion of previous keys
- keymgr: new optional pretty mode (-b) of listing keys
- kdig: added support for TCP keepopen #503
Improvements:
-------------
- knotd: configuration item values can contain UTF-8 characters
- knotd: added configuration check for database storage writability
- knotd: better error reporting if zone is empty
- knotd: smaller journal database chunks in order to mitigate LMDB fragmentation
- knotd/kxdpgun: CAP_SYS_RESOURCE capability no longer needed for XDP on Linux >= 5.11
Bugfixes:
---------
- knotd: incomplete NSEC3 proof in response to opt-outed empty non-terminal
- knotd: wrong SOA serial handling when enabling signing on already existing secondary zone
- knotd: defective ZONEMD verification error reporting when loading zone #759
- knotd: server can crash when reloading catalog zone #761
- knotd: DNSSEC validation doesn't work when only NSEC3 chain changes
- knotd: DNSSEC validation doesn't check if empty non-terminal over non-opt-outed
delegation isn't opt-outed too
- knotd: ZONEMD generation doesn't cause flushing zone to disk #758
- knotd: incorrect evaluation of ACL deny rule in combination with TSIG
- knotd: failed DS-check is replanned even if no key is ready
- kdig: abort when query times out #763
- libzscanner: missing output overflow check in the SVCB parsing
Compatibility:
--------------
- keymgr: parameter -d is marked deprecated in favor of new parameter -D
- kjournalprint: parameter -n is marked deprecated in favor of new parameter -x
Knot DNS 3.1.1 (2021-08-10)
===========================
Improvements:
-------------
- keymgr: import-bind sets publish and active timers to now if missing timers #747
- mod-rrl: added QNAME, which triggered an action, to log messages #757
- systemd: added environment variable for setting maximum configuration DB size
Bugfixes:
---------
- knotd: adding RRSIGs to a signed zone can lead to redundant RRSIGs for some NSEC(3)s
- knotd: code not compiled correctly for ARM on Fedora >= 33
- knotd: server can crash when opening catalog DB on startup
- knotd: incorrect catalog update counts in logs
- knotd: journal discontinuity and zone-in-journal result in incorrectly calculated journal occupation
- kdig: +noall does not filter out AUTHORITY comment #749
- tests: journal unit test not passing if memory page size is different from 4096
Reverts:
--------
- libzscanner: reverted "omitted TTL value is correctly set to the last explicitly stated value (RFC 1035)" #751
Knot DNS 3.1.0 (2021-08-02)
===========================
Features:
---------
- knotd: automatic zone catalog generation based on actual configuration
- knotd: zone catalog supports configuration groups
- knotd: support for ZONEMD validation and generation
- knotd: basic support for TCP over XDP processing
- knotd: configuration option for enabling IP route check in the XDP mode
- knotd: support for epoll (Linux) and kqueue (*BSD, macOS) socket polling
- knotd: extended EDNS error (EDE) is added to the response if appropriate
- knotd: DNSSEC operation with extra ready public-only KSK is newly allowed
- knotd: new zone backup/restore filters for more variable component specification
- knotd: adaptive systemd service start timeout and new zone loading status #733
- knotd: configuration option for enabling TCP Fast Open on outbound communication
- knotd: when the server starts, zone NOTIFY is sent only if not sent already