Log message:
revbump after updating security/nettle

Log message:
Update to 2.9.4

Changelog:
Version 2.9.4
Tuesday, May 5, 2020

Improvements:

        ANY query over UDP is always answered with one RRSet + possible RRSIG \ 
instead of truncated reply
        Server tries to resolve CNAME record generated by geoip module (Thanks \ 
to Conrad Hoffmann)
        Earlier OCSP validity check in kdig certificate verification (Thanks to \ 
Alexander Schultz)
        Module onlinesign allows KSK + ZSK mode
        Server control listen backlog limit was increased to 5
        Zone signing event is always re-scheduled even after a signing error
        Extended error checks and tiny enhancements in kjournalprint
        kdig logs a more detailed error message when failed to acquire a remote \ 
address
        Some documentation improvements

Bugfixes:
        Server can crash when zone update fails due to exceeded zone size limit
        keymgr 'share' command doesn't work
        Shared KSK doesn't work with an initial key
        Self-created RRSIGs are still cryptographically verified in some \ 
unnecessary cases
        Changed NSEC3PARAM not correctly detected during zone update
        NSEC(3) chain not fixed if affected by zone udpate
        knotc orphan purge doesn't work on journal
        Online signing configured along with DNSSEC signing can cause \ 
MDB_BAD_RSLOT error during server reload
        Zone journal access can stuck if mismanaged zone serial
        Concurrently added and removed same records in a DDNS message are not \ 
properly handled
        Zone check logs error instead of warning after a first error occured

Log message:
net/knot: remove nonexistent file from REPLACE_PYTHON

Log message:
knot: Update to 2.9.3

Changelog:
Version 2.9.3

Tuesday, March 3, 2020
Features:

        New configuration option 'remote.block-notify-after-transfer' to \ 
suppress sending NOTIFY messages
        Enabled testing support for Ed448 DNSSEC algorithm (requires GnuTLS \ 
3.6.12+ and not-yet-released Nettle 3.6+)
        New keymgr parameter 'local-serial' for getting/setting signed zone SOA \ 
serial in the KASP database
        keymgr can import Ed25519 and Ed448 keys in the BIND format (Thanks to \ 
Conrad Hoffmann)

Improvements:

        kdig returns error if the query name is invalid
        Increased 'server.tcp-io-timeout' default value to 500 ms
        Decreased 'database.journal-db-max-size' default value to 512 MiB on \ 
32-bit systems
        Server no longer falls back to AXFR if master is outdated during zone refresh
        Some documentation improvements (including new EPUB format and \ 
compatibility with Ultra Electronics CIS Keyper Plus HSM)
        Some packaging improvements (including new python3-libknot deb package)

Bugfixes:

        Outgoing IXFR can be malformed if the message size has specific size
        Server can crash if the zone contains solo NSEC3 record
        Improved compatibility with older journal format
        Incorrect SOA TTL in negative answers — SOA minimum not considered
        Cannot unset uppercase nodes via control interface #668
        Module RRL doesn't set AA flag and NOERROR rcode in slipped responses
        Server returns FORMERR instead of NOTIMP if empty QUESTION and unknown OPCODE

Log message:
*: recursive bump for libffi

Log message:
knot: Update to 2.9.2

Changelog:
Knot DNS 2.9.2 (2019-12-12)
===========================

Improvements:
-------------
 - Tiny ds-check log message rewording
 - Some unnecessary code cleanup

Bugfixes:
---------
 - ds-push doesn't replace the DS RRset on the parent #661
 - Server gets stuck in a never-ending logging loop when changing SOA TTL
 - Server can crash when the journal database size limit is reached
 - Server can create a bogus changeset with equal serials from and to
 - Unreasonable re-signing of the NSEC3PARAM record when reloading the zone
   and 'zonefile-load: difference-no-serial' is configured
 - SOA RRSIG not updated if the only changed record is SOA
 - Failed to remove NSEC3 records through the control interface #666
 - Failed to stop the server if a zone transaction is active

Knot DNS 2.9.1 (2019-11-11)
===========================

Features:
---------
 - New option for OCSP stapling '+[no]tls-ocsp-stapling[=H]' in kdig (Thanks to \ 
Alexander Schultz)

Improvements:
-------------
 - Kdig always randomizes source TCP port on recent Linux #575
 - Server no longer warns about disabled zone file synchronization during shutdown
 - Zone loading stops if failed to load zone from the journal
 - Speed-up of insertion to big RRSets
 - Various code and documentation improvements

Bugfixes:
---------
 - Failed to apply journal changes after upgrade #659
 - Failed to finish zone loading if journal changeset serials from and to are equal
 - Incorrect handling of 0 value for 'tcp-io-timeout' and \ 
'tcp-remote-io-timeout' configuration
 - Server can crash if zone transaction is open during zone update
 - NSEC3 chain not fully updated if NSEC3 salt changes during zone update
 - Server can crash when flushing zone to a specified directory
 - Server can respond incorrect NSEC3 records after NSEC3 salt change
 - Delegation glue records not updated after specific zone change

Knot DNS 2.9.0 (2019-10-10)
===========================

Features:
---------
 - Full support for different master/slave serial arithmetics when on-slave signing
 - Module geoip newly supports wildcard records #650
 - New DNSSEC policy configuration option 'rrsig-pre-refresh' for reducing
   frequency of the zone signing event
 - New server configuration option 'tcp-reuseport' for setting SO_REUSEPORT(_LB)
   mode on TCP sockets
 - New server configuration option 'tcp-io-timeout' [ms] for restricting inbound
   IO operations over TCP #474

Improvements:
-------------
 - Significant speed-up of zone contents modifications
 - Avoided double zone signing during CSK rollovers
 - Self-created RRSIGs are not cryptographically verified if not necessary
 - Zone journal can store two changesets if zone file difference computing
   and DNSSEC signing are enabled. The first one containing the difference of
   zone history needed by slave servers, the second one containing the difference
   between zone file and zone needed for server restart
 - Universal and more robust memory clearing
 - More precise socket timeout handling
 - New notice log message for configuration changes requiring server restart
 - Module RRL logs both trigger source address and affected subnet
 - Various code (especially zone and TCP processing) and documentation improvements

Bugfixes:
---------
 - RRSIGs are wrongly checked for inconsistent RRSet TTLs during zone update
 - DS check/push warnings after disabled DNSSEC signing
 - NSEC3 records not accessible through control interface
 - Module geoip doesn't accept underscore character in dname specification #655

Compatibility:
--------------
 - Removed runtime reconfiguration of network workers and interfaces since
   it was imperfect and also couldn't work after dropped process privileges
 - Removed inaccurate and misleading knotc command 'zone-memstats' because
   memory consumption varies during zone modifications or transfers
 - Removed useless 'zone.request-edns-option' configuration option
 - Reimplemented DNS Cookies to be interoperable (based on \ 
draft-ietf-dnsop-server-cookies
   and work by Witold Kręcicki)
 - Default limit on TCP clients is auto-configured to one half of the file
   descriptor limit for the server process
 - Number of open files limit is set to 1048576 in upstream packages
 - Default number of TCP workers is equal to the number of online CPUs or at least 10
 - Default EDNS buffer size is 1232 for both IPv4 and IPv6
 - Removed 'tcp-handshake-timeout' server configuration option
 - Some configuration options were renamed and possibly moved. Old names will
   be supported at least until next major release:
    - 'server.tcp-reply-timeout' [s] to 'server.tcp-remote-io-timeout' [ms]
    - 'server.max-tcp-clients'       to 'server.tcp-max-clients'
    - 'server.max-udp-payload'       to 'server.udp-max-payload'
    - 'server.max-ipv4-udp-payload'  to 'server.udp-max-payload-ipv4'
    - 'server.max-ipv6-udp-payload'  to 'server.udp-max-payload-ipv6'
    - 'template.journal-db'          to 'database.journal-db'
    - 'template.journal-db-mode'     to 'database.journal-db-mode'
    - 'template.max-journal-db-size' to 'database.journal-db-max-size'
    - 'template.kasp-db'             to 'database.kasp-db'
    - 'template.max-kasp-db-size'    to 'database.kasp-db-max-size'
    - 'template.timer-db'            to 'database.timer-db'
    - 'template.max-timer-db-size'   to 'database.timer-db-max-size'
    - 'zone.max-journal-usage'       to 'zone.journal-max-usage'
    - 'zone.max-journal-depth'       to 'zone.journal-max-depth'
    - 'zone.max-zone-size'           to 'zone.zone-max-size'
    - 'zone.max-refresh-interval'    to 'zone.refresh-max-interval'
    - 'zone.min-refresh-interval'    to 'zone.refresh-min-interval'

Knot DNS 2.8.4 (2019-09-24)
===========================

Features:
---------
 - Automatic uploading of DS records to parent zone using DDNS,
   see 'policy.ds-push' configuration option

Improvements:
-------------
 - Incoming IXFR no longer falls back to AXFR if connection error #642
 - More accurate semantic checks for missing glue records
 - Various code and documentation improvements

Bugfixes:
---------
 - Failed to read/export configuration if 'acl.update-type' is set #651
 - Failed to generate initial zero-length salt
 - Missing error log for invalid rrtype input to dynamic configuration #652
 - Missing error log when AXFR processing fails to store zone data
 - Redundant notice log about unavailable persistent configuration DB
 - Zone not flushed after retransfer if SOA serial not changed
 - Zone contents not properly fixed during zone transfers
 - No changeset created for updated rrset's TTL if changed by RR addition

Log message:
net: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.

Log message:
Update to 2.8.3

Changelog:

Features:

        Added cert/key file configuration for TLS in kdig (Thanks to Alexander \ 
Schultz)

Improvements:

        More verbose log message for offline-KSK signing
        Module RRL logs affected source address subnet instead of only one \ 
source address
        Extended DNSSEC policy configuration checks
        Various improvements in the documentation

Bugfixes:

        Excessive server load when maximum TCP clients limit is reached
        Incorrect reply after zone update with a node changed from \ 
non-authoritative to delegation
        Wrong error line number in a config file if it contains leading tab character
        Config file error message contains unrelated parsing context
        NSEC3 salt not updated when reconfigured to zero length
        Kjournalprint sometimes prints a random value for per-zone occupation
        Missing debug log for failed zone refresh triggered by zone notification
        DS check not scheduled when reconfigured
        Broken unit test on NetBSD 8.x

Log message:
*: recursive bump for nettle 3.5.1

Log message:
Update to 2.8.2

Changelog:
Knot DNS 2.8.2 (2019-06-05)
===========================

Features:
---------
 - New blocking mode for zone event triggers in knotc
 - New weighted records mode in the module geoip (Thanks to Conrad Hoffmann)
 - Module noudp allows UDP allow rate configuration

Improvements:
-------------
 - NSEC3 salt lifetime can be set to infinity
 - New 'running' zone event status in the knotc output
 - Knotc in the forced mode returns failure also if zone check emits any warning
 - Ignoring PMTU information for IPv4/UDP via IP_PMTUDISC_OMIT (Thanks to \ 
Daisuke Higashi)
 - Various improvements in the documentation

Bugfixes:
---------
 - Broken setting of CPU affinity for UDP workers
 - Unexpected results with the geoip subnet mode
 - Sometimes insufficient zone adjusting
 - Incoherent DNSKEY RRSIG lifetimes in SKR
 - Confusing output from keymgr if an error occurs during KSR generation
 - Non-functional changeset history depth limitation in kjournalprint
 - Wrong processing of multiple $INCLUDE directives #646