forked from CZ-NIC/knot

NEWS
Knot DNS 3.3.0 (2023-08-28)
===========================
Features:
---------
- knotd: full DNS over QUIC (DoQ, RFC 9250) implementation, also without XDP
- knotd: bidirectional XFR over QUIC (XoQ) support with opportunistic, strict,
and mutual authentication profiles
- knotd: automatic reverse PTR records pre-generation (see 'zone.reverse-generate')
- knotd: new per zone statistic counters 'zone.size' and 'zone.max-ttl'
- knotd: new primary server pinning (see 'zone.master-pin-tolerance')
- knotd: new SOA serial modulo policy (see 'zone.serial-modulo')
- knotd: new multi-signer operation mode (see 'policy.dnskey-sync' and 'DNSSEC multi-signer')
- kdig: support for EDNS presentation format, also in JSON mode (see '+optpresent')
- kxdpgun: new TCP/QUIC debug mode 'R' for connection reuse
- kxdpgun: new XDP mode parameter '--mode' (Thanks to Jan Včelák)
- kxdpgun: new parameter '--qlog' for qlog destination specification
- kzonecheck: new '--print' parameter for dumping the zone on stdout
Improvements:
-------------
- knotd: secondary can be configured not to forward DDNS (see 'zone.ddns-master')
- knotd: extended support for UNIX socket configuration (remote, acl)
- knotd: stats no longer dump empty or zero counters
- knotd: new 'keys-updated' D-Bus event
- knotd: added transport protocol information to outgoing event and nameserver logs
- knotd: server cleans up stale LMDB readers when opening a RW transaction
- knotd,kzonecheck: semantic check allows DS only at delegation point
- knotc: new zone backup filters '+quic' and '+noquic' for QUIC key backup
- mod-dnstap: DNS over QUIC traffic is marked as QUIC
- kxdpgun: QUIC connections are closed by default
- libs: upgraded embedded libngtcp2 to 0.18.0
- kdig: QUIC, TLS, or HTTPS protocol is printed in the final statistics
- doc: new sections 'DNS over QUIC' and 'DNSSEC multi-signer'
- doc: various improvements
Bugfixes:
---------
- knotd: server can crash if a shared module is loaded and dynamic configuration used
- knotd: inaccurate transfer size is logged if EDNS EXPIRE, PADDING, or TSIG is present
- knotd: subsequent addition and removal to catalog zone isn't handled properly
- knotc: configuration import fails if an explicit shared module is configured
- utils: database transactions not properly closed when terminated prematurely
- kdig: double-free on some malformed responses over QUIC #869
- kdig: some TLS parameters override QUIC parameters
- libs: NULL record with empty RDATA isn't allowed
- tests: dthreads destructor test sometimes fails
Compatibility:
--------------
- knotd: responses to forwarded DDNS requests are signed with local TSIG key
- knotd: NOTIFY-initiated refresh tries all configured addresses of the remote
- knotd: configuration option 'xdp.quic-log' was replaced with 'log.quic'
- libs: removed embedded libbpf, an external one is necessary for XDP
- libs: DNS over QUIC implementation only supports 'doq' ALPN
- ctl: removed 'Version: ' prefix from 'status version' output
- modules: reduced parameters of 'knotd_qdata_local_addr()'
Packaging:
----------
- knot-exporter: Prometheus exporter imported from GitHub
- knot-exporter: packages for Debian, Ubuntu, and PyPI
- debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/)
- docker: upgraded to Debian bookworm-slim
Knot DNS 3.2.9 (2023-07-27)
===========================
Improvements:
-------------
- keymgr: 'import-pkcs11' not allowed if no PKCS #11 keystore backend is configured
- keymgr: more verbose key import errors
- doc: extended migration notes
- doc: various improvements
Bugfixes:
---------
- knotd: server may crash when storing changeset of a big zone migrating to/from NSEC3
- knotd: zone refresh loop when all masters are outdated and timers cleared
- knotd: failed to activate D-Bus notifications if not started as a systemd service
- kjournalprint: database transaction not properly closed when terminated prematurely
Knot DNS 3.2.8 (2023-06-26)
===========================
Improvements:
-------------
- kdig: malformed messages are parsed and printed using a best-effort approach
- python: new dname from wire initialization
Bugfixes:
---------
- knotd: missing outgoing NOTIFY upon refresh if one of multiple primaries is up-to-date
- knotd: journal loop detection can prevent zone from loading
- knotd: cryptic error message when journal is full #842
- knotd: failed to query catalog zone over UDP
- configure: libngtcp2 check wrongly requires version 0.13.0 instead of 0.13.1
Knot DNS 3.2.7 (2023-06-06)
===========================
Features:
---------
- knotd: new configuration option for preserving incoming IXFR changeset history
(see 'zone.ixfr-by-one')
Improvements:
-------------
- knotd: journal ensures the stored changeset's SOA serials are strictly increasing
- knotd: more effective handling of zero KNOT_ZONE_LOAD_TIMEOUT_SEC environment value
- knotd, kdig: incoming transfer fails if a message has the TC bit set
- knotd, kjournalprint: store or print the timestamp of changeset creation
- kxdpgun: load only necessary number of queries (Thanks to Petr Špaček)
- kxdpgun: print ratio of sent vs. requested queries (Thanks to Petr Špaček)
- kxdpgun: print percentages as floats (Thanks to Petr Špaček)
- kjournalprint: ability to print a changeset loop
- kjournalprint: added changeset serials information to '-z -d' output
- packaging: RHEL9 requires libxdp like fedora since RHEL 9.2 #844
- doc: various improvements
Bugfixes:
---------
- knotd: journal loading can get stuck in a multi-changeset loop
- knotd: missing RCU lock when reading zone through the control interface
- knotd: server start D-Bus signaling doesn't work well if the zone file is
missing, catalog zones are used, or in the async-start mode
- knotd: test suite fails on 32-bit architectures on musl 1.2 and newer #843
- knotd: failed to process zero-length messages over QUIC
- libs: compilation with embedded ngtcp2 fails if there is another ngtcp2 in the path
Knot DNS 3.2.6 (2023-04-04)
===========================
Improvements:
-------------
- libs: upgraded embedded libngtcp2 to 0.13.1
- libs: added support for building on Cygwin and MSYS (Thanks to Christopher Ng)
- mod-dnstap: improved precision of stored time values
- kdig: added option for EDNS EXPIRE (see '+expire') #836
- kdig: extended description of SOA timers in the multiline mode
- kdig: reduced latency of TLS communication
- libknot: added EDE codes 28 and 29
- doc: various improvements
Bugfixes:
---------
- knotd: generated catalog zone not updated upon server reload #834
- knotd: failed to check shared module configuration
- knotd: missing RCU registration of the statistics thread (Thanks to Qin Longfei)
- knotd: server logs failed to send QUIC packets in the XDP mode
- libs: inconsistent transformation of IPv4-Compatible IPv6 Addresses
- utils: failed to load configuration if dnstap module is enabled #831
- libknot: missing include string.h
Knot DNS 3.2.5 (2023-02-02)
===========================
Features:
---------
- knotd: new configuration option for enforcing IXFR fallback (see 'zone.provide-ixfr')
Improvements:
-------------
- knotd: changed UNIX socket file mode to 0222 for answering and 0220 for control
- mod-probe: new support for communication over a UNIX socket
- kdig: new support for communication over a UNIX socket
- libs: upgraded embedded libngtcp2 to 0.13.0
- doc: various improvements
Bugfixes:
---------
- knotd: failed to get catalog member configuration if catalog template is in a template
- knotd: failed to respond over a UNIX socket with EDNS
- knotd: unexpected zone update upon restart or zone reload if ZONEMD generation is enabled
- knotd: redundant zone flush of unchanged zone if zone file load is 'difference-no-serial'
- knotd/kxdpgun: failed to receive messages over XDP with drivers tap or ena
- knotc: zone check doesn't report missing zone file #829
- kxdpgun: program crashes when remote closes QUIC connection instead of resumption
- mod-geoip: configuration check leaks memory in the geodb mode
- utils: unwanted color reset sequences in non-color output
Knot DNS 3.2.4 (2022-12-12)
===========================
Improvements:
-------------
- knotd: significant speed-up of catalog zone update processing
- knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
- knotd: reworked zone re-bootstrap scheduling to be less progressive
- mod-synthrecord: module can work with CIDR-style reverse zones #826
- python: new libknot wrappers for some dname transformation functions
- doc: a few fixes and improvements
Bugfixes:
---------
- knotd: incomplete zone is received when IXFR falls back to AXFR due to
connection timeout if primary puts initial SOA only to the first message
- knotd: first zone re-bootstrap is planned after 24 hours
- knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog zone
- knotd: catalog zone can expire upon EDNS EXPIRE processing
- knotd: DNSSEC signing doesn't fail if no offline KSK records available
Knot DNS 3.2.3 (2022-11-20)
===========================
Improvements:
-------------
- knotd: new per-zone DS push configuration option (see 'zone.ds-push')
- libs: upgraded embedded libngtcp2 to 0.11.0
Bugfixes:
---------
- knsupdate: program crashes when sending an update
- knotd: server drops more responses over UDP under higher load
- knotd: missing EDNS padding in responses over QUIC
- knotd: some memory issues when handling unusual QUIC traffic
- kxdpgun: broken IPv4 source subnet processing
- kdig: incorrect handling of unsent data over QUIC
Knot DNS 3.2.2 (2022-11-01)
===========================
Features:
---------
- knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
- knotd: added configurable delay upon D-Bus initialization (see 'server.dbus-init-delay')
- kdig: support for JSON (RFC 8427) output format (see '+json')
- kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
Improvements:
-------------
- mod-geoip: module respects the server configuration of answer rotation
- libs: upgraded embedded libngtcp2 to 0.10.0
- tests: improved robustness of some unit tests
- doc: added description of zone bootstrap re-planning
Bugfixes:
---------
- knotd: catalog confusion when a member is added and immediately deleted #818
- knotd: defective handling of short messages with PROXYv2 header #816
- knotd: inconsistent processing of malformed messages with PROXYv2 header #817
- kxdpgun: incorrect XDP mode is logged
- packaging: outdated dependency check in RPM packages
Knot DNS 3.2.1 (2022-09-09)
===========================
Improvements:
-------------
- libknot: added compatibility with libbpf 1.0 and libxdp
- libknot: removed some trailing white space characters from textual RR format
- libs: upgraded embedded libngtcp2 to 0.8.1
Bugfixes:
---------
- knotd: some non-DNS packets not passed to OS if XDP mode enabled
- knotd: inappropriate log about QUIC port change if QUIC not enabled
- knotd/kxdpgun: various memory leaks related to QUIC and TCP
- kxdpgun: can crash at high rates in emulated XDP mode
- tests: broken XDP-TCP test on 32-bit platforms
- kdig: failed to build with enabled QUIC on OpenBSD
- systemd: failed to start server due to TemporaryFileSystem setting
- packaging: missing knot-dnssecutils package on CentOS 7
Knot DNS 3.2.0 (2022-08-22)
===========================
Features:
---------
- knotd: finalized TCP over XDP implementation
- knotd: initial implementation of DNS over QUIC in the XDP mode (see 'xdp.quic')
- knotd: new incremental DNSKEY management for multi-signer deployment (see 'policy.dnskey-management')
- knotd: support for remote grouping in configuration (see 'groups' section)
- knotd: implemented EDNS Expire option (RFC 7314)
- knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set to -1
- knotd: support for PROXY v2 protocol over UDP (Thanks to Robert Edmonds) #762
- knotd: support for key labels with PKCS #11 keystore (see 'keystore.key-label')
- knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
- keymgr: new JSON output format (see '-j' parameter) for listing keys or zones (Thanks to JP Mens)
- kxdpgun: support for DNS over QUIC with some testing modes (see '-U' parameter)
- kdig: new DNS over QUIC support (see '+quic')
Improvements:
-------------
- knotd: reduced memory consumption when processing IXFR, DNSSEC, catalog, or DDNS
- knotd: RRSIG refresh values don't have to match in the mode Offline KSK
- knotd: better decision whether AXFR fallback is needed upon a refresh error
- knotd: NSEC3 resalt event was merged with the DNSSEC event
- knotd: server logs when the connection to remote was taken from the pool
- knotd: server logs zone expiration time when the zone is loaded
- knotd: DS check verifies removal of old DS during algorithm rollover
- knotd: DNSSEC-related records can be updated via DDNS
- knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
- knotd: outgoing NOTIFY is replanned if failed
- knotd: configuration checks if zone MIN interval values are lower than or equal to MAX ones
- knotd: DNSSEC-related zone semantic checks use DNSSEC validation
- knotd: new configuration value 'query' for setting ACL action
- knotd: new check on near end of imported Offline KSK records
- knotd/knotc: implemented zone catalog purge, including orphaned member zones
- knotc: interactive mode supports catalog zone completion, value completion, and more
- knotc: new default brief and colorized output from zone status
- knotc: unified empty values in zone status output
- keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
- kjournalprint: path to journal DB is automatically taken from the configuration,
which can be specified using '-c', '-C' (or '-D')
- kcatalogprint: path to catalog DB is automatically taken from the configuration,
which can be specified using '-c', '-C' (or '-D')
- kzonesign: added automatic configuration file detection and '-C' parameter
for configuration DB specification
- kzonesign: all CPU threads are used for DNSSEC validation
- libknot: dname pointer cannot point to another dname pointer when encoding RRsets #765
- libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to Robert Edmonds) #780
- libknot: reduced memory consumption of the XDP mode
- libknot: XDP filter supports up to 256 NIC queues
- kxdpgun: new options for specifying source and remote MAC addresses
- utils: extended logging of LMDB-related errors
- utils: improved error outputs
- kdig: query has AD bit set by default
- doc: various improvements
Bugfixes:
---------
- knotd: zone changeset is stored to journal even if disabled
- knotd: journal not applied to zone file if zone file changed during reload
- knotd: possible out-of-order processing or postponing of zone events to the far future
- knotd: incorrect TTL is used if updated RRSet is empty over control interface
- knotd/libs: serial arithmetic not used for RRSIG expiration processing
- knsupdate: incorrect RRTYPE in the question section
Compatibility:
--------------
- knotd: default value for 'zone.journal-max-depth' was lowered to 20
- knotd: default value for 'policy.nsec3-iterations' was lowered to 0
- knotd: default value for 'policy.rrsig-refresh' is propagation delay + zone maximum TTL
- knotd: server fails to load configuration if 'policy.rrsig-refresh' is too low
- knotd: configuration option 'server.listen-xdp' has no effect
- knotd: new configuration check on deprecated DNSSEC algorithm
- knotc: new '-e' parameter for full zone status output
- keymgr: new '-e' parameter for full key list output
- keymgr: brief key listing mode is enabled by default
- keymgr: renamed parameter '-d' to '-D'
- knsupdate: default TTL is set to 3600
- knsupdate: default zone is empty
- kjournalprint: renamed parameter '-c' to '-H'
- python/libknot: removed compatibility with Python 2
Packaging:
----------
- systemd: removed knot.tmpfile
- systemd: added some hardening options
- distro: Debian 9 and Ubuntu 16.04 no longer supported
- distro: packages for CentOS 7 are built in a separate COPR repository
- kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
Knot DNS 3.1.9 (2022-08-10)
===========================
Improvements:
-------------
- knotd: new configuration checks on unsupported catalog settings
- knotd: semantic check issues have notice log level in the soft mode
- keymgr: command generate-ksr automatically sets 'from' parameter to last
offline KSK records' timestamp if it's not specified
- keymgr: command show-offline starts from the first offline KSK record set
if 'from' parameter isn't specified
- kcatalogprint: new parameters for filtering catalog or member zone
- mod-probe: default rate limit was increased to 100000
- libknot: default control timeout was increased to 30 seconds
- python/libknot: various exceptions are raised from class KnotCtl
- doc: some improvements
Bugfixes:
---------
- knotd: incomplete outgoing IXFR is responded if journal history is inconsistent
