Knot DNS 2.9.4

Knot DNS 2.9.4 (2020-05-05)

Improvements:

  • ANY query over UDP is always answered with one RRSet + possible RRSIG instead of truncated reply
  • Server tries to resolve CNAME record generated by geoip module (Thanks to Conrad Hoffmann)
  • Earlier OCSP validity check in kdig certificate verification (Thanks to Alexander Schultz)
  • Module onlinesign allows KSK + ZSK mode
  • Server control listen backlog limit was increased to 5
  • Zone signing event is always re-scheduled even after a signing error
  • Extended error checks and tiny enhancements in kjournalprint
  • kdig logs a more detailed error message when failed to acquire a remote address
  • Some documentation improvements

Bugfixes:

  • Server can crash when zone update fails due to exceeded zone size limit
  • keymgr 'share' command doesn't work
  • Shared KSK doesn't work with an initial key
  • Self-created RRSIGs are still cryptographically verified in some unnecessary cases
  • Changed NSEC3PARAM not correctly detected during zone update
  • NSEC(3) chain not fixed if affected by zone udpate
  • knotc orphan purge doesn't work on journal
  • Online signing configured along with DNSSEC signing can cause MDB_BAD_RSLOT error during server reload
  • Zone journal access can stuck if mismanaged zone serial
  • Concurrently added and removed same records in a DDNS message are not properly handled
  • Zone check logs error instead of warning after a first error occured