Next | Query returned 94 messages, browsing 21 to 30 | Previous

CVS Commit History:


   2022-10-26 12:32:08 by Thomas Klausner | Files touched by this commit (687)
Log message:
*: bump PKGREVISION for libunistring shlib major bump
   2022-06-30 13:19:02 by Nia Alarie | Files touched by this commit (524)
Log message:
*: Revbump packages that use Python at runtime without a PKGNAME prefix
   2022-06-16 18:31:04 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
knot: Update to 3.1.8

Changelog:
Version 3.1.8

Thursday, April 28, 2022

Features:

      + knotd: optional automatic ACL for XFR and NOTIFY (see
        'remote.automatic-acl')
      + knotd: new soft zone semantic check mode for allowing defective zone
        loading
      + knotc: added zone transfer freeze state to the zone status output

Improvements:

      + knotd: added configuration check for serial policy of generated
        catalogs

Bugfixes:

      + knotd/libknot: the server can crash when validating a malformed TSIG
        record
      + knotd: outgoing zone transfer freeze not preserved during server reload
      + knotd: catalog UPDATE not processed if previous UPDATE processing not
        finished #790
      + knotd: zone refresh not started if planned during server reload
      + knotd: generated catalogs can be queried over UDP
      + knotd/utils: failed to open LMDB database if too many stale slots
        occupy the lock table

Version 3.1.7

Wednesday, March 30, 2022

Features:

      + knotd: new configuration items for restricting minimum and maximum zone
        expire and retry intervals (see 'zone.expire-min-interval',
        'zone.expire-max-interval', 'zone.retry-min-interval',
        'zone.retry-max-interval') #785
      + knotc: added catalog information to zone status

Improvements:

      + knotd: better warning message if SOA serial comparison failed when
        loading from zone file
      + knotc: zone status shows all zone events when frozen
      + keymgr: better error message is returned when importing SKR with
        insufficient permissions
      + kdig: transfer status is also printed if failed

Bugfixes:

      + knotd: incomplete implementation of the Offline KSK mode in the IXFR
        and DDNS processing
      + knotd: catalog zone accepts duplicate members via UPDATE #786
      + knotd: server crashes if catalog database contains orphaned member
        zones
      + knotd: old journal is scraped when restoring just the zone file
      + knotd: some planned zone events can be lost during server reload
      + knotd: frozen zone gets thawed during server reload
      + knsupdate: missing section names in the show output
      + knsupdate: inappropriate log message if called from a script

Version 3.1.6

Tuesday, February 8, 2022

Features:

      + knotd: optional D-Bus notifications for significant server and zone
        events (see 'server.dbus-event')
      + knotd: new submission configuration option for delayed KSK
        post-activation (see 'submission.parent-delay')
      + knotc: new commands for outgoing XFR freeze (see 'zone-xfr-freeze' and
        'zone-xfr-thaw')
      + kzonesign: added multithreaded DNSSEC validation mode (see '--verify')

Improvements:

      + kdig: trailing data in reply packet is accepted with a warning
      + kdig: XFR responses are checked if SOA owners match
      + knotd: failed remote operations are logged as info instead of debug
      + knsec3hash: added alternative and more natural parameter semantics
      + knsupdate: interactive mode is newly based on library Editline
      + Dockerfile: added UID argument to facilitate the use of unprivileged
        container #783
      + doc: various fixes and improvements

Bugfixes:

      + libknot: inaccurate KNOT_DNAME_TXT_MAXLEN constant value #781
      + knotd: propagation delay not considered before DS push
      + knotd: excessive refresh retry delay when a few early attempts fail
      + knotd: duplicate KSK submission log message during a KSK rollover
      + kdig: dname letter case not preserved in XFR and Dnstap outputs
      + mod-cookies: missing server cookie in responses over TCP

Version 3.1.5

Monday, December 20, 2021

Features:

      + knotd: optional outgoing TCP connection pool for faster communication
        with remotes (see 'server.remote-pool-limit' and
        'server.remote-pool-timeout')
      + knotd: optional unreachable remote tracking to avoid zone events
        clogging (see 'server.remote-retry-delay')
      + knotd: new ZONEMD generation mode for the record removal from the zone
        apex #760 (see 'zone.zonemd-generate: remove')
      + mod-dnsproxy: new source address match option (see
        'mod-dnsproxy.address')
      + scripts/probe_dump: simple mod-probe client

Improvements:

      + knotd: DS push sets DS TTL equal to DNSKEY TTL
      + knotd: extended zone purge error logging
      + knotd: zone file parsing error message was extended by the file name
      + knotd: improved debug log message when TCP timeout is reached
      + knotd: new configuration check for using the default number of NSEC3
        iterations
      + knotd: new configuration check for insufficient RRSIG refresh time
      + mod-geoip: configuration check newly verifies the module configuration
        file #778
      + kdig: option +notimeout or +timeout=0 is interpreted as infinity
      + kdig: option +noretry is interpreted as zero retries
      + python/probe: more detailed default output format
      + doc: many spelling fixes (Thanks to Josh Soref)
      + doc: various fixes and improvements

Bugfixes:

      + knotd: imperfect TCP connection closing in the XDP mode
      + knotd: TCP reset packets are wrongly checked for ackno in the XDP mode
      + knotd: only first zone name is logged for multi-zone control operations
        #776
      + knotd: minor memory leak when full zone update fails to write to
        journal
      + knotc: configuration check doesn't check a configuration database
      + mod-dnstap: incorrect QNAME case restore in some corner cases (Thanks
        to Robert Edmonds) #777
   2021-12-17 16:15:58 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
knot: Update to 3.1.4

Changelog:
Version 3.1.4

Features:

      + mod-dnstap: added 'responses-with-queries' configuration option (Thanks
        to Robert Edmonds)

Improvements:

      + knotd: DNSSEC keys are logged in sorted order by timestamp
      + mod-cookies: added statistics counter for dropped queries due to the
        slip limit
      + mod-dnstap: restored the original query QNAME case #773 (Thanks to
        Robert Edmonds)
      + configure: improved compatibility of some scripts on macOS and BSDs
      + doc: updates on DNSSEC signing

Bugfixes:

      + knotd: server can crash when receiving queries with NSID EDNS flag #774
        (Thanks to Romain Labolle)
      + knotd: server crashes on reload when no interfaces configured #770
      + knotd: ZONEMD without DNSSEC not handled correctly
      + knotd: generated catalog zone not updated on config reload #772
      + knotd: zone catalog not verified before its interpretation
      + knotd: ds-push fails to update the parent zone if a CNAME exists for a
        non-terminal node

Version 3.1.3

Monday, October 18, 2021

Improvements:

      + knotd: added simple error logging to orphaned zone purge
      + knotd: allow manual public-only keys for unused algorithm
      + kdig: send ALPN when using DoT or XoT #769
      + doc: various fixes and improvements #767

Bugfixes:

      + knotd: catalog backup doesn't preserve version of the catalog
        implementation
      + knotd: NOTIFY is scheduled even when DNSSEC signing is up-to-date
      + knotd: server can crash when zone difference is inconsistent upon cold
        start
      + knotd: zone not bootstrapped when zone file load failed due to an error
      + knotd: broken AXFR with knot as slave and dnsmasq as master (Thanks to
        Daniel Gröber)
      + knotd: journal not able to free up space when zone-in-journal present
        and zonefile written
      + mod-stats: missing protocol counters for TCP over XDP
      + kzonesign: input zone name not lower-cased

Version 3.1.2

Features:

      + knotd: new policy configuration for postponing complete deletion of
        previous keys
      + keymgr: new optional pretty mode (-b) of listing keys
      + kdig: added support for TCP keepopen #503

Improvements:

      + knotd: configuration item values can contain UTF-8 characters
      + knotd: added configuration check for database storage writability
      + knotd: better error reporting if zone is empty
      + knotd: smaller journal database chunks in order to mitigate LMDB
        fragmentation
      + knotd/kxdpgun: CAP_SYS_RESOURCE capability no longer needed for XDP on
        Linux >= 5.11

Bugfixes:

      + knotd: incomplete NSEC3 proof in response to opt-outed empty
        non-terminal
      + knotd: wrong SOA serial handling when enabling signing on already
        existing secondary zone
      + knotd: defective ZONEMD verification error reporting when loading zone
        #759
      + knotd: server can crash when reloading catalog zone #761
      + knotd: DNSSEC validation doesn't work when only NSEC3 chain changes
      + knotd: DNSSEC validation doesn't check if empty non-terminal over
        non-opt-outed delegation isn't opt-outed too
      + knotd: ZONEMD generation doesn't cause flushing zone to disk #758
      + knotd: incorrect evaluation of ACL deny rule in combination with TSIG
      + knotd: failed DS-check is replanned even if no key is ready
      + kdig: abort when query times out #763
      + libzscanner: missing output overflow check in the SVCB parsing

Compatibility:

      + keymgr: parameter -d is marked deprecated in favor of new parameter -D
      + kjournalprint: parameter -n is marked deprecated in favor of new
        parameter -x

