NEWS

 - Possible buffer overflow in 'knot_dname_to_str' (libknot)
 - Module dnsproxy doesn't preserve letter case of QNAME
 - Module dnsproxy duplicates OPT and TSIG in the non-fallback mode

Knot DNS 2.6.6 (2018-04-11)
===========================

Features:
---------
 - New EDNS option counters in the statistics module
 - New '+orphan' filter for the 'zone-purge' operation

Improvements:
-------------
 - Reduced memory consumption of disabled statistics metrics
 - Some spelling fixes (Thanks to Daniel Kahn Gillmor)
 - Server no longer fails to start if MODULE_DIR doesn't exist
 - Configuration include doesn't fail if empty wildcard match
 - Added a configuration check for a problematical option combination

Bugfixes:
---------
 - NSEC3 chain not re-created when SOA minimum TTL changed
 - Failed to start server if no template is configured
 - Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
 - Inaccurate outgoing zone transfer size in the log message
 - Invalid dname compression if empty question section
 - Missing EDNS in EMALF responses

Knot DNS 2.6.5 (2018-02-12)
===========================

Features:
---------
 - New 'zone-notify' command in knotc
 - Kdig uses '@server' as a hostname for TLS authentication if '+tls-ca' is set

Improvements:
-------------
 - Better heap memory trimming for zone operations
 - Added proper polling for TLS operations in kdig
 - Configuration export uses stdout as a default output
 - Simplified detection of atomic operations
 - Added '--disable-modules' configure option
 - Small documentation updates

Bugfixes:
---------
 - Zone retransfer doesn't work well if more masters configured
 - Kdig can leak or double free memory in corner cases
 - Inconsistent error outputs from dynamic configuration operations
 - Failed to generate documentation on OpenBSD

Knot DNS 2.6.4 (2018-01-02)
===========================

Features:
---------
 - Module synthrecord allows multiple 'network' specification
 - New CSK handling support in keymgr

Improvements:
-------------
 - Allowed configuration for infinite zsk lifetime
 - Increased performance and security of the module synthrecord
 - Signing changeset is stored into journal even if 'zonefile-load' is whole

Bugfixes:
---------
 - Unintentional zone re-sign during reload if empty NSEC3 salt
 - Inconsistent zone names in journald structured logs
 - Malformed outgoing transfer for big zone with TSIG
 - Some minor DNSSEC-related issues

Knot DNS 2.6.3 (2017-11-24)
===========================

Bugfixes:
---------
 - Wrong detection of signing scheme rollover

Knot DNS 2.6.2 (2017-11-23)
===========================

Features:
---------
 - CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support

Improvements:
-------------
 - Allowed explicit configuration for infinite ksk lifetime
 - Proper error messages instead of unclear error codes in server log
 - Better support for old compilers

Bugfixes:
---------
 - Unexpected reply for DS query with an owner below a delegation point
 - Old dependencies in the pkg-config file

Knot DNS 2.6.1 (2017-11-02)
===========================

Features:
---------
 - NSEC3 Opt-Out support in the DNSSEC signing
 - New CDS/CDNSKEY publish configuration option

Improvements:
-------------
 - Simplified DNSSEC log message with DNSKEY details
 - +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
 - New documentation sections for DNSSEC key rollovers and shared keys
 - Keymgr no longer prints useless algorithm number for generated key
 - Kdig prints unknown RCODE in a numeric format
 - Better support for LLVM libFuzzer

Bugfixes:
---------
 - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
 - Immediate zone flush not scheduled during the zone load event
 - Server crashes upon dynamic zone addition if a query module is loaded
 - Kdig fails to connect over TLS due to SNI is set to server IP address
 - Possible out-of-bounds memory access at the end of the input
 - TCP Fast Open enabled by default in kdig breaks TLS connection

Knot DNS 2.6.0 (2017-09-29)
===========================

Features:
---------
 - On-slave (inline) signing support
 - Automatic DNSSEC key algorithm rollover
 - Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
 - New 'journal-content' and 'zonefile-load' configuration options
 - keymgr tries to run as user/group set in the configuration
 - Public-only DNSSEC key import into KASP DB via keymgr
 - NSEC3 resalt and parent DS query events are persistent in timer DB
 - New processing state for a response suppression within a query module
 - Enabled server side TCP Fast Open if supported
 - TCP Fast Open support in kdig

Improvements:
-------------
 - Better record owner compression if related to the previous rdata dname
 - NSEC(3) chain is no longer recomputed whole on every update
 - Remove inconsistent and unnecessary quoting in log files
 - Avoiding of overlapping key rollovers at a time
 - More DNSSEC-related semantic checks
 - Extended timestamp format in keymgr

Bugfixes:
---------
 - Incorrect journal free space computation causing inefficient space handling
 - Interface-automatic broken on Linux in the presence of asymmetric routing

Knot DNS 2.5.7 (2018-01-02)
===========================

Bugfixes:
---------
 - Unintentional zone re-sign during reload if empty NSEC3 salt
 - Inconsistent zone names in journald structured logs
 - Malformed outgoing transfer for big zone with TSIG
 - Unexpected reply for DS query with an owner below a delegation point
 - Old dependencies in the pkg-config file

Knot DNS 2.5.6 (2017-11-02)
===========================

Improvements:
-------------
 - Keymgr no longer prints useless algorithm number for generated key

Bugfixes:
---------
 - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
 - Immediate zone flush not scheduled during the zone load event
 - Server crashes upon dynamic zone addition if a query module is loaded
 - Kdig fails to connect over TLS due to SNI is set to server IP address

Knot DNS 2.5.5 (2017-09-29)
===========================

Improvements:
-------------
 - Constant time memory comparison in the TSIG processing
 - Proper use of the ctype functions
 - Generated RRSIG records have inception time 90 minutes in the past

Bugfixes:
---------
 - Incorrect online signature for NSEC in the case of a CNAME record
 - Incorrect timestamps in dnstap records
 - EDNS Subnet Client validation rejects valid payloads
 - Module configuration semantic checks are not executed
 - Kzonecheck segfaults with unusual inputs

Knot DNS 2.5.4 (2017-08-31)
===========================

Improvements:
-------------
 - New minimum and maximum refresh interval config options (Thanks to Manabu Sonoda)
 - New warning when unforced flush with disabled zone file synchronization
 - New 'dnskey' keymgr command
 - Linking with libatomic on architectures that require it (Thanks to Pierre-Olivier Mercier)
 - Removed 'OK' from listing keymgr command outputs
 - Extended journal and keymgr documentation and logging

Bugfixes:
---------
 - Incorrect handling of specific corner-cases with zone-in-journal
 - The 'share' keymgr command doesn't work
 - Server crashes if configured with query-size and reply-size statistics options
 - Malformed big integer configuration values on some 32-bit platforms
 - Keymgr uses local time when parsing date inputs
 - Memory leak in kdig upon IXFR query

Knot DNS 2.5.3 (2017-07-14)
===========================

Features:
---------
 - CSK rollover support for Single-Type Signing Scheme

Improvements:
-------------
 - Allowed binding to non-local addresses for TCP (Thanks to Julian Brost!)
 - New documentation section for manual DNSSEC key algorithm rollover
 - Initial KSK also generated in the submission state
 - The 'ds' keymgr command with no parameter uses all KSK keys
 - New debug mode in kjournalprint
 - Updated keymgr documentation

Bugfixes:
---------
 - Sometimes missing RRSIG by KSK in submission state.
 - Minor DNSSEC-related issues

Knot DNS 2.5.2 (2017-06-23)
===========================

Security:
---------
 - CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)

Improvements:
-------------
 - Extended debug logging for TSIG errors
 - Better error message for unknown module section in the configuration
 - Module documentation compilation no longer depends on module configuration
 - Extended policy section configuration semantic checks
 - Improved python version compatibility in pykeymgr
 - Extended migration section in the documentation
 - Improved DNSSEC event timing on 32-bit systems
 - New KSK rollover start log info message
 - NULL qtype support in kdig

Bugfixes:
---------
 - Failed to process included configuration
 - dnskey_ttl policy option in the configuration has no effect on DNSKEY TTL
 - Corner case journal fixes (huge changesets, OpenWRT operation)
 - Confusing event timestamps in knotc zone-status output
 - NSEC/NSEC3 bitmap not updated for CDS/CDNSKEY
 - CDS/CDNSKEY RRSIG not updated

Knot DNS 2.5.1 (2017-06-07)
===========================

Bugfixes:
---------
 - pykeymgr no longer crash on empty json files in the KASP DB directory
 - pykeymgr no longer imports keys in the "removed" state
 - Imported keys in the "removed" state no longer makes knotd to crash
 - Including an empty configuration directory no longer makes knotd to crash
 - pykeymgr is distributed and installed to the distribution tarball

Knot DNS 2.5.0 (2017-06-05)
===========================

Features:
---------
 - KASP database switched from JSON files to LMDB database
 - KSK rollover support using CDNSKEY and CDS in the automatic DNSSEC signing
 - Dynamic module loading support with proper module API
 - Journal can store full zone contents (not only differences)
 - Zone freeze/thaw support
 - Updated knotc zone-status output with optional column filters
 - New '[no]crypto' option in kdig
 - New keymgr implementation reflecting KASP database changes
 - New pykeymgr for JSON-based KASP database migration
 - Removed obsolete knot1to2 utility

Improvements:
-------------
 - Added libidn2 support to kdig (with libidn fallback)
 - Maximum timer database switched from configure to the server configuration

Knot DNS 2.4.4 (2017-06-05)
===========================

Improvements:
-------------
 - Improved error handling in kjournalprint

Bugfixes:
---------
 - Zone flush not replanned upon unsuccessful flush
 - Journal inconsistency after deleting deleted zone
 - Zone events not rescheduled upon server reload (Thanks to Mark Warren)
 - Unreliable LMDB mapsize detection in kjournalprint
 - Some minor issues found by AddressSanitizer

Knot DNS 2.4.3 (2017-04-11)
===========================

Improvements:
-------------
 - New 'journal-db-mode' optimization configuration option
 - The default TSIG algorithm for utilities input is HMAC-SHA256
 - Implemented sensible default EDNS(0) padding policy (Thanks to D. K. Gillmor)
 - Added some more semantic checks on the knotc configuration operations

Bugfixes:
---------
 - Missing 'zone' keyword in the YAML output
 - Missing trailing dot in the keymgr DS owner output
 - Journal logs 'invalid parameter' in several cases
 - Some minor journal-related problems

Knot DNS 2.4.2 (2017-03-23)
===========================

Features:
---------
 - Zscanner can store record comments placed on the same line
 - Knotc status extension with version, configure, and workers parameters

Improvements:
-------------
 - Significant incoming XFR speed-up in the case of many zones

Bugfixes:
---------
 - Double OPT RR insertion when a global module returns KNOT_STATE_FAIL
 - User-driven zscanner parsing logic inconsistency
 - Lower serial at master doesn't trigger any errors
 - Queries with too long DNAME substitution do not return YXDOMAIN response
 - Incorrect elapsed time in the DDNS log
 - Failed to process forwarded DDNS request with TSIG

Knot DNS 2.4.1 (2017-02-10)
===========================

Improvements:
-------------
 - Speed-up of rdata addition into a huge rrset
 - Introduce check of minimum timeout for next refresh
 - Dnsproxy module can forward all queries without local resolving

Bugfixes:
--------
 - Transfer of a huge rrset goes into an infinite loop
 - Huge response over TCP contains useless TC bit instead of SERVFAIL
 - Failed to build utilities with disabled daemon
 - Memory leaks during keys removal
 - Rough TSIG packet reservation causes early truncation
 - Minor out-of-bounds string termination write in rrset dump
 - Server crash during stop if failed to open timers DB
 - Failed to compile on OS X older than Sierra
 - Poor minimum UDP-max-size configuration check
 - Failed to receive one-record-per-message IXFR-style AXFR
 - Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message

