2020-05-22 12:56:49 by Adam Ciarcinski | Files touched by this commit (624) |
Log message:
revbump after updating security/nettle
|
2020-05-21 13:39:10 by Ryo ONODERA | Files touched by this commit (2) | |
Log message:
Update to 2.9.4
Changelog:
Version 2.9.4
Tuesday, May 5, 2020
Improvements:
ANY query over UDP is always answered with one RRSet + possible RRSIG \
instead of truncated reply
Server tries to resolve CNAME record generated by geoip module (Thanks \
to Conrad Hoffmann)
Earlier OCSP validity check in kdig certificate verification (Thanks to \
Alexander Schultz)
Module onlinesign allows KSK + ZSK mode
Server control listen backlog limit was increased to 5
Zone signing event is always re-scheduled even after a signing error
Extended error checks and tiny enhancements in kjournalprint
kdig logs a more detailed error message when failed to acquire a remote \
address
Some documentation improvements
Bugfixes:
Server can crash when zone update fails due to exceeded zone size limit
keymgr 'share' command doesn't work
Shared KSK doesn't work with an initial key
Self-created RRSIGs are still cryptographically verified in some \
unnecessary cases
Changed NSEC3PARAM not correctly detected during zone update
NSEC(3) chain not fixed if affected by zone udpate
knotc orphan purge doesn't work on journal
Online signing configured along with DNSSEC signing can cause \
MDB_BAD_RSLOT error during server reload
Zone journal access can stuck if mismanaged zone serial
Concurrently added and removed same records in a DDNS message are not \
properly handled
Zone check logs error instead of warning after a first error occured
|
2020-05-08 18:25:04 by Roland Illig | Files touched by this commit (1) |
Log message:
net/knot: remove nonexistent file from REPLACE_PYTHON
|
2020-03-30 14:42:22 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
knot: Update to 2.9.3
Changelog:
Version 2.9.3
Tuesday, March 3, 2020
Features:
New configuration option 'remote.block-notify-after-transfer' to \
suppress sending NOTIFY messages
Enabled testing support for Ed448 DNSSEC algorithm (requires GnuTLS \
3.6.12+ and not-yet-released Nettle 3.6+)
New keymgr parameter 'local-serial' for getting/setting signed zone SOA \
serial in the KASP database
keymgr can import Ed25519 and Ed448 keys in the BIND format (Thanks to \
Conrad Hoffmann)
Improvements:
kdig returns error if the query name is invalid
Increased 'server.tcp-io-timeout' default value to 500 ms
Decreased 'database.journal-db-max-size' default value to 512 MiB on \
32-bit systems
Server no longer falls back to AXFR if master is outdated during zone refresh
Some documentation improvements (including new EPUB format and \
compatibility with Ultra Electronics CIS Keyper Plus HSM)
Some packaging improvements (including new python3-libknot deb package)
Bugfixes:
Outgoing IXFR can be malformed if the message size has specific size
Server can crash if the zone contains solo NSEC3 record
Improved compatibility with older journal format
Incorrect SOA TTL in negative answers — SOA minimum not considered
Cannot unset uppercase nodes via control interface #668
Module RRL doesn't set AA flag and NOERROR rcode in slipped responses
Server returns FORMERR instead of NOTIMP if empty QUESTION and unknown OPCODE
|
2020-03-08 17:51:54 by Thomas Klausner | Files touched by this commit (2833) |
Log message:
*: recursive bump for libffi
|
2020-02-19 14:17:24 by Ryo ONODERA | Files touched by this commit (2) | |
Log message:
knot: Update to 2.9.2
Changelog:
Knot DNS 2.9.2 (2019-12-12)
===========================
Improvements:
-------------
- Tiny ds-check log message rewording
- Some unnecessary code cleanup
Bugfixes:
---------
- ds-push doesn't replace the DS RRset on the parent #661
- Server gets stuck in a never-ending logging loop when changing SOA TTL
- Server can crash when the journal database size limit is reached
- Server can create a bogus changeset with equal serials from and to
- Unreasonable re-signing of the NSEC3PARAM record when reloading the zone
and 'zonefile-load: difference-no-serial' is configured
- SOA RRSIG not updated if the only changed record is SOA
- Failed to remove NSEC3 records through the control interface #666
- Failed to stop the server if a zone transaction is active
Knot DNS 2.9.1 (2019-11-11)
===========================
Features:
---------
- New option for OCSP stapling '+[no]tls-ocsp-stapling[=H]' in kdig (Thanks to \
Alexander Schultz)
Improvements:
-------------
- Kdig always randomizes source TCP port on recent Linux #575
- Server no longer warns about disabled zone file synchronization during shutdown
- Zone loading stops if failed to load zone from the journal
- Speed-up of insertion to big RRSets
- Various code and documentation improvements
Bugfixes:
---------
- Failed to apply journal changes after upgrade #659
- Failed to finish zone loading if journal changeset serials from and to are equal
- Incorrect handling of 0 value for 'tcp-io-timeout' and \
'tcp-remote-io-timeout' configuration
- Server can crash if zone transaction is open during zone update
- NSEC3 chain not fully updated if NSEC3 salt changes during zone update
- Server can crash when flushing zone to a specified directory
- Server can respond incorrect NSEC3 records after NSEC3 salt change
- Delegation glue records not updated after specific zone change
Knot DNS 2.9.0 (2019-10-10)
===========================
Features:
---------
- Full support for different master/slave serial arithmetics when on-slave signing
- Module geoip newly supports wildcard records #650
- New DNSSEC policy configuration option 'rrsig-pre-refresh' for reducing
frequency of the zone signing event
- New server configuration option 'tcp-reuseport' for setting SO_REUSEPORT(_LB)
mode on TCP sockets
- New server configuration option 'tcp-io-timeout' [ms] for restricting inbound
IO operations over TCP #474
Improvements:
-------------
- Significant speed-up of zone contents modifications
- Avoided double zone signing during CSK rollovers
- Self-created RRSIGs are not cryptographically verified if not necessary
- Zone journal can store two changesets if zone file difference computing
and DNSSEC signing are enabled. The first one containing the difference of
zone history needed by slave servers, the second one containing the difference
between zone file and zone needed for server restart
- Universal and more robust memory clearing
- More precise socket timeout handling
- New notice log message for configuration changes requiring server restart
- Module RRL logs both trigger source address and affected subnet
- Various code (especially zone and TCP processing) and documentation improvements
Bugfixes:
---------
- RRSIGs are wrongly checked for inconsistent RRSet TTLs during zone update
- DS check/push warnings after disabled DNSSEC signing
- NSEC3 records not accessible through control interface
- Module geoip doesn't accept underscore character in dname specification #655
Compatibility:
--------------
- Removed runtime reconfiguration of network workers and interfaces since
it was imperfect and also couldn't work after dropped process privileges
- Removed inaccurate and misleading knotc command 'zone-memstats' because
memory consumption varies during zone modifications or transfers
- Removed useless 'zone.request-edns-option' configuration option
- Reimplemented DNS Cookies to be interoperable (based on \
draft-ietf-dnsop-server-cookies
and work by Witold Kręcicki)
- Default limit on TCP clients is auto-configured to one half of the file
descriptor limit for the server process
- Number of open files limit is set to 1048576 in upstream packages
- Default number of TCP workers is equal to the number of online CPUs or at least 10
- Default EDNS buffer size is 1232 for both IPv4 and IPv6
- Removed 'tcp-handshake-timeout' server configuration option
- Some configuration options were renamed and possibly moved. Old names will
be supported at least until next major release:
- 'server.tcp-reply-timeout' [s] to 'server.tcp-remote-io-timeout' [ms]
- 'server.max-tcp-clients' to 'server.tcp-max-clients'
- 'server.max-udp-payload' to 'server.udp-max-payload'
- 'server.max-ipv4-udp-payload' to 'server.udp-max-payload-ipv4'
- 'server.max-ipv6-udp-payload' to 'server.udp-max-payload-ipv6'
- 'template.journal-db' to 'database.journal-db'
- 'template.journal-db-mode' to 'database.journal-db-mode'
- 'template.max-journal-db-size' to 'database.journal-db-max-size'
- 'template.kasp-db' to 'database.kasp-db'
- 'template.max-kasp-db-size' to 'database.kasp-db-max-size'
- 'template.timer-db' to 'database.timer-db'
- 'template.max-timer-db-size' to 'database.timer-db-max-size'
- 'zone.max-journal-usage' to 'zone.journal-max-usage'
- 'zone.max-journal-depth' to 'zone.journal-max-depth'
- 'zone.max-zone-size' to 'zone.zone-max-size'
- 'zone.max-refresh-interval' to 'zone.refresh-max-interval'
- 'zone.min-refresh-interval' to 'zone.refresh-min-interval'
Knot DNS 2.8.4 (2019-09-24)
===========================
Features:
---------
- Automatic uploading of DS records to parent zone using DDNS,
see 'policy.ds-push' configuration option
Improvements:
-------------
- Incoming IXFR no longer falls back to AXFR if connection error #642
- More accurate semantic checks for missing glue records
- Various code and documentation improvements
Bugfixes:
---------
- Failed to read/export configuration if 'acl.update-type' is set #651
- Failed to generate initial zero-length salt
- Missing error log for invalid rrtype input to dynamic configuration #652
- Missing error log when AXFR processing fails to store zone data
- Redundant notice log about unavailable persistent configuration DB
- Zone not flushed after retransfer if SOA serial not changed
- Zone contents not properly fixed during zone transfers
- No changeset created for updated rrset's TTL if changed by RR addition
|
2019-11-03 12:45:59 by Roland Illig | Files touched by this commit (255) |
Log message:
net: align variable assignments
pkglint -Wall -F --only aligned --only indent -r
No manual corrections.
|
2019-08-21 16:19:00 by Ryo ONODERA | Files touched by this commit (2) | |
Log message:
Update to 2.8.3
Changelog:
Features:
Added cert/key file configuration for TLS in kdig (Thanks to Alexander \
Schultz)
Improvements:
More verbose log message for offline-KSK signing
Module RRL logs affected source address subnet instead of only one \
source address
Extended DNSSEC policy configuration checks
Various improvements in the documentation
Bugfixes:
Excessive server load when maximum TCP clients limit is reached
Incorrect reply after zone update with a node changed from \
non-authoritative to delegation
Wrong error line number in a config file if it contains leading tab character
Config file error message contains unrelated parsing context
NSEC3 salt not updated when reconfigured to zero length
Kjournalprint sometimes prints a random value for per-zone occupation
Missing debug log for failed zone refresh triggered by zone notification
DS check not scheduled when reconfigured
Broken unit test on NetBSD 8.x
|
2019-07-21 00:46:59 by Thomas Klausner | Files touched by this commit (595) |
Log message:
*: recursive bump for nettle 3.5.1
|
2019-06-14 01:47:05 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 2.8.2
Changelog:
Knot DNS 2.8.2 (2019-06-05)
===========================
Features:
---------
- New blocking mode for zone event triggers in knotc
- New weighted records mode in the module geoip (Thanks to Conrad Hoffmann)
- Module noudp allows UDP allow rate configuration
Improvements:
-------------
- NSEC3 salt lifetime can be set to infinity
- New 'running' zone event status in the knotc output
- Knotc in the forced mode returns failure also if zone check emits any warning
- Ignoring PMTU information for IPv4/UDP via IP_PMTUDISC_OMIT (Thanks to \
Daisuke Higashi)
- Various improvements in the documentation
Bugfixes:
---------
- Broken setting of CPU affinity for UDP workers
- Unexpected results with the geoip subnet mode
- Sometimes insufficient zone adjusting
- Incoherent DNSKEY RRSIG lifetimes in SKR
- Confusing output from keymgr if an error occurs during KSR generation
- Non-functional changeset history depth limitation in kjournalprint
- Wrong processing of multiple $INCLUDE directives #646
|