knot/knot.changes

-------------------------------------------------------------------
Mon Aug 28 15:20:55 UTC 2023 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.3.0, see:
https://www.knot-dns.cz/2023-08-28-version-330.html
-------------------------------------------------------------------
Thu Jul 27 13:50:22 UTC 2023 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.9, see:
https://www.knot-dns.cz/2023-07-27-version-329.html
-------------------------------------------------------------------
Mon Jun 26 07:33:49 UTC 2023 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.8, see:
https://www.knot-dns.cz/2023-06-26-version-328.html
-------------------------------------------------------------------
Wed Jun 7 10:57:04 UTC 2023 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.7, see:
https://www.knot-dns.cz/2023-06-06-version-327.html
-------------------------------------------------------------------
Tue Apr 4 14:16:53 UTC 2023 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.6, see:
https://www.knot-dns.cz/2023-04-04-version-326.html
-------------------------------------------------------------------
Thu Feb 2 12:46:53 UTC 2023 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.5, see:
https://www.knot-dns.cz/2023-02-02-version-325.html
-------------------------------------------------------------------
Mon Dec 12 08:05:34 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.4, see:
https://www.knot-dns.cz/2022-12-12-version-324.html
-------------------------------------------------------------------
Sun Nov 20 10:46:52 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.3, see:
https://www.knot-dns.cz/2022-11-20-version-323.html
-------------------------------------------------------------------
Tue Nov 1 09:52:45 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.2, see:
https://www.knot-dns.cz/2022-11-01-version-322.html
-------------------------------------------------------------------
Thu Sep 22 11:40:39 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.1, see:
https://www.knot-dns.cz/2022-09-09-version-321.html
-------------------------------------------------------------------
Tue Aug 30 19:26:25 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- add keyring to spec file as source to suppress factory-auto error
-------------------------------------------------------------------
Tue Aug 23 09:51:40 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- use upstream service file that requires less privileges
- add keyring to actually verify the signature
-------------------------------------------------------------------
Tue Aug 23 09:19:05 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.2.0, see:
https://www.knot-dns.cz/2022-08-22-version-320.html
-------------------------------------------------------------------
Thu Apr 28 20:42:34 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.8, see:
https://www.knot-dns.cz/2022-04-28-version-318.html
-------------------------------------------------------------------
Wed Mar 30 08:25:50 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.7, see:
https://www.knot-dns.cz/2022-03-30-version-317.html
-------------------------------------------------------------------
Tue Feb 8 13:08:23 UTC 2022 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.6, see:
https://www.knot-dns.cz/2022-02-08-version-316.html
-------------------------------------------------------------------
Mon Dec 20 19:49:42 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- drop conditions for openSUSE 13 and older
- knot.conf is owned by knot as is its parent directory
-------------------------------------------------------------------
Mon Dec 20 19:34:16 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.5, see:
https://www.knot-dns.cz/2021-12-20-version-315.html
-------------------------------------------------------------------
Thu Nov 4 19:43:56 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.4, see:
https://www.knot-dns.cz/2021-11-04-version-314.html
-------------------------------------------------------------------
Tue Oct 19 20:37:52 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.3, see:
https://www.knot-dns.cz/2021-10-18-version-313.html
-------------------------------------------------------------------
Fri Sep 17 19:15:39 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- migrate to user creation via sysuser-tools
- run spec-cleaner on spec file
- update to version 3.1.2, see:
https://www.knot-dns.cz/2021-09-08-version-312.html
-------------------------------------------------------------------
Thu Aug 12 07:51:04 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.1, see:
https://www.knot-dns.cz/2021-08-10-version-311.html
-------------------------------------------------------------------
Wed Aug 4 17:31:13 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.1.0, see:
https://www.knot-dns.cz/2021-08-02-version-310.html
-------------------------------------------------------------------
Thu Jul 1 09:22:32 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.0.7, see:
https://www.knot-dns.cz/2021-06-16-version-307.html
-------------------------------------------------------------------
Fri May 14 21:24:51 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- make sure we have getent and groupadd/useradd in pre
* added dependency on shadow and glibc
* might be related to bnc#1186023
-------------------------------------------------------------------
Wed May 12 12:43:44 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.0.6, see:
https://www.knot-dns.cz/2021-05-12-version-306.html
-------------------------------------------------------------------
Tue May 11 09:24:39 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- Make /etc/knot directory owned by knot - fix reload action
-------------------------------------------------------------------
Sat Mar 27 12:05:44 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Update descriptions, remove unsubstantiated claims.
-------------------------------------------------------------------
Thu Mar 25 12:56:29 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- update to version 3.0.5, see:
https://www.knot-dns.cz/2021-03-25-version-305.html
- Update description based on homepage
-------------------------------------------------------------------
Mon Feb 1 13:19:02 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Trim marketing wording from description.
- Drop old rpm constructs.
-------------------------------------------------------------------
Mon Jan 25 22:30:39 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- version update to 3.0.4, see:
https://www.knot-dns.cz/2021-01-20-version-304.html
-------------------------------------------------------------------
Mon Jan 4 16:48:21 UTC 2021 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- add incompatibility warning about 1.6.X version when updating
- rename back to knot
-------------------------------------------------------------------
Mon Dec 28 16:24:32 UTC 2020 - pgajdos@suse.com
- version update to 3.0.3
-------------------------------------------------------------------
Mon Nov 30 21:41:09 UTC 2020 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- version update to 2.9.7, see:
https://www.knot-dns.cz/2020-08-31-version-296.html
https://www.knot-dns.cz/2020-10-09-version-297.html
- obsolete only pre-2.0 version
-------------------------------------------------------------------
Tue Jul 21 10:52:20 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- remove rosedb conditional as lmdb is required in general now
-------------------------------------------------------------------
Tue Jul 21 10:35:13 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- replace conflicts with Provides/Obsoletes
-------------------------------------------------------------------
Wed Jun 24 15:12:35 UTC 2020 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- fix dependency: python-Sphinx -> python3-Sphinx
-------------------------------------------------------------------
Wed Jun 24 15:04:01 UTC 2020 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- use upstream example config file with correct syntax
-------------------------------------------------------------------
Wed Jun 24 08:55:33 UTC 2020 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- version update to 2.9.5
- Bugfixes
- Old ZSK can be withdrawn too early during a ZSK rollover if maximum zone
TTL is computed automatically
- Server responds SERVFAIL to ANY queries on empty non-terminal nodes
- Improvements
- Also module onlinesign returns minimized responses to ANY queries
- Linking against libcap-ng can be disabled via a configure option
-------------------------------------------------------------------
Tue May 19 20:30:10 UTC 2020 - Michal Hrusecky <michal.hrusecky@opensuse.org>
- version update to 2.9.4
see NEWS
-------------------------------------------------------------------
Fri Dec 20 10:07:59 UTC 2019 - pgajdos@suse.com
- version update to 2.9.2
see NEWS
-------------------------------------------------------------------
Wed Jan 23 13:26:51 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
- update to 2.7.6
- Improvements
- Zone status also shows when the zone load is scheduled
- Server workers status also shows background workers
utilization
- Default control timeout for knotc was increased to 10 seconds
- Pkg-config files contain auxiliary variable with library
filename
- Bugfixes
- Configuration commit or server reload can drop some pending
zone events
- Nonempty zone journal is created even though it's disabled
#635
- Zone is completely re-signed during empty dynamic update
processing
- Server can crash when storing a big zone difference to the
journal
- Failed to link on FreeBSD 12 with Clang
-------------------------------------------------------------------
Mon Jan 7 13:46:56 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
- update to 2.7.5
- Features:
- Keymgr supports NSEC3 salt handling
- Improvements:
- Zone history in journal is dropped upon AXFR-like zone update
- Libdnssec is no longer linked against libm #628
- Libdnssec is explicitly linked against libpthread if PKCS #11
enabled #629
- Better support for libknot packaging in Python
- Manually generated KSK is 'ready' by default
- Kdig supports '+timeout' as an alias for '+time'
- Kdig supports '+nocomments' option
- Kdig no longer prints empty lines between retries
- Kdig returns failure if operations not successfully resolved
#632
- Fixed repeating of the 'KSK submission, waiting for
confirmation' log
- Various improvements in documentation, Dockerfile, and tests
- Bugfixes:
- Knotc fails to unset huge configuration section
- Kjournalprint sometimes fails to display zone journal content
- Improper timing of ZSK removal during ZSK rollover
- Missing UTC time zone indication in the 'iso' keymgr list
output
- A race condition in the online signing module
-------------------------------------------------------------------
Mon Dec 31 16:07:03 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
- update to 2.7.4
Features:
---------
- Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)
Improvements:
-------------
- Added warning log when DNSSEC events not successfully scheduled
- New semantic check on timer values in keymgr
- DS query no longer asks other addresses if got a negative answer
- Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
- Extended logging for zone loading
- Various documentation improvements
Bugfixes:
---------
- Failed to import module configuration #613
- Improper Cflags value in libknot.pc if built with embedded LMDB #615
- IXFR doesn't fall back to AXFR if malformed reply
- DNSSEC events not correctly scheduled for empty zone updates
- During algorithm rollover old keys get removed before DS TTL expires #617
- Maximum zone's RRSIG TTL not considered during algorithm rollover #620
-------------------------------------------------------------------
Sun Nov 4 02:14:26 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>
- seems we no longer need jansson
-------------------------------------------------------------------
Sun Nov 4 02:10:14 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>
- limit geoip support to opensuse
-------------------------------------------------------------------
Sat Nov 3 22:23:36 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>
- update to 2.7.3
- Features:
- New queryacl module for query access control
- Configurable answer rrset rotation #612
- Configurable NSEC bitmap in online signing
- Improvements:
- Better error logging for KASP DB operations #601
- Some documentation improvements
- Bugfixes:
- Keymgr "list" output doesn't show key size for ECDSA algorithms #602
- Failed to link statically with embedded LMDB
- Configuration commit causes zone reload for all zones
- The statistics module overlooks TSIG record in a request
- Improper processing of an AXFR-style-IXFR response consisting of one-record messages
- Race condition in online signing during key rollover #600
- Server can crash if geoip module is enabled in the geo mode
- changes from 2.7.2
- Improvements:
- Keymgr list command displays also key size
- Kjournalprint displays total occupied size in the debug mode
- Server doesn't stop if failed to load a shared module from the module directory
- Libraries libcap-ng, pthread, and dl are linked selectively if needed
- Bugfixes:
- Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
- Server can crash when loading zone file difference and zone-in-journal is set
- Incorrect treatment of specific queries in the module RRL
- Failed to link module Cookies as a shared library
- changes from 2.7.1
- Improvements:
- Added zone wire size information to zone loading log message
- Added debug log message for each unsuccessful remote address operation
- Various improvements for packaging
- Bugfixes:
- Incompatible handling of RRSIG TTL value when creating a DNS message
- Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
- Default configure prefix is ignored
- changes from 2.7.0
- Features:
- New DNS Cookies module and related '+cookie' kdig option
- New module for response tailoring according to client's subnet or geographic location
- General EDNS Client Subnet support in the server
- OSS-Fuzz integration (Thanks to Jonathan Foote)
- New '+ednsopt' kdig option (Thanks to Jan Včelák)
- Online Signing support for automatic key rollover
- Non-normal file (e.g. pipe) loading support in zscanner #542
- Automatic SOA serial incrementation if non-empty zone difference
- New zone file load option for ignoring zone file's SOA serial
- New build-time option for alternative malloc specification
- Structured logging for DNSSEC key submission event
- Empty QNAME support in kdig
- Improvements:
- Various library and server optimizations
- Reduced memory consumption of outgoing IXFR processing
- Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
- Online Signing properly signs delegations and CNAME records
- CDS/CDNSKEY rrset is signed with KSK instead of ZSK
- DNSSEC-related records are ignored when loading zone difference with signing enabled
- Minimum allowed RSA key length was increased to 1024
- Bugfixes:
- Possible uninitialized address buffer use in zscanner
- Possible index overflow during multiline record parsing in zscanner
- kdig +tls sometimes consumes 100 % CPU #561
- Single-Type Signing doesn't work with single ZSK key #566
- Zone not flushed after re-signing during zone load #594
- Server crashes when committing empty zone transaction
- Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
- Compatibility:
- Removed obsolete RRL configuration
- Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
- Removed obsolete 'ixfr-from-differences' configuration option
- Removed old journal migration
- Removed module rosedb
- changes from 2.6.9
- Improvements:
- Added zone wire size to zone loading log message
- Added debug log message for each unsuccessful remote address operation
- Bugfixes:
- Zone not flushed after re-signing during zone load #594
- Server crashes when committing empty zone transaction
- Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
- packaging changes:
- enabled geoip module: new BR: pkgconfig(libmaxminddb)
- enabled cookies module
- enabled queryacl module
-------------------------------------------------------------------
Sat Jul 14 03:07:45 UTC 2018 - mrueckert@suse.de
- update to 2.6.8
- Features:
- New 'import-pkcs11' command in keymgr
- Improvements:
- Unixtime serial policy mimics Bind increment if lower #593
- Bugfixes:
- Creeping memory consumption upon server reload #584
- Kdig incorrectly detects QNAME if 'notify' is a prefix
- Server crashes when zone sign fails #587
- CSK->KZSK rollover retires CSK early #588
- Server crashes when zone expires during outgoing
multi-message transfer
- Kjournalprint doesn't convert zone name argument to
lower-case
- Cannot switch to a previously used ksk-shared dnssec policy
#589
- update to 2.6.7
- Features:
- Added 'dateserial' (YYYYMMDDnn) serial policy configuration
(Thanks to Wolfgang Jung)
- Improvements:
- Trailing data indication from the packet parser (libknot)
- Better configuration check for a problematical option
combination
- Bugfixes:
- Incomplete configuration option item name check
- Possible buffer overflow in 'knot_dname_to_str' (libknot)
- Module dnsproxy doesn't preserve letter case of QNAME
- Module dnsproxy duplicates OPT and TSIG in the non-fallback
mode
-------------------------------------------------------------------
Wed May 2 08:29:51 UTC 2018 - kbabioch@suse.com
- Update to 2.6.6
- Features:
- New EDNS option counters in the statistics module
- New '+orphan' filter for the 'zone-purge' operation
- Improvements:
- Reduced memory consumption of disabled statistics metrics
- Some spelling fixes (Thanks to Daniel Kahn Gillmor)
- Server no longer fails to start if MODULE_DIR doesn't exist
- Configuration include doesn't fail if empty wildcard match
- Added a configuration check for a problematical option combination
- Bugfixes:
- NSEC3 chain not re-created when SOA minimum TTL changed
- Failed to start server if no template is configured
- Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
- Inaccurate outgoing zone transfer size in the log message
- Invalid dname compression if empty question section
- Missing EDNS in EMALF responses
-------------------------------------------------------------------
Mon Apr 2 00:04:43 UTC 2018 - mrueckert@suse.de
- update to 2.6.5
- Features:
- New 'zone-notify' command in knotc
- Kdig uses '@server' as a hostname for TLS authentication if
'+tls-ca' is set
- Improvements:
- Better heap memory trimming for zone operations
- Added proper polling for TLS operations in kdig
- Configuration export uses stdout as a default output
- Simplified detection of atomic operations
- Added '--disable-modules' configure option
- Small documentation updates
- Bugfixes:
- Zone retransfer doesn't work well if more masters configured
- Kdig can leak or double free memory in corner cases
- Inconsistent error outputs from dynamic configuration
operations
-------------------------------------------------------------------
Thu Jan 11 09:24:15 UTC 2018 - i@marguerite.su
- update to 2.6.4
see /usr/share/doc/packages/knot2/NEWS
-------------------------------------------------------------------
Sun Aug 6 23:01:55 UTC 2017 - mrueckert@suse.de
- fix tmpfiles scriptlet
-------------------------------------------------------------------
Sun Aug 6 22:40:26 UTC 2017 - mrueckert@suse.de
- package /var/lib/knot
- run tmpfiles scriptlet during install
-------------------------------------------------------------------
Sun Aug 6 21:45:44 UTC 2017 - mrueckert@suse.de
- update to 2.5.3
see /usr/share/doc/packages/knot2/NEWS
- use libidn2 on TW and 42.3
- following modules stay static:
- dnsproxy
- onlinesign
- moved modules to shared building:
- dnstap
- noudp
- rosedb
- rrl
- stats
- synthrecord
- whoami
-------------------------------------------------------------------
Mon Feb 13 11:57:09 UTC 2017 - mrueckert@suse.de
- update to 2.4.1
see /usr/share/doc/packages/knot2/NEWS
-------------------------------------------------------------------
Tue May 24 15:46:58 UTC 2016 - mrueckert@suse.de
- update to 2.2.1
- Bugfixes:
- Fix separate logging of server and zone events
- Fix concurrent zone file flushing with many zones
- Fix possible server crash with empty hostname on OpenWRT
- Fix control timeout parsing in knotc
- Fix "Environment maxreaders limit reached" error in knotc
- Don't apply journal changes on modified zone file
- Remove broken LTO option from configure script
- Enable multiple zone names completion in interactive knotc
- Set the TC flag in a response if a glue doesn't fit the
response
- Disallow server reload when there is an active configuration
transaction
- Improvements:
- Distinguish unavailable zones from zones with zero serial in
log messages
- Log warning and error messages to standard error output in
all utilities
- Document tested PKCS #11 devices
- Extended Python configuration interface
-------------------------------------------------------------------
Tue May 10 22:14:14 UTC 2016 - mrueckert@suse.de
- update to 2.2.0
- Bugfixes:
- Fix build dependencies on FreeBSD
- Fix query/response message type setting in dnstap module
- Fix remote address retrieval from dnstap capture in kdig
- Fix global modules execution for queries hitting existing
zones
- Fix execution of semantic checks after an IXFR transfer
- Fix PKCS#11 support detection at build time
- Fix kdig failure when the first AXFR message contains just
the SOA record
- Exclude non-authoritative types from NSEC/NSEC3 bitmap at a
delegation
- Mark PKCS#11 generated keys as sensitive (required by Luna
SA)
- Fix error when removing the only zone from the server
- Don't abort knotc transaction when some check fails
- Features:
- URI and CAA resource record types support
- RRL client address based white list
- knotc interactive mode
- Improvements:
- Consistent IXFR error messages
- Various fixes for better compatibility with PKCS#11 devices
- Various keymgr user interface improvements
- Better zone event scheduler performance with many zones
- New server control interface
- kdig uses local resolver if resolv.conf is empty
- new BR libedit-devel for the interactive mode
-------------------------------------------------------------------
Thu Feb 11 00:08:40 UTC 2016 - mrueckert@suse.de
- update to 2.1.1
- Bugfixes:
- DNSSEC: Allow import of duplicate private key into the KASP
- DNSSEC: Avoid duplicate NSEC for Wildcard No Data answer
- Fix server crash when an incoming transfer is in progress
and reload is issued
- Fix socket polling when configured with many interfaces and
threads
- Fix compilation against Nettle 3.2
- Improvements:
- Select correct source address for UDP messages received on
ANY address
- Extend documentation of knotc commands
- drop knot-2.1.0_pkcs11_check.patch
-------------------------------------------------------------------
Wed Jan 27 13:06:58 UTC 2016 - mrueckert@suse.de
- enable libcap-ng
-------------------------------------------------------------------
Wed Jan 27 13:02:40 UTC 2016 - mrueckert@suse.de
- fix configure check for pkcs11 support:
adds knot-2.1.0_pkcs11_check.patch
-------------------------------------------------------------------
Wed Jan 27 11:22:25 UTC 2016 - mrueckert@suse.de
- fix soversions
-------------------------------------------------------------------
Wed Jan 27 11:02:57 UTC 2016 - mrueckert@suse.de
- update to 2.1.0
- Features:
- Per-thread UDP socket binding using SO_REUSEPORT on Linux
- Support for dynamic configuration database
- DNSSEC: Support for cryptographic tokens via PKCS #11
interface
- DNSSEC: Experimental support for online signing
- Improvements:
- Support for zone file name patterns
- Configurable location of zone timer database
- Non-blocking network operations and better timeout handling
- Caching of Critical configuration values for better
performance
- Logging of ACL failures
- RRL: Add rate-limit-slip zero support to drop all responses
- RRL: Document behavior for different rate-limit-slip options
- kdig: Warning instead of error on TSIG validation failure
- Cleanup of support libraries interfaces (libknot,
libzscanner, libdnssec)
- Remove possibly insecure server control over a network socket
- Remove implementation limit for the number of network
interfaces
- Bugfixes:
- synth-record module: Fix application of default configuration
options
- TSIG: Allow compressed TSIG name when forwarding DDNS updates
- Schedule zone bootstrap after slave zone fails to load from
disk
- avoid activating the intree copy of lmdb
-------------------------------------------------------------------
Tue Nov 24 22:37:13 UTC 2015 - mrueckert@suse.de
- update to 2.0.2
- Out-of-bound read in packet parser for malformed NAPTR records
(LibFuzzer)
-------------------------------------------------------------------
Wed Oct 14 18:20:11 UTC 2015 - mrueckert@suse.de
- split out shared libraries, knot-resolver uses some of them and
atm we are forced to install the whole knot2 package.
-------------------------------------------------------------------
Thu Sep 3 20:21:48 UTC 2015 - mrueckert@suse.de
- lmdb seems no longer optional
-------------------------------------------------------------------
Thu Sep 3 14:41:02 UTC 2015 - mrueckert@suse.de
- create a new branch for knot 2.x starting with 2.0.1
- Bugfixes:
- Do not reload expired zones on 'knotc reload' and server
startup
- Fix rare race-condition in event scheduling causing delayed
event execution
- Fix skipping of non-authoritative nodes in NSEC proofs
- Fix TC flag setting in RRL slipped answers
- Disable domain name compression for root label
- Log via journald only when running under systemd
- Fix CNAME following when querying for NSEC RR type
- Fix refreshing of DNSSEC signatures for zone keys
- Fix binding an unavailable IPv6 address on Linux
(IP_FREEBIND)
- Fix infinite loop in knotc zonestatus and memstats
- Fix memory leak in configuration on server shutdown
- Fix broken dnsproxy module
- Fix DNSSEC KASP timestamps parsing in strict POSIX
environment
- fix multi value parsing on big-endian
- Adapt to Nettle 3 API break causing base64 decoding failures
on big-endian
- Features:
- Add 'keymgr zone key ds' to show key's DS record
- Add 'keymgr tsig generate' to generate TSIG keys
- Add query module scoping to process either all queries or
zone queries only
- Add support for file name globbing in config file includes
- Add 'request-edns-option' config option to add custom EDNS0
option into server initiated queries
- Improvements:
- Send minimal responses (remove NS from Authority section for
NOERROR)
- Update persistent timers only on shutdown for better
performance
- Allow change of RR TTL over DDNS
- Documentation fixes, updates, and improvements in formatting
- Install yparser and zscanner header files
- Improve lookup of libsystemd build dependencies
- Fix compilation warnings in endian conversion functions on
OpenBSD
- changes in knot 2.0.0
- Bugfixes:
- Fix lost NOTIFY message if received during zone transfer
- Disable fast zone parser when compiled in Clang (workaround
for Clang bug)
- kdig: Record correct dnstap SocketProtocol when retrying
over TCP
- kdig: Hide TSIG section with +noall
- Do not set AA flag for AXFR/IXFR queries
- Features:
- DNSSEC: separate library, switch to GnuTLS, new utilities
- DNSSEC: basic KASP support (generate initial keys, ZSK
rollover)
- Configuration: New text format in YAML, binary store in LMDB
- Zone parser: Split long TXT/SPF strings into multiple
strings
- kdig: Add generic dump style option (+generic)
- Try all master servers in multi-master environment
- Improved remotes and ACLs (multiple addresses, multiple
keys)
- Basic support for zone file patterns (%s to substitute zone
name)
- Disable zone file synchronization by setting 'zonefile_sync'
to '-1'
- knsupdate: Add input prompt in interactive mode and 'quit'
command
- knsupdate: Allow TSIG algorithm specification in interactive
prompt
- Improvements:
- Zone dump: Do not write class for SOA record (unified with
other RR types)
- Zone dump: Do not write master server address into the zone
file
- Documentation: Manual pages are included in HTML and PDF
- drop patches which are included upstream:
0001-loosen-openssl-dependency.patch
0002-make-configure.ac-compatible-with-old-tools.patch
- also drop all buildrequires just needed for autoreconf
- new buildrequires:
pkgconfig(gnutls) >= 3
pkgconfig(nettle)
pkgconfig(jansson)
- create devel subpackage
- enable rosedb and bash completion
-------------------------------------------------------------------
Wed Apr 29 07:03:38 UTC 2015 - mrueckert@suse.de
- local state dir should be just /var
-------------------------------------------------------------------
Thu Apr 9 02:51:53 UTC 2015 - mrueckert@suse.de
- enable dnstap support for factory and newer:
- new BR: protobuf-c and libfstrm-devel
- prepared lto support but not enabled yet, still need to find out
which distros support it
-------------------------------------------------------------------
Thu Apr 9 02:17:01 UTC 2015 - mrueckert@suse.de
- update to 1.6.3
- Performance drop for NSEC-signed zones
- Proper handling of TCP short-writes
- Out-of-bound read in zone parser for long domain names in
origin (AFL fuzzer)
- Out-of-bound read in packet parser for TSIG RR without RDATA
(AFL fuzzer)
- Out-of-bound read in packet parser for malformed NAPTR RR (AFL
fuzzer)
- CDS and CDNSKEY support in zone parser
- Add defaults for TCP config options into documentation
- Detailed error message if zone reload fails
- refreshed patches to apply cleanly again:
0002-make-configure.ac-compatible-with-old-tools.patch
-------------------------------------------------------------------
Tue Mar 10 17:20:55 UTC 2015 - mrueckert@suse.de
- update to 1.6.2
- Limiting number of parallel TCP clients (max-tcp-clients config
option)
- Ignore refresh and transfer events on non-slave zones
- Compilation with Dnstap support on FreeBSD
- Possible file descriptor leak when terminating inactive TCP
clients
- refreshed patches to apply cleanly again:
0002-make-configure.ac-compatible-with-old-tools.patch
- moved autoreconf -fi to %build so it wont be tried in quilt setup
or similar tools
- move up the %if case for systemd in for the preun scriptlet to
avoid warning about empty scripts on non systemd distributions.
- used xz tarball: new buildrequires xz
-------------------------------------------------------------------
Thu Jan 8 10:07:50 UTC 2015 - tchvatal@suse.com
- Add deps on the docu packages to regen documentation
- Enable systemd integration fully
- Add dep on libidn
- Cleanup with spec-cleaner
-------------------------------------------------------------------
Wed Dec 31 10:49:27 UTC 2014 - ondrej@sury.org
- Only require lmdb-devel on (Open)SUSE 13.2 and higher
-------------------------------------------------------------------
Wed Dec 31 10:29:48 UTC 2014 - ondrej@sury.org
- Updated to 1.6.1
Bugfixes:
- Journal file would sometimes outgrow its set limit
- Fixed incompatibility with OpenSSL 0.9.8
- Proper handling when machine hostname cannot be retrieved
Features:
- Support for DNSSEC Single Type Signing Scheme
- Compile with lmdb-devel to add support for persistent timers
-------------------------------------------------------------------
Tue Nov 18 15:49:27 UTC 2014 - pgajdos@suse.com
- Updated to 1.6.0
Bugfixes:
- Fix zone expiration when AXFR/IXFR is being refused by master
- Fix forced zone refresh on slave (knotc refresh -f)
- Persistent timers database opening after privileges have been dropped
- DNSSEC: RFC compliant processing of letter case in RDATA domain names
- EDNS: Return minimal error response for queries with unsupported version
- EDNS: Fix interpretation of Extended RCODE
Improvements:
- Maximal size of persistent timers database increased from 10 MB to 100 MB
- Added logging of persistent timers database errors
Features:
- Persistent timers for slave zones (expire, refresh, and flush)
-------------------------------------------------------------------
Mon Sep 15 19:44:38 UTC 2014 - ondrej@sury.org
- Updated to 1.5.3
Bugfixes:
- Some specific incoming IXFRs were causing server to crash
- Rare synchronization error during reload caused read-after-free
- Response synthetization module did not work properly with DNSSEC-enabled zones
- When Knot sent AXFR when IXFR was requested, message ID and opcode were wrong
- Knot failed to send large messages to remote control (present since 1.5.1)
- Some RR parsing corner cases were not handled properly
- AXFR-style IXFR was refused and had to be retransferred
- Hash character (#) was not properly escaped when storing text zone file
- DNSSEC: DNAMEs in RDATA were not lowercased before signing
- EDNS: OPT RR were not put into responses for some errors
- TSIG: DDNS responses were not signed with TSIG
- DDNS: Prerequisite checks failed for some inputs
- knsupdate: Zone origin was not used for deletions
Features:
- Basic support for logging using systemd journal
- DDNS: Ability to process updates in bulk
Improvements:
- Unified logging messages structure
- DNSSEC: More strict controls for signing keys
- Refreshed patches on top of 1.5.3 release:
* 0001-loosen-openssl-dependency.patch
* 0002-make-configure.ac-compatible-with-old-tools.patch
-------------------------------------------------------------------
Fri Jul 11 09:06:45 UTC 2014 - ondrej@sury.org
- Squash 0002-remove-AM_SILENT_RULES.patch and 0003-no-dist-xz.patch
into 0002-make-configure.ac-compatible-with-old-tools.patch that
removes configure.ac options incompatible with SLES_11_SP[23].
- added patches:
* 0002-make-configure.ac-compatible-with-old-tools.patch
- removed patches:
* 0002-remove-AM_SILENT_RULES.patch
* 0003-no-dist-xz.patch
-------------------------------------------------------------------
Thu Jul 10 08:18:29 UTC 2014 - ondrej@sury.org
- Updated to 1.5.0
Features:
* DDNS forwarding reimplemented
* edns-client-subnet support in kdig
* Optional asynchronous startup (config "asynchronous-start")
* Pluggable query processing modules
* Synthetic IPv4/IPv6 reverse/forward records (optional module)
* dnstap support in both utilities & server (optional module)
* NOTIFY message support and new TSIG section in kdig
* Multi-master support
Improvements:
* Transfer sizes logged in bytes if needed
* Logging outgoing NOTIFY messages
* Logging unauthorized incoming NOTIFYs
* Preempt task queue for faster reload
* Lazy zone file write after zone transfer (governed by "zonefile-sync")
* Query processing and core functionality overhaul
* Performance and reduced memory footprint
* Faster zone events scheduling
* RFC compliant queries/responses in some corner cases
* Log messages
* New documentation (Sphinx)
Bugfixes:
* Zone flush planning after bootstrap
* Incorrect incoming AXFR message sizes
* DDNS signing changes were freed too soon, possibility of stale data
* knotc remote control key handling
* Close zone transfer after SERVFAIL response
* Incremental to full zone transfer fallback, wrong log message
* Zone events corner cases, reload replanning
-------------------------------------------------------------------
Tue Jun 24 12:56:27 UTC 2014 - pgajdos@suse.com
- updated to 1.4.7:
* Fixed DDNS corner cases
* Fixed zone EXPIRE timer
* Fixed semantic checks false positives
* Fixed sending malformed IXFR with automatic DNSSEC
* Fixed NAPTR record serialization
-------------------------------------------------------------------
Mon May 12 12:38:02 UTC 2014 - ondrej@sury.org
- Fixed the missing 1.4.5 tarball
-------------------------------------------------------------------
Tue Apr 15 07:08:27 UTC 2014 - ondrej@sury.org
- updated to 1.4.5
Bugfixes:
* Fix possible weakness in TSIG signature checking
-------------------------------------------------------------------
Fri Mar 28 10:56:24 UTC 2014 - pgajdos@suse.com
- updated to 1.4.4
Features:
* Server is logging remote control commands
* 'knotc reload' doesn't refresh unchanged zones
* 'knotc -f refresh' forces zone retransfer
Bugfixes:
* Missing notifications after DDNS/automatic resign
* Zone is rebootstrapped if the zone file is unreadable
* Progressive bootstrap retry backoff
* Zone file parser allows asterisk as part of the label
* Journal maximum entry size fixes
* Sign DNSKEYs in non-apex nodes as regular RR sets
-------------------------------------------------------------------
Tue Feb 18 14:56:36 UTC 2014 - ondrej@sury.org
- Enable recvmmsg support in the build to increase performance
- Update upstream config directory to /etc/knot (instead of /etc/knot/knot)
- Replace tar.xz with tar.gz to allow backporting to older releases
- Disable silent rules to have more verbose builds
- Add support to compile with OpenSSL << 1.0.0
- added patches:
* 0001-loosen-openssl-dependency.patch
-------------------------------------------------------------------
Tue Feb 18 12:07:36 UTC 2014 - ondrej@sury.org
- update to 1.4.3:
* Failure when expanding wildcard leading to apex and having DNSKEY records
* Failure for query to wildcard without wildcard expansion
* Bad cleanup when loading a faulty entry from a journal
* Zone file $ORIGIN and configuration comparison is case-insensitive
* Config "include" statement supports directory and includes all files within
-------------------------------------------------------------------
Mon Jan 27 15:17:49 UTC 2014 - ondrej@sury.org
- update to 1.4.2:
* AXFR/IXFR compatibility issues with tinydns/axfrdns
* Journal file is created only when needed
* Zone-related log messages are logged into correct category
* DNSSEC: Refresh signatures earlier (3 days before their expiration
with the default signature lifetime)
* Fixed RCU synchronization causing deadlock on 'knotc signzone'
* RRSIG not fitting in the additional records doesn't cause truncation
-------------------------------------------------------------------
Tue Jan 14 15:14:06 UTC 2014 - ondrej@sury.org
- update to 1.4.1:
* Empty APL record support
* 'zonestatus' when using immediate zone syncing
* Immediate zone syncing after reload
* Race condition writing time values to zone file
* Hard require OpenSSL >= 1.0.0
- removed patches:
* 0001-Add-support-for-OpenSSL-threads-in-OpenSSL-1.0.0.patch
* 0001-Check-the-OpenSSL-version-when-checking-for-GOST-alg.patch
-------------------------------------------------------------------
Wed Jan 8 08:58:19 UTC 2014 - ondrej@sury.org
- Add support to compile with OpenSSL << 1.0.0
- added patches:
* 0001-Add-support-for-OpenSSL-threads-in-OpenSSL-1.0.0.patch
* 0001-Check-the-OpenSSL-version-when-checking-for-GOST-alg.patch
-------------------------------------------------------------------
Wed Jan 8 08:40:45 UTC 2014 - ondrej@sury.org
- update to 1.4.0:
* Experimental automatic DNSSEC signing
* Fastest ragel parser enabled by default
* Reduced memory usage
* Zone SOA SERIAL policies (INCREMENT, UNIXTIME) for DDNS and
automatic DNSSEC signing
* IDN support in Knot utilities (kdig, knsupdate, ...)
* DNSSEC: support for GOST algorithm
* Support for DNSSEC key pre-publication
-------------------------------------------------------------------
Mon Dec 16 09:46:03 UTC 2013 - ondrej@sury.org
- update to 1.3.4:
* Bugfixes:
Crash in particular additionals processing
Race condition in event cancelation
Journal corruption after failed transactions
-------------------------------------------------------------------
Tue Nov 26 13:36:54 UTC 2013 - pgajdos@suse.com
- update to 1.3.3:
* New features:
Reduced memory usage
Improved performance
Experimental automatic DNSSEC signing
Refactored zone loading
Improved journal locking
* Bugfixes:
Fixed some race conditions
Various fixes in client utilities
-------------------------------------------------------------------
Mon Sep 9 15:16:04 UTC 2013 - pgajdos@suse.com
- update to 1.3.1
* Faster zone parser
* Full support for EUI and ILNP resource records
* Lower memory footprint for large zones
* No compilation of zones
* Improved scheduling of zone transfers
* Logging of serials and timing information for zone transfers
* see NEWS or https://www.knot-dns.cz/ for details
-------------------------------------------------------------------
Wed Apr 3 15:37:52 UTC 2013 - ondrej@sury.org
- Update to 1.2.0 final
Bugfixes:
* Memory leaks
-------------------------------------------------------------------
Fri Mar 22 15:32:38 UTC 2013 - ondrej@sury.org
- Update to 1.2.0-rc4
New features:
* knotc 'zonestatus' command
Bugfixes:
* Changing logfile ownership before dropping privileges
* knotc respects 'control' section from configuration
* RRL: resolved bucket collisions
* RRL: updated bucket mapping to conform to the RRL technical memo
-------------------------------------------------------------------
Tue Mar 12 08:37:55 UTC 2013 - ondrej@sury.org
- Update to 1.2.0-rc3
New features:
* Dynamic updates, including forwarding (limited on signed zones)
* Updated remote control utility
* Configurable TCP timeouts
* LOC RR support
* Response rate limiting (see documentation)
Bugfixes:
* Fixed processing of some non-standard dnames.
* Correct checking of label length bounds in some cases.
* More compliant rcodes in case of DDNS/TSIG failures.
* Correct processing of malformed DDNS prereq section.
* Fixed OpenBSD build
* Responses to ANY should contain RRSIGs
-------------------------------------------------------------------
Sat Nov 24 09:12:42 UTC 2012 - aj@suse.de
- Documentation only needs makeinfo, thus require it instead of texinfo
where it's available as separate package.
-------------------------------------------------------------------
Thu Nov 22 17:22:37 UTC 2012 - ondrej@sury.org
- update to 1.1.2:
Bugfixes:
* Fixed crash on reload when config contained duplicate zones.
* Fixed scheduling of transfers.
* Fixed debug message.
- merge some changes from fedora spec file
- remove unittest files, they don't belong in binary packages
- depend on texinfo package to build the documentation
-------------------------------------------------------------------
Tue Nov 20 12:37:14 UTC 2012 - pgajdos@suse.com
- update to 1.1.1:
New features:
* Optionally disable ANY queries for authoritative answers.
* Dropping identical records in zone and incoming transfers.
* Support for '/' in zone names.
* Generating journal from reloaded zone (EXPERIMENTAL).
* Outgoing-only interfaces in configuration file.
* Following DNAME if the synthetized name is in the same zone.
* Signing SOA with TSIG queries when checking zone version with master.
* Improved compression of packets. Out-of-zone dnames present in RDATA
were not compressed.
* Slave zones are now automatically refreshed after startup.
* Proper response to IXFR/UDP query (returns SOA in Authority section).
Bugfixes:
* Crash when zone contained RRSIG signing a CNAME, but did not
contain the CNAME.
* Malformed packets parsing.
* Failed IXFR caused memory leaks.
* Failed IXFR might have resulted in inconsistent zone structures.
* Fixed answering to +dnssec queries when NSEC3 chain is corrupted.
* Fixed answering when transitioning from NSEC3 to NSEC.
* Fixed answering when zone contains multiple NSEC3 chains.
* Handling RRSets with different TTLs - TTL from the first RR is used.
* Synchronization of zone reload and zone transfers.
* Fixed build on NetBSD 5 and FreeBSD.
* Fixed binding to both IPv4 and IPv6 at the same time on special
interfaces.
* Fixed access rights of created files.
* Semantic checks corrupted RDATA domain names which are covered by
wildcard in the same zone.
* Fixed ixfr-from-differences journal generation in case of IPSECKEY
and APL records.
* Fixed possible leak on server shutdown with a pending transfer.
* Syncing journal to zone was not updating the compiled zone database.
* Crash after IXFR in certain cases when adding RRSIG in an IXFR.
* Fixed behaviour when incoming IXFR removes a zone cut. Previously
occluded names now become properly visible. Previously led to a
crash when the server was asked for the previously occluded name.
* Fixed handling of zero-length strings in text zone dump. Caused the
compilation to fail.
* Fixed TSIG algorithm name comparison - the names should be in
canonical form.
* Fixed handling unknown RR types with type less than 251.
Other improvements:
* IXFR-in optimized.
* Many zones loading optimized.
* More detailed log messages (mostly transfer-related).
* Copying Question section to error responses.
* Using zone name from config file as default origin in zone file.
* Additional records are now added to response also from
wildcard-covered names.
* Improved user manual.
* Better checks of corrupted zone database.
-------------------------------------------------------------------
Tue Aug 28 10:02:40 UTC 2012 - pgajdos@suse.com
- fix build for older distributions (don't use %{make_install}
macro)
-------------------------------------------------------------------
Mon Jul 2 08:58:06 UTC 2012 - pgajdos@suse.com
- initial version 1.0.6