Tags give the ability to mark specific points in history as being important
  • v2.7.3 protected   Knot DNS 2.7.3

    Knot DNS 2.7.3 (2018-10-11)

    Features:

    • New queryacl module for query access control
    • Configurable answer rrset rotation #612
    • Configurable NSEC bitmap in online signing

    Improvements:

    • Better error logging for KASP DB operations #601
    • Some documentation improvements

    Bugfixes:

    • Keymgr "list" output doesn't show key size for ECDSA algorithms #602
    • Failed to link statically with embedded LMDB
    • Configuration commit causes zone reload for all zones
    • The statistics module overlooks TSIG record in a request
    • Improper processing of an AXFR-style-IXFR response consisting of one-record messages
    • Race condition in online signing during key rollover #600
    • Server can crash if geoip module is enabled in the geo mode

  • v2.7.2 protected   Knot DNS 2.7.2

    Knot DNS 2.7.2 (2018-08-29)

    Improvements:

    • Keymgr list command also displays key size
    • Kjournalprint displays total occupied size in the debug mode
    • Server doesn't stop if failed to load a shared module from the module directory
    • Libraries libcap-ng, pthread, and dl are linked selectively if needed

    Bugfixes:

    • Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
    • Server can crash when loading zone file difference and zone-in-journal is set
    • Incorrect treatment of specific queries in the module RRL
    • Failed to link module Cookies as a shared library

  • v2.7.1 protected   Knot DNS 2.7.1

    Knot DNS 2.7.1 (2018-08-14)

    Improvements:

    • Added zone wire size information to zone loading log message
    • Added debug log message for each unsuccessful remote address operation
    • Various improvements for packaging

    Bugfixes:

    • Incompatible handling of RRSIG TTL value when creating a DNS message
    • Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
    • Default configure prefix is ignored

  • v2.6.9 protected   Knot DNS 2.6.9

    Knot DNS 2.6.9 (2018-08-14)

    Improvements:

    • Added zone wire size to zone loading log message
    • Added debug log message for each unsuccessful remote address operation

    Bugfixes:

    • Zone not flushed after re-signing during zone load #594
    • Server crashes when committing empty zone transaction
    • Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

  • v2.7.0 protected   Knot DNS 2.7.0
    4a97d9f4 · NEWS: fix formatting

    Knot DNS 2.7.0 (2018-08-03)

    Features:

    • New DNS Cookies module and related '+cookie' kdig option
    • New module for response tailoring according to client's subnet or geographic location
    • General EDNS Client Subnet support in the server
    • OSS-Fuzz integration (Thanks to Jonathan Foote)
    • New '+ednsopt' kdig option (Thanks to Jan Včelák)
    • Online Signing support for automatic key rollover
    • Non-normal file (e.g. pipe) loading support in zscanner #542
    • Automatic SOA serial incrementation if non-empty zone difference
    • New zone file load option for ignoring zone file's SOA serial
    • New build-time option for alternative malloc specification
    • Structured logging for DNSSEC key submission event
    • Empty QNAME support in kdig

    Improvements:

    • Various library and server optimizations
    • Reduced memory consumption of outgoing IXFR processing
    • Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
    • Online Signing properly signs delegations and CNAME records
    • CDS/CDNSKEY rrset is signed with KSK instead of ZSK
    • DNSSEC-related records are ignored when loading zone difference with signing enabled
    • Minimum allowed RSA key length was increased to 1024
    • Removed explicit dependency on Nettle

    Bugfixes:

    • Possible uninitialized address buffer use in zscanner
    • Possible index overflow during multiline record parsing in zscanner
    • kdig +tls sometimes consumes 100 % CPU #561
    • Single-Type Signing doesn't work with single ZSK key #566
    • Zone not flushed after re-signing during zone load #594
    • Server crashes when committing empty zone transaction
    • Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

    Compatibility:

    • Removed obsolete RRL configuration
    • Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
    • Removed obsolete 'ixfr-from-differences' configuration option
    • Removed old journal migration
    • Removed module rosedb

  • v2.6.8 protected   Knot DNS 2.6.8

    Knot DNS 2.6.8 (2018-07-10)

    Features:

    • New 'import-pkcs11' command in keymgr

    Improvements:

    • Unixtime serial policy mimics Bind – increment if lower #593

    Bugfixes:

    • Creeping memory consumption upon server reload #584
    • Kdig incorrectly detects QNAME if 'notify' is a prefix
    • Server crashes when zone sign fails #587
    • CSK->KZSK rollover retires CSK early #588
    • Server crashes when zone expires during outgoing multi-message transfer
    • Kjournalprint doesn't convert zone name argument to lower-case
    • Cannot switch to a previously used ksk-shared dnssec policy #589

  • v2.6.7 protected   Knot DNS 2.6.7

    Knot DNS 2.6.7 (2018-05-17)

    Features:

    • Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to Wolfgang Jung)

    Improvements:

    • Trailing data indication from the packet parser (libknot)
    • Better configuration check for a problematical option combination

    Bugfixes:

    • Incomplete configuration option item name check
    • Possible buffer overflow in 'knot_dname_to_str' (libknot)
    • Module dnsproxy doesn't preserve letter case of QNAME
    • Module dnsproxy duplicates OPT and TSIG in the non-fallback mode

  • v2.6.6 protected   Knot DNS 2.6.6

    Knot DNS 2.6.6 (2018-04-11)

    Features:

    • New EDNS option counters in the statistics module
    • New '+orphan' filter for the 'zone-purge' operation

    Improvements:

    • Reduced memory consumption of disabled statistics metrics
    • Some spelling fixes (Thanks to Daniel Kahn Gillmor)
    • Server no longer fails to start if MODULE_DIR doesn't exist
    • Configuration include doesn't fail if empty wildcard match
    • Added a configuration check for a problematical option combination

    Bugfixes:

    • NSEC3 chain not re-created when SOA minimum TTL changed
    • Failed to start server if no template is configured
    • Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
    • Inaccurate outgoing zone transfer size in the log message
    • Invalid dname compression if empty question section
    • Missing EDNS in EMALF responses

  • v2.6.5 protected   Knot DNS 2.6.5

    Knot DNS 2.6.5 (2018-02-12)

    Features:

    • New 'zone-notify' command in knotc
    • Kdig uses '@server' as a hostname for TLS authentication if '+tls-ca' is set

    Improvements:

    • Better heap memory trimming for zone operations
    • Added proper polling for TLS operations in kdig
    • Configuration export uses stdout as a default output
    • Simplified detection of atomic operations
    • Added '--disable-modules' configure option
    • Small documentation updates

    Bugfixes:

    • Zone retransfer doesn't work well if more masters are configured
    • Kdig can leak or double free memory in corner cases
    • Inconsistent error outputs from dynamic configuration operations
    • Failed to generate documentation on OpenBSD

  • v2.6.4 protected   Knot DNS 2.6.4

    Knot DNS 2.6.4 (2018-01-02)

    Features:

    • Module synthrecord allows multiple 'network' specification
    • New CSK handling support in keymgr

    Improvements:

    • Allowed configuration for infinite zsk lifetime
    • Increased performance and security of the module synthrecord
    • Signing changeset is stored into journal even if 'zonefile-load' is whole

    Bugfixes:

    • Unintentional zone re-sign during reload if empty NSEC3 salt
    • Inconsistent zone names in journald structured logs
    • Malformed outgoing transfer for big zone with TSIG
    • Some minor DNSSEC-related issues

  • v2.5.7 protected   Knot DNS 2.5.7

    Knot DNS 2.5.7 (2018-01-02)

    Bugfixes:

    • Unintentional zone re-sign during reload if empty NSEC3 salt
    • Inconsistent zone names in journald structured logs
    • Malformed outgoing transfer for big zone with TSIG
    • Unexpected reply for DS query with an owner below a delegation point
    • Old dependencies in the pkg-config file

  • v2.6.3 protected   Knot DNS 2.6.3

    Knot DNS 2.6.3 (2017-11-24)

    Bugfixes:

    • Wrong detection of signing scheme rollover

  • v2.6.2 protected   Knot DNS 2.6.2

    Knot DNS 2.6.2 (2017-11-23)

    Features:

    • CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support

    Improvements:

    • Allowed explicit configuration for infinite ksk lifetime
    • Proper error messages instead of unclear error codes in server log
    • Better support for old compilers

    Bugfixes:

    • Unexpected reply for DS query with an owner below a delegation point
    • Old dependencies in the pkg-config file

  • v2.6.1 protected   Knot DNS 2.6.1

    Knot DNS 2.6.1 (2017-11-02)

    Features:

    • NSEC3 Opt-Out support in the DNSSEC signing
    • New CDS/CDNSKEY publish configuration option

