Tags give the ability to mark specific points in history as being important
  • v3.0.dev protected   Knot DNS 3.0.dev
    c9ec6301 · Bump version 3.0.dev ·
  • v2.9.0 protected   Knot DNS 2.9.0
    27fb3f7f · Bump version 2.9.0 ·

    Knot DNS 2.9.0 (2019-10-10)

    Features:

    • Full support for different master/slave serial arithmetics when on-slave signing
    • Module geoip newly supports wildcard records #650
    • New DNSSEC policy configuration option 'rrsig-pre-refresh' for reducing frequency of the zone signing event
    • New server configuration option 'tcp-reuseport' for setting SO_REUSEPORT(_LB) mode on TCP sockets
    • New server configuration option 'tcp-io-timeout' [ms] for restricting inbound IO operations over TCP #474

    Improvements:

    • Significant speed-up of zone contents modifications
    • Avoided double zone signing during CSK rollovers
    • Self-created RRSIGs are not cryptographically verified if not necessary
    • Zone journal can store two changesets if zone file difference computing and DNSSEC signing are enabled. The first one containing the difference of zone history needed by slave servers, the second one containing the difference between zone file and zone needed for server restart
    • Universal and more robust memory clearing
    • More precise socket timeout handling
    • New notice log message for configuration changes requiring server restart
    • Module RRL logs both trigger source address and affected subnet
    • Various code (especially zone and TCP processing) and documentation improvements

    Bugfixes:

    • RRSIGs are wrongly checked for inconsistent RRSet TTLs during zone update
    • DS check/push warnings after disabled DNSSEC signing
    • NSEC3 records not accessible through control interface
    • Module geoip doesn't accept underscore character in dname specification #655

    Compatibility:

    • Removed runtime reconfiguration of network workers and interfaces since it was imperfect and also couldn't work after dropped process privileges
    • Removed inaccurate and misleading knotc command 'zone-memstats' because memory consumption varies during zone modifications or transfers
    • Removed useless 'zone.request-edns-option' configuration option
    • Reimplemented DNS Cookies to be interoperable (based on draft-ietf-dnsop-server-cookies and work by Witold Kręcicki)
    • Default limit on TCP clients is auto-configured to one half of the file descriptor limit for the server process
    • Number of open files limit is set to 1048576 in upstream packages
    • Default number of TCP workers is equal to the number of online CPUs or at least 10
    • Default EDNS buffer size is 1232 for both IPv4 and IPv6
    • Removed 'tcp-handshake-timeout' server configuration option
    • Some configuration options were renamed and possibly moved. Old names will be supported at least until next major release:
      • 'server.tcp-reply-timeout' [s] to 'server.tcp-remote-io-timeout' [ms]
      • 'server.max-tcp-clients' to 'server.tcp-max-clients'
      • 'server.max-udp-payload' to 'server.udp-max-payload'
      • 'server.max-ipv4-udp-payload' to 'server.udp-max-payload-ipv4'
      • 'server.max-ipv6-udp-payload' to 'server.udp-max-payload-ipv6'
      • 'template.journal-db' to 'database.journal-db'
      • 'template.journal-db-mode' to 'database.journal-db-mode'
      • 'template.max-journal-db-size' to 'database.journal-db-max-size'
      • 'template.kasp-db' to 'database.kasp-db'
      • 'template.max-kasp-db-size' to 'database.kasp-db-max-size'
      • 'template.timer-db' to 'database.timer-db'
      • 'template.max-timer-db-size' to 'database.timer-db-max-size'
      • 'zone.max-journal-usage' to 'zone.journal-max-usage'
      • 'zone.max-journal-depth' to 'zone.journal-max-depth'
      • 'zone.max-zone-size' to 'zone.zone-max-size'
      • 'zone.max-refresh-interval' to 'zone.refresh-max-interval'
      • 'zone.min-refresh-interval' to 'zone.refresh-min-interval'

