./net/knot, Knot (auth) DNS server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.7.6, Package name: knot-2.7.6, Maintainer: pettai

Knot DNS is a high-performance authoritative-only DNS server
which supports all key features of the domain name system including
zone transfers, dynamic updates and DNSSEC.


Required to run:
[security/gnutls] [devel/libidn] [lang/python27] [devel/userspace-rcu] [textproc/jansson]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: d2f313267c2b68b822c5b715927eae9d5268738e
RMD160: fca8c746a783789a1a5c0d1f0fbe2df8f652a250
Filesize: 1124.09 KB

Version history: (Expand)


CVS history: (Expand)


   2019-01-29 16:07:25 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
Update to 2.7.6

Changelog:
Knot DNS 2.7.6 (2019-01-23)
===========================

Improvements:
-------------
 - Zone status also shows when the zone load is scheduled
 - Server workers status also shows background workers utilization
 - Default control timeout for knotc was increased to 10 seconds
 - Pkg-config files contain auxiliary variable with library filename

Bugfixes:
---------
 - Configuration commit or server reload can drop some pending zone events
 - Nonempty zone journal is created even though it's disabled #635
 - Zone is completely re-signed during empty dynamic update processing
 - Server can crash when storing a big zone difference to the journal
 - Failed to link on FreeBSD 12 with Clang

Knot DNS 2.7.5 (2019-01-07)
===========================

Features:
---------
 - Keymgr supports NSEC3 salt handling

Improvements:
-------------
 - Zone history in journal is dropped apon AXFR-like zone update
 - Libdnssec is no longer linked against libm #628
 - Libdnssec is explicitly linked against libpthread if PKCS #11 enabled #629
 - Better support for libknot packaging in Python
 - Manually generated KSK is 'ready' by default
 - Kdig supports '+timeout' as an alias for '+time'
 - Kdig supports '+nocomments' option
 - Kdig no longer prints empty lines between retries
 - Kdig returns failure if operations not successfully resolved #632
 - Fixed repeating of the 'KSK submission, waiting for confirmation' log
 - Various improvements in documentation, Dockerfile, and tests

Bugfixes:
---------
 - Knotc fails to unset huge configuration section
 - Kjournalprint sometimes fails to display zone journal content
 - Improper timing of ZSK removal during ZSK rollover
 - Missing UTC time zone indication in the 'iso' keymgr list output
 - A race condition in the online signing module

Knot DNS 2.7.4 (2018-11-13)
===========================

Features:
---------
 - Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)

Improvements:
-------------
 - Added warning log when DNSSEC events not successfully scheduled
 - New semantic check on timer values in keymgr
 - DS query no longer asks other addresses if got a negative answer
 - Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
 - Extended logging for zone loading
 - Various documentation improvements

Bugfixes:
---------
 - Failed to import module configuration #613
 - Improper Cflags value in libknot.pc if built with embedded LMDB #615
 - IXFR doesn't fall back to AXFR if malformed reply
 - DNSSEC events not correctly scheduled for empty zone updates
 - During algorithm rollover old keys get removed before DS TTL expires #617
 - Maximum zone's RRSIG TTL not considered during algorithm rollover #620

Knot DNS 2.7.3 (2018-10-11)
===========================

Features:
---------
 - New queryacl module for query access control
 - Configurable answer rrset rotation #612
 - Configurable NSEC bitmap in online signing

Improvements:
-------------
 - Better error logging for KASP DB operations #601
 - Some documentation improvements

Bugfixes:
---------
 - Keymgr "list" output doesn't show key size for ECDSA algorithms #602
 - Failed to link statically with embedded LMDB
 - Configuration commit causes zone reload for all zones
 - The statistics module overlooks TSIG record in a request
 - Improper processing of an AXFR-style-IXFR response consisting of one-record \ 
messages
 - Race condition in online signing during key rollover #600
 - Server can crash if geoip module is enabled in the geo mode

Knot DNS 2.7.2 (2018-08-29)
===========================

Improvements:
-------------
 - Keymgr list command displays also key size
 - Kjournalprint displays total occupied size in the debug mode
 - Server doesn't stop if failed to load a shared module from the module directory
 - Libraries libcap-ng, pthread, and dl are linked selectively if needed

Bugfixes:
---------
 - Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
 - Server can crash when loading zone file difference and zone-in-journal is set
 - Incorrect treatment of specific queries in the module RRL
 - Failed to link module Cookies as a shared library

Knot DNS 2.7.1 (2018-08-14)
===========================

Improvements:
-------------
 - Added zone wire size information to zone loading log message
 - Added debug log message for each unsuccessful remote address operation
 - Various improvements for packaging

Bugfixes:
---------
 - Incompatible handling of RRSIG TTL value when creating a DNS message
 - Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
 - Default configure prefix is ignored

Knot DNS 2.7.0 (2018-08-03)
===========================

Features:
---------
 - New DNS Cookies module and related '+cookie' kdig option
 - New module for response tailoring according to client's subnet or geographic \ 
location
 - General EDNS Client Subnet support in the server
 - OSS-Fuzz integration (Thanks to Jonathan Foote)
 - New '+ednsopt' kdig option (Thanks to Jan Včelák)
 - Online Signing support for automatic key rollover
 - Non-normal file (e.g. pipe) loading support in zscanner #542
 - Automatic SOA serial incrementation if non-empty zone difference
 - New zone file load option for ignoring zone file's SOA serial
 - New build-time option for alternative malloc specification
 - Structured logging for DNSSEC key submission event
 - Empty QNAME support in kdig

Improvements:
-------------
 - Various library and server optimizations
 - Reduced memory consumption of outgoing IXFR processing
 - Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
 - Online Signing properly signs delegations and CNAME records
 - CDS/CDNSKEY rrset is signed with KSK instead of ZSK
 - DNSSEC-related records are ignored when loading zone difference with signing \ 
enabled
 - Minimum allowed RSA key length was increased to 1024
 - Removed explicit dependency on Nettle

Bugfixes:
---------
 - Possible uninitialized address buffer use in zscanner
 - Possible index overflow during multiline record parsing in zscanner
 - kdig +tls sometimes consumes 100 % CPU #561
 - Single-Type Signing doesn't work with single ZSK key #566
 - Zone not flushed after re-signing during zone load #594
 - Server crashes when committing empty zone transaction
 - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

Compatibility:
--------------
 - Removed obsolete RRL configuration
 - Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
 - Removed obsolete 'ixfr-from-differences' configuration option
 - Removed old journal migration
 - Removed module rosedb

Knot DNS 2.6.9 (2018-08-14)
===========================

Improvements:
-------------
 - Added zone wire size to zone loading log message
 - Added debug log message for each unsuccessful remote address operation

Bugfixes:
---------
 - Zone not flushed after re-signing during zone load #594
 - Server crashes when committing empty zone transaction
 - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

Knot DNS 2.6.8 (2018-07-10)
===========================

Features:
---------
 - New 'import-pkcs11' command in keymgr

Improvements:
-------------
 - Unixtime serial policy mimics Bind – increment if lower #593

Bugfixes:
---------
 - Creeping memory consuption upon server reload #584
 - Kdig incorrectly detects QNAME if 'notify' is a prefix
 - Server crashes when zone sign fails #587
 - CSK->KZSK rollover retires CSK early #588
 - Server crashes when zone expires during outgoing multi-message transfer
 - Kjournalprint doesn't convert zone name argument to lower-case
 - Cannot switch to a previously used ksk-shared dnssec policy #589

Knot DNS 2.6.7 (2018-05-17)
===========================

Features:
---------
 - Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to \ 
Wolfgang Jung)

Improvements:
-------------
 - Trailing data indication from the packet parser (libknot)
 - Better configuration check for a problematical option combination

Bugfixes:
---------
 - Incomplete configuration option item name check
 - Possible buffer overflow in 'knot_dname_to_str' (libknot)
 - Module dnsproxy doesn't preserve letter case of QNAME
 - Module dnsproxy duplicates OPT and TSIG in the non-fallback mode

Knot DNS 2.6.6 (2018-04-11)
===========================

Features:
---------
 - New EDNS option counters in the statistics module
 - New '+orphan' filter for the 'zone-purge' operation

