Set PKG_SYSCONFSUBDIR to "knot" to have all of the config files
located in the "knot" subdirectory of ${PKG_SYSCONFBASE}.
Pass ${PKG_SYSCONFBASE} to the configure script since the package's
build infrastructure automatically appends "/knot" to the value
passed in through --sysconfdir.
Remove ${PKG_SYSCONFDIR} from INSTALLATION_DIRS since it is
automatically created by the package install script.
Bump the PKGREVISION due to changes in the package install scripts.
===========================
Bugfixes:
---------
- Double free when failed to apply zone journal
- Zone bootstrap retry interval not preserved upon zone reload
- DNSSEC related records not flushed if not signed
- False semantic checks warning about incorrect type in NSEC bitmap
- Memory leak in kzonecheck
Improvements:
-------------
- All zone names are fully-qualified in log
Features:
---------
- New kjournalprint utility
Knot DNS 2.3.2 (2016-11-04)
===========================
Bugfixes:
---------
- Incorrect %s expansion for the root zone
- Failed to refresh not existing slave zone after restart
- Immediate zone refresh upon restart if refresh already scheduled
- Early zone transfer after restart if transfer already scheduled
- Not ignoring empty non-terminal parents during delegation lookup
- CD bit preservation in responses
- Compilation error on GNU/kFreeBSD
- Server crash after double zone-commit if journal error
Improvements:
-------------
- Speed-up of knotc if control operation and known socket
- Zone purge operation purges also zone timers
Features:
---------
- Simple modules don't require empty configuration section
- New zone journal path configuration option
- New timeout configuration option for module dnsproxy
===========================
Bugfixes:
---------
- Missing glue records in some responses
- Knsupdate prompt printing on non-terminal
- Mismatch between configuration policy item names and documentation
- Segfault on OS X (Sierra)
Improvements:
-------------
- Significant speed-up of conf-commit and conf-diff operations (in most cases)
- New EDNS Client Subnet libknot API
- Better semantic-checks error messages
Features:
---------
- Print TLS certificate hierarchy in kdig verbose mode
- New +subnet alias for +client
- New mod-whoami and mod-noudp modules
- New zone-purge control command
- New log-queries and log-responses options for mod-dnstap
===========================
Bugfixes:
---------
- No wildcard expansion below empty non-terminal for NSEC signed zone
- Avoid multiple loads of the same PKCS #11 module
- Fix kdig IXFR response processing if the transfer content is empty
- Don't ignore non-existing records to be removed in IXFR
Improvements:
-------------
- Refactored semantic checks and improved error messages
- Set TC flag in delegation only if mandatory glue doesn't fit the response
- Separate EDNS(0) payload size configuration for IPv4 and IPv6
Features:
---------
- DNSSEC policy can be defined in server configuration
- Automatic NSEC3 resalt according to DNSSEC policy
- Zone content editing using control interface
- Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
- DNS-over-TLS support in kdig (RFC 7858)
- EDNS(0) padding and alignment support in kdig (RFC 7830)
===========================
Bugfixes:
---------
- Fix separate logging of server and zone events
- Fix concurrent zone file flushing with many zones
- Fix possible server crash with empty hostname on OpenWRT
- Fix control timeout parsing in knotc
- Fix "Environment maxreaders limit reached" error in knotc
- Don't apply journal changes on modified zone file
- Remove broken LTO option from configure script
- Enable multiple zone names completion in interactive knotc
- Set the TC flag in a response if a glue doesn't fit the response
- Disallow server reload when there is an active configuration transaction
Improvements:
-------------
- Distinguish unavailable zones from zones with zero serial in log messages
- Log warning and error messages to standard error output in all utilities
- Document tested PKCS #11 devices
- Extended Python configuration interface
Knot DNS 2.2.0 (2016-04-26)
===========================
Bugfixes:
---------
- Fix build dependencies on FreeBSD
- Fix query/response message type setting in dnstap module
- Fix remote address retrieval from dnstap capture in kdig
- Fix global modules execution for queries hitting existing zones
- Fix execution of semantic checks after an IXFR transfer
- Fix PKCS#11 support detection at build time
- Fix kdig failure when the first AXFR message contains just the SOA record
- Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
- Mark PKCS#11 generated keys as sensitive (required by Luna SA)
- Fix error when removing the only zone from the server
- Don't abort knotc transaction when some check fails
Features:
---------
- URI and CAA resource record types support
- RRL client address based white list
- knotc interactive mode
Improvements:
-------------
- Consistent IXFR error messages
- Various fixes for better compatibility with PKCS#11 devices
- Various keymgr user interface improvements
- Better zone event scheduler performance with many zones
- New server control interface
- kdig uses local resolver if resolv.conf is empty
===========================
Bugfixes:
---------
- DNSSEC: Allow import of duplicate private key into the KASP
- DNSSEC: Avoid duplicate NSEC for Wildcard No Data answer
- Fix server crash when an incoming transfer is in progress and reload is issued
- Fix socket polling when configured with many interfaces and threads
- Fix compilation against Nettle 3.2
Improvements:
-------------
- Select correct source address for UDP messages received on ANY address
- Extend documentation of knotc commands
Knot DNS 2.1.0 (2016-01-14)
===========================
Features:
---------
- Per-thread UDP socket binding using SO_REUSEPORT on Linux
- Support for dynamic configuration database
- DNSSEC: Support for cryptographic tokens via PKCS #11 interface
- DNSSEC: Experimental support for online signing
Improvements:
-------------
- Support for zone file name patterns
- Configurable location of zone timer database
- Non-blocking network operations and better timeout handling
- Caching of Critical configuration values for better performance
- Logging of ACL failures
- RRL: Add rate-limit-slip zero support to drop all responses
- RRL: Document behavior for different rate-limit-slip options
- kdig: Warning instead of error on TSIG validation failure
- Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
- Remove possibly insecure server control over a network socket
- Remove implementation limit for the number of network interfaces
Bugfixes:
---------
- synth-record module: Fix application of default configuration options
- TSIG: Allow compressed TSIG name when forwarding DDNS updates
- Schedule zone bootstrap after slave zone fails to load from disk
===========================
Bugfixes:
---------
- Do not reload expired zones on 'knotc reload' and server startup
- Fix rare race-condition in event scheduling causing delayed event execution
- Fix skipping of non-authoritative nodes in NSEC proofs
- Fix TC flag setting in RRL slipped answers
- Disable domain name compression for root label
- Log via journald only when running under systemd
- Fix CNAME following when querying for NSEC RR type
- Fix refreshing of DNSSEC signatures for zone keys
- Fix binding an unavailable IPv6 address on Linux (IP_FREEBIND)
- Fix infinite loop in knotc zonestatus and memstats
- Fix memory leak in configuration on server shutdown
- Fix broken dnsproxy module
- Fix DNSSEC KASP timestamps parsing in strict POSIX environment
- Fix multi value parsing on big-endian
- Adapt to Nettle 3 API break causing base64 decoding failures on big-endian
Features:
---------
- Add 'keymgr zone key ds' to show key's DS record
- Add 'keymgr tsig generate' to generate TSIG keys
- Add query module scoping to process either all queries or zone queries only
- Add support for file name globbing in config file includes
- Add 'request-edns-option' config option to add custom EDNS0 option into
server initiated queries
Improvements:
-------------
- Send minimal responses (remove NS from Authority section for NOERROR)
- Update persistent timers only on shutdown for better performance
- Allow change of RR TTL over DDNS
- Documentation fixes, updates, and improvements in formatting
- Install yparser and zscanner header files
- Improve lookup of libsystemd build dependencies
- Fix compilation warnings in endian conversion functions on OpenBSD
Knot DNS 2.0.0 (2015-06-26)
===========================
Bugfixes:
---------
- Fix lost NOTIFY message if received during zone transfer
- Disable fast zone parser when compiled in Clang (workaround for Clang bug)
- kdig: Record correct dnstap SocketProtocol when retrying over TCP
- kdig: Hide TSIG section with +noall
- Do not set AA flag for AXFR/IXFR queries
Features:
---------
- DNSSEC: separate library, switch to GnuTLS, new utilities
- DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
- Configuration: New text format in YAML, binary store in LMDB
- Zone parser: Split long TXT/SPF strings into multiple strings
- kdig: Add generic dump style option (+generic)
- Try all master servers in multi-master environment
- Improved remotes and ACLs (multiple addresses, multiple keys)
- Basic support for zone file patterns (%s to substitute zone name)
- Disable zone file synchronization by setting 'zonefile_sync' to '-1'
- knsupdate: Add input prompt in interactive mode and 'quit' command
- knsupdate: Allow TSIG algorithm specification in interactive prompt
Improvements:
-------------
- Zone dump: Do not write class for SOA record (unified with other RR types)
- Zone dump: Do not write master server address into the zone file
- Documentation: Manual pages are included in HTML and PDF
==========================
Bugfixes:
---------
- Some specific incoming IXFRs were causing server to crash
- Rare synchronization error during reload caused read-after-free
- Response synthetization module did not work properly with
DNSSEC-enabled zones
- When Knot sent AXFR when IXFR was requested, message ID and
opcode were wrong
- Knot failed to send large messages to remote control
(present since 1.5.1)
Knot DNS 1.5.2 (2014-09-08)
==========================
Bugfixes:
---------
- Some RR parsing corner cases were not handled properly
- AXFR-style IXFR was refused and had to be retransferred
- Hash character (#) was not properly escaped when storing text zone file
Knot DNS 1.5.1 (2014-08-19)
===========================
Features:
---------
- Basic support for logging using systemd journal
- DDNS: Ability to process updates in bulk
Improvements:
-------------
- Unified logging messages structure
- DNSSEC: More strict controls for signing keys
Bugfixes:
---------
- DNSSEC: DNAMEs in RDATA were not lowercased before signing
- EDNS: OPT RRs were not put into responses for some errors
- TSIG: DDNS responses were not signed with TSIG
- DDNS: Prerequisite checks failed for some inputs
- knsupdate: Zone origin was not used for deletions
Knot DNS 1.5.0 (2014-07-08)
===========================
Features:
---------
- DDNS forwarding reimplemented
Improvements:
-------------
- Transfer sizes logged in bytes if needed
- Logging outgoing NOTIFY messages
- Logging unauthorized incoming NOTIFYs
Bugfixes:
---------
- Zone flush planning after bootstrap
- Incorrect incoming AXFR message sizes
- DDNS signing changes were freed too soon, possibility of stale data
- knotc remote control key handling
Knot DNS 1.5.0-rc2 (2014-06-18)
===============================
Features:
---------
- edns-client-subnet support in kdig
- Optional asynchronous startup (config "asynchronous-start")
Improvements:
-------------
- Preempt task queue for faster reload
- Lazy zone file write after zone transfer (governed by
"zonefile-sync")
Bugfixes:
---------
- Close zone transfer after SERVFAIL response
- Incremental to full zone transfer fallback, wrong log message
- Zone events corner cases, reload replanning
Knot DNS 1.5.0-rc1 (2014-06-03)
===============================
Features:
---------
- Pluggable query processing modules
- Synthetic IPv4/IPv6 reverse/forward records (optional module)
- dnstap support in both utilities & server (optional module)
- NOTIFY message support and new TSIG section in kdig
- Zone transfer master failover
Improvements:
-------------
- Query processing and core functionality overhaul
- Performance and reduced memory footprint
- Faster zone events scheduling
- RFC compliant queries/responses in some corner cases
- Log messages
- New documentation (Sphinx)
---------------------
Features:
* Server is logging remote control commands
* 'knotc reload' doesn't refresh unchanged zones
* 'knotc -f refresh' forces zone retransfer
Bugfixes:
* Missing notifications after DDNS/automatic resign
* Zone is rebootstrapped if the zone file is unreadable
* Progressive bootstrap retry backoff
* Zone file parser allows asterisk as part of the label
* Journal maximum entry size fixes
* Sign DNSKEYs in non-apex nodes as regular RR sets
* Various spelling and typo fixes
---------------------
Bugfixes:
* Failure when expanding wildcard leading to apex and having DNSKEY records
* Failure for query to wildcard without wildcard expansion
* Bad cleanup when loading a faulty entry from a journal
* Zone file $ORIGIN and configuration comparison is case-insensitive
Features:
* Config "include" statement supports directory and includes all files within
---------------------
Bugfixes:
* AXFR/IXFR compatibility issues with tinydns/axfrdns
* Journal file is created only when needed
* Zone-related log messages are logged into correct category
* DNSSEC: Refresh signatures earlier (3 days before their expiration
with the default signature lifetime)
* Fixed RCU synchronization causing deadlock on 'knotc signzone'
* RRSIG not fitting in the additional records doesn't cause truncation
v1.4.1 - Jan 13, 2014
---------------------
Bugfixes:
* Empty APL record support
* 'zonestatus' when using immediate zone syncing
* Immediate zone syncing after reload
* Race condition writing time values to zone file
v1.4.0 - Jan 6, 2014
---------------------
Features:
* Zone SERIAL policies (INCREMENT, UNIXTIME)
Bugfixes:
* AXFR crash with specific packet
* QNAME case-sensitive since 1.4.0-rc0
* DNSSEC records over DDNS
* Semantic check fail in AXFR is only soft-error
* Journal race condition
* Notifies are sent immediately
v1.4.0-rc2 - Dec 13, 2013
-------------------------
Features:
* IDN support in Knot utilities
* DNSSEC: support for GOST algorithm
Bugfixes:
* Crash in particular additionals processing
* Race condition in event cancelation
* Journal corruption after failed transactions
* DNSSEC: fixed detection of ECDSA support
Other improvements:
* ./configure prints build configuration summary
* Pretty zone file output (DNSSEC-related data separately)
* Lower memory consumption
* config: option 'dnssec-keydir' can be set per zone
* config: option 'storage' can be set per zone
v1.4.0-rc1 - Nov 20, 2013
-------------------------
Features:
* Better logging of automatic DNSSEC events
* Support for DNSSEC key pre-publication
Bugfixes:
* Refactored zone loading
* Improved journal locking and fixed some race conditions
* Various fixes in client utilities
* Fixed memory errors in automatic DNSSEC signing
* 'dnssec-keydir' doesn't auto-enable signing
* Fixed rescheduling of zone resigns
v1.4.0-beta - Oct 28, 2013
--------------------------
Features:
* Experimental automatic DNSSEC signing
* Reduced memory usage
--------------------------
Bugfixes:
* Improved zone loading error messages
* Correct control socket permissions
* Improved log syntax documentation
* Fixed wrong assertions in DDNS prerequisites checking
* Fixed processing of some malformed DNS packets
* Fixed notify messages being ignored in some cases
v1.3.2 - Sep 30, 2013
---------------------
Bugfixes:
* Configuration option for EDNS0 max UDP payload.
* Max UDP payload from EDNS0 affected TCP responses.
* Fixed build on SLE 10.
* knotc reload did not close files included from config.
---------------------
Bugfixes:
* Response with NSID contained extra bytes after reload
* List of remotes is scanned for longest prefix match
* Multipacket TSIG signatures for transfers
* Wrongly parsed TSIG key secret without quotes
* Removed autoconf checks for extended instruction sets
v1.3.0 - Aug 5, 2013
--------------------
Features:
* Defaults for CH TXT id.server,version.server (see doc)
Bugfixes:
* Progressive interval for bootstrap retry
* Transfers randomly cancelled
* Disabling RRL on reload
* Secondary groups not initialized when dropping privileges
* Responding to DS queries for names at or below delegation points
v1.3.0-rc5 - Jul 29, 2013
-------------------------
Features:
* Much faster bootstrap of many zones
Bugfixes:
* Removed deprecated 'knotc -w' option
* Slave ignores out-of-zone records in zone
* Support for obsolete types in zone transfers
* Slave zone file names fixes
* Long transfers being randomly dropped
v1.3.0-rc4 - Jul 15, 2013
-------------------------
Features:
* --with-configdir option for default config path
* Reintroduced 'pidfile' config option
Bugfixes:
* AXFR/IXFR subsystem performance improvements
* Rescheduling of AXFR in some cases
* RRSIGs not in the same section for DS records
* Log messages leaking to syslog
* 'knotc restart' option removed due to several limitations
v1.3.0-rc3 - Jun 28, 2013
-------------------------
Features:
* Utility to estimate memory consumption (see 'knotc memstats')
* PID file is not created when running on foreground
* UNIX sockets support for knotc
* Configurable 'rundir' and 'storage'
Bugfixes:
* IXFR with an arbitrary number of diffs
* Processing of knotc TSIG keyfile
* Atomic PID file writing, removed deprecated 'knotc start'
* Performance regression when RRSIGs came before covered RRs in AXFR
v1.3.0-rc2 - Jun 14, 2013
-------------------------
Bugfixes:
* Label compression related bug
* Proper resolution of some CNAME chains
* Unstable response rate in rare cases
* Several log messages
v1.3.0-rc1 - Jun 4, 2013
---------------------------
Features:
* Faster zone parser
* Full support for EUI and ILNP resource records
* Lower memory footprint for large zones
* No compilation of zones
* Improved scheduling of zone transfers
* Logging of serials and timing information for zone transfers
* Config: 'groups' keyword allowing to create groups of remotes
* Config: 'include' keyword allowing other file includes
* Client utilities: kdig, khost, knsupdate
* Server identification using TXT/CH queries (RFC 4892)
* Improved build scripts
* Improved dname compression and performance
Bugfixes:
* Fixed creating of PID file when dropping privileges
---------------------
Bugfixes:
* Updated manpage.
v1.1.3-rc1 - Dec 6, 2012
------------------------
Bugfixes:
* Fixed answering DS queries (RRSIGs not together with DS, AA bit
missing).
* Fixed setting ARCOUNT in some error responses with EDNS enabled.
* Fixed crash when compiling zone with NSEC3PARAM but no NSEC3
and semantic checks enabled.
---------------------
Bugfixes:
* Fixed assertion failing when asking directly for a wildcard name.
v1.1.1-rc1 - Oct 23, 2012
-------------------------
Bugfixes:
* Crash after IXFR in certain cases when adding RRSIG in an IXFR.
* Fixed behaviour when incoming IXFR removes a zone cut. Previously
occluded names now become properly visible. Previously led to a
crash when the server was asked for the previously occluded name.
* Fixed handling of zero-length strings in text zone dump. Caused the
compilation to fail.
* Fixed TSIG algorithm name comparison - the names should be in
canonical form.
* Fixed handling unknown RR types with type less than 251.
Features:
* Improved compression of packets. Out-of-zone dnames present in RDATA
were not compressed.
* Slave zones are now automatically refreshed after startup.
* Proper response to IXFR/UDP query (returns SOA in Authority section).