    Downloads:

  • v2.8.4 protected   Knot DNS 2.8.4
    21fd6bc7 · Bump version 2.8.4 ·

    Knot DNS 2.8.4 (2019-09-24)

    Features:

    • Automatic uploading of DS records to parent zone using DDNS, see 'policy.ds-push' configuration option

    Improvements:

    • Incoming IXFR no longer falls back to AXFR if connection error #642
    • More accurate semantic checks for missing glue records
    • Various code and documentation improvements

    Bugfixes:

    • Failed to read/export configuration if 'acl.update-type' is set #651
    • Failed to generate initial zero-length salt
    • Missing error log for invalid rrtype input to dynamic configuration #652
    • Missing error log when AXFR processing fails to store zone data
    • Redundant notice log about unavailable persistent configuration DB
    • Zone not flushed after retransfer if SOA serial not changed
    • Zone contents not properly fixed during zone transfers
    • No changeset created for updated rrset's TTL if changed by RR addition

    Downloads:

  • v2.8.3 protected   Knot DNS 2.8.3
    801560a1 · Bump version 2.8.3 ·

    Knot DNS 2.8.3 (2019-07-16)

    Features:

    • Added cert/key file configuration for TLS in kdig (Thanks to Alexander Schultz)

    Improvements:

    • More verbose log message for offline-KSK signing
    • Module RRL logs affected source address subnet instead of only one source address
    • Extended DNSSEC policy configuration checks
    • Various improvements in the documentation

    Bugfixes:

    • Excessive server load when maximum TCP clients limit is reached
    • Incorrect reply after zone update with a node changed from non-authoritative to delegation
    • Wrong error line number in a config file if it contains leading tab character
    • Config file error message contains unrelated parsing context
    • NSEC3 salt not updated when reconfigured to zero length
    • Kjournalprint sometimes prints a random value for per-zone occupation
    • Missing debug log for failed zone refresh triggered by zone notification
    • DS check not scheduled when reconfigured
    • Broken unit test on NetBSD 8.x

    Downloads:

  • v2.7.8 protected   Knot DNS 2.7.8
    951fe60c · Bump version 2.7.8 ·

    Knot DNS 2.7.8 (2019-07-16)

    Improvements:

    • Various improvements in the documentation

    Bugfixes:

    • Excessive server load when maximum TCP clients limit is reached
    • Incorrect reply after zone update with a node changed from non-authoritative to delegation
    • Missing debug log for failed zone refresh triggered by zone notification
    • Wrong processing of multiple $INCLUDE directives #646
    • Broken unit test on NetBSD 8.x

    Downloads:

  • v2.8.2 protected   Knot DNS 2.8.2
    0adac6d9 · Bump version 2.8.2 ·

    Knot DNS 2.8.2 (2019-06-05)

    Features:

    • New blocking mode for zone event triggers in knotc
    • New weighted records mode in the module geoip (Thanks to Conrad Hoffmann)
    • Module noudp allows UDP allow rate configuration

    Improvements:

    • NSEC3 salt lifetime can be set to infinity
    • New 'running' zone event status in the knotc output
    • Knotc in the forced mode returns failure also if zone check emits any warning
    • Ignoring PMTU information for IPv4/UDP via IP_PMTUDISC_OMIT (Thanks to Daisuke Higashi)
    • Various improvements in the documentation

    Bugfixes:

    • Broken setting of CPU affinity for UDP workers
    • Unexpected results with the geoip subnet mode
    • Sometimes insufficient zone adjusting
    • Incoherent DNSKEY RRSIG lifetimes in SKR
    • Confusing output from keymgr if an error occurs during KSR generation
    • Non-functional changeset history depth limitation in kjournalprint
    • Wrong processing of multiple $INCLUDE directives #646

    Downloads:

  • v2.7.7 protected   Knot DNS 2.7.7
    366163ee · Bump version 2.7.7 ·

    Knot DNS 2.7.7 (2019-04-15)

    Improvements:

    • Possible zone transaction is aborted by zone events to avoid inconsistency
    • Added log message if no persistent config DB is available during 'conf-begin'
    • Tiny building improvements

    Bugfixes:

    • Glue records under delegation are sometimes signed
    • NSEC3 not re-salted during AXFR refresh
    • Broken NSEC3 chain after adding new sub-delegations
    • Failed to sign new zone contents if added dynamically #641
    • NSEC3 opt-out signing doesn't work in some cases
    • Redundant SOA RRSIG on slave if RRSIG TTL changed on master
    • Sometimes confusing log error message for NOTIFY event
    • Failed to explicit set value 0 for submission timeout

    Downloads:

  • v2.8.1 protected   Knot DNS 2.8.1
    f72719fc · Bump version 2.8.1 ·

    Knot DNS 2.8.1 (2019-04-09)

    Improvements:

    • Possible zone transaction is aborted by zone events to avoid inconsistency
    • Added log message if no persistent config DB is available during 'conf-begin'
    • New environment setting 'KNOT_VERSION_FORMAT=release' for extended version suppression
    • Various improvements in the documentation

    Bugfixes:

    • Broken NSEC3-wildcard-nonexistence proof after NSEC3 re-salt
    • Glue records under delegation are sometimes signed
    • RRL doesn't work correctly on big-endian architectures
    • NSEC3 not re-salted during AXFR refresh
    • Failed to sign new zone contents if added dynamically #641
    • NSEC3 opt-out signing doesn't work in some cases
    • Broken NSEC3 chain after adding new sub-delegations
    • Redundant SOA RRSIG on slave if RRSIG TTL changed on master
    • Sometimes confusing log error message for NOTIFY event
    • Improper include for LMDB #638

    Downloads:

  • v2.9.dev protected   Knot DNS 2.9.dev
    d57b368f · Bump version 2.9.dev ·
  • v2.8.0 protected   Knot DNS 2.8.0
    3b502830 · Bump version 2.8.0 ·

    Knot DNS 2.8.0 (2019-03-05)

    Features:

    • New offline-KSK mode of operation
    • Configurable multithreaded DNSSEC signing for large zones
    • Extended ACL configuration for dynamic updates
    • New knotc trigger 'zone-key-rollover' for immediate DNSKEY rollover
    • Added support for OPENPGPKEY, CSYNC, SMIMEA, and ZONEMD RR types
    • New 'double-ds' option for CDS/CDNSKEY publication

    Improvements:

    • Significant speed-up of zone updates
    • Knotc supports force option in the interactive mode
    • Copy-on-write support for QP-trie (Thanks to Tony Finch)
    • Unified and more efficient LMDB layer for journal, timer, and KASP databases
    • DS check event is re-planned according to KASP even when purged timers
    • Module DNS Cookies supports explicit Server Secret configuration
    • Zone mtime is verified against full-precision timestamp (Thanks to Daniel Kahn Gillmor)
    • Extended logging (loaded SOA serials, refresh duration, tiny cleanup)
    • Relaxed fixed-length condition for DNSSEC key ID
    • Extended semantic checks for DNAME and NS RR types
    • Added support for FreeBSD's SO_REUSEPORT_LB
    • Improved performance of geoip module
    • Various improvements in the documentation

    Compatibility:

    • Changed configuration default for 'cds-cdnskey-publish' to 'rollover'
    • Journal DB format changes are not downgrade-compatible
    • Keymgr no longer prints DS for algorithm SHA-1

    Downloads:

  • v2.7.6 protected   Knot DNS 2.7.6

    Knot DNS 2.7.6 (2019-01-23)

    Improvements:

    • Zone status also shows when the zone load is scheduled
    • Server workers status also shows background workers utilization
    • Default control timeout for knotc was increased to 10 seconds
    • Pkg-config files contain auxiliary variable with library filename

    Bugfixes:

    • Configuration commit or server reload can drop some pending zone events
    • Nonempty zone journal is created even though it's disabled #635
    • Zone is completely re-signed during empty dynamic update processing
    • Server can crash when storing a big zone difference to the journal
    • Failed to link on FreeBSD 12 with Clang

    Downloads:

  • v2.7.5 protected   Knot DNS 2.7.5

    Knot DNS 2.7.5 (2019-01-07)

    Features:

    • Keymgr supports NSEC3 salt handling

    Improvements:

    • Zone history in journal is dropped apon AXFR-like zone update
    • Libdnssec is no longer linked against libm #628
    • Libdnssec is explicitly linked against libpthread if PKCS #11 enabled #629
    • Better support for libknot packaging in Python
    • Manually generated KSK is 'ready' by default
    • Kdig supports '+timeout' as an alias for '+time'
    • Kdig supports '+nocomments' option
    • Kdig no longer prints empty lines between retries
    • Kdig returns failure if operations not successfully resolved #632
    • Fixed repeating of the 'KSK submission, waiting for confirmation' log
    • Various improvements in documentation, Dockerfile, and tests

    Bugfixes:

    • Knotc fails to unset huge configuration section
    • Kjournalprint sometimes fails to display zone journal content
    • Improper timing of ZSK removal during ZSK rollover
    • Missing UTC time zone indication in the 'iso' keymgr list output
    • A race condition in the online signing module

    Downloads:

  • v2.7.4 protected   Knot DNS 2.7.4

    Knot DNS 2.7.4 (2018-11-13)

    Features:

    • Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)

    Improvements:

    • Added warning log when DNSSEC events not successfully scheduled
    • New semantic check on timer values in keymgr
    • DS query no longer asks other addresses if got a negative answer
    • Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
    • Extended logging for zone loading
    • Various documentation improvements

    Bugfixes:

    • Failed to import module configuration #613
    • Improper Cflags value in libknot.pc if built with embedded LMDB #615
    • IXFR doesn't fall back to AXFR if malformed reply
    • DNSSEC events not correctly scheduled for empty zone updates
    • During algorithm rollover old keys get removed before DS TTL expires #617
    • Maximum zone's RRSIG TTL not considered during algorithm rollover #620

    Downloads:

  • v2.7.3 protected   Knot DNS 2.7.3

    Knot DNS 2.7.3 (2018-10-11)

    Features:

    • New queryacl module for query access control
    • Configurable answer rrset rotation #612
    • Configurable NSEC bitmap in online signing

    Improvements:

    • Better error logging for KASP DB operations #601
    • Some documentation improvements

    Bugfixes:

    • Keymgr "list" output doesn't show key size for ECDSA algorithms #602
    • Failed to link statically with embedded LMDB
    • Configuration commit causes zone reload for all zones
    • The statistics module overlooks TSIG record in a request
    • Improper processing of an AXFR-style-IXFR response consisting of one-record messages
    • Race condition in online signing during key rollover #600
    • Server can crash if geoip module is enabled in the geo mode

    Downloads:

  • v2.7.2 protected   Knot DNS 2.7.2

    Knot DNS 2.7.2 (2018-08-29)

    Improvements:

    • Keymgr list command displays also key size
    • Kjournalprint displays total occupied size in the debug mode
    • Server doesn't stop if failed to load a shared module from the module directory
    • Libraries libcap-ng, pthread, and dl are linked selectively if needed

    Bugfixes:

    • Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
    • Server can crash when loading zone file difference and zone-in-journal is set
    • Incorrect treatment of specific queries in the module RRL
    • Failed to link module Cookies as a shared library

    Downloads:

  • v2.7.1 protected   Knot DNS 2.7.1

    Knot DNS 2.7.1 (2018-08-14)

