authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:53:35 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:53:35 +0000
commit46ec4c5ae30e9137e303a1f7187da16da6378eb4 (patch)
tree94a4a825604057e5fda94b7249d8310605fe1c62
parentAdding upstream version 2.7.6. (diff)
Adding debian version 2.7.6-2.debian/2.7.6-2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/TODO32
-rw-r--r--debian/changelog1258
-rw-r--r--debian/clean1
-rw-r--r--debian/compat1
-rw-r--r--debian/control228
-rw-r--r--debian/copyright83
-rw-r--r--debian/docs1
-rw-r--r--debian/gbp.conf28
-rwxr-xr-xdebian/get_kaspdb59
-rwxr-xr-xdebian/get_user28
-rwxr-xr-xdebian/kasp_json2lmdb458
-rw-r--r--debian/knot-dnsutils.NEWS6
-rw-r--r--debian/knot-dnsutils.install2
-rw-r--r--debian/knot-dnsutils.manpages2
-rw-r--r--debian/knot-doc.doc-base20
-rw-r--r--debian/knot-doc.install2
-rw-r--r--debian/knot-doc.links2
-rw-r--r--debian/knot-host.NEWS6
-rw-r--r--debian/knot-host.install1
-rw-r--r--debian/knot-host.manpages1
-rw-r--r--debian/knot.NEWS12
-rw-r--r--debian/knot.default1
-rw-r--r--debian/knot.dirs1
-rw-r--r--debian/knot.init168
-rw-r--r--debian/knot.install11
-rw-r--r--debian/knot.lintian-overrides5
-rw-r--r--debian/knot.maintscript1
-rw-r--r--debian/knot.manpages7
-rw-r--r--debian/knot.postinst26
-rw-r--r--debian/knot.postrm18
-rw-r--r--debian/knot.service14
-rw-r--r--debian/knot.tmpfile2
-rw-r--r--debian/libdnssec6.install1
-rw-r--r--debian/libdnssec6.symbols109
-rw-r--r--debian/libknot-dev.install4
-rw-r--r--debian/libknot8.install1
-rw-r--r--debian/libknot8.symbols207
-rw-r--r--debian/libzscanner2.install1
-rw-r--r--debian/libzscanner2.symbols11
-rw-r--r--debian/not-installed1
-rw-r--r--debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch23
-rw-r--r--debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch129
-rw-r--r--debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch39
-rw-r--r--debian/patches/series3
-rwxr-xr-xdebian/prepare-environment38
-rwxr-xr-xdebian/rules89
-rw-r--r--debian/source/format1
-rwxr-xr-xdebian/tests/authoritative-server193
-rw-r--r--debian/tests/control5
-rwxr-xr-xdebian/tests/kdig11
-rw-r--r--debian/ufw/knot4
-rw-r--r--debian/upstream/signing-key.asc51
-rw-r--r--debian/watch4
53 files changed, 3410 insertions, 0 deletions
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 0000000..ee28e33
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,32 @@
+ * package python3-libknot
+
+ * add more autopkgtest tests
+ - set up and run an authoritative resolver
+ - do dnssec signing
+ - validate the signatures
+
+ * consider making the modules dynamic instead of static. i see three
+ possible approaches:
+
+ a) each module could ship in a separate package, and would drop
+ into the path identified by --with-moduledir=
+ (/usr/lib/$(DEB_HOST_MULTIARCH)/knot/ , currently). They would
+ be automatically loaded by knotd as long as the packages were
+ installed.
+
+ b) we could ship them all directly in the knot package. they would
+ live in /usr/lib/$(DEBHOST_MULTIARCH)/knot-$(VERSION)/ in this
+ case, and the admin would need to manually load them in
+ knot.conf.
+
+ c) we could ship them in a separate knot-modules package (one
+ bundle of all modules, located in the same place as (b)). the
+ admin would need to manually load them in knot.conf.
+
+ In either (b) or (c) we might want to change --with-moduledir to
+ point to somewhere that the admin is encouraged to edit, like
+ /etc/knot/modules or something. or maybe we should abandon
+ --with-moduledir entirely?
+
+ Transitioning from static to dynamic modules seems like an awkward
+ process, though.
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..faa1176
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1258 @@
+knot (2.7.6-2) unstable; urgency=medium
+
+ * add libsofthsm2 when testing for libdnssec/test_keystore_pkcs11
+ * Check fine-grained timestamps on zonefiles.
+ * Correct documentation about key formats
+ * Standards-Version: bump to 4.3.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 Feb 2019 16:51:08 -0500
+
+knot (2.7.6-1) unstable; urgency=medium
+
+ * new upstream release
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 08 Feb 2019 12:53:57 +0000
+
+knot (2.7.4-1) unstable; urgency=medium
+
+ * new upstream release
+ * drop patch applied upstream
+ * d/upstream/signing-key.asc: minimize OpenPGP certificate
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 Nov 2018 01:16:27 -0500
+
+knot (2.7.3-3) unstable; urgency=medium
+
+ * update build-deps and autopkgtest deps
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 08 Nov 2018 08:39:43 +0700
+
+knot (2.7.3-2) unstable; urgency=medium
+
+ * postinst: use runuser instead of su for safety and simplicity
+ * fix get_kaspdb and test it against shipped config (Closes: #912210)
+ * added Build-Depends-Package: libknot-dev to symbols files
+ * cleaner diffs: put dh args on separate lines
+ * added authoritative nameserver autopkgtest
+ * Avoid including git version in debian packages
+ * fix broken python
+ * fix up get_user
+ * autopkgtest: test upgrade/conversion tooling
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 07 Nov 2018 22:55:37 +0700
+
+knot (2.7.3-1) unstable; urgency=medium
+
+ * new upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 15 Oct 2018 17:21:51 -0400
+
+knot (2.7.2-2) unstable; urgency=medium
+
+ * d/rules: try moving DEB_HOST_ARCH check for -latomic
+ * mips and powerpc both appear to build fine without -latomic
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Aug 2018 16:07:02 -0400
+
+knot (2.7.2-1) unstable; urgency=medium
+
+ * new upstream release
+ * try to fix up architecture selection
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Aug 2018 10:34:56 -0400
+
+knot (2.7.1-3) unstable; urgency=medium
+
+ [ Daniel Salzman ]
+ * remove obsolete dependency libjansson-dev
+ * remove obsolete --with-bash-completions
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 27 Aug 2018 19:18:20 -0400
+
+knot (2.7.1-2) unstable; urgency=medium
+
+ * Standards-Version: bump to 4.2.1 (no changes needed)
+ * add -latomic to riscv64 arch as well
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 27 Aug 2018 19:06:08 -0400
+
+knot (2.7.1-1) unstable; urgency=medium
+
+ * new upstream release
+ * SONAME bumps: move to libknot8, libdnssec6, and libzscanner2
+ * adopted pykeymgr from upstream, renaming to
+ /usr/lib/knot/kasp_json2lmdb
+ * ship manpages with dh_installman
+ * kjournalprint is now a shipped as a system administration utility
+ * avoid more autogened files on package import
+ * drop THANKS, no longer shipped upstream
+ * update symbols files
+ * Standards-Version: bump to 4.2.0 (no changes needed)
+ * clean up kdns-utils description
+ * added libcap-ng to build-deps
+ * move to libidn2
+ * d/copyright: correct license of TAP sources
+ * added build-dep on libmaxminddb-dev for GeoIP module
+ * Only conditionally add -latomic based on the platform
+ * record notes about dynamic modules instead of static modules
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 Aug 2018 18:02:44 -0400
+
+knot (2.6.8-2) unstable; urgency=medium
+
+ * d/knot.NEWS: fix spelling (thanks, Lintian!)
+ * refresh patches
+ * Standards-Version: bump to 4.1.5 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 Jul 2018 16:14:48 -0400
+
+knot (2.6.8-1) unstable; urgency=medium
+
+ * New upstream version 2.6.8
+
+ -- Daniel Salzman <daniel.salzman@nic.cz> Tue, 10 Jul 2018 16:23:19 +0200
+
+knot (2.6.7-2) unstable; urgency=medium
+
+ * use knot@packages.debian.org as Maintainer (Closes: #899825)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 24 May 2018 16:00:33 -0400
+
+knot (2.6.7-1) unstable; urgency=medium
+
+ * New upstream version 2.6.7
+
+ -- Daniel Salzman <daniel.salzman@nic.cz> Thu, 17 May 2018 13:18:22 +0200
+
+knot (2.6.6-2) unstable; urgency=medium
+
+ [ Daniel Salzman ]
+ * Remove already included patches
+ * Add new symbol to libknot7.symbols
+ * Update changelog for 2.6.6-1 release
+
+ [ Daniel Kahn Gillmor ]
+ * standards-version: bump to 4.1.4 (no changes needed)
+ * clean up libknot7.symbols
+ * prepare debian release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Apr 2018 02:07:36 -0400
+
+knot (2.6.5-3) unstable; urgency=medium
+
+ * accept suggestions from the Multiarch hinter
+ * d/tests/control: rely on ca-certificates to validate the
+ DNS-over-TLS cert
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 25 Feb 2018 15:49:46 -0800
+
+knot (2.6.5-2) unstable; urgency=medium
+
+ * re-ship /usr/lib/$(DEB_HOST_MULTIARCH)/knot" (Closes: #891319)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 25 Feb 2018 10:17:49 -0800
+
+knot (2.6.5-1) unstable; urgency=medium
+
+ * new upstream release
+
+ [ Daniel Salzman ]
+ * Update uploaders and dependencies in the control file
+ * Downgrade 'Recommends' to 'Suggests' for systemd
+ * Update upstream signing key
+
+ [ Daniel Kahn Gillmor ]
+ * wrap-and-sort -ast
+ * add myself to uploaders
+ * move to debhelper 11
+ * Standards-Version: 4.1.3 (no changes needed)
+ * build-depend on python3-sphinx instead of python-sphinx
+ * d/gbp.conf: clean up, use DEP-14
+ * dh11: apply --fail-missing only to dh_missing
+ * remove doc/modules symlink on clean
+ * Use python3 instead of python2 for helper functions
+ * use python3 for pykeymgr
+ * move knot from python 2 to python 3
+ * Move python3-lmdb to Recommends
+ * d/TODO: note future debian packaging work
+ * knot-doc: use system jquery and underscore javascript
+ * include upstream VCS in git history
+ * d/control: add Rules-Requires-Root: no
+ * d/changelog: strip trailing whitespace
+ * ship upstream ChangeLog
+ * d/copyright: drop hat-trie, removed upstream
+ * d/*.NEWS: stop using asterisks
+ * stop declaring unnecessary dirs
+ * stop shipping /usr/lib/$(DEB_HOST_MULTIARCH)/knot
+ * add doc-base entry for knot-doc
+ * d/gbp.conf: improve cleanup during import-orig
+ * fix spelling errors in manpages
+ * info: fix direntry and category
+ * add really simple autopkgtest
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 22 Feb 2018 23:38:33 -0800
+
+knot (2.6.4-1) unstable; urgency=medium
+
+ * Update Vcs-* links to salsa.d.o
+ * New upstream version 2.6.4
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 04 Jan 2018 15:02:46 +0000
+
+knot (2.6.3-1) unstable; urgency=medium
+
+ * New upstream version 2.6.3
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 24 Nov 2017 15:33:43 +0000
+
+knot (2.6.1-2) unstable; urgency=medium
+
+ * Add Breaks/Replaces for libdnssec5/libknot7 to remedy botched 2.6.0-1
+ upload (Closes: #881638)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 13 Nov 2017 19:58:35 +0000
+
+knot (2.6.1-1) unstable; urgency=medium
+
+ * New upstream version 2.6.1
+ * Remove upstream patch for disabling TCP Fastopen
+
+ -- Ondřej Surý <ondrej@debian.org> Sun, 12 Nov 2017 03:11:26 +0000
+
+knot (2.6.0-3) unstable; urgency=medium
+
+ * kdig: disable TCP Fastopen by default as it breaks TLS connection
+ (Closes: #879079)
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 19 Oct 2017 08:22:18 +0000
+
+knot (2.6.0-2) unstable; urgency=medium
+
+ [ John Bond ]
+ * fix get_kasp and get_user to support unquoted ipv6 addresses
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 05 Oct 2017 13:08:26 +0000
+
+knot (2.6.0-1) unstable; urgency=medium
+
+ * New upstream version 2.6.0
+ * Enable strict symbols checking
+ * Bump libknot 6->7 and libdnssec 4->5 SONAMEs and update symbols files
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 29 Sep 2017 19:46:41 +0200
+
+knot (2.5.4-2) unstable; urgency=medium
+
+ * Drop conflicting links to dig, nsupdate and host (Closes: #741645)
+ * Build-Depend on latexmk (Closes: #872203)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 18 Sep 2017 07:11:39 +0200
+
+knot (2.5.4-1) unstable; urgency=medium
+
+ * New upstream version 2.5.4
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 01 Sep 2017 09:03:02 +0200
+
+knot (2.5.3-3) unstable; urgency=medium
+
+ * Simple rebuild to make knot-doc arch:all again.
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 26 Jul 2017 14:41:26 +0200
+
+knot (2.5.3-2) unstable; urgency=medium
+
+ * Disable dh-exec usage as #831786 breaks dh_install --fail-missing
+ (Closes: #869199)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 24 Jul 2017 10:26:09 +0200
+
+knot (2.5.3-1) unstable; urgency=medium
+
+ * New upstream version 2.5.3
+
+ -- Ondřej Surý <ondrej@debian.org> Sat, 15 Jul 2017 07:26:12 +0200
+
+knot (2.5.2-1) unstable; urgency=medium
+
+ * New upstream version 2.5.2
+ * Remove all patches merged upstream
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 23 Jun 2017 11:46:34 +0200
+
+knot (2.5.1-4) unstable; urgency=medium
+
+ * Create the modules M-A directory to workaround the bug that fails to
+ start knot when modules directory is missing
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 15 Jun 2017 11:32:09 +0200
+
+knot (2.5.1-3) unstable; urgency=medium
+
+ * Enable dnstap module and set default moduledir to multiarch path
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 15 Jun 2017 08:32:34 +0200
+
+knot (2.5.1-2) unstable; urgency=medium
+
+ * Explicitly exclude example.com.zone to support older debhelpers
+ * Add patch to fix duplicate section merging in the config
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 09 Jun 2017 13:47:17 +0200
+
+knot (2.5.1-1) unstable; urgency=medium
+
+ * New upstream version 2.5.1
+ * Remove upstream patches released as Knot DNS 2.5.1
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 07 Jun 2017 16:04:16 +0200
+
+knot (2.5.0-2) unstable; urgency=medium
+
+ * Add upstream patches to fix old DNSSEC installations
+ * Skip already converted kasp-db directories
+ * Install pykeymgr from upstream tarball
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 07 Jun 2017 14:20:38 +0200
+
+knot (2.5.0-1) unstable; urgency=medium
+
+ * New upstream version 2.5.0
+ * Update maintscript to use dh-exec and remove obsolete cruft
+ * Bump the package names for libknot and libdnssec to match new
+ SOVERSIONs
+ * Simplify d/rules overrides
+ * Remove not-installed files from d/*.install
+ * Install local copy of pykeymgr (not included in the source
+ distribution)
+ * Add python-lmdb for pykeymgr migration utility
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 07 Jun 2017 11:03:22 +0200
+
+knot (2.4.3-1) unstable; urgency=medium
+
+ * New upstream version 2.4.3
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 11 Apr 2017 21:17:47 +0200
+
+knot (2.4.2-1) unstable; urgency=medium
+
+ * New upstream version 2.4.2
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 23 Mar 2017 11:47:52 +0100
+
+knot (2.4.1-2) unstable; urgency=medium
+
+ * Enable dnstap module
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 27 Feb 2017 11:35:15 +0100
+
+knot (2.4.1-1) unstable; urgency=medium
+
+ * New upstream version 2.4.1
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 10 Feb 2017 13:54:24 +0100
+
+knot (2.4.0-3) unstable; urgency=medium
+
+ * Fix timeout call syntax in dh_auto_test invocation
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 25 Jan 2017 15:10:04 +0100
+
+knot (2.4.0-2) unstable; urgency=medium
+
+ * Add -latomic to LDFLAGS to fix FTBFS on platforms that need it
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 23 Jan 2017 11:41:59 +0100
+
+knot (2.4.0-1) unstable; urgency=medium
+
+ * Fix gbp.conf to be readable by git config --file debian/gbp.conf on Jessie
+ * New upstream version 2.4.0
+ * Bump libknot SONAME 4->5
+ * Update symbols files for 2.4.0 release
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 20 Jan 2017 12:15:30 +0100
+
+knot (2.3.3-1) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * Use secure URLs where possible
+ * Clean up debian/copyright.
+ * Drop duplicate Source: lines (clears lintian binary-control-field-duplicates-source)
+ * Avoid using asterisk in NEWS (clears lintian debian-news-entry-uses-asterisk)
+ * Knot needs a dependency on lsb-base (clears lintian init.d-script-needs-depends-on-lsb-base)
+ * Filter auto-reconfed files out during future gbp import-orig operations
+ * debian/control: clean up Description: lines
+ * Added Documentation= to knot.service
+
+ [ Ondřej Surý ]
+ * Imported Upstream version 2.3.3
+ * Add kjournalprint to knot package
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 08 Dec 2016 14:49:31 +0100
+
+knot (2.3.2-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.3.2
+ * Add new symbols to libknot4.symbols
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 04 Nov 2016 11:31:33 +0100
+
+knot (2.3.1-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.3.1
+ * Bump libknot3 to libknot4
+ * kzonecheck was moved to /usr/bin
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 10 Oct 2016 12:01:41 +0200
+
+knot (2.3.0-4) unstable; urgency=medium
+
+ * Don't fail if there's no knot user defined
+ * Don't list explicit -c or -C path and let daemon figure it out
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 15 Sep 2016 12:44:57 +0200
+
+knot (2.3.0-3) unstable; urgency=medium
+
+ * Ignore the test results if they don't finish within 5 minutes
+ * Correctly break/replace libzscanner0 that contained libzscanner.so.1
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 11 Aug 2016 08:49:25 +0200
+
+knot (2.3.0-2) unstable; urgency=medium
+
+ * Move examples to knot-doc package (fix arch-only FTBFS)
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 10 Aug 2016 10:17:17 +0200
+
+knot (2.3.0-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.3.0
+ + Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
+ (Closes: #830809)
+ * Restructure d/rules so dh_install --fail-missing works again
+ * Upstream bumped SOVERSION to libknot3, libdnssec2 and libzscanner1
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 10 Aug 2016 09:16:35 +0200
+
+knot (2.2.1-2) unstable; urgency=high
+
+ * Add texlive-generic-extra to B-D for missing iftex.sty
+ (Closes: #829428)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 11 Jul 2016 11:47:34 +0200
+
+knot (2.2.1-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.2.1
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 24 May 2016 17:48:16 +0200
+
+knot (2.2.0-3) unstable; urgency=medium
+
+ * knotc checkconf is not knotc conf-check (Closes: #823574)
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 20 May 2016 14:22:11 +0200
+
+knot (2.2.0-2) unstable; urgency=medium
+
+ * Do dbgsym migration of debug symbols
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 27 Apr 2016 17:43:59 +0200
+
+knot (2.2.0-1) unstable; urgency=medium
+
+ * confdb should be in /var/lib/knot/ by default
+ * Imported Upstream version 2.2.0
+ * Add libedit-dev to Build-Depends
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 27 Apr 2016 10:10:10 +0200
+
+knot (2.1.1-2) unstable; urgency=medium
+
+ * Add python to Depends and run wrap-and-sort -a
+ * Parse correct /etc/default/knot instead of /etc/default/knotd
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 15 Apr 2016 17:18:02 +0200
+
+knot (2.1.1-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.1.1
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 10 Feb 2016 20:01:44 +0100
+
+knot (2.1.0-3) unstable; urgency=medium
+
+ * Add small python helper programs to get values from knot.conf
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 25 Jan 2016 12:44:00 +0100
+
+knot (2.1.0-2) unstable; urgency=medium
+
+ * Revert "Run keymgr init on every upgrade (just to be sure it happens)"
+ * Add support for relative directories in kasp-db
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jan 2016 11:46:35 +0100
+
+knot (2.1.0-1) unstable; urgency=medium
+
+ * Set knot user home directory to /var/lib/knot
+ * Imported Upstream version 2.1.0
+ * Run keymgr init on every upgrade (just to be sure it happens)
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jan 2016 10:55:26 +0100
+
+knot (2.1.0~rc1-55-gf227348-1) unstable; urgency=medium
+
+ * Add libgnutls28-dev and libjansson-dev as dependencies to libknot-dev
+ to satisfy pkg-config requirements
+ * Imported Upstream version 2.1.0~rc1-55-gf227348
+ * Automatically upgrade all KASP databases found in the configuration
+ and restart the server afterwards when upgrading from 2.0.x to 2.1.x
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 13 Jan 2016 14:03:17 +0100
+
+knot (2.1.0~rc1-52-gd80ce77-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.1.0~rc1-52-gd80ce77
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 12 Jan 2016 16:56:12 +0100
+
+knot (2.0.2-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.0.2
+ * Delete d/p/series as we carry no patches
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 24 Nov 2015 19:59:56 +0100
+
+knot (2.0.1-4) unstable; urgency=medium
+
+ * Split knot-libs into individual library packages
+ * Add knot.default file and use it from systemd and init.d scripts
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 05 Oct 2015 20:34:02 +0200
+
+knot (2.0.1-3) unstable; urgency=medium
+
+ * The upstart conffile ends with .conf, fix the stale conffile removal
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 21 Sep 2015 13:54:42 +0200
+
+knot (2.0.1-2) unstable; urgency=medium
+
+ * Compile the production version with NDEBUG
+ * Remove stale upstart init script via dpkg-maintscript-helper rm_config
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 14 Sep 2015 13:41:29 +0200
+
+knot (2.0.1-1) unstable; urgency=medium
+
+ * Imported Upstream version 2.0.1
+ * Fix the do_tmpfiles() in sysvrc script (Courtesy of Daniel Baumann)
+ (Closes: #796921)
+ * Disable -pedantic as it causes errors to be thrown in the tests
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 03 Sep 2015 10:56:16 +0200
+
+knot (2.0.0-1+0) unstable; urgency=medium
+
+ * Bump the version to workaround ~exp* higher than ~bpo*
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 17 Aug 2015 15:05:37 +0200
+
+knot (2.0.0-1) unstable; urgency=medium
+
+ * New upstream version 2.0.0
+ + Bugfixes:
+ - Fix lost NOTIFY message if received during zone transfer
+ - Disable fast zone parser when compiled in Clang (workaround for Clang bug)
+ - kdig: Record correct dnstap SocketProtocol when retrying over TCP
+ - kdig: Hide TSIG section with +noall
+ - Do not set AA flag for AXFR/IXFR queries
+ + Features:
+ - DNSSEC: separate library, switch to GnuTLS, new utilities
+ - DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
+ - Configuration: New text format in YAML, binary store in LMDB
+ - Zone parser: Split long TXT/SPF strings into multiple strings
+ - kdig: Add generic dump style option (+generic)
+ - Try all master servers in multi-master environment
+ - Improved remotes and ACLs (multiple addresses, multiple keys)
+ - Basic support for zone file patterns (%s to substitute zone name)
+ - Disable zone file synchronization by setting 'zonefile_sync' to '-1'
+ - knsupdate: Add input prompt in interactive mode and 'quit' command
+ - knsupdate: Allow TSIG algorithm specification in interactive prompt
+ + Improvements:
+ - Zone dump: Do not write class for SOA record (unified with other RR types)
+ - Zone dump: Do not write master server address into the zone file
+ - Documentation: Manual pages are included in HTML and PDF
+ * Install knot1to2 configuration file conversion tool
+ * Automatically convert knot.conf with some safety-checks
+ * Add note about the conversion to debian/knot.NEWS
+ * Make the build libsystem-{daemon,journal}-dev friendly to allow Ubuntu
+ and backported builds
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 17 Aug 2015 11:56:43 +0200
+
+knot (2.0.0-1~exp2) experimental; urgency=medium
+
+ * Update prepare-environment to match the new config file syntax
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 30 Jul 2015 09:26:52 +0200
+
+knot (2.0.0-1~exp1) experimental; urgency=medium
+
+ * New upstream version 2.0.0
+ + Bugfixes:
+ - Fix lost NOTIFY message if received during zone transfer
+ - Disable fast zone parser when compiled in Clang (workaround for Clang bug)
+ - kdig: Record correct dnstap SocketProtocol when retrying over TCP
+ - kdig: Hide TSIG section with +noall
+ - Do not set AA flag for AXFR/IXFR queries
+ + Features:
+ - DNSSEC: separate library, switch to GnuTLS, new utilities
+ - DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
+ - Configuration: New text format in YAML, binary store in LMDB
+ - Zone parser: Split long TXT/SPF strings into multiple strings
+ - kdig: Add generic dump style option (+generic)
+ - Try all master servers in multi-master environment
+ - Improved remotes and ACLs (multiple addresses, multiple keys)
+ - Basic support for zone file patterns (%s to substitute zone name)
+ - Disable zone file synchronization by setting 'zonefile_sync' to '-1'
+ - knsupdate: Add input prompt in interactive mode and 'quit' command
+ - knsupdate: Allow TSIG algorithm specification in interactive prompt
+ + Improvements:
+ - Zone dump: Do not write class for SOA record (unified with other RR types)
+ - Zone dump: Do not write master server address into the zone file
+ - Documentation: Manual pages are included in HTML and PDF
+ * Install knot1to2 configuration file conversion tool
+ * Automatically convert knot.conf with some safety-checks
+ * Add note about the conversion to debian/knot.NEWS
+ * Make the build libsystem-{daemon,journal}-dev friendly to allow Ubuntu
+ and backported builds
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 29 Jun 2015 10:40:45 +0200
+
+knot (1.6.1-1) unstable; urgency=medium
+
+ * New upstream version 1.6.1
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 30 Dec 2014 09:50:54 +0100
+
+knot (1.6.0-1) unstable; urgency=medium
+
+ * New upstream version 1.6.0
+ * Switch to network-online.target to mitigate some network not-yet-ready races
+ * Recommend systemd due journald enabled logging (Closes: #766596)
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 24 Oct 2014 12:41:32 +0200
+
+knot (1.6.0~rc2-1) unstable; urgency=medium
+
+ * New upstream version 1.6.0~rc2
+ * Update patches for 1.6.0~rc2 release
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 17 Oct 2014 17:32:30 +0200
+
+knot (1.6.0~rc1-1) unstable; urgency=medium
+
+ * New upstream version 1.6.0~rc1
+ * Knot needs lmdb for persistent timers
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 13 Oct 2014 23:06:56 +0200
+
+knot (1.5.3-1) unstable; urgency=medium
+
+ * Move knot-libs to Section: net (Closes: #760795)
+ * New upstream version 1.5.3
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 15 Sep 2014 17:00:08 +0200
+
+knot (1.5.2-1) unstable; urgency=high
+
+ * Update Vcs-Urls to point to anonscm.debian.org
+ * New upstream version 1.5.2
+ + [CVE-2014-0486]: Fixed remote crash with crafted DNS message
+ * Update patches for 1.5.2 release
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 08 Sep 2014 11:11:56 +0200
+
+knot (1.5.1-3) unstable; urgency=high
+
+ * More arch/indep build rules splitting to fix binary-arch-only builds
+ * Add lintian override to override warning about internal libraries in
+ knot-libs
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 26 Aug 2014 09:43:05 +0200
+
+knot (1.5.1-2) unstable; urgency=medium
+
+ * Enable full hardening via debhelper >= 9
+ * Enable IDN in knot-dnsutils and knot-host packages
+ * Enable systemd libraries only on linux-any
+ * Split arch and indep builds to build the documentation just once
+ * Drop ragel from build depends to allow arm64 builds
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 25 Aug 2014 15:54:34 +0200
+
+knot (1.5.1-1) unstable; urgency=medium
+
+ * New upstream version 1.5.1
+ * Enable systemd notification mechanism
+ * Enable systemd journal enhanced logging
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 20 Aug 2014 10:45:18 +0200
+
+knot (1.5.0-1) unstable; urgency=medium
+
+ * New upstream version 1.5.0
+ + Features:
+ - Pluggable query processing modules
+ - Synthetic IPv4/IPv6 reverse/forward records (optional module)
+ - dnstap support in both utilities & server (optional module)
+ - NOTIFY message support and new TSIG section in kdig
+ - Multi-master support
+ - edns-client-subnet support in kdig
+ - Optional asynchronous startup (config "asynchronous-start")
+ - DDNS forwarding reimplemented
+ + Improvements:
+ - Query processing and core functionality overhaul
+ - Performance and reduced memory footprint
+ - Faster zone events scheduling
+ - RFC compliant queries/responses in some corner cases
+ - Log messages
+ - New documentation (Sphinx)
+ - Transfer sizes logged in bytes if needed
+ - Logging outgoing NOTIFY messages
+ - Logging unauthorized incoming NOTIFYs
+ - Preempt task queue for faster reload
+ - Lazy zone file write after zone transfer (governed by "zonefile-sync")
+ + Bugfixes:
+ - Close zone transfer after SERVFAIL response
+ - Incremental to full zone transfer fallback, wrong log message
+ - Zone events corner cases, reload replanning
+ - Zone flush planning after bootstrap
+ - Incorrect incoming AXFR message sizes
+ - DDNS signing changes were freed too soon, posibility of stale data
+ - knotc remote control key handling
+ * Debian packaging:
+ + d/control: New documentation is using sphinx
+ + d/control: New knot-libs package containing internal shared libraries
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 09 Jul 2014 13:08:26 +0200
+
+knot (1.4.6+hotfix-1) unstable; urgency=medium
+
+ * New upstream version 1.4.6+hotfix
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 22 May 2014 15:39:07 +0200
+
+knot (1.4.6-1) unstable; urgency=medium
+
+ * New upstream version 1.4.6
+ * Update patches for 1.4.6 release
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 22 May 2014 13:15:14 +0200
+
+knot (1.4.5-2) unstable; urgency=high
+
+ * Re-upload to fix botched amd64 upload in 1.4.5-1
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 22 Apr 2014 14:58:30 +0200
+
+knot (1.4.5-1) unstable; urgency=high
+
+ * New upstream version 1.4.5
+ + Fix possible weakness in TSIG signature checking
+ * Refresh patches for 1.4.5 release
+ * Use dh-autoreconf to regenerate autotools files
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 14 Apr 2014 15:11:12 +0200
+
+knot (1.4.4-1) unstable; urgency=medium
+
+ * New upstream version 1.4.4
+ + Server is logging remote control commands
+ + 'knotc reload' doesn't refresh unchanged zones
+ + 'knotc -f refresh' forces zone retransfer
+ + Fixed missing notifications after DDNS/automatic resign
+ + Zone is rebootstrapped if the zone file is unreadable
+ + Progressive bootstrap retry backoff
+ + Zone file parser now allows asterisk as part of the label
+ + Fix journal maximum entry size
+ + Sign DNSKEYs in non-apex nodes as regular RR sets
+ + Various spelling and typo fixes (Courtesy of Robert Edmonds)
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 27 Mar 2014 15:49:54 +0100
+
+knot (1.4.3-2) unstable; urgency=medium
+
+ * Add support for autotools-dev and dh-systemd
+ * Enable parallel builds in dh invocation
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 18 Feb 2014 13:44:13 +0100
+
+knot (1.4.3-1) unstable; urgency=low
+
+ * New upstream version 1.4.3
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 18 Feb 2014 13:03:42 +0100
+
+knot (1.4.2-1) unstable; urgency=low
+
+ * New upstream version 1.4.2
+ * Update OpenSSL << 1.0.0 compatibility patch
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 27 Jan 2014 16:14:33 +0100
+
+knot (1.4.1-2) unstable; urgency=low
+
+ * Add patch to remove the requirement for OpenSSL 1.0.0 to build on
+ Debian squeeze, be warned though that the OpenSSL before 1.0.0 might
+ manifest some threading errors and crashes, so you really should
+ upgrade your system to Debian wheezy.
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 23 Jan 2014 16:53:03 +0100
+
+knot (1.4.1-1) unstable; urgency=low
+
+ * New upstream version 1.4.1
+ + Empty APL record support
+ + 'zonestatus' when using immediate zone syncing
+ + Immediate zone syncing after reload
+ + Race condition writing time values to zone file
+ + Require OpenSSL >= 1.0.0
+ * Don't use dh-autoreconf, upstream uses recent enough autotools
+ * Bump standards version to 3.9.5
+ * Run the tests on every arch without the condition, but don't fail
+ anywhere
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 13 Jan 2014 18:00:18 +0100
+
+knot (1.4.0-1) unstable; urgency=low
+
+ * New major upstream version 1.4.0
+ + Experimental automatic DNSSEC signing
+ + Fastest ragel parser enabled by default
+ + Reduced memory usage
+ + Zone SOA SERIAL policies (INCREMENT, UNIXTIME) for DDNS and
+ automatic DNSSEC signing
+ + IDN support in Knot utilities (kdig, knsupdate, ...)
+ + DNSSEC: support for GOST algorithm
+ + Support for DNSSEC key pre-publication
+ * Remove PATH_MAX patch, it's already included in upstream
+ * Run the tests on all archs, but don't fail the build if the tests fail
+ on broken archs
+ * Update watch file to match (alpha|beta|rc)\d* versions
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 06 Jan 2014 11:00:07 +0100
+
+knot (1.4.0~rc2-1) experimental; urgency=low
+
+ * New upstream version 1.4.0~rc2
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 13 Dec 2013 17:53:26 +0100
+
+knot (1.4.0~rc1-1) experimental; urgency=low
+
+ * Disable tests on GNU Hurd
+ * New upstream version 1.4.0~rc1
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 25 Nov 2013 16:19:27 +0100
+
+knot (1.4.0~beta-1) experimental; urgency=low
+
+ * New upstream version 1.4.0~beta
+ * Update patches for 1.4.0~beta release
+ * Disable fastparser since the ragel is broken in one test
+ * Add knsec3hash to knot package
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 29 Oct 2013 12:25:49 +0100
+
+knot (1.3.4-1) unstable; urgency=low
+
+ * Disable tests on GNU Hurd
+ * New upstream version 1.3.4
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 13 Dec 2013 17:23:52 +0100
+
+knot (1.3.3-1) unstable; urgency=low
+
+ * New upstream version 1.3.3
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 28 Oct 2013 11:40:13 +0100
+
+knot (1.3.2-3) unstable; urgency=low
+
+ * Add ufw applications.d rule for Knot DNS
+ * Disable recvmmsg on GNU Hurd (since recvmmsg is not implemented on GNU
+ Hurd and will always fail)
+ * Enable fastparser (requires Ragel)
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 11 Oct 2013 17:23:35 +0200
+
+knot (1.3.2-2) unstable; urgency=low
+
+ * Define #PATH_MAX to make GNU Hurd happy
+ * Don't enable LTO, it doesn't play well with debugging symbols
+
+ -- Ondřej Surý <ondrej@debian.org> Sun, 06 Oct 2013 01:57:13 +0200
+
+knot (1.3.2-1) unstable; urgency=low
+
+ * New upstream version 1.3.2
+ * Enable link-time-optimizations by default
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 30 Sep 2013 15:04:01 +0200
+
+knot (1.3.1-1) unstable; urgency=low
+
+ * New upstream version 1.3.1
+ * Add new debian/watch file (Courtesy of Debian QA)
+ * Bump standards to 3.9.4
+ * Stop using /lib/init/vars.sh, we don't use $VERBOSE anymore anyway
+ * Drop syslog.target as it is not needed anymore
+ * Remove SSE detection patch as it was merged upstream
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 27 Aug 2013 14:27:44 +0200
+
+knot (1.3.0-2) unstable; urgency=low
+
+ * Disable SSE detection in the packaged version of Knot DNS
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 16 Aug 2013 13:04:39 +0200
+
+knot (1.3.0-1) unstable; urgency=low
+
+ * New upstream version 1.3.0
+ * Remove upstream patch from 1.3.0~rc5-2 as it is included in
+ this release.
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 05 Aug 2013 17:01:23 +0200
+
+knot (1.3.0~rc5-2) unstable; urgency=low
+
+ * Pull some pre 1.3.0 patches (mainly to test before release):
+ + Initialize secondary groups for user <user>.<group>.
+ + Reworked CH TXT records support (RFC 4892).
+ + Fixed inactive xfers may be disconnected depending on the previous
+ result.
+ + Add server starting information to log.
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 05 Aug 2013 10:39:48 +0200
+
+knot (1.3.0~rc5-1) unstable; urgency=low
+
+ * New upstream version 1.3.0~rc5
+ * Remove last upstream patch, all our changes have been merged. Yay\!
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 29 Jul 2013 17:15:56 +0200
+
+knot (1.3.0~rc4-2) unstable; urgency=low
+
+ * Disable tests on big endian architectures (but the code still needs to
+ be fixed)
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 23 Jul 2013 14:07:39 +0200
+
+knot (1.3.0~rc4-1) unstable; urgency=low
+
+ * New upstream version 1.3.0~rc4
+ * Add upstream patch to honour CONFIG_DIR
+ * Remove now obsolete patch to run as knot:knot
+ * The knot/ is now added by upstream to @sysconfdir@
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 15 Jul 2013 15:15:05 +0200
+
+knot (1.3.0~rc3-2) unstable; urgency=low
+
+ * Add proper support for upstart and systemd along with sysvinit
+ * Add /usr/lib/knot/prepare-environment script which will parse
+ knot configuration file and properly create rundir and set
+ correct permissions to configured values in /etc/knot/knot.conf
+ * Remove /etc/default/knot since the values are now parsed
+ directly from the configuration file
+ * Add /var/lib/knot to knot.dirs, so it gets created on package
+ install
+ * Drop checking for $VERBOSE variable and properly log start/stop from
+ sysvinit script
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 02 Jul 2013 13:08:33 +0200
+
+knot (1.3.0~rc3-1) unstable; urgency=low
+
+ * New upstream version 1.3.0~rc3
+ * Packaging changes:
+ + Use --fail-missing to check for all new files
+ + Remove obsolete patches and update installed conffile with latest
+ options
+ + Don't install knot-zcompile as it is no more
+ + Install minimal example configuration file as /etc/knot/knot.conf
+ + Add --disable-silent-rules to configure invocation
+ + Add patch to fix missing $(DESTDIR) in src/Makefile.am
+ + Set --with-rundir and --with-storage to correct locations
+ + Run under knot:knot by default (create and delete knot user)
+ + Add knot-dnsutils and knot-host packages
+ + Add patch to move knot-{host,dnsutils} manpages to correct location
+ + Add samples/knot.{full,keys}.conf and example zone to examples.
+ * Add knot-doc package with generated documentation (PDF and HTML)
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 28 Jun 2013 12:59:55 +0200
+
+knot (1.2.0-2) unstable; urgency=low
+
+ * /etc/init.d/knot now sources /etc/default/knot instead of
+ /etc/init.d/knotd (Closes: #707683)
+ * Pull upstream fix for pidfile creation before dropping priviledges
+ (Closes: #707685)
+ * Enable SSE2 support again (we will simply not support anything older
+ than Pentium M)
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 26 Jun 2013 14:41:04 +0200
+
+knot (1.2.0-1) unstable; urgency=low
+
+ * Imported Upstream version 1.2.0
+ + Final release.
+ + Some small memory leaks fixes.
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 03 Apr 2013 09:16:25 +0200
+
+knot (1.2.0~rc4-1) unstable; urgency=low
+
+ * Imported Upstream version 1.2.0~rc4
+ + knotc 'zonestatus' command
+ + Changing logfile ownership before dropping privileges
+ + knotc respects 'control' section from configuration
+ + RRL: resolved bucket collisions
+ + RRL: updated bucket mapping to conform RRL technical memo
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 22 Mar 2013 15:35:50 +0100
+
+knot (1.2.0~rc3-1) unstable; urgency=low
+
+ * Imported Upstream version 1.2.0~rc3
+ + New functionality: Response Rate Limiting as a response to
+ reflection DNS DDoS attacks in the wild
+ + Add missing RRSIG in ANY queries
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 01 Mar 2013 13:24:28 +0100
+
+knot (1.2~rc2-1) unstable; urgency=low
+
+ * Imported Upstream version 1.2~rc2
+ * Fix git location
+ * Update patches for 1.2 release
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 18 Feb 2013 12:40:01 +0100
+
+knot (1.1.3-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.3
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 20 Dec 2012 10:50:41 +0100
+
+knot (1.1.3~rc1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.3~rc1
+ + Fixed answering DS queries (RRSIGs not together with DS, AA bit
+ missing).
+ + Fixed setting ARCOUNT in some error responses with EDNS enabled.
+ + Fixed crash when compiling zone zone with NSEC3PARAM but no NSEC3
+ and semantic checks enabled.
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 07 Dec 2012 11:19:35 +0100
+
+knot (1.1.2-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.2
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 21 Nov 2012 14:45:34 +0100
+
+knot (1.1.2~rc1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.2~rc1
+ * Update patches for new release
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 14 Nov 2012 14:04:17 +0100
+
+knot (1.1.1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.1
+ * Update and remove obsolete patches for new release
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 31 Oct 2012 10:42:09 +0100
+
+knot (1.1.0-5) unstable; urgency=low
+
+ * Disable SSE2 instruction set, might solve some strange crashes.
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 10 Oct 2012 13:09:54 +0200
+
+knot (1.1.0-4) unstable; urgency=low
+
+ * Disable extra hardening via dpkg-buildflags, which is not needed
+ by debhelper 9, but breaks builds on squeeze
+ * Install man5 and knot.info documentation
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 03 Sep 2012 16:43:26 +0200
+
+knot (1.1.0-3) unstable; urgency=low
+
+ * Bump dependency on debhelper >= 9
+ * Bump standards version to 3.9.3
+ * Fix installation of manpages to correct directories
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 03 Sep 2012 16:02:11 +0200
+
+knot (1.1.0-2) unstable; urgency=low
+
+ * Disable AM_MAINTAINER_MODE and re-run autoreconf -fi
+ * Enable hardening build by default
+ * Update pidfile patch to 1.1.0
+ * Cope with default MultiArch in dh_compat==9 and don't install
+ unittests* binaries
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 03 Sep 2012 15:32:53 +0200
+
+knot (1.1.0-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.0
+ - User manual now available.
+ - Optionally disable ANY queries for authoritative answers.
+ - Dropping identical records in zone and incoming transfers.
+ - Support for '/' in zone names.
+ - Generating journal from reloaded zone (EXPERIMENTAL).
+ - Outgoing-only interfaces in configuration file.
+ - Following DNAME if the synthetized name is in the same zone.
+ - IXFR-in optimized.
+ - Many zones loading optimized.
+ - Signing SOA with TSIG queries when checking zone version with master.
+ * Enable maintainer mode to generate version.texi as a workaround.
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 31 Aug 2012 16:27:07 +0200
+
+knot (1.0.6-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.6
+ - Add NSEC/NSEC3 for all wildcard CNAMEs in the response.
+ - Fixed potential problems with RCU synchronization.
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 13 Jun 2012 15:31:52 +0200
+
+knot (1.0.5-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.5
+ - Fixed bug with creating journal files which didn't get merged
+ by accident
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 17 May 2012 12:25:27 +0200
+
+knot (1.0.4-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.4
+ - Speed-up loading of many zones due parallelization
+ - Support for TLSA resource record (Type 52)
+ - New commands knotc checkzone and knotc refresh (forced update)
+ - Fixed responses to CNAME queries if the canonical name was also
+ an alias
+ - Fixed crash when NS or MX points to an alias
+ - Fixed crash when bootstraping/compiling a lot of zones
+ - Significant speed-up and memory usage reduction of IXFR-in
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 16 May 2012 09:33:26 +0200
+
+knot (1.0.3-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.3
+ - Fixed bug in non-EDNS0 queries over TCP
+ - Zone compilation time regression fixed
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 18 Apr 2012 09:06:57 +0200
+
+knot (1.0.2-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.2
+ - Bugfix release
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 13 Apr 2012 16:09:11 +0200
+
+knot (1.0.1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.1
+ - Implemented jitter to REFRESH/RETRY timers
+ - Fixed problem with creating IXFR journal for bootstrapped zone
+ - Fixed race condition in processing NOTIFY/SOA queries
+ - Fixed improper assignment of TSIG algorithm type
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 09 Mar 2012 20:18:37 +0100
+
+knot (1.0.0-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.0
+ * Update pidfile patch
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 29 Feb 2012 18:46:13 +0100
+
+knot (1.0~rc1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0~rc1
+ * Move knotd.pid to /var/run where it belongs
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 15 Feb 2012 21:12:56 +0100
+
+knot (0.9.1-3) unstable; urgency=low
+
+ * Install files into knot package (broken build after added debug
+ package)
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 23 Jan 2012 15:01:42 +0100
+
+knot (0.9.1-2) unstable; urgency=low
+
+ * Build knot-dbg package with debug symbols
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 23 Jan 2012 13:27:20 +0100
+
+knot (0.9.1-1) unstable; urgency=low
+
+ * Imported Upstream version 0.9.1
+ + RRSet rotation functionality added
+ + New pseudo-random number generator (new BSD licensed)
+ + Fixed build on BSD
+ + Fixes in parsing and dumping of some RR types
+ * Add correct git-buildpackage configuration
+ * Update copyright for new PRNG
+
+ -- Ondřej Surý <ondrej@debian.org> Sat, 21 Jan 2012 15:47:30 +0100
+
+knot (0.9-1) unstable; urgency=low
+
+ * Imported Upstream version 0.9
+ + Add TSIG support
+ + Several smaller bugfixes
+ * Add correct git-buildpackage configuration
+ * Imported Upstream version 0.9.1
+ * Update copyright for new PRNG
+
+ -- Ondřej Surý <ondrej@debian.org> Sat, 21 Jan 2012 15:46:54 +0100
+
+knot (0.8.1-1) unstable; urgency=low
+
+ * Imported Upstream version 0.8.1
+ + Correctly handle SPF resource records
+ + Fix wrong text dumping of unknown records.
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 01 Dec 2011 16:27:44 +0100
+
+knot (0.8-1) unstable; urgency=low
+
+ * Initial release (Closes: #647461)
+ * Add some dependencies in the init.d script
+ * Add flex and bison to b-d
+ * Add versioned dependency on liburcu
+ * Daemonize on the start
+ * Update copyright file to include all licenses
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 16 Nov 2011 07:14:55 +0100
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..7e5c111
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1 @@
+doc/modules
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..3f1bd7f
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,228 @@
+Source: knot
+Section: net
+Priority: optional
+Maintainer: knot packagers <knot@packages.debian.org>
+Uploaders:
+ Ondřej Surý <ondrej@debian.org>,
+ Daniel Salzman <daniel.salzman@nic.cz>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+Build-Depends-Indep:
+ ghostscript,
+ python3-sphinx,
+ texinfo,
+ texlive,
+ texlive-font-utils,
+ texlive-generic-extra,
+ texlive-latex-extra,
+Build-Depends:
+ debhelper (>= 11~),
+ latexmk,
+ libcap-ng-dev,
+ libedit-dev,
+ libfstrm-dev,
+ libgnutls28-dev,
+ libidn2-dev,
+ liblmdb-dev,
+ libmaxminddb-dev,
+ libprotobuf-c-dev,
+ libsofthsm2 <!nocheck>,
+ libsystemd-dev [linux-any] | libsystemd-daemon-dev [linux-any],
+ libsystemd-dev [linux-any] | libsystemd-journal-dev [linux-any],
+ liburcu-dev (>= 0.4),
+ pkg-config,
+ protobuf-c-compiler,
+ python3-yaml <!nocheck>,
+Standards-Version: 4.3.0
+Homepage: https://www.knot-dns.cz/
+Vcs-Browser: https://salsa.debian.org/dns-team/knot-dns
+Vcs-Git: https://salsa.debian.org/dns-team/knot-dns.git
+Rules-Requires-Root: no
+
+Package: knot
+Architecture: any
+Depends:
+ adduser,
+ libdnssec6 (= ${binary:Version}),
+ libknot8 (= ${binary:Version}),
+ libzscanner2 (= ${binary:Version}),
+ lsb-base (>= 3.0-6),
+ python3,
+ python3-yaml,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ python3-lmdb,
+Suggests:
+ systemd,
+Description: Authoritative domain name server
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+
+Package: libknot8
+Architecture: any
+Multi-Arch: same
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Section: libs
+Replaces:
+ knot-libs (<< 2.0.1-4),
+ libknot6 (<< 2.6.1-1~),
+Breaks:
+ knot-libs (<< 2.0.1-4),
+ libknot6 (<< 2.6.1-1~),
+Description: Authoritative domain name server (shared library)
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package provides libknot shared library used by Knot DNS and
+ Knot Resolver.
+
+Package: libzscanner2
+Architecture: any
+Multi-Arch: same
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Section: libs
+Replaces:
+ knot-libs (<< 2.0.1-4),
+ libzscanner0 (<< 2.3.0~),
+Breaks:
+ knot-libs (<< 2.0.1-4),
+ libzscanner0 (<< 2.3.0~),
+Description: DNS zone-parsing library from Knot
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package provides a fast zone parser shared library used by Knot
+ DNS and Knot Resolver.
+
+Package: libdnssec6
+Architecture: any
+Multi-Arch: same
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Section: libs
+Replaces:
+ knot-libs (<< 2.0.1-4),
+ libdnssec4 (<< 2.6.1-1~),
+Breaks:
+ knot-libs (<< 2.0.1-4),
+ libdnssec4 (<< 2.6.1-1~),
+Description: DNSSEC shared library from Knot
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package provides common DNSSEC shared library used by Knot DNS
+ and Knot Resolver.
+
+Package: libknot-dev
+Architecture: any
+Multi-Arch: same
+Depends:
+ libdnssec6 (= ${binary:Version}),
+ libgnutls28-dev,
+ libknot8 (= ${binary:Version}),
+ libzscanner2 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Section: libdevel
+Replaces:
+ knot-libs (<< 2.0.1-4),
+Breaks:
+ knot-libs (<< 2.0.1-4),
+Description: Knot DNS shared library development files
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package provides development files for internal common shared
+ libraries.
+
+Package: knot-dnsutils
+Architecture: any
+Depends:
+ libdnssec6 (= ${binary:Version}),
+ libknot8 (= ${binary:Version}),
+ libzscanner2 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: Clients provided with Knot DNS (kdig, knslookup, knsupdate)
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package delivers various client programs related to DNS that are
+ derived from the Knot DNS source tree.
+ .
+ - kdig - query the DNS in various ways
+ - knsupdate - perform dynamic updates (See RFC2136)
+ .
+ Those clients were designed to be 1:1 compatible with BIND dnsutils,
+ but they provide some enhancements, which are documented in respective
+ manpages.
+ .
+ WARNING: knslookup is not provided as it is considered obsolete.
+
+Package: knot-host
+Architecture: any
+Depends:
+ libdnssec6 (= ${binary:Version}),
+ libknot8 (= ${binary:Version}),
+ libzscanner2 (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: Version of 'host' bundled with Knot DNS
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package provides the 'host' program in the form that is bundled
+ with the Knot DNS. The 'host' command is designed to be 1:1
+ compatible with BIND 9.x 'host' program.
+
+Package: knot-doc
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ libjs-jquery,
+ libjs-underscore,
+ ${misc:Depends},
+Section: doc
+Description: Documentation for Knot DNS
+ Knot DNS is a fast, authoritative only, high performance, feature
+ full and open source name server.
+ .
+ Knot DNS is developed by CZ.NIC Labs, the R&D department of .CZ
+ registry and hence is well suited to run anything from the root
+ zone, the top-level domain, to many smaller standard domain names.
+ .
+ This package provides various documents that are useful for
+ maintaining a working Knot DNS installation.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..f96f58e
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,83 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Knot DNS
+Upstream-Contact: knot-dns@labs.nic.cz
+Source: https://secure.nic.cz/files/knot-dns/
+
+Files: *
+Copyright: 2011-2012 CZ.NIC, z.s.p.o.
+License: GPL-3+ with OpenSSL exception
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ In addition, as a special exception, the author of this program gives
+ permission to link the code of its release with the OpenSSL project's
+ "OpenSSL" library (or with modified versions of it that use the same
+ license as the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public License in all
+ respects for all of the code used other than "OpenSSL". If you
+ modify this file, you may extend this exception to your version of
+ the file, but you are not obligated to do so. If you do not wish to
+ do so, delete this exception statement from your version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public License
+ version 3 can be found in the file `/usr/share/common-licenses/GPL-3'.
+
+Files: tests/tap/*
+Copyright: 2000-2001, 2004, 2006-2011 Russ Allbery <rra@stanford.edu>
+License: Expat
+
+Files: src/contrib/ucw/lists.c
+Copyright: 1998 Martin Mares <mj@ucw.cz>
+License: GPL-3+
+
+Files: debian/*
+Copyright: 2011 Ondřej Surý <ondrej@debian.org>
+License: GPL-3+
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public License
+ version 3 can be found in the file `/usr/share/common-licenses/GPL-3'.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..71bf28a
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,28 @@
+[DEFAULT]
+debian-branch = debian/master
+pristine-tar = True
+upstream-vcs-tag = v%(version)s
+
+[dch]
+meta = 1
+
+[import-orig]
+filter = [
+ 'configure',
+ '*/Makefile.in',
+ '*/*/Makefile.in',
+ '*/*/*/Makefile.in',
+ 'install-sh',
+ 'ltmain.sh',
+ 'm4/libtool.m4',
+ '*/*/version.h',
+ 'src/dnssec/lib/dnssec/version.h',
+ 'INSTALL',
+ 'aclocal.m4',
+ 'ar-lib',
+ 'depcomp',
+ 'compile',
+ 'missing',
+ 'test-driver',
+ ]
+filter-pristine-tar = False
diff --git a/debian/get_kaspdb b/debian/get_kaspdb
new file mode 100755
index 0000000..5562c1d
--- /dev/null
+++ b/debian/get_kaspdb
@@ -0,0 +1,59 @@
+#!/usr/bin/python3
+
+import yaml, os.path, sys
+
+conf_file = '/etc/knot/knot.conf' if len(sys.argv) < 2 else sys.argv[1]
+ip_fields = ['listen', 'address', 'via', 'whitelist', 'network']
+
+try:
+ conf = yaml.load(open(conf_file, 'r'))
+except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ conf = False
+
+if not conf:
+ import io
+ conf_io = io.StringIO()
+ with open(conf_file) as f:
+ for line in f:
+ if line.split(':')[0].strip() not in ip_fields:
+ conf_io.write(line)
+ conf_io.seek(0)
+ try:
+ conf = yaml.load(conf_io)
+ except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ sys.exit(1)
+
+dirs = set()
+# if we have valid yaml use it
+if "template" in conf and conf["template"]:
+
+ for template in conf["template"]:
+ if "kasp-db" in template:
+ kasp_db = template["kasp-db"]
+ else:
+ continue
+
+ if not os.path.isabs(kasp_db):
+ if "storage" in template:
+ kasp_db = os.path.join(template["storage"], kasp_db)
+ else:
+ continue
+ dirs.add(kasp_db)
+
+if "zone" in conf and conf["zone"]:
+
+ for domain in conf["zone"]:
+ if "kasp-db" in domain:
+ kasp_db = domain["kasp-db"]
+ else:
+ continue
+
+ if not os.path.isabs(kasp_db):
+ if "storage" in kaspdomain:
+ kasp_db = os.path.join(domain["storage"], kasp_db)
+ else:
+ continue
+ dirs.add(kasp_db)
+
+for dir in dirs:
+ print(dir)
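Review bot: Both `yaml.load(...)` calls in debian/get_kaspdb pass no `Loader`, so on older PyYAML releases the default loader can construct arbitrary Python objects from tags in the config file, and PyYAML 6 rejects the call outright. The script only reads plain mappings and lists, so `conf = yaml.safe_load(f)` inside a `with open(conf_file) as f:` block is sufficient and also closes the handle that the first call leaks. The same two calls appear in debian/get_user. Separately, in the `zone` loop the test `if "storage" in kaspdomain:` uses a name that is never defined, so a zone with a relative `kasp-db` raises NameError; it should read `if "storage" in domain:`.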
diff --git a/debian/get_user b/debian/get_user
new file mode 100755
index 0000000..1e0f258
--- /dev/null
+++ b/debian/get_user
@@ -0,0 +1,28 @@
+#!/usr/bin/python3
+
+import yaml, sys
+
+conf_file = '/etc/knot/knot.conf' if len(sys.argv) < 2 else sys.argv[1]
+ip_fields = ['listen', 'address', 'via', 'whitelist', 'network']
+
+try:
+ conf = yaml.load(open(conf_file, 'r'))
+except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ conf = False
+
+if not conf:
+ import io
+ conf_io = io.StringIO()
+ with open(conf_file) as f:
+ for line in f:
+ if line.split(':')[0].strip() not in ip_fields:
+ conf_io.write(line)
+ conf_io.seek(0)
+ try:
+ conf = yaml.load(conf_io)
+ except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+ sys.exit(1)
+
+if "server" in conf and conf["server"]:
+ if "user" in conf["server"] and conf["server"]["user"]:
+ print(conf["server"]["user"].split(":")[0].split(".")[0])
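Review bot: The two `except` clauses in debian/get_user catch only `yaml.scanner.ScannerError` and `yaml.parser.ParserError`, so any other YAML error, or an unreadable `conf_file`, ends in a traceback rather than the `sys.exit(1)` path. Catching the base class with `except yaml.YAMLError:` and handling `OSError` from `open` would make the failure mode uniform for whatever calls this script. The final block also assumes the parsed document is a mapping. A guard such as `if isinstance(conf, dict) and conf.get("server"):` would avoid a TypeError when the top level is a scalar or `server` is not a mapping, though whether such configs occur in practice cannot be told from this hunk.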
diff --git a/debian/kasp_json2lmdb b/debian/kasp_json2lmdb
new file mode 100755
index 0000000..f6aa785
--- /dev/null
+++ b/debian/kasp_json2lmdb
@@ -0,0 +1,458 @@
+#!/usr/bin/env python3
+# vim: et ts=4 sw=4 sts=4
+#
+# import from obsolete JSON KASP to LMDB-beckended KASP database.
+#
+
+from __future__ import print_function
+
+import datetime
+import time
+import json
+import sys
+import re
+import glob
+import argparse
+import time
+import traceback
+import os
+import hashlib
+import importlib
+import codecs
+
+opt_force = False
+lmdb = None
+
+def lmdb_requirement():
+ global lmdb
+
+ try:
+ lmdb = importlib.import_module('lmdb')
+ except ImportError:
+ print("Error: unable to import module LMDB.")
+ print("Probably you need to 'apt install python3-lmdb'.")
+ sys.exit(10)
+
+# workarounding that python 2 doesn't have int.to_bytes()
+def to_bytes(n, length, endianness='big'):
+ h = '%x' % n
+ assert len(h) <= length * 2
+ s = ('0'*(len(h) % 2) + h).zfill(length * 2)
+ if sys.version_info >= (3,0):
+ sb = codecs.decode(s, 'hex')
+ else:
+ sb = s.decode('hex')
+ return bytearray(sb) if endianness == 'big' else bytearray(sb[::-1])
+
+def from_bytes(ba, endianness='big'):
+ x = ba if endianness == 'big' else bytearray(s[::-1])
+ if sys.version_info >= (3,0):
+ hx = codecs.encode(x, 'hex')
+ else:
+ hx = str(x).encode('hex')
+ return int(hx, 16)
+
+# aka knot_dname_from_str_alloc()
+def str2dname(s):
+ if s.endswith('.') is False:
+ s += '.'
+ res = bytearray(b"")
+ nodes = s.lower().split('.')
+ if nodes[-1] != "":
+ nodes.append("")
+
+ for node in nodes:
+ res.append(len(node))
+ res.extend(bytearray(node.lower(), 'ascii'))
+
+ return res
+
+def dname2str(dn):
+ res = ""
+ beg = 0
+ end = ord(dn[0]) + 1
+ while ord(dn[beg]) > 0:
+ res += str(dn[beg+1:end]) + "."
+ beg = end
+ end = beg + ord(dn[beg]) + 1
+
+ return res
+
+# this is just helper for shuffling time
+def shuffle_unixtime(base_time, shuffle_years, shuffle_months):
+ rsm = shuffle_months + 12 * shuffle_years
+ dt = datetime.datetime.fromtimestamp(base_time)
+ newmonth = (dt.month - 1 + rsm) % 12 + 1 # in python, % always returns [0, 11]
+ sameyear = dt.month + rsm % 12
+ newyear = dt.year + rsm // 12 + (0 if sameyear in range(1, 13) else 1) # in python, (-1)//12 = -1
+ dt2 = dt.replace(month=newmonth, year=newyear)
+ print(dt2.month, "/", dt2.year)
+ ttuple = dt2.timetuple()
+ return int(time.mktime(ttuple))
+
+def timespec2unix(spec):
+ if re.match(r"^\d+$", spec):
+ return int(spec)
+
+ now = int(time.time())
+ s = re.sub(r"^now", "t", spec)
+ if s == "t":
+ return now
+
+ unitmap = { "" : 1, "mi" : 60, "h" : 3600, "d" : 86400 }
+ unitmap_mo = { "mo" : 1, "y" : 12 }
+
+ if re.match(r"^t[-+]\d+", s):
+ unit = re.sub(r"^t[-+]\d+", "", s)
+ cutend = len(s) if unit == "" else -len(unit)
+ if unit in list(unitmap.keys()):
+ return now + int(s[1:cutend]) * unitmap[unit]
+ elif unit in list(unitmap_mo.keys()):
+ return shuffle_unixtime(now, 0, int(s[1:cutend]) * unitmap_mo[unit])
+ else:
+ print("Error in time unit specification")
+
+ print("Error in time specification")
+
+class Keykey:
+ '''Kasp DB key serialized (type, zone_name, key_id)'''
+
+ def __init__(self, raw_bytearray):
+ self.raw = bytearray(raw_bytearray)
+
+ @classmethod
+ def from_params(self, valtype, zone_name, key_id):
+ selfraw = to_bytes(valtype, 1)
+ if zone_name is not None:
+ selfraw.extend(zone_name)
+ if key_id is not None:
+ selfraw.extend(bytearray(key_id.encode("ascii")))
+ selfraw.append(0)
+ return Keykey(selfraw)
+
+ def getRaw(self):
+ return bytearray(self.raw)
+
+ def getType(self):
+ return self.raw[0]
+
+ def __getSplit(self):
+ x = self.raw.find(to_bytes(0, 1))
+ assert x > 0
+ return x + 1
+
+ def getZone(self):
+ if self.getType() == 2:
+ return None
+ return str(self.raw[1:self.__getSplit()])
+
+ def getKeyid(self):
+ if self.getType() != 1:
+ return None
+ return str(self.raw[self.__getSplit():])
+
+class Keyparams:
+ '''Serialized key parameters for kasp-db.'''
+
+ def __init__(self, raw_bytearray):
+ self.raw = bytearray(raw_bytearray)
+ self.timers_dict = { "created" : [ 0, 20, 28 ],
+ "publish" : [ 1, 28, 36 ],
+ "ready" : [ 2, 36, 44 ],
+ "active" : [ 3, 44, 52 ],
+ "retire" : [ 4, 52, 60 ],
+ "remove" : [ 5, 60, 68 ] }
+
+ @classmethod
+ def from_params(self, pubkey, keytag, algorithm, isksk, timers):
+ assert len(timers) == 6
+ if sys.version_info >= (3,0):
+ pk = codecs.decode(bytearray(pubkey, 'ascii'), "base64")
+ else:
+ pk = pubkey.decode("base64")
+ selfraw = to_bytes(len(pk), 8)
+ selfraw.extend(to_bytes(0, 8)) # zero length of unused-future
+ selfraw.extend(to_bytes(int(keytag), 2))
+ selfraw.extend(to_bytes(int(algorithm), 1))
+ selfraw.extend(to_bytes((1 if isksk else 0), 1))
+ for t in timers:
+ if t < 0:
+ print("keytag=%i timers=(%i, %i, %i, %i, %i, %i)" % (keytag,
+ timers[0], timers[1], timers[2], timers[3], timers[4], timers[5]))
+ assert False
+ selfraw.extend(to_bytes(t, 8))
+ selfraw.extend(pk)
+ return Keyparams(selfraw)
+
+ def _check(self):
+ assert len(self.raw) >= 16
+ pkl = from_bytes(self.raw[0:8])
+ ufl = from_bytes(self.raw[8:16])
+ assert len(self.raw) == 68 + pkl + ufl
+ assert self.raw[19] < 2
+
+ def getRaw(self):
+ self._check()
+ return bytearray(self.raw)
+
+ def getAlgorithm(self):
+ self._check()
+ return int(self.raw[18])
+
+ def setAlgorithm(self, algorithm):
+ self._check()
+ self.raw[18] = to_bytes(algorithm, 1)[0]
+
+ def isKSK(self):
+ self._check()
+ return 1 if self.raw[19] != 0 else 0
+
+ def setKSK(self, isksk):
+ self._check()
+ self.raw[11] = (b"\01" if isksk else b"\00")[0]
+
+ def getKeytag(self):
+ self._check()
+ return from_bytes(self.raw[16:18])
+
+ def setKeytag(self, keytag):
+ self._check()
+ self.raw[16:18] = to_bytes(keytag, 2)
+
+ def getTimers(self):
+ self._check()
+ res = [ 0, 0, 0, 0, 0, 0 ]
+ for i, x, y in list(self.timers_dict.values()):
+ res[i] = from_bytes(self.raw[x:y])
+ return res
+
+ def getTimersString(self):
+ self._check()
+ res = "["
+ for ti in list(self.timers_dict.keys()):
+ _, x, y = self.timers_dict[ti];
+ res += (" " if res == "[" else ", ") + ti + ": " + str(from_bytes(self.raw[x:y]))
+ return res + " ]"
+
+ def setTimers(self, timers):
+ self._check()
+ assert len(timers) == 5
+ for i, x, y in list(self.timers_dict.values()):
+ self.raw[x:y] = to_bytes(timers[i], 8)
+
+ def getPubKey(self):
+ self._check()
+ pkl = from_bytes(self.raw[0:8])
+ return self.raw[68:68+pkl].encode("base64")
+
+ def getParams(self):
+ return [ self.getPubKey(), self.getKeytag(), self.getAlgorithm(),
+ self.isKSK(), self.getTimers() ];
+
+ def setByParamName(self, param_name, new_val):
+ if param_name == "algorithm":
+ self.setAlgorithm(int(new_val))
+ elif param_name == "isksk":
+ if new_val in ("1", "True", "true", "on", "yes", "Yes"):
+ self.setKSK(True)
+ elif new_val in ("0", "False", "false", "off", "no", "No"):
+ self.setKSK(False)
+ else:
+ print("Error: bad true/false value", new_val)
+ elif param_name == "keytag":
+ self.setKeytag(int(new_val))
+ elif param_name in list(self.timers_dict.keys()):
+ _, x, y = self.timers_dict[param_name]
+ self.raw[x:y] = to_bytes(timespec2unix(new_val), 8)
+ else:
+ print("Error: bad parameter", param_name)
+
+ def computeDS(self, zone_str, digestalg):
+ ds_raw = bytearray(str2dname(zone_str))
+ ds_raw.extend(to_bytes(257 if self.isKSK() else 256, 2))
+ ds_raw.extend(b"\x03") # protocol is always == 3
+ ds_raw.extend(self.raw[18:19]) # algorithm
+ pkl = from_bytes(self.raw[0:8])
+ ds_raw.extend(self.raw[68:68+pkl]) # pubkey
+ if digestalg == "sha1":
+ ds_hash = hashlib.sha1(ds_raw).hexdigest()
+ algno = " 1 "
+ elif digestalg == "sha256":
+ ds_hash = hashlib.sha256(ds_raw).hexdigest()
+ algno = " 2 "
+ elif digestalg == "sha384":
+ ds_hash = hashlib.sha384(ds_raw).hexdigest()
+ algno = " 4 "
+ else:
+ print("Error: bad DS digest algorith", ds_hash)
+ return
+ return zone_str + ' DS ' + str(self.getKeytag()) + ' ' + str(self.getAlgorithm()) + algno + ds_hash
+
+ def isPublished(self, moment):
+ tmrs = self.getTimers()
+ if tmrs[self.timers_dict["publish"][0]] <= moment:
+ if moment < tmrs[self.timers_dict["remove"][0]]:
+ return True
+ return False
+
+ def isReady(self, moment):
+ tmrs = self.getTimers()
+ if tmrs[self.timers_dict["ready"][0]] <= moment:
+ if moment < tmrs[self.timers_dict["ready"][0]]:
+ return True
+ return False
+
+ def isActive(self, moment):
+ tmrs = self.getTimers()
+ if tmrs[self.timers_dict["active"][0]] <= moment:
+ if moment < tmrs[self.timers_dict["retire"][0]]:
+ return True
+ return False
+
+ def isRetired(self, moment):
+ tmrs = self.getTimers()
+ if tmrs[self.timers_dict["retire"][0]] <= moment:
+ return True
+ return False
+
+ def isRemoved(self, moment):
+ tmrs = self.getTimers()
+ if tmrs[self.timers_dict["remove"][0]] <= moment:
+ return True
+ return False
+
+# static: just for use in following method
+def arr_ind2unix(arr, ind, defaul):
+ try:
+ ttuple = datetime.datetime.strptime(arr[ind], "%Y-%m-%dT%H:%M:%S+0000").timetuple()
+ res = int(time.mktime(ttuple))
+ return res if res >= 0 else 0
+ except KeyError:
+ return defaul
+
+def import_nsec3salt(keys, env, db_keys, zname):
+ try:
+ with lmdb.Transaction(env, db_keys, write=True) as txn_keys:
+ dbk1 = Keykey.from_params(3, zname, None).getRaw()
+ dbv1 = keys["nsec3_salt"]
+ if dbv1 is None:
+ return
+ if sys.version_info >= (3,0):
+ dbv1d = codecs.decode(bytearray(dbv1, 'ascii'), "base64")
+ else:
+ dbv1d = dbv1.decode("base64")
+ txn_keys.put(dbk1, dbv1d, dupdata=False, overwrite=True)
+
+ dbk2 = Keykey.from_params(4, zname, None).getRaw()
+ dbv2 = to_bytes(arr_ind2unix(keys, "nsec3_salt_created", 0), 8)
+ txn_keys.put(dbk2, dbv2, dupdata=False, overwrite=True)
+ except (KeyError, AttributeError):
+ pass # nsec3salt not configured or set to null, no problem
+
+# import single JSON zone config into open LMDB env
+def import_file(fname, env, db_keys):
+ try:
+ with open(fname) as f:
+ keys = json.load(f)
+
+ except ValueError:
+ print("Warning: not imported ", fname)
+ return False
+
+ try:
+ zname_str = re.sub(r'^zone_', '', re.sub(r'\.json$', '', re.sub(r'.*/', '', fname)))
+ print("Importing zone", zname_str)
+ zname = str2dname(zname_str)
+ import_nsec3salt(keys, env, db_keys, zname)
+
+ import_now = int(time.time())
+
+ for key in keys["keys"]:
+ dbk3 = Keykey.from_params(1, zname, key["id"]).getRaw()
+
+ infty = 0x00ffffffffffff00 # time infinity, this is year 142'715'360
+
+ dbv3 = Keyparams.from_params(key["public_key"], key["keytag"],
+ key["algorithm"], key["ksk"], [
+ arr_ind2unix(key, "created", 0),
+ arr_ind2unix(key, "publish", 0),
+ arr_ind2unix(key, "active", 0), # taking active for ready
+ arr_ind2unix(key, "active", 0),
+ arr_ind2unix(key, "retire", infty),
+ arr_ind2unix(key, "remove", infty)
+ ])
+
+ if dbv3.isRemoved(import_now):
+ continue
+
+ with lmdb.Transaction(env, db_keys, write=True) as txn_keys:
+ txn_keys.put(dbk3, dbv3.getRaw(), dupdata=False, overwrite=True)
+
+ except (KeyError, KeyboardInterrupt, TypeError):
+ print("Warning: not imported ", fname)
+ return False
+
+ return True
+
+def import_dir(dirname):
+ print("Importing json key config in", dirname)
+ if os.path.isfile(dirname + "/data.mdb"):
+ print("Warning: LMDB key configuration in", dirname, "already exists.")
+ if opt_force:
+ print("...deleting it.")
+ os.remove(dirname + "/data.mdb")
+ os.remove(dirname + "/lock.mdb")
+ else:
+ print("If you want to delete it and import again, use 'force' option.")
+ return False
+
+ env = lmdb.open(dirname, max_dbs=2, map_size=500*1024*1024)
+ db_keys = env.open_db(b"keys_db")
+ something_imported = False
+ for json_file in glob.glob(dirname + "/*.json"):
+ something_imported = import_file(json_file, env, db_keys) or something_imported
+
+ if not something_imported:
+ print("Warning: nothing imported in", dirname)
+
+class VersionAction(argparse.Action):
+ def __init__(self, option_strings, version=None, dest=argparse.SUPPRESS,
+ default=argparse.SUPPRESS, help="show program's version number and exit"):
+ super(VersionAction, self).__init__(option_strings=option_strings, dest=dest,
+ default=default, nargs=0, help=help)
+ self.version = version
+
+ def __call__(self, parser, namespace, values, option_string=None):
+ version = self.version
+ if version is None:
+ version = parser.version
+ formatter = parser._get_formatter()
+ formatter.add_text(version)
+ sys.stdout.write(formatter.format_help())
+ sys.exit(0)
+
+def main():
+ global opt_force
+ parser = argparse.ArgumentParser(description="Knot DNSSEC KASP converter (JSON to LMDB)",
+ formatter_class=argparse.RawTextHelpFormatter)
+ parser.add_argument("-i", "--import", action="append", nargs="?", dest="importdir",
+ help='''Import zone-key configuration from JSON.
+Syntax: -i <key_dir>
+(You can import multiple key_dirs at once by repeating this option.)''')
+ parser.add_argument("-f", "--force", action="store_true", dest="force", help="Do stuff even if dangerous.")
+ parser.add_argument("-V", "--version", action=VersionAction, version="knot KASP legacy JSON importer (debian support for Knot DNS), version 2.7.1")
+ args = parser.parse_args()
+ opt_force = args.force
+
+ if args.importdir is not None:
+ lmdb_requirement()
+ if isinstance(args.importdir, (list, tuple)):
+ importdir = args.importdir
+ else:
+ importdir = [args.importdir]
+
+ for dirn in importdir:
+ import_dir(dirn)
+
+if __name__ == "__main__":
+ main()
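Review bot: `arr_ind2unix` parses timestamps whose format string ends in a literal `+0000` (UTC) but converts them with `time.mktime`, which interprets the tuple as local time, so on a host whose timezone is not UTC every imported key timer (publish, active, retire, remove) is shifted by the local offset. Use `res = calendar.timegm(ttuple)` instead, with `import calendar` added to the import list at the top of the script. Separately, `Keyparams.setKSK` writes `self.raw[11]`, while `_check` and `isKSK` read the flag at index 19, so a call would alter the unused-future length field and leave the flag unchanged; it should be `self.raw[19] = 1 if isksk else 0`. `from_bytes` references an undefined `s` in its little-endian branch (it should be `ba`), and `isReady` compares `moment` against the `ready` timer on both sides, so it can never return True.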
diff --git a/debian/knot-dnsutils.NEWS b/debian/knot-dnsutils.NEWS
new file mode 100644
index 0000000..20045dc
--- /dev/null
+++ b/debian/knot-dnsutils.NEWS
@@ -0,0 +1,6 @@
+knot (2.5.4-2) unstable; urgency=medium
+
+ The compatibility links with dig and nsupdate has been dropped
+ in favour of coinstallability with dnsutils (from BIND9).
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 18 Sep 2017 07:07:49 +0200
diff --git a/debian/knot-dnsutils.install b/debian/knot-dnsutils.install
new file mode 100644
index 0000000..960fa92
--- /dev/null
+++ b/debian/knot-dnsutils.install
@@ -0,0 +1,2 @@
+usr/bin/kdig
+usr/bin/knsupdate
diff --git a/debian/knot-dnsutils.manpages b/debian/knot-dnsutils.manpages
new file mode 100644
index 0000000..3cc29ec
--- /dev/null
+++ b/debian/knot-dnsutils.manpages
@@ -0,0 +1,2 @@
+usr/share/man/man1/kdig.1
+usr/share/man/man1/knsupdate.1
diff --git a/debian/knot-doc.doc-base b/debian/knot-doc.doc-base
new file mode 100644
index 0000000..c137e28
--- /dev/null
+++ b/debian/knot-doc.doc-base
@@ -0,0 +1,20 @@
+Document: knot
+Title: Documentation for the Knot authoritative DNS server
+Author: Knot DNS authors at CZ.NIC Labs (https://www.knot-dns.cz)
+Abstract: Knot DNS is a high-performance open-source authoritative DNS server
+Section: Network/Communication
+
+Format: HTML
+Index: /usr/share/doc/knot-doc/index.html
+Files: /usr/share/doc/knot-doc
+
+Format: PDF
+Files: /usr/share/doc/knot-doc/knot.pdf.gz
+
+Format: Info
+Files: /usr/share/info/knot.info.gz
+Index: /usr/share/info/knot.info.gz
+
+Format: Text
+Index: /usr/share/doc/knot-doc/_sources/index.rst.txt
+Files: /usr/share/doc/knot-doc/_sources/
diff --git a/debian/knot-doc.install b/debian/knot-doc.install
new file mode 100644
index 0000000..c19da52
--- /dev/null
+++ b/debian/knot-doc.install
@@ -0,0 +1,2 @@
+usr/share/doc/knot/* /usr/share/doc/knot-doc/
+usr/share/info
diff --git a/debian/knot-doc.links b/debian/knot-doc.links
new file mode 100644
index 0000000..3949022
--- /dev/null
+++ b/debian/knot-doc.links
@@ -0,0 +1,2 @@
+usr/share/javascript/jquery/jquery.min.js usr/share/doc/knot-doc/_static/jquery.js
+usr/share/javascript/underscore/underscore.min.js usr/share/doc/knot-doc/_static/underscore.js
diff --git a/debian/knot-host.NEWS b/debian/knot-host.NEWS
new file mode 100644
index 0000000..20045dc
--- /dev/null
+++ b/debian/knot-host.NEWS
@@ -0,0 +1,6 @@
+knot (2.5.4-2) unstable; urgency=medium
+
+ The compatibility links with dig and nsupdate has been dropped
+ in favour of coinstallability with dnsutils (from BIND9).
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 18 Sep 2017 07:07:49 +0200
diff --git a/debian/knot-host.install b/debian/knot-host.install
new file mode 100644
index 0000000..51bacf0
--- /dev/null
+++ b/debian/knot-host.install
@@ -0,0 +1 @@
+usr/bin/khost
diff --git a/debian/knot-host.manpages b/debian/knot-host.manpages
new file mode 100644
index 0000000..4891e2c
--- /dev/null
+++ b/debian/knot-host.manpages
@@ -0,0 +1 @@
+usr/share/man/man1/khost.1
diff --git a/debian/knot.NEWS b/debian/knot.NEWS
new file mode 100644
index 0000000..fa22ec4
--- /dev/null
+++ b/debian/knot.NEWS
@@ -0,0 +1,12 @@
+knot (2.0.0-1) unstable; urgency=medium
+
+ The configuration file format has changed with Knot DNS 2.0 release.
+ The knot1to2 conversion tools has been provided for your convenience
+ and the package will automatically save the existing configuration
+ file to /var/backups/knot/<TIMESTAMP> directory and convert the
+ configuration file into the new format. The Knot DNS team worked
+ hard to make this transition as smooth as possible, but you are
+ strongly advised to check the results if everything went as
+ expected.
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 29 Jun 2015 10:36:08 +0200
diff --git a/debian/knot.default b/debian/knot.default
new file mode 100644
index 0000000..12d6cc5
--- /dev/null
+++ b/debian/knot.default
@@ -0,0 +1 @@
+KNOTD_ARGS=""
diff --git a/debian/knot.dirs b/debian/knot.dirs
new file mode 100644
index 0000000..6e937aa
--- /dev/null
+++ b/debian/knot.dirs
@@ -0,0 +1 @@
+var/lib/knot
diff --git a/debian/knot.init b/debian/knot.init
new file mode 100644
index 0000000..ec6e3f5
--- /dev/null
+++ b/debian/knot.init
@@ -0,0 +1,168 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: knot
+# Required-Start: $network $local_fs $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: authoritative domain name server
+# Description: Knot DNS is a authoritative-only domain name server
+### END INIT INFO
+
+# Author: Ondřej Surý <ondrej@debian.org>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="Knot DNS server" # Introduce a short description here
+NAME=knotd # Introduce the short server's name here
+DAEMON=/usr/sbin/$NAME # Introduce the server's location here
+PIDFILE=/run/knot/knot.pid
+SCRIPTNAME=/etc/init.d/knot
+KNOTC=/usr/sbin/knotc
+
+# Exit if the package is not installed
+[ -x $DAEMON ] || exit 0
+
+KNOTD_ARGS="-c /etc/knot/knot.conf"
+
+# Read configuration variable file if it is present
+[ -r /etc/default/knot ] && . /etc/default/knot
+
+DAEMON_ARGS="-d $KNOTD_ARGS"
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ $KNOTC status >/dev/null 2>/dev/null \
+ && return 1
+
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+
+ $KNOTC status >/dev/null 2>/dev/null \
+ || return 1
+
+ $KNOTC stop >/dev/null
+ RETVAL="$?"
+ [ $? = 1 ] && return 2
+
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return 0
+}
+
+do_reload() {
+ $KNOTC reload >/dev/null
+ return $?
+}
+
+do_tmpfiles() {
+ local type path mode user group age argument
+ if [ -r "$1" ]; then
+ if [ -x /bin/systemd-tmpfiles ]; then
+ /bin/systemd-tmpfiles --create "$1"
+ else
+ while read type path mode user group age argument; do
+ case "$type" in
+ d)
+ mkdir -p "$path";
+ chmod "$mode" "$path";
+ chown "$user:$group" "$path";
+ ;;
+ \#*)
+ ;;
+ *)
+ log_warning_msg "tmpfile.d type '$type' is not supported yet"
+ ;;
+ esac
+ done < "$1"
+ fi
+ else
+ log_warning_msg "tmpfiles.d file '$1' doesn't exist or is not readable"
+ fi
+}
+
+case "$1" in
+ start)
+ do_tmpfiles /usr/lib/tmpfiles.d/knot.conf
+ log_daemon_msg "Starting $DESC " "$NAME"
+ do_start
+ case "$?" in
+ 0|1) log_end_msg 0 ;;
+ 2) log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) log_end_msg 0 ;;
+ 2) log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ STATUS=$($KNOTC status 2>&1 >/dev/null)
+ RETVAL=$?
+ if [ $RETVAL = 0 ]; then
+ log_success_msg "$NAME is running"
+ else
+ log_failure_msg "$NAME is not running ($STATUS)"
+ fi
+ exit $RETVAL
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
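Review bot: In `do_stop`, `[ $? = 1 ] && return 2` runs after `RETVAL="$?"`, so `$?` at that point is the status of the assignment (always 0) and a failed `knotc stop` is never reported; the function goes on to remove the pid file and returns 0. Test the saved value instead: `[ "$RETVAL" = 1 ] && return 2`, or `[ "$RETVAL" -ne 0 ] && return 2` if any non-zero status should count as a failure. In `do_tmpfiles`, `while read type path mode user group age argument` should use `read -r` so that backslashes in a tmpfiles.d entry are not interpreted before the values reach `mkdir`, `chmod` and `chown`.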
diff --git a/debian/knot.install b/debian/knot.install
new file mode 100644
index 0000000..57c6815
--- /dev/null
+++ b/debian/knot.install
@@ -0,0 +1,11 @@
+debian/get_kaspdb usr/lib/knot/
+debian/get_user usr/lib/knot/
+debian/kasp_json2lmdb usr/lib/knot/
+debian/ufw/knot etc/ufw/applications.d/
+etc/knot/knot.conf
+usr/bin/knsec3hash
+usr/bin/kzonecheck
+usr/sbin/keymgr
+usr/sbin/kjournalprint
+usr/sbin/knotc
+usr/sbin/knotd
diff --git a/debian/knot.lintian-overrides b/debian/knot.lintian-overrides
new file mode 100644
index 0000000..5ac0537
--- /dev/null
+++ b/debian/knot.lintian-overrides
@@ -0,0 +1,5 @@
+# knot currently requires that the MODULE_DIR exists, even if it
+# is empty:
+# https://gitlab.labs.nic.cz/knot/knot-dns/issues/567
+# https://bugs.debian.org/891319
+knot: package-contains-empty-directory usr/lib/*/knot/
diff --git a/debian/knot.maintscript b/debian/knot.maintscript
new file mode 100644
index 0000000..42bc330
--- /dev/null
+++ b/debian/knot.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/init/knot.conf 2.0.0-1~
diff --git a/debian/knot.manpages b/debian/knot.manpages
new file mode 100644
index 0000000..bb40303
--- /dev/null
+++ b/debian/knot.manpages
@@ -0,0 +1,7 @@
+usr/share/man/man1/knsec3hash.1
+usr/share/man/man1/kzonecheck.1
+usr/share/man/man5/knot.conf.5
+usr/share/man/man8/keymgr.8
+usr/share/man/man8/kjournalprint.8
+usr/share/man/man8/knotc.8
+usr/share/man/man8/knotd.8
diff --git a/debian/knot.postinst b/debian/knot.postinst
new file mode 100644
index 0000000..7a69d85
--- /dev/null
+++ b/debian/knot.postinst
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "configure" ]; then
+ if ! getent passwd knot > /dev/null; then
+ adduser --quiet --system --group --no-create-home --home /var/lib/knot knot
+ fi
+
+ dpkg-statoverride --list /var/lib/knot > /dev/null || dpkg-statoverride --update --add knot knot 0755 /var/lib/knot
+ dpkg-statoverride --list /etc/knot/knot.conf > /dev/null || dpkg-statoverride --update --add knot knot 0640 /etc/knot/knot.conf
+ dpkg-statoverride --list /etc/knot > /dev/null || dpkg-statoverride --update --add knot knot 0750 /etc/knot
+fi
+
+if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.5.0-1~"; then
+ KNOT_USER=$(/usr/lib/knot/get_user 2>/dev/null || echo "knot")
+
+ /usr/lib/knot/get_kaspdb | while read KASPDB; do
+ if [ ! -f "${KASPDB}/data.mdb" ]; then
+ runuser -u "${KNOT_USER}" -- /usr/lib/knot/kasp_json2lmdb -i "${KASPDB}"
+ fi
+ done
+fi
+
+#DEBHELPER#
+
+exit 0
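Review bot: `KNOT_USER=$(/usr/lib/knot/get_user 2>/dev/null || echo "knot")` falls back to `knot` only when get_user exits non-zero, but debian/get_user exits 0 and prints nothing when knot.conf has no `server.user`, which leaves `KNOT_USER` empty for `runuser -u`. Add `KNOT_USER=${KNOT_USER:-knot}` after the assignment. The account name and the kasp-db directories both come from /etc/knot/knot.conf, which the statoverride lines above hand to the knot account, so it is worth confirming the name with `getent passwd "$KNOT_USER" >/dev/null` before passing it to runuser. `while read KASPDB` should also be `while read -r KASPDB`.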
diff --git a/debian/knot.postrm b/debian/knot.postrm
new file mode 100644
index 0000000..76dccba
--- /dev/null
+++ b/debian/knot.postrm
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+if test "$1" = "purge"; then
+ spool=/var/lib/knot
+ rm -rf $spool/timers $spool/keys $spool/journal
+ rmdir $spool 2>/dev/null || true
+
+ dpkg-statoverride --remove /var/lib/knot >/dev/null 2>/dev/null || true
+ dpkg-statoverride --remove /etc/knot/knot.conf >/dev/null 2>/dev/null || true
+ dpkg-statoverride --remove /etc/knot >/dev/null 2>/dev/null || true
+
+ deluser --quiet knot > /dev/null || true
+fi
+
+#DEBHELPER#
+
+exit 0
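Review bot: `deluser --quiet knot` on purge releases the account's UID while files owned by it can still exist: only `timers`, `keys` and `journal` are removed, and the `rmdir $spool 2>/dev/null || true` line already allows for the directory being non-empty. A later system account that receives the same UID would then own those leftovers. Consider keeping the account, i.e. replacing that line with a comment such as `# the knot system user is kept; files outside timers, keys and journal may still belong to it`. Quoting `"$spool"` in the `rm -rf` and `rmdir` lines would also make them robust against a later change of the path.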
diff --git a/debian/knot.service b/debian/knot.service
new file mode 100644
index 0000000..191fd3d
--- /dev/null
+++ b/debian/knot.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Knot DNS server
+Wants=network-online.target
+After=network-online.target
+Documentation=man:knotd(8) man:knot.conf(5) man:knotc(8)
+
+[Service]
+EnvironmentFile=/etc/default/knot
+ExecReload=/usr/sbin/knotc reload
+ExecStart=/usr/sbin/knotd $KNOTD_ARGS
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
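Review bot: `EnvironmentFile=/etc/default/knot` has no `-` prefix, so the unit fails to start if that file is missing, whereas debian/knot.init only sources it when it is readable; `EnvironmentFile=-/etc/default/knot` gives the unit the same tolerance. The `[Service]` section also sets no sandboxing. Directives such as `NoNewPrivileges=yes`, `ProtectHome=yes` and `PrivateTmp=yes` look compatible with what is visible here, but they should be tested against knotd's own privilege drop and its storage paths before being added.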
diff --git a/debian/knot.tmpfile b/debian/knot.tmpfile
new file mode 100644
index 0000000..aab7815
--- /dev/null
+++ b/debian/knot.tmpfile
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+ d /run/knot 0755 knot knot - -
diff --git a/debian/libdnssec6.install b/debian/libdnssec6.install
new file mode 100644
index 0000000..17a9fe6
--- /dev/null
+++ b/debian/libdnssec6.install
@@ -0,0 +1 @@
+usr/lib/*/libdnssec.so.*
diff --git a/debian/libdnssec6.symbols b/debian/libdnssec6.symbols
new file mode 100644
index 0000000..35a8c99
--- /dev/null
+++ b/debian/libdnssec6.symbols
@@ -0,0 +1,109 @@
+libdnssec.so.6 libdnssec6 #MINVER#
+* Build-Depends-Package: libknot-dev
+ dnssec_algorithm_digest_support@Base 2.6.0
+ dnssec_algorithm_key_size_check@Base 2.3.0
+ dnssec_algorithm_key_size_default@Base 2.3.0
+ dnssec_algorithm_key_size_range@Base 2.3.0
+ dnssec_algorithm_key_support@Base 2.6.0
+ dnssec_binary_alloc@Base 2.3.0
+ dnssec_binary_cmp@Base 2.3.0
+ dnssec_binary_dup@Base 2.3.0
+ dnssec_binary_free@Base 2.3.0
+ dnssec_binary_from_base64@Base 2.3.0
+ dnssec_binary_resize@Base 2.3.0
+ dnssec_binary_to_base64@Base 2.3.0
+ dnssec_crypto_cleanup@Base 2.3.0
+ dnssec_crypto_init@Base 2.3.0
+ dnssec_crypto_reinit@Base 2.3.0
+ dnssec_item_get@Base 2.3.0
+ dnssec_item_set@Base 2.3.0
+ dnssec_key_can_sign@Base 2.3.0
+ dnssec_key_can_verify@Base 2.3.0
+ dnssec_key_clear@Base 2.3.0
+ dnssec_key_create_ds@Base 2.3.0
+ dnssec_key_dup@Base 2.3.0
+ dnssec_key_free@Base 2.3.0
+ dnssec_key_get_algorithm@Base 2.3.0
+ dnssec_key_get_dname@Base 2.3.0
+ dnssec_key_get_flags@Base 2.3.0
+ dnssec_key_get_keyid@Base 2.6.0
+ dnssec_key_get_keytag@Base 2.3.0
+ dnssec_key_get_protocol@Base 2.3.0
+ dnssec_key_get_pubkey@Base 2.3.0
+ dnssec_key_get_rdata@Base 2.3.0
+ dnssec_key_get_size@Base 2.3.0
+ dnssec_key_import_keystore@Base 2.3.0
+ dnssec_key_load_pkcs8@Base 2.3.0
+ dnssec_key_new@Base 2.3.0
+ dnssec_key_set_algorithm@Base 2.3.0
+ dnssec_key_set_dname@Base 2.3.0
+ dnssec_key_set_flags@Base 2.3.0
+ dnssec_key_set_protocol@Base 2.3.0
+ dnssec_key_set_pubkey@Base 2.3.0
+ dnssec_key_set_rdata@Base 2.3.0
+ dnssec_keyid_copy@Base 2.3.0
+ dnssec_keyid_equal@Base 2.3.0
+ dnssec_keyid_is_valid@Base 2.3.0
+ dnssec_keyid_normalize@Base 2.3.0
+ dnssec_keystore_close@Base 2.3.0
+ dnssec_keystore_deinit@Base 2.3.0
+ dnssec_keystore_generate_key@Base 2.3.0
+ dnssec_keystore_import@Base 2.3.0
+ dnssec_keystore_init@Base 2.3.0
+ dnssec_keystore_init_pkcs11@Base 2.3.0
+ dnssec_keystore_init_pkcs8_custom@Base 2.3.0
+ dnssec_keystore_init_pkcs8_dir@Base 2.3.0
+ dnssec_keystore_list_keys@Base 2.3.0
+ dnssec_keystore_open@Base 2.3.0
+ dnssec_keystore_remove_key@Base 2.3.0
+ dnssec_keytag@Base 2.3.0
+ dnssec_list_append@Base 2.3.0
+ dnssec_list_clear@Base 2.3.0
+ dnssec_list_clear_full@Base 2.3.0
+ dnssec_list_contains@Base 2.3.0
+ dnssec_list_free@Base 2.3.0
+ dnssec_list_free_full@Base 2.3.0
+ dnssec_list_head@Base 2.3.0
+ dnssec_list_insert_after@Base 2.3.0
+ dnssec_list_insert_before@Base 2.3.0
+ dnssec_list_is_empty@Base 2.3.0
+ dnssec_list_new@Base 2.3.0
+ dnssec_list_next@Base 2.3.0
+ dnssec_list_nth@Base 2.3.0
+ dnssec_list_prepend@Base 2.3.0
+ dnssec_list_prev@Base 2.3.0
+ dnssec_list_remove@Base 2.3.0
+ dnssec_list_search@Base 2.3.0
+ dnssec_list_size@Base 2.3.0
+ dnssec_list_tail@Base 2.3.0
+ dnssec_nsec3_hash@Base 2.3.0
+ dnssec_nsec3_hash_length@Base 2.3.0
+ dnssec_nsec3_params_free@Base 2.3.0
+ dnssec_nsec3_params_from_rdata@Base 2.3.0
+ dnssec_nsec_bitmap_add@Base 2.3.0
+ dnssec_nsec_bitmap_clear@Base 2.3.0
+ dnssec_nsec_bitmap_contains@Base 2.7.0
+ dnssec_nsec_bitmap_free@Base 2.3.0
+ dnssec_nsec_bitmap_new@Base 2.3.0
+ dnssec_nsec_bitmap_size@Base 2.3.0
+ dnssec_nsec_bitmap_write@Base 2.3.0
+ dnssec_random_binary@Base 2.3.0
+ dnssec_random_buffer@Base 2.3.0
+ dnssec_sign_add@Base 2.3.0
+ dnssec_sign_free@Base 2.3.0
+ dnssec_sign_init@Base 2.3.0
+ dnssec_sign_new@Base 2.3.0
+ dnssec_sign_verify@Base 2.3.0
+ dnssec_sign_write@Base 2.3.0
+ dnssec_strerror@Base 2.3.0
+ dnssec_tsig_add@Base 2.3.0
+ dnssec_tsig_algorithm_from_dname@Base 2.3.0
+ dnssec_tsig_algorithm_from_name@Base 2.3.0
+ dnssec_tsig_algorithm_size@Base 2.3.0
+ dnssec_tsig_algorithm_to_dname@Base 2.3.0
+ dnssec_tsig_algorithm_to_name@Base 2.3.0
+ dnssec_tsig_free@Base 2.3.0
+ dnssec_tsig_new@Base 2.3.0
+ dnssec_tsig_optimal_key_size@Base 2.3.0
+ dnssec_tsig_size@Base 2.3.0
+ dnssec_tsig_write@Base 2.3.0
diff --git a/debian/libknot-dev.install b/debian/libknot-dev.install
new file mode 100644
index 0000000..54f2635
--- /dev/null
+++ b/debian/libknot-dev.install
@@ -0,0 +1,4 @@
+usr/include/
+usr/lib/*/*.a
+usr/lib/*/*.so
+usr/lib/*/pkgconfig/*
diff --git a/debian/libknot8.install b/debian/libknot8.install
new file mode 100644
index 0000000..f9b9f93
--- /dev/null
+++ b/debian/libknot8.install
@@ -0,0 +1 @@
+usr/lib/*/libknot.so.*
diff --git a/debian/libknot8.symbols b/debian/libknot8.symbols
new file mode 100644
index 0000000..4c7d0dd
--- /dev/null
+++ b/debian/libknot8.symbols
@@ -0,0 +1,207 @@
+libknot.so.8 libknot8 #MINVER#
+* Build-Depends-Package: libknot-dev
+ KNOT_DB_LMDB_DUPSORT@Base 2.5.0
+ KNOT_DB_LMDB_INTEGERKEY@Base 2.4.0
+ KNOT_DB_LMDB_MAPASYNC@Base 2.5.0
+ KNOT_DB_LMDB_NOSYNC@Base 2.4.0
+ KNOT_DB_LMDB_NOTLS@Base 2.3.0
+ KNOT_DB_LMDB_RDONLY@Base 2.3.0
+ KNOT_DB_LMDB_WRITEMAP@Base 2.5.0
+ KNOT_DUMP_STYLE_DEFAULT@Base 2.3.0
+ knot_ctl_accept@Base 2.3.0
+ knot_ctl_alloc@Base 2.3.0
+ knot_ctl_bind@Base 2.3.0
+ knot_ctl_close@Base 2.3.0
+ knot_ctl_connect@Base 2.3.0
+ knot_ctl_free@Base 2.3.0
+ knot_ctl_receive@Base 2.3.0
+ knot_ctl_send@Base 2.3.0
+ knot_ctl_set_timeout@Base 2.3.0
+ knot_ctl_unbind@Base 2.3.0
+ knot_db_lmdb_api@Base 2.3.0
+ knot_db_lmdb_del_exact@Base 2.5.0
+ knot_db_lmdb_get_mapsize@Base 2.4.0
+ knot_db_lmdb_get_usage@Base 2.4.0
+ knot_db_lmdb_iter_del@Base 2.3.0
+ knot_db_lmdb_txn_begin@Base 2.3.0
+ knot_db_trie_api@Base 2.3.0
+ knot_dname_cmp@Base 2.3.0
+ knot_dname_copy@Base 2.3.0
+ knot_dname_free@Base 2.3.0
+ knot_dname_from_str@Base 2.3.0
+ knot_dname_in_bailiwick@Base 2.7.0
+ knot_dname_is_equal@Base 2.3.0
+ knot_dname_labels@Base 2.3.0
+ knot_dname_lf@Base 2.3.0
+ knot_dname_matched_labels@Base 2.3.0
+ knot_dname_prefixlen@Base 2.3.0
+ knot_dname_realsize@Base 2.3.0
+ knot_dname_replace_suffix@Base 2.3.0
+ knot_dname_size@Base 2.3.0
+ knot_dname_store@Base 2.7.0
+ knot_dname_to_lower@Base 2.3.0
+ knot_dname_to_str@Base 2.3.0
+ knot_dname_to_wire@Base 2.3.0
+ knot_dname_unpack@Base 2.3.0
+ knot_dname_wire_check@Base 2.3.0
+ knot_dnssec_alg_names@Base 2.3.0
+ knot_edns_add_option@Base 2.3.0
+ knot_edns_alignment_size@Base 2.7.0
+ knot_edns_chain_parse@Base 2.4.0
+ knot_edns_chain_size@Base 2.4.0
+ knot_edns_chain_write@Base 2.4.0
+ knot_edns_client_subnet_get_addr@Base 2.3.1
+ knot_edns_client_subnet_parse@Base 2.3.0
+ knot_edns_client_subnet_set_addr@Base 2.3.1
+ knot_edns_client_subnet_size@Base 2.3.1
+ knot_edns_client_subnet_write@Base 2.3.1
+ knot_edns_cookie_client_check@Base 2.7.0
+ knot_edns_cookie_client_generate@Base 2.7.0
+ knot_edns_cookie_parse@Base 2.7.0
+ knot_edns_cookie_server_check@Base 2.7.0
+ knot_edns_cookie_server_generate@Base 2.7.0
+ knot_edns_cookie_size@Base 2.7.0
+ knot_edns_cookie_write@Base 2.7.0
+ knot_edns_get_ext_rcode@Base 2.3.0
+ knot_edns_get_option@Base 2.3.0
+ knot_edns_get_options@Base 2.7.0
+ knot_edns_get_version@Base 2.3.0
+ knot_edns_init@Base 2.3.0
+ knot_edns_keepalive_parse@Base 2.4.0
+ knot_edns_keepalive_size@Base 2.4.0
+ knot_edns_keepalive_write@Base 2.4.0
+ knot_edns_reserve_option@Base 2.3.0
+ knot_edns_set_ext_rcode@Base 2.3.0
+ knot_edns_set_version@Base 2.3.0
+ knot_error_from_libdnssec@Base 2.5.0
+ knot_get_obsolete_rdata_descriptor@Base 2.3.0
+ knot_get_rdata_descriptor@Base 2.3.0
+ knot_naptr_header_size@Base 2.3.0
+ knot_opcode_names@Base 2.3.0
+ knot_opt_code_to_string@Base 2.6.6
+ knot_pkt_begin@Base 2.3.0
+ knot_pkt_clear@Base 2.3.0
+ knot_pkt_copy@Base 2.3.0
+ knot_pkt_ext_rcode@Base 2.4.0
+ knot_pkt_ext_rcode_name@Base 2.4.0
+ knot_pkt_free@Base 2.3.0
+ knot_pkt_init_response@Base 2.3.0
+ knot_pkt_new@Base 2.3.0
+ knot_pkt_parse@Base 2.3.0
+ knot_pkt_parse_question@Base 2.3.0
+ knot_pkt_put_question@Base 2.3.0
+ knot_pkt_put_rotate@Base 2.7.0
+ knot_pkt_reclaim@Base 2.3.0
+ knot_pkt_reserve@Base 2.3.0
+ knot_rcode_names@Base 2.3.0
+ knot_rdataset_add@Base 2.3.0
+ knot_rdataset_at@Base 2.3.0
+ knot_rdataset_clear@Base 2.3.0
+ knot_rdataset_copy@Base 2.3.0
+ knot_rdataset_eq@Base 2.3.0
+ knot_rdataset_intersect@Base 2.3.0
+ knot_rdataset_member@Base 2.3.0
+ knot_rdataset_merge@Base 2.3.0
+ knot_rdataset_reserve@Base 2.3.0
+ knot_rdataset_size@Base 2.3.0
+ knot_rdataset_subtract@Base 2.3.0
+ knot_rdataset_unreserve@Base 2.3.0
+ knot_rrclass_from_string@Base 2.3.0
+ knot_rrclass_to_string@Base 2.3.0
+ knot_rrset_add_rdata@Base 2.3.0
+ knot_rrset_clear@Base 2.3.0
+ knot_rrset_copy@Base 2.3.0
+ knot_rrset_equal@Base 2.3.0
+ knot_rrset_free@Base 2.3.0
+ knot_rrset_is_nsec3rel@Base 2.3.0
+ knot_rrset_new@Base 2.3.0
+ knot_rrset_rr_from_wire@Base 2.3.0
+ knot_rrset_rr_to_canonical@Base 2.3.0
+ knot_rrset_size@Base 2.3.0
+ knot_rrset_to_wire_extra@Base 2.7.0
+ knot_rrset_to_wire_rotate@Base 2.7.0
+ knot_rrset_txt_dump@Base 2.3.0
+ knot_rrset_txt_dump_data@Base 2.3.0
+ knot_rrset_txt_dump_header@Base 2.3.0
+ knot_rrtype_additional_needed@Base 2.3.0
+ knot_rrtype_from_string@Base 2.3.0
+ knot_rrtype_is_dnssec@Base 2.3.0
+ knot_rrtype_is_metatype@Base 2.3.0
+ knot_rrtype_should_be_lowercased@Base 2.3.0
+ knot_rrtype_to_string@Base 2.3.0
+ knot_strerror@Base 2.3.0
+ knot_tsig_add@Base 2.3.0
+ knot_tsig_append@Base 2.3.0
+ knot_tsig_client_check@Base 2.3.0
+ knot_tsig_client_check_next@Base 2.3.0
+ knot_tsig_create_rdata@Base 2.3.0
+ knot_tsig_key_copy@Base 2.3.0
+ knot_tsig_key_deinit@Base 2.3.0
+ knot_tsig_key_init@Base 2.3.0
+ knot_tsig_key_init_file@Base 2.3.0
+ knot_tsig_key_init_str@Base 2.3.0
+ knot_tsig_rcode_names@Base 2.4.0
+ knot_tsig_rdata_alg@Base 2.3.0
+ knot_tsig_rdata_alg_name@Base 2.3.0
+ knot_tsig_rdata_error@Base 2.3.0
+ knot_tsig_rdata_fudge@Base 2.3.0
+ knot_tsig_rdata_is_ok@Base 2.3.0
+ knot_tsig_rdata_mac@Base 2.3.0
+ knot_tsig_rdata_mac_length@Base 2.3.0
+ knot_tsig_rdata_orig_id@Base 2.3.0
+ knot_tsig_rdata_other_data@Base 2.3.0
+ knot_tsig_rdata_other_data_length@Base 2.3.0
+ knot_tsig_rdata_set_fudge@Base 2.3.0
+ knot_tsig_rdata_set_mac@Base 2.3.0
+ knot_tsig_rdata_set_orig_id@Base 2.3.0
+ knot_tsig_rdata_set_other_data@Base 2.3.0
+ knot_tsig_rdata_set_time_signed@Base 2.3.0
+ knot_tsig_rdata_time_signed@Base 2.3.0
+ knot_tsig_rdata_tsig_timers_length@Base 2.3.0
+ knot_tsig_rdata_tsig_variables_length@Base 2.3.0
+ knot_tsig_server_check@Base 2.3.0
+ knot_tsig_sign@Base 2.3.0
+ knot_tsig_sign_next@Base 2.3.0
+ knot_tsig_wire_maxsize@Base 2.3.0
+ knot_tsig_wire_size@Base 2.4.1
+ yp_addr@Base 2.5.0
+ yp_addr_noport@Base 2.5.0
+ yp_addr_noport_to_bin@Base 2.5.0
+ yp_addr_noport_to_txt@Base 2.5.0
+ yp_addr_range_to_bin@Base 2.5.0
+ yp_addr_range_to_txt@Base 2.5.0
+ yp_addr_to_bin@Base 2.5.0
+ yp_addr_to_txt@Base 2.5.0
+ yp_base64_to_bin@Base 2.5.0
+ yp_base64_to_txt@Base 2.5.0
+ yp_bool_to_bin@Base 2.5.0
+ yp_bool_to_txt@Base 2.5.0
+ yp_deinit@Base 2.5.0
+ yp_dname_to_bin@Base 2.5.0
+ yp_dname_to_txt@Base 2.5.0
+ yp_format_id@Base 2.5.0
+ yp_format_key0@Base 2.5.0
+ yp_format_key1@Base 2.5.0
+ yp_hex_to_bin@Base 2.5.0
+ yp_hex_to_txt@Base 2.5.0
+ yp_init@Base 2.5.0
+ yp_int_to_bin@Base 2.5.0
+ yp_int_to_txt@Base 2.5.0
+ yp_item_to_bin@Base 2.5.0
+ yp_item_to_txt@Base 2.5.0
+ yp_option_to_bin@Base 2.5.0
+ yp_option_to_txt@Base 2.5.0
+ yp_parse@Base 2.5.0
+ yp_schema_check_deinit@Base 2.5.0
+ yp_schema_check_init@Base 2.5.0
+ yp_schema_check_parser@Base 2.5.0
+ yp_schema_check_str@Base 2.5.0
+ yp_schema_copy@Base 2.5.0
+ yp_schema_find@Base 2.5.0
+ yp_schema_free@Base 2.5.0
+ yp_schema_merge@Base 2.5.0
+ yp_schema_purge_dynamic@Base 2.5.0
+ yp_set_input_file@Base 2.5.0
+ yp_set_input_string@Base 2.5.0
+ yp_str_to_bin@Base 2.5.0
+ yp_str_to_txt@Base 2.5.0
diff --git a/debian/libzscanner2.install b/debian/libzscanner2.install
new file mode 100644
index 0000000..a8dc226
--- /dev/null
+++ b/debian/libzscanner2.install
@@ -0,0 +1 @@
+usr/lib/*/libzscanner.so.*
diff --git a/debian/libzscanner2.symbols b/debian/libzscanner2.symbols
new file mode 100644
index 0000000..3477f9c
--- /dev/null
+++ b/debian/libzscanner2.symbols
@@ -0,0 +1,11 @@
+libzscanner.so.2 libzscanner2 #MINVER#
+* Build-Depends-Package: libknot-dev
+ zs_deinit@Base 2.3.0
+ zs_errorname@Base 2.3.0
+ zs_init@Base 2.3.0
+ zs_parse_all@Base 2.3.0
+ zs_parse_record@Base 2.3.0
+ zs_set_input_file@Base 2.3.0
+ zs_set_input_string@Base 2.3.0
+ zs_set_processing@Base 2.3.0
+ zs_strerror@Base 2.3.0
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..c928be1
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1 @@
+etc/knot/example.com.zone
diff --git a/debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch b/debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch
new file mode 100644
index 0000000..1ed81bf
--- /dev/null
+++ b/debian/patches/0001-avoid-git-version-inclusion-in-debian-packages.patch
@@ -0,0 +1,23 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 2 Nov 2018 18:53:10 +0300
+Subject: avoid git version inclusion in debian packages
+
+---
+ m4/knot-version.m4 | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/m4/knot-version.m4 b/m4/knot-version.m4
+index 6e9158d..d4abe1d 100644
+--- a/m4/knot-version.m4
++++ b/m4/knot-version.m4
+@@ -11,9 +11,6 @@
+ ################################################################################
+
+ m4_define([knot_PATCH], m4_ifblank(knot_VERSION_PATCH, [dev], knot_VERSION_PATCH))dnl
+-m4_define([knot_GIT_HASH], m4_esyscmd_s(git rev-parse --short HEAD 2>/dev/null))dnl
+-m4_define([knot_GIT_TAG], m4_esyscmd_s(git describe --exact-match 2>/dev/null))dnl
+ m4_define([knot_TIMESTAMP], m4_esyscmd_s(date -u +'%s' 2>/dev/null))dnl
+-m4_define([knot_GIT_INFO], m4_ifblank(knot_GIT_TAG, m4_ifnblank(knot_GIT_HASH, .knot_TIMESTAMP.knot_GIT_HASH, []), []))dnl
+
+-m4_define([knot_PKG_VERSION], [knot_VERSION_MAJOR.knot_VERSION_MINOR.knot_PATCH]knot_GIT_INFO)dnl
++m4_define([knot_PKG_VERSION], [knot_VERSION_MAJOR.knot_VERSION_MINOR.knot_PATCH])dnl
diff --git a/debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch b/debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch
new file mode 100644
index 0000000..fa79f5d
--- /dev/null
+++ b/debian/patches/0002-zonefile-Verify-mtime-against-full-precision-timesta.patch
@@ -0,0 +1,129 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 22 Feb 2019 16:05:38 -0500
+Subject: zonefile: Verify mtime against full-precision timestamp
+
+We've just used 1-second granularity mtime to check if a file has
+changed.
+
+But if two updates happen within a calendar second, and knotd notices
+the first one and reloads the file, it might never notice the second
+change and continue serving the old file. We can see this happening
+in intermittent test suite failures in the debian continuous
+integration servers:
+
+ https://ci.debian.net/packages/k/knot/unstable/amd64
+
+Using nanosecond-granularity timestamps should make these problems go
+away.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ src/knot/events/handlers/load.c | 6 ++++--
+ src/knot/zone/zone.c | 2 +-
+ src/knot/zone/zone.h | 2 +-
+ src/knot/zone/zonedb-load.c | 6 ++++--
+ src/knot/zone/zonefile.c | 4 ++--
+ src/knot/zone/zonefile.h | 2 +-
+ 6 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/src/knot/events/handlers/load.c b/src/knot/events/handlers/load.c
+index 7410d30..1f8f368 100644
+--- a/src/knot/events/handlers/load.c
++++ b/src/knot/events/handlers/load.c
+@@ -73,10 +73,12 @@ int event_load(conf_t *conf, zone_t *zone)
+
+ // If configured, attempt to load zonefile.
+ if (zf_from != ZONEFILE_LOAD_NONE) {
+- time_t mtime;
++ struct timespec mtime;
+ char *filename = conf_zonefile(conf, zone->name);
+ ret = zonefile_exists(filename, &mtime);
+- bool zonefile_unchanged = (zone->zonefile.exists && zone->zonefile.mtime == mtime);
++ bool zonefile_unchanged = (zone->zonefile.exists &&
++ zone->zonefile.mtime.tv_sec == mtime.tv_sec &&
++ zone->zonefile.mtime.tv_nsec == mtime.tv_nsec);
+ free(filename);
+ if (ret == KNOT_EOK) {
+ ret = zone_load_contents(conf, zone->name, &zf_conts);
+diff --git a/src/knot/zone/zone.c b/src/knot/zone/zone.c
+index efc0caa..0ec29f1 100644
+--- a/src/knot/zone/zone.c
++++ b/src/knot/zone/zone.c
+@@ -145,7 +145,7 @@ static int flush_journal(conf_t *conf, zone_t *zone, bool allow_empty_zone)
+
+ /* Update zone file attributes. */
+ zone->zonefile.exists = true;
+- zone->zonefile.mtime = st.st_mtime;
++ zone->zonefile.mtime = st.st_mtim;
+ zone->zonefile.serial = serial_to;
+ zone->zonefile.resigned = false;
+
+diff --git a/src/knot/zone/zone.h b/src/knot/zone/zone.h
+index 360e222..09c92cc 100644
+--- a/src/knot/zone/zone.h
++++ b/src/knot/zone/zone.h
+@@ -50,7 +50,7 @@ typedef struct zone
+
+ /*! \brief Zonefile parameters. */
+ struct {
+- time_t mtime;
++ struct timespec mtime;
+ uint32_t serial;
+ bool exists;
+ bool resigned;
+diff --git a/src/knot/zone/zonedb-load.c b/src/knot/zone/zonedb-load.c
+index a6e9834..f23b4b1 100644
+--- a/src/knot/zone/zonedb-load.c
++++ b/src/knot/zone/zonedb-load.c
+@@ -35,12 +35,14 @@ static bool zone_file_updated(conf_t *conf, const zone_t *old_zone,
+ assert(zone_name);
+
+ char *zonefile = conf_zonefile(conf, zone_name);
+- time_t mtime;
++ struct timespec mtime;
+ int ret = zonefile_exists(zonefile, &mtime);
+ free(zonefile);
+
+ return (ret == KNOT_EOK && old_zone != NULL &&
+- !(old_zone->zonefile.exists && old_zone->zonefile.mtime == mtime));
++ !(old_zone->zonefile.exists &&
++ old_zone->zonefile.mtime.tv_sec == mtime.tv_sec &&
++ old_zone->zonefile.mtime.tv_nsec == mtime.tv_nsec));
+ }
+
+ static zone_t *create_zone_from(const knot_dname_t *name, server_t *server)
+diff --git a/src/knot/zone/zonefile.c b/src/knot/zone/zonefile.c
+index 37fc90b..0e02d21 100644
+--- a/src/knot/zone/zonefile.c
++++ b/src/knot/zone/zonefile.c
+@@ -248,7 +248,7 @@ fail:
+ return NULL;
+ }
+
+-int zonefile_exists(const char *path, time_t *mtime)
++int zonefile_exists(const char *path, struct timespec *mtime)
+ {
+ if (path == NULL) {
+ return KNOT_EINVAL;
+@@ -260,7 +260,7 @@ int zonefile_exists(const char *path, time_t *mtime)
+ }
+
+ if (mtime != NULL) {
+- *mtime = zonefile_st.st_mtime;
++ *mtime = zonefile_st.st_mtim;
+ }
+
+ return KNOT_EOK;
+diff --git a/src/knot/zone/zonefile.h b/src/knot/zone/zonefile.h
+index 90283ee..9d0542e 100644
+--- a/src/knot/zone/zonefile.h
++++ b/src/knot/zone/zonefile.h
+@@ -79,7 +79,7 @@ zone_contents_t *zonefile_load(zloader_t *loader);
+ *
+ * \return KNOT_E*
+ */
+-int zonefile_exists(const char *path, time_t *mtime);
++int zonefile_exists(const char *path, struct timespec *mtime);
+
+ /*!
+ * \brief Write zone contents to zone file.
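Review bot: In the event_load() hunk of the embedded patch, `zonefile_unchanged` is computed before `ret` is checked, so when zonefile_exists() returns an error the comparison appears to read `mtime.tv_sec` and `mtime.tv_nsec` from an uninitialised struct whenever `zone->zonefile.exists` is true. Initialising at the declaration, `struct timespec mtime = { 0 };`, removes the indeterminate read. zone_file_updated() in zonedb-load.c is not affected, because it tests `ret == KNOT_EOK` first. Separately, equality on `st_mtim` is still bounded by the filesystem's timestamp granularity, so two writes inside one tick can presumably still leave the old zone being served; a comment next to the comparison should say so. event_load() continues outside the hunk, so whether `zonefile_unchanged` is consulted on the error path cannot be confirmed from here.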
diff --git a/debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch b/debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch
new file mode 100644
index 0000000..02d2e15
--- /dev/null
+++ b/debian/patches/0003-correct-kdig-documentation-about-no-crypto.patch
@@ -0,0 +1,39 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 4 Jan 2019 15:14:32 -0500
+Subject: correct kdig documentation about +[no]crypto
+
+kdig displays cryptographic signatures and keys in base64 encoding,
+not in hexdump format.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ doc/man/kdig.1in | 2 +-
+ doc/man_kdig.rst | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man/kdig.1in b/doc/man/kdig.1in
+index 8bb2d01..df2fb3c 100644
+--- a/doc/man/kdig.1in
++++ b/doc/man/kdig.1in
+@@ -159,7 +159,7 @@ Use the generic representation format when printing resource record types
+ and data.
+ .TP
+ \fB+\fP[\fBno\fP]\fBcrypto\fP
+-Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.
++Display the DNSSEC keys and signatures values in base64, instead of omitting them.
+ .TP
+ \fB+\fP[\fBno\fP]\fBaaflag\fP
+ Set the AA flag.
+diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst
+index c1b3961..7fa2db0 100644
+--- a/doc/man_kdig.rst
++++ b/doc/man_kdig.rst
+@@ -138,7 +138,7 @@ Options
+ and data.
+
+ **+**\ [\ **no**\ ]\ **crypto**
+- Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.
++ Display the DNSSEC keys and signatures values in base64, instead of omitting them.
+
+ **+**\ [\ **no**\ ]\ **aaflag**
+ Set the AA flag.
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..404f14f
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+0001-avoid-git-version-inclusion-in-debian-packages.patch
+0002-zonefile-Verify-mtime-against-full-precision-timesta.patch
+0003-correct-kdig-documentation-about-no-crypto.patch
diff --git a/debian/prepare-environment b/debian/prepare-environment
new file mode 100755
index 0000000..7176f5e
--- /dev/null
+++ b/debian/prepare-environment
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -eu
+
+CONFFILE=${1:-/etc/knot/knot.conf}
+
+if [ ! -r $CONFFILE ]; then
+ echo "$CONFFILE doesn't exist or has wrong permissions."
+ exit 1;
+fi
+
+KNOT_RUNDIR=$(sed -ne "s/#.*$//;s/.*rundir: \"*\([^\";]*\\).*/\\1/p;" $CONFFILE)
+[ -z "$KNOT_RUNDIR" ] && KNOT_RUNDIR=/run/knot
+
+mkdir --parents "$KNOT_RUNDIR";
+
+KNOT_USER=$(sed -ne "s/#.*$//;s/.*user:[ \"]*\\([^\\:\"]*\\)[ \"]*/\\1/p;" $CONFFILE)
+
+if [ -n "$KNOT_USER" ]; then
+ if ! getent passwd $KNOT_USER >/dev/null; then
+ echo "Configured user '$KNOT_USER' doesn't exist."
+ exit 1
+ fi
+
+ KNOT_GROUP=$(sed -ne "s/#.*$//;s/.*user:[ \"]*[^\\:\"]*\\:\\([^\"]*\\)[ \"]*/\\1/p;" $CONFFILE)
+ if [ -z "$KNOT_GROUP" ]; then
+ KNOT_GROUP=$(getent group $(getent passwd "$KNOT_USER" | cut -f 4 -d :) | cut -f 1 -d :)
+ fi
+
+ if ! getent group $KNOT_GROUP >/dev/null; then
+ echo "Configured group '$KNOT_GROUP' doesn't exist."
+ exit 1
+ fi
+ chown --silent "$KNOT_USER:$KNOT_GROUP" "$KNOT_RUNDIR"
+ chmod 775 "$KNOT_RUNDIR"
+fi
+
+:
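Review bot: `$CONFFILE`, `$KNOT_USER` and `$KNOT_GROUP` are expanded unquoted in the `[ ! -r $CONFFILE ]` test, in the three `sed` calls and in both `getent` lookups, so a path or configured value containing whitespace or glob characters is word-split before it is checked, while the later `chown` receives the quoted value. Because the strings parsed from the config end up in `mkdir`, `chown` and `chmod 775`, the check and the use should see the same value: `if [ ! -r "$CONFFILE" ]; then`, `getent passwd "$KNOT_USER"`, `getent group "$KNOT_GROUP"`. `chown --silent` also hides the message for a failed ownership change, although `set -e` still aborts on its exit status.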
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..2d6cbb6
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,89 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND = -Wall -DNDEBUG
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+export DPKG_GENSYMBOLS_CHECK_LEVEL := 4
+export KNOT_SOFTHSM2_DSO = /usr/lib/softhsm/libsofthsm2.so
+
+ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),riscv64))
+ export DEB_LDFLAGS_MAINT_APPEND += -latomic
+endif
+
+include /usr/share/dpkg/default.mk
+
+ifeq (maint,$(filter $(DEB_BUILD_OPTIONS),maint))
+ FASTPARSER := --disable-fastparser
+else
+ FASTPARSER := --enable-fastparser
+endif
+
+ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),hurd-i386))
+ RECVMMSG:=--enable-recvmmsg=no
+else
+ RECVMMSG:=--enable-recvmmsg=yes
+endif
+
+ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),amd64 i386))
+ RUN_TEST :=
+else
+ RUN_TEST := -timeout --kill-after=5s 5m
+endif
+
+%:
+ dh $@ \
+ --dbgsym-migration='knot-dbg (<< 2.2.0-2~)' \
+ --exclude=.la --exclude=example.com.zone
+
+override_dh_auto_configure:
+ echo confirming architecture...
+ echo 'arch:' $(DEB_HOST_ARCH)
+ echo 'filtered arch:' $(filter $(DEB_HOST_ARCH),mips powerpc riscv64)
+ echo 'DEB_LDFLAGS_MAINT_APPEND:' $(DEB_LDFLAGS_MAINT_APPEND)
+ echo done
+ dh_auto_configure -- \
+ --sysconfdir=/etc \
+ --localstatedir=/var/lib \
+ --libexecdir=/usr/lib/knot \
+ --with-rundir=/run/knot \
+ --with-moduledir=/usr/lib/$(DEB_HOST_MULTIARCH)/knot \
+ --with-storage=/var/lib/knot \
+ --enable-systemd=auto \
+ --enable-dnstap \
+ --with-module-dnstap=yes \
+ $(RECVMMSG) \
+ $(FASTPARSER) \
+ --disable-silent-rules
+
+override_dh_auto_build-indep:
+ dh_auto_build -- info pdf html
+
+override_dh_auto_install-arch:
+ dh_auto_install -- install
+ # rename knot.sample.conf to knot.conf
+ mv $(CURDIR)/debian/tmp/etc/knot/knot.sample.conf $(CURDIR)/debian/tmp/etc/knot/knot.conf
+
+override_dh_auto_install-indep:
+ dh_auto_install -- install-info install-pdf install-html
+ # rename knot.sample.conf to knot.conf
+ mv $(CURDIR)/debian/tmp/etc/knot/knot.sample.conf $(CURDIR)/debian/tmp/etc/knot/knot.conf
+
+override_dh_auto_test-indep:
+override_dh_auto_test-arch:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ $(RUN_TEST) dh_auto_test
+ $(MAKE) -C samples knot.sample.conf
+ debian/get_kaspdb samples/knot.sample.conf
+ [ $$(debian/get_user samples/knot.sample.conf) = knot ]
+endif
+
+override_dh_installdirs-arch:
+ dh_installdirs --arch --package=knot /usr/lib/$(DEB_HOST_MULTIARCH)/knot
+ dh_installdirs --arch --remaining-packages
+
+override_dh_missing:
+ dh_missing --fail-missing
+
+override_dh_installchangelogs:
+ dh_installchangelogs NEWS
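Review bot: `RUN_TEST := -timeout --kill-after=5s 5m` begins with `-`, which make reads as "ignore errors" on the recipe line `$(RUN_TEST) dh_auto_test`, so on every architecture other than amd64 and i386 a failing or timed-out test suite does not fail the build. If that is intended it needs a comment above the assignment, for example `# leading '-' is deliberate: test failures are non-fatal outside amd64/i386`; if not, drop the `-`. The diagnostic `echo 'filtered arch:'` line filters on `mips powerpc riscv64`, while the actual `-latomic` condition tests only `riscv64`, so the printed value does not reflect the decision being made.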
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/authoritative-server b/debian/tests/authoritative-server
new file mode 100755
index 0000000..a2ae9c5
--- /dev/null
+++ b/debian/tests/authoritative-server
@@ -0,0 +1,193 @@
+#!/bin/bash
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# 2018-11-02
+# License: GPLv3+
+
+# error on exit
+set -e
+# for handling jobspecs:
+set -m
+
+if [ -z "$AUTOPKGTEST_ARTIFACTS" ]; then
+ d="$(mktemp -d)"
+ remove="$d"
+else
+ d="$AUTOPKGTEST_ARTIFACTS"
+fi
+ip="${TESTIP:-127.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).$(( $RANDOM % 256 ))}"
+port="${PORT:-8123}"
+knotd="${KNOTD:-/usr/sbin/knotd}"
+kdig="${KDIG:-$(which kdig)}"
+kzonecheck="${KZONECHECK:-$(which kzonecheck)}"
+knotc="${KNOTC:-/usr/sbin/knotc}"
+test_address="${TEST_ADDRESS:-192.0.2.199}"
+get_kaspdb="${GET_KASPDB:-/usr/lib/knot/get_kaspdb}"
+get_user="${GET_USER:-/usr/lib/knot/get_user}"
+kasp_json2lmdb="${KASP_JSON2LMDB:-/usr/lib/knot/kasp_json2lmdb}"
+
+declare -a knot_args=(--socket "$d/knot.sock" --config="$d/knot.conf" --verbose)
+
+printf "%s + %s roundtrip tests\n------------\n workdir: %s\n IP addr: %s\n knot args: %s\n" "$knotd" "$kdig" "$d" "$ip" "${knot_args[*]}"
+
+section() {
+ printf "\n%s\n" "$1"
+ sed 's/./-/g' <<<"$1"
+}
+
+cleanup () {
+ section "cleaning up"
+ find "$d" -ls
+ "${knotc}" "${knot_args[@]}" stop
+ wait %1
+ tail -n +1 -v "$d"/*.err
+ if [ "$remove" ]; then
+ printf "\ncleaning up working directory %s\n" "$remove"
+ rm -rf "$remove"
+ fi
+}
+trap cleanup EXIT
+
+section "set up config file and zonefile"
+
+user=$(id -nu)
+group=$(id -ng)
+cat > "$d/knot.conf" <<EOF
+server:
+ rundir: "$d/run"
+ listen: $ip@$port
+ user: $user:$group
+template:
+ - id: default
+ storage: "$d"
+ file: "%s.zone"
+zone:
+ - domain: example.net
+EOF
+
+cat > "$d/example.net.zone" <<EOF
+@ 1D IN SOA a.ns hostmaster 2018103100 3h 15m 1w 1d
+@ 1D IN NS a.ns.example.net.
+@ 1D IN NS b.ns.example.net.
+a.ns 1D IN A 192.0.2.1
+b.ns 1D IN A 192.0.2.2
+test 1D IN A $test_address
+EOF
+
+mkdir -p "$d/kasp-db/keys"
+keytime="$(TZ=UTC date +%FT%T%z -d 'yesterday')"
+cat >"$d/kasp-db/zone_example.net.json" <<EOF
+{
+ "policy": "default",
+ "nsec3_salt": null,
+ "nsec3_salt_created": null,
+ "keys": [
+ {
+ "id": "ff81022ffd8e16256b3ac8e136f5f068fbe9b714",
+ "keytag": 24401,
+ "algorithm": 13,
+ "public_key": "6J7vEzP9NI/vgkLRToCmgNZ8XOWoUrwrSJyxqcL8Ll/t1Ucy6arTtzsjBQ32SDJEHfQhg0u/fABsp9HVZnFo3g==",
+ "ksk": true,
+ "created": "$keytime",
+ "publish": "$keytime",
+ "active": "$keytime"
+ },
+ {
+ "id": "bf033546160229f56a8c90ca6ed3b599060b0067",
+ "keytag": 46765,
+ "algorithm": 13,
+ "public_key": "TczXowY+XyfUlvHFThLnPnM1zL/kH9lJP1B+WbhgksgHt/Bt93RrOWMgASoYWlBgW2uTVqqoNzLCk9YbPz5ViA==",
+ "ksk": false,
+ "created": "$keytime",
+ "publish": "$keytime",
+ "active": "$keytime"
+ }
+ ]
+}
+EOF
+cat > "$d/kasp-db/keys/bf033546160229f56a8c90ca6ed3b599060b0067.pem" <<EOF
+-----BEGIN PRIVATE KEY-----
+MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgEVKLYtyI4lZ7JiAM
+xziZ/May2VI20QseJGS2AD0U3HKgCgYIKoZIzj0DAQehRANCAARNzNejBj5fJ9SW
+8cVOEuc+czXMv+Qf2Uk/UH5ZuGCSyAe38G33dGs5YyABKhhaUGBba5NWqqg3MsKT
+1hs/PlWI
+-----END PRIVATE KEY-----
+EOF
+cat > "$d/kasp-db/keys/ff81022ffd8e16256b3ac8e136f5f068fbe9b714.pem" <<EOF
+-----BEGIN PRIVATE KEY-----
+MIGUAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHoweAIBAQQhALYx6iXAqIQPL8aI
+Bw0RtWKEOMSW/XawlfPM+7Gdkx9GoAoGCCqGSM49AwEHoUQDQgAE6J7vEzP9NI/v
+gkLRToCmgNZ8XOWoUrwrSJyxqcL8Ll/t1Ucy6arTtzsjBQ32SDJEHfQhg0u/fABs
+p9HVZnFo3g==
+-----END PRIVATE KEY-----
+EOF
+
+
+find "$d" -maxdepth 1 -type f -print0 | xargs -0 tail -n +1 -v
+
+mkdir -p "${d}/run"
+
+section "kzonecheck'ing zonefile"
+"${kzonecheck}" -v "$d/example.net.zone"
+
+section "launching knot"
+"${knotd}" "${knot_args[@]}" 2> "$d/knotd.err" &
+
+# FIXME: this is an annoying poll -- would be better if we could be
+# alerted when the daemon is done setting up the socket, but i don't
+# want to "--daemonize" if i can avoid it because i want the shell to
+# remain in direct supervision of all its processes
+tried=0
+while [ $tried -lt 10 ] ; do
+ if "${knotc}" "${knot_args[@]}" status 2>&1; then
+ break;
+ fi
+ sleep 0.5
+ tried=$(( $tried + 1 ))
+done
+if [ $tried -ge 10 ]; then
+ printf "failed to use %s\n" "${knotc}" >&2
+ exit 1
+fi
+
+
+section "querying knot"
+"${kdig}" -p "${port}" @"${ip}" -t A test.example.net test2.example.net
+answer="$("${kdig}" +short -p "${port}" @"${ip}" -t A test.example.net)"
+if ! [ "$answer" = "$test_address" ]; then
+ printf "test.example.net mismatch!\nexpected: %s\n got: %s\n" "$test_address" "$answer" >&2
+ exit 1
+fi
+answer2="$("${kdig}" +short -p "${port}" @"${ip}" -t A test2.example.net)"
+if ! [ "$answer2" = "" ]; then
+ printf "test2.example.net gave unexpected answer!\n got: %s\n" "$answer2" >&2
+ exit 1
+fi
+
+section "modifying zone"
+printf "test2 1D IN A $test_address\n" >>"$d/example.net.zone"
+sed -i 's/^@ 1D IN SOA.*/@ 1D IN SOA a.ns hostmaster 2018110100 3h 15m 1w 1d/' "$d/example.net.zone"
+"${knotc}" "${knot_args[@]}" reload
+
+section "querying again"
+"${kdig}" -p "${port}" @"${ip}" -t A test.example.net test2.example.net
+answer="$("${kdig}" +short -p "${port}" @"${ip}" -t A test.example.net)"
+if ! [ "$answer" = "$test_address" ]; then
+ printf "test.example.net mismatch!\nexpected: %s\n got: %s\n" "$test_address" "$answer" >&2
+ exit 1
+fi
+answer2="$("${kdig}" +short -p "${port}" @"${ip}" -t A test2.example.net)"
+if ! [ "$answer2" = "$test_address" ]; then
+ printf "test2.example.net mismatch!\nexpected: %s\n got: %s\n" "$test_address" "$answer2" >&2
+ exit 1
+fi
+
+section "testing python transition helpers"
+"${get_kaspdb}" "$d/knot.conf"
+got_user="$(${get_user} "$d/knot.conf")"
+if [ "$got_user" != "$user" ]; then
+ printf "user account mismatch!\nexpected: %s\n got: %s\n" "$user" "$got_user" >&2
+ exit 1
+fi
+"${kasp_json2lmdb}" --import "$d/kasp-db"
+
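Review bot: In `cleanup`, `"${knotc}" "${knot_args[@]}" stop` and `wait %1` run under `set -e` inside the EXIT trap, so if knotd never came up (the case the poll loop exits on) the trap stops at the first failing command and neither the `tail` of `"$d"/*.err` nor `rm -rf "$remove"` runs. Making both tolerant, `"${knotc}" "${knot_args[@]}" stop || true` and `wait %1 || true`, keeps the daemon log in the output and still removes the temporary directory that holds the PEM key fixtures. The two embedded private keys should carry a comment marking them as throwaway test keys, and `printf "test2 1D IN A $test_address\n"` is better written as `printf 'test2 1D IN A %s\n' "$test_address"` so the variable is not interpreted as a format string.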
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..c654e9b
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,5 @@
+Tests: kdig
+Depends: knot-dnsutils, ca-certificates
+
+Tests: authoritative-server
+Depends: knot, knot-dnsutils, findutils, python3-lmdb, python3-yaml
diff --git a/debian/tests/kdig b/debian/tests/kdig
new file mode 100755
index 0000000..a2f388e
--- /dev/null
+++ b/debian/tests/kdig
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+expected=93.184.216.34
+answer=$(kdig +short +tls-ca +tls-hostname=dns.cmrg.net @dns.cmrg.net example.org)
+
+if [ "$answer" != "$expected" ]; then
+ printf "expected: %s\ngot: %s\n" "$expected" "$answer" >&2
+ kdig +tls-ca +tls-hostname=dns.cmrg.net @dns.cmrg.net example.org
+fi
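Review bot: The mismatch branch prints the difference and re-runs kdig but never exits non-zero, so the script's status is that of the final `kdig` call and the test is marked failed only if the harness treats stderr output as a failure. Add `exit 1` as the last line inside the `if`. The expected value `93.184.216.34` and the resolver `dns.cmrg.net` are both external to the package, so a comment stating that the test needs network access and will break when either changes would help the next maintainer.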
diff --git a/debian/ufw/knot b/debian/ufw/knot
new file mode 100644
index 0000000..ee36916
--- /dev/null
+++ b/debian/ufw/knot
@@ -0,0 +1,4 @@
+[Knot]
+title=Internet Domain Name Server
+description=The Knot DNS implements an Internet domain name server.
+ports=53
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..7935cee
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=4CxJ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..a763cd4
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=3
+opts=uversionmangle=s/-((alpha|beta|rc)\d*)$/~$1/,pgpsigurlmangle=s/$/.asc/,dversionmangle=s/\+hotfix// \
+https://secure.nic.cz/files/knot-dns/ \
+(?:|.*/)knot(?:[_\-]v?|)(\d\S*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)