authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-12 04:45:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-12 04:45:07 +0000
commit0335817ced71e8355806ea0445aa3b105a22364c (patch)
treedffe735f2668a4728d8567feaf7ccb2d73076bac /doc
parentAdding upstream version 3.3.9. (diff)
Adding upstream version 3.4.0.upstream/3.4.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.am109
-rw-r--r--doc/Makefile.in275
-rw-r--r--doc/appendices.rst21
-rw-r--r--doc/conf.py5
-rw-r--r--doc/configuration.rst75
-rw-r--r--doc/installation.rst5
-rw-r--r--doc/introduction.rst4
-rw-r--r--doc/man/kcatalogprint.8 (renamed from doc/man/kcatalogprint.8in)9
-rw-r--r--doc/man/kdig.1 (renamed from doc/man/kdig.1in)19
-rw-r--r--doc/man/keymgr.8 (renamed from doc/man/keymgr.8in)21
-rw-r--r--doc/man/khost.1 (renamed from doc/man/khost.1in)9
-rw-r--r--doc/man/kjournalprint.8 (renamed from doc/man/kjournalprint.8in)14
-rw-r--r--doc/man/knot.conf.5 (renamed from doc/man/knot.conf.5in)120
-rw-r--r--doc/man/knotc.8 (renamed from doc/man/knotc.8in)25
-rw-r--r--doc/man/knotd.8 (renamed from doc/man/knotd.8in)13
-rw-r--r--doc/man/knsec3hash.1 (renamed from doc/man/knsec3hash.1in)24
-rw-r--r--doc/man/knsupdate.1 (renamed from doc/man/knsupdate.1in)78
-rw-r--r--doc/man/kxdpgun.8 (renamed from doc/man/kxdpgun.8in)31
-rw-r--r--doc/man/kzonecheck.1 (renamed from doc/man/kzonecheck.1in)7
-rw-r--r--doc/man/kzonesign.1 (renamed from doc/man/kzonesign.1in)11
-rw-r--r--doc/man_kcatalogprint.rst3
-rw-r--r--doc/man_kdig.rst9
-rw-r--r--doc/man_keymgr.rst3
-rw-r--r--doc/man_khost.rst3
-rw-r--r--doc/man_kjournalprint.rst6
-rw-r--r--doc/man_knotc.rst15
-rw-r--r--doc/man_knotd.rst3
-rw-r--r--doc/man_knsec3hash.rst12
-rw-r--r--doc/man_knsupdate.rst74
-rw-r--r--doc/man_kxdpgun.rst25
-rw-r--r--doc/man_kzonecheck.rst3
-rw-r--r--doc/man_kzonesign.rst3
-rw-r--r--doc/migration.rst90
-rw-r--r--doc/operation.rst34
-rw-r--r--doc/reference.rst114
-rw-r--r--doc/requirements.rst8
36 files changed, 778 insertions, 502 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b26e298..71d561c 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1,18 +1,3 @@
-MANPAGES_IN = \
- man/knot.conf.5in \
- man/knotc.8in \
- man/knotd.8in \
- man/kcatalogprint.8in \
- man/keymgr.8in \
- man/kjournalprint.8in \
- man/kdig.1in \
- man/khost.1in \
- man/knsupdate.1in \
- man/knsec3hash.1in \
- man/kzonecheck.1in \
- man/kzonesign.1in \
- man/kxdpgun.8in
-
MANPAGES_RST = \
reference.rst \
man_knotc.rst \
@@ -44,7 +29,6 @@ EXTRA_DIST = \
troubleshooting.rst \
utilities.rst \
\
- $(MANPAGES_IN) \
$(MANPAGES_RST) \
\
logo.pdf \
@@ -66,27 +50,26 @@ SPHINXBUILDDIR = $(builddir)/_build
_SPHINXOPTS = -c $(srcdir) \
-a \
- $(SPHINX_V)
-
-ALLSPHINXOPTS = $(_SPHINXOPTS) \
+ $(SPHINX_V) \
-D version="$(VERSION)" \
-D today="$(RELEASE_DATE)" \
- -D release="$(VERSION)" \
+ -D release="$(VERSION)"
+
+ALLSPHINXOPTS = $(_SPHINXOPTS) \
$(SPHINXOPTS) \
$(srcdir)
man_SPHINXOPTS = $(_SPHINXOPTS) \
- -D version="@""VERSION@" \
- -D today="@""RELEASE_DATE@" \
- -D release="@""VERSION@" \
-D extensions="ignore_panels" \
$(SPHINXOPTS) \
$(srcdir)
-.PHONY: html-local singlehtml pdf-local info-local epub man install-html-local install-singlehtml install-pdf-local install-info-local install-epub
+.PHONY: html-local singlehtml pdf-local epub man install-html-local install-singlehtml install-pdf-local install-epub
man_MANS =
+if HAVE_DOCS
+
if HAVE_DAEMON
man_MANS += \
man/knot.conf.5 \
@@ -115,43 +98,8 @@ man_MANS += man/kxdpgun.8
endif # ENABLE_XDP
endif # HAVE_UTILS
-man/knot.conf.5: man/knot.conf.5in
-man/knotc.8: man/knotc.8in
-man/knotd.8: man/knotd.8in
-man/kcatalogprint.8: man/kcatalogprint.8in
-man/keymgr.8: man/keymgr.8in
-man/kjournalprint.8: man/kjournalprint.8in
-man/kdig.1: man/kdig.1in
-man/khost.1: man/khost.1in
-man/knsupdate.1: man/knsupdate.1in
-man/knsec3hash.1: man/knsec3hash.1in
-man/kzonecheck.1: man/kzonecheck.1in
-man/kzonesign.1: man/kzonesign.1in
-man/kxdpgun.8: man/kxdpgun.8in
-
-man_SUBST = $(AM_V_GEN)mkdir -p man; \
- sed -e 's,[@]VERSION@,$(VERSION),' \
- -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' \
- -e 's,[@]config_dir@,$(config_dir),' \
- -e 's,[@]storage_dir@,$(storage_dir),' \
- -e 's,[@]run_dir@,$(run_dir),' \
- -e 's,[@]conf_mapsize@,$(conf_mapsize),' \
- $< > $@
-
-.1in.1:
- $(man_SUBST)
-
-.5in.5:
- $(man_SUBST)
-
-.8in.8:
- $(man_SUBST)
-
-if HAVE_DOCS
-
-if HAVE_SPHINXBUILD
html-local:
- $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees/html $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html
@echo "The HTML documentation has been built in $(SPHINXBUILDDIR)/html/"
install-html-local:
@@ -161,7 +109,7 @@ install-html-local:
$(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/
singlehtml:
- $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees/singlehtml $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml
@echo "The single HTML documentation has been built in $(SPHINXBUILDDIR)/singlehtml/"
install-singlehtml: singlehtml
@@ -170,7 +118,7 @@ install-singlehtml: singlehtml
$(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/
epub:
- $(AM_V_SPHINX)$(SPHINXBUILD) -b epub -A today=$(RELEASE_DATE) -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/epub
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b epub -A today=$(RELEASE_DATE) -d $(SPHINXBUILDDIR)/doctrees/epub $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/epub
@echo "The EPUB documentation has been built in $(SPHINXBUILDDIR)/epub/"
install-epub:
@@ -179,7 +127,7 @@ install-epub:
if HAVE_PDFLATEX
pdf-local:
- $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees/latex $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex
$(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf
@echo "The PDF documentation has been built in $(SPHINXBUILDDIR)/latex/"
@@ -192,37 +140,26 @@ pdf-local install-pdf-local:
@echo "Install 'pdflatex' and re-run configure to be able to generate PDF documentation!"
endif # HAVE_PDFLATEX
-if HAVE_MAKEINFO
-info-local:
- $(AM_V_SPHINX)$(SPHINXBUILD) -b texinfo -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/texinfo
- $(MAKE) -C $(SPHINXBUILDDIR)/texinfo info
- @echo "The Info pages have been built in $(SPHINXBUILDDIR)/texinfo/"
-
-install-info-local:
- $(INSTALL) -d $(DESTDIR)/$(infodir)
- $(INSTALL_DATA) $(SPHINXBUILDDIR)/texinfo/knot.info $(DESTDIR)/$(infodir)/
-
-else
-info-local install-info-local:
- @echo "Install 'texinfo' and re-run configure to be able to generate Info pages!"
-endif # HAVE_MAKEINFO
-
-.NOTPARALLEL: man
man: $(man_MANS)
-$(MANPAGES_IN): $(MANPAGES_RST)
- $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
- @mkdir -p $(srcdir)/man
+$(man_MANS)&: $(MANPAGES_RST)
+ $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees/man $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
+ @mkdir -p man
@for f in $(SPHINXBUILDDIR)/man/*; do \
- sed -e '/^\.TP$$/ {' -e 'n' -e 's/^\.B //' -e '}' "$$f" > "$(srcdir)/man/$$(basename $$f)in"; \
+ sed -e 's,[@]config_dir@,$(config_dir),' \
+ -e 's,[@]storage_dir@,$(storage_dir),' \
+ -e 's,[@]run_dir@,$(run_dir),' \
+ -e 's,[@]conf_mapsize@,$(conf_mapsize),' "$$f" > "man/$$(basename $$f)"; \
done
else
-html-local singlehtml pdf-local info-local epub man install-html-local install-singlehtml install-pdf-local install-info-local install-epub:
+html-local singlehtml pdf-local epub man install-html-local install-singlehtml install-pdf-local install-epub:
@echo "Install 'sphinx-build' and re-run configure to be able to generate documentation!"
-endif # HAVE_SPHINXBUILD
endif # HAVE_DOCS
+EXTRA_DIST += \
+ $(man_MANS)
+
clean-local:
-rm -rf $(SPHINXBUILDDIR)
- -rm -f man/*.1 man/*.5 man/*.8
+ -rm -rf man
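Review bot: `$(man_MANS)&: $(MANPAGES_RST)` is a grouped target, which requires GNU Make 4.3 or newer and, when both HAVE_DAEMON and HAVE_UTILS are unset, expands to a rule header with no target; a comment such as `# grouped target (GNU make >= 4.3): one sphinx run writes every page` above the rule would record the requirement, and the empty case probably needs a guard. Because the generated pages are now distributed via `EXTRA_DIST += $(man_MANS)`, a tarball build whose `man/*` files are newer than the `.rst` sources skips this recipe, so the `@config_dir@`/`@storage_dir@`/`@run_dir@`/`@conf_mapsize@` substitution that the removed `man_SUBST` rule applied on every build no longer reflects the configured prefix — `doc/man/kcatalogprint.8` in this commit already carries `/usr/local/etc/knot/knot.conf` as its default. Keeping the unsubstituted sphinx output as the distributed intermediate and running the `sed` step as its own rule would restore build-time substitution. `-rm -rf man` in `clean-local` also removes those distributed files on an in-tree build; `maintainer-clean-local` is the conventional place for generated-but-distributed outputs.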
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 5642629..a7bacd9 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -87,25 +87,25 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-@HAVE_DAEMON_TRUE@am__append_1 = \
-@HAVE_DAEMON_TRUE@ man/knot.conf.5 \
-@HAVE_DAEMON_TRUE@ man/knotc.8 \
-@HAVE_DAEMON_TRUE@ man/knotd.8
-
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_2 = \
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kcatalogprint.8 \
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/keymgr.8 \
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kjournalprint.8 \
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kzonecheck.1 \
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@ man/kzonesign.1
-
-@HAVE_UTILS_TRUE@am__append_3 = \
-@HAVE_UTILS_TRUE@ man/kdig.1 \
-@HAVE_UTILS_TRUE@ man/khost.1 \
-@HAVE_UTILS_TRUE@ man/knsupdate.1 \
-@HAVE_UTILS_TRUE@ man/knsec3hash.1
-
-@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_4 = man/kxdpgun.8
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@am__append_1 = \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@ man/knot.conf.5 \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@ man/knotc.8 \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@ man/knotd.8
+
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@am__append_2 = \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/kcatalogprint.8 \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/keymgr.8 \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/kjournalprint.8 \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/kzonecheck.1 \
+@HAVE_DAEMON_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/kzonesign.1
+
+@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@am__append_3 = \
+@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/kdig.1 \
+@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/khost.1 \
+@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/knsupdate.1 \
+@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@ man/knsec3hash.1
+
+@ENABLE_XDP_TRUE@@HAVE_DOCS_TRUE@@HAVE_UTILS_TRUE@am__append_4 = man/kxdpgun.8
subdir = doc
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
@@ -312,6 +312,8 @@ infodir = @infodir@
install_sh = @install_sh@
libbpf_CFLAGS = @libbpf_CFLAGS@
libbpf_LIBS = @libbpf_LIBS@
+libdbus_CFLAGS = @libdbus_CFLAGS@
+libdbus_LIBS = @libdbus_LIBS@
libdir = @libdir@
libdnssec_SONAME = @libdnssec_SONAME@
libdnssec_SOVERSION = @libdnssec_SOVERSION@
@@ -323,8 +325,6 @@ libfstrm_CFLAGS = @libfstrm_CFLAGS@
libfstrm_LIBS = @libfstrm_LIBS@
libidn2_CFLAGS = @libidn2_CFLAGS@
libidn2_LIBS = @libidn2_LIBS@
-libidn_CFLAGS = @libidn_CFLAGS@
-libidn_LIBS = @libidn_LIBS@
libknot_SONAME = @libknot_SONAME@
libknot_SOVERSION = @libknot_SOVERSION@
libknot_VERSION_INFO = @libknot_VERSION_INFO@
@@ -342,7 +342,6 @@ libprotobuf_c_CFLAGS = @libprotobuf_c_CFLAGS@
libprotobuf_c_LIBS = @libprotobuf_c_LIBS@
liburcu_CFLAGS = @liburcu_CFLAGS@
liburcu_LIBS = @liburcu_LIBS@
-liburcu_PKGCONFIG = @liburcu_PKGCONFIG@
libxdp_CFLAGS = @libxdp_CFLAGS@
libxdp_LIBS = @libxdp_LIBS@
libzscanner_SONAME = @libzscanner_SONAME@
@@ -378,21 +377,6 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-MANPAGES_IN = \
- man/knot.conf.5in \
- man/knotc.8in \
- man/knotd.8in \
- man/kcatalogprint.8in \
- man/keymgr.8in \
- man/kjournalprint.8in \
- man/kdig.1in \
- man/khost.1in \
- man/knsupdate.1in \
- man/knsec3hash.1in \
- man/kzonecheck.1in \
- man/kzonesign.1in \
- man/kxdpgun.8in
-
MANPAGES_RST = \
reference.rst \
man_knotc.rst \
@@ -408,31 +392,11 @@ MANPAGES_RST = \
man_kzonesign.rst \
man_kxdpgun.rst
-EXTRA_DIST = \
- conf.py \
- \
- appendices.rst \
- configuration.rst \
- index.rst \
- installation.rst \
- introduction.rst \
- migration.rst \
- modules.rst.in \
- operation.rst \
- reference.rst \
- requirements.rst \
- troubleshooting.rst \
- utilities.rst \
- \
- $(MANPAGES_IN) \
- $(MANPAGES_RST) \
- \
- logo.pdf \
- logo.svg \
- \
- ext/ignore_panels.py \
- theme_html
-
+EXTRA_DIST = conf.py appendices.rst configuration.rst index.rst \
+ installation.rst introduction.rst migration.rst modules.rst.in \
+ operation.rst reference.rst requirements.rst \
+ troubleshooting.rst utilities.rst $(MANPAGES_RST) logo.pdf \
+ logo.svg ext/ignore_panels.py theme_html $(man_MANS)
SPHINX_V = $(SPHINX_V_@AM_V@)
SPHINX_V_ = $(SPHINX_V_@AM_DEFAULT_V@)
SPHINX_V_0 = -q
@@ -443,38 +407,25 @@ AM_V_SPHINX_0 = @echo " SPHINX $@";
SPHINXBUILDDIR = $(builddir)/_build
_SPHINXOPTS = -c $(srcdir) \
-a \
- $(SPHINX_V)
-
-ALLSPHINXOPTS = $(_SPHINXOPTS) \
+ $(SPHINX_V) \
-D version="$(VERSION)" \
-D today="$(RELEASE_DATE)" \
- -D release="$(VERSION)" \
+ -D release="$(VERSION)"
+
+ALLSPHINXOPTS = $(_SPHINXOPTS) \
$(SPHINXOPTS) \
$(srcdir)
man_SPHINXOPTS = $(_SPHINXOPTS) \
- -D version="@""VERSION@" \
- -D today="@""RELEASE_DATE@" \
- -D release="@""VERSION@" \
-D extensions="ignore_panels" \
$(SPHINXOPTS) \
$(srcdir)
man_MANS = $(am__append_1) $(am__append_2) $(am__append_3) \
$(am__append_4)
-man_SUBST = $(AM_V_GEN)mkdir -p man; \
- sed -e 's,[@]VERSION@,$(VERSION),' \
- -e 's,[@]RELEASE_DATE@,$(RELEASE_DATE),' \
- -e 's,[@]config_dir@,$(config_dir),' \
- -e 's,[@]storage_dir@,$(storage_dir),' \
- -e 's,[@]run_dir@,$(run_dir),' \
- -e 's,[@]conf_mapsize@,$(conf_mapsize),' \
- $< > $@
-
all: all-am
.SUFFIXES:
-.SUFFIXES: .1 .1in .5 .5in .8 .8in
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@@ -718,21 +669,11 @@ maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
@HAVE_DOCS_FALSE@html-local:
-@HAVE_SPHINXBUILD_FALSE@html-local:
-@HAVE_DOCS_FALSE@info-local:
-@HAVE_MAKEINFO_FALSE@info-local:
-@HAVE_SPHINXBUILD_FALSE@info-local:
@HAVE_DOCS_FALSE@install-html-local:
-@HAVE_SPHINXBUILD_FALSE@install-html-local:
-@HAVE_DOCS_FALSE@install-info-local:
-@HAVE_MAKEINFO_FALSE@install-info-local:
-@HAVE_SPHINXBUILD_FALSE@install-info-local:
@HAVE_DOCS_FALSE@install-pdf-local:
@HAVE_PDFLATEX_FALSE@install-pdf-local:
-@HAVE_SPHINXBUILD_FALSE@install-pdf-local:
@HAVE_DOCS_FALSE@pdf-local:
@HAVE_PDFLATEX_FALSE@pdf-local:
-@HAVE_SPHINXBUILD_FALSE@pdf-local:
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
@@ -751,7 +692,7 @@ html-am: html-local
info: info-am
-info-am: info-local
+info-am:
install-data-am: install-man
@@ -767,7 +708,7 @@ install-html-am: install-html-local
install-info: install-info-am
-install-info-am: install-info-local
+install-info-am:
install-man: install-man1 install-man5 install-man8
@@ -806,11 +747,10 @@ uninstall-man: uninstall-man1 uninstall-man5 uninstall-man8
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
clean-local cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am html-local \
- info info-am info-local install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am \
- install-html-local install-info install-info-am \
- install-info-local install-man install-man1 install-man5 \
+ info info-am install install-am install-data install-data-am \
+ install-dvi install-dvi-am install-exec install-exec-am \
+ install-html install-html-am install-html-local install-info \
+ install-info-am install-man install-man1 install-man5 \
install-man8 install-pdf install-pdf-am install-pdf-local \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
@@ -822,97 +762,64 @@ uninstall-man: uninstall-man1 uninstall-man5 uninstall-man8
.PRECIOUS: Makefile
-.PHONY: html-local singlehtml pdf-local info-local epub man install-html-local install-singlehtml install-pdf-local install-info-local install-epub
-
-man/knot.conf.5: man/knot.conf.5in
-man/knotc.8: man/knotc.8in
-man/knotd.8: man/knotd.8in
-man/kcatalogprint.8: man/kcatalogprint.8in
-man/keymgr.8: man/keymgr.8in
-man/kjournalprint.8: man/kjournalprint.8in
-man/kdig.1: man/kdig.1in
-man/khost.1: man/khost.1in
-man/knsupdate.1: man/knsupdate.1in
-man/knsec3hash.1: man/knsec3hash.1in
-man/kzonecheck.1: man/kzonecheck.1in
-man/kzonesign.1: man/kzonesign.1in
-man/kxdpgun.8: man/kxdpgun.8in
-
-.1in.1:
- $(man_SUBST)
-
-.5in.5:
- $(man_SUBST)
-
-.8in.8:
- $(man_SUBST)
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@html-local:
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @echo "The HTML documentation has been built in $(SPHINXBUILDDIR)/html/"
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-html-local:
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static $(DESTDIR)/$(docdir)/_sources
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -D $(SPHINXBUILDDIR)/html/*.html $(DESTDIR)/$(docdir)/
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_sources/* $(DESTDIR)/$(docdir)/_sources/
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@singlehtml:
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @echo "The single HTML documentation has been built in $(SPHINXBUILDDIR)/singlehtml/"
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-singlehtml: singlehtml
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/*.html $(DESTDIR)/$(docdir)/
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@epub:
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b epub -A today=$(RELEASE_DATE) -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/epub
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @echo "The EPUB documentation has been built in $(SPHINXBUILDDIR)/epub/"
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@install-epub:
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir)
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/epub/KnotDNS.epub $(DESTDIR)/$(docdir)/
-
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@pdf-local:
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ @echo "The PDF documentation has been built in $(SPHINXBUILDDIR)/latex/"
-
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@install-pdf-local:
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir)
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/latex/KnotDNS.pdf $(DESTDIR)/$(docdir)/
-
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@pdf-local install-pdf-local:
-@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@@HAVE_SPHINXBUILD_TRUE@ @echo "Install 'pdflatex' and re-run configure to be able to generate PDF documentation!"
-
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@info-local:
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b texinfo -d $(SPHINXBUILDDIR)/doctrees $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/texinfo
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/texinfo info
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ @echo "The Info pages have been built in $(SPHINXBUILDDIR)/texinfo/"
-
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@install-info-local:
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL) -d $(DESTDIR)/$(infodir)
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/texinfo/knot.info $(DESTDIR)/$(infodir)/
-
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@info-local install-info-local:
-@HAVE_DOCS_TRUE@@HAVE_MAKEINFO_FALSE@@HAVE_SPHINXBUILD_TRUE@ @echo "Install 'texinfo' and re-run configure to be able to generate Info pages!"
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@.NOTPARALLEL: man
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@man: $(man_MANS)
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@$(MANPAGES_IN): $(MANPAGES_RST)
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @mkdir -p $(srcdir)/man
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ @for f in $(SPHINXBUILDDIR)/man/*; do \
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ sed -e '/^\.TP$$/ {' -e 'n' -e 's/^\.B //' -e '}' "$$f" > "$(srcdir)/man/$$(basename $$f)in"; \
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_TRUE@ done
-
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_FALSE@html-local singlehtml pdf-local info-local epub man install-html-local install-singlehtml install-pdf-local install-info-local install-epub:
-@HAVE_DOCS_TRUE@@HAVE_SPHINXBUILD_FALSE@ @echo "Install 'sphinx-build' and re-run configure to be able to generate documentation!"
+.PHONY: html-local singlehtml pdf-local epub man install-html-local install-singlehtml install-pdf-local install-epub
+
+@HAVE_DOCS_TRUE@html-local:
+@HAVE_DOCS_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b html -d $(SPHINXBUILDDIR)/doctrees/html $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/html
+@HAVE_DOCS_TRUE@ @echo "The HTML documentation has been built in $(SPHINXBUILDDIR)/html/"
+
+@HAVE_DOCS_TRUE@install-html-local:
+@HAVE_DOCS_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static $(DESTDIR)/$(docdir)/_sources
+@HAVE_DOCS_TRUE@ $(INSTALL) -D $(SPHINXBUILDDIR)/html/*.html $(DESTDIR)/$(docdir)/
+@HAVE_DOCS_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_sources/* $(DESTDIR)/$(docdir)/_sources/
+@HAVE_DOCS_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/html/_static/* $(DESTDIR)/$(docdir)/_static/
+
+@HAVE_DOCS_TRUE@singlehtml:
+@HAVE_DOCS_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b singlehtml -d $(SPHINXBUILDDIR)/doctrees/singlehtml $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/singlehtml
+@HAVE_DOCS_TRUE@ @echo "The single HTML documentation has been built in $(SPHINXBUILDDIR)/singlehtml/"
+
+@HAVE_DOCS_TRUE@install-singlehtml: singlehtml
+@HAVE_DOCS_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir) $(DESTDIR)/$(docdir)/_static
+@HAVE_DOCS_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/*.html $(DESTDIR)/$(docdir)/
+@HAVE_DOCS_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/singlehtml/_static/* $(DESTDIR)/$(docdir)/_static/
+
+@HAVE_DOCS_TRUE@epub:
+@HAVE_DOCS_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b epub -A today=$(RELEASE_DATE) -d $(SPHINXBUILDDIR)/doctrees/epub $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/epub
+@HAVE_DOCS_TRUE@ @echo "The EPUB documentation has been built in $(SPHINXBUILDDIR)/epub/"
+
+@HAVE_DOCS_TRUE@install-epub:
+@HAVE_DOCS_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir)
+@HAVE_DOCS_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/epub/KnotDNS.epub $(DESTDIR)/$(docdir)/
+
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@pdf-local:
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b latex -d $(SPHINXBUILDDIR)/doctrees/latex $(ALLSPHINXOPTS) $(SPHINXBUILDDIR)/latex
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@ $(MAKE) -C $(SPHINXBUILDDIR)/latex all-pdf
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@ @echo "The PDF documentation has been built in $(SPHINXBUILDDIR)/latex/"
+
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@install-pdf-local:
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@ $(INSTALL) -d $(DESTDIR)/$(docdir)
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_TRUE@ $(INSTALL_DATA) $(SPHINXBUILDDIR)/latex/KnotDNS.pdf $(DESTDIR)/$(docdir)/
+
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@pdf-local install-pdf-local:
+@HAVE_DOCS_TRUE@@HAVE_PDFLATEX_FALSE@ @echo "Install 'pdflatex' and re-run configure to be able to generate PDF documentation!"
+
+@HAVE_DOCS_TRUE@man: $(man_MANS)
+@HAVE_DOCS_TRUE@$(man_MANS)&: $(MANPAGES_RST)
+@HAVE_DOCS_TRUE@ $(AM_V_SPHINX)$(SPHINXBUILD) -b man -d $(SPHINXBUILDDIR)/doctrees/man $(man_SPHINXOPTS) $(SPHINXBUILDDIR)/man
+@HAVE_DOCS_TRUE@ @mkdir -p man
+@HAVE_DOCS_TRUE@ @for f in $(SPHINXBUILDDIR)/man/*; do \
+@HAVE_DOCS_TRUE@ sed -e 's,[@]config_dir@,$(config_dir),' \
+@HAVE_DOCS_TRUE@ -e 's,[@]storage_dir@,$(storage_dir),' \
+@HAVE_DOCS_TRUE@ -e 's,[@]run_dir@,$(run_dir),' \
+@HAVE_DOCS_TRUE@ -e 's,[@]conf_mapsize@,$(conf_mapsize),' "$$f" > "man/$$(basename $$f)"; \
+@HAVE_DOCS_TRUE@ done
+
+@HAVE_DOCS_FALSE@html-local singlehtml pdf-local epub man install-html-local install-singlehtml install-pdf-local install-epub:
+@HAVE_DOCS_FALSE@ @echo "Install 'sphinx-build' and re-run configure to be able to generate documentation!"
clean-local:
-rm -rf $(SPHINXBUILDDIR)
- -rm -f man/*.1 man/*.5 man/*.8
+ -rm -rf man
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/doc/appendices.rst b/doc/appendices.rst
index 309bb20..1012623 100644
--- a/doc/appendices.rst
+++ b/doc/appendices.rst
@@ -103,24 +103,3 @@ support.
A command similar to the following may be used to verify what algorithms are supported:
``$ pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M``.
.. [#fn-utimaco] Requires setting the number of background workers to 1!
-
-The following table summarizes supported DNSSEC algorithm numbers and minimal
-GnuTLS library version required. Any algorithm may work with older library,
-however the supported operations may be limited (e.g. private key import).
-
-.. list-table::
- :header-rows: 1
- :stub-columns: 1
-
- * -
- - `Numbers <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`_
- - GnuTLS version
- * - ED25519
- - 15
- - 3.6.0 or newer
- * - ECDSA
- - 13, 14
- - 3.4.8 or newer
- * - RSA
- - 5, 7, 8, 10
- - 3.4.6 or newer
diff --git a/doc/conf.py b/doc/conf.py
index ec821d6..4b1c8e9 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -248,10 +248,7 @@ man_pages = [
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
-texinfo_documents = [
- ('index', 'knot', 'Knot DNS Documentation', author,
- 'KnotDNS', 'Knot Authoritative DNS Server', 'Miscellaneous')
-]
+#texinfo_documents = []
# Documents to append as an appendix to all manuals.
#texinfo_appendices = []
diff --git a/doc/configuration.rst b/doc/configuration.rst
index a29521b..982031b 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -377,6 +377,19 @@ which must be used for the transaction security::
- domain: example.net.
acl: owner_rule3_net
+.. _Handling CNAME and DNAME-related updates:
+
+Handling CNAME and DNAME-related updates
+----------------------------------------
+
+In general, no RR must exist beside a CNAME or below a DNAME. Whenever
+such a CNAME or DNAME-related semantic rule is vialoated by an RR addition
+in DDNS (this means addition of a CNAME beside an existing record, addition of
+another record beside a CNAME, addition of a DNAME above an existing record,
+addition of another record below a DNAME), such an RR addition is silently ignored.
+However, other RRs from the same DDNS update are processed normally. This is slightly
+non-compliant with RFC 6672 (in particular, no RR occlusion takes place).
+
.. _dnssec:
Automatic DNSSEC signing
@@ -826,7 +839,7 @@ of the used certificate:
.. code-block:: console
... info: binding to QUIC interface ::1@853
- ... info: QUIC, certificate public key 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw=
+ ... info: QUIC/TLS, certificate public key 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw=
.. TIP::
@@ -861,10 +874,10 @@ Using :doc:`kdig<man_kdig>` we can verify that the server responds over QUIC:
;; version.server. CH TXT
;; ANSWER SECTION:
- version.server. 0 CH TXT "Knot DNS 3.3.0"
+ version.server. 0 CH TXT "Knot DNS 3.4.0"
;; Received 468 B
- ;; Time 2023-08-15 15:04:36 CEST
+ ;; Time 2024-06-21 08:30:12 CEST
;; From ::1@853(QUIC) in 1.1 ms
In this case, :rfc:`opportunistic authentication<9103#section-9.3.1>` was
@@ -1074,6 +1087,62 @@ This mode is recommended if possible.
Knot DNS uses certificate public key pinning. This approach has much lower
overhead and in most cases simplifies configuration and certificate management.
+.. _DNS_over_TLS:
+
+DNS over TLS
+============
+
+TLS is an encrypted internet transport protocol.
+Knot DNS supports DNS over TLS (DoT) (:rfc:`7858`), including zone transfers (XoT).
+By default, the TCP port `853` is used for DNS over TLS.
+
+There are the same requirements for TLS key and certificate as for :ref:`DNS_over_QUIC`.
+
+In order to listen for incoming requests over TLS, :ref:`interface<server_listen-tls>`
+must be configured.
+
+An example of configuration of listening for DNS over TLS on the loopback interface:
+
+.. code-block:: console
+
+ server:
+ listen-tls: ::1
+
+When the server is started, it logs some interface details and public key pin
+of the used certificate:
+
+.. code-block:: console
+
+ ... info: binding to TLS interface ::1@853
+ ... info: QUIC/TLS, certificate public key 0xtdayWpnJh4Py8goi8cei/gXGD4kJQ+HEqcxS++DBw=
+
+Using :doc:`kdig<man_kdig>` we can verify that the server responds over TLS:
+
+.. code-block:: console
+
+ $ kdig @::1 ch txt version.server +tls
+ ;; TLS session (TLS1.3)-(ECDHE-X25519)-(EdDSA-Ed25519)-(AES-256-GCM)
+ ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
+ ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
+
+ ;; EDNS PSEUDOSECTION:
+ ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
+ ;; PADDING: 370 B
+
+ ;; QUESTION SECTION:
+ ;; version.server. CH TXT
+
+ ;; ANSWER SECTION:
+ version.server. 0 CH TXT "Knot DNS 3.4.0"
+
+ ;; Received 468 B
+ ;; Time 2024-06-21 08:31:13 CEST
+ ;; From ::1@853(TLS) in 9.1 ms
+
+Zone transfer configuration and authentication profiles are almost identical
+to :ref:`DNS_over_QUIC`, with the only difference being the enabling of
+:ref:`remote_tls` for the corresponding remotes.
+
.. _query-modules:
Query modules
diff --git a/doc/installation.rst b/doc/installation.rst
index f89f439..8eebaa3 100644
--- a/doc/installation.rst
+++ b/doc/installation.rst
@@ -34,10 +34,7 @@ The build process relies on these standard tools:
* autoconf >= 2.65
* python-sphinx (optional, for documentation building)
-GCC >= 4.1 is mandatory for atomic built-ins, but the latest
-available version is recommended. Another requirement is ``_GNU_SOURCE``
-and C99 support, otherwise it adapts to the available compiler features.
-LLVM clang compiler since version 2.9 can be used as well.
+A GCC or LLVM Clang compiler with C11 support.
Getting the source code
-----------------------
diff --git a/doc/introduction.rst b/doc/introduction.rst
index 398d0d4..f472b85 100644
--- a/doc/introduction.rst
+++ b/doc/introduction.rst
@@ -29,7 +29,7 @@ DNS features:
* Primary and secondary server operation
* Internet (IN) and Chaos (CH) classes
* DNS extension (EDNS0, EDE, EXPIRE)
-* UDP, TCP, and QUIC protocols
+* UDP, TCP, TLS 1.3, and QUIC protocols
* Zone catalog generation and interpretation
* Minimal responses
* Dynamic zone updates
@@ -73,7 +73,7 @@ Remarkable module extensions:
Remarkable supported networking features:
* TCP Fast Open (client and server)
-* Opportunistic, strict, and mutual authentication profiles over QUIC
+* Opportunistic, strict, and mutual authentication profiles over TLS 1.3 or QUIC
* High-performance UDP, TCP, and QUIC through AF_XDP processing (on Linux 4.18+)
* SO_REUSEPORT (on Linux) or SO_REUSEPORT_LB (on FreeBSD 12.0+) on UDP and by choice on TCP
* Binding to non-local addresses (IP_FREEBIND on Linux, IP_BINDANY/IPV6_BINDANY on FreeBSD)
diff --git a/doc/man/kcatalogprint.8in b/doc/man/kcatalogprint.8
index da964d8..f9d9fc9 100644
--- a/doc/man/kcatalogprint.8in
+++ b/doc/man/kcatalogprint.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KCATALOGPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KCATALOGPRINT" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kcatalogprint \- Knot DNS catalog print utility
.SH SYNOPSIS
@@ -40,10 +40,10 @@ The program prints zone catalog stored in a catalog database.
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
@@ -63,7 +63,8 @@ Filter the output by member zone name.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man/kdig.1in b/doc/man/kdig.1
index 99745c9..207c8c8 100644
--- a/doc/man/kdig.1in
+++ b/doc/man/kdig.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDIG" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KDIG" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kdig \- Advanced DNS lookup utility
.SH SYNOPSIS
@@ -43,16 +43,16 @@ which must precede \fIquery\fP specification.
.SS Parameters
.INDENT 0.0
.TP
-\fIquery\fP
+.B \fIquery\fP
\fIname\fP | \fB\-q\fP \fIname\fP | \fB\-x\fP \fIaddress\fP | \fB\-G\fP \fItapfile\fP
.TP
-\fIcommon\-settings\fP, \fIsettings\fP
+.B \fIcommon\-settings\fP, \fIsettings\fP
[\fIquery_class\fP] [\fIquery_type\fP] [\fB@\fP\fIserver\fP]... [\fIoptions\fP]
.TP
-\fIname\fP
+.B \fIname\fP
Is a domain name that is to be looked up.
.TP
-\fIserver\fP
+.B \fIserver\fP
Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
to. An additional port can be specified using address:port ([address]:port
for IPv6 address), address@port, or address#port notation. A value which begins
@@ -132,7 +132,8 @@ is provided, empty question section is set.
An explicit \fIquery_type\fP specification. See possible values above.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.TP
\fB\-x\fP \fIaddress\fP
Send a reverse (PTR) query for IPv4 or IPv6 \fIaddress\fP\&. The correct name, class
@@ -302,7 +303,7 @@ Use QUIC (DNS\-over\-QUIC).
Request the nameserver identifier (NSID).
.TP
\fB+\fP[\fBno\fP]\fBbufsize\fP=\fIB\fP
-Set EDNS buffer size in bytes (default is 4096 bytes).
+Set EDNS buffer size in bytes (default is 1232 bytes).
.TP
\fB+\fP[\fBno\fP]\fBpadding\fP[=\fIB\fP]
Use EDNS(0) padding option to pad queries, optionally to a specific
@@ -319,7 +320,7 @@ Align the query to B\-byte\-block message using the EDNS(0) padding option
Set EDNS(0) client subnet SUBN=addr/prefix.
.TP
\fB+\fP[\fBno\fP]\fBedns\fP[=\fIN\fP]
-Use EDNS version (default is 0).
+Use EDNS version (default is 0). EDNS(0) is enabled by default.
.TP
\fB+\fP[\fBno\fP]\fBtimeout\fP=\fIT\fP
Set the wait\-for\-reply interval in seconds (default is 5 seconds). This timeout
@@ -354,7 +355,7 @@ Use JSON for output encoding (RFC 8427).
.TP
\fB+noidn\fP
Disable the IDN transformation to ASCII and vice versa. IDN support depends
-on libidn availability during project building! If used in \fIcommon\-settings\fP,
+on libidn2 availability during project building! If used in \fIcommon\-settings\fP,
all IDN transformations are disabled. If used in the individual query \fIsettings\fP,
transformation from ASCII is disabled on output for the particular query. Note
that IDN transformation does not preserve domain name letter case.
diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8
index 020d854..a963df3 100644
--- a/doc/man/keymgr.8in
+++ b/doc/man/keymgr.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KEYMGR" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
keymgr \- Knot DNS key management utility
.SH SYNOPSIS
@@ -51,17 +51,17 @@ The database is backed by LMDB.
.SS Parameters
.INDENT 0.0
.TP
-\fIzone_name\fP
+.B \fIzone_name\fP
Name of the zone the command is executed for.
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
@@ -98,7 +98,8 @@ Force colorized output in the normal mode.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.sp
\fBNOTE:\fP
@@ -279,16 +280,16 @@ Key deleted.
.SS Timestamps
.INDENT 0.0
.TP
-0
+.B 0
Zero timestamp means infinite future.
.TP
-\fIUNIX_time\fP
+.B \fIUNIX_time\fP
Positive number of seconds since 1970 UTC.
.TP
-\fIYYYYMMDDHHMMSS\fP
+.B \fIYYYYMMDDHHMMSS\fP
Date and time in this format without any punctuation.
.TP
-\fIrelative_timestamp\fP
+.B \fIrelative_timestamp\fP
A sign character (\fB+\fP, \fB\-\fP), a number, and an optional time unit
(\fBy\fP, \fBmo\fP, \fBd\fP, \fBh\fP, \fBmi\fP, \fBs\fP). The default unit is one second.
E.g. +1mi, \-2mo.
@@ -296,7 +297,7 @@ E.g. +1mi, \-2mo.
.SS Output timestamp formats
.INDENT 0.0
.TP
-(none)
+.B (none)
The timestamps are printed as UNIX timestamp.
.TP
\fBhuman\fP
diff --git a/doc/man/khost.1in b/doc/man/khost.1
index 292f080..4cae5e9 100644
--- a/doc/man/khost.1in
+++ b/doc/man/khost.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KHOST" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KHOST" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
khost \- Simple DNS lookup utility
.SH SYNOPSIS
@@ -41,11 +41,11 @@ instead.
.SS Parameters
.INDENT 0.0
.TP
-\fIname\fP
+.B \fIname\fP
Is a domain name that is to be looked up. If the \fIname\fP is IPv4 or IPv6
address the PTR query type is used.
.TP
-\fIserver\fP
+.B \fIserver\fP
Is a name or an address of the nameserver to send a query to. The address
can be specified using [address]:port notation. If no server is specified,
the servers from \fB/etc/resolv.conf\fP are used.
@@ -80,7 +80,8 @@ Use the TCP protocol.
Enable verbose output.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.TP
\fB\-w\fP
Wait forever for the reply.
diff --git a/doc/man/kjournalprint.8in b/doc/man/kjournalprint.8
index 2a1303a..4c17e36 100644
--- a/doc/man/kjournalprint.8in
+++ b/doc/man/kjournalprint.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KJOURNALPRINT" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KJOURNALPRINT" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kjournalprint \- Knot DNS journal print utility
.SH SYNOPSIS
@@ -42,17 +42,17 @@ changes are colored for terminal.
.SS Parameters
.INDENT 0.0
.TP
-\fIzone_name\fP
+.B \fIzone_name\fP
A name of the zone to print the history for.
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
@@ -80,9 +80,6 @@ Debug mode brief output.
\fB\-x\fP, \fB\-\-mono\fP
Don\(aqt generate colorized output.
.TP
-\fB\-n\fP, \fB\-\-no\-color\fP
-An alias for \fB\-x\fP\&. Use of this option is deprecated, it will be removed in the future.
-.TP
\fB\-X\fP, \fB\-\-color\fP
Force colorized output.
.TP
@@ -90,7 +87,8 @@ Force colorized output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5
index d091d15..dc6fe4a 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOT.CONF" "5" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knot.conf \- Knot DNS configuration file
.SH DESCRIPTION
@@ -47,10 +47,11 @@ the following symbols:
.IP \(bu 2
\fBBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP)
.IP \(bu 2
-\fBTIME\fP – Number of seconds, an integer with possible time multiplier suffix
-(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
+\fBTIME\fP – Number of seconds, an integer with a possible time multiplier suffix
+(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600, \fBd\fP ~ 24 * 3600, \fBw\fP ~ 7 * 24 * 3600,
+\fBM\fP ~ 30 * 24 * 3600, \fBy\fP ~ 365 * 24 * 3600)
.IP \(bu 2
-\fBSIZE\fP – Number of bytes, an integer with possible size multiplier suffix
+\fBSIZE\fP – Number of bytes, an integer with a possible size multiplier suffix
(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
.IP \(bu 2
\fBBASE64\fP – Base64 encoded string
@@ -268,6 +269,7 @@ server:
dbus\-init\-delay: TIME
listen: ADDR[@INT] | STR ...
listen\-quic: ADDR[@INT] ...
+ listen\-tls: ADDR[@INT] ...
.ft P
.fi
.UNINDENT
@@ -531,19 +533,15 @@ Maximum EDNS0 UDP payload size for IPv6.
\fIDefault:\fP \fB1232\fP
.SS key\-file
.sp
-Path to a server key PEM file which is used for DNS over QUIC communication.
+Path to a server key PEM file which is used for DNS over QUIC/TLS communication.
A non\-absolute path of a user specified key file is relative to the
-\fB@config_dir@\fP directory.
-.sp
-Change of this parameter requires restart of the Knot server to take effect.
+\fB/usr/local/etc/knot\fP directory.
.sp
\fIDefault:\fP auto\-generated key
.SS cert\-file
.sp
-Path to a server certificate PEM file which is used for DNS over QUIC communication.
-A non\-absolute path is relative to the \fB@config_dir@\fP directory.
-.sp
-Change of this parameter requires restart of the Knot server to take effect.
+Path to a server certificate PEM file which is used for DNS over QUIC/TLS communication.
+A non\-absolute path is relative to the \fB/usr/local/etc/knot\fP directory.
.sp
\fIDefault:\fP one\-time in\-memory certificate
.SS edns\-client\-subnet
@@ -604,20 +602,21 @@ catalog zones and their members) are loaded or successfully bootstrapped.
the signal parameters are \fIzone name\fP and \fIzone SOA serial\fP\&.
.IP \(bu 2
\fBkeys\-updated\fP \- The signal \fBkeys_updated\fP is emitted when a DNSSEC key set
-of this zone is updated.
+is updated; the signal parameter is \fIzone name\fP\&.
.IP \(bu 2
\fBksk\-submission\fP – The signal \fBzone_ksk_submission\fP is emitted if there is
a ready KSK present when the zone is signed; the signal parameters are
\fIzone name\fP, \fIKSK keytag\fP, and \fIKSK KASP id\fP\&.
.IP \(bu 2
\fBdnssec\-invalid\fP – The signal \fBzone_dnssec_invalid\fP is emitted when DNSSEC
-validation fails; the signal parameter is \fIzone name\fP\&.
+validation fails; the signal parameters are \fIzone name\fP, and \fIremaining seconds\fP
+until an RRSIG expires.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-This function requires systemd version at least 221.
+This function requires systemd version at least 221 or libdbus.
.UNINDENT
.UNINDENT
.sp
@@ -655,14 +654,14 @@ for incoming queries over QUIC protocol.
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP not set
+.SS listen\-tls
.sp
-\fBNOTE:\fP
-.INDENT 0.0
-.INDENT 3.5
-Incoming \fI\%DDNS\fP over QUIC isn\(aqt supported.
-The server always responds with SERVFAIL.
-.UNINDENT
-.UNINDENT
+One or more IP addresses (and optionally ports) where the server listens
+for incoming queries over TLS protocol (DoT).
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP not set
.SH XDP SECTION
.sp
Various options related to XDP listening, especially TCP.
@@ -684,6 +683,9 @@ xdp:
tcp\-idle\-reset\-timeout: TIME
tcp\-resend\-timeout: TIME
route\-check: BOOL
+ ring\-size: INT
+ busypoll\-budget: INT
+ busypoll\-timeout: INT
.ft P
.fi
.UNINDENT
@@ -849,6 +851,63 @@ Only VLAN 802.1Q is supported.
.UNINDENT
.sp
\fIDefault:\fP \fBoff\fP
+.SS ring\-size
+.sp
+Size of RX, FQ, TX, and CQ rings.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This value should be at least as high as the configured RX size of the
+network device in the XDP mode.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB2048\fP
+.SS busypoll\-budget
+.sp
+If set to a positive value, preferred busy polling is enabled with the
+specified budget.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Preferred busy polling also requires setting \fBnapi_defer_hard_irqs\fP and
+\fBgro_flush_timeout\fP for the appropriate network interface. E.g.:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+echo 2 | sudo tee /sys/class/net/<interface>/napi_defer_hard_irqs
+echo 200000 | sudo tee /sys/class/net/<interface>/gro_flush_timeout
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+A recommended value is between 8 and 64.
+.UNINDENT
+.UNINDENT
+.sp
+\fIDefault:\fP \fB0\fP (disabled)
+.SS busypoll\-timeout
+.sp
+Timeout in microseconds of preferrred busy polling if enabled by
+\fI\%busypoll\-budget\fP\&.
+.sp
+Change of this parameter requires restart of the Knot server to take effect.
+.sp
+\fIDefault:\fP \fB20\fP (20 microseconds)
.SH CONTROL SECTION
.sp
Configuration of the server control interface.
@@ -1266,6 +1325,7 @@ remote:
address: ADDR[@INT] | STR ...
via: ADDR[@INT] ...
quic: BOOL
+ tls: BOOL
key: key_id
cert\-key: BASE64 ...
block\-notify\-after\-transfer: BOOL
@@ -1356,6 +1416,12 @@ queried remotes.
.UNINDENT
.sp
\fIDefault:\fP \fBoff\fP
+.SS tls
+.sp
+If this option is set, the TLS (DoT) protocol will be used for outgoing communication
+with this remote.
+.sp
+\fIDefault:\fP \fBoff\fP
.SS key
.sp
A \fI\%reference\fP to the TSIG key which is used to authenticate
@@ -1787,8 +1853,6 @@ Possible values:
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
-Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
-.sp
Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.
.UNINDENT
.UNINDENT
@@ -1955,6 +2019,10 @@ will be refreshed, in order to prevent expired RRSIGs on secondary servers or
resolvers\(aq caches.
.sp
\fIDefault:\fP 0.1 * \fI\%rrsig\-lifetime\fP + \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP
+.sp
+If \fI\%dnssec\-validation\fP is enabled:
+.sp
+\fIDefault:\fP \fB1d\fP (1 day)
.SS rrsig\-pre\-refresh
.sp
A period (in seconds) how long at most before a signature refresh time the signature
@@ -2638,7 +2706,9 @@ Every NSEC(3) RR is linked to the lexicographically next one.
.sp
The validation is not affected by \fI\%dnssec\-policy\fP configuration,
except for \fI\%signing\-threads\fP option, which specifies the number
-of threads for parallel validation.
+of threads for parallel validation, and \fI\%rrsig\-refresh\fP, which
+defines minimal allowed remaining RRSIG validity (otherwise a warning is
+logged).
.sp
\fBNOTE:\fP
.INDENT 0.0
diff --git a/doc/man/knotc.8in b/doc/man/knotc.8
index 01bfc95..5e41e97 100644
--- a/doc/man/knotc.8in
+++ b/doc/man/knotc.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOTC" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOTC" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knotc \- Knot DNS control utility
.SH SYNOPSIS
@@ -43,10 +43,10 @@ is executed in the interactive mode.
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.UNINDENT
@@ -55,10 +55,10 @@ configuration file.
.TP
\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
Set maximum size of the configuration database
-(default is @conf_mapsize@ MiB, maximum 10000 MiB).
+(default is 500 MiB, maximum 10000 MiB).
.TP
\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
-Use a control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+Use a control UNIX socket path (default is \fB/usr/local/var/run/knot/knot.sock\fP).
.TP
\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
Use a control timeout in seconds. Set to 0 for infinity (default is 60).
@@ -88,7 +88,8 @@ Enable debug output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SS Actions
.INDENT 0.0
@@ -173,8 +174,9 @@ disables all other filters by default, but they can still be turned on
explicitly. If zone flushing is disabled, the original zone file is backed
up instead of writing out zone contents to a file. When backing\-up a catalog
zone, it is recommended to prevent ongoing changes to it by use of
-\fBzone\-freeze\fP\&.
-See \fI\%Notes\fP below about the directory permissions. (#)
+\fBzone\-freeze\fP\&. The force option allows an already existing backupdir to
+be overwritten. See \fI\%Notes\fP below about the directory permissions.
+(#)
.TP
\fBzone\-restore\fP [\fIzone\fP\&...] \fB+backupdir\fP \fIdirectory\fP [\fIfilter\fP\&...]
Trigger a zone data and metadata restore from a specified backup directory.
@@ -187,6 +189,10 @@ permissions. (#)
Trigger a DNSSEC re\-sign of the zone. Existing signatures will be dropped.
This command is valid for zones with DNSSEC signing enabled. (#)
.TP
+\fBzone\-validate\fP [\fIzone\fP\&...]
+Trigger a DNSSEC validation of the zone. If the validation fails and the
+zone is secondary, the zone expires immediately! (#)
+.TP
\fBzone\-keys\-load\fP [\fIzone\fP\&...]
Trigger a load of DNSSEC keys and other signing material from KASP database
(which might have been altered manually). If suitable, re\-sign the zone
@@ -207,7 +213,8 @@ KSK in submission phase and the old KSK can be retired. (#)
\fBzone\-freeze\fP [\fIzone\fP\&...]
Trigger a zone freeze. All running events will be finished and all new and pending
(planned) zone\-changing events (load, refresh, update, flush, and DNSSEC signing)
-will be held up until the zone is thawed. (#)
+will be held up until the zone is thawed. Up to 8 (this limit is hardcoded) DDNS
+updates per zone will be queued, subsequent updates will be refused. (#)
.TP
\fBzone\-thaw\fP [\fIzone\fP\&...]
Trigger dismissal of zone freeze. (#)
diff --git a/doc/man/knotd.8in b/doc/man/knotd.8
index 1d02cc8..bbeb6a4 100644
--- a/doc/man/knotd.8in
+++ b/doc/man/knotd.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNOTD" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNOTD" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knotd \- Knot DNS server daemon
.SH SYNOPSIS
@@ -41,10 +41,10 @@ the DNS server daemon.
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.UNINDENT
@@ -53,10 +53,10 @@ configuration file.
.TP
\fB\-m\fP, \fB\-\-max\-conf\-size\fP \fIMiB\fP
Set maximum size of the configuration database
-(default is @conf_mapsize@ MiB, maximum 10000 MiB).
+(default is 500 MiB, maximum 10000 MiB).
.TP
\fB\-s\fP, \fB\-\-socket\fP \fIpath\fP
-Use a remote control UNIX socket path (default is \fB@run_dir@/knot.sock\fP).
+Use a remote control UNIX socket path (default is \fB/usr/local/var/run/knot/knot.sock\fP).
.TP
\fB\-d\fP, \fB\-\-daemonize\fP [\fIdirectory\fP]
Run the server as a daemon. New root directory may be specified
@@ -69,7 +69,8 @@ Enable debug output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SS Signals
.sp
diff --git a/doc/man/knsec3hash.1in b/doc/man/knsec3hash.1
index d9fa4a3..3bb9766 100644
--- a/doc/man/knsec3hash.1in
+++ b/doc/man/knsec3hash.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNSEC3HASH" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNSEC3HASH" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knsec3hash \- Simple utility to compute NSEC3 hash
.SH SYNOPSIS
@@ -35,27 +35,39 @@ knsec3hash \- Simple utility to compute NSEC3 hash
\fBknsec3hash\fP \fIsalt\fP \fIalgorithm\fP \fIiterations\fP \fIname\fP
.sp
\fBknsec3hash\fP \fIalgorithm\fP \fIflags\fP \fIiterations\fP \fIsalt\fP \fIname\fP
+.sp
+\fBknsec3hash\fP [\fI\-h\fP] [\fI\-V\fP]
.SH DESCRIPTION
.sp
This utility generates a NSEC3 hash for a given domain name and parameters of NSEC3 hash.
.SS Parameters
.INDENT 0.0
.TP
-\fIsalt\fP
+.B \fIsalt\fP
Specifies a binary salt encoded as a hexadecimal string.
.TP
-\fIalgorithm\fP
+.B \fIalgorithm\fP
Specifies a hashing algorithm by number. Currently, the only supported algorithm is SHA\-1 (number 1).
.TP
-\fIiterations\fP
+.B \fIiterations\fP
Specifies the number of additional iterations of the hashing algorithm.
.TP
-\fIname\fP
+.B \fIname\fP
Specifies the domain name to be hashed.
.TP
-\fIflags\fP
+.B \fIflags\fP
Specifies NSEC3 flags as an unsigned integer.
.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
+.UNINDENT
.SH EXIT VALUES
.sp
Exit status of 0 means successful operation. Any other exit status indicates
diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1
index ed34dd2..58220a0 100644
--- a/doc/man/knsupdate.1in
+++ b/doc/man/knsupdate.1
@@ -27,12 +27,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KNSUPDATE" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KNSUPDATE" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
knsupdate \- Dynamic DNS update utility
.SH SYNOPSIS
.sp
-\fBknsupdate\fP [\fIoptions\fP] [\fIfilename\fP]
+\fBknsupdate\fP [\fB\-v\fP] [\fIoptions\fP] [\fIfilename\fP]
+.sp
+\fBknsupdate\fP [\fB\-q\fP] [\fIquic_options\fP] [\fIoptions\fP] [\fIfilename\fP]
.SH DESCRIPTION
.sp
This utility sends Dynamic DNS update messages to a DNS server. Update content
@@ -45,44 +47,76 @@ comments and are not processed.
.SS Parameters
.INDENT 0.0
.TP
-\fIfilename\fP
+.B \fIfilename\fP
Path to the file with knsupdate commands.
.UNINDENT
.SS Options
.INDENT 0.0
.TP
-\fB\-d\fP
-Enable debug messages.
+\fB\-T\fP, \fB\-\-tcp\fP
+Use a TCP connection. (\fB\-v\fP can be used for compatibility with nsupdate).
.TP
-\fB\-h\fP, \fB\-\-help\fP
-Print the program help.
+\fB\-S\fP, \fB\-\-tls\fP
+Use a TLS connection.
.TP
-\fB\-k\fP \fIkeyfile\fP
-Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
-file should contain the key in the same format, which is accepted by the
-\fB\-y\fP option.
+\fB\-Q\fP, \fB\-\-quic\fP
+Use a QUIC connection.
.TP
-\fB\-p\fP \fIport\fP
+\fB\-p\fP, \fB\-\-port\fP \fInumber\fP
Set the port to use for connections to the server (if not explicitly specified
-in the update). The default is 53.
+in the update). The default is 53 for UDP/TCP or 853 for QUIC.
.TP
-\fB\-r\fP \fIretries\fP
+\fB\-r\fP, \fB\-\-retry\fP \fIcount\fP
The number of retries for UDP requests. The default is 3.
.TP
-\fB\-t\fP \fItimeout\fP
+\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
The total timeout (for all UDP update tries) of the update request in seconds.
The default is 12. If set to zero, the timeout is infinite.
.TP
-\fB\-v\fP
-Use a TCP connection.
-.TP
-\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
-.TP
-\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+\fB\-y\fP, \fB\-\-tsig\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
the shared secret encoded in Base64.
+.TP
+\fB\-k\fP, \fB\-\-tsigfile\fP \fIpath\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-d\fP, \fB\-\-debug\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
+.UNINDENT
+.SS QUIC/TLS options
+.INDENT 0.0
+.TP
+\fB\-H\fP, \fB\-\-hostname\fP \fIstring\fP
+Enable remote server hostname validation.
+.TP
+\fB\-P\fP, \fB\-\-pin\fP \fIbase64\fP
+Use Out\-of\-Band key\-pinned privacy profile
+(RFC 7858#section\-4.2). The PIN must be a Base64 encoded SHA\-256 hash of the
+X.509 SubjectPublicKeyInfo. Can be specified multiple times.
+.TP
+\fB\-A\fP, \fB\-\-ca\fP [\fIpath\fP]
+Enable certificate validation. Certification authority certificates
+are loaded from the specified PEM file (default is system certificate storage
+if no argument is provided). Can be specified multiple times.
+.TP
+\fB\-E\fP, \fB\-\-certfile\fP \fIpath\fP
+Path to a client certificate file.
+.TP
+\fB\-K\fP, \fB\-\-keyfile\fP \fIpath\fP
+Path to a client key file.
+.TP
+\fB\-s\fP, \fB\-\-sni\fP \fIstring\fP
+Use specified Server Name Indication.
.UNINDENT
.SS Commands
.INDENT 0.0
diff --git a/doc/man/kxdpgun.8in b/doc/man/kxdpgun.8
index f93872b..d7892eb 100644
--- a/doc/man/kxdpgun.8in
+++ b/doc/man/kxdpgun.8
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KXDPGUN" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KXDPGUN" "8" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kxdpgun \- XDP-powered DNS benchmarking tool
.SH SYNOPSIS
@@ -47,10 +47,10 @@ configured for the network interface.
.SS Parameters
.INDENT 0.0
.TP
-\fIfilename\fP
+.B \fIfilename\fP
Path to the queries file. See the description below regarding the file format.
.TP
-\fItarget\fP
+.B \fItarget\fP
Either the domain name, IPv4 or IPv6 address of a remote target.
.UNINDENT
.SS Options
@@ -90,6 +90,11 @@ CPU ID increment for next thread (default is 0s1).
\fB\-i\fP, \fB\-\-infile\fP \fIfilename\fP
Path to a file with query templates.
.TP
+\fB\-B\fP, \fB\-\-binary\fP
+Specify that input file is in binary format. This format is similar to the
+TCP DNS message format. The file contains records formated as 2\-octet length
+(network order) followed by a message in DNS wire format.
+.TP
\fB\-I\fP, \fB\-\-interface\fP \fIinterface\fP
Network interface for outgoing communication. This can be useful in situations
when the interfaces are in a bond for example.
@@ -136,11 +141,20 @@ has to exist.
This option is ignored if not in the QUIC mode. The recommended usage is
with \fB\-\-quic=R\fP or with low QPS. Otherwise, too many files are generated.
.TP
+\fB\-j\fP, \fB\-\-json\fP
+Print statistics formatted as json.
+.TP
+\fB\-S\fP, \fB\-\-stats\-period\fP \fIperiod\fP
+Report statistics automatically every \fIperiod\fP milliseconds.
+.sp
+These reports contain only metrics collected in the given period.
+.TP
\fB\-h\fP, \fB\-\-help\fP
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SS Queries file format
.sp
@@ -187,7 +201,8 @@ Instead of opening a connection for each query, reuse connections.
.SS Signals
.sp
Sending USR1 signal to a running process triggers current statistics dump
-to the standard output.
+to the standard output. In combination with \fB\-S\fP may cause erratic printout
+timing.
.SH NOTES
.sp
Linux kernel 4.18+ is required.
@@ -197,6 +212,12 @@ CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_IPC_LOCK, and CAP_SYS_RESOURCE
(Linux < 5.11).
.sp
The utility allocates source UDP/TCP ports from the range 2000\-65535.
+.sp
+Due to the multi\-threaded program structure there are slight discrepancies in
+the timespan during which metrics are collected for any given thread. The
+statistics printouts ignore this and are thus ever\-so\-slightly inaccurate. The
+error margin decreases proportionally to the volume of data & timespan over
+which they are collected.
.SH EXIT VALUES
.sp
Exit status of 0 means successful operation. Any other exit status indicates
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1
index a73b66e..22ebe47 100644
--- a/doc/man/kzonecheck.1in
+++ b/doc/man/kzonecheck.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KZONECHECK" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KZONECHECK" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kzonecheck \- Knot DNS zone check tool
.SH SYNOPSIS
@@ -44,7 +44,7 @@ Please, refer to the \fBsemantic\-checks\fP configuration option in
.SS Parameters
.INDENT 0.0
.TP
-\fIfilename\fP
+.B \fIfilename\fP
Path to the zone file to be checked. For reading from \fBstdin\fP use \fB/dev/stdin\fP
or just \fB\-\fP\&.
.UNINDENT
@@ -77,7 +77,8 @@ Enable debug output.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man/kzonesign.1in b/doc/man/kzonesign.1
index 147e112..558c95b 100644
--- a/doc/man/kzonesign.1in
+++ b/doc/man/kzonesign.1
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KZONESIGN" "1" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
+.TH "KZONESIGN" "1" "2024-09-02" "3.4.0" "Knot DNS"
.SH NAME
kzonesign \- DNSSEC signing utility
.SH SYNOPSIS
@@ -43,17 +43,17 @@ and zone.adjust\-threads).
.SS Parameters
.INDENT 0.0
.TP
-\fIzone_name\fP
+.B \fIzone_name\fP
A name of the zone to be signed.
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
-Use a textual configuration file (default is \fB@config_dir@/knot.conf\fP).
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
-Use a binary configuration database directory (default is \fB@storage_dir@/confdb\fP).
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.UNINDENT
@@ -78,7 +78,8 @@ specified by timestamp.
Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
-Print the program version.
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
.UNINDENT
.SH EXIT VALUES
.sp
diff --git a/doc/man_kcatalogprint.rst b/doc/man_kcatalogprint.rst
index cccc641..da2ed97 100644
--- a/doc/man_kcatalogprint.rst
+++ b/doc/man_kcatalogprint.rst
@@ -40,7 +40,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Exit values
-----------
diff --git a/doc/man_kdig.rst b/doc/man_kdig.rst
index 4457b68..cda3303 100644
--- a/doc/man_kdig.rst
+++ b/doc/man_kdig.rst
@@ -111,7 +111,8 @@ Options
An explicit *query_type* specification. See possible values above.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
**-x** *address*
Send a reverse (PTR) query for IPv4 or IPv6 *address*. The correct name, class
@@ -281,7 +282,7 @@ Options
Request the nameserver identifier (NSID).
**+**\ [\ **no**\ ]\ **bufsize**\ =\ *B*
- Set EDNS buffer size in bytes (default is 4096 bytes).
+ Set EDNS buffer size in bytes (default is 1232 bytes).
**+**\ [\ **no**\ ]\ **padding**\[\ =\ *B*\]
Use EDNS(0) padding option to pad queries, optionally to a specific
@@ -298,7 +299,7 @@ Options
Set EDNS(0) client subnet SUBN=addr/prefix.
**+**\ [\ **no**\ ]\ **edns**\[\ =\ *N*\]
- Use EDNS version (default is 0).
+ Use EDNS version (default is 0). EDNS(0) is enabled by default.
**+**\ [\ **no**\ ]\ **timeout**\ =\ *T*
Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout
@@ -333,7 +334,7 @@ Options
**+noidn**
Disable the IDN transformation to ASCII and vice versa. IDN support depends
- on libidn availability during project building! If used in *common-settings*,
+ on libidn2 availability during project building! If used in *common-settings*,
all IDN transformations are disabled. If used in the individual query *settings*,
transformation from ASCII is disabled on output for the particular query. Note
that IDN transformation does not preserve domain name letter case.
diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst
index 136a92c..a0001fe 100644
--- a/doc/man_keymgr.rst
+++ b/doc/man_keymgr.rst
@@ -75,7 +75,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
.. NOTE::
Keymgr runs with the same user privileges as configured for :doc:`knotd<man_knotd>`.
diff --git a/doc/man_khost.rst b/doc/man_khost.rst
index 1fcc0bf..9447856 100644
--- a/doc/man_khost.rst
+++ b/doc/man_khost.rst
@@ -57,7 +57,8 @@ Options
Enable verbose output.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
**-w**
Wait forever for the reply.
diff --git a/doc/man_kjournalprint.rst b/doc/man_kjournalprint.rst
index f83a137..3b2d024 100644
--- a/doc/man_kjournalprint.rst
+++ b/doc/man_kjournalprint.rst
@@ -57,9 +57,6 @@ Options
**-x**, **--mono**
Don't generate colorized output.
-**-n**, **--no-color**
- An alias for **-x**. Use of this option is deprecated, it will be removed in the future.
-
**-X**, **--color**
Force colorized output.
@@ -67,7 +64,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Exit values
-----------
diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst
index d03bc77..4755a6a 100644
--- a/doc/man_knotc.rst
+++ b/doc/man_knotc.rst
@@ -65,7 +65,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Actions
.......
@@ -150,8 +151,9 @@ Actions
explicitly. If zone flushing is disabled, the original zone file is backed
up instead of writing out zone contents to a file. When backing-up a catalog
zone, it is recommended to prevent ongoing changes to it by use of
- **zone-freeze**.
- See :ref:`Notes<notes>` below about the directory permissions. (#)
+ **zone-freeze**. The force option allows an already existing backupdir to
+ be overwritten. See :ref:`Notes<notes>` below about the directory permissions.
+ (#)
**zone-restore** [*zone*...] **+backupdir** *directory* [*filter*...]
Trigger a zone data and metadata restore from a specified backup directory.
@@ -164,6 +166,10 @@ Actions
Trigger a DNSSEC re-sign of the zone. Existing signatures will be dropped.
This command is valid for zones with DNSSEC signing enabled. (#)
+**zone-validate** [*zone*...]
+ Trigger a DNSSEC validation of the zone. If the validation fails and the
+ zone is secondary, the zone expires immediately! (#)
+
**zone-keys-load** [*zone*...]
Trigger a load of DNSSEC keys and other signing material from KASP database
(which might have been altered manually). If suitable, re-sign the zone
@@ -184,7 +190,8 @@ Actions
**zone-freeze** [*zone*...]
Trigger a zone freeze. All running events will be finished and all new and pending
(planned) zone-changing events (load, refresh, update, flush, and DNSSEC signing)
- will be held up until the zone is thawed. (#)
+ will be held up until the zone is thawed. Up to 8 (this limit is hardcoded) DDNS
+ updates per zone will be queued, subsequent updates will be refused. (#)
**zone-thaw** [*zone*...]
Trigger dismissal of zone freeze. (#)
diff --git a/doc/man_knotd.rst b/doc/man_knotd.rst
index d0fe83b..9f3193f 100644
--- a/doc/man_knotd.rst
+++ b/doc/man_knotd.rst
@@ -46,7 +46,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Signals
.......
diff --git a/doc/man_knsec3hash.rst b/doc/man_knsec3hash.rst
index bf0688c..b3367fe 100644
--- a/doc/man_knsec3hash.rst
+++ b/doc/man_knsec3hash.rst
@@ -10,6 +10,8 @@ Synopsis
:program:`knsec3hash` *algorithm* *flags* *iterations* *salt* *name*
+:program:`knsec3hash` [*-h*] [*-V*]
+
Description
-----------
@@ -33,6 +35,16 @@ Parameters
*flags*
Specifies NSEC3 flags as an unsigned integer.
+Options
+.......
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
+
Exit values
-----------
diff --git a/doc/man_knsupdate.rst b/doc/man_knsupdate.rst
index 40a419b..e2d71f9 100644
--- a/doc/man_knsupdate.rst
+++ b/doc/man_knsupdate.rst
@@ -6,7 +6,9 @@
Synopsis
--------
-:program:`knsupdate` [*options*] [*filename*]
+:program:`knsupdate` [**-v**] [*options*] [*filename*]
+
+:program:`knsupdate` [**-q**] [*quic_options*] [*options*] [*filename*]
Description
-----------
@@ -28,39 +30,71 @@ Parameters
Options
.......
-**-d**
- Enable debug messages.
+**-T**, **--tcp**
+ Use a TCP connection. (**-v** can be used for compatibility with nsupdate).
-**-h**, **--help**
- Print the program help.
+**-S**, **--tls**
+ Use a TLS connection.
-**-k** *keyfile*
- Use the TSIG key stored in a file *keyfile* to authenticate the request. The
- file should contain the key in the same format, which is accepted by the
- **-y** option.
+**-Q**, **--quic**
+ Use a QUIC connection.
-**-p** *port*
+**-p**, **--port** *number*
Set the port to use for connections to the server (if not explicitly specified
- in the update). The default is 53.
+ in the update). The default is 53 for UDP/TCP or 853 for QUIC.
-**-r** *retries*
+**-r**, **--retry** *count*
The number of retries for UDP requests. The default is 3.
-**-t** *timeout*
+**-t**, **--timeout** *seconds*
The total timeout (for all UDP update tries) of the update request in seconds.
The default is 12. If set to zero, the timeout is infinite.
-**-v**
- Use a TCP connection.
-
-**-V**, **--version**
- Print the program version.
-
-**-y** [*alg*:]\ *name*:*key*
+**-y**, **--tsig** [*alg*:]\ *name*:*key*
Use the TSIG key with a name *name* to authenticate the request. The *alg*
part specifies the algorithm (the default is hmac-sha256) and *key* specifies
the shared secret encoded in Base64.
+**-k**, **--tsigfile** *path*
+ Use the TSIG key stored in a file *keyfile* to authenticate the request. The
+ file should contain the key in the same format, which is accepted by the
+ **-y** option.
+
+**-d**, **--debug**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
+
+**-V**, **--version**
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
+
+QUIC/TLS options
+................
+
+**-H**, **--hostname** *string*
+ Enable remote server hostname validation.
+
+**-P**, **--pin** *base64*
+ Use Out-of-Band key-pinned privacy profile
+ (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the
+ X.509 SubjectPublicKeyInfo. Can be specified multiple times.
+
+**-A**, **--ca** [*path*]
+ Enable certificate validation. Certification authority certificates
+ are loaded from the specified PEM file (default is system certificate storage
+ if no argument is provided). Can be specified multiple times.
+
+**-E**, **--certfile** *path*
+ Path to a client certificate file.
+
+**-K**, **--keyfile** *path*
+ Path to a client key file.
+
+**-s**, **--sni** *string*
+ Use specified Server Name Indication.
+
Commands
........
diff --git a/doc/man_kxdpgun.rst b/doc/man_kxdpgun.rst
index 28713ba..bc26d12 100644
--- a/doc/man_kxdpgun.rst
+++ b/doc/man_kxdpgun.rst
@@ -67,6 +67,11 @@ Options
**-i**, **--infile** *filename*
Path to a file with query templates.
+**-B**, **--binary**
+ Specify that input file is in binary format. This format is similar to the
+ TCP DNS message format. The file contains records formated as 2-octet length
+ (network order) followed by a message in DNS wire format.
+
**-I**, **--interface** *interface*
Network interface for outgoing communication. This can be useful in situations
when the interfaces are in a bond for example.
@@ -111,11 +116,20 @@ Options
This option is ignored if not in the QUIC mode. The recommended usage is
with **--quic=R** or with low QPS. Otherwise, too many files are generated.
+**-j**, **--json**
+ Print statistics formatted as json.
+
+**-S**, **--stats-period** *period*
+ Report statistics automatically every *period* milliseconds.
+
+ These reports contain only metrics collected in the given period.
+
**-h**, **--help**
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Queries file format
...................
@@ -165,7 +179,8 @@ Signals
.......
Sending USR1 signal to a running process triggers current statistics dump
-to the standard output.
+to the standard output. In combination with **-S** may cause erratic printout
+timing.
Notes
-----
@@ -178,6 +193,12 @@ CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_IPC_LOCK, and CAP_SYS_RESOURCE
The utility allocates source UDP/TCP ports from the range 2000-65535.
+Due to the multi-threaded program structure there are slight discrepancies in
+the timespan during which metrics are collected for any given thread. The
+statistics printouts ignore this and are thus ever-so-slightly inaccurate. The
+error margin decreases proportionally to the volume of data & timespan over
+which they are collected.
+
Exit values
-----------
diff --git a/doc/man_kzonecheck.rst b/doc/man_kzonecheck.rst
index 3a10863..c0dae37 100644
--- a/doc/man_kzonecheck.rst
+++ b/doc/man_kzonecheck.rst
@@ -54,7 +54,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Exit values
-----------
diff --git a/doc/man_kzonesign.rst b/doc/man_kzonesign.rst
index c759c57..a1981ee 100644
--- a/doc/man_kzonesign.rst
+++ b/doc/man_kzonesign.rst
@@ -55,7 +55,8 @@ Options
Print the program help.
**-V**, **--version**
- Print the program version.
+ Print the program version. The option **-VV** makes the program
+ print the compile time configuration summary.
Exit values
-----------
diff --git a/doc/migration.rst b/doc/migration.rst
index f79539c..7c4a279 100644
--- a/doc/migration.rst
+++ b/doc/migration.rst
@@ -249,19 +249,19 @@ Configuration changes
- Ignored obsolete options (with a notice log):
- - ``server.max-journal-depth``
- - ``server.max-journal-usage``
- - ``server.max-refresh-interval``
- - ``server.min-refresh-interval``
- ``server.max-ipv4-udp-payload``
- ``server.max-ipv6-udp-payload``
- ``server.max-udp-payload``
- ``server.max-tcp-clients``
- ``server.tcp-reply-timeout``
+ - ``zone.max-journal-depth``
+ - ``zone.max-journal-usage``
+ - ``zone.max-refresh-interval``
+ - ``zone.min-refresh-interval``
+ - ``zone.max-zone-size``
- ``template.journal-db``
- ``template.kasp-db``
- ``template.timer-db``
- - ``template.max-zone-size``
- ``template.max-journal-db-size``
- ``template.max-timer-db-size``
- ``template.max-kasp-db-size``
@@ -393,6 +393,86 @@ Query module API change
The function ``knotd_qdata_local_addr()`` only takes one parameter.
+.. _Upgrade 3.3.x to 3.4.x:
+
+Upgrade 3.3.x to 3.4.x
+======================
+
+There are the following changes between Knot DNS versions 3.4.x and 3.3.x.
+
+DNSSEC
+------
+
+- DNSSEC validation fails if the remaining RRSIG validity is shorter than
+ the corresponding :ref:`policy_rrsig-refresh` value.
+- SKR verification fails if the end of a DNSKEY RRSIG validity period doesn't
+ cover the next DNSKEY snapshot.
+- If DNSSEC signing is enabled, the outbound request's EDNS expire value is
+ lowered to the earliest RRSIG expiration if it is higher.
+
+Semantic checks
+---------------
+
+- Just one SOA record is required.
+- Unified DNAME and CNAME semantic checks (see :ref:`Handling CNAME and DNAME-related updates`).
+
+Configuration changes
+---------------------
+
+- The server no longer allows concurrent control zone and configuration transactions.
+- The server no longer allows opening a zone transaction when a blocking command is running.
+- Removed already ignored obsolete options:
+
+ - ``server.max-ipv4-udp-payload``
+ - ``server.max-ipv6-udp-payload``
+ - ``server.max-udp-payload``
+ - ``server.max-tcp-clients``
+ - ``server.tcp-handshake-timeout``
+ - ``server.tcp-reply-timeout``
+ - ``server.listen-xdp``
+ - ``xdp.quic-log``
+ - ``zone.max-journal-depth``
+ - ``zone.max-journal-usage``
+ - ``zone.max-refresh-interval``
+ - ``zone.min-refresh-interval``
+ - ``zone.max-zone-size``
+ - ``zone.disable-any``
+ - ``template.journal-db``
+ - ``template.kasp-db``
+ - ``template.timer-db``
+ - ``template.max-journal-db-size``
+ - ``template.max-timer-db-size``
+ - ``template.max-kasp-db-size``
+ - ``template.journal-db-mode``
+
+Utilities
+---------
+
+- Changed defaults:
+
+ - :doc:`kdig<man_kdig>`: enabled ``+edns`` and ``+bufsize=1232``
+
+- Removed legacy parameters:
+
+ - :doc:`keymgr<man_keymgr>`: ``--brief``
+ - :doc:`kjournalprint<man_kjournalprint>`: ``--no-color``
+ - :doc:`kjournalprint<man_kjournalprint>`: database specification without ``--dir``
+ - :doc:`kjournalprint<man_kcatalogprint>`: database specification without ``--dir``
+
+Documentation
+-------------
+
+- Info pages are no longer supported.
+
+Building notes
+--------------
+
+- A GCC or LLVM Clang compiler with C11 support is required.
+- Minimum required *GnuTLS* version is 3.6.10.
+- *Libidn* version 1 is no longer supported.
+- *Liburcu* must be available via pkg-config.
+- Linux distributions CentOS 7, Debian 10, and Ubuntu 18.04 are no longer supported.
+
.. _Knot DNS for BIND users:
Knot DNS for BIND users
diff --git a/doc/operation.rst b/doc/operation.rst
index 5754147..5c2bdf2 100644
--- a/doc/operation.rst
+++ b/doc/operation.rst
@@ -632,7 +632,7 @@ continues along the lines of :rfc:`6781#section-4.1.2`::
2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active+
2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111204
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111204, new RRSIGs 3
2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:20:12+0100
... (propagation-delay + dnskey-ttl) ...
@@ -643,7 +643,7 @@ continues along the lines of :rfc:`6781#section-4.1.2`::
2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, ready, active+
2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111205
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111205, new RRSIGs 6
2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, next signing at 2024-02-28T15:19:37+0100
At this point the new KSK has to be submitted to the parent zone. Knot detects the updated parent's DS
@@ -660,7 +660,7 @@ operator must confirm it manually (using ``knotc zone-ksk-submitted``)::
2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111206
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111206, new RRSIGs 2
2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:20:23+0100
... (parent's DS TTL is 7 seconds) ...
@@ -670,7 +670,7 @@ operator must confirm it manually (using ``knotc zone-ksk-submitted``)::
2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111207
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111207, new RRSIGs 2
2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:21:54+0100
Upon the zone's ZSK lifetime expiration, a new ZSK is generated and the rollover
@@ -685,7 +685,7 @@ continues along the lines of :rfc:`6781#section-4.1.1`::
2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public
2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111208
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111208, new RRSIGs 2
2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:22:06+0100
... (propagation-delay + dnskey-ttl) ...
@@ -696,7 +696,7 @@ continues along the lines of :rfc:`6781#section-4.1.1`::
2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111209
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111209, new RRSIGs 14
2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:22:23+0100
... (propagation-delay + zone-max-ttl) ...
@@ -706,7 +706,7 @@ continues along the lines of :rfc:`6781#section-4.1.1`::
2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111210
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111210, new RRSIGs 2
2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:24:06+0100
Further rollovers::
@@ -722,7 +722,7 @@ Further rollovers::
2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, key, tag 59825, algorithm ECDSAP256SHA256, public
2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111211
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111211, new RRSIGs 2
2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:24:18+0100
...
@@ -736,7 +736,7 @@ Further rollovers::
2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, key, tag 59825, algorithm ECDSAP256SHA256, public, active
2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, key, tag 50822, algorithm ECDSAP256SHA256, KSK, public, active+
2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, signing started
- 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111214
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111214, new RRSIGs 3
2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:25:12+0100
...
@@ -1282,12 +1282,12 @@ if the backup was created for only a subset of zones.
turns off some verification checks, it shouldn't be used in other cases.
.. NOTE::
- For QUIC, only the auto-generated key is restored. The ``zone-restore``
- command doesn't restore a user-defined QUIC key and certificate so as to
+ For QUIC/TLS, only the auto-generated key is restored. The ``zone-restore``
+ command doesn't restore a user-defined QUIC/TLS key and certificate so as to
avoid possible configuration management conflicts and they must be restored
from the backup (its subdirectory ``quic``) manually. In all cases,
restart of the Knot server after the restore is necessary for the restored
- QUIC key/certificate to take effect.
+ QUIC/TLS key/certificate to take effect.
Limitations
-----------
@@ -1375,9 +1375,15 @@ Pre-requisites
* A multiqueue network card, which offers enough Combined RX/TX channels, with
native XDP support is highly recommended. Successfully tested cards:
+ * NVIDIA (Mellanox) ConnectX-6 Dx (driver `mlx5_core`), maximum number of channels
+ per interface is 63. Official drivers are recommended.
* Intel series 700 (driver `i40e`), maximum number of channels per interface is 64.
- * Intel series 500 (driver `ixgbe`), maximum number of channels per interface is 64.
- The number of CPUs available has to be at most 64!
+ Linux kernel drivers are recommended.
+
+ Cards with known instability issues:
+
+ * Intel series E810 (driver `ice`).
+ * Intel series 500 (driver `ixgbe`).
* If the `knotd` service is not directly executed in the privileged mode, some
additional Linux capabilities have to be set:
diff --git a/doc/reference.rst b/doc/reference.rst
index 6cb42f3..1aefc57 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -20,9 +20,10 @@ the following symbols:
- ``STR`` – Textual string
- ``HEXSTR`` – Hexadecimal string (with ``0x`` prefix)
- ``BOOL`` – Boolean value (``on``/``off`` or ``true``/``false``)
-- ``TIME`` – Number of seconds, an integer with possible time multiplier suffix
- (``s`` ~ 1, ``m`` ~ 60, ``h`` ~ 3600 or ``d`` ~ 24 * 3600)
-- ``SIZE`` – Number of bytes, an integer with possible size multiplier suffix
+- ``TIME`` – Number of seconds, an integer with a possible time multiplier suffix
+ (``s`` ~ 1, ``m`` ~ 60, ``h`` ~ 3600, ``d`` ~ 24 * 3600, ``w`` ~ 7 * 24 * 3600,
+ ``M`` ~ 30 * 24 * 3600, ``y`` ~ 365 * 24 * 3600)
+- ``SIZE`` – Number of bytes, an integer with a possible size multiplier suffix
(``B`` ~ 1, ``K`` ~ 1024, ``M`` ~ 1024^2 or ``G`` ~ 1024^3)
- ``BASE64`` – Base64 encoded string
- ``ADDR`` – IPv4 or IPv6 address
@@ -217,6 +218,7 @@ General options related to the server.
dbus-init-delay: TIME
listen: ADDR[@INT] | STR ...
listen-quic: ADDR[@INT] ...
+ listen-tls: ADDR[@INT] ...
.. CAUTION::
When you change configuration parameters dynamically or via configuration file
@@ -561,12 +563,10 @@ Maximum EDNS0 UDP payload size for IPv6.
key-file
--------
-Path to a server key PEM file which is used for DNS over QUIC communication.
+Path to a server key PEM file which is used for DNS over QUIC/TLS communication.
A non-absolute path of a user specified key file is relative to the
:file:`@config_dir@` directory.
-Change of this parameter requires restart of the Knot server to take effect.
-
*Default:* auto-generated key
.. _server_cert-file:
@@ -574,11 +574,9 @@ Change of this parameter requires restart of the Knot server to take effect.
cert-file
---------
-Path to a server certificate PEM file which is used for DNS over QUIC communication.
+Path to a server certificate PEM file which is used for DNS over QUIC/TLS communication.
A non-absolute path is relative to the :file:`@config_dir@` directory.
-Change of this parameter requires restart of the Knot server to take effect.
-
*Default:* one-time in-memory certificate
.. _server_edns-client-subnet:
@@ -646,16 +644,17 @@ Possible values:
- ``stopped`` when the server shutdown sequence is initiated.
- ``zone-updated`` – The signal ``zone_updated`` is emitted when a zone has been updated;
the signal parameters are `zone name` and `zone SOA serial`.
-- ``keys-updated`` - The signal ``keys_updated`` is emitted when a DNSSEC key set
- of this zone is updated.
+- ``keys-updated`` - The signal ``keys_updated`` is emitted when a DNSSEC key set
+ is updated; the signal parameter is `zone name`.
- ``ksk-submission`` – The signal ``zone_ksk_submission`` is emitted if there is
a ready KSK present when the zone is signed; the signal parameters are
`zone name`, `KSK keytag`, and `KSK KASP id`.
- ``dnssec-invalid`` – The signal ``zone_dnssec_invalid`` is emitted when DNSSEC
- validation fails; the signal parameter is `zone name`.
+ validation fails; the signal parameters are `zone name`, and `remaining seconds`
+ until an RRSIG expires.
.. NOTE::
- This function requires systemd version at least 221.
+ This function requires systemd version at least 221 or libdbus.
Change of this parameter requires restart of the Knot server to take effect.
@@ -704,9 +703,17 @@ Change of this parameter requires restart of the Knot server to take effect.
*Default:* not set
-.. NOTE::
- Incoming :ref:`DDNS<dynamic updates>` over QUIC isn't supported.
- The server always responds with SERVFAIL.
+.. _server_listen-tls:
+
+listen-tls
+----------
+
+One or more IP addresses (and optionally ports) where the server listens
+for incoming queries over TLS protocol (DoT).
+
+Change of this parameter requires restart of the Knot server to take effect.
+
+*Default:* not set
.. _xdp section:
@@ -730,6 +737,9 @@ Various options related to XDP listening, especially TCP.
tcp-idle-reset-timeout: TIME
tcp-resend-timeout: TIME
route-check: BOOL
+ ring-size: INT
+ busypoll-budget: INT
+ busypoll-timeout: INT
.. CAUTION::
When you change configuration parameters dynamically or via configuration file
@@ -912,6 +922,57 @@ Change of this parameter requires restart of the Knot server to take effect.
*Default:* ``off``
+.. _xdp_ring-size:
+
+ring-size
+---------
+
+Size of RX, FQ, TX, and CQ rings.
+
+Change of this parameter requires restart of the Knot server to take effect.
+
+.. NOTE::
+ This value should be at least as high as the configured RX size of the
+ network device in the XDP mode.
+
+*Default:* ``2048``
+
+.. _xdp_busypoll-budget:
+
+busypoll-budget
+---------------
+
+If set to a positive value, preferred busy polling is enabled with the
+specified budget.
+
+Change of this parameter requires restart of the Knot server to take effect.
+
+.. NOTE::
+
+ Preferred busy polling also requires setting ``napi_defer_hard_irqs`` and
+ ``gro_flush_timeout`` for the appropriate network interface. E.g.::
+
+ echo 2 | sudo tee /sys/class/net/<interface>/napi_defer_hard_irqs
+ echo 200000 | sudo tee /sys/class/net/<interface>/gro_flush_timeout
+
+.. NOTE::
+
+ A recommended value is between 8 and 64.
+
+*Default:* ``0`` (disabled)
+
+.. _xdp_busypoll-timeout:
+
+busypoll-timeout
+----------------
+
+Timeout in microseconds of preferrred busy polling if enabled by
+:ref:`xdp_busypoll-budget`.
+
+Change of this parameter requires restart of the Knot server to take effect.
+
+*Default:* ``20`` (20 microseconds)
+
.. _control section:
``control`` section
@@ -1378,6 +1439,7 @@ transfer, target for a notification, etc.).
address: ADDR[@INT] | STR ...
via: ADDR[@INT] ...
quic: BOOL
+ tls: BOOL
key: key_id
cert-key: BASE64 ...
block-notify-after-transfer: BOOL
@@ -1459,6 +1521,16 @@ with this remote.
*Default:* ``off``
+.. _remote_tls:
+
+tls
+---
+
+If this option is set, the TLS (DoT) protocol will be used for outgoing communication
+with this remote.
+
+*Default:* ``off``
+
.. _remote_key:
key
@@ -1955,8 +2027,6 @@ Possible values:
- ``ed448``
.. NOTE::
- Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.
-
Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.
*Default:* ``ecdsap256sha256``
@@ -2134,6 +2204,10 @@ resolvers' caches.
*Default:* 0.1 * :ref:`policy_rrsig-lifetime` + :ref:`policy_propagation-delay` + :ref:`policy_zone-max-ttl`
+If :ref:`zone_dnssec-validation` is enabled:
+
+*Default:* ``1d`` (1 day)
+
.. _policy_rrsig-pre-refresh:
rrsig-pre-refresh
@@ -2847,7 +2921,9 @@ List of DNSSEC checks:
The validation is not affected by :ref:`zone_dnssec-policy` configuration,
except for :ref:`policy_signing-threads` option, which specifies the number
-of threads for parallel validation.
+of threads for parallel validation, and :ref:`policy_rrsig-refresh`, which
+defines minimal allowed remaining RRSIG validity (otherwise a warning is
+logged).
.. NOTE::
diff --git a/doc/requirements.rst b/doc/requirements.rst
index 584afa2..6b25fc1 100644
--- a/doc/requirements.rst
+++ b/doc/requirements.rst
@@ -60,9 +60,9 @@ Required libraries
Knot DNS requires a few libraries to be available:
+* gnutls >= 3.6.10
* libedit
-* gnutls >= 3.3
-* liburcu >= 0.5.4
+* liburcu
* lmdb >= 0.9.15
.. NOTE::
@@ -72,9 +72,9 @@ Knot DNS requires a few libraries to be available:
Optional libraries
==================
-International Domain Names support (IDNA2008 or IDNA2003) in :doc:`kdig<man_kdig>`:
+International Domain Names support (IDNA2008) in :doc:`kdig<man_kdig>`:
-* libidn2 (or libidn)
+* libidn2
Systemd's startup notification mechanism and journald logging: