2023-12-09 07:10:07 by Ryo ONODERA | Files touched by this commit (3)
Log message:
knot: Update to 3.3.2
Changelog:
Version 3.3.2
Friday, October 20, 2023
Features:
+ knotd: support for IXFR from AXFR computation (see
'zone.ixfr-from-axfr')
+ knotd: support benevolent IXFR (see 'zone.ixfr-benevolent')
+ knot-exporter: new configuration option '--no-zone-serial' #880
Improvements:
+ libs: upgraded embedded libngtcp2 to 1.0.0
+ knotd: added logging of new SOA serial when signing is finished
+ knotd: unified some XDP-related logging
+ keymgr: improved error message if a key file is not accessible
+ keymgr: added offline RRSIGs validation at the end of their validity
intervals
+ kdig: upgraded EDNS presentation format to draft version -02
+ kdig: simplified QUIC connection without extra PING frames
+ kzonecheck: removed requirement that DS is at delegation point
+ doc: various fixes and improvements
Bugfixes:
+ knotd: logged incorrect new SOA serial if 'zonefile-load: difference'
is set #875
+ knotd: more signing threads with a PKCS #11 keystore have no effect #876
+ knotd: DNAME record returned with query domain name instead of actual
name #873
+ knotd: failed to import configuration file if mod-geoip is in use #881
+ knotd: failed to sign RRSet that fits to 64k only if compressed
+ knotd: broken zone update context upon failed operation over control
interface
+ keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set
+ knsupdate: incorrect processing of @ in the delete operation #879
+ knot-exporter: failed to parse knotd PIDs on FreeBSD
Version 3.2.11
Thursday, October 19, 2023
Improvements:
+ keymgr: improved error message if a key file is not accessible
+ keymgr: added offline RRSIGs validation at the end of their validity
intervals
+ doc: fixed some typos
Bugfixes:
+ knotd: DNAME record returned with query domain name instead of actual
name #873
+ knotd: failed to import configuration file if mod-geoip is in use #881
+ knotd: failed to sign RRSet that fits to 64k only if compressed
+ keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set
+ knsupdate: incorrect processing of @ in the delete operation #879
Version 3.3.1
Monday, September 11, 2023
Improvements:
+ knotd: multiple catalog groups per member are tolerated, but only one
is used
+ modules: added const qualifier to various function parameters #877
(Thanks to Robert Edmonds)
+ libs: upgraded embedded libngtcp2 to 0.19.1
Bugfixes:
+ knotd: TCP over XDP fails to respond
+ knotd: server can crash when adjusting a wildcard glue
+ knotd: failed to forward DDNS if 'zone.master' points to 'remotes'
+ knotd: broken YAML statistics if more modules are configured #874
+ knotd: DDNS forwarding isn't RFC 8945 compliant
Version 3.2.10
Sunday, September 10, 2023
Improvements:
+ knotd: multiple catalog groups per member are tolerated, but only one
is used
+ knotd: server cleans up stale LMDB readers when opening a RW
transaction
Bugfixes:
+ knotd: server can crash when adjusting a wildcard glue
+ knotd: failed to forward DDNS if 'zone.master' points to 'remotes'
+ knotd: subsequent addition and removal to catalog zone isn't handled
properly
+ knotd: server can crash if a shared module is loaded and dynamic
configuration used
+ knotc: configuration import fails if an explicit shared module is
configured
+ kdig: double-free on some malformed responses over QUIC #869
+ kdig: some TLS parameters override QUIC parameters
+ libs: NULL record with empty RDATA isn't allowed
Version 3.3.0
Monday, August 28, 2023
Features:
+ knotd: full DNS over QUIC (DoQ, RFC 9250) implementation, also without
XDP
+ knotd: bidirectional XFR over QUIC (XoQ) support with opportunistic,
strict, and mutual authentication profiles
+ knotd: automatic reverse PTR records pre-generation (see
'zone.reverse-generate')
+ knotd: new per zone statistic counters 'zone.size' and 'zone.max-ttl'
+ knotd: new primary server pinning (see 'zone.master-pin-tolerance')
+ knotd: new SOA serial modulo policy (see 'zone.serial-modulo')
+ knotd: new multi-signer operation mode (see 'policy.dnskey-sync' and
'DNSSEC multi-signer')
+ kdig: support for EDNS presentation format, also in JSON mode (see
'+optpresent')
+ kxdpgun: new TCP/QUIC debug mode 'R' for connection reuse
+ kxdpgun: new XDP mode parameter '--mode' (Thanks to Jan Včelák)
+ kxdpgun: new parameter '--qlog' for qlog destination specification
+ kzonecheck: new '--print' parameter for dumping the zone on stdout
Improvements:
+ knotd: secondary can be configured not to forward DDNS (see
'zone.ddns-master')
+ knotd: extended support for UNIX socket configuration (remote, acl)
+ knotd: stats no longer dump empty or zero counters
+ knotd: new 'keys-updated' D-Bus event
+ knotd: added transport protocol information to outgoing event and
nameserver logs
+ knotd: server cleans up stale LMDB readers when opening a RW
transaction
+ knotd,kzonecheck: semantic check allows DS only at delegation point
+ knotc: new zone backup filters '+quic' and '+noquic' for QUIC key
backup
+ mod-dnstap: DNS over QUIC traffic is marked as QUIC
+ kxdpgun: QUIC connections are closed by default
+ libs: upgraded embedded libngtcp2 to 0.18.0
+ kdig: QUIC, TLS, or HTTPS protocol is printed in the final statistics
+ doc: new sections 'DNS over QUIC' and 'DNSSEC multi-signer'
+ doc: various improvements
Bugfixes:
+ knotd: server can crash if a shared module is loaded and dynamic
configuration used
+ knotd: inaccurate transfer size is logged if EDNS EXPIRE, PADDING, or
TSIG is present
+ knotd: subsequent addition and removal to catalog zone isn't handled
properly
+ knotc: configuration import fails if an explicit shared module is
configured
+ utils: database transactions not properly closed when terminated
prematurely
+ kdig: double-free on some malformed responses over QUIC #869
+ kdig: some TLS parameters override QUIC parameters
+ libs: NULL record with empty RDATA isn't allowed
+ tests: dthreads destructor test sometimes fails
Compatibility:
+ knotd: responses to forwarded DDNS requests are signed with local TSIG
key
+ knotd: NOTIFY-initiated refresh tries all configured addresses of the
remote
+ knotd: configuration option 'xdp.quic-log' was replaced with 'log.quic'
+ libs: removed embedded libbpf, an external one is necessary for XDP
+ libs: DNS over QUIC implementation only supports 'doq' ALPN
+ ctl: removed 'Version: ' prefix from 'status version' output
+ modules: reduced parameters of 'knotd_qdata_local_addr()'
Packaging:
+ knot-exporter: Prometheus exporter imported from GitHub
+ knot-exporter: packages for Debian, Ubuntu, and PyPI
+ debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/)
+ docker: upgraded to Debian bookworm-slim
Version 3.2.9
Thursday, July 27, 2023
Improvements:
+ keymgr: 'import-pkcs11' not allowed if no PKCS #11 keystore backend is
configured
+ keymgr: more verbose key import errors
+ doc: extended migration notes
+ doc: various improvements
Bugfixes:
+ knotd: server may crash when storing changeset of a big zone migrating
to/from NSEC3
+ knotd: zone refresh loop when all masters are outdated and timers
cleared
+ knotd: failed to activate D-Bus notifications if not started as systemd
service
+ kjournalprint: database transaction not properly closed when terminated
prematurely
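The 3.3.0 entry above lists XFR over QUIC (XoQ) with opportunistic, strict, and mutual authentication profiles, plus the `listen-quic`, `remote.quic`, `remote.cert-key` and `acl.cert-key` configuration. The following knot.conf fragment is an added example, not part of the pkgsrc commit message or the Knot DNS project's own files, showing how the three profiles differ in configuration. It assumes the 3.3 option names just listed, that `cert-key` is a base64 SHA-256 pin of the peer's public key, and that the file paths, addresses, zone names and pin strings are placeholders to be replaced.

```yaml
# Added example knot.conf for a server that both serves a zone over XoQ and
# pulls another zone over XoQ. Option names are assumed from Knot DNS 3.3;
# paths, addresses, zone names and pin values are placeholders.
server:
    listen: 0.0.0.0@53
    listen-quic: 0.0.0.0@853        # DoQ/XoQ listener without XDP (new in 3.3.0)
    # TLS certificate presented on the QUIC listener. If omitted, knotd generates a
    # self-signed key pair; 'knotc zone-backup +quic' backs that key up.
    cert-file: /etc/knot/tls/cert.pem
    key-file: /etc/knot/tls/key.pem

remote:
  # Opportunistic profile: transfers are encrypted, but the primary's identity is
  # not verified, so an on-path attacker could still serve a forged zone.
  - id: upstream-opportunistic
    address: 192.0.2.1@853
    quic: on

  # Strict profile: additionally pin the primary's public key. The placeholder
  # below must be replaced with the real base64 SHA-256 pin of that key.
  - id: upstream-strict
    address: 192.0.2.1@853
    quic: on
    cert-key: "REPLACE_WITH_BASE64_SHA256_PIN_OF_PRIMARY_KEY"

acl:
  # Mutual profile, primary side: only a client that presents the pinned key
  # (and comes from the listed address) may transfer example.com.
  - id: xfr-pinned-secondary
    address: 198.51.100.7
    cert-key: "REPLACE_WITH_BASE64_SHA256_PIN_OF_SECONDARY_KEY"
    action: transfer

zone:
  # Zone we serve: transfers allowed only to the pinned secondary.
  - domain: example.com
    file: /var/lib/knot/example.com.zone
    acl: xfr-pinned-secondary

  # Zone we pull: strict profile, so a primary with the wrong key is rejected.
  - domain: example.net
    master: upstream-strict
```

Mutual authentication is the combination of the two halves: the secondary pins the primary in `remote.cert-key`, and the primary pins the secondary in `acl.cert-key`. Keep the opportunistic profile for zones where only passive eavesdropping matters; for any zone whose integrity matters, use a pinned profile, since QUIC alone does not authenticate the peer.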
2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
2023-08-14 07:25:36 by Thomas Klausner | Files touched by this commit (1247)
Log message:
*: recursive bump for Python 3.11 as new default
2023-08-02 18:17:20 by Nia Alarie | Files touched by this commit (41)
Log message:
*: Use FORCE_C_STD=c99 for C packages that use for loop initial
declarations without setting -std=c99.
2023-07-12 22:56:03 by Nia Alarie | Files touched by this commit (1)
Log message:
knot: Assumes compiler defaults to c99.
2023-07-07 12:53:14 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.2.8
Changelog:
Version 3.2.8
Improvements:
kdig: malformed messages are parsed and printed using a best-effort approach
python: new dname from wire initialization
Bugfixes:
knotd: missing outgoing NOTIFY upon refresh if one of more primaries is up-to-date
knotd: journal loop detection can prevent zone from loading
knotd: cryptic error message when journal is full #842
knotd: failed to query catalog zone over UDP
configure: libngtcp2 check wrongly requires version 0.13.0 instead of 0.13.1
Version 3.2.7
Features:
knotd: new configuration option for preserving incoming IXFR changeset history (see 'zone.ixfr-by-one')
Improvements:
knotd: journal ensures the stored changeset's SOA serials are strictly increasing
knotd: more effective handling of zero KNOT_ZONE_LOAD_TIMEOUT_SEC environment value
knotd, kdig: incoming transfer fails if a message has the TC bit set
knotd, kjournalprint: store or print the timestamp of changeset creation
kxdpgun: load only necessary number of queries (Thanks to Petr Špaček)
kxdpgun: print ratio of sent vs. requested queries (Thanks to Petr Špaček)
kxdpgun: print percentages as floats (Thanks to Petr Špaček)
kjournalprint: ability to print a changeset loop
kjournalprint: added changeset serials information to '-z -d' output
packaging: RHEL9 requires libxdp like fedora since RHEL 9.2 #844
doc: various improvements
Bugfixes:
knotd: journal loading can get stuck in a multi-changeset loop
knotd: missing RCU lock when reading zone through the control interface
knotd: server start D-Bus signaling doesn't work well if the zone file is missing, catalog zones are used, or in the async-start mode
knotd: test suite fails on 32bit architectures on musl 1.2 and newer #843
knotd: failed to process zero-length messages over QUIC
libs: compilation with embedded ngtcp2 fails if there is another ngtcp2 in the path
Version 3.2.6
Improvements:
libs: upgraded embedded libngtcp2 to 0.13.1
libs: added support for building on Cygwin and MSYS (Thanks to Christopher Ng)
mod-dnstap: improved precision of stored time values
kdig: added option for EDNS EXPIRE (see '+expire') #836
kdig: extended description of SOA timers in the multiline mode
kdig: reduced latency of TLS communication
libknot: added EDE codes 28 and 29
doc: various improvements
Bugfixes:
knotd: generated catalog zone not updated upon server reload #834
knotd: failed to check shared module configuration
knotd: missing RCU registration of the statistics thread (Thanks to Qin Longfei)
knotd: server logs failed to send QUIC packets in the XDP mode
libs: inconsistent transformation of IPv4-Compatible IPv6 Addresses
utils: failed to load configuration if dnstap module is enabled #831
libknot: missing include string.h
2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359)
Log message:
revbump after textproc/icu update
2023-03-03 16:32:41 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.2.5
Changelog:
Version 3.2.5
Thursday, February 2, 2023
Features:
+ knotd: new configuration option for enforcing IXFR fallback (see
'zone.provide-ixfr')
Improvements:
+ knotd: changed UNIX socket file mode to 0222 for answering and 0220 for
control
+ mod-probe: new support for communication over a UNIX socket
+ kdig: new support for communication over a UNIX socket
+ libs: upgraded embedded libngtcp2 to 0.13.0
+ doc: various improvements
Bugfixes:
+ knotd: failed to get catalog member configuration if catalog template
is in a template
+ knotd: failed to respond over a UNIX socket with EDNS
+ knotd: unexpected zone update upon restart or zone reload if ZONEMD
generation is enabled
+ knotd: redundant zone flush of unchanged zone if zone file load is
'difference-no-serial'
+ knotd/kxdpgun: failed to receive messages over XDP with drivers tap or
ena
+ knotc: zone check doesn't report missing zone file #829
+ kxdpgun: program crashes when remote closes QUIC connection instead of
resumption
+ mod-geoip: configuration check leaks memory in the geodb mode
+ utils: unwanted color reset sequences in non-color output
2023-01-08 21:40:20 by Ryo ONODERA | Files touched by this commit (4)
Log message:
knot: Update to 3.2.4
Changelog:
Version 3.2.4
Improvements:
+ knotd: significant speed-up of catalog zone update processing
+ knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
+ knotd: reworked zone re-bootstrap scheduling to be less progressive
+ mod-synthrecord: module can work with CIDR-style reverse zones #826
+ python: new libknot wrappers for some dname transformation functions
+ doc: a few fixes and improvements
Bugfixes:
+ knotd: incomplete zone is received when IXFR falls back to AXFR due to
connection timeout if primary puts initial SOA only to the first
message
+ knotd: first zone re-bootstrap is planned after 24 hours
+ knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog
zone
+ knotd: catalog zone can expire upon EDNS EXPIRE processing
+ knotd: DNSSEC signing doesn't fail if no offline KSK records available
Version 3.2.3
Improvements:
+ knotd: new per-zone DS push configuration option (see 'zone.ds-push')
+ libs: upgraded embedded libngtcp2 to 0.11.0
Bugfixes:
+ knsupdate: program crashes when sending an update
+ knotd: server drops more responses over UDP under higher load
+ knotd: missing EDNS padding in responses over QUIC
+ knotd: some memory issues when handling unusual QUIC traffic
+ kxdpgun: broken IPv4 source subnet processing
+ kdig: incorrect handling of unsent data over QUIC
Version 3.2.2
Features:
+ knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
+ knotd: added configurable delay upon D-Bus initialization (see
'server.dbus-init-delay')
+ kdig: support for JSON (RFC 8427) output format (see '+json')
+ kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
Improvements:
+ mod-geoip: module respects the server configuration of answer rotation
+ libs: upgraded embedded libngtcp2 to 0.10.0
+ tests: improved robustness of some unit tests
+ doc: added description of zone bootstrap re-planning
Bugfixes:
+ knotd: catalog confusion when a member is added and immediately deleted
#818
+ knotd: defective handling of short messages with PROXYv2 header #816
+ knotd: inconsistent processing of malformed messages with PROXYv2
header #817
+ kxdpgun: incorrect XDP mode is logged
+ packaging: outdated dependency check in RPM packages
Version 3.2.1
Improvements:
+ libknot: added compatibility with libbpf 1.0 and libxdp
+ libknot: removed some trailing white space characters from textual RR
format
+ libs: upgraded embedded libngtcp2 to 0.8.1
Bugfixes:
+ knotd: some non-DNS packets not passed to OS if XDP mode enabled
+ knotd: inappropriate log about QUIC port change if QUIC not enabled
+ knotd/kxdpgun: various memory leaks related to QUIC and TCP
+ kxdpgun: can crash at high rates in emulated XDP mode
+ tests: broken XDP-TCP test on 32-bit platforms
+ kdig: failed to build with enabled QUIC on OpenBSD
+ systemd: failed to start server due to TemporaryFileSystem setting
+ packaging: missing knot-dnssecutils package on CentOS 7
Version 3.2.0
Features:
+ knotd: finalized TCP over XDP implementation
+ knotd: initial implementation of DNS over QUIC in the XDP mode (see
'xdp.quic')
+ knotd: new incremental DNSKEY management for multi-signer deployment
(see 'policy.dnskey-management')
+ knotd: support for remote grouping in configuration (see 'groups'
section)
+ knotd: implemented EDNS Expire option (RFC 7314)
+ knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set
to -1
+ knotd: support for PROXY v2 protocol over UDP (Thanks to Robert
Edmonds) #762
+ knotd: support for key labels with PKCS #11 keystore (see
'keystore.key-label')
+ knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
+ keymgr: new JSON output format (see '-j' parameter) for listing keys or
zones (Thanks to JP Mens)
+ kxdpgun: support for DNS over QUIC with some testing modes (see '-U'
parameter)
+ kdig: new DNS over QUIC support (see '+quic')
Improvements:
+ knotd: reduced memory consumption when processing IXFR, DNSSEC,
catalog, or DDNS
+ knotd: RRSIG refresh values don't have to match in the mode Offline KSK
+ knotd: better decision whether AXFR fallback is needed upon a refresh
error
+ knotd: NSEC3 resalt event was merged with the DNSSEC event
+ knotd: server logs when the connection to remote was taken from the
pool
+ knotd: server logs zone expiration time when the zone is loaded
+ knotd: DS check verifies removal of old DS during algorithm rollover
+ knotd: DNSSEC-related records can be updated via DDNS
+ knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
+ knotd: outgoing NOTIFY is replanned if failed
+ knotd: configuration checks if zone MIN interval values are lower or
equal to MAX ones
+ knotd: DNSSEC-related zone semantic checks use DNSSEC validation
+ knotd: new configuration value 'query' for setting ACL action
+ knotd: new check on near end of imported Offline KSK records
+ knotd/knotc: implemented zone catalog purge, including orphaned member
zones
+ knotc: interactive mode supports catalog zone completion, value
completion, and more
+ knotc: new default brief and colorized output from zone status
+ knotc: unified empty values in zone status output
+ keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
+ kjournalprint: path to journal DB is automatically taken from the
configuration, which can be specified using '-c', '-C' (or '-D')
+ kcatalogprint: path to catalog DB is automatically taken from the
configuration, which can be specified using '-c', '-C' (or '-D')
+ kzonesign: added automatic configuration file detection and '-C'
parameter for configuration DB specification
+ kzonesign: all CPU threads are used for DNSSEC validation
+ libknot: dname pointer cannot point to another dname pointer when
encoding RRsets #765
+ libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to
Robert Edmonds) #780
+ libknot: reduced memory consumption of the XDP mode
+ libknot: XDP filter supports up to 256 NIC queues
+ kxdpgun: new options for specifying source and remote MAC addresses
+ utils: extended logging of LMDB-related errors
+ utils: improved error outputs
+ kdig: query has AD bit set by default
+ doc: various improvements
Bugfixes:
+ knotd: zone changeset is stored to journal even if disabled
+ knotd: journal not applied to zone file if zone file changed during
reload
+ knotd: possible out-of-order processing or postponed zone events to far
future
+ knotd: incorrect TTL is used if updated RRSet is empty over control
interface
+ knotd/libs: serial arithmetics not used for RRSIG expiration processing
+ knsupdate: incorrect RRTYPE in the question section
Compatibility:
+ knotd: default value for 'zone.journal-max-depth' was lowered to 20
+ knotd: default value for 'policy.nsec3-iterations' was lowered to 0
+ knotd: default value for 'policy.rrsig-refresh' is propagation delay +
zone maximum TTL
+ knotd: server fails to load configuration if 'policy.rrsig-refresh' is
too low
+ knotd: configuration option 'server.listen-xdp' has no effect
+ knotd: new configuration check on deprecated DNSSEC algorithm
+ knotc: new '-e' parameter for full zone status output
+ keymgr: new '-e' parameter for full key list output
+ keymgr: brief key listing mode is enabled by default
+ keymgr: renamed parameter '-d' to '-D'
+ knsupdate: default TTL is set to 3600
+ knsupdate: default zone is empty
+ kjournalprint: renamed parameter '-c' to '-H'
+ python/libknot: removed compatibility with Python 2
Packaging:
+ systemd: removed knot.tmpfile
+ systemd: added some hardening options
+ distro: Debian 9 and Ubuntu 16.04 no longer supported
+ distro: packages for CentOS 7 are built in a separate COPR repository
+ kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
Version 3.1.9
Improvements:
+ knotd: new configuration checks on unsupported catalog settings
+ knotd: semantic check issues have notice log level in the soft mode
+ keymgr: command generate-ksr automatically sets 'from' parameter to
last offline KSK records' timestamp if it's not specified
+ keymgr: command show-offline starts from the first offline KSK record
set if 'from' parameter isn't specified
+ kcatalogprint: new parameters for filtering catalog or member zone
+ mod-probe: default rate limit was increased to 100000
+ libknot: default control timeout was increased to 30 seconds
+ python/libknot: various exceptions are raised from class KnotCtl
+ doc: some improvements
Bugfixes:
+ knotd: incomplete outgoing IXFR is responded if journal history is
inconsistent
+ knotd: manually triggered zone flush is suppressed if disabled zone
synchronization
+ knotd: failed to configure XDP listen interface without port
specification
+ knotd: de-cataloged member zone's file isn't deleted #805
+ knotd: member zone leaks memory when reloading catalog during dynamic
configuration change
+ knotd: server can crash when reloading modules with DNSSEC signing
(Thanks to iqinlongfei)
+ knotd: server crashes during shutdown if PKCS #11 keystore is used
+ keymgr: command del-all-old isn't applied to all keys in the removed
state
+ kxdpgun: user specified network interface isn't used
+ libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)