    Improvements:

    • Simplified DNSSEC log message with DNSKEY details
    • +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
    • New documentation sections for DNSSEC key rollovers and shared keys
    • Keymgr no longer prints useless algorithm number for generated key
    • Kdig prints unknown RCODE in a numeric format
    • Better support for LLVM libFuzzer

    Bugfixes:

    • Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
    • Immediate zone flush not scheduled during the zone load event
    • Server crashes upon dynamic zone addition if a query module is loaded
    • Kdig fails to connect over TLS because SNI is set to the server IP address
    • Possible out-of-bounds memory access at the end of the input
    • TCP Fast Open enabled by default in kdig breaks TLS connection

  • v2.5.6 protected   Knot DNS 2.5.6

    Knot DNS 2.5.6 (2017-11-02)

    Improvements:

    • Keymgr no longer prints useless algorithm number for generated key

    Bugfixes:

    • Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
    • Immediate zone flush not scheduled during the zone load event
    • Server crashes upon dynamic zone addition if a query module is loaded
    • Kdig fails to connect over TLS because SNI is set to the server IP address

  • v2.6.0 protected   Knot DNS 2.6.0

    Knot DNS 2.6.0 (2017-09-29)

    Features:

    • On-slave (inline) signing support
    • Automatic DNSSEC key algorithm rollover
    • Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
    • New 'journal-content' and 'zonefile-load' configuration options
    • keymgr tries to run as user/group set in the configuration
    • Public-only DNSSEC key import into KASP DB via keymgr
    • NSEC3 resalt and parent DS query events are persistent in timer DB
    • New processing state for a response suppression within a query module
    • Enabled server side TCP Fast Open if supported
    • TCP Fast Open support in kdig

    Improvements:

    • Better record owner compression if related to the previous rdata dname
    • NSEC(3) chain is no longer recomputed whole on every update
    • Remove inconsistent and unnecessary quoting in log files
    • Avoids overlapping key rollovers at the same time
    • More DNSSEC-related semantic checks
    • Extended timestamp format in keymgr

    Bugfixes:

    • Incorrect journal free space computation causing inefficient space handling
    • Interface-automatic broken on Linux in the presence of asymmetric routing

  • v2.5.5 protected   Knot DNS 2.5.5

    Knot DNS 2.5.5 (2017-09-29)

    Improvements:

    • Constant time memory comparison in the TSIG processing
    • Proper use of the ctype functions
    • Generated RRSIG records have inception time 90 minutes in the past

    Bugfixes:

    • Incorrect online signature for NSEC in the case of a CNAME record
    • Incorrect timestamps in dnstap records
    • EDNS Subnet Client validation rejects valid payloads
    • Module configuration semantic checks are not executed
    • Kzonecheck segfaults with unusual inputs

  • v2.5.4 protected   Knot DNS 2.5.4

    Knot DNS 2.5.4 (2017-08-31)

    Improvements:

    • New minimum and maximum refresh interval config options (Thanks to Manabu Sonoda)
    • New warning when unforced flush with disabled zone file synchronization
    • New 'dnskey' keymgr command
    • Linking with libatomic on architectures that require it (Thanks to Pierre-Olivier Mercier)
    • Removed 'OK' from listing keymgr command outputs
    • Extended journal and keymgr documentation and logging

    Bugfixes:

    • Incorrect handling of specific corner-cases with zone-in-journal
    • The 'share' keymgr command doesn't work
    • Server crashes if configured with query-size and reply-size statistics options
    • Malformed big integer configuration values on some 32-bit platforms
    • Keymgr uses local time when parsing date inputs
    • Memory leak in kdig upon IXFR query

  • v2.5.3 protected   Knot DNS 2.5.3

    Knot DNS 2.5.3 (2017-07-14)

    Features:

    • CSK rollover support for Single-Type Signing Scheme

    Improvements:

    • Allowed binding to non-local addresses for TCP (Thanks to Julian Brost!)
    • New documentation section for manual DNSSEC key algorithm rollover
    • Initial KSK also generated in the submission state
    • The 'ds' keymgr command with no parameter uses all KSK keys
    • New debug mode in kjournalprint
    • Updated keymgr documentation

    Bugfixes:

    • Sometimes missing RRSIG by KSK in submission state.
    • Minor DNSSEC-related issues

  • v2.4.5 protected   Knot DNS 2.4.5