- Update from version 3.1.7 to 3.2.4
- Update of rootfile
- find-dependencies run and the only thing showing as depending on the libs is knot itself.
- Changelog

Knot DNS 3.2.4 (2022-12-12)
Improvements:
- knotd: significant speed-up of catalog zone update processing
- knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
- knotd: reworked zone re-bootstrap scheduling to be less progressive
- mod-synthrecord: module can work with CIDR-style reverse zones #826
- python: new libknot wrappers for some dname transformation functions
- doc: a few fixes and improvements
Bugfixes:
- knotd: incomplete zone is received when IXFR falls back to AXFR due to connection timeout if primary puts initial SOA only to the first message
- knotd: first zone re-bootstrap is planned after 24 hours
- knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog zone
- knotd: catalog zone can expire upon EDNS EXPIRE processing
- knotd: DNSSEC signing doesn't fail if no offline KSK records available

Knot DNS 3.2.3 (2022-11-20)
Improvements:
- knotd: new per-zone DS push configuration option (see 'zone.ds-push')
- libs: upgraded embedded libngtcp2 to 0.11.0
Bugfixes:
- knsupdate: program crashes when sending an update
- knotd: server drops more responses over UDP under higher load
- knotd: missing EDNS padding in responses over QUIC
- knotd: some memory issues when handling unusual QUIC traffic
- kxdpgun: broken IPv4 source subnet processing
- kdig: incorrect handling of unsent data over QUIC

Knot DNS 3.2.2 (2022-11-01)
Features:
- knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
- knotd: added configurable delay upon D-Bus initialization (see 'server.dbus-init-delay')
- kdig: support for JSON (RFC 8427) output format (see '+json')
- kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
Improvements:
- mod-geoip: module respects the server configuration of answer rotation
- libs: upgraded embedded libngtcp2 to 0.10.0
- tests: improved robustness of some unit tests
- doc: added description of zone bootstrap re-planning
Bugfixes:
- knotd: catalog confusion when a member is added and immediately deleted #818
- knotd: defective handling of short messages with PROXYv2 header #816
- knotd: inconsistent processing of malformed messages with PROXYv2 header #817
- kxdpgun: incorrect XDP mode is logged
- packaging: outdated dependency check in RPM packages

Knot DNS 3.2.1 (2022-09-09)
Improvements:
- libknot: added compatibility with libbpf 1.0 and libxdp
- libknot: removed some trailing white space characters from textual RR format
- libs: upgraded embedded libngtcp2 to 0.8.1
Bugfixes:
- knotd: some non-DNS packets not passed to OS if XDP mode enabled
- knotd: inappropriate log about QUIC port change if QUIC not enabled
- knotd/kxdpgun: various memory leaks related to QUIC and TCP
- kxdpgun: can crash at high rates in emulated XDP mode
- tests: broken XDP-TCP test on 32-bit platforms
- kdig: failed to build with enabled QUIC on OpenBSD
- systemd: failed to start server due to TemporaryFileSystem setting
- packaging: missing knot-dnssecutils package on CentOS 7

Knot DNS 3.2.0 (2022-08-22)
Features:
- knotd: finalized TCP over XDP implementation
- knotd: initial implementation of DNS over QUIC in the XDP mode (see 'xdp.quic')
- knotd: new incremental DNSKEY management for multi-signer deployment (see 'policy.dnskey-management')
- knotd: support for remote grouping in configuration (see 'groups' section)
- knotd: implemented EDNS Expire option (RFC 7314)
- knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set to -1
- knotd: support for PROXY v2 protocol over UDP (Thanks to Robert Edmonds) #762
- knotd: support for key labels with PKCS #11 keystore (see 'keystore.key-label')
- knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
- keymgr: new JSON output format (see '-j' parameter) for listing keys or zones (Thanks to JP Mens)
- kxdpgun: support for DNS over QUIC with some testing modes (see '-U' parameter)
- kdig: new DNS over QUIC support (see '+quic')
Improvements:
- knotd: reduced memory consumption when processing IXFR, DNSSEC, catalog, or DDNS
- knotd: RRSIG refresh values don't have to match in the mode Offline KSK
- knotd: better decision whether AXFR fallback is needed upon a refresh error
- knotd: NSEC3 resalt event was merged with the DNSSEC event
- knotd: server logs when the connection to remote was taken from the pool
- knotd: server logs zone expiration time when the zone is loaded
- knotd: DS check verifies removal of old DS during algorithm rollover
- knotd: DNSSEC-related records can be updated via DDNS
- knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
- knotd: outgoing NOTIFY is replanned if failed
- knotd: configuration checks if zone MIN interval values are lower or equal to MAX ones
- knotd: DNSSEC-related zone semantic checks use DNSSEC validation
- knotd: new configuration value 'query' for setting ACL action
- knotd: new check on near end of imported Offline KSK records
- knotd/knotc: implemented zone catalog purge, including orphaned member zones
- knotc: interactive mode supports catalog zone completion, value completion, and more
- knotc: new default brief and colorized output from zone status
- knotc: unified empty values in zone status output
- keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
- kjournalprint: path to journal DB is automatically taken from the configuration, which can be specified using '-c', '-C' (or '-D')
- kcatalogprint: path to catalog DB is automatically taken from the configuration, which can be specified using '-c', '-C' (or '-D')
- kzonesign: added automatic configuration file detection and '-C' parameter for configuration DB specification
- kzonesign: all CPU threads are used for DNSSEC validation
- libknot: dname pointer cannot point to another dname pointer when encoding RRsets #765
- libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to Robert Edmonds) #780
- libknot: reduced memory consumption of the XDP mode
- libknot: XDP filter supports up to 256 NIC queues
- kxdpgun: new options for specifying source and remote MAC addresses
- utils: extended logging of LMDB-related errors
- utils: improved error outputs
- kdig: query has AD bit set by default
- doc: various improvements
Bugfixes:
- knotd: zone changeset is stored to journal even if disabled
- knotd: journal not applied to zone file if zone file changed during reload
- knotd: possible out-of-order processing or postponed zone events to far future
- knotd: incorrect TTL is used if updated RRSet is empty over control interface
- knotd/libs: serial arithmetics not used for RRSIG expiration processing
- knsupdate: incorrect RRTYPE in the question section
Compatibility:
- knotd: default value for 'zone.journal-max-depth' was lowered to 20
- knotd: default value for 'policy.nsec3-iterations' was lowered to 0
- knotd: default value for 'policy.rrsig-refresh' is propagation delay + zone maximum TTL
- knotd: server fails to load configuration if 'policy.rrsig-refresh' is too low
- knotd: configuration option 'server.listen-xdp' has no effect
- knotd: new configuration check on deprecated DNSSEC algorithm
- knotc: new '-e' parameter for full zone status output
- keymgr: new '-e' parameter for full key list output
- keymgr: brief key listing mode is enabled by default
- keymgr: renamed parameter '-d' to '-D'
- knsupdate: default TTL is set to 3600
- knsupdate: default zone is empty
- kjournalprint: renamed parameter '-c' to '-H'
- python/libknot: removed compatibility with Python 2
Packaging:
- systemd: removed knot.tmpfile
- systemd: added some hardening options
- distro: Debian 9 and Ubuntu 16.04 no longer supported
- distro: packages for CentOS 7 are built in a separate COPR repository
- kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils

Knot DNS 3.1.9 (2022-08-10)
Improvements:
- knotd: new configuration checks on unsupported catalog settings
- knotd: semantic check issues have notice log level in the soft mode
- keymgr: command generate-ksr automatically sets 'from' parameter to last offline KSK records' timestamp if it's not specified
- keymgr: command show-offline starts from the first offline KSK record set if 'from' parameter isn't specified
- kcatalogprint: new parameters for filtering catalog or member zone
- mod-probe: default rate limit was increased to 100000
- libknot: default control timeout was increased to 30 seconds
- python/libknot: various exceptions are raised from class KnotCtl
- doc: some improvements
Bugfixes:
- knotd: incomplete outgoing IXFR is responded if journal history is inconsistent
- knotd: manually triggered zone flush is suppressed if disabled zone synchronization
- knotd: failed to configure XDP listen interface without port specification
- knotd: de-cataloged member zone's file isn't deleted #805
- knotd: member zone leaks memory when reloading catalog during dynamic configuration change
- knotd: server can crash when reloading modules with DNSSEC signing (Thanks to iqinlongfei)
- knotd: server crashes during shutdown if PKCS #11 keystore is used
- keymgr: command del-all-old isn't applied to all keys in the removed state
- kxdpgun: user specified network interface isn't used
- libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)

Knot DNS 3.1.8 (2022-04-28)
Features:
- knotd: optional automatic ACL for XFR and NOTIFY (see 'remote.automatic-acl')
- knotd: new soft zone semantic check mode for allowing defective zone loading
- knotc: added zone transfer freeze state to the zone status output
Improvements:
- knotd: added configuration check for serial policy of generated catalogs
Bugfixes:
- knotd/libknot: the server can crash when validating a malformed TSIG record
- knotd: outgoing zone transfer freeze not preserved during server reload
- knotd: catalog UPDATE not processed if previous UPDATE processing not finished #790
- knotd: zone refresh not started if planned during server reload
- knotd: generated catalogs can be queried over UDP
- knotd/utils: failed to open LMDB database if too many stale slots occupy the lock table

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>