Tags give the ability to mark specific points in history as being important
  • v2.7.7 protected   Knot DNS 2.7.7
    366163ee · Bump version 2.7.7

    Knot DNS 2.7.7 (2019-04-15)

    Improvements:

    • Possible zone transaction is aborted by zone events to avoid inconsistency
    • Added log message if no persistent config DB is available during 'conf-begin'
    • Tiny building improvements

    Bugfixes:

    • Glue records under delegation are sometimes signed
    • NSEC3 not re-salted during AXFR refresh
    • Broken NSEC3 chain after adding new sub-delegations
    • Failed to sign new zone contents if added dynamically #641
    • NSEC3 opt-out signing doesn't work in some cases
    • Redundant SOA RRSIG on slave if RRSIG TTL changed on master
    • Sometimes confusing log error message for NOTIFY event
    • Failed to explicitly set value 0 for submission timeout


  • v2.8.1 protected   Knot DNS 2.8.1
    f72719fc · Bump version 2.8.1

    Knot DNS 2.8.1 (2019-04-09)

    Improvements:

    • Possible zone transaction is aborted by zone events to avoid inconsistency
    • Added log message if no persistent config DB is available during 'conf-begin'
    • New environment setting 'KNOT_VERSION_FORMAT=release' for extended version suppression
    • Various improvements in the documentation

    Bugfixes:

    • Broken NSEC3-wildcard-nonexistence proof after NSEC3 re-salt
    • Glue records under delegation are sometimes signed
    • RRL doesn't work correctly on big-endian architectures
    • NSEC3 not re-salted during AXFR refresh
    • Failed to sign new zone contents if added dynamically #641
    • NSEC3 opt-out signing doesn't work in some cases
    • Broken NSEC3 chain after adding new sub-delegations
    • Redundant SOA RRSIG on slave if RRSIG TTL changed on master
    • Sometimes confusing log error message for NOTIFY event
    • Improper include for LMDB #638


  • v2.9.dev protected   Knot DNS 2.9.dev
    d57b368f · Bump version 2.9.dev
  • v2.8.0 protected   Knot DNS 2.8.0
    3b502830 · Bump version 2.8.0

    Knot DNS 2.8.0 (2019-03-05)

    Features:

    • New offline-KSK mode of operation
    • Configurable multithreaded DNSSEC signing for large zones
    • Extended ACL configuration for dynamic updates
    • New knotc trigger 'zone-key-rollover' for immediate DNSKEY rollover
    • Added support for OPENPGPKEY, CSYNC, SMIMEA, and ZONEMD RR types
    • New 'double-ds' option for CDS/CDNSKEY publication

    Improvements:

    • Significant speed-up of zone updates
    • Knotc supports force option in the interactive mode
    • Copy-on-write support for QP-trie (Thanks to Tony Finch)
    • Unified and more efficient LMDB layer for journal, timer, and KASP databases
    • DS check event is re-planned according to KASP even when purged timers
    • Module DNS Cookies supports explicit Server Secret configuration
    • Zone mtime is verified against full-precision timestamp (Thanks to Daniel Kahn Gillmor)
    • Extended logging (loaded SOA serials, refresh duration, tiny cleanup)
    • Relaxed fixed-length condition for DNSSEC key ID
    • Extended semantic checks for DNAME and NS RR types
    • Added support for FreeBSD's SO_REUSEPORT_LB
    • Improved performance of geoip module
    • Various improvements in the documentation

    Compatibility:

    • Changed configuration default for 'cds-cdnskey-publish' to 'rollover'
    • Journal DB format changes are not downgrade-compatible
    • Keymgr no longer prints DS for algorithm SHA-1


  • v2.7.6 protected   Knot DNS 2.7.6

    Knot DNS 2.7.6 (2019-01-23)

    Improvements:

    • Zone status also shows when the zone load is scheduled
    • Server workers status also shows background workers utilization
    • Default control timeout for knotc was increased to 10 seconds
    • Pkg-config files contain auxiliary variable with library filename

    Bugfixes:

    • Configuration commit or server reload can drop some pending zone events
    • Nonempty zone journal is created even though it's disabled #635
    • Zone is completely re-signed during empty dynamic update processing
    • Server can crash when storing a big zone difference to the journal
    • Failed to link on FreeBSD 12 with Clang


  • v2.7.5 protected   Knot DNS 2.7.5

    Knot DNS 2.7.5 (2019-01-07)

    Features:

    • Keymgr supports NSEC3 salt handling

    Improvements:

    • Zone history in journal is dropped upon AXFR-like zone update
    • Libdnssec is no longer linked against libm #628
    • Libdnssec is explicitly linked against libpthread if PKCS #11 enabled #629
    • Better support for libknot packaging in Python
    • Manually generated KSK is 'ready' by default
    • Kdig supports '+timeout' as an alias for '+time'
    • Kdig supports '+nocomments' option
    • Kdig no longer prints empty lines between retries
    • Kdig returns failure if operations not successfully resolved #632
    • Fixed repeating of the 'KSK submission, waiting for confirmation' log
    • Various improvements in documentation, Dockerfile, and tests

    Bugfixes:

    • Knotc fails to unset huge configuration section
    • Kjournalprint sometimes fails to display zone journal content
    • Improper timing of ZSK removal during ZSK rollover
    • Missing UTC time zone indication in the 'iso' keymgr list output
    • A race condition in the online signing module


  • v2.7.4 protected   Knot DNS 2.7.4

    Knot DNS 2.7.4 (2018-11-13)

    Features:

    • Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)

    Improvements:

    • Added warning log when DNSSEC events not successfully scheduled
    • New semantic check on timer values in keymgr
    • DS query no longer asks other addresses if got a negative answer
    • Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
    • Extended logging for zone loading
    • Various documentation improvements

    Bugfixes:

    • Failed to import module configuration #613
    • Improper Cflags value in libknot.pc if built with embedded LMDB #615
    • IXFR doesn't fall back to AXFR if malformed reply
    • DNSSEC events not correctly scheduled for empty zone updates
    • During algorithm rollover old keys get removed before DS TTL expires #617
    • Maximum zone's RRSIG TTL not considered during algorithm rollover #620


  • v2.7.3 protected   Knot DNS 2.7.3

    Knot DNS 2.7.3 (2018-10-11)

    Features:

    • New queryacl module for query access control
    • Configurable answer rrset rotation #612
    • Configurable NSEC bitmap in online signing

    Improvements:

    • Better error logging for KASP DB operations #601
    • Some documentation improvements

    Bugfixes:

    • Keymgr "list" output doesn't show key size for ECDSA algorithms #602
    • Failed to link statically with embedded LMDB
    • Configuration commit causes zone reload for all zones
    • The statistics module overlooks TSIG record in a request
    • Improper processing of an AXFR-style-IXFR response consisting of one-record messages
    • Race condition in online signing during key rollover #600
    • Server can crash if geoip module is enabled in the geo mode


  • v2.7.2 protected   Knot DNS 2.7.2

    Knot DNS 2.7.2 (2018-08-29)

    Improvements:

    • Keymgr list command displays also key size
    • Kjournalprint displays total occupied size in the debug mode
    • Server doesn't stop if failed to load a shared module from the module directory
    • Libraries libcap-ng, pthread, and dl are linked selectively if needed

    Bugfixes:

    • Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
    • Server can crash when loading zone file difference and zone-in-journal is set
    • Incorrect treatment of specific queries in the module RRL
    • Failed to link module Cookies as a shared library


  • v2.7.1 protected   Knot DNS 2.7.1

    Knot DNS 2.7.1 (2018-08-14)

    Improvements:

    • Added zone wire size information to zone loading log message
    • Added debug log message for each unsuccessful remote address operation
    • Various improvements for packaging

    Bugfixes:

    • Incompatible handling of RRSIG TTL value when creating a DNS message
    • Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
    • Default configure prefix is ignored


  • v2.6.9 protected   Knot DNS 2.6.9

    Knot DNS 2.6.9 (2018-08-14)

    Improvements:

    • Added zone wire size to zone loading log message
    • Added debug log message for each unsuccessful remote address operation

    Bugfixes:

    • Zone not flushed after re-signing during zone load #594
    • Server crashes when committing empty zone transaction
    • Incoming IXFR with on-slave signing sometimes leads to memory corruption #595


  • v2.7.0 protected   Knot DNS 2.7.0
    4a97d9f4 · NEWS: fix formatting

    Knot DNS 2.7.0 (2018-08-03)

    Features:

    • New DNS Cookies module and related '+cookie' kdig option
    • New module for response tailoring according to client's subnet or geographic location
    • General EDNS Client Subnet support in the server
    • OSS-Fuzz integration (Thanks to Jonathan Foote)
    • New '+ednsopt' kdig option (Thanks to Jan Včelák)
    • Online Signing support for automatic key rollover
    • Non-normal file (e.g. pipe) loading support in zscanner #542
    • Automatic SOA serial incrementation if non-empty zone difference
    • New zone file load option for ignoring zone file's SOA serial
    • New build-time option for alternative malloc specification
    • Structured logging for DNSSEC key submission event
    • Empty QNAME support in kdig

    Improvements:

    • Various library and server optimizations
    • Reduced memory consumption of outgoing IXFR processing
    • Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
    • Online Signing properly signs delegations and CNAME records
    • CDS/CDNSKEY rrset is signed with KSK instead of ZSK
    • DNSSEC-related records are ignored when loading zone difference with signing enabled
    • Minimum allowed RSA key length was increased to 1024
    • Removed explicit dependency on Nettle

    Bugfixes:

    • Possible uninitialized address buffer use in zscanner
    • Possible index overflow during multiline record parsing in zscanner
    • kdig +tls sometimes consumes 100 % CPU #561
    • Single-Type Signing doesn't work with single ZSK key #566
    • Zone not flushed after re-signing during zone load #594
    • Server crashes when committing empty zone transaction
    • Incoming IXFR with on-slave signing sometimes leads to memory corruption #595

    Compatibility:

    • Removed obsolete RRL configuration
    • Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
    • Removed obsolete 'ixfr-from-differences' configuration option
    • Removed old journal migration
    • Removed module rosedb


  • v2.6.8 protected   Knot DNS 2.6.8

    Knot DNS 2.6.8 (2018-07-10)

    Features:

    • New 'import-pkcs11' command in keymgr

    Improvements:

    • Unixtime serial policy mimics Bind – increment if lower #593

    Bugfixes:

    • Creeping memory consumption upon server reload #584
    • Kdig incorrectly detects QNAME if 'notify' is a prefix
    • Server crashes when zone sign fails #587
    • CSK->KZSK rollover retires CSK early #588
    • Server crashes when zone expires during outgoing multi-message transfer
    • Kjournalprint doesn't convert zone name argument to lower-case
    • Cannot switch to a previously used ksk-shared dnssec policy #589


  • v2.6.7 protected   Knot DNS 2.6.7

    Knot DNS 2.6.7 (2018-05-17)

    Features:

    • Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to Wolfgang Jung)

    Improvements:

    • Trailing data indication from the packet parser (libknot)
    • Better configuration check for a problematical option combination

    Bugfixes:

    • Incomplete configuration option item name check
    • Possible buffer overflow in 'knot_dname_to_str' (libknot)
    • Module dnsproxy doesn't preserve letter case of QNAME
    • Module dnsproxy duplicates OPT and TSIG in the non-fallback mode


  • v2.6.6 protected   Knot DNS 2.6.6

    Knot DNS 2.6.6 (2018-04-11)

    Features:

    • New EDNS option counters in the statistics module
    • New '+orphan' filter for the 'zone-purge' operation

    Improvements:

    • Reduced memory consumption of disabled statistics metrics
    • Some spelling fixes (Thanks to Daniel Kahn Gillmor)
    • Server no longer fails to start if MODULE_DIR doesn't exist
    • Configuration include doesn't fail if empty wildcard match
    • Added a configuration check for a problematical option combination

    Bugfixes:

    • NSEC3 chain not re-created when SOA minimum TTL changed
    • Failed to start server if no template is configured
    • Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
    • Inaccurate outgoing zone transfer size in the log message
    • Invalid dname compression if empty question section
    • Missing EDNS in EMALF responses


  • v2.6.5 protected   Knot DNS 2.6.5

    Knot DNS 2.6.5 (2018-02-12)

    Features:

    • New 'zone-notify' command in knotc
    • Kdig uses '@server' as a hostname for TLS authentication if '+tls-ca' is set

    Improvements:

    • Better heap memory trimming for zone operations
    • Added proper polling for TLS operations in kdig
    • Configuration export uses stdout as a default output
    • Simplified detection of atomic operations
    • Added '--disable-modules' configure option
    • Small documentation updates

    Bugfixes:

    • Zone retransfer doesn't work well if more masters configured
    • Kdig can leak or double free memory in corner cases
    • Inconsistent error outputs from dynamic configuration operations
    • Failed to generate documentation on OpenBSD


  • v2.6.4 protected   Knot DNS 2.6.4

    Knot DNS 2.6.4 (2018-01-02)

    Features:

    • Module synthrecord allows multiple 'network' specification
    • New CSK handling support in keymgr

    Improvements:

    • Allowed configuration for infinite zsk lifetime
    • Increased performance and security of the module synthrecord
    • Signing changeset is stored into journal even if 'zonefile-load' is whole

    Bugfixes:

    • Unintentional zone re-sign during reload if empty NSEC3 salt
    • Inconsistent zone names in journald structured logs
    • Malformed outgoing transfer for big zone with TSIG
    • Some minor DNSSEC-related issues


  • v2.5.7 protected   Knot DNS 2.5.7

    Knot DNS 2.5.7 (2018-01-02)

    Bugfixes:

    • Unintentional zone re-sign during reload if empty NSEC3 salt
    • Inconsistent zone names in journald structured logs
    • Malformed outgoing transfer for big zone with TSIG
    • Unexpected reply for DS query with an owner below a delegation point
    • Old dependencies in the pkg-config file


  • v2.6.3 protected   Knot DNS 2.6.3

    Knot DNS 2.6.3 (2017-11-24)

    Bugfixes:

    • Wrong detection of signing scheme rollover


  • v2.6.2 protected   Knot DNS 2.6.2

    Knot DNS 2.6.2 (2017-11-23)

    Features:

    • CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support

    Improvements:

    • Allowed explicit configuration for infinite ksk lifetime
    • Proper error messages instead of unclear error codes in server log
    • Better support for old compilers

    Bugfixes:

    • Unexpected reply for DS query with an owner below a delegation point
    • Old dependencies in the pkg-config file