Improvements:
-------------
 - Reduced memory consuption of disabled statistics metrics
 - Some spelling fixes (Thanks to Daniel Kahn Gillmor)
 - Server no longer fails to start if MODULE_DIR doesn't exist
 - Configuration include doesn't fail if empty wildcard match
 - Added a configuration check for a problematical option combination

Bugfixes:
---------
 - NSEC3 chain not re-created when SOA minimum TTL changed
 - Failed to start server if no template is configured
 - Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
 - Inaccurate outgoing zone transfer size in the log message
 - Invalid dname compression if empty question section
 - Missing EDNS in EMALF responses

Knot DNS 2.6.5 (2018-02-12)
===========================

Features:
---------
 - New 'zone-notify' command in knotc
 - Kdig uses '@server' as a hostname for TLS authenticaion if '+tls-ca' is set

Improvements:
-------------
 - Better heap memory trimming for zone operations
 - Added proper polling for TLS operations in kdig
 - Configuration export uses stdout as a default output
 - Simplified detection of atomic operations
 - Added '--disable-modules' configure option
 - Small documentation updates

Bugfixes:
---------
 - Zone retransfer doesn't work well if more masters configured
 - Kdig can leak or double free memory in corner cases
 - Inconsistent error outputs from dynamic configuration operations
 - Failed to generate documentation on OpenBSD

Knot DNS 2.6.4 (2018-01-02)
===========================

Features:
---------
 - Module synthrecord allows multiple 'network' specification
 - New CSK handling support in keymgr

Improvements:
-------------
 - Allowed configuration for infinite zsk lifetime
 - Increased performance and security of the module synthrecord
 - Signing changeset is stored into journal even if 'zonefile-load' is whole

Bugfixes:
---------
 - Unintentional zone re-sign during reload if empty NSEC3 salt
 - Inconsistent zone names in journald structured logs
 - Malformed outgoing transfer for big zone with TSIG
 - Some minor DNSSEC-related issues

Knot DNS 2.6.3 (2017-11-24)
===========================

Bugfixes:
---------
 - Wrong detection of signing scheme rollover

Knot DNS 2.6.2 (2017-11-23)
===========================

Features:
---------
 - CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support

Improvements:
-------------
 - Allowed explicit configuration for infinite ksk lifetime
 - Proper error messages instead of unclear error codes in server log
 - Better support for old compilers

Bugfixes:
---------
 - Unexpected reply for DS query with an owner below a delegation point
 - Old dependencies in the pkg-config file

Knot DNS 2.6.1 (2017-11-02)
===========================

Features:
---------
 - NSEC3 Opt-Out support in the DNSSEC signing
 - New CDS/CDNSKEY publish configuration option

Improvements:
-------------
 - Simplified DNSSEC log message with DNSKEY details
 - +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
 - New documentation sections for DNSSEC key rollovers and shared keys
 - Keymgr no longer prints useless algorithm number for generated key
 - Kdig prints unknown RCODE in a numeric format
 - Better support for LLVM libFuzzer

Bugfixes:
---------
 - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
 - Immediate zone flush not scheduled during the zone load event
 - Server crashes upon dynamic zone addition if a query module is loaded
 - Kdig fails to connect over TLS due to SNI is set to server IP address
 - Possible out-of-bounds memory access at the end of the input
 - TCP Fast Open enabled by default in kdig breaks TLS connection

Knot DNS 2.6.0 (2017-09-29)
===========================

Features:
---------
 - On-slave (inline) signing support
 - Automatic DNSSEC key algorithm rollover
 - Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
 - New 'journal-content' and 'zonefile-load' configuration options
 - keymgr tries to run as user/group set in the configuration
 - Public-only DNSSEC key import into KASP DB via keymgr
 - NSEC3 resalt and parent DS query events are persistent in timer DB
 - New processing state for a response suppression within a query module
 - Enabled server side TCP Fast Open if supported
 - TCP Fast Open support in kdig

Improvements:
-------------
 - Better record owner compression if related to the previous rdata dname
 - NSEC(3) chain is no longer recomputed whole on every update
 - Remove inconsistent and unnecessary quoting in log files
 - Avoiding of overlapping key rollovers at a time
 - More DNSSSEC-related semantic checks
 - Extended timestamp format in keymgr

