Changelog:
Features:
Added cert/key file configuration for TLS in kdig (Thanks to Alexander Schultz)
Improvements:
More verbose log message for offline-KSK signing
Module RRL logs affected source address subnet instead of only one source address
Extended DNSSEC policy configuration checks
Various improvements in the documentation
Bugfixes:
Excessive server load when maximum TCP clients limit is reached
Incorrect reply after zone update with a node changed from non-authoritative to delegation
Wrong error line number in a config file if it contains leading tab character
Config file error message contains unrelated parsing context
NSEC3 salt not updated when reconfigured to zero length
Kjournalprint sometimes prints a random value for per-zone occupation
Missing debug log for failed zone refresh triggered by zone notification
DS check not scheduled when reconfigured
Broken unit test on NetBSD 8.x
Changelog:
Knot DNS 2.8.2 (2019-06-05)
===========================
Features:
---------
- New blocking mode for zone event triggers in knotc
- New weighted records mode in the module geoip (Thanks to Conrad Hoffmann)
- Module noudp allows UDP allow rate configuration
Improvements:
-------------
- NSEC3 salt lifetime can be set to infinity
- New 'running' zone event status in the knotc output
- Knotc in the forced mode returns failure also if zone check emits any warning
- Ignoring PMTU information for IPv4/UDP via IP_PMTUDISC_OMIT (Thanks to Daisuke Higashi)
- Various improvements in the documentation
Bugfixes:
---------
- Broken setting of CPU affinity for UDP workers
- Unexpected results with the geoip subnet mode
- Sometimes insufficient zone adjusting
- Incoherent DNSKEY RRSIG lifetimes in SKR
- Confusing output from keymgr if an error occurs during KSR generation
- Non-functional changeset history depth limitation in kjournalprint
- Wrong processing of multiple $INCLUDE directives #646
Changelog:
Knot DNS 2.8.1 (2019-04-09)
===========================
Improvements:
-------------
- Possible zone transaction is aborted by zone events to avoid inconsistency
- Added log message if no persistent config DB is available during 'conf-begin'
- New environment setting 'KNOT_VERSION_FORMAT=release' for extended version suppression
- Various improvements in the documentation
Bugfixes:
---------
- Broken NSEC3-wildcard-nonexistence proof after NSEC3 re-salt
- Glue records under delegation are sometimes signed
- RRL doesn't work correctly on big-endian architectures
- NSEC3 not re-salted during AXFR refresh
- Failed to sign new zone contents if added dynamically #641
- NSEC3 opt-out signing doesn't work in some cases
- Broken NSEC3 chain after adding new sub-delegations
- Redundant SOA RRSIG on slave if RRSIG TTL changed on master
- Sometimes confusing log error message for NOTIFY event
- Improper include for LMDB #638
Knot DNS 2.8.0 (2019-03-05)
===========================
Features:
---------
- New offline-KSK mode of operation
- Configurable multithreaded DNSSEC signing for large zones
- Extended ACL configuration for dynamic updates
- New knotc trigger 'zone-key-rollover' for immediate DNSKEY rollover
- Added support for OPENPGPKEY, CSYNC, SMIMEA, and ZONEMD RR types
- New 'double-ds' option for CDS/CDNSKEY publication
Improvements:
-------------
- Significant speed-up of zone updates
- Knotc supports force option in the interactive mode
- Copy-on-write support for QP-trie (Thanks to Tony Finch)
- Unified and more efficient LMDB layer for journal, timer, and KASP databases
- DS check event is re-planned according to KASP even when purged timers
- Module DNS Cookies supports explicit Server Secret configuration
- Zone mtime is verified against full-precision timestamp (Thanks to Daniel Kahn Gillmor)
- Extended logging (loaded SOA serials, refresh duration, tiny cleanup)
- Relaxed fixed-length condition for DNSSEC key ID
- Extended semantic checks for DNAME and NS RR types
- Added support for FreeBSD's SO_REUSEPORT_LB
- Improved performance of geoip module
- Various improvements in the documentation
Compatibility:
--------------
- Changed configuration default for 'cds-cdnskey-publish' to 'rollover'
- Journal DB format changes are not downgrade-compatible
- Keymgr no longer prints DS for algorithm SHA-1
Changelog:
Knot DNS 2.7.6 (2019-01-23)
===========================
Improvements:
-------------
- Zone status also shows when the zone load is scheduled
- Server workers status also shows background workers utilization
- Default control timeout for knotc was increased to 10 seconds
- Pkg-config files contain auxiliary variable with library filename
Bugfixes:
---------
- Configuration commit or server reload can drop some pending zone events
- Nonempty zone journal is created even though it's disabled #635
- Zone is completely re-signed during empty dynamic update processing
- Server can crash when storing a big zone difference to the journal
- Failed to link on FreeBSD 12 with Clang
Knot DNS 2.7.5 (2019-01-07)
===========================
Features:
---------
- Keymgr supports NSEC3 salt handling
Improvements:
-------------
- Zone history in journal is dropped apon AXFR-like zone update
- Libdnssec is no longer linked against libm #628
- Libdnssec is explicitly linked against libpthread if PKCS #11 enabled #629
- Better support for libknot packaging in Python
- Manually generated KSK is 'ready' by default
- Kdig supports '+timeout' as an alias for '+time'
- Kdig supports '+nocomments' option
- Kdig no longer prints empty lines between retries
- Kdig returns failure if operations not successfully resolved#632
- Fixed repeating of the 'KSK submission, waiting for confirmation' log
- Various improvements in documentation, Dockerfile, and tests
Bugfixes:
---------
- Knotc fails to unset huge configuration section
- Kjournalprint sometimes fails to display zone journal content
- Improper timing of ZSK removal during ZSK rollover
- Missing UTC time zone indication in the 'iso' keymgr list output
- A race condition in the online signing module
Knot DNS 2.7.4 (2018-11-13)
===========================
Features:
---------
- Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)
Improvements:
-------------
- Added warning log when DNSSEC events not successfully scheduled
- New semantic check on timer values in keymgr
- DS query no longer asks other addresses if got a negative answer
- Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
- Extended logging for zone loading
- Various documentation improvements
Bugfixes:
---------
- Failed to import module configuration #613
- Improper Cflags value in libknot.pc if built with embedded LMDB #615
- IXFR doesn't fall back to AXFR if malformed reply
- DNSSEC events not correctly scheduled for empty zone updates
- During algorithm rollover old keys get removed before DS TTL expires #617
- Maximum zone's RRSIG TTL not considered during algorithm rollover #620
Knot DNS 2.7.3 (2018-10-11)
===========================
Features:
---------
- New queryacl module for query access control
- Configurable answer rrset rotation #612
- Configurable NSEC bitmap in online signing
Improvements:
-------------
- Better error logging for KASP DB operations #601
- Some documentation improvements
Bugfixes:
---------
- Keymgr "list" output doesn't show key size for ECDSA algorithms #602
- Failed to link statically with embedded LMDB
- Configuration commit causes zone reload for all zones
- The statistics module overlooks TSIG record in a request
- Improper processing of an AXFR-style-IXFR response consisting of one-record messages
- Race condition in online signing during key rollover #600
- Server can crash if geoip module is enabled in the geo mode
Knot DNS 2.7.2 (2018-08-29)
===========================
Improvements:
-------------
- Keymgr list command displays also key size
- Kjournalprint displays total occupied size in the debug mode
- Server doesn't stop if failed to load a shared module from the module directory
- Libraries libcap-ng, pthread, and dl are linked selectively if needed
Bugfixes:
---------
- Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
- Server can crash when loading zone file difference and zone-in-journal is set
- Incorrect treatment of specific queries in the module RRL
- Failed to link module Cookies as a shared library
Knot DNS 2.7.1 (2018-08-14)
===========================
Improvements:
-------------
- Added zone wire size information to zone loading log message
- Added debug log message for each unsuccessful remote address operation
- Various improvements for packaging
Bugfixes:
---------
- Incompatible handling of RRSIG TTL value when creating a DNS message
- Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
- Default configure prefix is ignored
Knot DNS 2.7.0 (2018-08-03)
===========================
Features:
---------
- New DNS Cookies module and related '+cookie' kdig option
- New module for response tailoring according to client's subnet or geographic location
- General EDNS Client Subnet support in the server
- OSS-Fuzz integration (Thanks to Jonathan Foote)
- New '+ednsopt' kdig option (Thanks to Jan Včelák)
- Online Signing support for automatic key rollover
- Non-normal file (e.g. pipe) loading support in zscanner #542
- Automatic SOA serial incrementation if non-empty zone difference
- New zone file load option for ignoring zone file's SOA serial
- New build-time option for alternative malloc specification
- Structured logging for DNSSEC key submission event
- Empty QNAME support in kdig
Improvements:
-------------
- Various library and server optimizations
- Reduced memory consumption of outgoing IXFR processing
- Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
- Online Signing properly signs delegations and CNAME records
- CDS/CDNSKEY rrset is signed with KSK instead of ZSK
- DNSSEC-related records are ignored when loading zone difference with signing enabled
- Minimum allowed RSA key length was increased to 1024
- Removed explicit dependency on Nettle
Bugfixes:
---------
- Possible uninitialized address buffer use in zscanner
- Possible index overflow during multiline record parsing in zscanner
- kdig +tls sometimes consumes 100 % CPU #561
- Single-Type Signing doesn't work with single ZSK key #566
- Zone not flushed after re-signing during zone load #594
- Server crashes when committing empty zone transaction
- Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
Compatibility:
--------------
- Removed obsolete RRL configuration
- Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
- Removed obsolete 'ixfr-from-differences' configuration option
- Removed old journal migration
- Removed module rosedb
Knot DNS 2.6.9 (2018-08-14)
===========================
Improvements:
-------------
- Added zone wire size to zone loading log message
- Added debug log message for each unsuccessful remote address operation
Bugfixes:
---------
- Zone not flushed after re-signing during zone load #594
- Server crashes when committing empty zone transaction
- Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
Knot DNS 2.6.8 (2018-07-10)
===========================
Features:
---------
- New 'import-pkcs11' command in keymgr
Improvements:
-------------
- Unixtime serial policy mimics Bind – increment if lower #593
Bugfixes:
---------
- Creeping memory consuption upon server reload #584
- Kdig incorrectly detects QNAME if 'notify' is a prefix
- Server crashes when zone sign fails #587
- CSK->KZSK rollover retires CSK early #588
- Server crashes when zone expires during outgoing multi-message transfer
- Kjournalprint doesn't convert zone name argument to lower-case
- Cannot switch to a previously used ksk-shared dnssec policy #589
Knot DNS 2.6.7 (2018-05-17)
===========================
Features:
---------
- Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to Wolfgang Jung)
Improvements:
-------------
- Trailing data indication from the packet parser (libknot)
- Better configuration check for a problematical option combination
Bugfixes:
---------
- Incomplete configuration option item name check
- Possible buffer overflow in 'knot_dname_to_str' (libknot)
- Module dnsproxy doesn't preserve letter case of QNAME
- Module dnsproxy duplicates OPT and TSIG in the non-fallback mode
Knot DNS 2.6.6 (2018-04-11)
===========================
Features:
---------
- New EDNS option counters in the statistics module
- New '+orphan' filter for the 'zone-purge' operation
Improvements:
-------------
- Reduced memory consuption of disabled statistics metrics
- Some spelling fixes (Thanks to Daniel Kahn Gillmor)
- Server no longer fails to start if MODULE_DIR doesn't exist
- Configuration include doesn't fail if empty wildcard match
- Added a configuration check for a problematical option combination
Bugfixes:
---------
- NSEC3 chain not re-created when SOA minimum TTL changed
- Failed to start server if no template is configured
- Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
- Inaccurate outgoing zone transfer size in the log message
- Invalid dname compression if empty question section
- Missing EDNS in EMALF responses
Knot DNS 2.6.5 (2018-02-12)
===========================
Features:
---------
- New 'zone-notify' command in knotc
- Kdig uses '@server' as a hostname for TLS authenticaion if '+tls-ca' is set
Improvements:
-------------
- Better heap memory trimming for zone operations
- Added proper polling for TLS operations in kdig
- Configuration export uses stdout as a default output
- Simplified detection of atomic operations
- Added '--disable-modules' configure option
- Small documentation updates
Bugfixes:
---------
- Zone retransfer doesn't work well if more masters configured
- Kdig can leak or double free memory in corner cases
- Inconsistent error outputs from dynamic configuration operations
- Failed to generate documentation on OpenBSD
Knot DNS 2.6.4 (2018-01-02)
===========================
Features:
---------
- Module synthrecord allows multiple 'network' specification
- New CSK handling support in keymgr
Improvements:
-------------
- Allowed configuration for infinite zsk lifetime
- Increased performance and security of the module synthrecord
- Signing changeset is stored into journal even if 'zonefile-load' is whole
Bugfixes:
---------
- Unintentional zone re-sign during reload if empty NSEC3 salt
- Inconsistent zone names in journald structured logs
- Malformed outgoing transfer for big zone with TSIG
- Some minor DNSSEC-related issues
Knot DNS 2.6.3 (2017-11-24)
===========================
Bugfixes:
---------
- Wrong detection of signing scheme rollover
Knot DNS 2.6.2 (2017-11-23)
===========================
Features:
---------
- CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support
Improvements:
-------------
- Allowed explicit configuration for infinite ksk lifetime
- Proper error messages instead of unclear error codes in server log
- Better support for old compilers
Bugfixes:
---------
- Unexpected reply for DS query with an owner below a delegation point
- Old dependencies in the pkg-config file
Knot DNS 2.6.1 (2017-11-02)
===========================
Features:
---------
- NSEC3 Opt-Out support in the DNSSEC signing
- New CDS/CDNSKEY publish configuration option
Improvements:
-------------
- Simplified DNSSEC log message with DNSKEY details
- +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
- New documentation sections for DNSSEC key rollovers and shared keys
- Keymgr no longer prints useless algorithm number for generated key
- Kdig prints unknown RCODE in a numeric format
- Better support for LLVM libFuzzer
Bugfixes:
---------
- Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
- Immediate zone flush not scheduled during the zone load event
- Server crashes upon dynamic zone addition if a query module is loaded
- Kdig fails to connect over TLS due to SNI is set to server IP address
- Possible out-of-bounds memory access at the end of the input
- TCP Fast Open enabled by default in kdig breaks TLS connection
Knot DNS 2.6.0 (2017-09-29)
===========================
Features:
---------
- On-slave (inline) signing support
- Automatic DNSSEC key algorithm rollover
- Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
- New 'journal-content' and 'zonefile-load' configuration options
- keymgr tries to run as user/group set in the configuration
- Public-only DNSSEC key import into KASP DB via keymgr
- NSEC3 resalt and parent DS query events are persistent in timer DB
- New processing state for a response suppression within a query module
- Enabled server side TCP Fast Open if supported
- TCP Fast Open support in kdig
Improvements:
-------------
- Better record owner compression if related to the previous rdata dname
- NSEC(3) chain is no longer recomputed whole on every update
- Remove inconsistent and unnecessary quoting in log files
- Avoiding of overlapping key rollovers at a time
- More DNSSSEC-related semantic checks
- Extended timestamp format in keymgr
Bugfixes:
---------
- Incorrect journal free space computation causing inefficient space handling
- Interface-automatic broken on Linux in the presence of asymmetric routing
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
===========================
Bugfixes:
---------
- Unintentional zone re-sign during reload if empty NSEC3 salt
- Inconsistent zone names in journald structured logs
- Malformed outgoing transfer for big zone with TSIG
- Unexpected reply for DS query with an owner below a delegation point
- Old dependencies in the pkg-config file
[...]
Only new Features & Security fixes of the previous updates are shown below
For a complete of all Improvements & Bugfixes, see:
https://gitlab.labs.nic.cz/knot/knot-dns/blob/2.5/NEWS
Knot DNS 2.5.3 (2017-07-14)
===========================
Features:
---------
- CSK rollover support for Single-Type Signing Scheme
[...]
Knot DNS 2.5.2 (2017-06-23)
===========================
Security:
---------
- CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)
Knot DNS 2.5.0 (2017-06-05)
===========================
Features:
---------
- KASP database switched from JSON files to LMDB database
- KSK rollover support using CDNSKEY and CDS in the automatic DNSSEC signing
- Dynamic module loading support with proper module API
- Journal can store full zone contents (not only differences)
- Zone freeze/thaw support
- Updated knotc zone-status output with optional column filters
- New '[no]crypto' option in kdig
- New keymgr implementation reflecting KASP database changes
- New pykeymgr for JSON-based KASP database migration
- Removed obsolete knot1to2 utility
===========================
Security:
---------
- Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)
Bugfixes:
---------
- Corner case journal fixes (huge changesets, OpenWRT operation)
Knot DNS 2.4.4 (2017-06-05)
===========================
Improvements:
-------------
- Improved error handling in kjournalprint
Bugfixes:
---------
- Zone flush not replanned upon unsuccessful flush
- Journal inconsistency after deleting deleted zone
- Zone events not rescheduled upon server reload (Thanks to Mark Warren)
- Unreliable LMDB mapsize detection in kjournalprint
- Some minor issues found by AddressSanitizer
Knot DNS 2.4.3 (2017-04-11)
===========================
Improvements:
-------------
- New 'journal-db-mode' optimization configuration option
- The default TSIG algorithm for utilities input is HMAC-SHA256
- Implemented sensible default EDNS(0) padding policy (Thanks to D. K. Gillmor)
- Added some more semantic checks on the knotc configuration operations
Bugfixes:
---------
- Missing 'zone' keyword in the YAML output
- Missing trailing dot in the keymgr DS owner output
- Journal logs 'invalid parameter' in several cases
- Some minor journal-related problems
Knot DNS 2.4.2 (2017-03-23)
===========================
Features:
---------
- Zscanner can store record comments placed on the same line
- Knotc status extension with version, configure, and workers parameters
Improvements:
-------------
- Significant incoming XFR speed-up in the case of many zones
Bugfixes:
---------
- Double OPT RR insertion when a global module returns KNOT_STATE_FAIL
- User-driven zscanner parsing logic inconsistency
- Lower serial at master doesn't trigger any errors
- Queries with too long DNAME substitution do not return YXDOMAIN response
- Incorrect elapsed time in the DDNS log
- Failed to process forwarded DDNS request with TSIG
Knot DNS 2.4.1 (2017-02-10)
===========================
Improvements:
-------------
- Speed-up of rdata addition into a huge rrset
- Introduce check of minumum timeout for next refresh
- Dnsproxy module can forward all queries without local resolving
Bugfixes:
--------
- Transfer of a huge rrset goes into an infinite loop
- Huge response over TCP contains useless TC bit instead of SERVFAIL
- Failed to build utilities with disabled daemon
- Memory leaks during keys removal
- Rough TSIG packet reservation causes early truncation
- Minor out-of-bounds string termination write in rrset dump
- Server crash during stop if failed to open timers DB
- Failed to compile on OS X older than Sierra
- Poor minimum UDP-max-size configuration check
- Failed to receive one-record-per-message IXFR-style AXFR
- Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
Knot DNS 2.4.0 (2017-01-18)
===========================
- Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
Knot DNS 2.4.0 (2017-01-18)
===========================
Bugfixes:
--------
- False positive semantic-check warning about invalid bitmap in NSEC
- Unnecessary SOA queries upon notify with up to date serial
- Timers for expired zones are reset on reload
- Zone doesn't expire when the server is down
- Failed to handle keys with duplicate keytags
- Per zone module and global module insconsistency
- Obsolete online signing module configuration
- Malformed output from kjournalprint
- Redundant SO_REUSEPORT activation on the TCP socket
- Failed to use higher number of background workers
Improvements:
-------------
- Lower memory consumption with qp-trie
- Zone events and zone timers improvements
- Print all zone names in the FQDN format
- Simplified query module interface
- Shared TCP connection between SOA query and transfer
- Response Rate Limiting as a module with statistics support
- Key filters in keymgr
Features:
---------
- New unified LMDB-based zone journal
- Server statistics support
- New statistics module for traffic measuring
- Automatic deletion of retired DNSSEC keys
- New control logging category
Set PKG_SYSCONFSUBDIR to "knot" to have all of the config files
located in the "knot" subdirectory of ${PKG_SYSCONFBASE}.
Pass ${PKG_SYSCONFBASE} to the configure script since the package's
build infrastructure automatically appends "/knot" to the value
passed in through --sysconfdir.
Remove ${PKG_SYSCONFDIR} from INSTALLATION_DIRS since it is
automatically created by the package install script.
Bump the PKGREVISION due to changes in the package install scripts.
===========================
Bugfixes:
---------
- Double free when failed to apply zone journal
- Zone bootstrap retry interval not preserved upon zone reload
- DNSSEC related records not flushed if not signed
- False semantic checks warning about incorrect type in NSEC bitmap
- Memory leak in kzonecheck
Improvements:
-------------
- All zone names are fully-qualified in log
Features:
---------
- New kjournalprint utility
Knot DNS 2.3.2 (2016-11-04)
===========================
Bugfixes:
---------
- Incorrect %s expansion for the root zone
- Failed to refresh not existing slave zone after restart
- Immediate zone refresh upon restart if refresh already scheduled
- Early zone transfer after restart if transfer already scheduled
- Not ignoring empty non-terminal parents during delegation lookup
- CD bit preservation in responses
- Compilation error on GNU/kFreeBSD
- Server crash after double zone-commit if journal error
Improvements:
-------------
- Speed-up of knotc if control operation and known socket
- Zone purge operation purges also zone timers
Features:
---------
- Simple modules don't require empty configuration section
- New zone journal path configuration option
- New timeout configuration option for module dnsproxy
===========================
Bugfixes:
---------
- Missing glue records in some responses
- Knsupdate prompt printing on non-terminal
- Mismatch between configuration policy item names and documentation
- Segfault on OS X (Sierra)
Improvements:
-------------
- Significant speed-up of conf-commit and conf-diff operations (in most cases)
- New EDNS Client Subnet libknot API
- Better semantic-checks error messages
Features:
---------
- Print TLS certificate hierarchy in kdig verbose mode
- New +subnet alias for +client
- New mod-whoami and mod-noudp modules
- New zone-purge control command
- New log-queries and log-responses options for mod-dnstap
===========================
Bugfixes:
---------
- No wildcard expansion below empty non-terminal for NSEC signed zone
- Avoid multiple loads of the same PKCS #11 module
- Fix kdig IXFR response processing if the transfer content is empty
- Don't ignore non-existing records to be removed in IXFR
Improvements:
-------------
- Refactored semantic checks and improved error messages
- Set TC flag in delegation only if mandatory glue doesn't fit the response
- Separate EDNS(0) payload size configuration for IPv4 and IPv6
Features:
---------
- DNSSEC policy can be defined in server configuration
- Automatic NSEC3 resalt according to DNSSEC policy
- Zone content editing using control interface
- Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
- DNS-over-TLS support in kdig (RFC 7858)
- EDNS(0) padding and alignment support in kdig (RFC 7830)
===========================
Bugfixes:
---------
- Fix separate logging of server and zone events
- Fix concurrent zone file flushing with many zones
- Fix possible server crash with empty hostname on OpenWRT
- Fix control timeout parsing in knotc
- Fix "Environment maxreaders limit reached" error in knotc
- Don't apply journal changes on modified zone file
- Remove broken LTO option from configure script
- Enable multiple zone names completion in interactive knotc
- Set the TC flag in a response if a glue doesn't fit the response
- Disallow server reload when there is an active configuration transaction
Improvements:
-------------
- Distinguish unavailable zones from zones with zero serial in log messages
- Log warning and error messages to standard error output in all utilities
- Document tested PKCS #11 devices
- Extended Python configuration interface
Knot DNS 2.2.0 (2016-04-26)
===========================
Bugfixes:
---------
- Fix build dependencies on FreeBSD
- Fix query/response message type setting in dnstap module
- Fix remote address retrieval from dnstap capture in kdig
- Fix global modules execution for queries hitting existing zones
- Fix execution of semantic checks after an IXFR transfer
- Fix PKCS#11 support detection at build time
- Fix kdig failure when the first AXFR message contains just the SOA record
- Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
- Mark PKCS#11 generated keys as sensitive (required by Luna SA)
- Fix error when removing the only zone from the server
- Don't abort knotc transaction when some check fails
Features:
---------
- URI and CAA resource record types support
- RRL client address based white list
- knotc interactive mode
Improvements:
-------------
- Consistent IXFR error messages
- Various fixes for better compatibility with PKCS#11 devices
- Various keymgr user interface improvements
- Better zone event scheduler performance with many zones
- New server control interface
- kdig uses local resolver if resolv.conf is empty
===========================
Bugfixes:
---------
- DNSSEC: Allow import of duplicate private key into the KASP
- DNSSEC: Avoid duplicate NSEC for Wildcard No Data answer
- Fix server crash when an incomming transfer is in progress and reload is issued
- Fix socket polling when configured with many interfaces and threads
- Fix compilation against Nettle 3.2
Improvements:
-------------
- Select correct source address for UDP messages recieved on ANY address
- Extend documentation of knotc commands
Knot DNS 2.1.0 (2016-01-14)
===========================
Features:
---------
- Per-thread UDP socket binding using SO_REUSEPORT on Linux
- Support for dynamic configuration database
- DNSSEC: Support for cryptographic tokens via PKCS #11 interface
- DNSSEC: Experimental support for online signing
Improvements:
-------------
- Support for zone file name patterns
- Configurable location of zone timer database
- Non-blocking network operations and better timeout handling
- Caching of Critical configuration values for better performance
- Logging of ACL failures
- RRL: Add rate-limit-slip zero support to drop all responses
- RRL: Document behavior for different rate-limit-slip options
- kdig: Warning instead of error on TSIG validation failure
- Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
- Remove possibly insecure server control over a network socket
- Remove implementation limit for the number of network interfaces
Bugfixes:
---------
- synth-record module: Fix application of default configuration options
- TSIG: Allow compressed TSIG name when forwarding DDNS updates
- Schedule zone bootstrap after slave zone fails to load from disk
===========================
Bugfixes:
---------
- Do not reload expired zones on 'knotc reload' and server startup
- Fix rare race-condition in event scheduling causing delayed event execution
- Fix skipping of non-authoritative nodes in NSEC proofs
- Fix TC flag setting in RRL slipped answers
- Disable domain name compression for root label
- Log via journald only when running under systemd
- Fix CNAME following when quering for NSEC RR type
- Fix refreshing of DNSSEC signatures for zone keys
- Fix binding an unavailable IPv6 address on Linux (IP_FREEBIND)
- Fix infinite loop in knotc zonestatus and memstats
- Fix memory leak in configuration on server shutdown
- Fix broken dnsproxy module
- Fix DNSSEC KASP timestamps parsing in strict POSIX environment
- fix multi value parsing on big-endian
- Adapt to Nettle 3 API break causing base64 decoding failures on big-endian
Features:
---------
- Add 'keymgr zone key ds' to show key's DS record
- Add 'keymgr tsig generate' to generate TSIG keys
- Add query module scoping to process either all queries or zone queries only
- Add support for file name globbing in config file includes
- Add 'request-edns-option' config option to add custom EDNS0 option into
server initiated queries
Improvements:
-------------
- Send minimal responses (remove NS from Authority section for NOERROR)
- Update persistent timers only on shutdown for better performance
- Allow change of RR TTL over DDNS
- Documentation fixes, updates, and improvements in formatting
- Install yparser and zscanner header files
- Improve lookup of libsystemd build dependencies
- Fix compilation warnings in endian conversion functions on OpenBSD
Knot DNS 2.0.0 (2015-06-26)
===========================
Bugfixes:
---------
- Fix lost NOTIFY message if received during zone transfer
- Disable fast zone parser when compiled in Clang (workaround for Clang bug)
- kdig: Record correct dnstap SocketProtocol when retrying over TCP
- kdig: Hide TSIG section with +noall
- Do not set AA flag for AXFR/IXFR queries
Features:
---------
- DNSSEC: separate library, switch to GnuTLS, new utilities
- DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
- Configuration: New text format in YAML, binary store in LMDB
- Zone parser: Split long TXT/SPF strings into multiple strings
- kdig: Add generic dump style option (+generic)
- Try all master servers in multi-master environment
- Improved remotes and ACLs (multiple addresses, multiple keys)
- Basic support for zone file patterns (%s to substitute zone name)
- Disable zone file synchronization by setting 'zonefile_sync' to '-1'
- knsupdate: Add input prompt in interactive mode and 'quit' command
- knsupdate: Allow TSIG algorithm specification in interactive prompt
Improvements:
-------------
- Zone dump: Do not write class for SOA record (unified with other RR types)
- Zone dump: Do not write master server address into the zone file
- Documentation: Manual pages are included in HTML and PDF
==========================
Bugfixes:
---------
- Some specific incoming IXFRs were causing server to crash
- Rare sychronization error during reload caused read-after-free
- Response synthetization module did not work properly with
DNSSEC-enabled zones
- When Knot sent AXFR when IXFR was requested, message ID and
opcode were wrong
- Knot failed to send large messages to remote control
(present since 1.5.1)
Knot DNS 1.5.2 (2014-09-08)
==========================
Bugfixes:
---------
- Some RR parsing corner cases were not handled properly
- AXFR-style IXFR was refused and had to be retransfered
- Hash character (#) was not properly escaped when storing text zone file
Knot DNS 1.5.1 (2014-08-19)
===========================
Features:
---------
- Basic support for logging using systemd journal
- DDNS: Ability to process updates in bulk
Improvements:
-------------
- Unified logging messages structure
- DNSSEC: More strict controls for signing keys
Bugfixes:
---------
- DNSSEC: DNAMEs in RDATA were not lowercased before signing
- EDNS: OPT RR were not put into responsing for some errors
- TSIG: DDNS responses were not signed with TSIG
- DDNS: Prerequisite checks failed for some inputs
- knsupdate: Zone origin was not used for deletions
Knot DNS 1.5.0 (2014-07-08)
===========================
Features:
---------
- DDNS forwarding reimplemented
Improvements:
-------------
- Transfer sizes logged in bytes if needed
- Logging outgoing NOTIFY messages
- Logging unauthorized incoming NOTIFYs
Bugfixes:
---------
- Zone flush planning after bootstrap
- Incorrect incoming AXFR message sizes
- DDNS signing changes were freed too soon, posibility of stale data
- knotc remote control key handling
Knot DNS 1.5.0-rc2 (2014-06-18)
===============================
Features:
---------
- edns-client-subnet support in kdig
- Optional asynchronous startup (config "asynchronous-start")
Improvements:
-------------
- Preempt task queue for faster reload
- Lazy zone file write after zone transfer (governed by
"zonefile-sync")
Bugfixes:
---------
- Close zone transfer after SERVFAIL response
- Incremental to full zone transfer fallback, wrong log message
- Zone events corner cases, reload replanning
Knot DNS 1.5.0-rc1 (2014-06-03)
===============================
Features:
---------
- Pluggable query processing modules
- Synthetic IPv4/IPv6 reverse/forward records (optional module)
- dnstap support in both utilities & server (optional module)
- NOTIFY message support and new TSIG section in kdig
- Zone transfer master failover
Improvements:
-------------
- Query processing and core functionality overhaul
- Performance and reduced memory footprint
- Faster zone events scheduling
- RFC compliant queries/responses in some corner cases
- Log messages
- New documentation (Sphinx)
---------------------
Features:
* Server is logging remote control commands
* 'knotc reload' doesn't refresh unchanged zones
* 'knotc -f refresh' forces zone retransfer
Bugfixes:
* Missing notifications after DDNS/automatic resign
* Zone is rebootstrapped if the zone file is unreadable
* Progressive bootstrap retry backoff
* Zone file parser allows asterisk as part of the label
* Journal maximum entry size fixes
* Sign DNSKEYs in non-apex nodes as regular RR sets
* Various spelling and typo fixes
---------------------
Bugfixes:
* Failure when expanding wildcard leading to apex and having DNSKEY records
* Failure for query to wildcard without wildcard expansion
* Bad cleanup when loading a faulty entry from a journal
* Zone file $ORIGIN and configuration comparison is case-insensitive
Features:
* Config "include" statement supports directory and includes all files within
---------------------
Bugfixes:
* AXFR/IXFR compatibility issues with tinydns/axfrdns
* Journal file is created only when needed
* Zone-related log messages are logged into correct category
* DNSSEC: Refresh signatures earlier (3 days before their expiration
with the default signature lifetime)
* Fixed RCU synchronization causing deadlock on 'knotc signzone'
* RRSIG not fitting in the additional records doesn't cause truncation
v1.4.1 - Jan 13, 2014
---------------------
Bugfixes:
* Empty APL record support
* 'zonestatus' when using immediate zone syncing
* Immediate zone syncing after reload
* Race condition writing time values to zone file
v1.4.0 - Jan 6, 2014
---------------------
Features:
* Zone SERIAL policies (INCREMENT, UNIXTIME)
Bugfixes:
* AXFR crash with specific packet
* QNAME case-sensitive since 1.4.0-rc0
* DNSSEC records over DDNS
* Semantic check fail in AXFR is only soft-error
* Journal race condition
* Notifies are sent immediately
v1.4.0-rc2 - Dec 13, 2013
-------------------------
Features:
* IDN support in Knot utilities
* DNSSEC: support for GOST algorithm
Bugfixes:
* Crash in particular additionals processing
* Race condition in event cancelation
* Journal corruption after failed transactions
* DNSSEC: fixed detection of ECDSA support
Other improvements:
* ./configure prints build configuration summary
* Pretty zone file output (DNSSEC-related data separately)
* Lower memory consumption
* config: option 'dnssec-keydir' can be set per zone
* config: option 'storage' can be set per zone
v1.4.0-rc1 - Nov 20, 2013
-------------------------
Features:
* Better logging of automatic DNSSEC events
* Support for DNSSEC key pre-publication
Bugfixes:
* Refactored zone loading
* Improved journal locking and fixed some race conditions
* Various fixes in client utilities
* Fixed memory errors in automatic DNSSEC signing
* 'dnssec-keydir' doesn't auto-enable signing
* Fixed rescheduling of zone resigns
v1.4.0-beta - Oct 28, 2013
--------------------------
Features:
* Experimental automatic DNSSEC signing
* Reduced memory usage
--------------------------
Bugfixes:
* Improved zone loading error messages
* Correct control socket permissions
* Improved log syntax documentation
* Fixed wrong assertions in DDNS prerequisites checking
* Fixed processing of some malformed DNS packets
* Fixed notify messages being ignored in some cases
v1.3.2 - Sep 30, 2013
---------------------
Bugfixes:
* Configuration option for EDNS0 max UDP payload.
* Max UDP payload from EDNS0 affected TCP responses.
* Fixed build on SLE 10.
* knotc reload did not close files included from config.
---------------------
Bugfixes:
* Response with NSID contained extra bytes after reload
* List of remotes is scanned for longest prefix match
* Multipacket TSIG signatures for transfers
* Wrongly parsed TSIG key secret without quotes
* Removed autoconf checks for extended instruction sets
v1.3.0 - Aug 5, 2013
--------------------
Features:
* Defaults for CH TXT id.server,version.server (see doc)
Bugfixes:
* Progressive interval for bootstrap retry
* Transfers randomly cancelled
* Disabling RRL on reload
* Secondary groups not initialized when dropping privileges
* Responding to DS queries for names at or below delegation points
v1.3.0-rc5 - Jul 29, 2013
-------------------------
Features:
* Much faster bootstrap of many zones
Bugfixes:
* Removed deprecated 'knotc -w' option
* Slave ignores out-of-zone records in zone
* Support for obsolete types in zone transfers
* Slave zone file names fixes
* Long transfers being randomly dropped
v1.3.0-rc4 - Jul 15, 2013
-------------------------
Features:
* --with-configdir option for default config path
* Reintroducted 'pidfile' config option
Bugfixes:
* AXFR/IXFR subsystem performance improvements
* Rescheduling of AXFR in some cases
* RRSIGs not in the same section for DS records
* Log messages leaking to syslog
* 'knotc restart' option removed due to several limitations
v1.3.0-rc3 - Jun 28, 2013
-------------------------
Features:
* Utility to estimate memory consumption (see 'knotc memstats')
* PID file is not created when running on foreground
* UNIX sockets support for knotc
* Configurable 'rundir' and 'storage'
Bugfixes:
* IXFR with an arbitrary number of diffs
* Processing of knotc TSIG keyfile
* Atomic PID file writing, removed deprecated 'knotc start'
* Performance regression when RRSIGs came before covered RRs in AXFR
v1.3.0-rc2 - Jun 14, 2013
-------------------------
Bugfixes:
* Label compression related bug
* Proper resolution of some CNAME chains
* Unstable response rate in rare cases
* Several log messages
v1.3.0-rc1 - Jun 4, 2013
---------------------------
Features:
* Faster zone parser
* Full support for EUI and ILNP resource records
* Lower memory footprint for large zones
* No compilation of zones
* Improved scheduling of zone transfers
* Logging of serials and timing information for zone transfers
* Config: 'groups' keyword allowing to create groups of remotes
* Config: 'include' keyword allowing other file includes
* Client utilities: kdig, khost, knsupdate
* Server identification using TXT/CH queries (RFC 4892)
* Improved build scripts
* Improved dname compression and performance
Bugfixes:
* Fixed creating of PID file when dropping privileges
---------------------
Bugfixes
* Updated manpage.
v1.1.3-rc1 - Dec 6, 2012
------------------------
Bugfixes
* Fixed answering DS queries (RRSIGs not together with DS, AA bit
missing).
* Fixed setting ARCOUNT in some error responses with EDNS enabled.
* Fixed crash when compiling zone zone with NSEC3PARAM but no NSEC3
and semantic checks enabled.
---------------------
Bugfixes:
* Fixed assertion failing when asking directly for a wildcard name.
v1.1.1-rc1 - Oct 23, 2012
-------------------------
Bugfixes:
* Crash after IXFR in certain cases when adding RRSIG in an IXFR.
* Fixed behaviour when incoming IXFR removes a zone cut. Previously
occluded names now become properly visible. Previously lead to a
crash when the server was asked for the previously occluded name.
* Fixed handling of zero-length strings in text zone dump. Caused the
compilation to fail.
* Fixed TSIG algorithm name comparison - the names should be in
canonical form.
* Fixed handling unknown RR types with type less than 251.
Features:
* Improved compression of packets. Out-of-zone dnames present in RDATA
were not compressed.
* Slave zones are now automatically refreshed after startup.
* Proper response to IXFR/UDP query (returns SOA in Authority section).
