- Update from version 3.3.8 to 3.4.2
- Update of rootfile
- Changelog
3.4.2
Improvements:
- knotd: new warning log upon every incremental update if previous
zone signing failed
- mod-cookies: support for two secret values specification
- keymgr: key pregenerate works even when a KSK exists
- libs: upgraded embedded libngtcp2 to 1.8.1
Bugfixes:
- knotd: server can crash when processing just a terminal label as QNAME
- knotd: failed to compile if no atomic operations available
- kjournalprint: failed to merge zone-in-journal if followed by a
non-first changeset
- knot-exporter: faulty escape sequence in time value parsing
- knot-exporter: failed to parse zone-status output
- kxdpgun: periodic statistics doesn't work correctly for longer time
periods
3.4.1
Features:
- knotd: ACL configuration allows protocol specification (see
'acl.protocol')
- knotc: support for benevolent zone updates (see zone-begin with
'+benevolent')
- knotd: implemented TLS session resumption
- knotd: pending TLS connections leak memory when the server shuts down
- kjournalprint: added print merged changesets mode (see '-M')
- libknot: added NXNAME meta type (Thanks to Jan Včelák)
Improvements:
- knotd: DNSKEY synchronization event logs removed/added *DNSKEYs
- knotd: control command log message contains filters and flags in
the debug mode
- knotc: zone status prints running, pending, and frozen duration
- knotd,knotc: unification of control flags and filters
- keymgr: key listing reports configured keys that are inaccessible
- libs: upgraded embedded libngtcp2 to 1.8.0
- doc: various fixes and updates
Bugfixes:
- knotd: missing support for IPv6 link local address configuration
- knotd: zone reload occasionally causes a core dump #939 (Thanks to
lidcc2)
- knotd: race condition in DDNS over QUIC processing
- knotd: imperfect signal handling on some auxiliary threads
- knotd: EDNS EXPIRE not updated when zone signing results in up-to-date
- knotd: failed to reload autogenerated QUIC/TLS key after process
ownership change
- knotc: zone backup filter +keysonly doesn't disable other defaults
- kxdpgun: failed to receive more data over QUIC until 1-RTT
handshake is done
- knsupdate: memory leak if rdata parsing fails
- doc: failed to install manual pages from a tarball
- Dockerfile: TCP port 853 not exposed for DoT
3.4.0
Features:
- knotd: full DNS over TLS (DoT, RFC 7858) implementation (see 'DNS
over TLS')
- knotd: bidirectional XFR over TLS (XoT) support with opportunistic,
strict, and mutual authentication profiles
- knotd: support for DDNS over QUIC and TLS
- knotd: DNSSEC validation requires the remaining RRSIG validity is
longer than 'rrsig-refresh'
- knotd: new event for automatic DNSSEC revalidation
- knotd: if enabled DNSSEC signing, EDNS expire is adjusted to the
earliest RRSIG expiration
- knotd: added support for libdbus as an alternative to systemd dbus
(see '--enable-dbus=libdbus' configure parameter)
- knotd: new XDP-related configuration options
(see 'xdp.ring-size', 'xdp.busypoll-budget', and
'xdp.busypoll-timeout')
- knotc: new command for explicit triggering DNSSEC validation (see
'zone-validate' command)
- keymgr: SKR verification requires end of DNSKEY RRSIG validity
covers next DNSKEY snapshot
- kdig: +nocrypto applies also to CERT, DS, SSHFP, DHCID, TLSA,
ZONEMD, and TSIG
- knsupdate: added support for DDNS over QUIC and TLS (see '-Q' and
'-S' parameters)
- kxdpgun: support for reading a binary input file (see '-B' parameter)
- kxdpgun: support for output in JSON (see '-j' parameter)
- kxdpgun: support for periodical output (see '-S' parameter)
- mod-rrl: module offers limiting of non-UDP protocols based on
consumed time (see 'mod-rrl.time-rate-limit' and
'mod-rrl.time-instant-limit')
- utils: -VV option for listing compile time configuration summary
Improvements:
- knotd: up to eight DDNS queries can be queued per zone when frozen
- knotd: the number of created/validated RRSIGs is logged
- knotd: overhaul of atomic operations usage
- knotd: unified DNAME semantic errors with the CNAME ones
(see 'Handling CNAME and DNAME-related updates')
- knotd: better DDNS pre-check to prevent dropping a bulk of updates
- knotd: extended SOA presence semantic checks
- knotd: disallowed concurrent control zone and config transactions
to avoid deadlock
- knotd: disallowed opening zone transaction when blocking command is
running to avoid deadlock
- knotd: new XDP statistic counters
- knotd: remote zone serial is logged upon received incoming transfer
- knotd: zone backup stores and zone restore checks the CPU
architecture compatibility
- knotd: time configuration options support 'w', 'M', and 'y' units
- knotd: some control commands can be processed asynchronously
- knotc: zone backup overwrites already existing backupdir in the
force mode
- kdig: EDNS is enabled by default
- kdig: the default EDNS payload size was lowered to 1232
- mod-rrl: completely reimplemented UDP rate limiting using an efficient
query-counting mechanism on several address prefix lengths
- mod-rrl: module no longer requires explicit configuration
- libknot: various XDP improvements and new configuration parameters
- docker: increased -D_FORTIFY_SOURCE to 3
Bugfixes:
- knotd: deadlock during zone-ksk-submitted processing of a frozen zone
- kxdpgun: race condition in SIGUSR1 signal processing
- doc: parallel build is unreliable #928
Compatibility:
- configure: increase minimal GnuTLS version to 3.6.10
- configure: removed deprecated libidn 1 support
- configure: removed liburcu search fallback
- configure: required GCC or LLVM Clang compiler with C11 support
- knotd: removed already ignored obsolete configuration options
- keymgr: removed legacy parameter '--brief'
- kjournalprint: removed legacy parameter '--no-color'
- kjournalprint: removed legacy database specification without '--dir'
- kcatalogprint: removed legacy database specification without '--dir'
- packaging: CentOS 7, Debian 10, and Ubuntu 18.04 no longer supported
- doc: removed info pages
3.3.9
Improvements:
- libknot: added EDE code 30
- libknot: improved performance of knot_rrset_to_wire_extra()
- libs: upgraded embedded libngtcp2 to 1.7.0
- doc: various fixes and updates
Bugfixes:
- keymgr: pregenerate clears future timestamps of old keys and
creates new keys
- mod-dnsproxy: defective TSIG processing
- mod-dnsproxy: TCP not detected in the XDP mode
- kxdpgun: unsuccessful interface initialization leaks memory
- packaging: libknot not installed with python3-libknot
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / ipfire-2.x.git / commit
