./net/knot, Knot (auth) DNS server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.8.3, Package name: knot-2.8.3, Maintainer: pettai

Knot DNS is a high-performance authoritative-only DNS server
which supports all key features of the domain name system including
zone transfers, dynamic updates and DNSSEC.


Required to run:
[security/gnutls] [devel/libidn] [devel/userspace-rcu] [textproc/jansson] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 1af4446d9a27d5202dfb5ad20408c3fae9798015
RMD160: ced1cffefdf808a2807b0ba6147a62ffdab4dbe0
Filesize: 1177.902 KB

Version history: (Expand)


CVS history: (Expand)


   2019-11-03 12:45:59 by Roland Illig | Files touched by this commit (255)
Log message:
net: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.
   2019-08-21 16:19:00 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 2.8.3

Changelog:

Features:

        Added cert/key file configuration for TLS in kdig (Thanks to Alexander \ 
Schultz)

Improvements:

        More verbose log message for offline-KSK signing
        Module RRL logs affected source address subnet instead of only one \ 
source address
        Extended DNSSEC policy configuration checks
        Various improvements in the documentation

Bugfixes:

        Excessive server load when maximum TCP clients limit is reached
        Incorrect reply after zone update with a node changed from \ 
non-authoritative to delegation
        Wrong error line number in a config file if it contains leading tab character
        Config file error message contains unrelated parsing context
        NSEC3 salt not updated when reconfigured to zero length
        Kjournalprint sometimes prints a random value for per-zone occupation
        Missing debug log for failed zone refresh triggered by zone notification
        DS check not scheduled when reconfigured
        Broken unit test on NetBSD 8.x
   2019-07-21 00:46:59 by Thomas Klausner | Files touched by this commit (595)
Log message:
*: recursive bump for nettle 3.5.1
   2019-06-14 01:47:05 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 2.8.2

Changelog:
Knot DNS 2.8.2 (2019-06-05)
===========================

Features:
---------
 - New blocking mode for zone event triggers in knotc
 - New weighted records mode in the module geoip (Thanks to Conrad Hoffmann)
 - Module noudp allows UDP allow rate configuration

Improvements:
-------------
 - NSEC3 salt lifetime can be set to infinity
 - New 'running' zone event status in the knotc output
 - Knotc in the forced mode returns failure also if zone check emits any warning
 - Ignoring PMTU information for IPv4/UDP via IP_PMTUDISC_OMIT (Thanks to \ 
Daisuke Higashi)
 - Various improvements in the documentation

Bugfixes:
---------
 - Broken setting of CPU affinity for UDP workers
 - Unexpected results with the geoip subnet mode
 - Sometimes insufficient zone adjusting
 - Incoherent DNSKEY RRSIG lifetimes in SKR
 - Confusing output from keymgr if an error occurs during KSR generation
 - Non-functional changeset history depth limitation in kjournalprint
 - Wrong processing of multiple $INCLUDE directives #646
   2019-05-23 21:23:24 by Roland Illig | Files touched by this commit (242)
Log message:
all: replace SUBST_SED with the simpler SUBST_VARS

pkglint -Wall -r --only "substitution command" -F

With manual review and indentation fixes since pkglint doesn't get that
part correct in every case.
   2019-04-25 09:33:32 by Maya Rashish | Files touched by this commit (620)
Log message:
PKGREVISION bump for anything using python without a PYPKGPREFIX.

This is a semi-manual PKGREVISION bump.
   2019-04-15 18:23:03 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
Update to 2.8.1

Changelog:
Knot DNS 2.8.1 (2019-04-09)
===========================

Improvements:
-------------
 - Possible zone transaction is aborted by zone events to avoid inconsistency
 - Added log message if no persistent config DB is available during 'conf-begin'
 - New environment setting 'KNOT_VERSION_FORMAT=release' for extended version \ 
suppression
 - Various improvements in the documentation

Bugfixes:
---------
 - Broken NSEC3-wildcard-nonexistence proof after NSEC3 re-salt
 - Glue records under delegation are sometimes signed
 - RRL doesn't work correctly on big-endian architectures
 - NSEC3 not re-salted during AXFR refresh
 - Failed to sign new zone contents if added dynamically #641
 - NSEC3 opt-out signing doesn't work in some cases
 - Broken NSEC3 chain after adding new sub-delegations
 - Redundant SOA RRSIG on slave if RRSIG TTL changed on master
 - Sometimes confusing log error message for NOTIFY event
 - Improper include for LMDB #638

Knot DNS 2.8.0 (2019-03-05)
===========================

Features:
---------
 - New offline-KSK mode of operation
 - Configurable multithreaded DNSSEC signing for large zones
 - Extended ACL configuration for dynamic updates
 - New knotc trigger 'zone-key-rollover' for immediate DNSKEY rollover
 - Added support for OPENPGPKEY, CSYNC, SMIMEA, and ZONEMD RR types
 - New 'double-ds' option for CDS/CDNSKEY publication

Improvements:
-------------
 - Significant speed-up of zone updates
 - Knotc supports force option in the interactive mode
 - Copy-on-write support for QP-trie (Thanks to Tony Finch)
 - Unified and more efficient LMDB layer for journal, timer, and KASP databases
 - DS check event is re-planned according to KASP even when purged timers
 - Module DNS Cookies supports explicit Server Secret configuration
 - Zone mtime is verified against full-precision timestamp (Thanks to Daniel \ 
Kahn Gillmor)
 - Extended logging (loaded SOA serials, refresh duration, tiny cleanup)
 - Relaxed fixed-length condition for DNSSEC key ID
 - Extended semantic checks for DNAME and NS RR types
 - Added support for FreeBSD's SO_REUSEPORT_LB
 - Improved performance of geoip module
 - Various improvements in the documentation

Compatibility:
--------------
 - Changed configuration default for 'cds-cdnskey-publish' to 'rollover'
 - Journal DB format changes are not downgrade-compatible
 - Keymgr no longer prints DS for algorithm SHA-1
   2019-01-29 16:07:25 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
Update to 2.7.6

Changelog:
Knot DNS 2.7.6 (2019-01-23)
===========================

Improvements:
-------------
 - Zone status also shows when the zone load is scheduled
 - Server workers status also shows background workers utilization
 - Default control timeout for knotc was increased to 10 seconds
 - Pkg-config files contain auxiliary variable with library filename

Bugfixes:
---------
 - Configuration commit or server reload can drop some pending zone events
 - Nonempty zone journal is created even though it's disabled #635
 - Zone is completely re-signed during empty dynamic update processing
 - Server can crash when storing a big zone difference to the journal
 - Failed to link on FreeBSD 12 with Clang

Knot DNS 2.7.5 (2019-01-07)
===========================

Features:
---------
 - Keymgr supports NSEC3 salt handling

Improvements:
-------------
 - Zone history in journal is dropped apon AXFR-like zone update
 - Libdnssec is no longer linked against libm #628
 - Libdnssec is explicitly linked against libpthread if PKCS #11 enabled #629
 - Better support for libknot packaging in Python
 - Manually generated KSK is 'ready' by default
 - Kdig supports '+timeout' as an alias for '+time'
 - Kdig supports '+nocomments' option
 - Kdig no longer prints empty lines between retries
 - Kdig returns failure if operations not successfully resolved #632
 - Fixed repeating of the 'KSK submission, waiting for confirmation' log
 - Various improvements in documentation, Dockerfile, and tests

Bugfixes:
---------
 - Knotc fails to unset huge configuration section
 - Kjournalprint sometimes fails to display zone journal content
 - Improper timing of ZSK removal during ZSK rollover
 - Missing UTC time zone indication in the 'iso' keymgr list output
 - A race condition in the online signing module

Knot DNS 2.7.4 (2018-11-13)
===========================

Features:
---------
 - Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)

Improvements:
-------------
 - Added warning log when DNSSEC events not successfully scheduled
 - New semantic check on timer values in keymgr
 - DS query no longer asks other addresses if got a negative answer
 - Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
 - Extended logging for zone loading
 - Various documentation improvements

Bugfixes:
---------
 - Failed to import module configuration #613
 - Improper Cflags value in libknot.pc if built with embedded LMDB #615
 - IXFR doesn't fall back to AXFR if malformed reply
 - DNSSEC events not correctly scheduled for empty zone updates
 - During algorithm rollover old keys get removed before DS TTL expires #617
 - Maximum zone's RRSIG TTL not considered during algorithm rollover #620

Knot DNS 2.7.3 (2018-10-11)
===========================

Features:
---------
 - New queryacl module for query access control
 - Configurable answer rrset rotation #612
 - Configurable NSEC bitmap in online signing

Improvements:
-------------
 - Better error logging for KASP DB operations #601
 - Some documentation improvements