Version 3.1.1

Improvements:

      + keymgr: import-bind sets publish and active timers to now if missing
        timers #747
      + mod-rrl: added QNAME, which triggered an action, to log messages #757
      + systemd: added environment variable for setting maximum configuration
        DB size

Bugfixes:

      + knotd: adding RRSIGs to a signed zone can lead to redundant RRSIGs for
        some NSEC(3)s
      + knotd: code not compiled correctly for ARM on Fedora >= 33
      + knotd: server can crash when opening catalog DB on startup
      + knotd: incorrect catalog update counts in logs
      + knotd: journal discontinuity and zone-in-journal result in incorrectly
        calculated journal occupation
      + kdig: +noall does not filter out AUTHORITY comment #749
      + tests: journal unit test not passing if memory page size is different
        from 4096

Reverts:

      + libzscanner: reverted "omitted TTL value is correctly set to the last
        explicitly stated value (RFC 1035)" #751
   2021-12-08 17:07:18 by Adam Ciarcinski | Files touched by this commit (3063)
Log message:
revbump for icu and libffi
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2021-09-29 21:01:31 by Adam Ciarcinski | Files touched by this commit (872)
Log message:
revbump for boost-libs
   2021-08-07 18:36:18 by Ryo ONODERA | Files touched by this commit (4)
Log message:
knot: Update to 3.1.0

Changelog:
Version 3.1.0

Monday, August 2, 2021

Features:

      + knotd: automatic zone catalog generation based on actual configuration
      + knotd: zone catalog supports configuration groups
      + knotd: support for ZONEMD validation and generation
      + knotd: basic support for TCP over XDP processing
      + knotd: configuration option for enabling IP route check in the XDP mode
      + knotd: support for epoll (Linux) and kqueue (*BSD, macOS) socket
        polling
      + knotd: extended EDNS error (EDE) is added to the response if
        appropriate
      + knotd: DNSSEC operation with extra ready public-only KSK is newly
        allowed
      + knotd: new zone backup/restore filters for more variable component
        specification
      + knotd: adaptive systemd service start timeout and new zone loading
        status #733
      + knotd: configuration option for enabling TCP Fast Open on outbound
        communication
      + knotd: when the server starts, zone NOTIFY is sent only if not sent
        already
      + knotc: zone reload with the force flag triggers reload of the zone and
        its modules
      + libs: support for parsing and dumping SVCB and HTTPS resource records
      + kdig: support for TCP Fast Open along with DoT/DoH #549
      + kxdpgun: basic support for DNS over TCP processing
      + kxdpgun: current traffic statistics can be printed using a USR1 signal
      + python: new libknot/probe API wrapper

Improvements:

      + knotd: PID file is created even in the foreground mode
      + knotd: more robust and enhanced zone data backup and restore operations
      + knotd: maximum length of an XFR message is limited to 16 KiB for better
        compression
      + knotd: maximum CNAME/DNAME chain depth per reply was decreased from 20
        to 5
      + knotd: improved performance of processing domain names with many short
        labels
      + knotd: adaptive limit on the number of LMDB readers to avoid problems
        with many workers
      + knotd: TTL of generated NSEC(3) records is set to min(SOA TTL, SOA
        minimum)
      + knotd: TTL of generated NSEC3PARAM is equal to TTL of NSEC3 records
      + knotd: maximum TCP segment size is restricted to 1220 octets on Linux
        #468
      + knotc: various improvements in error reporting
      + knotc: default control timeout is infinity in the blocking mode
      + dnssec: dnskey generator tries to return a key with a unique keytag
      + kxdpgun: RLIMIT_MEMLOCK is increased only if not high enough
      + kxdpgun: RTNETLINK is used for getting network information instead of
        the ip command

Bugfixes:

      + knotd: DNAME not applied more than once to resolve the query #714
      + knotd: root zone not correctly purged from the journal
      + kzonecheck: incorrect check for opt-outed empty non-terminal nodes
      + libzscanner: wrong error line number
      + libzscanner: broken multiline rdata processing if an error occurs
      + mod-geoip: NXDOMAIN is responded instead of NODATA #745
      + make: build fails with undefined references if building using slibtool
        #722

Packaging:

      + knotd: systemd service reload uses 'kill -HUP' instead of 'knotc
        reload'
      + kxdpgun: new library dependency libmnl
      + mod-dnstap: new package separate from the knot package
      + mod-geoip: new package separate from the knot package

Compatibility:

      + configure: option '--enable-xdp=yes' means use an external libbpf if
        available or use the embedded one
      + libzscanner: omitted TTL value is correctly set to the last explicitly
        stated value (RFC 1035)
      + knotc: zone restore from an old backup (3.0.x) requires forced
        operation
      + knotd: configuration option 'server.listen-xdp' is replaced with
        'xdp.listen'
      + knotd: zone file loading with automatic SOA serial incrementation newly
        requires having full zone in the journal
      + knotd: obsolete configuration options 'zone.disable-any',
        'server.tcp-handshake-timeout' are silently ignored
      + knotd: obsolete configuration options 'zone.max-zone-size',
        'zone.max-journal-depth', 'zone.max-journal-usage',
        'zone.max-refresh-interval', 'zone.min-refresh-interval',
        'server.max-ipv4-udp-payload', 'server.max-ipv6-udp-payload',
        'server.max-udp-payload', 'server.tcp-reply-timeout',
        'server.max-tcp-clients' are ignored
      + knotd: obsolete default template options 'template.journal-db',
        'template.kasp-db', 'template.timer-db',
        'template.max-journal-db-size', 'template.journal-db-mode',
        'template.max-timer-db-size', 'template.max-kasp-db-size' are
        ignored

Version 3.0.8

Friday, July 16, 2021

Features:

      + knotc: new command for loading DNSSEC keys without dropping all RRSIGs
        when re-signing
      + knotd: new policy configuration option for disabling some DNSSEC safety
        features #741
      + mod-geoip: new dnssec and policy configuration options

Bugfixes:

      + knotd: early KSK removal during a KSK rollover if automatic KSK
        submission check is enabled and DNSKEY TTL is lower than the
        corresponding DS TTL
      + knotd: failed to generate a new DNSKEY if previously generated shared
        key not available
      + knotd: periodical error logging when a PKCS #11 keystore failed to
        initialize #742
      + knotd: zone commit doesn't check for missing SOA record

Version 3.0.7

Wednesday, June 16, 2021

Features:

      + knotd: new configuration policy option for CDS digest algorithm setting
        #738
      + keymgr: new command for primary SOA serial manipulation in on-secondary
        signing mode

Improvements:

      + knotd: improved algorithm rollover to shorten the last step of old
        RRSIG publication

Bugfixes:

      + knotd: zone is flushed upon server start, despite DNSSEC signing is
        up-to-date
      + knotd: wildcard nonexistence is proved on empty-non-terminal query
      + knotd: redundant wildcard proof for non-authoritative data in a reply
      + knotd: missing wildcard proofs in a wildcard-cname loop reply
      + knotd: incorrectly synthesized CNAME owner from a wildcard record #715
      + knotd: zone-in-journal changeset ignores journal-max-usage limit #736
      + knotd: incorrect processing of zone-in-journal changeset with SOA
        serial 0
      + knotd: broken initialization of processing workers if SO_REUSEPORT(_LB)
        not available
      + kjournalprint: reported journal usage is incorrect #736
      + keymgr: cannot parse algorithm name ed448 #739
      + keymgr: default key size not set properly
      + kdig: failed to process huge DoH responses
      + libknot/probe: some corner-case bugs

Version 3.0.6

Wednesday, May 12, 2021

Features:

      + mod-probe: new module for simple traffic logging (Python API not yet
        included)

Improvements:

      + keymgr: new mode for listing zones with at least one key stored
      + keymgr: the pregenerate command accepts optional timestamp-from
        parameter
      + kzonecheck: accept '-' as substitution for standard input #727
      + knotd: print an error when unable to change owner of a logging file
      + knotd: new warning log if no interface is configured
      + knotd: new signing policy check for NSEC3 iterations higher than 20
      + knotd: don't allow backup to/restore from the DB storage directory
      + Various code (mostly zone backup/restore), tests, and documentation
        improvements

Bugfixes:

      + knotd: secondary fails to load zone file if HTTPS or SVCB record is
        present #725
      + knotd: (KSK roll-over) new KSK is not signing DNSKEY long enough before
        DS submission
      + knotd: (KSK roll-over) old KSK uselessly published after roll-over
        finished
      + knotd: malformed address in TCP-related logs when listening on a UNIX
        socket
      + knotd: server responds FORMERR instead of BADTIME if TSIG signed time
        is zero #730
      + modules: incorrect local and remote addresses in the XDP mode
      + modules: failed to read configuration from a section without
        identifiers
      + mod-synthrecord: queries on synthesized empty-non-terminals not
        answered with NODATA
      + keymgr: confusing error if del-all-old command fails
   2021-05-14 15:08:10 by Nia Alarie | Files touched by this commit (1)
Log message:
knot: needs editline