Knot DNS 2.4.0 (2017-01-18)
===========================

Bugfixes:
--------
 - False positive semantic-check warning about invalid bitmap in NSEC
 - Unnecessary SOA queries upon notify with up to date serial
 - Timers for expired zones are reset on reload
 - Zone doesn't expire when the server is down
 - Failed to handle keys with duplicate keytags
 - Per zone module and global module inconsistency
 - Obsolete online signing module configuration
 - Malformed output from kjournalprint
 - Redundant SO_REUSEPORT activation on the TCP socket
 - Failed to use higher number of background workers

Improvements:
-------------
 - Lower memory consumption with qp-trie
 - Zone events and zone timers improvements
 - Print all zone names in the FQDN format
 - Simplified query module interface
 - Shared TCP connection between SOA query and transfer
 - Response Rate Limiting as a module with statistics support
 - Key filters in keymgr

Features:
---------
 - New unified LMDB-based zone journal
 - Server statistics support
 - New statistics module for traffic measuring
 - Automatic deletion of retired DNSSEC keys
 - New control logging category

Knot DNS 2.3.4 (2017-11-20)
===========================

Security:
---------
 - CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)

Bugfixes:
---------
 - Unexpected response for DS query below delegation poing
 - Zone events not rescheduled upon server reload (Thanks to Mark Warren)
 - Missing trailing dot in the keymgr DS owner output
 - Malformed output from kjournalprint
 - Redundant SO_REUSEPORT activation on the TCP socket

Knot DNS 2.3.3 (2016-12-08)
===========================

Bugfixes:
---------
 - Double free when failed to apply zone journal
 - Zone bootstrap retry interval not preserved upon zone reload
 - DNSSEC related records not flushed if not signed
 - False semantic checks warning about incorrect type in NSEC bitmap
 - Memory leak in kzonecheck

Improvements:
-------------
 - All zone names are fully-qualified in log

Features:
---------
 - New kjournalprint utility

Knot DNS 2.3.2 (2016-11-04)
===========================

Bugfixes:
---------
 - Incorrect %s expansion for the root zone
 - Failed to refresh not existing slave zone after restart
 - Immediate zone refresh upon restart if refresh already scheduled
 - Early zone transfer after restart if transfer already scheduled
 - Not ignoring empty non-terminal parents during delegation lookup
 - CD bit preservation in responses
 - Compilation error on GNU/kFreeBSD
 - Server crash after double zone-commit if journal error

Improvements:
-------------
 - Speed-up of knotc if control operation and known socket
 - Zone purge operation purges also zone timers

Features:
---------
 - Simple modules don't require empty configuration section
 - New zone journal path configuration option
 - New timeout configuration option for module dnsproxy

Knot DNS 2.3.1 (2016-10-07)
===========================

Bugfixes:
---------
 - Missing glue records in some responses
 - Knsupdate prompt printing on non-terminal
 - Mismatch between configuration policy item names and documentation
 - Segfault on OS X (Sierra)

Improvements:
-------------
 - Significant speed-up of conf-commit and conf-diff operations (in most cases)
 - New EDNS Client Subnet libknot API
 - Better semantic-checks error messages

Features:
---------
 - Print TLS certificate hierarchy in kdig verbose mode
 - New +subnet alias for +client
 - New mod-whoami and mod-noudp modules
 - New zone-purge control command
 - New log-queries and log-responses options for mod-dnstap

Knot DNS 2.3.0 (2016-08-09)
===========================

Bugfixes:
---------
 - No wildcard expansion below empty non-terminal for NSEC signed zone
 - Avoid multiple loads of the same PKCS #11 module
 - Fix kdig IXFR response processing if the transfer content is empty
 - Don't ignore non-existing records to be removed in IXFR

Improvements:
-------------
 - Refactored semantic checks and improved error messages
 - Set TC flag in delegation only if mandatory glue doesn't fit the response
 - Separate EDNS(0) payload size configuration for IPv4 and IPv6

Features:
---------
 - DNSSEC policy can be defined in server configuration
 - Automatic NSEC3 resalt according to DNSSEC policy
 - Zone content editing using control interface
 - Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
 - DNS-over-TLS support in kdig (RFC 7858)
 - EDNS(0) padding and alignment support in kdig (RFC 7830)

Knot DNS 2.2.1 (2016-05-24)
===========================

Bugfixes:
---------
 - Fix separate logging of server and zone events
 - Fix concurrent zone file flushing with many zones
 - Fix possible server crash with empty hostname on OpenWRT
 - Fix control timeout parsing in knotc
 - Fix "Environment maxreaders limit reached" error in knotc
 - Don't apply journal changes on modified zone file
 - Remove broken LTO option from configure script
 - Enable multiple zone names completion in interactive knotc
 - Set the TC flag in a response if a glue doesn't fit the response
 - Disallow server reload when there is an active configuration transaction

Improvements:
-------------
 - Distinguish unavailable zones from zones with zero serial in log messages
 - Log warning and error messages to standard error output in all utilities
 - Document tested PKCS #11 devices
 - Extended Python configuration interface

Knot DNS 2.2.0 (2016-04-26)
===========================

Bugfixes:
---------
 - Fix build dependencies on FreeBSD
 - Fix query/response message type setting in dnstap module
 - Fix remote address retrieval from dnstap capture in kdig
 - Fix global modules execution for queries hitting existing zones
 - Fix execution of semantic checks after an IXFR transfer
 - Fix PKCS#11 support detection at build time
 - Fix kdig failure when the first AXFR message contains just the SOA record
 - Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
 - Mark PKCS#11 generated keys as sensitive (required by Luna SA)
 - Fix error when removing the only zone from the server
 - Don't abort knotc transaction when some check fails

Features:
---------
 - URI and CAA resource record types support
 - RRL client address based white list
 - knotc interactive mode

Improvements:
-------------
 - Consistent IXFR error messages
 - Various fixes for better compatibility with PKCS#11 devices
 - Various keymgr user interface improvements
 - Better zone event scheduler performance with many zones
 - New server control interface
 - kdig uses local resolver if resolv.conf is empty

Knot DNS 2.1.1 (2016-02-10)
===========================

Bugfixes:
---------
 - DNSSEC: Allow import of duplicate private key into the KASP
 - DNSSEC: Avoid duplicate NSEC for Wildcard No Data answer
 - Fix server crash when an incoming transfer is in progress and reload is issued
 - Fix socket polling when configured with many interfaces and threads
 - Fix compilation against Nettle 3.2

Improvements:
-------------
 - Select correct source address for UDP messages received on ANY address
 - Extend documentation of knotc commands

Knot DNS 2.1.0 (2016-01-14)
===========================

Features:
---------
 - Per-thread UDP socket binding using SO_REUSEPORT on Linux
 - Support for dynamic configuration database
 - DNSSEC: Support for cryptographic tokens via PKCS #11 interface
 - DNSSEC: Experimental support for online signing

Improvements:
-------------
 - Support for zone file name patterns
 - Configurable location of zone timer database
 - Non-blocking network operations and better timeout handling
 - Caching of Critical configuration values for better performance
 - Logging of ACL failures
 - RRL: Add rate-limit-slip zero support to drop all responses
 - RRL: Document behavior for different rate-limit-slip options
 - kdig: Warning instead of error on TSIG validation failure
 - Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
 - Remove possibly insecure server control over a network socket
 - Remove implementation limit for the number of network interfaces

Bugfixes:
---------
 - synth-record module: Fix application of default configuration options
 - TSIG: Allow compressed TSIG name when forwarding DDNS updates
 - Schedule zone bootstrap after slave zone fails to load from disk

Knot DNS 2.0.2 (2015-11-24)
===========================

Bugfixes:
---------
 - Out-of-bound read in packet parser for malformed NAPTR records (LibFuzzer)

Knot DNS 2.0.1 (2015-09-02)
===========================

Bugfixes:
---------
 - Do not reload expired zones on 'knotc reload' and server startup
 - Fix rare race-condition in event scheduling causing delayed event execution
 - Fix skipping of non-authoritative nodes in NSEC proofs
 - Fix TC flag setting in RRL slipped answers
 - Disable domain name compression for root label
 - Log via journald only when running under systemd
 - Fix CNAME following when querying for NSEC RR type
 - Fix refreshing of DNSSEC signatures for zone keys
 - Fix binding an unavailable IPv6 address on Linux (IP_FREEBIND)
 - Fix infinite loop in knotc zonestatus and memstats
 - Fix memory leak in configuration on server shutdown
 - Fix broken dnsproxy module
 - Fix DNSSEC KASP timestamps parsing in strict POSIX environment
 - Fix multi value parsing on big-endian
 - Adapt to Nettle 3 API break causing base64 decoding failures on big-endian

Features:
---------
 - Add 'keymgr zone key ds' to show key's DS record
 - Add 'keymgr tsig generate' to generate TSIG keys
 - Add query module scoping to process either all queries or zone queries only
 - Add support for file name globbing in config file includes
 - Add 'request-edns-option' config option to add custom EDNS0 option into
   server initiated queries

Improvements:
-------------
 - Send minimal responses (remove NS from Authority section for NOERROR)
 - Update persistent timers only on shutdown for better performance
 - Allow change of RR TTL over DDNS
 - Documentation fixes, updates, and improvements in formatting
 - Install yparser and zscanner header files
 - Improve lookup of libsystemd build dependencies
 - Fix compilation warnings in endian conversion functions on OpenBSD

Knot DNS 2.0.0 (2015-06-26)
===========================

Bugfixes:
---------
 - Fix lost NOTIFY message if received during zone transfer
 - Disable fast zone parser when compiled in Clang (workaround for Clang bug)
 - kdig: Record correct dnstap SocketProtocol when retrying over TCP
 - kdig: Hide TSIG section with +noall
 - Do not set AA flag for AXFR/IXFR queries

Features:
---------
 - DNSSEC: separate library, switch to GnuTLS, new utilities
 - DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
 - Configuration: New text format in YAML, binary store in LMDB
 - Zone parser: Split long TXT/SPF strings into multiple strings
 - kdig: Add generic dump style option (+generic)
 - Try all master servers in multi-master environment
 - Improved remotes and ACLs (multiple addresses, multiple keys)
 - Basic support for zone file patterns (%s to substitute zone name)
 - Disable zone file synchronization by setting 'zonefile_sync' to '-1'
 - knsupdate: Add input prompt in interactive mode and 'quit' command
 - knsupdate: Allow TSIG algorithm specification in interactive prompt

Improvements:
-------------
 - Zone dump: Do not write class for SOA record (unified with other RR types)
 - Zone dump: Do not write master server address into the zone file
 - Documentation: Manual pages are included in HTML and PDF

Knot DNS 1.6.3 (2015-04-08)
===========================

Bugfixes:
---------
 - Performance drop for NSEC-signed zones
 - Proper handling of TCP short-writes
 - Out-of-bound read in zone parser for long domain names in origin (AFL fuzzer)
 - Out-of-bound read in packet parser for TSIG RR without RDATA (AFL fuzzer)
 - Out-of-bound read in packet parser for malformed NAPTR RR (AFL fuzzer)

Features:
--------
 - CDS and CDNSKEY support in zone parser

Improvements:
-------------
 - Add defaults for TCP config options into documentation
 - Detailed error message if zone reload fails

Knot DNS 1.6.2 (2015-02-19)
===========================

Features:
---------
 - Limiting number of parallel TCP clients (max-tcp-clients config option)

Bugfixes:
---------
 - Ignore refresh and transfer events on non-slave zones
 - Compilation with Dnstap support on FreeBSD
 - Possible file descriptor leak when terminating inactive TCP clients

Knot DNS 1.6.1 (2014-12-13)
===========================

Bugfixes:
---------
 - Journal file would sometimes outgrow its limit (ixfr-fslimit in configuration)
 - Fixed incompatibility with OpenSSL 0.9.8
 - Proper handling when hostname cannot be retrieved (for NSID and CH)

Features:
---------
 - DNSSEC Single Type Signing Scheme is now supported

Knot DNS 1.6.0 (2014-10-23)
===========================

Bugfixes:
---------
 - Fix zone expiration when AXFR/IXFR is being refused by master
 - Fix forced zone refresh on slave (knotc refresh -f)

Knot DNS 1.6.0-rc2 (2014-10-17)
===============================

Improvements:
-------------
 - Maximal size of persistent timers database increased from 10 MB to 100 MB
 - Added logging of persistent timers database errors

Bugfixes:
---------
 - Persistent timers database opening after privileges has been dropped

Knot DNS 1.6.0-rc1 (2014-10-13)
===============================

Features:
---------
 - Persistent timers for slave zones (expire, refresh, and flush)

Bugfixes:
---------
 - DNSSEC: RFC compliant processing of letter case in RDATA domain names
 - EDNS: Return minimal error response for queries with unsupported version
 - EDNS: Fix interpretation of Extended RCODE

Knot DNS 1.5.3 (2014-09-15)
===========================

Bugfixes:
---------
 - Some specific incoming IXFRs were causing server to crash
 - Rare synchronization error during reload caused read-after-free
 - Response synthetization module did not work properly with DNSSEC-enabled zones
 - When Knot sent AXFR when IXFR was requested, message ID and opcode were wrong
 - Knot failed to send large messages to remote control (present since 1.5.1)

Knot DNS 1.5.2 (2014-09-08)
===========================

Bugfixes:
---------
 - Some RR parsing corner cases were not handled properly
 - AXFR-style IXFR was refused and had to be retransferred
 - Hash character (#) was not properly escaped when storing text zone file

Knot DNS 1.5.1 (2014-08-19)
===========================

Features:
---------
 - Basic support for logging using systemd journal
 - DDNS: Ability to process updates in bulk

Improvements:
-------------
 - Unified logging messages structure
 - DNSSEC: More strict controls for signing keys

Bugfixes:
---------
 - DNSSEC: DNAMEs in RDATA were not lowercased before signing
 - EDNS: OPT RR were not put into responsing for some errors
 - TSIG: DDNS responses were not signed with TSIG
 - DDNS: Prerequisite checks failed for some inputs
 - knsupdate: Zone origin was not used for deletions

Knot DNS 1.5.0 (2014-07-08)
===========================

Features:
---------
 - DDNS forwarding reimplemented

Improvements:
-------------
 - Transfer sizes logged in bytes if needed
 - Logging outgoing NOTIFY messages
 - Logging unauthorized incoming NOTIFYs

Bugfixes:
---------
 - Zone flush planning after bootstrap
 - Incorrect incoming AXFR message sizes
 - DDNS signing changes were freed too soon, possibility of stale data
 - knotc remote control key handling

Knot DNS 1.5.0-rc2 (2014-06-18)
===============================

Features:
---------
 - edns-client-subnet support in kdig
 - Optional asynchronous startup (config "asynchronous-start")

Improvements:
-------------
 - Preempt task queue for faster reload
 - Lazy zone file write after zone transfer (governed by
   "zonefile-sync")

Bugfixes:
---------
 - Close zone transfer after SERVFAIL response
 - Incremental to full zone transfer fallback, wrong log message
 - Zone events corner cases, reload replanning

Knot DNS 1.5.0-rc1 (2014-06-03)
===============================

Features:
---------
 - Pluggable query processing modules
 - Synthetic IPv4/IPv6 reverse/forward records (optional module)
 - dnstap support in both utilities & server (optional module)
 - NOTIFY message support and new TSIG section in kdig
 - Zone transfer master failover

Improvements:
-------------
 - Query processing and core functionality overhaul
 - Performance and reduced memory footprint
 - Faster zone events scheduling
 - RFC compliant queries/responses in some corner cases
 - Log messages
 - New documentation (Sphinx)

Knot DNS 1.4.2 (2014-01-27)
===========================

Bugfixes:
---------
 - AXFR/IXFR compatibility issues with tinydns/axfrdns
 - Journal file is created only when needed
 - Zone-related log messages are logged into correct category
 - DNSSEC: Refresh signatures earlier (3 days before their expiration
    with the default signature lifetime)
 - Fixed RCU synchronization causing deadlock on 'knotc signzone'
 - RRSIG not fitting in the additional records doesn't cause
   truncation

Knot DNS 1.4.1 (2014-01-13)
===========================

Bugfixes:
---------
 - Empty APL record support
 - 'zonestatus' when using immediate zone syncing
 - Immediate zone syncing after reload
 - Race condition writing time values to zone file

Knot DNS 1.4.0 (2014-01-06)
===========================

Features:
---------
 - Zone SERIAL policies (INCREMENT, UNIXTIME)
 - IDN support in Knot utilities
 - DNSSEC: support for GOST algorithm
 - Better logging of automatic DNSSEC events
 - Support for DNSSEC key pre-publication
 - Experimental automatic DNSSEC signing
 - Reduced memory usage

Improvements:
-------------
 - ./configure prints build configuration summary
 - Pretty zone file output (DNSSEC-related data separately)
 - Lower memory consumption
 - config: option 'dnssec-keydir' can be set per zone
 - config: option 'storage' can be set per zone

Bugfixes:
---------
 - AXFR crash with specific packet
 - QNAME case-sensitive since 1.4.0-rc0
 - DNSSEC records over DDNS
 - Semantic check fail in AXFR is only soft-error
 - Journal race condition
 - Notifies are sent immediately
 - Crash in particular additionals processing
 - Race condition in event cancellation
 - Journal corruption after failed transactions
 - DNSSEC: fixed detection of ECDSA support
 - Refactored zone loading
 - Improved journal locking and fixed some race conditions
 - Various fixes in client utilities
 - Fixed memory errors in automatic DNSSEC signing
 - 'dnssec-keydir' doesn't auto-enable signing
 - Fixed rescheduling of zone resigns

Knot DNS 1.3.3 (2013-10-28)
===========================

Bugfixes:
---------
 - Improved zone loading error messages
 - Correct control socket permissions
 - Improved log syntax documentation
 - Fixed wrong assertions in DDNS prerequisites checking
 - Fixed processing of some malformed DNS packets
 - Fixed notify messages being ignored in some cases

Knot DNS 1.3.2 (2013-09-30)
===========================

Bugfixes:
---------
 - Configuration option for EDNS0 max UDP payload.
 - Max UDP payload from EDNS0 affected TCP responses.
 - Fixed build on SLE 10.
 - knotc reload did not close files included from config.

Knot DNS 1.3.1 (2013-08-26)
===========================

Bugfixes:
---------
 - Response with NSID contained extra bytes after reload
 - List of remotes is scanned for longest prefix match
 - Multipacket TSIG signatures for transfers
 - Wrongly parsed TSIG key secret without quotes
 - Removed autoconf checks for extended instruction sets

Knot DNS 1.3.0 (2013-08-05)
===========================

Features:
---------
 - Defaults for CH TXT id.server,version.server (see doc)
 - Much faster bootstrap of many zones
 - --with-configdir option for default config path
 - Reintroduced 'pidfile' config option
 - Utility to estimate memory consumption (see 'knotc memstats')
 - PID file is not created when running on foreground
 - UNIX sockets support for knotc
 - Configurable 'rundir' and 'storage'
 - Faster zone parser
 - Full support for EUI and ILNP resource records
 - Lower memory footprint for large zones
 - No compilation of zones
 - Improved scheduling of zone transfers
 - Logging of serials and timing information for zone transfers
 - Config: 'groups' keyword allowing to create groups of remotes
 - Config: 'include' keyword allowing other file includes
 - Client utilities: kdig, khost, knsupdate
 - Server identification using TXT/CH queries (RFC 4892)
 - Improved build scripts
 - Improved dname compression and performance

Bugfixes: