author Daniel Baumann <daniel.baumann@progress-linux.org> 2024-09-12 04:45:08 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-09-12 04:45:08 +0000
commit 3ade2b375d3e928a06a39bb5ce48e59ea054f9c8
tree 23c9115f88363ed22bc4afbeb4901994d036f189 /doc/man
parent Releasing progress-linux version 3.3.9-1~progress7.99u1.
Merging upstream version 3.4.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/man')
-rw-r--r-- doc/man/kcatalogprint.8 (renamed from doc/man/kcatalogprint.8in) 9
-rw-r--r-- doc/man/kdig.1 (renamed from doc/man/kdig.1in) 19
-rw-r--r-- doc/man/keymgr.8 (renamed from doc/man/keymgr.8in) 21
-rw-r--r-- doc/man/khost.1 (renamed from doc/man/khost.1in) 9
-rw-r--r-- doc/man/kjournalprint.8 (renamed from doc/man/kjournalprint.8in) 14
-rw-r--r-- doc/man/knot.conf.5 (renamed from doc/man/knot.conf.5in) 120
-rw-r--r-- doc/man/knotc.8 (renamed from doc/man/knotc.8in) 25
-rw-r--r-- doc/man/knotd.8 (renamed from doc/man/knotd.8in) 13
-rw-r--r-- doc/man/knsec3hash.1 (renamed from doc/man/knsec3hash.1in) 24
-rw-r--r-- doc/man/knsupdate.1 (renamed from doc/man/knsupdate.1in) 78
-rw-r--r-- doc/man/kxdpgun.8 (renamed from doc/man/kxdpgun.8in) 31
-rw-r--r-- doc/man/kzonecheck.1 (renamed from doc/man/kzonecheck.1in) 7
-rw-r--r-- doc/man/kzonesign.1 (renamed from doc/man/kzonesign.1in) 11
13 files changed, 265 insertions, 116 deletions
diff --git a/doc/man/kcatalogprint.8in b/doc/man/kcatalogprint.8
index da964d8..f9d9fc9 100644
--- a/doc/man/kcatalogprint.8in
+++ b/doc/man/kcatalogprint.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KCATALOGPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KCATALOGPRINT" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kcatalogprint \- Knot DNS catalog print utility
.SH SYNOPSIS
@@ -40,10 +40,10 @@ The program prints zone catalog stored in a catalog database.
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
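Review bot: the defaults on the `-c` and `-C` lines are now the literal paths `/usr/local/etc/knot/knot.conf` and `/usr/local/var/lib/knot/confdb` where the template had `@config_dir@` and `@storage_dir@`, so the page is only correct for a build configured with that prefix. If the packaged binaries use other directories, regenerate the man pages from the templates at package build time or patch the paths. The same substitution recurs in keymgr.8, kjournalprint.8, knotc.8, knotd.8 and kzonesign.1 in this diff, and operators read these paths to decide which files and sockets to protect.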
@@ -63,7 +63,8 @@ Filter the output by member zone name.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man/kdig.1in b/doc/man/kdig.1
index 99745c9..207c8c8 100644
--- a/doc/man/kdig.1in
+++ b/doc/man/kdig.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KDIG" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kdig \- Advanced DNS lookup utility
.SH SYNOPSIS
@@ -43,16 +43,16 @@ which must precede \fIquery\fP specification.
.SS Parameters
.INDENT 0.0
.TP
-\fIquery\fP
+.B \fIquery\fP
\fIname\fP | \fB\-q\fP \fIname\fP | \fB\-x\fP \fIaddress\fP | \fB\-G\fP \fItapfile\fP
.TP
-\fIcommon\-settings\fP, \fIsettings\fP
+.B \fIcommon\-settings\fP, \fIsettings\fP
[\fIquery_class\fP] [\fIquery_type\fP] [\fB@\fP\fIserver\fP]... [\fIoptions\fP]
.TP
-\fIname\fP
+.B \fIname\fP
Is a domain name that is to be looked up.
.TP
-\fIserver\fP
+.B \fIserver\fP
Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
to. An additional port can be specified using address:port ([address]:port
for IPv6 address), address@port, or address#port notation. A value which begins
@@ -132,7 +132,8 @@ is provided, empty question section is set.
An explicit \fIquery_type\fP specification. See possible values above.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.TP
\fB\-x\fP \fIaddress\fP
Send a reverse (PTR) query for IPv4 or IPv6 \fIaddress\fP\&. The correct name, class
@@ -302,7 +303,7 @@ Use QUIC (DNS\-over\-QUIC).
Request the nameserver identifier (NSID).
.TP
\fB+\fP[\fBno\fP]\fBbufsize\fP=\fIB\fP
-Set EDNS buffer size in bytes (default is 4096 bytes).
+Set EDNS buffer size in bytes (default is 1232 bytes).
.TP
\fB+\fP[\fBno\fP]\fBpadding\fP[=\fIB\fP]
Use EDNS(0) padding option to pad queries, optionally to a specific
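Review bot: the `+bufsize` default drops from 4096 to 1232 bytes on the changed line, which is a behaviour change for anyone scripting kdig, and the text gives no hint about the effect. Suggest adding a sentence that larger answers will now come back truncated over UDP unless `+bufsize` is raised, and noting that 1232 matches the default shown in knot.conf.5 for the IPv6 EDNS0 UDP payload size.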
@@ -319,7 +320,7 @@ Align the query to B\-byte\-block message using the EDNS(0) padding option
Set EDNS(0) client subnet SUBN=addr/prefix.
.TP
\fB+\fP[\fBno\fP]\fBedns\fP[=\fIN\fP]
-Use EDNS version (default is 0).
+Use EDNS version (default is 0). EDNS(0) is enabled by default.
.TP
\fB+\fP[\fBno\fP]\fBtimeout\fP=\fIT\fP
Set the wait\-for\-reply interval in seconds (default is 5 seconds). This timeout
@@ -354,7 +355,7 @@ Use JSON for output encoding (RFC 8427).
.TP
\fB+noidn\fP
Disable the IDN transformation to ASCII and vice versa. IDN support depends
-on libidn availability during project building! If used in \fIcommon\-settings\fP,
+on libidn2 availability during project building! If used in \fIcommon\-settings\fP,
all IDN transformations are disabled. If used in the individual query \fIsettings\fP,
transformation from ASCII is disabled on output for the particular query. Note
that IDN transformation does not preserve domain name letter case.
diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8
index 020d854..a963df3 100644
--- a/doc/man/keymgr.8in
+++ b/doc/man/keymgr.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KEYMGR" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
keymgr \- Knot DNS key management utility
.SH SYNOPSIS
@@ -51,17 +51,17 @@ The database is backed by LMDB.
.SS Parameters
.INDENT 0.0
.TP
-\fIzone_name\fP
+.B \fIzone_name\fP
Name of the zone the command is executed for.
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
@@ -98,7 +98,8 @@ Force colorized output in the normal mode.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.sp
\fBNOTE:\fP
@@ -279,16 +280,16 @@ Key deleted.
.SS Timestamps
.INDENT 0.0
.TP
-0
+.B 0
Zero timestamp means infinite future.
.TP
-\fIUNIX_time\fP
+.B \fIUNIX_time\fP
Positive number of seconds since 1970 UTC.
.TP
-\fIYYYYMMDDHHMMSS\fP
+.B \fIYYYYMMDDHHMMSS\fP
Date and time in this format without any punctuation.
.TP
-\fIrelative_timestamp\fP
+.B \fIrelative_timestamp\fP
A sign character (\fB+\fP, \fB\-\fP), a number, and an optional time unit
(\fBy\fP, \fBmo\fP, \fBd\fP, \fBh\fP, \fBmi\fP, \fBs\fP). The default unit is one second.
E.g. +1mi, \-2mo.
@@ -296,7 +297,7 @@ E.g. +1mi, \-2mo.
.SS Output timestamp formats
.INDENT 0.0
.TP
-(none)
+.B (none)
The timestamps are printed as UNIX timestamp.
.TP
\fBhuman\fP
diff --git a/doc/man/khost.1in b/doc/man/khost.1
index 292f080..4cae5e9 100644
--- a/doc/man/khost.1in
+++ b/doc/man/khost.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KHOST" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
khost \- Simple DNS lookup utility
.SH SYNOPSIS
@@ -41,11 +41,11 @@ instead.
.SS Parameters
.INDENT 0.0
.TP
-\fIname\fP
+.B \fIname\fP
Is a domain name that is to be looked up. If the \fIname\fP is IPv4 or IPv6
address the PTR query type is used.
.TP
-\fIserver\fP
+.B \fIserver\fP
Is a name or an address of the nameserver to send a query to. The address
can be specified using [address]:port notation. If no server is specified,
the servers from \fB/etc/resolv.conf\fP are used.
@@ -80,7 +80,8 @@ Use the TCP protocol.
Enable verbose output.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.TP
\fB\-w\fP
Wait forever for the reply.
diff --git a/doc/man/kjournalprint.8in b/doc/man/kjournalprint.8
index 2a1303a..4c17e36 100644
--- a/doc/man/kjournalprint.8in
+++ b/doc/man/kjournalprint.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KJOURNALPRINT" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kjournalprint \- Knot DNS journal print utility
.SH SYNOPSIS
@@ -42,17 +42,17 @@ changes are colored for terminal.
.SS Parameters
.INDENT 0.0
.TP
-\fIzone_name\fP
+.B \fIzone_name\fP
A name of the zone to print the history for.
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
@@ -80,9 +80,6 @@ Debug mode brief output.
\fB\-x\fP, \fB\-\-mono\fP
Don\(aqt generate colorized output.
.TP
-\fB\-n\fP, \fB\-\-no\-color\fP
-An alias for \fB\-x\fP\&. Use of this option is deprecated, it will be removed in the future.
-.TP
\fB\-X\fP, \fB\-\-color\fP
Force colorized output.
.TP
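Review bot: `-n`/`--no-color` is dropped from the page outright here, while the removed text only said the alias was deprecated and would be removed in the future. Worth a line in the package changelog pointing users of `-n` to `-x`/`--mono`, which the context lines keep, so existing scripts are not caught out by the upgrade.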
@@ -90,7 +87,8 @@ Force colorized output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5
index d091d15..dc6fe4a 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOT.CONF" "5" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knot.conf \- Knot DNS configuration file
.SH DESCRIPTION
@@ -47,10 +47,11 @@ the following symbols:
.IP \(bu 2
\fBBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP)
.IP \(bu 2
-\fBTIME\fP – Number of seconds, an integer with possible time multiplier suffix
-(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
+\fBTIME\fP – Number of seconds, an integer with a possible time multiplier suffix
+(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600, \fBd\fP ~ 24 * 3600, \fBw\fP ~ 7 * 24 * 3600,
+\fBM\fP ~ 30 * 24 * 3600, \fBy\fP ~ 365 * 24 * 3600)
.IP \(bu 2
-\fBSIZE\fP – Number of bytes, an integer with possible size multiplier suffix
+\fBSIZE\fP – Number of bytes, an integer with a possible size multiplier suffix
(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
.IP \(bu 2
\fBBASE64\fP – Base64 encoded string
@@ -268,6 +269,7 @@ server:
dbus\-init\-delay: TIME
listen: ADDR[@INT] | STR ...
listen\-quic: ADDR[@INT] ...
+ listen\-tls: ADDR[@INT] ...
.ft P
.fi
.UNINDENT
@@ -531,19 +533,15 @@ Maximum EDNS0 UDP payload size for IPv6.
\fIDefault:\fP \fB1232\fP
.SS key\-file
.sp
-Path to a server key PEM file which is used for DNS over QUIC communication.
+Path to a server key PEM file which is used for DNS over QUIC/TLS communication.
A non\-absolute path of a user specified key file is relative to the
-\fB@config_dir@\fP directory.
-.sp
-Change of this parameter requires restart of the Knot server to take effect.
+\fB/usr/local/etc/knot\fP directory.
.sp
\fIDefault:\fP auto\-generated key
.SS cert\-file
.sp
-Path to a server certificate PEM file which is used for DNS over QUIC communication.
-A non\-absolute path is relative to the \fB@config_dir@\fP directory.
-.sp
-Change of this parameter requires restart of the Knot server to take effect.
+Path to a server certificate PEM file which is used for DNS over QUIC/TLS communication.
+A non\-absolute path is relative to the \fB/usr/local/etc/knot\fP directory.
.sp
\fIDefault:\fP one\-time in\-memory certificate
.SS edns\-client\-subnet
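Review bot: both `key-file` and `cert-file` lose the sentence "Change of this parameter requires restart of the Knot server to take effect" with no replacement, so the page no longer says how a rotated key or certificate is picked up. Please state the new behaviour explicitly (for example that a reload is sufficient, if that is the case). Since these files now serve QUIC and TLS, it would also help to spell out what the defaults, an auto-generated key and a one-time in-memory certificate, mean for clients that pin or validate the server.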
@@ -604,20 +602,21 @@ catalog zones and their members) are loaded or successfully bootstrapped.
the signal parameters are \fIzone name\fP and \fIzone SOA serial\fP\&.
.IP \(bu 2
\fBkeys\-updated\fP \- The signal \fBkeys_updated\fP is emitted when a DNSSEC key set
-of this zone is updated.
+is updated; the signal parameter is \fIzone name\fP\&.
.IP \(bu 2
\fBksk\-submission\fP – The signal \fBzone_ksk_submission\fP is emitted if there is
a ready KSK present when the zone is signed; the signal parameters are
\fIzone name\fP, \fIKSK keytag\fP, and \fIKSK KASP id\fP\&.
.IP \(bu 2
\fBdnssec\-invalid\fP – The signal \fBzone_dnssec_invalid\fP is emitted when DNSSEC
-validation fails; the signal parameter is \fIzone name\fP\&.
+validation fails; the signal parameters are \fIzone name\fP, and \fIremaining seconds\fP
+until an RRSIG expires.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-This function requires systemd version at least 221.
+This function requires systemd version at least 221 or libdbus.
.UNINDENT
.UNINDENT
.sp
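Review bot: `dnssec-invalid` now documents a second signal parameter, "remaining seconds" until an RRSIG expires, but the entry still says the signal is emitted "when DNSSEC validation fails" and does not say what the value is in that case. Suggest defining the value for a hard validation failure versus a signature that is merely close to expiry, and flagging the added parameter as a signature change for existing D-Bus consumers of `zone_dnssec_invalid`. The comma in "zone name, and remaining seconds" can go.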
@@ -655,14 +654,14 @@ for incoming queries over QUIC protocol.
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP not set
+.SS listen\-tls
.sp
-\fBNOTE:\fP
-.INDENT 0.0
-.INDENT 3.5
-Incoming \fI\%DDNS\fP over QUIC isn\(aqt supported.
-The server always responds with SERVFAIL.
-.UNINDENT
-.UNINDENT
+One or more IP addresses (and optionally ports) where the server listens
+for incoming queries over TLS protocol (DoT).
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP not set
.SH XDP SECTION
.sp
Various options related to XDP listening, especially TCP.
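Review bot: the new `listen-tls` section says "and optionally ports" but never gives the port used when none is specified, and it does not point to `key-file`/`cert-file`, which this same diff extends to TLS. Suggest adding the default port and a cross-reference. The hunk also deletes the note that incoming DDNS over QUIC is answered with SERVFAIL; if that restriction is lifted, say so under `listen-quic` and state whether the same holds for TLS.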
@@ -684,6 +683,9 @@ xdp:
tcp\-idle\-reset\-timeout: TIME
tcp\-resend\-timeout: TIME
route\-check: BOOL
+ ring\-size: INT
+ busypoll\-budget: INT
+ busypoll\-timeout: INT
.ft P
.fi
.UNINDENT
@@ -849,6 +851,63 @@ Only VLAN 802.1Q is supported.
.UNINDENT
.sp
\fIDefault:\fP \fBoff\fP
+.SS ring\-size
+.sp
+Size of RX, FQ, TX, and CQ rings.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value should be at least as high as the configured RX size of the
+network device in the XDP mode.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB2048\fP
+.SS busypoll\-budget
+.sp
+If set to a positive value, preferred busy polling is enabled with the
+specified budget.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Preferred busy polling also requires setting \fBnapi_defer_hard_irqs\fP and
+\fBgro_flush_timeout\fP for the appropriate network interface. E.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+echo 2 | sudo tee /sys/class/net/<interface>/napi_defer_hard_irqs
+echo 200000 | sudo tee /sys/class/net/<interface>/gro_flush_timeout
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+A recommended value is between 8 and 64.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB0\fP (disabled)
+.SS busypoll\-timeout
+.sp
+Timeout in microseconds of preferrred busy polling if enabled by
+\fI\%busypoll\-budget\fP\&.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fB20\fP (20 microseconds)
.SH CONTROL SECTION
.sp
Configuration of the server control interface.
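Review bot: typo in the added `busypoll-timeout` text, "preferrred" should be "preferred". Also, `ring-size` gives a default of 2048 and a lower bound relative to the device RX size but no valid range for the value, and `busypoll-budget` puts its recommended range (8 to 64) in a second NOTE after the sysfs example, where it is easy to miss; consider moving it up into the description.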
@@ -1266,6 +1325,7 @@ remote:
address: ADDR[@INT] | STR ...
via: ADDR[@INT] ...
quic: BOOL
+ tls: BOOL
key: key_id
cert\-key: BASE64 ...
block\-notify\-after\-transfer: BOOL
@@ -1356,6 +1416,12 @@ queried remotes.
.UNINDENT
.sp
\fIDefault:\fP \fBoff\fP
+.SS tls
+.sp
+If this option is set, the TLS (DoT) protocol will be used for outgoing communication
+with this remote.
+.sp
+\fIDefault:\fP \fBoff\fP
.SS key
.sp
A \fI\%reference\fP to the TSIG key which is used to authenticate
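Review bot: the new `tls` section says DoT will be used for outgoing communication with the remote but not how the remote is authenticated. `cert-key` is listed right below `tls` in the syntax block of the previous hunk, so reference it here and state what is and is not verified when `cert-key` is left empty. Also say what happens if both `quic` and `tls` are set to on.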
@@ -1787,8 +1853,6 @@ Possible values:
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
-.sp
Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.
.UNINDENT
.UNINDENT
@@ -1955,6 +2019,10 @@ will be refreshed, in order to prevent expired RRSIGs on secondary servers or
resolvers\(aq caches.
.sp
\fIDefault:\fP 0.1 * \fI\%rrsig\-lifetime\fP + \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP
+.sp
+If \fI\%dnssec\-validation\fP is enabled:
+.sp
+\fIDefault:\fP \fB1d\fP (1 day)
.SS rrsig\-pre\-refresh
.sp
A period (in seconds) how long at most before a signature refresh time the signature
@@ -2638,7 +2706,9 @@ Every NSEC(3) RR is linked to the lexicographically next one.
.sp
The validation is not affected by \fI\%dnssec\-policy\fP configuration,
except for \fI\%signing\-threads\fP option, which specifies the number
-of threads for parallel validation.
+of threads for parallel validation, and \fI\%rrsig\-refresh\fP, which
+defines minimal allowed remaining RRSIG validity (otherwise a warning is
+logged).
.sp
\fBNOTE:\fP
.INDENT 0.0
diff --git a/doc/man/knotc.8in b/doc/man/knotc.8
index 01bfc95..5e41e97 100644
--- a/doc/man/knotc.8in
+++ b/doc/man/knotc.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOTC" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knotc \- Knot DNS control utility
.SH SYNOPSIS
@@ -43,10 +43,10 @@ is executed in the interactive mode.
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.UNINDENT
@@ -55,10 +55,10 @@ configuration file.
.TP
\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
Set maximum size of the configuration database
-(default is @conf_mapsize@ MiB, maximum 10000 MiB).
+(default is 500 MiB, maximum 10000 MiB).
.TP
\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
-Use a control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+Use a control UNIX socket path (default is \fB/usr/local/var/run/knot/knot.sock\fP).
.TP
\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
Use a control timeout in seconds. Set to 0 for infinity (default is 60).
@@ -88,7 +88,8 @@ Enable debug output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SS Actions
.INDENT 0.0
@@ -173,8 +174,9 @@ disables all other filters by default, but they can still be turned on
explicitly. If zone flushing is disabled, the original zone file is backed
up instead of writing out zone contents to a file. When backing\-up a catalog
zone, it is recommended to prevent ongoing changes to it by use of
-\fBzone\-freeze\fP\&.
-See \fI\%Notes\fP below about the directory permissions. (#)
+\fBzone\-freeze\fP\&. The force option allows an already existing backupdir to
+be overwritten. See \fI\%Notes\fP below about the directory permissions.
+(#)
.TP
\fBzone\-restore\fP [\fIzone\fP\&...] \fB+backupdir\fP \fIdirectory\fP [\fIfilter\fP\&...]
Trigger a zone data and metadata restore from a specified backup directory.
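Review bot: the sentence added to `zone-backup` refers to "the force option" without naming it, so a reader of this entry cannot tell what to type. Name the flag as it appears under Options, and say whether existing files in the backupdir are replaced or merged, since overwriting a backup is destructive.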
@@ -187,6 +189,10 @@ permissions. (#)
Trigger a DNSSEC re\-sign of the zone. Existing signatures will be dropped.
This command is valid for zones with DNSSEC signing enabled. (#)
.TP
+\fBzone\-validate\fP [\fIzone\fP\&...]
+Trigger a DNSSEC validation of the zone. If the validation fails and the
+zone is secondary, the zone expires immediately! (#)
+.TP
\fBzone\-keys\-load\fP [\fIzone\fP\&...]
Trigger a load of DNSSEC keys and other signing material from KASP database
(which might have been altered manually). If suitable, re\-sign the zone
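Review bot: the side effect in the new `zone-validate` entry, "If the validation fails and the zone is secondary, the zone expires immediately!", is stated only in passing for a command that can take a zone out of service. Suggest promoting it to a NOTE block like the ones used elsewhere in these pages, and stating what happens on failure for a zone that is not secondary.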
@@ -207,7 +213,8 @@ KSK in submission phase and the old KSK can be retired. (#)
\fBzone\-freeze\fP [\fIzone\fP\&...]
Trigger a zone freeze. All running events will be finished and all new and pending
(planned) zone\-changing events (load, refresh, update, flush, and DNSSEC signing)
-will be held up until the zone is thawed. (#)
+will be held up until the zone is thawed. Up to 8 (this limit is hardcoded) DDNS
+updates per zone will be queued, subsequent updates will be refused. (#)
.TP
\fBzone\-thaw\fP [\fIzone\fP\&...]
Trigger dismissal of zone freeze. (#)
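Review bot: the queue limit added to `zone-freeze` says updates beyond the 8 queued ones "will be refused" but not how the client sees that. Name the response code returned once the queue is full, so operators can tell a full freeze queue from an ACL or TSIG rejection.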
diff --git a/doc/man/knotd.8in b/doc/man/knotd.8
index 1d02cc8..bbeb6a4 100644
--- a/doc/man/knotd.8in
+++ b/doc/man/knotd.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOTD" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOTD" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knotd \- Knot DNS server daemon
.SH SYNOPSIS
@@ -41,10 +41,10 @@ the DNS server daemon.
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.UNINDENT
@@ -53,10 +53,10 @@ configuration file.
.TP
\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
Set maximum size of the configuration database
-(default is @conf_mapsize@ MiB, maximum 10000 MiB).
+(default is 500 MiB, maximum 10000 MiB).
.TP
\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
-Use a remote control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+Use a remote control UNIX socket path (default is \fB/usr/local/var/run/knot/knot.sock\fP).
.TP
\fB\-d\fP, \fB\-\-daemonize\fP [\fIdirectory\fP]
Run the server as a daemon. New root directory may be specified
@@ -69,7 +69,8 @@ Enable debug output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SS Signals
.sp
diff --git a/doc/man/knsec3hash.1in b/doc/man/knsec3hash.1
index d9fa4a3..3bb9766 100644
--- a/doc/man/knsec3hash.1in
+++ b/doc/man/knsec3hash.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNSEC3HASH" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNSEC3HASH" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knsec3hash \- Simple utility to compute NSEC3 hash
.SH SYNOPSIS
@@ -35,27 +35,39 @@ knsec3hash \- Simple utility to compute NSEC3 hash
\fBknsec3hash\fP \fIsalt\fP \fIalgorithm\fP \fIiterations\fP \fIname\fP
.sp
\fBknsec3hash\fP \fIalgorithm\fP \fIflags\fP \fIiterations\fP \fIsalt\fP \fIname\fP
+.sp
+\fBknsec3hash\fP [\fI\-h\fP] [\fI\-V\fP]
.SH DESCRIPTION
.sp
This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash.
.SS Parameters
.INDENT 0.0
.TP
-\fIsalt\fP
+.B \fIsalt\fP
Specifies a binary salt encoded as a hexadecimal string.
.TP
-\fIalgorithm\fP
+.B \fIalgorithm\fP
Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA\-1 (number 1).
.TP
-\fIiterations\fP
+.B \fIiterations\fP
Specifies the number of additional iterations of the hashing algorithm.
.TP
-\fIname\fP
+.B \fIname\fP
Specifies the domain name to be hashed.
.TP
-\fIflags\fP
+.B \fIflags\fP
Specifies NSEC3 flags as an unsigned integer.
.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
+.UNINDENT
.SH EXIT VALUES
.sp
Exit status of 0 means successful operation. Any other exit status indicates
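Review bot: the new synopsis line sets the flags in italics, `[\fI\-h\fP] [\fI\-V\fP]`, while the Options section added in the same hunk, like the other pages in this diff, sets option flags in bold with `\fB`. These files are rst2man output, so fix it in the source document so that `-h` and `-V` render as literal options rather than as replaceable arguments.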
diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1
index ed34dd2..58220a0 100644
--- a/doc/man/knsupdate.1in
+++ b/doc/man/knsupdate.1
@@ -27,12 +27,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNSUPDATE" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNSUPDATE" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knsupdate \- Dynamic DNS update utility
.SH SYNOPSIS
.sp
-\fBknsupdate\fP [\fIoptions\fP] [\fIfilename\fP]
+\fBknsupdate\fP [\fB\-v\fP] [\fIoptions\fP] [\fIfilename\fP]
+.sp
+\fBknsupdate\fP [\fB\-q\fP] [\fIquic_options\fP] [\fIoptions\fP] [\fIfilename\fP]
.SH DESCRIPTION
.sp
This utility sends Dynamic DNS update messages to a DNS server. Update content
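Review bot: the second synopsis line uses `[\fB\-q\fP] [\fIquic_options\fP]`, but the Options hunk below defines QUIC as `-Q, --quic` and TLS as `-S, --tls`, and no `-q` is described anywhere. Likewise the first line shows `[-v]`, which the option list now mentions only as an nsupdate compatibility alias under `-T`. Suggest aligning the synopsis with the option names and with the "QUIC/TLS options" section title.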
@@ -45,44 +47,76 @@ comments and are not processed.
.SS Parameters
.INDENT 0.0
.TP
-\fIfilename\fP
+.B \fIfilename\fP
Path to the file with knsupdate commands.
.UNINDENT
.SS Options
.INDENT 0.0
.TP
-\fB\-d\fP
-Enable debug messages.
+\fB\-T\fP, \fB\-\-tcp\fP
+Use a TCP connection. (\fB\-v\fP can be used for compatibility with nsupdate).
.TP
-\fB\-h\fP, \fB\-\-help\fP
-Print the program help.
+\fB\-S\fP, \fB\-\-tls\fP
+Use a TLS connection.
.TP
-\fB\-k\fP \fIkeyfile\fP
-Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
-file should contain the key in the same format, which is accepted by the
-\fB\-y\fP option.
+\fB\-Q\fP, \fB\-\-quic\fP
+Use a QUIC connection.
.TP
-\fB\-p\fP \fIport\fP
+\fB\-p\fP, \fB\-\-port\fP \fInumber\fP
Set the port to use for connections to the server (if not explicitly specified
-in the update). The default is 53.
+in the update). The default is 53 for UDP/TCP or 853 for QUIC.
.TP
-\fB\-r\fP \fIretries\fP
+\fB\-r\fP, \fB\-\-retry\fP \fIcount\fP
The number of retries for UDP requests. The default is 3.
.TP
-\fB\-t\fP \fItimeout\fP
+\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
The total timeout (for all UDP update tries) of the update request in seconds.
The default is 12. If set to zero, the timeout is infinite.
.TP
-\fB\-v\fP
-Use a TCP connection.
-.TP
-\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
-.TP
-\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+\fB\-y\fP, \fB\-\-tsig\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
the shared secret encoded in Base64.
+.TP
+\fB\-k\fP, \fB\-\-tsigfile\fP \fIpath\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-d\fP, \fB\-\-debug\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
+.UNINDENT
+.SS QUIC/TLS options
+.INDENT 0.0
+.TP
+\fB\-H\fP, \fB\-\-hostname\fP \fIstring\fP
+Enable remote server hostname validation.
+.TP
+\fB\-P\fP, \fB\-\-pin\fP \fIbase64\fP
+Use Out\-of\-Band key\-pinned privacy profile
+(RFC 7858#section\-4.2). The PIN must be a Base64 encoded SHA\-256 hash of the
+X.509 SubjectPublicKeyInfo. Can be specified multiple times.
+.TP
+\fB\-A\fP, \fB\-\-ca\fP [\fIpath\fP]
+Enable certificate validation. Certification authority certificates
+are loaded from the specified PEM file (default is system certificate storage
+if no argument is provided). Can be specified multiple times.
+.TP
+\fB\-E\fP, \fB\-\-certfile\fP \fIpath\fP
+Path to a client certificate file.
+.TP
+\fB\-K\fP, \fB\-\-keyfile\fP \fIpath\fP
+Path to a client key file.
+.TP
+\fB\-s\fP, \fB\-\-sni\fP \fIstring\fP
+Use specified Server Name Indication.
.UNINDENT
.SS Commands
.INDENT 0.0
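Review bot: the new "QUIC/TLS options" describe `-H`, `-P` and `-A` as enabling hostname, pin and certificate validation, but nothing says what is verified when none of them is given. State the default explicitly, because an update sent with `-S` or `-Q` and no validation option reads as authenticated transport when it may not be. Two smaller points in the same hunk: `-k, --tsigfile` takes `path` but its description still says `keyfile`, which now collides with `-K, --keyfile` for the client key, and the `-p` default lists "53 for UDP/TCP or 853 for QUIC" without mentioning TLS.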
diff --git a/doc/man/kxdpgun.8in b/doc/man/kxdpgun.8
index f93872b..d7892eb 100644
--- a/doc/man/kxdpgun.8in
+++ b/doc/man/kxdpgun.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KXDPGUN" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KXDPGUN" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kxdpgun \- XDP-powered DNS benchmarking tool
.SH SYNOPSIS
@@ -47,10 +47,10 @@ configured for the network interface.
.SS Parameters
.INDENT 0.0
.TP
-\fIfilename\fP
+.B \fIfilename\fP
Path to the queries file. See the description below regarding the file format.
.TP
-\fItarget\fP
+.B \fItarget\fP
Either the domain name, IPv4 or IPv6 address of a remote target.
.UNINDENT
.SS Options
@@ -90,6 +90,11 @@ CPU ID increment for next thread (default is 0s1).
\fB\-i\fP, \fB\-\-infile\fP \fIfilename\fP
Path to a file with query templates.
.TP
+\fB\-B\fP, \fB\-\-binary\fP
+Specify that input file is in binary format. This format is similar to the
+TCP DNS message format. The file contains records formated as 2\-octet length
+(network order) followed by a message in DNS wire format.
+.TP
\fB\-I\fP, \fB\-\-interface\fP \fIinterface\fP
Network interface for outgoing communication. This can be useful in situations
when the interfaces are in a bond for example.
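Review bot: typo in the added `-B` description, "formated" should be "formatted". The text also calls the format "similar to" the TCP DNS message format and then defines it exactly as a 2-octet network-order length followed by a wire-format message; either drop "similar to" or say how it differs, so that people generating input files know whether standard TCP framing is accepted as is.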
@@ -136,11 +141,20 @@ has to exist.
This option is ignored if not in the QUIC mode. The recommended usage is
with \fB\-\-quic=R\fP or with low QPS. Otherwise, too many files are generated.
.TP
+\fB\-j\fP, \fB\-\-json\fP
+Print statistics formatted as json.
+.TP
+\fB\-S\fP, \fB\-\-stats\-period\fP \fIperiod\fP
+Report statistics automatically every \fIperiod\fP milliseconds.
+.sp
+These reports contain only metrics collected in the given period.
+.TP
\fB\-h\fP, \fB\-\-help\fP
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SS Queries file format
.sp
@@ -187,7 +201,8 @@ Instead of opening a connection for each query, reuse connections.
.SS Signals
.sp
Sending USR1 signal to a running process triggers current statistics dump
-to the standard output.
+to the standard output. In combination with \fB\-S\fP may cause erratic printout
+timing.
.SH NOTES
.sp
Linux kernel 4.18+ is required.
@@ -197,6 +212,12 @@ CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_IPC_LOCK, and CAP_SYS_RESOURCE
(Linux < 5.11).
.sp
The utility allocates source UDP/TCP ports from the range 2000\-65535.
+.sp
+Due to the multi\-threaded program structure there are slight discrepancies in
+the timespan during which metrics are collected for any given thread. The
+statistics printouts ignore this and are thus ever\-so\-slightly inaccurate. The
+error margin decreases proportionally to the volume of data & timespan over
+which they are collected.
.SH EXIT VALUES
.sp
Exit status of 0 means successful operation. Any other exit status indicates
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1
index a73b66e..22ebe47 100644
--- a/doc/man/kzonecheck.1in
+++ b/doc/man/kzonecheck.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KZONECHECK" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KZONECHECK" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kzonecheck \- Knot DNS zone check tool
.SH SYNOPSIS
@@ -44,7 +44,7 @@ Please, refer to the \fBsemantic\-checks\fP configuration option in
.SS Parameters
.INDENT 0.0
.TP
-\fIfilename\fP
+.B \fIfilename\fP
Path to the zone file to be checked. For reading from \fBstdin\fP use \fB/dev/stdin\fP
or just \fB\-\fP\&.
.UNINDENT
@@ -77,7 +77,8 @@ Enable debug output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man/kzonesign.1in b/doc/man/kzonesign.1
index 147e112..558c95b 100644
--- a/doc/man/kzonesign.1in
+++ b/doc/man/kzonesign.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KZONESIGN" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KZONESIGN" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kzonesign \- DNSSEC signing utility
.SH SYNOPSIS
@@ -43,17 +43,17 @@ and zone.adjust\-threads).
.SS Parameters
.INDENT 0.0
.TP
-\fIzone_name\fP
+.B \fIzone_name\fP
A name of the zone to be signed.
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.UNINDENT
@@ -78,7 +78,8 @@ specified by timestamp.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp