2021-08-07 18:36:18 by Ryo ONODERA | Files touched by this commit (4)
Log message:
knot: Update to 3.1.0
Changelog:
Version 3.1.0
Monday, August 2, 2021
Features:
+ knotd: automatic zone catalog generation based on actual configuration
+ knotd: zone catalog supports configuration groups
+ knotd: support for ZONEMD validation and generation
+ knotd: basic support for TCP over XDP processing
+ knotd: configuration option for enabling IP route check in the XDP mode
+ knotd: support for epoll (Linux) and kqueue (*BSD, macOS) socket
polling
+ knotd: extended EDNS error (EDE) is added to the response if
appropriate
+ knotd: DNSSEC operation with extra ready public-only KSK is newly
allowed
+ knotd: new zone backup/restore filters for more variable component
specification
+ knotd: adaptive systemd service start timeout and new zone loading
status #733
+ knotd: configuration option for enabling TCP Fast Open on outbound
communication
+ knotd: when the server starts, zone NOTIFY is sent only if not sent
already
+ knotc: zone reload with the force flag triggers reload of the zone and
its modules
+ libs: support for parsing and dumping SVCB and HTTPS resource records
+ kdig: support for TCP Fast Open along with DoT/DoH #549
+ kxdpgun: basic support for DNS over TCP processing
+ kxdpgun: current traffic statistics can be printed using a USR1 signal
+ python: new libknot/probe API wrapper
Improvements:
+ knotd: PID file is created even in the foreground mode
+ knotd: more robust and enhanced zone data backup and restore operations
+ knotd: maximum length of an XFR message is limited to 16 KiB for better
compression
+ knotd: maximum CNAME/DNAME chain depth per reply was decreased from 20
to 5
+ knotd: improved performance of processing domain names with many short
labels
+ knotd: adaptive limit on the number of LMDB readers to avoid problems
with many workers
+ knotd: TTL of generated NSEC(3) records is set to min(SOA TTL, SOA
minimum)
+ knotd: TTL of generated NSEC3PARAM is equal to TTL of NSEC3 records
+ knotd: maximum TCP segment size is restricted to 1220 octets on Linux
#468
+ knotc: various improvements in error reporting
+ knotc: default control timeout is infinity in the blocking mode
+ dnssec: dnskey generator tries to return a key with a unique keytag
+ kxdpgun: RLIMIT_MEMLOCK is increased only if not high enough
+ kxdpgun: RTNETLINK is used for getting network information instead of
the ip command
Bugfixes:
+ knotd: DNAME not applied more than once to resolve the query #714
+ knotd: root zone not correctly purged from the journal
+ kzonecheck: incorrect check for opted-out empty non-terminal nodes
+ libzscanner: wrong error line number
+ libzscanner: broken multiline rdata processing if an error occurs
+ mod-geoip: NXDOMAIN is responded instead of NODATA #745
+ make: build fails with undefined references if building using slibtool
#722
Packaging:
+ knotd: systemd service reload uses 'kill -HUP' instead of 'knotc
reload'
+ kxdpgun: new library dependency libmnl
+ mod-dnstap: new package separate from the knot package
+ mod-geoip: new package separate from the knot package
Compatibility:
+ configure: option '--enable-xdp=yes' means use an external libbpf if
available
or use the embedded one
+ libzscanner: omitted TTL value is correctly set to the last explicitly
stated value (RFC 1035)
+ knotc: zone restore from an old backup (3.0.x) requires forced
operation
+ knotd: configuration option 'server.listen-xdp' is replaced with
'xdp.listen'
+ knotd: zone file loading with automatic SOA serial incrementation newly
requires having full zone in the journal
+ knotd: obsolete configuration options 'zone.disable-any',
'server.tcp-handshake-timeout'
are silently ignored
+ knotd: obsolete configuration options 'zone.max-zone-size',
'zone.max-journal-depth',
'zone.max-journal-usage', 'zone.max-refresh-interval',
'zone.min-refresh-interval' 'server.max-ipv4-udp-payload',
'server.max-ipv6-udp-payload', 'server.max-udp-payload',
'server.tcp-reply-timeout', 'server.max-tcp-clients' are ignored
+ knotd: obsolete default template options 'template.journal-db',
'template.kasp-db', 'template.timer-db',
'template.max-journal-db-size', 'template.journal-db-mode',
'template.max-timer-db-size', 'template.max-kasp-db-size' are
ignored
Version 3.0.8
Friday, July 16, 2021
Features:
+ knotc: new command for loading DNSSEC keys without dropping all RRSIGs
when re-signing
+ knotd: new policy configuration option for disabling some DNSSEC safety
features #741
+ mod-geoip: new dnssec and policy configuration options
Bugfixes:
+ knotd: early KSK removal during a KSK rollover if automatic KSK
submission check
is enabled and DNSKEY TTL is lower than the corresponding DS TTL
+ knotd: failed to generate a new DNSKEY if previously generated shared
key not available
+ knotd: periodical error logging when a PKCS #11 keystore failed to
initialize #742
+ knotd: zone commit doesn't check for missing SOA record
Version 3.0.7
Wednesday, June 16, 2021
Features:
+ knotd: new configuration policy option for CDS digest algorithm setting
#738
+ keymgr: new command for primary SOA serial manipulation in on-secondary
signing mode
Improvements:
+ knotd: improved algorithm rollover to shorten the last step of old
RRSIG publication
Bugfixes:
+ knotd: zone is flushed upon server start, despite DNSSEC signing being
up-to-date
+ knotd: wildcard nonexistence is proved on empty-non-terminal query
+ knotd: redundant wildcard proof for non-authoritative data in a reply
+ knotd: missing wildcard proofs in a wildcard-cname loop reply
+ knotd: incorrectly synthesized CNAME owner from a wildcard record #715
+ knotd: zone-in-journal changeset ignores journal-max-usage limit #736
+ knotd: incorrect processing of zone-in-journal changeset with SOA
serial 0
+ knotd: broken initialization of processing workers if SO_REUSEPORT(_LB)
not available
+ kjournalprint: reported journal usage is incorrect #736
+ keymgr: cannot parse algorithm name ed448 #739
+ keymgr: default key size not set properly
+ kdig: failed to process huge DoH responses
+ libknot/probe: some corner-case bugs
Version 3.0.6
Wednesday, May 12, 2021
Features:
+ mod-probe: new module for simple traffic logging (Python API not yet
included)
Improvements:
+ keymgr: new mode for listing zones with at least one key stored
+ keymgr: the pregenerate command accepts optional timestamp-from
parameter
+ kzonecheck: accept '-' as substitution for standard input #727
+ knotd: print an error when unable to change owner of a logging file
+ knotd: new warning log if no interface is configured
+ knotd: new signing policy check for NSEC3 iterations higher than 20
+ knotd: don't allow backup to/restore from the DB storage directory
+ Various code (mostly zone backup/restore), tests, and documentation
improvements
Bugfixes:
+ knotd: secondary fails to load zone file if HTTPS or SVCB record is
present #725
+ knotd: (KSK roll-over) new KSK is not signing DNSKEY long enough before
DS submission
+ knotd: (KSK roll-over) old KSK uselessly published after roll-over
finished
+ knotd: malformed address in TCP-related logs when listening on a UNIX
socket
+ knotd: server responds FORMERR instead of BADTIME if TSIG signed time
is zero #730
+ modules: incorrect local and remote addresses in the XDP mode
+ modules: failed to read configuration from a section without
identifiers
+ mod-synthrecord: queries on synthesized empty-non-terminals not
answered with NODATA
+ keymgr: confusing error if del-all-old command fails
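Several items above concern how an authoritative server composes an answer that crosses CNAME and DNAME records: the per-reply chain depth cap lowered from 20 to 5 in 3.1.0, DNAME now applied more than once in one reply, CNAMEs synthesized from a DNAME for a query name below its owner, and NODATA versus NXDOMAIN at empty non-terminals. The following is an added example, not Knot DNS code, that implements that answer composition over a small constructed in-memory zone. The zone contents, the `Reply` structure and the exact cap semantics (at most `max_depth` redirections are placed in the answer, the next one is dropped and the reply is flagged) are assumptions of this example; the security point is that an unbounded or cyclic chain must never keep the server looping or bloat the reply.

```python
"""Authoritative CNAME/DNAME chain following with a hard depth cap.

Added example (not Knot DNS code). The zone and cap semantics are
assumptions chosen for illustration; RFC 6672 rules for DNAME apply.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_CHAIN_DEPTH = 5  # Knot 3.1.0 lowered its per-reply cap from 20 to 5

RR = Tuple[str, str, str]  # (owner, type, rdata); owner/target names canonical


@dataclass
class Reply:
    rcode: str                              # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    capped: bool = False                    # chain cut at max_depth
    loop: bool = False                      # CNAME/DNAME cycle detected


def canon(name: str) -> str:
    """Lower-case, fully qualified form used as the zone key."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_below(name: str, parent: str) -> bool:
    """True if name is a proper subdomain of parent (both canonical)."""
    if parent == ".":
        return name != "."
    return name != parent and name.endswith("." + parent)


def dname_substitute(qname: str, owner: str, target: str) -> str:
    """RFC 6672 section 2.2: swap the DNAME owner suffix for its target."""
    return qname[: -len(owner)] + target


def dname_for(zone: Dict[str, Dict[str, List[str]]],
              name: str) -> Optional[Tuple[str, str]]:
    """Closest proper ancestor of name that carries a DNAME, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):         # i=0 is name itself: not redirected
        anc = ".".join(labels[i:]) + "."
        if "DNAME" in zone.get(anc, {}):
            return anc, zone[anc]["DNAME"][0]
    return None


def answer(zone: Dict[str, Dict[str, List[str]]], apex: str, qname: str,
           qtype: str, max_depth: int = MAX_CHAIN_DEPTH) -> Reply:
    """Compose the answer section for qname/qtype from one in-memory zone."""
    apex, name = canon(apex), canon(qname)
    reply, seen, depth = Reply("NOERROR"), set(), 0
    while True:
        if name in seen:                    # cycle: stop, never spin
            reply.loop = True
            return reply
        seen.add(name)
        node = zone.get(name)
        if node is not None:
            if qtype in node:               # exact match: done
                reply.answer += [(name, qtype, rd) for rd in node[qtype]]
                return reply
            if "CNAME" not in node:         # NODATA (a DNAME owner is not redirected)
                return reply
            redirect = [(name, "CNAME", node["CNAME"][0])]
        else:
            hit = dname_for(zone, name)
            if hit is None:
                # data exists below the name: empty non-terminal, NODATA not NXDOMAIN
                if not any(is_below(z, name) for z in zone):
                    reply.rcode = "NXDOMAIN"
                return reply
            owner, target = hit             # RFC 6672 s3.1: DNAME + synthesized CNAME
            redirect = [(owner, "DNAME", target),
                        (name, "CNAME", dname_substitute(name, owner, target))]
        if depth == max_depth:              # cap reached: drop this redirect, flag reply
            reply.capped = True
            return reply
        depth += 1
        reply.answer += redirect
        name = redirect[-1][2]              # CNAME target is the new query name
        if name != apex and not is_below(name, apex):
            return reply                    # target left the zone: resolver chases it


ZONE_APEX = "example.com"
ZONE = {  # constructed sample zone for this example only
    "example.com.": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"],
                     "NS": ["ns1.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "www.example.com.": {"A": ["192.0.2.10"]},
    "legacy.example.com.": {"DNAME": ["new.example.com."]},
    "x.example.com.": {"DNAME": ["legacy.example.com."]},   # DNAME chained to a DNAME
    "host.new.example.com.": {"A": ["192.0.2.20"]},
    "a.b.example.com.": {"A": ["192.0.2.30"]},               # makes b.example.com. an ENT
    "ext.example.com.": {"CNAME": ["www.example.net."]},     # out-of-zone target
    "loop1.example.com.": {"CNAME": ["loop2.example.com."]},
    "loop2.example.com.": {"CNAME": ["loop1.example.com."]},
}
for i in range(1, 6):                       # c1 -> c2 -> ... -> c6 -> www (6 CNAMEs)
    ZONE[f"c{i}.example.com."] = {"CNAME": [f"c{i + 1}.example.com."]}
ZONE["c6.example.com."] = {"CNAME": ["www.example.com."]}
```

Run `answer(ZONE, ZONE_APEX, "c1.example.com", "A")` with the default cap and the reply carries five CNAMEs and `capped=True`; with `max_depth=20` it carries all six plus the final A record, which is the difference the 3.1.0 change makes for a client that builds long chains on purpose.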
2021-05-14 15:08:10 by Nia Alarie | Files touched by this commit (1)
Log message:
knot: needs editline
2021-04-21 15:25:34 by Adam Ciarcinski | Files touched by this commit (864)
Log message:
revbump for boost-libs
2021-02-27 19:55:32 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.0.4
Changelog:
Improvements:
Sockets to CPUs binding is no longer enabled by default but can be
enabled via new configuration option 'server.socket-affinity'
Some documentation improvements
Bugfixes:
DNS queries without EDNS to the root zone apex are dropped in the XDP mode
Deterministic ECDSA signing leaks memory
Zone not stored to journal if zonefile-load isn't ZONEFILE_LOAD_WHOLE
Server crashes if the catalog zone isn't configured for registered
member zones
Server crashes when loading conflicting catalog member zones
CNAME and DNAME records below delegation are not ignored #713
Not all udp/tcp workers are used if the number of NIC queues is lower
than the number of udp/tcp workers
Failed to load statistics and geoip modules if built as shared
2021-01-06 13:18:48 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.0.3
Changelog:
Version 3.0.3
Features:
+ Kjournalprint can display changesets starting from specific SOA serial
Improvements:
+ New configuration check on ambiguous 'storage' specification #706
+ New configuration check on problematic 'zonefile-load' with
'journal-contents' combination
+ Server logs positive ACL check in debug severity level (Thanks to
Andreas Schrägle)
+ More verbose logging of failed zone backup
+ Extended documentation for catalog zones
Bugfixes:
+ On-slave signing produces broken NSEC(3) chain if glue node becomes
(un-)orphaned #705
+ Server responds CNAME query with NXDOMAIN for CNAME synthesized from
DNAME
+ Kdig crashes if source address and dnstap logging are specified
together #702
+ Knotc fails to display error returned from zone freeze or zone thaw
+ Dynamically reconfigured zone isn't loaded upon configuration commit
+ Keymgr is unable to import BIND-style private key if it contains empty
lines
+ Zone backup fails to backup keys if any of them is public-only
+ Failed to build with XDP support on Debian testing
Version 3.0.2
Features:
+ kdig prints Extended DNS Error (Gift for Marek Vavruša)
+ kxdpgun allows source IP address/subnet specification
Improvements:
+ Server doesn't start if any of listen addresses fails to bind
+ knotc no longer stores empty and adjacent identical commands to
interactive history
+ Depth of interactive history of knotc was increased to 1000 commands
+ keymgr prints error messages to stderr instead of stdout
+ keymgr checks for proper offline-ksk configuration before processing
KSR or SKR
+ keymgr imports Revoked timer from BIND keys
+ Additional XDP support detection in server
+ Lots of spelling and grammar fixes in documentation (Thanks to Paul
Dee)
+ Some documentation improvements
Bugfixes:
+ If more masters are configured, zone retransfer triggers AXFR from all
masters
+ Server can fail to bind address during restart due to missing
SO_REUSEADDR
+ KSK imported from BIND doesn't roll over automatically
+ libdnssec respects local GnuTLS policy — affects DNSSEC operations and
Knot Resolver
+ kdig can get stuck in an infinite loop when solving BADCOOKIE responses
+ Zone names received over control interface are not lower-cased
+ Zone attributes not secured with multi-threaded changes
+ kzonecheck ignores forced dnssec checks if zone not signed
+ kzonecheck fails on case-sensitivity of owner names in NSEC records
#699
+ kdig fails to establish TLS connection #700
+ Server responds NOTIMPL to queries with QDCOUNT 0 and known OPCODE
2020-12-04 21:45:51 by Nia Alarie | Files touched by this commit (456)
Log message:
Revbump packages with a runtime Python dep but no version prefix.
For the Python 3.8 default switch.
2020-10-25 12:13:43 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.0.1
Changelog:
3.0.1
Features:
New command in keymgr for validation of RRSIGs in SKR
Keymgr validates RRSIGs in SKR during import
New option in kzonecheck to skip DNSSEC-related checks
Improvements:
Module noudp has new configuration option for UDP truncation rate
Better detection of reproducible signing availability
Kxdpgun allows setting of network interface
Default control timeout in knotc was increased to 60 seconds
DNSSEC validation searches for invalid redundant RRSIGs
Configuration source detection no longer considers empty confdb
directory as active configuration
Zone backup preserves original zone file if zone file synchronization is
disabled
Bugfixes:
NSEC3 re-salt can cause server crash due to possible zone inconsistencies
Zone reload logs 'invalid parameter' if zone file not changed
Outgoing multi-message transfer can contain invalid compression pointers
under specific conditions
Improper handling of file descriptors in libdnssec
Server crashes if no policy is configured with DNSSEC validation
Server crashes if DNSSEC validation is enabled for unsigned zone
Failed to build with libnghttp2 (Thanks to Robert Edmonds)
Various bugs in zone data backup/restore
2020-10-01 05:37:02 by Ryo ONODERA | Files touched by this commit (4)
Log message:
knot: Update to 3.0.0
Changelog:
Version 3.0.0
Wednesday, September 9, 2020
Features:
+ High-performance networking mode using XDP sockets (requires Linux
4.18+)
+ Support for Catalog zones including kcatalogprint utility
+ New DNSSEC validation mode
+ New kzonesign utility --- an interface for manual DNSSEC signing
+ New kxdpgun utility --- high-performance DNS over UDP traffic generator
for Linux
+ DoH support in kdig using GnuTLS and libnghttp2
+ New KSK revoked state (RFC 5011) in manual DNSSEC key management mode
+ Deterministic signing with ECDSA algorithms (requires GnuTLS 3.6.10+)
+ Module synthrecord supports reverse pointer shortening
+ Safe persistent zone data backup and restore
Improvements:
+ Processing depth of CNAME and DNAME chains is limited to 20
+ Non-FQDN is allowed as 'update-owner-name' configuration option value
+ Kdig prints detailed algorithm identifier for PRIVATEDNS and PRIVATEOID
in multiline mode #334
+ Queries with QTYPE ANY or RRSIG are always responded with at most one
random RRSet
+ The statistics module has negligible performance overhead on modern
CPUs
+ If multithreaded zone signing is enabled, some additional zone
maintenance steps are newly parallelized
+ ACL can be configured by reference to a remote
+ Better CPU cache locality for higher query processing performance
+ Logging to non-syslog streams contains timestamps with the timezone
+ Keeping initial DNSKEY TTL and zone maximum TTL in KASP database to
ensure proper rollover timing in case of TTL changes during the
rollover
+ Responding FORMERR to queries with more OPT records
Bugfixes:
+ Module onlinesign responds NXDOMAIN instead of NOERROR (NODATA) if
DNSSEC not requested
+ Outgoing multi-message transfer can contain invalid compression
pointers under specific conditions
Version 2.9.6
Monday, August 31, 2020
Features:
+ New kdig option '+[no]opttext' to print unknown EDNS options as text if
possible (Thanks to Robert Edmonds)
Improvements:
+ Better error message if no key is ready for submission
+ Improved logging when master is not usable
+ Improved control logging of zone-flush errors if output directory is
specified
+ More precise system error messages when a zone transfer fails
+ Some documentation improvements (especially Offline KSK)
Bugfixes:
+ In the case of many zones, control operations over all zones take lots
of memory
+ Misleading error message on keymgr import-bind #683
+ DS push is triggered upon every zone change even though CDS wasn't
changed
+ Kzonecheck performance penalty with passive keys #688
+ CSK->KSK+ZSK scheme rollover can end too early
2020-05-27 16:32:02 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 2.9.5
Changelog:
Monday, May 25, 2020
Bugfixes:
Old ZSK can be withdrawn too early during a ZSK rollover if maximum zone
TTL is computed automatically
Server responds SERVFAIL to ANY queries on empty non-terminal nodes
Improvements:
Also module onlinesign returns minimized responses to ANY queries
Linking against libcap-ng can be disabled via a configure option
2020-05-23 01:29:31 by Maya Rashish | Files touched by this commit (1)
Log message:
knot: Disable hack to disable optimization.
It isn't actually stuck, with enough patience it does complete.