2023-03-03 16:32:41 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.2.5
Changelog:
Version 3.2.5
Thursday, February 2, 2023
Features:
+ knotd: new configuration option for enforcing IXFR fallback (see
'zone.provide-ixfr')
Improvements:
+ knotd: changed UNIX socket file mode to 0222 for answering and 0220 for
control
+ mod-probe: new support for communication over a UNIX socket
+ kdig: new support for communication over a UNIX socket
+ libs: upgraded embedded libngtcp2 to 0.13.0
+ doc: various improvements
Bugfixes:
+ knotd: failed to get catalog member configuration if catalog template
is in a template
+ knotd: failed to respond over a UNIX socket with EDNS
+ knotd: unexpected zone update upon restart or zone reload if ZONEMD
generation is enabled
+ knotd: redundant zone flush of unchanged zone if zone file load is
'difference-no-serial'
+ knotd/kxdpgun: failed to receive messages over XDP with drivers tap or
ena
+ knotc: zone check doesn't report missing zone file #829
+ kxdpgun: program crashes when remote closes QUIC connection instead of
resumption
+ mod-geoip: configuration check leaks memory in the geodb mode
+ utils: unwanted color reset sequences in non-color output
2023-01-08 21:40:20 by Ryo ONODERA | Files touched by this commit (4)
Log message:
knot: Update to 3.2.4
Changelog:
Version 3.2.4
Improvements:
+ knotd: significant speed-up of catalog zone update processing
+ knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
+ knotd: reworked zone re-bootstrap scheduling to be less progressive
+ mod-synthrecord: module can work with CIDR-style reverse zones #826
+ python: new libknot wrappers for some dname transformation functions
+ doc: a few fixes and improvements
Bugfixes:
+ knotd: incomplete zone is received when IXFR falls back to AXFR due to
connection timeout if primary puts initial SOA only to the first
message
+ knotd: first zone re-bootstrap is planned after 24 hours
+ knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog
zone
+ knotd: catalog zone can expire upon EDNS EXPIRE processing
+ knotd: DNSSEC signing doesn't fail if no offline KSK records available
Version 3.2.3
Improvements:
+ knotd: new per-zone DS push configuration option (see 'zone.ds-push')
+ libs: upgraded embedded libngtcp2 to 0.11.0
Bugfixes:
+ knsupdate: program crashes when sending an update
+ knotd: server drops more responses over UDP under higher load
+ knotd: missing EDNS padding in responses over QUIC
+ knotd: some memory issues when handling unusual QUIC traffic
+ kxdpgun: broken IPv4 source subnet processing
+ kdig: incorrect handling of unsent data over QUIC
Version 3.2.2
Features:
+ knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
+ knotd: added configurable delay upon D-Bus initialization (see
'server.dbus-init-delay')
+ kdig: support for JSON (RFC 8427) output format (see '+json')
+ kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
Improvements:
+ mod-geoip: module respects the server configuration of answer rotation
+ libs: upgraded embedded libngtcp2 to 0.10.0
+ tests: improved robustness of some unit tests
+ doc: added description of zone bootstrap re-planning
Bugfixes:
+ knotd: catalog confusion when a member is added and immediately deleted
#818
+ knotd: defective handling of short messages with PROXYv2 header #816
+ knotd: inconsistent processing of malformed messages with PROXYv2
header #817
+ kxdpgun: incorrect XDP mode is logged
+ packaging: outdated dependency check in RPM packages
Version 3.2.1
Improvements:
+ libknot: added compatibility with libbpf 1.0 and libxdp
+ libknot: removed some trailing white space characters from textual RR
format
+ libs: upgraded embedded libngtcp2 to 0.8.1
Bugfixes:
+ knotd: some non-DNS packets not passed to OS if XDP mode enabled
+ knotd: inappropriate log about QUIC port change if QUIC not enabled
+ knotd/kxdpgun: various memory leaks related to QUIC and TCP
+ kxdpgun: can crash at high rates in emulated XDP mode
+ tests: broken XDP-TCP test on 32-bit platforms
+ kdig: failed to build with enabled QUIC on OpenBSD
+ systemd: failed to start server due to TemporaryFileSystem setting
+ packaging: missing knot-dnssecutils package on CentOS 7
Version 3.2.0
Features:
+ knotd: finalized TCP over XDP implementation
+ knotd: initial implementation of DNS over QUIC in the XDP mode (see
'xdp.quic')
+ knotd: new incremental DNSKEY management for multi-signer deployment
(see 'policy.dnskey-management')
+ knotd: support for remote grouping in configuration (see 'groups'
section)
+ knotd: implemented EDNS Expire option (RFC 7314)
+ knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set
to -1
+ knotd: support for PROXY v2 protocol over UDP (Thanks to Robert
Edmonds) #762
+ knotd: support for key labels with PKCS #11 keystore (see
'keystore.key-label')
+ knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
+ keymgr: new JSON output format (see '-j' parameter) for listing keys or
zones (Thanks to JP Mens)
+ kxdpgun: support for DNS over QUIC with some testing modes (see '-U'
parameter)
+ kdig: new DNS over QUIC support (see '+quic')
Improvements:
+ knotd: reduced memory consumption when processing IXFR, DNSSEC,
catalog, or DDNS
+ knotd: RRSIG refresh values don't have to match in the mode Offline KSK
+ knotd: better decision whether AXFR fallback is needed upon a refresh
error
+ knotd: NSEC3 resalt event was merged with the DNSSEC event
+ knotd: server logs when the connection to remote was taken from the
pool
+ knotd: server logs zone expiration time when the zone is loaded
+ knotd: DS check verifies removal of old DS during algorithm rollover
+ knotd: DNSSEC-related records can be updated via DDNS
+ knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
+ knotd: outgoing NOTIFY is replanned if failed
+ knotd: configuration checks if zone MIN interval values are lower or
equal to MAX ones
+ knotd: DNSSEC-related zone semantic checks use DNSSEC validation
+ knotd: new configuration value 'query' for setting ACL action
+ knotd: new check on near end of imported Offline KSK records
+ knotd/knotc: implemented zone catalog purge, including orphaned member
zones
+ knotc: interactive mode supports catalog zone completion, value
completion, and more
+ knotc: new default brief and colorized output from zone status
+ knotc: unified empty values in zone status output
+ keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
+ kjournalprint: path to journal DB is automatically taken from the
configuration, which can be specified using '-c', '-C' (or '-D')
+ kcatalogprint: path to catalog DB is automatically taken from the
configuration, which can be specified using '-c', '-C' (or '-D')
+ kzonesign: added automatic configuration file detection and '-C'
parameter for configuration DB specification
+ kzonesign: all CPU threads are used for DNSSEC validation
+ libknot: dname pointer cannot point to another dname pointer when
encoding RRsets #765
+ libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to
Robert Edmonds) #780
+ libknot: reduced memory consumption of the XDP mode
+ libknot: XDP filter supports up to 256 NIC queues
+ kxdpgun: new options for specifying source and remote MAC addresses
+ utils: extended logging of LMDB-related errors
+ utils: improved error outputs
+ kdig: query has AD bit set by default
+ doc: various improvements
Bugfixes:
+ knotd: zone changeset is stored to journal even if disabled
+ knotd: journal not applied to zone file if zone file changed during
reload
+ knotd: possible out-of-order processing or postponed zone events to far
future
+ knotd: incorrect TTL is used if updated RRSet is empty over control
interface
+ knotd/libs: serial arithmetics not used for RRSIG expiration processing
+ knsupdate: incorrect RRTYPE in the question section
Compatibility:
+ knotd: default value for 'zone.journal-max-depth' was lowered to 20
+ knotd: default value for 'policy.nsec3-iterations' was lowered to 0
+ knotd: default value for 'policy.rrsig-refresh' is propagation delay +
zone maximum TTL
+ knotd: server fails to load configuration if 'policy.rrsig-refresh' is
too low
+ knotd: configuration option 'server.listen-xdp' has no effect
+ knotd: new configuration check on deprecated DNSSEC algorithm
+ knotc: new '-e' parameter for full zone status output
+ keymgr: new '-e' parameter for full key list output
+ keymgr: brief key listing mode is enabled by default
+ keymgr: renamed parameter '-d' to '-D'
+ knsupdate: default TTL is set to 3600
+ knsupdate: default zone is empty
+ kjournalprint: renamed parameter '-c' to '-H'
+ python/libknot: removed compatibility with Python 2
Packaging:
+ systemd: removed knot.tmpfile
+ systemd: added some hardening options
+ distro: Debian 9 and Ubuntu 16.04 no longer supported
+ distro: packages for CentOS 7 are built in a separate COPR repository
+ kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
Version 3.1.9
Improvements:
+ knotd: new configuration checks on unsupported catalog settings
+ knotd: semantic check issues have notice log level in the soft mode
+ keymgr: command generate-ksr automatically sets 'from' parameter to
last offline KSK records' timestamp if it's not specified
+ keymgr: command show-offline starts from the first offline KSK record
set if 'from' parameter isn't specified
+ kcatalogprint: new parameters for filtering catalog or member zone
+ mod-probe: default rate limit was increased to 100000
+ libknot: default control timeout was increased to 30 seconds
+ python/libknot: various exceptions are raised from class KnotCtl
+ doc: some improvements
Bugfixes:
+ knotd: incomplete outgoing IXFR is responded if journal history is
inconsistent
+ knotd: manually triggered zone flush is suppressed if disabled zone
synchronization
+ knotd: failed to configure XDP listen interface without port
specification
+ knotd: de-cataloged member zone's file isn't deleted #805
+ knotd: member zone leaks memory when reloading catalog during dynamic
configuration change
+ knotd: server can crash when reloading modules with DNSSEC signing
(Thanks to iqinlongfei)
+ knotd: server crashes during shutdown if PKCS #11 keystore is used
+ keymgr: command del-all-old isn't applied to all keys in the removed
state
+ kxdpgun: user specified network interface isn't used
+ libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)
2022-10-26 12:32:08 by Thomas Klausner | Files touched by this commit (687)
Log message:
*: bump PKGREVISION for libunistring shlib major bump
2022-06-30 13:19:02 by Nia Alarie | Files touched by this commit (524)
Log message:
*: Revbump packages that use Python at runtime without a PKGNAME prefix
2022-06-16 18:31:04 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.1.8
Changelog:
Version 3.1.8
Thursday, April 28, 2022
Features:
+ knotd: optional automatic ACL for XFR and NOTIFY (see
'remote.automatic-acl')
+ knotd: new soft zone semantic check mode for allowing defective zone
loading
+ knotc: added zone transfer freeze state to the zone status output
Improvements:
+ knotd: added configuration check for serial policy of generated
catalogs
Bugfixes:
+ knotd/libknot: the server can crash when validating a malformed TSIG
record
+ knotd: outgoing zone transfer freeze not preserved during server reload
+ knotd: catalog UPDATE not processed if previous UPDATE processing not
finished #790
+ knotd: zone refresh not started if planned during server reload
+ knotd: generated catalogs can be queried over UDP
+ knotd/utils: failed to open LMDB database if too many stale slots
occupy the lock table
Version 3.1.7
Wednesday, March 30, 2022
Features:
+ knotd: new configuration items for restricting minimum and maximum zone
expire and retry intervals (see 'zone.expire-min-interval',
'zone.expire-max-interval', 'zone.retry-min-interval',
'zone.retry-max-interval') #785
+ knotc: added catalog information to zone status
Improvements:
+ knotd: better warning message if SOA serial comparison failed when
loading from zone file
+ knotc: zone status shows all zone events when frozen
+ keymgr: better error message is returned when importing SKR with
insufficient permissions
+ kdig: transfer status is also printed if failed
Bugfixes:
+ knotd: incomplete implementation of the Offline KSK mode in the IXFR
and DDNS processing
+ knotd: catalog zone accepts duplicate members via UPDATE #786
+ knotd: server crashes if catalog database contains orphaned member
zones
+ knotd: old journal is scraped when restoring just the zone file
+ knotd: some planned zone events can be lost during server reload
+ knotd: frozen zone gets thawed during server reload
+ knsupdate: missing section names in the show output
+ knsupdate: inappropriate log message if called from a script
Version 3.1.6
Tuesday, February 8, 2022
Features:
+ knotd: optional D-Bus notifications for significant server and zone
events (see 'server.dbus-event')
+ knotd: new submission configuration option for delayed KSK
post-activation (see 'submission.parent-delay')
+ knotc: new commands for outgoing XFR freeze (see 'zone-xfr-freeze' and
'zone-xfr-thaw')
+ kzonesign: added multithreaded DNSSEC validation mode (see '--verify')
Improvements:
+ kdig: trailing data in reply packet is accepted with a warning
+ kdig: XFR responses are checked if SOA owners match
+ knotd: failed remote operations are logged as info instead of debug
+ knsec3hash: added alternative and more natural parameter semantics
+ knsupdate: interactive mode is newly based on library Editline
+ Dockerfile: added UID argument to facilitate the use of unprivileged
container #783
+ doc: various fixes and improvements
Bugfixes:
+ libknot: inaccurate KNOT_DNAME_TXT_MAXLEN constant value #781
+ knotd: propagation delay not considered before DS push
+ knotd: excessive refresh retry delay when a few early attempts fail
+ knotd: duplicate KSK submission log message during a KSK rollover
+ kdig: dname letter case not preserved in XFR and Dnstap outputs
+ mod-cookies: missing server cookie in responses over TCP
Version 3.1.5
Monday, December 20, 2021
Features:
+ knotd: optional outgoing TCP connection pool for faster communication
with remotes (see 'server.remote-pool-limit' and
'server.remote-pool-timeout')
+ knotd: optional unreachable remote tracking to avoid zone events
clogging (see 'server.remote-retry-delay')
+ knotd: new ZONEMD generation mode for the record removal from the zone
apex #760 (see 'zone.zonemd-generate: remove')
+ mod-dnsproxy: new source address match option (see
'mod-dnsproxy.address')
+ scripts/probe_dump: simple mod-probe client
Improvements:
+ knotd: DS push sets DS TTL equal to DNSKEY TTL
+ knotd: extended zone purge error logging
+ knotd: zone file parsing error message was extended by the file name
+ knotd: improved debug log message when TCP timeout is reached
+ knotd: new configuration check for using the default number of NSEC3
iterations
+ knotd: new configuration check for insufficient RRSIG refresh time
+ mod-geoip: configuration check newly verifies the module configuration
file #778
+ kdig: option +notimeout or +timeout=0 is interpreted as infinity
+ kdig: option +noretry is interpreted as zero retries
+ python/probe: more detailed default output format
+ doc: many spelling fixes (Thanks to Josh Soref)
+ doc: various fixes and improvements
Bugfixes:
+ knotd: imperfect TCP connection closing in the XDP mode
+ knotd: TCP reset packets are wrongly checked for ackno in the XDP mode
+ knotd: only first zone name is logged for multi-zone control operations
#776
+ knotd: minor memory leak when full zone update fails to write to
journal
+ knotc: configuration check doesn't check a configuration database
+ mod-dnstap: incorrect QNAME case restore in some corner cases (Thanks
to Robert Edmonds) #777
2021-12-17 16:15:58 by Ryo ONODERA | Files touched by this commit (2)
Log message:
knot: Update to 3.1.4
Changelog:
Version 3.1.4
Features:
+ mod-dnstap: added 'responses-with-queries' configuration option (Thanks
to Robert Edmonds)
Improvements:
+ knotd: DNSSEC keys are logged in sorted order by timestamp
+ mod-cookies: added statistics counter for dropped queries due to the
slip limit
+ mod-dnstap: restored the original query QNAME case #773 (Thanks to
Robert Edmonds)
+ configure: improved compatibility of some scripts on macOS and BSDs
+ doc: updates on DNSSEC signing
Bugfixes:
+ knotd: server can crash when receiving queries with NSID EDNS flag #774
(Thanks to Romain Labolle)
+ knotd: server crashes on reload when no interfaces configured #770
+ knotd: ZONEMD without DNSSEC not handled correctly
+ knotd: generated catalog zone not updated on config reload #772
+ knotd: zone catalog not verified before its interpretation
+ knotd: ds-push fails to update the parent zone if a CNAME exists for a
non-terminal node
Version 3.1.3
Monday, October 18, 2021
Improvements:
+ knotd: added simple error logging to orphaned zone purge
+ knotd: allow manual public-only keys for unused algorithm
+ kdig: send ALPN when using DoT or XoT #769
+ doc: various fixes and improvements #767
Bugfixes:
+ knotd: catalog backup doesn't preserve version of the catalog
implementation
+ knotd: NOTIFY is scheduled even when DNSSEC signing is up-to-date
+ knotd: server can crash when zone difference is inconsistent upon cold
start
+ knotd: zone not bootstrapped when zone file load failed due to an error
+ knotd: broken AXFR with knot as slave and dnsmasq as master (Thanks to
Daniel Gröber)
+ knotd: journal not able to free up space when zone-in-journal present
and zonefile written
+ mod-stats: missing protocol counters for TCP over XDP
+ kzonesign: input zone name not lower-cased
Version 3.1.2
Features:
+ knotd: new policy configuration for postponing complete deletion of
previous keys
+ keymgr: new optional pretty mode (-b) of listing keys
+ kdig: added support for TCP keepopen #503
Improvements:
+ knotd: configuration item values can contain UTF-8 characters
+ knotd: added configuration check for database storage writability
+ knotd: better error reporting if zone is empty
+ knotd: smaller journal database chunks in order to mitigate LMDB
fragmentation
+ knotd/kxdpgun: CAP_SYS_RESOURCE capability no longer needed for XDP on
Linux >= 5.11
Bugfixes:
+ knotd: incomplete NSEC3 proof in response to opt-outed empty
non-terminal
+ knotd: wrong SOA serial handling when enabling signing on already
existing secondary zone
+ knotd: defective ZONEMD verification error reporting when loading zone
#759
+ knotd: server can crash when reloading catalog zone #761
+ knotd: DNSSEC validation doesn't work when only NSEC3 chain changes
+ knotd: DNSSEC validation doesn't check if empty non-terminal over
non-opt-outed delegation isn't opt-outed too
+ knotd: ZONEMD generation doesn't cause flushing zone to disk #758
+ knotd: incorrect evaluation of ACL deny rule in combination with TSIG
+ knotd: failed DS-check is replanned even if no key is ready
+ kdig: abort when query times out #763
+ libzscanner: missing output overflow check in the SVCB parsing
Compatibility:
+ keymgr: parameter -d is marked deprecated in favor of new parameter -D
+ kjournalprint: parameter -n is marked deprecated in favor of new
parameter -x
Version 3.1.1
Improvements:
+ keymgr: import-bind sets publish and active timers to now if missing
timers #747
+ mod-rrl: added QNAME, which triggered an action, to log messages #757
+ systemd: added environment variable for setting maximum configuration
DB size
Bugfixes:
+ knotd: adding RRSIGs to a signed zone can lead to redundant RRSIGs for
some NSEC(3)s
+ knotd: code not compiled correctly for ARM on Fedora >= 33
+ knotd: server can crash when opening catalog DB on startup
+ knotd: incorrect catalog update counts in logs
+ knotd: journal discontinuity and zone-in-journal result in incorrectly
calculated journal occupation
+ kdig: +noall does not filter out AUTHORITY comment #749
+ tests: journal unit test not passing if memory page size is different
from 4096
Reverts:
+ libzscanner: reverted "omitted TTL value is correctly set to the last
explicitly stated value (RFC 1035)" #751
2021-12-08 17:07:18 by Adam Ciarcinski | Files touched by this commit (3063)
Log message:
revbump for icu and libffi
2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
2021-09-29 21:01:31 by Adam Ciarcinski | Files touched by this commit (872)
Log message:
revbump for boost-libs