.gitignore

@@ -45,7 +45,7 @@
 /test-driver
 Makefile
 Makefile.in
-version.h
+/src/lib*/version.h
 
 /samples/knot.sample.conf
 /src/knot/modules/static_modules.h

Knot.files

@@ -23,6 +23,8 @@ src/contrib/files.c
 src/contrib/files.h
 src/contrib/getline.c
 src/contrib/getline.h
+src/contrib/json.c
+src/contrib/json.h
 src/contrib/libbpf/bpf/bpf.c
 src/contrib/libbpf/bpf/bpf.h
 src/contrib/libbpf/bpf/bpf_core_read.h
@@ -64,6 +66,89 @@ src/contrib/libbpf/include/uapi/linux/btf.h
 src/contrib/libbpf/include/uapi/linux/if_link.h
 src/contrib/libbpf/include/uapi/linux/if_xdp.h
 src/contrib/libbpf/include/uapi/linux/netlink.h
+src/contrib/libngtcp2/ngtcp2/crypto/gnutls.c
+src/contrib/libngtcp2/ngtcp2/crypto/shared.c
+src/contrib/libngtcp2/ngtcp2/crypto/shared.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_acktr.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_acktr.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_addr.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_addr.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_balloc.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_balloc.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_bbr.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_bbr.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_bbr2.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_bbr2.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cid.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cid.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conv.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conv.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_err.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_err.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_gaptr.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_gaptr.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_idtr.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_idtr.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_ksl.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_ksl.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_log.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_log.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_macro.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_map.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_map.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_mem.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_mem.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_net.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_objalloc.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_objalloc.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_opl.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_opl.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_path.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_path.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pkt.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pkt.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pmtud.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pmtud.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_ppe.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_ppe.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pq.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pq.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pv.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_pv.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_qlog.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_qlog.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_range.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_range.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rcvry.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_ringbuf.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_ringbuf.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rob.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rob.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rst.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rst.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_str.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_str.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_vec.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_vec.h
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_version.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_window_filter.c
+src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_window_filter.h
+src/contrib/libngtcp2/ngtcp2/ngtcp2.h
+src/contrib/libngtcp2/ngtcp2/ngtcp2_crypto.h
+src/contrib/libngtcp2/ngtcp2/ngtcp2_crypto_gnutls.h
+src/contrib/libngtcp2/ngtcp2/version.h
 src/contrib/macros.h
 src/contrib/mempattern.c
 src/contrib/mempattern.h
@@ -486,6 +571,8 @@ src/utils/common/netio.c
 src/utils/common/netio.h
 src/utils/common/params.c
 src/utils/common/params.h
+src/utils/common/quic.c
+src/utils/common/quic.h
 src/utils/common/resolv.c
 src/utils/common/resolv.h
 src/utils/common/sign.c

configure.ac

@@ -171,6 +171,10 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.3], [
         [AC_DEFINE([HAVE_GNUTLS_MEMSET], [1], [gnutls_memset available])
          gnutls_memset=yes], [gnutls_memset=no])
 
+    AC_CHECK_FUNC([gnutls_early_cipher_get],
+        [AC_DEFINE([HAVE_GNUTLS_QUIC], [1], [gnutls_early_cipher_get available])
+         gnutls_quic=yes], [gnutls_quic=no])
+
     CFLAGS=$save_CFLAGS
     LIBS=$save_LIBS
 ])
@@ -550,6 +554,33 @@ AS_IF([test "$enable_daemon" = "yes" -o "$enable_utilities" = "yes"], [
   libedit_LIBS=
 ])
 
+# QUIC support
+AC_ARG_ENABLE([quic],
+   AS_HELP_STRING([--enable-quic=auto|yes|no], [Support DoQ (needs libngtcp2 = 0.6.0, gnutls >= 3.7.2) [default=auto]]),
+   [], [enable_quic=auto])
+
+AS_CASE([$enable_quic],
+   [auto], [PKG_CHECK_MODULES([libngtcp2], [libngtcp2 = 0.6.0 libngtcp2_crypto_gnutls], [enable_quic=yes], [enable_quic=no])],
+   [yes], [PKG_CHECK_MODULES([libngtcp2], [libngtcp2 = 0.6.0 libngtcp2_crypto_gnutls], [enable_quic=yes],
+             AS_IF([test "$gnutls_quic" = "yes"],
+                [enable_quic=embedded
+                 embedded_libngtcp2_CFLAGS="-I\$(top_srcdir)/src/contrib/libngtcp2 -I\$(top_srcdir)/src/contrib/libngtcp2/ngtcp2/lib"
+                 embedded_libngtcp2_LIBS=$libelf_LIBS
+                 libngtcp2_CFLAGS="-I\$(top_srcdir)/src/contrib/libngtcp2"],
+                [enable_quic=no
+                 AC_MSG_WARN([gnutls >= 3.7.2 is required])]))],
+   [no], [],
+   [*], [AC_MSG_ERROR([Invalid value of --enable-quic.])]
+)
+AM_CONDITIONAL([EMBEDDED_LIBNGTCP2], [test "$enable_quic" = "embedded"])
+AC_SUBST([embedded_libngtcp2_CFLAGS])
+AC_SUBST([embedded_libngtcp2_LIBS])
+AC_SUBST([libngtcp2_CFLAGS])
+AC_SUBST([libngtcp2_LIBS])
+
+AS_IF([test "$enable_quic" != "no"], [
+  AC_DEFINE([LIBNGTCP2], [1], [Define to 1 to enable DoQ support using libngtcp2 and GnuTLS])])
+
 ############################################
 # Dependencies needed for Knot DNS utilities
 ############################################
@@ -779,6 +810,7 @@ result_msg_base="  Knot DNS $VERSION
     Use recvmmsg:           ${enable_recvmmsg}
     Use SO_REUSEPORT(_LB):  ${enable_reuseport}
     XDP support:            ${enable_xdp}
+    DoQ support:            ${enable_quic}
     Socket polling:         ${socket_polling}
     Memory allocator:       ${with_memory_allocator}
     Fast zone parser:       ${enable_fastparser}

distro/common/knot.service

@@ -26,6 +26,7 @@ TemporaryFileSystem=/run:ro /var:ro
 BindPaths=/run/systemd
 RuntimeDirectory=knot
 StateDirectory=knot
+LogsDirectory=knot
 NoNewPrivileges=yes
 
 [Install]

distro/pkg/deb/control

@@ -161,6 +161,28 @@ Description: DNS clients provided with Knot DNS (kdig, knsupdate)
  .
  WARNING: knslookup is not provided as it is considered obsolete.
 
+Package: knot-dnssecutils
+Architecture: any
+Depends:
+ libdnssec8 (= ${binary:Version}),
+ libknot12 (= ${binary:Version}),
+ libzscanner4 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: DNSSEC tools provided with Knot DNS
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package delivers various DNSSEC tools from Knot DNS.
+ .
+  - kzonecheck
+  - kzonesign
+  - knsec3hash
+
 Package: knot-host
 Architecture: any
 Depends:

distro/pkg/deb/copyright

@@ -47,6 +47,11 @@ Copyright: 2013-2015 Alexei Starovoitov <ast@kernel.org>
            2018-2019 Facebook
 License: LGPL-2.1
 
+Files: src/contrib/libngtcp2/*
+Copyright: 2016-2022 ngtcp2 contributors
+           2012-2017 nghttp2 contributors
+License: MIT
+
 Files: src/contrib/openbsd/siphash.*
 Copyright: 2013 Andre Oppermann <andre@FreeBSD.org>
 License: BSD-3-Clause

distro/pkg/deb/knot-dnssecutils.install

+usr/bin/knsec3hash
+usr/bin/kzonecheck
+usr/bin/kzonesign

distro/pkg/deb/knot-dnssecutils.manpages

+usr/share/man/man1/knsec3hash.1
+usr/share/man/man1/kzonecheck.1
+usr/share/man/man1/kzonesign.1

distro/pkg/deb/knot.install

 debian/cz.nic.knotd.conf etc/dbus-1/system.d/
 debian/ufw/knot etc/ufw/applications.d/
 etc/knot/knot.conf
-usr/bin/knsec3hash
-usr/bin/kzonecheck
-usr/bin/kzonesign
 usr/sbin/kcatalogprint
 usr/sbin/keymgr
 usr/sbin/kjournalprint

distro/pkg/deb/knot.manpages

-usr/share/man/man1/knsec3hash.1
-usr/share/man/man1/kzonecheck.1
-usr/share/man/man1/kzonesign.1
 usr/share/man/man5/knot.conf.5
 usr/share/man/man8/kcatalogprint.8
 usr/share/man/man8/keymgr.8

distro/pkg/deb/libknot12.symbols

@@ -64,6 +64,7 @@ libknot.so.12 libknot12 #MINVER#
  knot_edns_cookie_server_generate@Base 3.1.0
  knot_edns_cookie_size@Base 3.1.0
  knot_edns_cookie_write@Base 3.1.0
+ knot_edns_ede_names@Base 3.2.0
  knot_edns_get_ext_rcode@Base 3.1.0
  knot_edns_get_option@Base 3.1.0
  knot_edns_get_options@Base 3.1.0
@@ -145,6 +146,11 @@ libknot.so.12 libknot12 #MINVER#
  knot_strerror@Base 3.1.0
  knot_svcb_param_names@Base 3.1.0
  knot_tcp_cleanup@Base 3.2.0
+ knot_tcp_inbuf_update@Base 3.2.0
+ knot_tcp_outbufs_ack@Base 3.2.0
+ knot_tcp_outbufs_add@Base 3.2.0
+ knot_tcp_outbufs_can_send@Base 3.2.0
+ knot_tcp_outbufs_usage@Base 3.2.0
  knot_tcp_recv@Base 3.2.0
  knot_tcp_reply_data@Base 3.2.0
  knot_tcp_send@Base 3.1.0

distro/pkg/rpm/knot.spec

@@ -110,10 +110,19 @@ included in knot-libs package.
 %package utils
 Summary:	DNS client utilities shipped with the Knot DNS server
 Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
+# Debian package compat
+Provides:	%{name}-dnsutils = %{version}-%{release}
 
 %description utils
 The package contains DNS client utilities shipped with the Knot DNS server.
 
+%package dnssecutils
+Summary:	DNSSEC tools shipped with the Knot DNS server
+Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
+
+%description dnssecutils
+The package contains DNSSEC tools shipped with the Knot DNS server.
+
 %package module-dnstap
 Summary:	dnstap module for Knot DNS
 Requires:	%{name} = %{version}-%{release}
@@ -257,8 +266,6 @@ getent passwd knot >/dev/null || \
 %dir %{_libdir}/knot
 %dir %{_libdir}/knot/modules-*
 %{_unitdir}/knot.service
-%{_bindir}/kzonecheck
-%{_bindir}/kzonesign
 %{_sbindir}/kcatalogprint
 %{_sbindir}/kjournalprint
 %{_sbindir}/keymgr
@@ -267,8 +274,6 @@ getent passwd knot >/dev/null || \
 %if 0%{?suse_version}
 %{_sbindir}/rcknot
 %endif
-%{_mandir}/man1/kzonecheck.*
-%{_mandir}/man1/kzonesign.*
 %{_mandir}/man5/knot.conf.*
 %{_mandir}/man8/kcatalogprint.*
 %{_mandir}/man8/kjournalprint.*
@@ -280,7 +285,6 @@ getent passwd knot >/dev/null || \
 %files utils
 %{_bindir}/kdig
 %{_bindir}/khost
-%{_bindir}/knsec3hash
 %{_bindir}/knsupdate
 %if 0%{?use_xdp}
 %{_sbindir}/kxdpgun
@@ -288,9 +292,16 @@ getent passwd knot >/dev/null || \
 %endif
 %{_mandir}/man1/kdig.*
 %{_mandir}/man1/khost.*
-%{_mandir}/man1/knsec3hash.*
 %{_mandir}/man1/knsupdate.*
 
+%files dnssecutils
+%{_bindir}/knsec3hash
+%{_bindir}/kzonecheck
+%{_bindir}/kzonesign
+%{_mandir}/man1/knsec3hash.*
+%{_mandir}/man1/kzonecheck.*
+%{_mandir}/man1/kzonesign.*
+
 %files module-dnstap
 %{_libdir}/knot/modules-*/dnstap.so
 

doc/configuration.rst

@@ -138,16 +138,8 @@ the given request is applied and the remaining rules are ignored. Some examples:
       - domain: acl2.example.com
         acl: [deny_all, key_rule]          # Allow with the TSIG except for the subnet
 
-For dynamic DNS updates, additional conditions may be specified for more granular
-filtering. Example::
-
-    acl:
-        - id: owner_type_rule
-          action: update
-          update-type: [A, AAAA, MX]             # Updated records must match one of the specified types
-          update-owner: name                     # Updated record owners are restricted by the next conditions
-          update-owner-match: equal              # The record owner must exactly match one name from the next list
-          update-owner-name: [a, b.example.com.] # Note that non-FQDN names are relative to the effective zone name
+In the case of dynamic DNS updates, some additional conditions may be specified
+for more granular filtering. See more in the section :ref:`Restricting dynamic updates`.
 
 .. NOTE::
    If more conditions (address ranges and/or a key)
@@ -289,6 +281,86 @@ processed::
       - domain: example.com
         acl: update_acl
 
+.. _Restricting dynamic updates:
+
+Restricting dynamic updates
+---------------------------
+
+There are several additional ACL options for dynamic DNS updates which affect
+the request classification based on the update contents.
+
+Updates can be restricted to specific resource record types::
+
+    acl:
+      - id: type_rule
+        action: update
+        update-type: [A, AAAA, MX]    # Updated records must match one of the specified types
+
+Another possibility is restriction on the owner name of updated records. The option
+:ref:`acl_update-owner` is used to select the source of domain
+names which are used for the comparison. And the option :ref:`acl_update-owner-match`
+specifies the required relation between the record owner and the reference domain
+names. Example::
+
+    acl:
+      - id: owner_rule1
+        action: update
+        update-owner: name             # Updated record owners are restricted by the next conditions
+        update-owner-match: equal      # The record owner must exactly match one name from the next list
+        update-owner-name: [foo, bar.] # Reference domain names
+
+.. NOTE::
+   If the specified owner name is non-FQDN (e.g. ``foo``), it's considered relatively
+   to the effective zone name. So it can apply to more zones
+   (e.g. ``foo.example.com.`` or ``foo.example.net.``). Alternatively, if the
+   name is FQDN (e.g. ``bar.``), the rule only applies to this name.
+
+If the reference domain name is the zone name, the following variant can be used::
+
+    acl:
+      - id: owner_rule2
+        action: update
+        update-owner: zone            # The reference name is the zone name
+        update-owner-match: sub       # Any record owner matches except for the zone name itself
+
+    template:
+      - id: default
+        acl: owner_rule2
+
+    zone:
+      - domain: example.com.
+      - domain: example.net.
+
+The last variant is for the cases where the reference domain name is a TSIG key name,
+which must be used for the transaction security::
+
+    key:
+      - id: example.com               # Key names are always considered FQDN
+        ...
+      - id: steve.example.net
+        ...
+      - id: jane.example.net
+        ...
+
+    acl:
+      - id: owner_rule3_com
+        action: update
+        update-owner: key             # The reference name is the TSIG key name
+        update-owner-match: sub       # The record owner must be a subdomain of the key name
+        key: [example.com]            # One common key for updating all non-apex records
+
+      - id: owner_rule3_net
+        action: update
+        update-owner: key             # The reference name is the TSIG key name
+        update-owner-match: equal     # The record owner must exactly match the used key name
+        key: [steve.example.net, jane.example.net] # Keys for updating specific zone nodes
+
+    zone:
+     - domain: example.com.
+       acl: owner_rule3_com
+     - domain: example.net.
+       acl: owner_rule3_net
+
 .. _dnssec:
 
 Automatic DNSSEC signing
@@ -584,7 +656,8 @@ configured. The configuration for any defined member zone is taken from its
 *group* property value, which should match some catalog-template name.
 If the *group* property is not defined for a member, is empty, or doesn't match
 any of defined catalog-template names, the first catalog-template
-(in the order from configuration) is used.
+(in the order from configuration) is used. Nesting of catalog zones isn't
+supported.
 
 Any de-cataloged member zone is purged immediately, including its
 zone file, journal, timers, and DNSSEC keys. The zone file is not

doc/man/kcatalogprint.8in

 .\" Man page generated from reStructuredText.
 .
-.TH "KCATALOGPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-kcatalogprint \- Knot DNS catalog print utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KCATALOGPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kcatalogprint \- Knot DNS catalog print utility
 .SH SYNOPSIS
 .sp
 \fBkcatalogprint\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoption\fP]
@@ -53,6 +53,12 @@ Use specified catalog database path and default configuration.
 .SS Options
 .INDENT 0.0
 .TP
+\fB\-a\fP, \fB\-\-catalog\fP
+Filter the output by catalog zone name.
+.TP
+\fB\-m\fP, \fB\-\-member\fP
+Filter the output by member zone name.
+.TP
 \fB\-h\fP, \fB\-\-help\fP
 Print the program help.
 .TP

doc/man/kdig.1in

 .\" Man page generated from reStructuredText.
 .
-.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-kdig \- Advanced DNS lookup utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kdig \- Advanced DNS lookup utility
 .SH SYNOPSIS
 .sp
 \fBkdig\fP [\fIcommon\-settings\fP] [\fIquery\fP [\fIsettings\fP]]...
@@ -290,6 +290,9 @@ Library \fIlibnghttp2\fP is required.
 Use HTTPS with HTTP/GET method instead of the default HTTP/POST method.
 Library \fIlibnghttp2\fP is required.
 .TP
+\fB+\fP[\fBno\fP]\fBquic\fP
+Use QUIC (DNS\-over\-QUIC).
+.TP
 \fB+\fP[\fBno\fP]\fBnsid\fP
 Request the nameserver identifier (NSID).
 .TP

doc/man/keymgr.8in

 .\" Man page generated from reStructuredText.
 .
-.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-keymgr \- Knot DNS key management utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+keymgr \- Knot DNS key management utility
 .SH SYNOPSIS
 .sp
 \fBkeymgr\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoption\fP\&...] \fIzone_name\fP \fIcommand\fP \fIargument\fP\&...
@@ -69,6 +69,9 @@ bit length of the key by number (default: optimal length given by algorithm). Th
 TSIG key is only displayed on \fIstdout\fP: the command does not create a file, nor include the
 key in a keystore.
 .TP
+\fB\-j\fP, \fB\-\-json\fP
+Print the zones or keys in JSON format.
+.TP
 \fB\-l\fP, \fB\-\-list\fP
 Print the list of zones that have at least one key stored in the configured KASP
 database.

doc/man/khost.1in

 .\" Man page generated from reStructuredText.
 .
-.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-khost \- Simple DNS lookup utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+khost \- Simple DNS lookup utility
 .SH SYNOPSIS
 .sp
 \fBkhost\fP [\fIoptions\fP] \fIname\fP [\fIserver\fP]

doc/man/kjournalprint.8in

 .\" Man page generated from reStructuredText.
 .
-.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-kjournalprint \- Knot DNS journal print utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+kjournalprint \- Knot DNS journal print utility
 .SH SYNOPSIS
 .sp
 \fBkjournalprint\fP [\fIconfig_option\fP \fIconfig_argument\fP] [\fIoption\fP\&...] \fIzone_name\fP

doc/man/knot.conf.5in

 .\" Man page generated from reStructuredText.
 .
-.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-knot.conf \- Knot DNS configuration file
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knot.conf \- Knot DNS configuration file
 .SH DESCRIPTION
 .sp
 Configuration files for Knot DNS use simplified YAML format. Simplified means
@@ -1256,14 +1256,14 @@ set by the \fI\%update\-owner\fP option.
 Possible values:
 .INDENT 0.0
 .IP \(bu 2
-\fBsub\-or\-equal\fP — The owner of each Resource Record in an update must either be equal to
-or be a subdomain of at least one domain set by \fI\%update\-owner\fP\&.
+\fBsub\-or\-equal\fP — The owner of each RR in an update must either be equal to
+or be a subdomain of at least one domain name set by \fI\%update\-owner\fP\&.
 .IP \(bu 2
-\fBequal\fP — The owner of each updated RR must be equal to at least one domain set by
-\fI\%update\-owner\fP\&.
+\fBequal\fP — The owner of each updated RR must be equal to at least one domain
+name set by \fI\%update\-owner\fP\&.
 .IP \(bu 2
-\fBsub\fP — The owner of each updated RR must be a subdomain of, but MUST NOT be equal to at least
-one domain set by \fI\%update\-owner\fP\&.
+\fBsub\fP — The owner of each updated RR must be a subdomain of, but MUST NOT
+be equal to at least one domain name set by \fI\%update\-owner\fP\&.
 .UNINDENT
 .sp
 \fIDefault:\fP sub\-or\-equal
@@ -2263,6 +2263,10 @@ has the \fIgroup\fP property defined, matching another catalog template.
 .INDENT 0.0
 .INDENT 3.5
 This option must be set if and only if \fI\%catalog\-role\fP is \fIinterpret\fP\&.
+.sp
+Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt use
+\fI\%catalog\-template\fP, \fI\%catalog\-role\fP, \fI\%catalog\-zone\fP,
+and \fI\%catalog\-group\fP options.
 .UNINDENT
 .UNINDENT
 .sp

doc/man/knotc.8in

 .\" Man page generated from reStructuredText.
 .
-.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
-.SH NAME
-knotc \- Knot DNS control utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,6 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.SH NAME
+knotc \- Knot DNS control utility
 .SH SYNOPSIS
 .sp
 \fBknotc\fP [\fIparameters\fP] \fIaction\fP [\fIaction_args\fP]
@@ -215,12 +215,13 @@ requires a ttl value specified.
 \fBzone\-unset\fP \fIzone\fP \fIowner\fP [\fItype\fP [\fIrdata\fP]]
 Remove zone data within the transaction.
 .TP
-\fBzone\-purge\fP \fIzone\fP\&... [\fIfilter\fP\&...]
+\fBzone\-purge\fP \fIzone\fP\&... [\fB+orphan\fP] [\fIfilter\fP\&...]
 Purge zone data, zone file, journal, timers, and/or KASP data of specified zones.
 Available filters are \fB+expire\fP, \fB+zonefile\fP, \fB+journal\fP, \fB+timers\fP,
-and \fB+kaspdb\fP\&. If no filter is specified, all filters are enabled.
-If the zone is no longer configured, add \fB+orphan\fP filter (zone file cannot
-be purged in this case). This command always requires the force option. (#)
+\fB+kaspdb\fP, and \fB+catalog\fP\&. If no filter is specified, all filters are enabled.
+If the zone is no longer configured, add \fB+orphan\fP parameter (zone file cannot
+be purged in this case). When purging orphans, always check the server log for
+possible errors. This command always requires the force option. (#)
 .TP
 \fBzone\-stats\fP \fIzone\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]]
 Show zone statistics counter(s). To print also counters with value 0, use