Adding upstream version 3.3.6.upstream/3.3.6

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

8 files changed, 207 insertions, 116 deletions

diff --git a/doc/configuration.rst b/doc/configuration.rst
index 55457eb..a29521b 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -89,15 +89,15 @@ zones. There is no inheritance between templates; they are exclusive. The
 Access control list (ACL)
 =========================
 
-Some types of incoming DNS requests must be authorized before they can be
-processed by the server. A zone can have configured :ref:`zone_acl` which is
-a sequence of :ref:`rules <ACL section>` describing what requests are authorized.
-By default if :ref:`automatic ACL <server_automatic-acl>` is not enabled, all requests,
-which require authorization, are denied.
-
-Every ACL rule can allow or deny one or more request types based on the
-source IP address, network subnet, or address range and/or if the request is
-secured by a given TSIG key. See :doc:`keymgr -t<man_keymgr>` on how
+Normal DNS queries are always allowed. All other DNS requests must be
+authorized before they can be processed by the server. A zone can have
+configured :ref:`ACL <ACL section>` which is a sequence of rules describing
+what requests are authorized. An :ref:`automatic ACL <server_automatic-acl>`
+feature can be used to simplify ACL management.
+
+Every ACL rule can allow or deny one or more request types (:ref:`actions <acl_action>`)
+based on the source IP address, network subnet, or address range and/or if the
+request is secured by a given TSIG key. See :doc:`keymgr -t<man_keymgr>` on how
 to generate a TSIG key.
 
 If there are multiple ACL rules assigned to a zone, they are applied in the
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index a951b7c..a9b175e 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -253,7 +253,7 @@ server:
     quic\-idle\-close\-timeout: TIME
     remote\-pool\-limit: INT
     remote\-pool\-timeout: TIME
-    remote\-retry\-delay: TIME
+    remote\-retry\-delay: INT
     socket\-affinity: BOOL
     udp\-max\-payload: SIZE
     udp\-max\-payload\-ipv4: SIZE
@@ -809,7 +809,7 @@ Time in seconds, after which any idle connection is forcibly closed.
 .SS tcp\-resend\-timeout
 .sp
 Resend outgoing data packets (with DNS response payload) if not ACKed
-before this timeout.
+before this timeout (in seconds).
 .sp
 \fIMinimum:\fP \fB1\fP
 .sp
@@ -859,6 +859,7 @@ Configuration of the server control interface.
 .ft C
 control:
     listen: STR
+    backlog: INT
     timeout: TIME
 .ft P
 .fi
@@ -869,7 +870,16 @@ control:
 A UNIX socket \fI\%path\fP where the server listens for
 control commands.
 .sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
 \fIDefault:\fP \fI\%rundir\fP\fB/knot.sock\fP
+.SS backlog
+.sp
+The control UNIX socket listen backlog size.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fB5\fP
 .SS timeout
 .sp
 Maximum time (in seconds) the control socket operations can take.
@@ -1436,8 +1446,9 @@ An ordered list of \fI\%references\fP to remote server definitions.
 .SH ACL SECTION
 .sp
 Access control list rule definitions. An ACL rule is a description of one
-or more authorized operations (zone transfer request, zone change notification,
-and dynamic DNS update) which are allowed to be processed or denied.
+or more authorized actions (zone transfer request, zone change notification,
+and dynamic DNS update) which are allowed to be processed or denied. Normal
+DNS queries are always allowed.
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -1506,7 +1517,7 @@ This option cannot be specified along with the \fI\%address\fP or
 \fIDefault:\fP not set
 .SS action
 .sp
-An ordered list of allowed (or denied) actions.
+An ordered list of allowed, or denied, actions (request types).
 .sp
 Possible values:
 .INDENT 0.0
@@ -1626,8 +1637,8 @@ A DNSSEC\-validating resolver can be set as a parent.
 .UNINDENT
 .SS check\-interval
 .sp
-Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the
-case of the KSK submission.
+Interval (in seconds) for periodic checks of DS presence on parent\(aqs DNS
+servers, in the case of the KSK submission.
 .sp
 \fIDefault:\fP \fB1h\fP (1 hour)
 .SS timeout
@@ -1639,14 +1650,14 @@ Set to 0 for infinity.
 \fIDefault:\fP \fB0\fP
 .SS parent\-delay
 .sp
-After successful parent DS check, wait for this period before continuing the next
-key roll\-over step. This delay shall cover the propagation delay of update in the
-parent zone.
+After successful parent DS check, wait for this period (in seconds) before
+continuing the next key roll\-over step. This delay shall cover the propagation
+delay of update in the parent zone.
 .sp
 \fIDefault:\fP \fB0\fP
 .SH DNSKEY-SYNC SECTION
 .sp
-Parameters of DNSKEY dynamic\-update synchrnization.
+Parameters of DNSKEY dynamic\-update synchronization.
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -1673,7 +1684,7 @@ DNSKEY/CDNSKEY/CDS records shall be sent to.
 .SS check\-interval
 .sp
 If the last DNSKEY sync failed or resulted in any change, re\-check
-the consistence after this interval and re\-try if needed.
+the consistence after this interval (in seconds) and re\-try if needed.
 .sp
 \fIDefault:\fP \fB60\fP (1 minute)
 .SH POLICY SECTION
@@ -1695,6 +1706,7 @@ policy:
     ksk\-shared: BOOL
     dnskey\-ttl: TIME
     zone\-max\-ttl: TIME
+    keytag\-modulo: INT/INT
     ksk\-lifetime: TIME
     zsk\-lifetime: TIME
     delete\-delay: TIME
@@ -1844,9 +1856,26 @@ really reasonable when records are generated dynamically
 .UNINDENT
 .sp
 \fIDefault:\fP computed after zone is loaded
+.SS keytag\-modulo
+.sp
+Specifies that the keytags of any generated keys shall be congruent by specified modulo.
+The option value must be a string in the format \fBR/M\fP, where \fBR < M <= 256\fP are
+positive integers. Whenever a DNSSEC key is generated, it is ensured
+that \fBkeytag % M == R\fP\&. This prevents keytag conflict in \fI\%DNSSEC Offline KSK\fP
+or \fI\%DNSSEC multi\-signer\fP (and possibly other) setups.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This only applies to newly generated keys when they are generated. Keys from
+before this option and keys imported from elsewhere might not fulfill the policy.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB0/1\fP
 .SS ksk\-lifetime
 .sp
-A period between KSK generation and the next rollover initiation.
+A period (in seconds) between KSK generation and the next rollover initiation.
 .sp
 \fBNOTE:\fP
 .INDENT 0.0
@@ -1860,10 +1889,10 @@ This applies for CSK lifetime if single\-type\-signing is enabled.
 .UNINDENT
 .UNINDENT
 .sp
-\fIDefault:\fP \fB0\fP
+\fIDefault:\fP \fB0\fP (infinity)
 .SS zsk\-lifetime
 .sp
-A period between ZSK activation and the next rollover initiation.
+A period (in seconds) between ZSK activation and the next rollover initiation.
 .sp
 \fBNOTE:\fP
 .INDENT 0.0
@@ -1883,20 +1912,20 @@ Zero (aka infinity) value causes no ZSK rollover as a result.
 .SS delete\-delay
 .sp
 Once a key (KSK or ZSK) is rolled\-over and removed from the zone,
-keep it in the KASP database for at least this period before deleting it completely.
-This might be useful in some troubleshooting cases when resurrection
+keep it in the KASP database for at least this period (in seconds) before deleting
+it completely. This might be useful in some troubleshooting cases when resurrection
 is needed.
 .sp
 \fIDefault:\fP \fB0\fP
 .SS propagation\-delay
 .sp
-An extra delay added for each key rollover step. This value should be high
-enough to cover propagation of data from the primary server to all
-secondary servers, as well as the duration of signing routine itself and
-possible outages in signing and propagation infrastructure. In other words,
-this delay should ensure that within this period of time after planned
-change of the key set, all public\-facing secondaries will already serve
-new DNSKEY RRSet for sure.
+An extra delay added for each key rollover step. This value (in seconds)
+should be high enough to cover propagation of data from the primary server
+to all secondary servers, as well as the duration of signing routine itself
+and possible outages in signing and propagation infrastructure. In other
+words, this delay should ensure that within this period of time after
+planned change of the key set, all public\-facing secondaries will already
+serve new DNSKEY RRSet for sure.
 .sp
 \fBNOTE:\fP
 .INDENT 0.0
@@ -1908,7 +1937,7 @@ Has influence over ZSK key lifetime.
 \fIDefault:\fP \fB1h\fP (1 hour)
 .SS rrsig\-lifetime
 .sp
-A validity period of newly issued signatures.
+A validity period (in seconds) of newly issued signatures.
 .sp
 \fBNOTE:\fP
 .INDENT 0.0
@@ -1921,15 +1950,16 @@ time period is not counted to the signature lifetime.
 \fIDefault:\fP \fB14d\fP (14 days)
 .SS rrsig\-refresh
 .sp
-A period how long at least before a signature expiration the signature will be refreshed,
-in order to prevent expired RRSIGs on secondary servers or resolvers\(aq caches.
+A period (in seconds) how long at least before a signature expiration the signature
+will be refreshed, in order to prevent expired RRSIGs on secondary servers or
+resolvers\(aq caches.
 .sp
 \fIDefault:\fP 0.1 * \fI\%rrsig\-lifetime\fP + \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP
 .SS rrsig\-pre\-refresh
 .sp
-A period how long at most before a signature refresh time the signature might be refreshed,
-in order to refresh RRSIGs in bigger batches on a frequently updated zone
-(avoid re\-sign event too often).
+A period (in seconds) how long at most before a signature refresh time the signature
+might be refreshed, in order to refresh RRSIGs in bigger batches on a frequently updated
+zone (avoid re\-sign event too often).
 .sp
 \fIDefault:\fP \fB1h\fP (1 hour)
 .SS reproducible\-signing
@@ -1972,7 +2002,7 @@ name before hashing.
 \fIDefault:\fP \fB8\fP
 .SS nsec3\-salt\-lifetime
 .sp
-A validity period of newly issued salt field.
+A validity period (in seconds) of newly issued salt field.
 .sp
 Zero value means infinity.
 .sp
@@ -2308,6 +2338,7 @@ where DDD is corresponding decimal ASCII code.
 An ordered list of references \fI\%remote\fP and
 \fI\%remotes\fP to zone primary servers
 (formerly known as master servers).
+Empty value is allowed for template value overriding.
 .sp
 \fIDefault:\fP not set
 .SS ddns\-master
@@ -2326,6 +2357,7 @@ combination with \fI\%dnssec\-signing\fP enabled.
 An ordered list of references \fI\%remote\fP and
 \fI\%remotes\fP to secondary servers to which notify
 message is sent if the zone changes.
+Empty value is allowed for template value overriding.
 .sp
 \fIDefault:\fP not set
 .SS acl
@@ -2339,13 +2371,13 @@ or disallow zone transfers, updates or incoming notifies.
 If set to a nonzero value on a secondary, always request AXFR/IXFR from the same
 primary as the last time, effectively pinning one primary. Only when another
 primary is updated and the current one lags behind for the specified amount of time
-(defined by this option), change to the updated primary and force AXFR.
+(defined by this option in seconds), change to the updated primary and force AXFR.
 .sp
 This option is useful when multiple primaries may have different zone history
 in their journals, making it unsafe to combine interchanged IXFR
 from different primaries.
 .sp
-\fIDefault:\fP 0
+\fIDefault:\fP \fB0\fP (disabled)
 .SS provide\-ixfr
 .sp
 If disabled, the server is forced to respond with AXFR to IXFR queries.
@@ -2412,8 +2444,8 @@ query (malformed message) and triggers a zone bootstrap instead.
 \fIDefault:\fP \fBoff\fP
 .SS zonefile\-sync
 .sp
-The time after which the current zone in memory will be synced with a zone file
-on the disk (see \fI\%file\fP). The server will serve the latest
+The time in seconds after which the current zone in memory will be synced with
+a zone file on the disk (see \fI\%file\fP). The server will serve the latest
 zone even after a restart using zone journal, but the zone file on the disk will
 only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone
 flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
@@ -2520,7 +2552,7 @@ Zone\-in\-journal changeset isn\(aqt counted to the limit.
 If enabled, incoming IXFR is applied even when it contains removals of non\-existing
 or additions of existing records.
 .sp
-\fIDefault:\fP off
+\fIDefault:\fP \fBoff\fP
 .SS ixfr\-by\-one
 .sp
 Within incoming IXFR, process only one changeset at a time, not multiple together.
@@ -2615,7 +2647,7 @@ A configured policy called \(dqdefault\(dq won\(aqt be used unless explicitly re
 .SS ds\-push
 .sp
 Per zone configuration of \fI\%ds\-push\fP\&. This option overrides possible
-per policy option.
+per policy option. Empty value is allowed for template value overriding.
 .sp
 \fIDefault:\fP not set
 .SS zonemd\-verify
@@ -2791,9 +2823,8 @@ has the \fIgroup\fP property defined, matching another catalog template.
 .INDENT 3.5
 This option must be set if and only if \fI\%catalog\-role\fP is \fIinterpret\fP\&.
 .sp
-Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt use
-\fI\%catalog\-template\fP, \fI\%catalog\-role\fP, \fI\%catalog\-zone\fP,
-and \fI\%catalog\-group\fP options.
+Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt
+contain \fI\%catalog\-role\fP set to \fBinterpret\fP or \fBgenerate\fP\&.
 .UNINDENT
 .UNINDENT
 .sp
diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in
index 36e7c98..01bfc95 100644
--- a/doc/man/knotc.8in
+++ b/doc/man/knotc.8in
@@ -103,8 +103,8 @@ public key pin of the currently used certificate.
 Stop the server if running.
 .TP
 \fBreload\fP
-Reload the server configuration and modified zone files. All open zone
-transactions will be aborted!
+Reload the server configuration and modified zone files, and reopen the log files
+if they are configured. All open zone transactions will be aborted!
 .TP
 \fBstats\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]]
 Show global statistics counter(s). To print also counters with value 0, use
@@ -165,13 +165,15 @@ zone\(aqs journal, zone\-related timers, zone\-related data in the KASP database
 together with keys (or keys without the KASP database), zone\(aqs catalog,
 and the server QUIC key and certificate, respectively, are backed up,
 or omitted from the backup. By default, filters \fB+zonefile\fP, \fB+timers\fP,
-\fB+kaspdb\fP, \fB+nokeysonly\fP, \fB+catalog\fP, \fB+quic\fP, and \fB+nojournal\fP
+\fB+kaspdb\fP, \fB+catalog\fP, \fB+quic\fP, \fB+nojournal\fP, and \fB+nokeysonly\fP
 are set for backup. The same defaults are set for restore, with the only
-difference being \fB+noquic\fP\&. Setting a filter for an item doesn\(aqt change
-default settings for other items. If zone flushing is disabled, the original
-zone file is backed up instead of writing out zone contents to a file.
-When backing\-up a catalog zone, it is recommended to prevent ongoing changes
-to it by use of \fBzone\-freeze\fP\&.
+difference being \fB+noquic\fP\&. Setting a filter for an item doesn\(aqt change the
+default settings for other items. The only exception is \fB+keysonly\fP, which
+disables all other filters by default, but they can still be turned on
+explicitly. If zone flushing is disabled, the original zone file is backed
+up instead of writing out zone contents to a file. When backing\-up a catalog
+zone, it is recommended to prevent ongoing changes to it by use of
+\fBzone\-freeze\fP\&.
 See \fI\%Notes\fP below about the directory permissions. (#)
 .TP
 \fBzone\-restore\fP [\fIzone\fP\&...] \fB+backupdir\fP \fIdirectory\fP [\fIfilter\fP\&...]
@@ -271,8 +273,8 @@ An optional filter \fB+nopurge\fP prevents possibly existing configuration
 database from purging before the import itself.
 Also ensure the server is not using the configuration database at the same time! (*)
 .TP
-\fBconf\-export\fP [\fIfilename\fP]
-Export the configuration database into a config file or stdout. (*)
+\fBconf\-export\fP [\fIfilename\fP] [+schema]
+Export the configuration database (or JSON schema) into a file or stdout. (*)
 .TP
 \fBconf\-list\fP [\fIitem\fP]
 List the configuration database sections or section items.
diff --git a/doc/man/kxdpgun.8in b/doc/man/kxdpgun.8in
index 243f4f4..f93872b 100644
--- a/doc/man/kxdpgun.8in
+++ b/doc/man/kxdpgun.8in
@@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 kxdpgun \- XDP-powered DNS benchmarking tool
 .SH SYNOPSIS
 .sp
-\fBkxdpgun\fP [\fIoptions\fP] \fB\-i\fP \fIfilename\fP \fItarget_IP\fP
+\fBkxdpgun\fP [\fIoptions\fP] \fB\-i\fP \fIfilename\fP \fItarget\fP
 .SH DESCRIPTION
 .sp
 Powerful generator of DNS traffic, sending and receiving packets through XDP.
@@ -50,8 +50,8 @@ configured for the network interface.
 \fIfilename\fP
 Path to the queries file. See the description below regarding the file format.
 .TP
-\fItarget_IP\fP
-The IPv4 or IPv6 address of remote destination.
+\fItarget\fP
+Either the domain name, IPv4 or IPv6 address of a remote target.
 .UNINDENT
 .SS Options
 .INDENT 0.0
diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst
index f9a5509..d03bc77 100644
--- a/doc/man_knotc.rst
+++ b/doc/man_knotc.rst
@@ -80,8 +80,8 @@ Actions
   Stop the server if running.
 
 **reload**
-  Reload the server configuration and modified zone files. All open zone
-  transactions will be aborted!
+  Reload the server configuration and modified zone files, and reopen the log files
+  if they are configured. All open zone transactions will be aborted!
 
 **stats** [*module*\ [\ **.**\ *counter*\ ]]
   Show global statistics counter(s). To print also counters with value 0, use
@@ -142,13 +142,15 @@ Actions
   together with keys (or keys without the KASP database), zone's catalog,
   and the server QUIC key and certificate, respectively, are backed up,
   or omitted from the backup. By default, filters **+zonefile**, **+timers**,
-  **+kaspdb**, **+nokeysonly**, **+catalog**, **+quic**, and **+nojournal**
+  **+kaspdb**, **+catalog**, **+quic**, **+nojournal**, and **+nokeysonly**
   are set for backup. The same defaults are set for restore, with the only
-  difference being **+noquic**. Setting a filter for an item doesn't change
-  default settings for other items. If zone flushing is disabled, the original
-  zone file is backed up instead of writing out zone contents to a file.
-  When backing-up a catalog zone, it is recommended to prevent ongoing changes
-  to it by use of **zone-freeze**.
+  difference being **+noquic**. Setting a filter for an item doesn't change the
+  default settings for other items. The only exception is **+keysonly**, which
+  disables all other filters by default, but they can still be turned on
+  explicitly. If zone flushing is disabled, the original zone file is backed
+  up instead of writing out zone contents to a file. When backing-up a catalog
+  zone, it is recommended to prevent ongoing changes to it by use of
+  **zone-freeze**.
   See :ref:`Notes<notes>` below about the directory permissions. (#)
 
 **zone-restore** [*zone*...] **+backupdir** *directory* [*filter*...]
@@ -248,8 +250,8 @@ Actions
   database from purging before the import itself.
   Also ensure the server is not using the configuration database at the same time! (*)
 
-**conf-export** [*filename*]
-  Export the configuration database into a config file or stdout. (*)
+**conf-export** [*filename*] [+schema]
+  Export the configuration database (or JSON schema) into a file or stdout. (*)
 
 **conf-list** [*item*]
   List the configuration database sections or section items.
diff --git a/doc/man_kxdpgun.rst b/doc/man_kxdpgun.rst
index 4664a1e..28713ba 100644
--- a/doc/man_kxdpgun.rst
+++ b/doc/man_kxdpgun.rst
@@ -6,7 +6,7 @@
 Synopsis
 --------
 
-:program:`kxdpgun` [*options*] **-i** *filename* *target_IP*
+:program:`kxdpgun` [*options*] **-i** *filename* *target*
 
 Description
 -----------
@@ -27,8 +27,8 @@ Parameters
 *filename*
   Path to the queries file. See the description below regarding the file format.
 
-*target_IP*
-  The IPv4 or IPv6 address of remote destination.
+*target*
+  Either the domain name, IPv4 or IPv6 address of a remote target.
 
 Options
 .......
diff --git a/doc/operation.rst b/doc/operation.rst
index 43e13ff..5754147 100644
--- a/doc/operation.rst
+++ b/doc/operation.rst
@@ -831,6 +831,7 @@ For the ZSK side (i.e. the operator of the DNS server), the zone has to be confi
   - Enabled :ref:`policy_offline-ksk`
   - Explicit :ref:`policy_dnskey-ttl`
   - Explicit :ref:`policy_zone-max-ttl`
+  - Recommended :ref:`policy_keytag-modulo` setting to ``0/2`` to prevent keytag conflicts
   - Other options are optional
 - KASP DB may contain a ZSK (the present or some previous one(s))
 
@@ -841,6 +842,7 @@ For the KSK side (i.e. the operator of the KSK signer), the zone has to be confi
   - Enabled :ref:`policy_manual`
   - Enabled :ref:`policy_offline-ksk`
   - Explicit :ref:`policy_rrsig-refresh`
+  - Recommended :ref:`policy_keytag-modulo` setting to ``1/2`` to prevent keytag conflicts
   - Optional :ref:`policy_rrsig-lifetime`, :ref:`policy_rrsig-pre-refresh`,
     :ref:`policy_algorithm`, :ref:`policy_reproducible-signing`,
     and :ref:`policy_cds-cdnskey-publish`
@@ -957,7 +959,6 @@ within an organization. For multi-signer operations involving multiple
 "DNSSEC providers" and the ability to switch between them, you can also refer to
 `MUSIC <https://github.com/DNSSEC-Provisioning/music>`_.
 