Bugfixes:
---------
 - Keymgr "list" output doesn't show key size for ECDSA algorithms #602
 - Failed to link statically with embedded LMDB
 - Configuration commit causes zone reload for all zones
 - The statistics module overlooks TSIG record in a request
 - Improper processing of an AXFR-style-IXFR response consisting of one-record \ 
messages
 - Race condition in online signing during key rollover #600
 - Server can crash if geoip module is enabled in the geo mode

Knot DNS 2.7.2 (2018-08-29)
===========================

Improvements:
-------------
 - Keymgr list command displays also key size
 - Kjournalprint displays total occupied size in the debug mode
 - Server doesn't stop if failed to load a shared module from the module directory
 - Libraries libcap-ng, pthread, and dl are linked selectively if needed

Bugfixes:
---------
 - Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
 - Server can crash when loading zone file difference and zone-in-journal is set
 - Incorrect treatment of specific queries in the module RRL
 - Failed to link module Cookies as a shared library

Knot DNS 2.7.1 (2018-08-14)
===========================

Improvements:
-------------
 - Added zone wire size information to zone loading log message
 - Added debug log message for each unsuccessful remote address operation
 - Various improvements for packaging

Bugfixes:
---------
 - Incompatible handling of RRSIG TTL value when creating a DNS message
 - Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
 - Default configure prefix is ignored

Knot DNS 2.7.0 (2018-08-03)
===========================

Features:
---------
 - New DNS Cookies module and related '+cookie' kdig option
 - New module for response tailoring according to client's subnet or geographic \ 
location
 - General EDNS Client Subnet support in the server
 - OSS-Fuzz integration (Thanks to Jonathan Foote)
 - New '+ednsopt' kdig option (Thanks to Jan Včelák)
 - Online Signing support for automatic key rollover
 - Non-normal file (e.g. pipe) loading support in zscanner #542
 - Automatic SOA serial incrementation if non-empty zone difference
 - New zone file load option for ignoring zone file's SOA serial
 - New build-time option for alternative malloc specification
 - Structured logging for DNSSEC key submission event
 - Empty QNAME support in kdig

Improvements:
-------------
 - Various library and server optimizations
 - Reduced memory consumption of outgoing IXFR processing
 - Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
 - Online Signing properly signs delegations and CNAME records
 - CDS/CDNSKEY rrset is signed with KSK instead of ZSK
 - DNSSEC-related records are ignored when loading zone difference with signing \ 
enabled
 - Minimum allowed RSA key length was increased to 1024
 - Removed explicit dependency on Nettle

Bugfixes:
---------
 - Possible uninitialized address buffer use in zscanner
 - Possible index overflow during multiline record parsing in zscanner
 - kdig +tls sometimes consumes 100 % CPU #561
 - Single-Type Signing doesn't work with single ZSK key #566
 - Zone not flushed after re-signing during zone load #594
 - Server crashes when committing empty zone transaction
 - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

Compatibility:
--------------
 - Removed obsolete RRL configuration
 - Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
 - Removed obsolete 'ixfr-from-differences' configuration option
 - Removed old journal migration
 - Removed module rosedb

Knot DNS 2.6.9 (2018-08-14)
===========================

Improvements:
-------------
 - Added zone wire size to zone loading log message
 - Added debug log message for each unsuccessful remote address operation

Bugfixes:
---------
 - Zone not flushed after re-signing during zone load #594
 - Server crashes when committing empty zone transaction
 - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

Knot DNS 2.6.8 (2018-07-10)
===========================

Features:
---------
 - New 'import-pkcs11' command in keymgr

Improvements:
-------------
 - Unixtime serial policy mimics Bind – increment if lower #593

Bugfixes:
---------
 - Creeping memory consuption upon server reload #584
 - Kdig incorrectly detects QNAME if 'notify' is a prefix
 - Server crashes when zone sign fails #587
 - CSK->KZSK rollover retires CSK early #588
 - Server crashes when zone expires during outgoing multi-message transfer
 - Kjournalprint doesn't convert zone name argument to lower-case
 - Cannot switch to a previously used ksk-shared dnssec policy #589

Knot DNS 2.6.7 (2018-05-17)
===========================

Features:
---------
 - Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to \ 
Wolfgang Jung)

Improvements:
-------------
 - Trailing data indication from the packet parser (libknot)
 - Better configuration check for a problematical option combination

Bugfixes:
---------
 - Incomplete configuration option item name check
 - Possible buffer overflow in 'knot_dname_to_str' (libknot)
 - Module dnsproxy doesn't preserve letter case of QNAME
 - Module dnsproxy duplicates OPT and TSIG in the non-fallback mode

Knot DNS 2.6.6 (2018-04-11)
===========================

Features:
---------
 - New EDNS option counters in the statistics module
 - New '+orphan' filter for the 'zone-purge' operation

Improvements:
-------------
 - Reduced memory consuption of disabled statistics metrics
 - Some spelling fixes (Thanks to Daniel Kahn Gillmor)
 - Server no longer fails to start if MODULE_DIR doesn't exist
 - Configuration include doesn't fail if empty wildcard match
 - Added a configuration check for a problematical option combination

Bugfixes:
---------
 - NSEC3 chain not re-created when SOA minimum TTL changed
 - Failed to start server if no template is configured
 - Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
 - Inaccurate outgoing zone transfer size in the log message
 - Invalid dname compression if empty question section
 - Missing EDNS in EMALF responses

Knot DNS 2.6.5 (2018-02-12)
===========================

Features:
---------
 - New 'zone-notify' command in knotc
 - Kdig uses '@server' as a hostname for TLS authenticaion if '+tls-ca' is set

Improvements:
-------------
 - Better heap memory trimming for zone operations
 - Added proper polling for TLS operations in kdig
 - Configuration export uses stdout as a default output
 - Simplified detection of atomic operations
 - Added '--disable-modules' configure option
 - Small documentation updates

Bugfixes:
---------
 - Zone retransfer doesn't work well if more masters configured
 - Kdig can leak or double free memory in corner cases
 - Inconsistent error outputs from dynamic configuration operations
 - Failed to generate documentation on OpenBSD

Knot DNS 2.6.4 (2018-01-02)
===========================

Features:
---------
 - Module synthrecord allows multiple 'network' specification
 - New CSK handling support in keymgr

Improvements:
-------------
 - Allowed configuration for infinite zsk lifetime
 - Increased performance and security of the module synthrecord
 - Signing changeset is stored into journal even if 'zonefile-load' is whole

Bugfixes:
---------
 - Unintentional zone re-sign during reload if empty NSEC3 salt
 - Inconsistent zone names in journald structured logs
 - Malformed outgoing transfer for big zone with TSIG
 - Some minor DNSSEC-related issues

Knot DNS 2.6.3 (2017-11-24)
===========================

Bugfixes:
---------
 - Wrong detection of signing scheme rollover

Knot DNS 2.6.2 (2017-11-23)
===========================

Features:
---------
 - CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support

Improvements:
-------------
 - Allowed explicit configuration for infinite ksk lifetime
 - Proper error messages instead of unclear error codes in server log
 - Better support for old compilers

Bugfixes:
---------
 - Unexpected reply for DS query with an owner below a delegation point
 - Old dependencies in the pkg-config file

Knot DNS 2.6.1 (2017-11-02)
===========================

Features:
---------
 - NSEC3 Opt-Out support in the DNSSEC signing
 - New CDS/CDNSKEY publish configuration option

Improvements:
-------------
 - Simplified DNSSEC log message with DNSKEY details
 - +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
 - New documentation sections for DNSSEC key rollovers and shared keys
 - Keymgr no longer prints useless algorithm number for generated key
 - Kdig prints unknown RCODE in a numeric format
 - Better support for LLVM libFuzzer

Bugfixes:
---------
 - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
 - Immediate zone flush not scheduled during the zone load event
 - Server crashes upon dynamic zone addition if a query module is loaded
 - Kdig fails to connect over TLS due to SNI is set to server IP address
 - Possible out-of-bounds memory access at the end of the input
 - TCP Fast Open enabled by default in kdig breaks TLS connection

Knot DNS 2.6.0 (2017-09-29)
===========================

Features:
---------
 - On-slave (inline) signing support
 - Automatic DNSSEC key algorithm rollover
 - Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
 - New 'journal-content' and 'zonefile-load' configuration options
 - keymgr tries to run as user/group set in the configuration
 - Public-only DNSSEC key import into KASP DB via keymgr
 - NSEC3 resalt and parent DS query events are persistent in timer DB
 - New processing state for a response suppression within a query module
 - Enabled server side TCP Fast Open if supported
 - TCP Fast Open support in kdig

Improvements:
-------------
 - Better record owner compression if related to the previous rdata dname
 - NSEC(3) chain is no longer recomputed whole on every update
 - Remove inconsistent and unnecessary quoting in log files
 - Avoiding of overlapping key rollovers at a time
 - More DNSSSEC-related semantic checks
 - Extended timestamp format in keymgr

Bugfixes:
---------
 - Incorrect journal free space computation causing inefficient space handling
 - Interface-automatic broken on Linux in the presence of asymmetric routing