Evidence collection
Collected 6 days ago

Knot DNS 3.4.5 (2025-03-18)

Features:

  • knotd: support for SOA serial shift (see 'serial-modulo')
  • knotd: new server statistics (see 'tcp-io-timeout' and 'tcp-idle-timeout')

Improvements:

  • knotd: better signing performance of many zones in parallel by moving 'last_signed_serial' from KASP database to timer database
  • knotd: the 'terminated inactive client' TCP log moved to debug level
  • knotd: allowed initial DDNS to an empty zone
  • knotd: extended backup and flush argument checks
  • knotd: new debug logs for zone events suspension
  • libs: upgraded embedded libngtcp2 to 1.11.0
  • doc: new section Multi-primary, updates

Bugfixes:

  • libdnssec: inappropriate DNSKEY flags evaluation
  • libknot: incorrect VLAN map size calculation for XDP

Knot DNS 3.4.4 (2025-01-22)

Features:

  • knotd: added support for EDNS ZONEVERSION
  • kdig: added support for EDNS ZONEVERSION (see '+zoneversion')

Improvements:

  • knotd: improved control error detection and reporting
  • kdig: proper section names for exported DDNS messages
  • libs: upgraded embedded libngtcp2 to 1.10.0
  • python: expanded documentation for the libknot control API
  • doc: updated XDP prerequisites

Bugfixes:

  • knotd: a DNAME record at the zone apex with active NSEC3 not accepted via XFR
  • knotd: configuration abort times out if no active transaction
  • knotd: defective serial modulo result if it overflows
  • knotd: TLS connections not properly terminated
  • knotd: maximum zone TTL not correctly recomputed after RRSIG TTL change
  • knotd: zone hangs if zone reload fails (Thanks to solidcc2)
  • knotd: statistics dump generates invalid YAML output if XDP is enabled #947
  • knotd: insufficient check for incomplete control message
  • mod-dnstap: used incorrect type for DDNS messages
  • knot-exporter: failed to run with Python 3.11 or older
  • tests: test_atomic and test_spinlock require building with the daemon enabled #946

Knot DNS 3.3.10 (2024-12-12)

Features:

  • libknot: added NXNAME meta type (Thanks to Jan Včelák)

Improvements:

  • knotd: improved processing of QNAMEs containing zero bytes
  • knotd: generated catalog member metadata is stored when the zone is loaded
  • doc: various fixes and updates

Bugfixes:

  • knotd: more active ZSKs cause cumulative ZSK rollovers
  • knotd: zone reload occasionally causes a core dump #939 (Thanks to solidcc2)
  • knotd: zone purge clears active generated catalog member metadata
  • knotc: zone backup filter +keysonly doesn't disable other defaults
  • kxdpgun: failed to receive more data over QUIC until 1-RTT handshake is done
  • knsupdate: memory leak if rdata parsing fails
  • kdig: misleading warning about timeout during QUIC connection
  • knot-exporter: faulty escape sequence in time value parsing

Knot DNS 3.4.3 (2024-12-06)

Improvements:

  • knotd: improved processing of QNAMEs containing zero bytes
  • knotd: zone expiration now aborts possible zone control transaction #929
  • knotd: generated catalog member metadata is stored when the zone is loaded
  • knotd: new configuration check for using default NSEC3 salt length, which will change
  • mod-rrl: added QNAME (if possible) and transport protocol to log messages
  • mod-rrl: increased defaults for 'log-period' to 30 secs, 'rate-limit' to 50, 'instant-rate-limit' to 125, and 'time-rate-limit' to 5 ms
  • kxdpgun: added space separators to some printed values for better readability
  • libs: upgraded embedded libngtcp2 to 1.9.1
  • knot-exporter: zone timers metric is now disabled by default (see '--zone-timers')
  • packaging: added build dependency softhsm for PKCS #11 testing on RPM distributions
  • doc: updated description of DNSSEC key management and module RRL

Bugfixes:

  • knotd: more active ZSKs cause cumulative ZSK rollovers
  • knotd: zone purge clears active generated catalog member metadata
  • mod-rrl: authorized requests are rate limited #943
  • kdig: misleading warning about timeout during QUIC connection
  • keymgr: public-only keys are marked as missing in the list output

Knot DNS 3.4.2 (2024-10-31)

Improvements:

  • knotd: new warning log upon every incremental update if previous zone signing failed
  • mod-cookies: support for two secret values specification
  • keymgr: key pregenerate works even when a KSK exists
  • libs: upgraded embedded libngtcp2 to 1.8.1

Bugfixes:

  • knotd: server can crash when processing just a terminal label as QNAME
  • knotd: failed to compile if no atomic operations available
  • kjournalprint: failed to merge zone-in-journal if followed by a non-first changeset
  • knot-exporter: faulty escape sequence in time value parsing
  • knot-exporter: failed to parse zone-status output
  • kxdpgun: periodic statistics don't work correctly for longer time periods

Knot DNS 3.4.1 (2024-10-14)

Features:

  • knotd: ACL configuration allows protocol specification (see 'acl.protocol')
  • knotc: support for benevolent zone updates (see zone-begin with '+benevolent')
  • knotd: implemented TLS session resumption
  • kjournalprint: added print merged changesets mode (see '-M')
  • libknot: added NXNAME meta type (Thanks to Jan Včelák)

Improvements:

  • knotd: DNSKEY synchronization event logs removed/added *DNSKEYs
  • knotd: control command log message contains filters and flags in the debug mode
  • knotc: zone status prints running, pending, and frozen duration
  • knotd,knotc: unification of control flags and filters
  • keymgr: key listing reports configured keys that are inaccessible
  • libs: upgraded embedded libngtcp2 to 1.8.0
  • doc: various fixes and updates

Bugfixes:

  • knotd: missing support for IPv6 link local address configuration
  • knotd: zone reload occasionally causes a core dump #939 (Thanks to solidcc2)
  • knotd: race condition in DDNS over QUIC processing
  • knotd: imperfect signal handling on some auxiliary threads
  • knotd: EDNS EXPIRE not updated when zone signing finds the zone already up-to-date
  • knotd: failed to reload autogenerated QUIC/TLS key after process ownership change
  • knotc: zone backup filter +keysonly doesn't disable other defaults
  • kxdpgun: failed to receive more data over QUIC until 1-RTT handshake is done
  • knsupdate: memory leak if rdata parsing fails
  • doc: failed to install manual pages from a tarball
  • Dockerfile: TCP port 853 not exposed for DoT

Knot DNS 3.4.0 (2024-09-02)

Features:

  • knotd: full DNS over TLS (DoT, RFC 7858) implementation (see 'DNS over TLS')
  • knotd: bidirectional XFR over TLS (XoT) support with opportunistic, strict,
    and mutual authentication profiles
  • knotd: support for DDNS over QUIC and TLS
  • knotd: DNSSEC validation requires that the remaining RRSIG validity be longer than 'rrsig-refresh'
  • knotd: new event for automatic DNSSEC revalidation
  • knotd: if DNSSEC signing is enabled, EDNS EXPIRE is adjusted to the earliest RRSIG expiration
  • knotd: added support for libdbus as an alternative to systemd dbus
    (see '--enable-dbus=libdbus' configure parameter)
  • knotd: new XDP-related configuration options
    (see 'xdp.ring-size', 'xdp.busypoll-budget', and 'xdp.busypoll-timeout')
  • knotc: new command for explicitly triggering DNSSEC validation (see 'zone-validate' command)
  • keymgr: SKR verification requires that the end of DNSKEY RRSIG validity cover the next DNSKEY snapshot
  • kdig: +nocrypto applies also to CERT, DS, SSHFP, DHCID, TLSA, ZONEMD, and TSIG
  • knsupdate: added support for DDNS over QUIC and TLS (see '-Q' and '-S' parameters)
  • kxdpgun: support for reading a binary input file (see '-B' parameter)
  • kxdpgun: support for output in JSON (see '-j' parameter)
  • kxdpgun: support for periodical output (see '-S' parameter)
  • mod-rrl: module offers limiting of non-UDP protocols based on consumed time
    (see 'mod-rrl.time-rate-limit' and 'mod-rrl.time-instant-limit')
  • utils: -VV option for listing compile time configuration summary

Improvements:

  • knotd: up to eight DDNS queries can be queued per zone when frozen
  • knotd: the number of created/validated RRSIGs is logged
  • knotd: overhaul of atomic operations usage
  • knotd: unified DNAME semantic errors with the CNAME ones
    (see 'Handling CNAME and DNAME-related updates')
  • knotd: better DDNS pre-check to prevent dropping a bulk of updates
  • knotd: extended SOA presence semantic checks
  • knotd: disallowed concurrent control zone and config transactions to avoid deadlock
  • knotd: disallowed opening zone transaction when blocking command is running to avoid deadlock
  • knotd: new XDP statistic counters
  • knotd: remote zone serial is logged upon received incoming transfer
  • knotd: zone backup stores and zone restore checks the CPU architecture compatibility
  • knotd: time configuration options support 'w', 'M', and 'y' units
  • knotd: some control commands can be processed asynchronously
  • knotc: zone backup overwrites already existing backupdir in the force mode
  • kdig: EDNS is enabled by default
  • kdig: the default EDNS payload size was lowered to 1232
  • mod-rrl: completely reimplemented UDP rate limiting using an efficient
    query-counting mechanism on several address prefix lengths
  • mod-rrl: module no longer requires explicit configuration
  • libknot: various XDP improvements and new configuration parameters
  • docker: increased -D_FORTIFY_SOURCE to 3

Bugfixes:

  • knotd: deadlock during zone-ksk-submitted processing of a frozen zone
  • kxdpgun: race condition in SIGUSR1 signal processing
  • doc: parallel build is unreliable #928

Compatibility:

  • configure: increased minimum GnuTLS version to 3.6.10
  • configure: removed deprecated libidn 1 support
  • configure: removed liburcu search fallback
  • configure: required GCC or LLVM Clang compiler with C11 support
  • knotd: removed already ignored obsolete configuration options
  • keymgr: removed legacy parameter '--brief'
  • kjournalprint: removed legacy parameter '--no-color'
  • kjournalprint: removed legacy database specification without '--dir'
  • kcatalogprint: removed legacy database specification without '--dir'
  • packaging: CentOS 7, Debian 10, and Ubuntu 18.04 no longer supported
  • doc: removed info pages

Knot DNS 3.3.9 (2024-08-26)

Improvements:

  • libknot: added EDE code 30
  • libknot: improved performance of knot_rrset_to_wire_extra()
  • libs: upgraded embedded libngtcp2 to 1.7.0
  • doc: various fixes and updates

Bugfixes:

  • keymgr: pregenerate clears future timestamps of old keys and creates new keys
  • mod-dnsproxy: defective TSIG processing
  • mod-dnsproxy: TCP not detected in the XDP mode
  • kxdpgun: unsuccessful interface initialization leaks memory
  • packaging: libknot not installed with python3-libknot

Knot DNS 3.3.8 (2024-07-22)

Features:

  • libzscanner,libknot: added support for 'dohpath' and 'ohttp' SVCB parameters
  • libzscanner,libknot: added support for WALLET rrtype
  • keymgr: new commands for keystore testing (see 'keystore-test' and 'keystore-bench')
  • knotd: new configuration option for setting default TTL (see 'zone.default-ttl')

Improvements:

  • libknot: added error codes to better describe some failures

Bugfixes:

  • knotd: DNSSEC signing doesn't remove NSEC records for non-authoritative nodes
  • knotd: DNSSEC signing not scheduled on secondary if nothing to be reloaded
  • libknot: TCP over XDP doesn't ignore SYN+ACK packets on the server side

Knot DNS 3.2.13 (2024-06-25)

Bugfixes:

  • knotd: insufficient metadata check can cause journal corruption
  • knotd: failed to build on macOS #909
  • knotd: early NSEC3 salt replanning if 'nsec3-salt-lifetime: -1'
  • knotc: zone check complains about missing zone file #913
  • kdig: failed to parse empty QNAME (do not fill question section)
  • python: failed to set an empty configuration value
  • libzscanner: incorrect alpn processing #923
  • libknot: insufficient check for malformed TCP header options over XDP
  • libknot: infinite loop in knot_rrset_to_wire_extra() #916