-
 Regardless of the chosen mode from the following options, any secondary that has multiple signers
 configured as primaries must prevent interchanged IXFR from them. This can be achieved
 either by setting :ref:`master pinning <zone_master-pin-tolerance>` on every secondary or
@@ -965,6 +966,11 @@ by setting distinct :ref:`zone_serial-modulo` on each signer. It is recommended
 both approaches. Alternatively, if any of the secondaries is not Knot DNS,
 :ref:`zone_provide-ixfr` can be disabled on the signers.
 
+In order to prevent keytag conflicts, it is recommended that the keytags of keys
+generated by each signer are from distinct subset of possible values. With Knot DNS, this
+can be achieved using :ref:`policy_keytag-modulo` option (e.g. for three signers, setting
+``0/3`` on the first one, ``1/3`` on the second, and ``2/3`` on the third of them).
+
 Sharing private keys, manual policy
 -----------------------------------
 
@@ -1170,6 +1176,21 @@ If you want to refresh the secondary zones, you can do this with::
 
     $ knotc zone-refresh
 
+.. _Logging:
+
+Logging
+=======
+
+Knot DNS supports :ref:`logging<log section>` to ``syslog`` or ``systemd-journald``
+facility, to a specified file, to standard output, or to standard error output.
+Several different logging targets may be used in parallel.
+
+If ``syslog`` or ``systemd-journald`` is used for logging, log rotation is handled
+by that logging facility. When logging to a specified file, log rotation should
+be done by moving the current log file followed by reopening of the log file with
+either ``knotc -b reload`` or by sending ``SIGHUP`` to the ``knotd`` process (see the
+:ref:`server_pidfile`).
+
 .. _Data and metadata backup:
 
 Data and metadata backup
diff --git a/doc/reference.rst b/doc/reference.rst
index 45574dc..bbd4586 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -202,7 +202,7 @@ General options related to the server.
      quic-idle-close-timeout: TIME
      remote-pool-limit: INT
      remote-pool-timeout: TIME
-     remote-retry-delay: TIME
+     remote-retry-delay: INT
      socket-affinity: BOOL
      udp-max-payload: SIZE
      udp-max-payload-ipv4: SIZE
@@ -875,7 +875,7 @@ tcp-resend-timeout
 ------------------
 
 Resend outgoing data packets (with DNS response payload) if not ACKed
-before this timeout.
+before this timeout (in seconds).
 
 *Minimum:* ``1``
 
@@ -923,6 +923,7 @@ Configuration of the server control interface.
 
  control:
      listen: STR
+     backlog: INT
      timeout: TIME
 
 .. _control_listen:
@@ -933,8 +934,21 @@ listen
 A UNIX socket :ref:`path<default_paths>` where the server listens for
 control commands.
 
+Change of this parameter requires restart of the Knot server to take effect.
+
 *Default:* :ref:`rundir<server_rundir>`\ ``/knot.sock``
 
+.. _control_backlog:
+
+backlog
+-------
+
+The control UNIX socket listen backlog size.
+
+Change of this parameter requires restart of the Knot server to take effect.
+
+*Default:* ``5``
+
 .. _control_timeout:
 
 timeout
@@ -1553,8 +1567,9 @@ An ordered list of :ref:`references<remote_id>` to remote server definitions.
 ===============
 
 Access control list rule definitions. An ACL rule is a description of one
-or more authorized operations (zone transfer request, zone change notification,
-and dynamic DNS update) which are allowed to be processed or denied.
+or more authorized actions (zone transfer request, zone change notification,
+and dynamic DNS update) which are allowed to be processed or denied. Normal
+DNS queries are always allowed.
 
 ::
 
@@ -1637,7 +1652,7 @@ TSIG key if configured must match.
 action
 ------
 
-An ordered list of allowed (or denied) actions.
+An ordered list of allowed, or denied, actions (request types).
 
 Possible values:
 
@@ -1769,8 +1784,8 @@ rollover must be pushed forward manually.
 check-interval
 --------------
 
-Interval for periodic checks of DS presence on parent's DNS servers, in the
-case of the KSK submission.
+Interval (in seconds) for periodic checks of DS presence on parent's DNS
+servers, in the case of the KSK submission.
 
 *Default:* ``1h`` (1 hour)
 
@@ -1790,9 +1805,9 @@ Set to 0 for infinity.
 parent-delay
 ------------
 
-After successful parent DS check, wait for this period before continuing the next
-key roll-over step. This delay shall cover the propagation delay of update in the
-parent zone.
+After successful parent DS check, wait for this period (in seconds) before
+continuing the next key roll-over step. This delay shall cover the propagation
+delay of update in the parent zone.
 
 *Default:* ``0``
 
@@ -1801,7 +1816,7 @@ parent zone.
 ``dnskey-sync`` section
 =======================
 
-Parameters of DNSKEY dynamic-update synchrnization.
+Parameters of DNSKEY dynamic-update synchronization.
 
 ::
 
@@ -1834,7 +1849,7 @@ check-interval
 --------------
 
 If the last DNSKEY sync failed or resulted in any change, re-check
-the consistence after this interval and re-try if needed.
+the consistence after this interval (in seconds) and re-try if needed.
 
 *Default:* ``60`` (1 minute)
 
@@ -1858,6 +1873,7 @@ DNSSEC policy configuration.
      ksk-shared: BOOL
      dnskey-ttl: TIME
      zone-max-ttl: TIME
+     keytag-modulo: INT/INT
      ksk-lifetime: TIME
      zsk-lifetime: TIME
      delete-delay: TIME
@@ -2011,12 +2027,29 @@ Declare (override) maximal TTL value among all the records in zone.
 
 *Default:* computed after zone is loaded
 
+.. _policy_keytag-modulo:
+
+keytag-modulo
+-------------
+
+Specifies that the keytags of any generated keys shall be congruent by specified modulo.
+The option value must be a string in the format ``R/M``, where ``R < M <= 256`` are
+positive integers. Whenever a DNSSEC key is generated, it is ensured
+that ``keytag % M == R``. This prevents keytag conflict in :ref:`DNSSEC Offline KSK`
+or :ref:`DNSSEC multi-signer` (and possibly other) setups.
+
+.. NOTE::
+   This only applies to newly generated keys when they are generated. Keys from
+   before this option and keys imported from elsewhere might not fulfill the policy.
+
+*Default:* ``0/1``
+
 .. _policy_ksk-lifetime:
 
 ksk-lifetime
 ------------
 
-A period between KSK generation and the next rollover initiation.
+A period (in seconds) between KSK generation and the next rollover initiation.
 
 .. NOTE::
    KSK key lifetime is also influenced by propagation-delay, dnskey-ttl,
@@ -2026,14 +2059,14 @@ A period between KSK generation and the next rollover initiation.
 
    This applies for CSK lifetime if single-type-signing is enabled.
 
-*Default:* ``0``
+*Default:* ``0`` (infinity)
 
 .. _policy_zsk-lifetime:
 
 zsk-lifetime
 ------------
 
-A period between ZSK activation and the next rollover initiation.
+A period (in seconds) between ZSK activation and the next rollover initiation.
 
 .. NOTE::
    More exactly, this period is measured since a ZSK is activated,
@@ -2053,8 +2086,8 @@ delete-delay
 ------------
 
 Once a key (KSK or ZSK) is rolled-over and removed from the zone,
-keep it in the KASP database for at least this period before deleting it completely.
-This might be useful in some troubleshooting cases when resurrection
+keep it in the KASP database for at least this period (in seconds) before deleting
+it completely. This might be useful in some troubleshooting cases when resurrection
 is needed.
 
 *Default:* ``0``
@@ -2064,13 +2097,13 @@ is needed.
 propagation-delay
 -----------------
 
-An extra delay added for each key rollover step. This value should be high
-enough to cover propagation of data from the primary server to all
-secondary servers, as well as the duration of signing routine itself and
-possible outages in signing and propagation infrastructure. In other words,
-this delay should ensure that within this period of time after planned
-change of the key set, all public-facing secondaries will already serve
-new DNSKEY RRSet for sure.
+An extra delay added for each key rollover step. This value (in seconds)
+should be high enough to cover propagation of data from the primary server
+to all secondary servers, as well as the duration of signing routine itself
+and possible outages in signing and propagation infrastructure. In other
+words, this delay should ensure that within this period of time after
+planned change of the key set, all public-facing secondaries will already
+serve new DNSKEY RRSet for sure.
 
 .. NOTE::
    Has influence over ZSK key lifetime.
@@ -2082,7 +2115,7 @@ new DNSKEY RRSet for sure.
 rrsig-lifetime
 --------------
 
-A validity period of newly issued signatures.
+A validity period (in seconds) of newly issued signatures.
 
 .. NOTE::
    The RRSIG's signature inception time is set to 90 minutes in the past. This
@@ -2095,8 +2128,9 @@ A validity period of newly issued signatures.
 rrsig-refresh
 -------------
 
-A period how long at least before a signature expiration the signature will be refreshed,
-in order to prevent expired RRSIGs on secondary servers or resolvers' caches.
+A period (in seconds) how long at least before a signature expiration the signature
+will be refreshed, in order to prevent expired RRSIGs on secondary servers or
+resolvers' caches.
 
 *Default:* 0.1 * :ref:`policy_rrsig-lifetime` + :ref:`policy_propagation-delay` + :ref:`policy_zone-max-ttl`
 
@@ -2105,9 +2139,9 @@ in order to prevent expired RRSIGs on secondary servers or resolvers' caches.
 rrsig-pre-refresh
 -----------------
 
-A period how long at most before a signature refresh time the signature might be refreshed,
-in order to refresh RRSIGs in bigger batches on a frequently updated zone
-(avoid re-sign event too often).
+A period (in seconds) how long at most before a signature refresh time the signature
+might be refreshed, in order to refresh RRSIGs in bigger batches on a frequently updated
+zone (avoid re-sign event too often).
 
 *Default:* ``1h`` (1 hour)
 
@@ -2170,7 +2204,7 @@ name before hashing.
 nsec3-salt-lifetime
 -------------------
 
-A validity period of newly issued salt field.
+A validity period (in seconds) of newly issued salt field.
 
 Zero value means infinity.
 
@@ -2494,6 +2528,7 @@ master
 An ordered list of references :ref:`remote<remote_id>` and
 :ref:`remotes<remotes_id>` to zone primary servers
 (formerly known as master servers).
+Empty value is allowed for template value overriding.
 
 *Default:* not set
 
@@ -2520,6 +2555,7 @@ notify
 An ordered list of references :ref:`remote<remote_id>` and
 :ref:`remotes<remotes_id>` to secondary servers to which notify
 message is sent if the zone changes.
+Empty value is allowed for template value overriding.
 
 *Default:* not set
 
@@ -2541,13 +2577,13 @@ master-pin-tolerance
 If set to a nonzero value on a secondary, always request AXFR/IXFR from the same
 primary as the last time, effectively pinning one primary. Only when another
 primary is updated and the current one lags behind for the specified amount of time
-(defined by this option), change to the updated primary and force AXFR.
+(defined by this option in seconds), change to the updated primary and force AXFR.
 
 This option is useful when multiple primaries may have different zone history
 in their journals, making it unsafe to combine interchanged IXFR
 from different primaries.
 
-*Default:* 0
+*Default:* ``0`` (disabled)
 
 .. _zone_provide-ixfr:
 
@@ -2608,8 +2644,8 @@ Extra checks:
 zonefile-sync
 -------------
 
-The time after which the current zone in memory will be synced with a zone file
-on the disk (see :ref:`file<zone_file>`). The server will serve the latest
+The time in seconds after which the current zone in memory will be synced with
+a zone file on the disk (see :ref:`file<zone_file>`). The server will serve the latest
 zone even after a restart using zone journal, but the zone file on the disk will
 only be synced after ``zonefile-sync`` time has expired (or after manual zone
 flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
@@ -2707,7 +2743,7 @@ ixfr-benevolent
 If enabled, incoming IXFR is applied even when it contains removals of non-existing
 or additions of existing records.
 
-*Default:* off
+*Default:* ``off``
 
 .. _zone_ixfr-by-one:
 
@@ -2821,7 +2857,7 @@ ds-push
 -------
 
 Per zone configuration of :ref:`policy_ds-push`. This option overrides possible
-per policy option.
+per policy option. Empty value is allowed for template value overriding.
 
 *Default:* not set
 
@@ -3014,9 +3050,8 @@ has the *group* property defined, matching another catalog template.
 .. NOTE::
    This option must be set if and only if :ref:`zone_catalog-role` is *interpret*.
 
-   Nested catalog zones aren't supported. Therefore catalog templates can't use
-   :ref:`zone_catalog-template`, :ref:`zone_catalog-role`, :ref:`zone_catalog-zone`,
-   and :ref:`zone_catalog-group` options.
+   Nested catalog zones aren't supported. Therefore catalog templates can't
+   contain :ref:`zone_catalog-role` set to ``interpret`` or ``generate``.
 
 *Default:* not set