Bugfixes:
---------
 - Incorrect journal free space computation causing inefficient space handling
 - Interface-automatic broken on Linux in the presence of asymmetric routing
   2018-07-04 15:40:45 by Jonathan Perkin | Files touched by this commit (423)
Log message:
*: Move SUBST_STAGE from post-patch to pre-configure

Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
   2018-04-18 00:29:53 by Thomas Klausner | Files touched by this commit (286)
Log message:
Add p11-kit to gnutls/bl3.mk and bump dependencies.
   2018-03-08 15:30:37 by Fredrik Pettai | Files touched by this commit (4) | Package updated
Log message:
Knot DNS 2.5.7 (2018-01-02)
===========================

Bugfixes:
---------
 - Unintentional zone re-sign during reload if empty NSEC3 salt
 - Inconsistent zone names in journald structured logs
 - Malformed outgoing transfer for big zone with TSIG
 - Unexpected reply for DS query with an owner below a delegation point
 - Old dependencies in the pkg-config file

[...]

Only new Features & Security fixes of the previous updates are shown below

For a complete of all Improvements & Bugfixes, see:
https://gitlab.labs.nic.cz/knot/knot-dns/blob/2.5/NEWS

Knot DNS 2.5.3 (2017-07-14)
===========================

Features:
---------
 - CSK rollover support for Single-Type Signing Scheme

[...]

Knot DNS 2.5.2 (2017-06-23)
===========================

Security:
---------
 - CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery \ 
(Thanks to Synacktiv!)

Knot DNS 2.5.0 (2017-06-05)
===========================

Features:
---------
 - KASP database switched from JSON files to LMDB database
 - KSK rollover support using CDNSKEY and CDS in the automatic DNSSEC signing
 - Dynamic module loading support with proper module API
 - Journal can store full zone contents (not only differences)
 - Zone freeze/thaw support
 - Updated knotc zone-status output with optional column filters
 - New '[no]crypto' option in kdig
 - New keymgr implementation reflecting KASP database changes
 - New pykeymgr for JSON-based KASP database migration
 - Removed obsolete knot1to2 utility
   2018-03-07 17:42:10 by Fredrik Pettai | Files touched by this commit (3)
Log message:
Knot DNS 2.4.5 (2017-06-23)
===========================

Security:
---------
 - Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)

Bugfixes:
---------
 - Corner case journal fixes (huge changesets, OpenWRT operation)

Knot DNS 2.4.4 (2017-06-05)
===========================

Improvements:
-------------
 - Improved error handling in kjournalprint

Bugfixes:
---------
 - Zone flush not replanned upon unsuccessful flush
 - Journal inconsistency after deleting deleted zone
 - Zone events not rescheduled upon server reload (Thanks to Mark Warren)
 - Unreliable LMDB mapsize detection in kjournalprint
 - Some minor issues found by AddressSanitizer

Knot DNS 2.4.3 (2017-04-11)
===========================

Improvements:
-------------
 - New 'journal-db-mode' optimization configuration option
 - The default TSIG algorithm for utilities input is HMAC-SHA256
 - Implemented sensible default EDNS(0) padding policy (Thanks to D. K. Gillmor)
 - Added some more semantic checks on the knotc configuration operations

Bugfixes:
---------
 - Missing 'zone' keyword in the YAML output
 - Missing trailing dot in the keymgr DS owner output
 - Journal logs 'invalid parameter' in several cases
 - Some minor journal-related problems

Knot DNS 2.4.2 (2017-03-23)
===========================

Features:
---------
 - Zscanner can store record comments placed on the same line
 - Knotc status extension with version, configure, and workers parameters

Improvements:
-------------
 - Significant incoming XFR speed-up in the case of many zones

Bugfixes:
---------
 - Double OPT RR insertion when a global module returns KNOT_STATE_FAIL
 - User-driven zscanner parsing logic inconsistency
 - Lower serial at master doesn't trigger any errors
 - Queries with too long DNAME substitution do not return YXDOMAIN response
 - Incorrect elapsed time in the DDNS log
 - Failed to process forwarded DDNS request with TSIG

Knot DNS 2.4.1 (2017-02-10)
===========================

Improvements:
-------------
 - Speed-up of rdata addition into a huge rrset
 - Introduce check of minumum timeout for next refresh
 - Dnsproxy module can forward all queries without local resolving

Bugfixes:
--------
 - Transfer of a huge rrset goes into an infinite loop
 - Huge response over TCP contains useless TC bit instead of SERVFAIL
 - Failed to build utilities with disabled daemon
 - Memory leaks during keys removal
 - Rough TSIG packet reservation causes early truncation
 - Minor out-of-bounds string termination write in rrset dump
 - Server crash during stop if failed to open timers DB
 - Failed to compile on OS X older than Sierra
 - Poor minimum UDP-max-size configuration check
 - Failed to receive one-record-per-message IXFR-style AXFR
 - Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message

Knot DNS 2.4.0 (2017-01-18)
===========================
 - Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message

Knot DNS 2.4.0 (2017-01-18)
===========================

Bugfixes:
--------
 - False positive semantic-check warning about invalid bitmap in NSEC
 - Unnecessary SOA queries upon notify with up to date serial
 - Timers for expired zones are reset on reload
 - Zone doesn't expire when the server is down
 - Failed to handle keys with duplicate keytags
 - Per zone module and global module insconsistency
 - Obsolete online signing module configuration
 - Malformed output from kjournalprint
 - Redundant SO_REUSEPORT activation on the TCP socket
 - Failed to use higher number of background workers

Improvements:
-------------
 - Lower memory consumption with qp-trie
 - Zone events and zone timers improvements
 - Print all zone names in the FQDN format
 - Simplified query module interface
 - Shared TCP connection between SOA query and transfer
 - Response Rate Limiting as a module with statistics support
 - Key filters in keymgr

Features:
---------
 - New unified LMDB-based zone journal
 - Server statistics support
 - New statistics module for traffic measuring
 - Automatic deletion of retired DNSSEC keys
 - New control logging category
   2017-08-16 22:21:18 by Thomas Klausner | Files touched by this commit (180)
Log message:
Follow some http redirects.
   2017-08-07 10:44:14 by Johnny C. Lam | Files touched by this commit (1)
Log message:
Use PKG_SYSCONF* variables correctly in net/knot.

Set PKG_SYSCONFSUBDIR to "knot" to have all of the config files
located in the "knot" subdirectory of ${PKG_SYSCONFBASE}.

Pass ${PKG_SYSCONFBASE} to the configure script since the package's
build infrastructure automatically appends "/knot" to the value
passed in through --sysconfdir.

Remove ${PKG_SYSCONFDIR} from INSTALLATION_DIRS since it is
automatically created by the package install script.

Bump the PKGREVISION due to changes in the package install scripts.
   2016-12-09 23:28:18 by Fredrik Pettai | Files touched by this commit (3)
Log message:
Knot DNS 2.3.3 (2016-12-08)
===========================

Bugfixes:
---------
 - Double free when failed to apply zone journal
 - Zone bootstrap retry interval not preserved upon zone reload
 - DNSSEC related records not flushed if not signed
 - False semantic checks warning about incorrect type in NSEC bitmap
 - Memory leak in kzonecheck

Improvements:
-------------
 - All zone names are fully-qualified in log

Features:
---------
 - New kjournalprint utility

Knot DNS 2.3.2 (2016-11-04)
===========================

Bugfixes:
---------
 - Incorrect %s expansion for the root zone
 - Failed to refresh not existing slave zone after restart
 - Immediate zone refresh upon restart if refresh already scheduled
 - Early zone transfer after restart if transfer already scheduled
 - Not ignoring empty non-terminal parents during delegation lookup
 - CD bit preservation in responses
 - Compilation error on GNU/kFreeBSD
 - Server crash after double zone-commit if journal error

Improvements:
-------------
 - Speed-up of knotc if control operation and known socket
 - Zone purge operation purges also zone timers

Features:
---------
 - Simple modules don't require empty configuration section
 - New zone journal path configuration option
 - New timeout configuration option for module dnsproxy