- knotd: manually triggered zone flush is suppressed if zone synchronization is disabled
- knotd: failed to configure XDP listen interface without port specification
- knotd: de-cataloged member zone's file isn't deleted #805
- knotd: member zone leaks memory when reloading catalog during dynamic configuration change
- knotd: server can crash when reloading modules with DNSSEC signing (Thanks to iqinlongfei)
- knotd: server crashes during shutdown if PKCS #11 keystore is used
- keymgr: command del-all-old isn't applied to all keys in the removed state
- kxdpgun: user specified network interface isn't used
- libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)
Knot DNS 3.1.8 (2022-04-28)
===========================
Features:
---------
- knotd: optional automatic ACL for XFR and NOTIFY (see 'remote.automatic-acl')
- knotd: new soft zone semantic check mode for allowing defective zone loading
- knotc: added zone transfer freeze state to the zone status output
Improvements:
-------------
- knotd: added configuration check for serial policy of generated catalogs
Bugfixes:
---------
- knotd/libknot: the server can crash when validating a malformed TSIG record
- knotd: outgoing zone transfer freeze not preserved during server reload
- knotd: catalog UPDATE not processed if previous UPDATE processing not finished #790
- knotd: zone refresh not started if planned during server reload
- knotd: generated catalogs can be queried over UDP
- knotd/utils: failed to open LMDB database if too many stale slots occupy the lock table
Knot DNS 3.1.7 (2022-03-30)
===========================
Features:
---------
- knotd: new configuration items for restricting minimum and maximum zone expire
and retry intervals (see 'zone.expire-min-interval', 'zone.expire-max-interval',
'zone.retry-min-interval', 'zone.retry-max-interval') #785
- knotc: added catalog information to zone status
Improvements:
-------------
- knotd: better warning message if SOA serial comparison failed when loading from zone file
- knotc: zone status shows all zone events when frozen
- keymgr: better error message is returned when importing SKR with insufficient permissions
- kdig: transfer status is also printed if failed
Bugfixes:
---------
- knotd: incomplete implementation of the Offline KSK mode in the IXFR and DDNS processing
- knotd: catalog zone accepts duplicate members via UPDATE #786
- knotd: server crashes if catalog database contains orphaned member zones
- knotd: old journal is scraped when restoring just the zone file
- knotd: some planned zone events can be lost during server reload
- knotd: frozen zone gets thawed during server reload
- knsupdate: missing section names in the show output
- knsupdate: inappropriate log message if called from a script
Knot DNS 3.1.6 (2022-02-08)
===========================
Features:
---------
- knotd: optional D-Bus notifications for significant server and zone events
(see 'server.dbus-event')
- knotd: new submission configuration option for delayed KSK post-activation
(see 'submission.parent-delay')
- knotc: new commands for outgoing XFR freeze (see 'zone-xfr-freeze' and 'zone-xfr-thaw')
- kzonesign: added multithreaded DNSSEC validation mode (see '--verify')
Improvements:
-------------
- kdig: trailing data in reply packet is accepted with a warning
- kdig: XFR responses are checked if SOA owners match
- knotd: failed remote operations are logged as info instead of debug
- knsec3hash: added alternative and more natural parameter semantics
- knsupdate: interactive mode is newly based on library Editline
- Dockerfile: added UID argument to facilitate the use of unprivileged container #783
- doc: various fixes and improvements
Bugfixes:
---------
- libknot: inaccurate KNOT_DNAME_TXT_MAXLEN constant value #781
- knotd: propagation delay not considered before DS push
- knotd: excessive refresh retry delay when a few early attempts fail
- knotd: duplicate KSK submission log message during a KSK rollover
- kdig: dname letter case not preserved in XFR and Dnstap outputs
- mod-cookies: missing server cookie in responses over TCP
Knot DNS 3.1.5 (2021-12-20)
===========================
Features:
---------
- knotd: optional outgoing TCP connection pool for faster communication with remotes
(see 'server.remote-pool-limit' and 'server.remote-pool-timeout')
- knotd: optional unreachable remote tracking to avoid zone events clogging
(see 'server.remote-retry-delay')
- knotd: new ZONEMD generation mode for the record removal from the zone apex #760
(see 'zone.zonemd-generate: remove')
- mod-dnsproxy: new source address match option (see 'mod-dnsproxy.address')
- scripts/probe_dump: simple mod-probe client
Improvements:
-------------
- knotd: DS push sets DS TTL equal to DNSKEY TTL
- knotd: extended zone purge error logging
- knotd: zone file parsing error message was extended by the file name
- knotd: improved debug log message when TCP timeout is reached
- knotd: new configuration check for using the default number of NSEC3 iterations
- knotd: new configuration check for insufficient RRSIG refresh time
- mod-geoip: configuration check newly verifies the module configuration file #778
- kdig: option +notimeout or +timeout=0 is interpreted as infinity
- kdig: option +noretry is interpreted as zero retries
- python/probe: more detailed default output format
- doc: many spelling fixes (Thanks to Josh Soref)
- doc: various fixes and improvements
Bugfixes:
---------
- knotd: imperfect TCP connection closing in the XDP mode
- knotd: TCP reset packets are wrongly checked for ackno in the XDP mode
- knotd: only first zone name is logged for multi-zone control operations #776
- knotd: minor memory leak when full zone update fails to write to journal
- knotc: configuration check doesn't check a configuration database
- mod-dnstap: incorrect QNAME case restore in some corner cases (Thanks to Robert Edmonds) #777
Knot DNS 3.1.4 (2021-11-04)
===========================
Features:
---------
- mod-dnstap: added 'responses-with-queries' configuration option (Thanks to Robert Edmonds) #764
Improvements:
-------------
- knotd: DNSSEC keys are logged in sorted order by timestamp
- mod-cookies: added statistics counter for dropped queries due to the slip limit
- mod-dnstap: restored the original query QNAME case #773 (Thanks to Robert Edmonds)
- configure: improved compatibility of some scripts on macOS and BSDs
- doc: updates on DNSSEC signing
Bugfixes:
---------
- knotd: server can crash when receiving queries with NSID EDNS flag #774 (Thanks to Romain Labolle)
- knotd: server crashes on reload when no interfaces configured #770
- knotd: ZONEMD without DNSSEC not handled correctly
- knotd: generated catalog zone not updated on config reload #772
- knotd: zone catalog not verified before its interpretation
- knotd: ds-push fails to update the parent zone if a CNAME exists for a non-terminal node
Knot DNS 3.1.3 (2021-10-18)
===========================
Improvements:
-------------
- knotd: added simple error logging to orphaned zone purge
- knotd: allow manual public-only keys for unused algorithm
- kdig: send ALPN when using DoT or XoT #769
- doc: various fixes and improvements #767
Bugfixes:
---------
- knotd: catalog backup doesn't preserve version of the catalog implementation
- knotd: NOTIFY is scheduled even when DNSSEC signing is up-to-date
- knotd: server can crash when zone difference is inconsistent upon cold start
- knotd: zone not bootstrapped when zone file load failed due to an error
- knotd: broken AXFR with knot as slave and dnsmasq as master (Thanks to Daniel Gröber)
- knotd: journal not able to free up space when zone-in-journal present and zonefile written
- mod-stats: missing protocol counters for TCP over XDP
- kzonesign: input zone name not lower-cased
Knot DNS 3.1.2 (2021-09-08)
===========================
Features:
---------
- knotd: new policy configuration for postponing complete deletion of previous keys
- keymgr: new optional pretty mode (-b) of listing keys
- kdig: added support for TCP keepopen #503
Improvements:
-------------
- knotd: configuration item values can contain UTF-8 characters
- knotd: added configuration check for database storage writability
- knotd: better error reporting if zone is empty
- knotd: smaller journal database chunks in order to mitigate LMDB fragmentation
- knotd/kxdpgun: CAP_SYS_RESOURCE capability no longer needed for XDP on Linux >= 5.11
Bugfixes:
---------
- knotd: incomplete NSEC3 proof in response to opt-outed empty non-terminal
- knotd: wrong SOA serial handling when enabling signing on already existing secondary zone
- knotd: defective ZONEMD verification error reporting when loading zone #759
- knotd: server can crash when reloading catalog zone #761
- knotd: DNSSEC validation doesn't work when only NSEC3 chain changes
- knotd: DNSSEC validation doesn't check if empty non-terminal over non-opt-outed
delegation isn't opt-outed too
- knotd: ZONEMD generation doesn't cause flushing zone to disk #758
- knotd: incorrect evaluation of ACL deny rule in combination with TSIG
- knotd: failed DS-check is replanned even if no key is ready
- kdig: abort when query times out #763
- libzscanner: missing output overflow check in the SVCB parsing
Compatibility:
--------------
- keymgr: parameter -d is marked deprecated in favor of new parameter -D
- kjournalprint: parameter -n is marked deprecated in favor of new parameter -x
Knot DNS 3.1.1 (2021-08-10)
===========================
Improvements:
-------------
- keymgr: import-bind sets publish and active timers to now if missing timers #747
- mod-rrl: added QNAME, which triggered an action, to log messages #757
- systemd: added environment variable for setting maximum configuration DB size
Bugfixes:
---------
- knotd: adding RRSIGs to a signed zone can lead to redundant RRSIGs for some NSEC(3)s
- knotd: code not compiled correctly for ARM on Fedora >= 33
- knotd: server can crash when opening catalog DB on startup
- knotd: incorrect catalog update counts in logs
- knotd: journal discontinuity and zone-in-journal result in incorrectly calculated journal occupation
- kdig: +noall does not filter out AUTHORITY comment #749
- tests: journal unit test not passing if memory page size is different from 4096
Reverts:
--------
- libzscanner: reverted "omitted TTL value is correctly set to the last explicitly stated value (RFC 1035)" #751
Knot DNS 3.1.0 (2021-08-02)
===========================
Features:
---------
- knotd: automatic zone catalog generation based on actual configuration
- knotd: zone catalog supports configuration groups
- knotd: support for ZONEMD validation and generation
- knotd: basic support for TCP over XDP processing
- knotd: configuration option for enabling IP route check in the XDP mode
- knotd: support for epoll (Linux) and kqueue (*BSD, macOS) socket polling
- knotd: extended EDNS error (EDE) is added to the response if appropriate
- knotd: DNSSEC operation with extra ready public-only KSK is newly allowed
- knotd: new zone backup/restore filters for more variable component specification
- knotd: adaptive systemd service start timeout and new zone loading status #733
- knotd: configuration option for enabling TCP Fast Open on outbound communication
- knotd: when the server starts, zone NOTIFY is sent only if not sent already
- knotc: zone reload with the force flag triggers reload of the zone and its modules
- libs: support for parsing and dumping SVCB and HTTPS resource records
- kdig: support for TCP Fast Open along with DoT/DoH #549
- kxdpgun: basic support for DNS over TCP processing
- kxdpgun: current traffic statistics can be printed using a USR1 signal
- python: new libknot/probe API wrapper
Improvements:
-------------
- knotd: PID file is created even in the foreground mode
- knotd: more robust and enhanced zone data backup and restore operations
- knotd: maximum length of an XFR message is limited to 16 KiB for better compression
- knotd: maximum CNAME/DNAME chain depth per reply was decreased from 20 to 5
- knotd: improved performance of processing domain names with many short labels
- knotd: adaptive limit on the number of LMDB readers to avoid problems with many workers
- knotd: TTL of generated NSEC(3) records is set to min(SOA TTL, SOA minimum)
- knotd: TTL of generated NSEC3PARAM is equal to TTL of NSEC3 records
- knotd: maximum TCP segment size is restricted to 1220 octets on Linux #468
- knotc: various improvements in error reporting
- knotc: default control timeout is infinity in the blocking mode
- dnssec: dnskey generator tries to return a key with a unique keytag
- kxdpgun: RLIMIT_MEMLOCK is increased only if not high enough
- kxdpgun: RTNETLINK is used for getting network information instead of the ip command
Bugfixes:
---------
- knotd: DNAME not applied more than once to resolve the query #714
- knotd: root zone not correctly purged from the journal
- kzonecheck: incorrect check for opt-outed empty non-terminal nodes
- libzscanner: wrong error line number
- libzscanner: broken multiline rdata processing if an error occurs
- mod-geoip: NXDOMAIN is responded instead of NODATA #745
- make: build fails with undefined references if building using slibtool #722
Packaging:
----------
- knotd: systemd service reload uses 'kill -HUP' instead of 'knotc reload'
- kxdpgun: new library dependency libmnl
- mod-dnstap: new package separate from the knot package
- mod-geoip: new package separate from the knot package
Compatibility:
--------------
- configure: option '--enable-xdp=yes' means use an external libbpf if available
or use the embedded one
- libzscanner: omitted TTL value is correctly set to the last explicitly stated value (RFC 1035)
- knotc: zone restore from an old backup (3.0.x) requires forced operation
- knotd: configuration option 'server.listen-xdp' is replaced with 'xdp.listen'
- knotd: zone file loading with automatic SOA serial incrementation newly
  requires having the full zone in the journal
- knotd: obsolete configuration options 'zone.disable-any', 'server.tcp-handshake-timeout'
are silently ignored
- knotd: obsolete configuration options 'zone.max-zone-size', 'zone.max-journal-depth',
'zone.max-journal-usage', 'zone.max-refresh-interval', 'zone.min-refresh-interval'
'server.max-ipv4-udp-payload', 'server.max-ipv6-udp-payload', 'server.max-udp-payload',
'server.tcp-reply-timeout', 'server.max-tcp-clients' are ignored
- knotd: obsolete default template options 'template.journal-db',
'template.kasp-db', 'template.timer-db', 'template.max-journal-db-size',
'template.journal-db-mode', 'template.max-timer-db-size',
'template.max-kasp-db-size' are ignored
Knot DNS 3.0.11 (2022-04-28)
============================
Improvements:
-------------
- doc: various fixes and improvements
Bugfixes:
---------
- knotd/libknot: the server can crash when validating a malformed TSIG record
- knotd: public-only key makes DNSSEC signing fail
- knotd: frozen zone gets thawed during server reload
- knotd: zone refresh not started if planned during server reload
- knotd: some planned zone events can be lost during server reload
- knotd: propagation delay not considered before DS push
- knotd: duplicate KSK submission log message during a KSK rollover
- mod-cookies: missing server cookie in responses over TCP
- knsupdate: missing section names in the show output
Knot DNS 3.0.10 (2021-11-04)
============================
Improvements:
-------------
- doc: various fixes and improvements
Bugfixes:
---------
- knotd: server can crash when receiving queries with NSID EDNS flag #774 (Thanks to Romain Labolle)
- knotd: ds-push fails to update the parent zone if a CNAME exists for a non-terminal node
- knotd: server crashes on reload when no interfaces configured #770
- knotd: journal not able to free up space when zone-in-journal present and zonefile written
- knotd: broken AXFR with knot as slave and dnsmasq as master (Thanks to Daniel Gröber)
- knotd: server can crash when zone difference is inconsistent upon cold start
- mod-stats: missing protocol counters for TCP over XDP
- kzonesign: input zone name not lower-cased
Knot DNS 3.0.9 (2021-09-09)
===========================
Improvements:
-------------
- keymgr: import-bind sets publish and active timers to now if missing timers #747
Bugfixes:
---------
- knotd: incomplete NSEC3 proof in response to opt-outed empty non-terminal
- knotd: journal discontinuity and zone-in-journal result in incorrectly calculated journal occupation
- knotd: incorrect evaluation of ACL deny rule in combination with TSIG
- knotd: failed DS-check is replanned even if no key is ready
- knotd: root zone not correctly purged from the journal
- kdig: +noall does not filter out AUTHORITY comment #749
Knot DNS 3.0.8 (2021-07-16)
===========================
Features:
---------
- knotc: new command for loading DNSSEC keys without dropping all RRSIGs when re-signing
- knotd: new policy configuration option for disabling some DNSSEC safety features #741
- mod-geoip: new dnssec and policy configuration options
Bugfixes:
---------
- knotd: early KSK removal during a KSK rollover if automatic KSK submission check
is enabled and DNSKEY TTL is lower than the corresponding DS TTL
- knotd: failed to generate a new DNSKEY if previously generated shared key not available
- knotd: periodical error logging when a PKCS #11 keystore failed to initialize #742
- knotd: zone commit doesn't check for missing SOA record
Knot DNS 3.0.7 (2021-06-16)
===========================
Features:
---------
- knotd: new configuration policy option for CDS digest algorithm setting #738
- keymgr: new command for primary SOA serial manipulation in on-secondary signing mode
Improvements:
-------------
- knotd: improved algorithm rollover to shorten the last step of old RRSIG publication
Bugfixes:
---------
- knotd: zone is flushed upon server start even though DNSSEC signing is up-to-date
- knotd: wildcard nonexistence is proved on empty-non-terminal query
- knotd: redundant wildcard proof for non-authoritative data in a reply
- knotd: missing wildcard proofs in a wildcard-cname loop reply
- knotd: incorrectly synthesized CNAME owner from a wildcard record #715
- knotd: zone-in-journal changeset ignores journal-max-usage limit #736
- knotd: incorrect processing of zone-in-journal changeset with SOA serial 0
- knotd: broken initialization of processing workers if SO_REUSEPORT(_LB) not available
- kjournalprint: reported journal usage is incorrect #736
- keymgr: cannot parse algorithm name ed448 #739
- keymgr: default key size not set properly
- kdig: failed to process huge DoH responses
- libknot/probe: some corner-case bugs
Knot DNS 3.0.6 (2021-05-12)
===========================
Features:
---------
- mod-probe: new module for simple traffic logging (Python API not yet included)
Improvements:
-------------
- keymgr: new mode for listing zones with at least one key stored
- keymgr: the pregenerate command accepts optional timestamp-from parameter
- kzonecheck: accept '-' as substitution for standard input #727
- knotd: print an error when unable to change owner of a logging file
- knotd: new warning log if no interface is configured
- knotd: new signing policy check for NSEC3 iterations higher than 20
- knotd: don't allow backup to/restore from the DB storage directory
- Various code (mostly zone backup/restore), tests, and documentation improvements
Bugfixes:
---------
- knotd: secondary fails to load zone file if HTTPS or SVCB record is present #725
- knotd: (KSK roll-over) new KSK is not signing DNSKEY long enough before DS submission
- knotd: (KSK roll-over) old KSK uselessly published after roll-over finished
- knotd: malformed address in TCP-related logs when listening on a UNIX socket
- knotd: server responds FORMERR instead of BADTIME if TSIG signed time is zero #730
- modules: incorrect local and remote addresses in the XDP mode
- modules: failed to read configuration from a section without identifiers
- mod-synthrecord: queries on synthesized empty-non-terminals not answered with NODATA
- keymgr: confusing error if del-all-old command fails
Knot DNS 3.0.5 (2021-03-25)
===========================
Improvements:
-------------
- kdig: added support for TCP Fast Open on FreeBSD
- keymgr: the SEP flag can be changed on already generated keys
- Some documentation improvements
Bugfixes:
---------
- knotd: journal contents can be considered malformed after changeset merge
- knotd: broken detection of TCP Fast Open availability
- knotd: zone restore can get stuck in an infinite loop if zone configuration changed
- knotd: failed zone backup makes control socket unavailable
- knotd: zone not stored to journal after reload if difference-no-serial is enabled
- knotd: old key is being used after an algorithm rollover with a shared policy #721
- keymgr: keytag not recomputed upon key flag change
- kdig: TCP not used if +fastopen is set
- mod-dnstap: the local address is empty
- kzonecheck: missing letter lower-casing of the origin parameter
- XDP mode wrongly detected on NetBSD
- Failed to build knotd_stdio fuzzing utility
Knot DNS 3.0.4 (2021-01-20)
===========================
Improvements:
-------------
- Binding of sockets to CPUs is no longer enabled by default but can be enabled
  via new configuration option 'server.socket-affinity'
- Some documentation improvements
Bugfixes:
---------
- DNS queries without EDNS to the root zone apex are dropped in the XDP mode
- Deterministic ECDSA signing leaks memory
- Zone not stored to journal if zonefile-load isn't ZONEFILE_LOAD_WHOLE
- Server crashes if the catalog zone isn't configured for registered member zones
- Server crashes when loading conflicting catalog member zones
- CNAME and DNAME records below delegation are not ignored #713
- Not all udp/tcp workers are used if the number of NIC queues is lower than
the number of udp/tcp workers
- Failed to load statistics and geoip modules if built as shared
Knot DNS 3.0.3 (2020-12-15)
===========================
Features:
---------
- Kjournalprint can display changesets starting from specific SOA serial
Improvements:
-------------
- New configuration check on ambiguous 'storage' specification #706
- New configuration check on problematic 'zonefile-load' with 'journal-contents' combination
- Server logs positive ACL check in debug severity level (Thanks to Andreas Schrägle)
- More verbose logging of failed zone backup
- Extended documentation for catalog zones
Bugfixes:
---------
- On-slave signing produces broken NSEC(3) chain if glue node becomes (un-)orphaned #705
- Server responds CNAME query with NXDOMAIN for CNAME synthesized from DNAME
- Kdig crashes if source address and dnstap logging are specified together #702
- Knotc fails to display error returned from zone freeze or zone thaw
- Dynamically reconfigured zone isn't loaded upon configuration commit
- Keymgr is unable to import BIND-style private key if it contains empty lines
- Zone backup fails to backup keys if any of them is public-only
- Failed to build with XDP support on Debian testing
Knot DNS 3.0.2 (2020-11-11)
===========================
Features:
---------
- kdig prints Extended DNS Error (Gift for Marek Vavruša)
- kxdpgun allows source IP address/subnet specification
Improvements:
-------------
- Server doesn't start if any of the listen addresses fails to bind
- knotc no longer stores empty and adjacent identical commands to interactive history
- Depth of interactive history of knotc was increased to 1000 commands
- keymgr prints error messages to stderr instead of stdout
- keymgr checks for proper offline-ksk configuration before processing KSR or SKR
- keymgr imports Revoked timer from BIND keys
- Additional XDP support detection in server
- Lots of spelling and grammar fixes in documentation (Thanks to Paul Dee)
- Some documentation improvements
Bugfixes:
---------
- If multiple masters are configured, zone retransfer triggers AXFR from all masters
- Server can fail to bind address during restart due to missing SO_REUSEADDR
- KSK imported from BIND doesn't roll over automatically
- libdnssec respects local GnuTLS policy — affects DNSSEC operations and Knot Resolver
- kdig can get stuck in an infinite loop when solving BADCOOKIE responses
- Zone names received over control interface are not lower-cased
- Zone attributes not secured with multi-threaded changes
- kzonecheck ignores forced dnssec checks if zone not signed
- kzonecheck fails on case-sensitivity of owner names in NSEC records #699
- kdig fails to establish TLS connection #700
- Server responds NOTIMPL to queries with QDCOUNT 0 and known OPCODE
Knot DNS 3.0.1 (2020-10-10)
===========================
Features:
---------
- New command in keymgr for validation of RRSIGs in SKR
- Keymgr validates RRSIGs in SKR during import
- New option in kzonecheck to skip DNSSEC-related checks
Improvements:
-------------
- Module noudp has new configuration option for UDP truncation rate
- Better detection of reproducible signing availability
- Kxdpgun allows setting of network interface
- Default control timeout in knotc was increased to 60 seconds
- DNSSEC validation searches for invalid redundant RRSIGs
- Configuration source detection no longer considers empty confdb directory as active configuration
- Zone backup preserves original zone file if zone file synchronization is disabled
Bugfixes:
---------
- NSEC3 re-salt can cause server crash due to possible zone inconsistencies
- Zone reload logs 'invalid parameter' if zone file not changed
- Outgoing multi-message transfer can contain invalid compression pointers under specific conditions
- Improper handling of file descriptors in libdnssec
- Server crashes if no policy is configured with DNSSEC validation
- Server crashes if DNSSEC validation is enabled for unsigned zone
- Failed to build with libnghttp2 (Thanks to Robert Edmonds)
- Various bugs in zone data backup/restore
Knot DNS 3.0.0 (2020-09-09)
===========================
Features:
---------
- High-performance networking mode using XDP sockets (requires Linux 4.18+)
- Support for Catalog zones including kcatalogprint utility
- New DNSSEC validation mode
- New kzonesign utility — an interface for manual DNSSEC signing
- New kxdpgun utility — high-performance DNS over UDP traffic generator for Linux
- DoH support in kdig using GnuTLS and libnghttp2
- New KSK revoked state (RFC 5011) in manual DNSSEC key management mode
- Deterministic signing with ECDSA algorithms (requires GnuTLS 3.6.10+)
- Module synthrecord supports reverse pointer shortening
- Safe persistent zone data backup and restore
Improvements:
-------------
- Processing depth of CNAME and DNAME chains is limited to 20
- Non-FQDN is allowed as 'update-owner-name' configuration option value
- Kdig prints detailed algorithm identifier for PRIVATEDNS and PRIVATEOID
in multiline mode #334
- Queries with QTYPE ANY or RRSIG are always responded with at most one random RRSet
- The statistics module has negligible performance overhead on modern CPUs
- If multithreaded zone signing is enabled, some additional zone maintenance
steps are newly parallelized
- ACL can be configured by reference to a remote
- Better CPU cache locality for higher query processing performance
- Logging to non-syslog streams contains timestamps with the timezone
- Keeping initial DNSKEY TTL and zone maximum TTL in KASP database to ensure
proper rollover timing in case of TTL changes during the rollover
- Responding FORMERR to queries with multiple OPT or TSIG records
Bugfixes:
---------
- Module onlinesign responds NXDOMAIN instead of NOERROR (NODATA) if DNSSEC not requested
- Outgoing multi-message transfer can contain invalid compression pointers under specific conditions
Knot DNS 2.9.9 (2021-04-01)
===========================
Improvements:
-------------
- keymgr: the SEP flag can be changed on already generated keys
- Some documentation improvements
Bugfixes:
---------
- knotd: journal contents can be considered malformed after changeset merge
- knotd: old key is being used after an algorithm rollover with a shared policy #721
- keymgr: keytag not recomputed upon key flag change