    Improvements:

    • Added zone wire size information to zone loading log message
    • Added debug log message for each unsuccessful remote address operation
    • Various improvements for packaging

    Bugfixes:

    • Incompatible handling of RRSIG TTL value when creating a DNS message
    • Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
    • Default configure prefix is ignored

    Downloads:

  • v2.6.9 protected   Knot DNS 2.6.9

    Knot DNS 2.6.9 (2018-08-14)

    Improvements:

    • Added zone wire size to zone loading log message
    • Added debug log message for each unsuccessful remote address operation

    Bugfixes:

    • Zone not flushed after re-signing during zone load #594
    • Server crashes when committing empty zone transaction
    • Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

    Downloads:

  • v2.7.0 protected   Knot DNS 2.7.0
    4a97d9f4 · NEWS: fix formatting ·

    Knot DNS 2.7.0 (2018-08-03)

    Features:

    • New DNS Cookies module and related '+cookie' kdig option
    • New module for response tailoring according to client's subnet or geographic location
    • General EDNS Client Subnet support in the server
    • OSS-Fuzz integration (Thanks to Jonathan Foote)
    • New '+ednsopt' kdig option (Thanks to Jan Včelák)
    • Online Signing support for automatic key rollover
    • Non-normal file (e.g. pipe) loading support in zscanner #542
    • Automatic SOA serial incrementation if non-empty zone difference
    • New zone file load option for ignoring zone file's SOA serial
    • New build-time option for alternative malloc specification
    • Structured logging for DNSSEC key submission event
    • Empty QNAME support in kdig

    Improvements:

    • Various library and server optimizations
    • Reduced memory consumption of outgoing IXFR processing
    • Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
    • Online Signing properly signs delegations and CNAME records
    • CDS/CDNSKEY rrset is signed with KSK instead of ZSK
    • DNSSEC-related records are ignored when loading zone difference with signing enabled
    • Minimum allowed RSA key length was increased to 1024
    • Removed explicit dependency on Nettle

    Bugfixes:

    • Possible uninitialized address buffer use in zscanner
    • Possible index overflow during multiline record parsing in zscanner
    • kdig +tls sometimes consumes 100 % CPU #561
    • Single-Type Signing doesn't work with single ZSK key #566
    • Zone not flushed after re-signing during zone load #594
    • Server crashes when committing empty zone transaction
    • Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

    Compatibility:

    • Removed obsolete RRL configuration
    • Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
    • Removed obsolete 'ixfr-from-differences' configuration option
    • Removed old journal migration
    • Removed module rosedb

    Downloads:

  • v2.6.8 protected   Knot DNS 2.6.8

    Knot DNS 2.6.8 (2018-07-10)

    Features:

    • New 'import-pkcs11' command in keymgr

    Improvements:

    • Unixtime serial policy mimics Bind – increment if lower #593

    Bugfixes:

    • Creeping memory consuption upon server reload #584
    • Kdig incorrectly detects QNAME if 'notify' is a prefix
    • Server crashes when zone sign fails #587
    • CSK->KZSK rollover retires CSK early #588
    • Server crashes when zone expires during outgoing multi-message transfer
    • Kjournalprint doesn't convert zone name argument to lower-case
    • Cannot switch to a previously used ksk-shared dnssec policy #589

    Downloads:

  • v2.6.7 protected   Knot DNS 2.6.7

    Knot DNS 2.6.7 (2018-05-17)

    Features:

    • Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to Wolfgang Jung)

    Improvements:

    • Trailing data indication from the packet parser (libknot)
    • Better configuration check for a problematical option combination

    Bugfixes:

    • Incomplete configuration option item name check
    • Possible buffer overflow in 'knot_dname_to_str' (libknot)
    • Module dnsproxy doesn't preserve letter case of QNAME
    • Module dnsproxy duplicates OPT and TSIG in the non-fallback mode

    Downloads: