Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 142 |
1 files changed, 142 insertions, 0 deletions
@@ -1,3 +1,75 @@ +Knot DNS 3.4.0 (2024-09-02) +=========================== + +Features: +--------- + - knotd: full DNS over TLS (DoT, RFC 7858) implementation (see 'DNS over TLS') + - knotd: bidirectional XFR over TLS (XoT) support with opportunistic, strict, + and mutual authentication profiles + - knotd: support for DDNS over QUIC and TLS + - knotd: DNSSEC validation requires the remaining RRSIG validity is longer than 'rrsig-refresh' + - knotd: new event for automatic DNSSEC revalidation + - knotd: if enabled DNSSEC signing, EDNS expire is adjusted to the earliest RRSIG expiration + - knotd: added support for libdbus as an alternative to systemd dbus + (see '--enable-dbus=libdbus' configure parameter) + - knotd: new XDP-related configuration options + (see 'xdp.ring-size', 'xdp.busypoll-budget', and 'xdp.busypoll-timeout') + - knotc: new command for explicit triggering DNSSEC validation (see 'zone-validate' command) + - keymgr: SKR verification requires end of DNSKEY RRSIG validity covers next DNSKEY snapshot + - kdig: +nocrypto applies also to CERT, DS, SSHFP, DHCID, TLSA, ZONEMD, and TSIG + - knsupdate: added support for DDNS over QUIC and TLS (see '-Q' and '-S' parameters) + - kxdpgun: support for reading a binary input file (see '-B' parameter) + - kxdpgun: support for output in JSON (see '-j' parameter) + - kxdpgun: support for periodical output (see '-S' parameter) + - mod-rrl: module offers limiting of non-UDP protocols based on consumed time + (see 'mod-rrl.time-rate-limit' and 'mod-rrl.time-instant-limit') + - utils: -VV option for listing compile time configuration summary + +Improvements: +------------- + - knotd: up to eight DDNS queries can be queued per zone when frozen + - knotd: the number of created/validated RRSIGs is logged + - knotd: overhaul of atomic operations usage + - knotd: unified DNAME semantic errors with the CNAME ones + (see 'Handling CNAME and DNAME-related updates') + - knotd: better DDNS pre-check to prevent dropping a bulk of 
updates + - knotd: extended SOA presence semantic checks + - knotd: disallowed concurrent control zone and config transactions to avoid deadlock + - knotd: disallowed opening zone transaction when blocking command is running to avoid deadlock + - knotd: new XDP statistic counters + - knotd: remote zone serial is logged upon received incoming transfer + - knotd: zone backup stores and zone restore checks the CPU architecture compatibility + - knotd: time configuration options support 'w', 'M', and 'y' units + - knotd: some control commands can be processed asynchronously + - knotc: zone backup overwrites already existing backupdir in the force mode + - kdig: EDNS is enabled by default + - kdig: the default EDNS payload size was lowered to 1232 + - mod-rrl: completely reimplemented UDP rate limiting using an efficient + query-counting mechanism on several address prefix lengths + - mod-rrl: module no longer requires explicit configuration + - libknot: various XDP improvements and new configuration parameters + - docker: increased -D_FORTIFY_SOURCE to 3 + +Bugfixes: +--------- + - knotd: deadlock during zone-ksk-submitted processing of a frozen zone + - kxdpgun: race condition in SIGUSR1 signal processing + - doc: parallel build is unreliable #928 + +Compatibility: +-------------- + - configure: increase minimal GnuTLS version to 3.6.10 + - configure: removed deprecated libidn 1 support + - configure: removed liburcu search fallback + - configure: required GCC or LLVM Clang compiler with C11 support + - knotd: removed already ignored obsolete configuration options + - keymgr: removed legacy parameter '--brief' + - kjournalprint: removed legacy parameter '--no-color' + - kjournalprint: removed legacy database specification without '--dir' + - kcatalogprint: removed legacy database specification without '--dir' + - packaging: CentOS 7, Debian 10, and Ubuntu 18.04 no longer supported + - doc: removed info pages + Knot DNS 3.3.9 (2024-08-26) =========================== 
@@ -296,6 +368,76 @@ Packaging: - debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/) - docker: upgraded to Debian bookworm-slim +Knot DNS 3.2.13 (2024-06-25) +============================ + +Bugfixes: +--------- + - knotd: insufficient metadata check can cause journal corruption + - knotd: failed to build on macOS #909 + - knotd: early NSEC3 salt replanning if 'nsec3-salt-lifetime: -1' + - knotc: zone check complains about missing zone file #913 + - kdig: failed to parse empty QNAME (do not fill question section) + - python: failed to set an empty configuration value + - libzscanner: incorrect alpn processing #923 + - libknot: insufficient check for malformed TCP header options over XDP + - libknot: infinite loop in knot_rrset_to_wire_extra() #916 + +Knot DNS 3.2.12 (2023-12-19) +============================ + +Improvements: +------------- + - knotd: zone purging waits for finished zone expiration for better reliability + - doc: various fixes and extensions + +Bugfixes: +--------- + - knotd: zone backup fails due to improper backup context deinitialization #891 + - knotd: failed to sign the zone if maximum zone's TTL is too high + - knotd: malformed TCP header if used with QUIC in the generic XDP mode + - knotd: incorrect initialization of TCP limits + - knotd: orphaned PEM file not deleted when key generation fails + - knotd: server can crash when processing new TCP connections over XDP + - kdig: crashed when querying DNS over TLS if TLS handshake times out #896 + - kzonecheck: failed to check DS with SHA-1 or GOST if not supported by local policy + +Knot DNS 3.2.11 (2023-10-30) +============================ + +Improvements: +------------- + - keymgr: improved error message if a key file is not accessible + - keymgr: added offline RRSIGs validation at the end of their validity intervals + - doc: fixed some typos + +Bugfixes: +--------- + - knotd: DNAME record returned with query domain name instead of actual name #873 + - knotd: failed to 
import configuration file if mod-geoip is in use #881 + - knotd: failed to sign RRSet that fits to 64k only if compressed + - keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set + - knsupdate: incorrect processing of @ in the delete operation #879 + +Knot DNS 3.2.10 (2023-09-11) +============================ + +Improvements: +------------- + - knotd: multiple catalog groups per member are tolerated, but only one is used + - knotd: server cleans up stale LMDB readers when opening a RW transaction + +Bugfixes: +--------- + - knotd: server can crash when adjusting a wildcard glue + - knotd: failed to forward DDNS if 'zone.master' points to 'remotes' + - knotd: subsequent addition and removal to catalog zone isn't handled properly + - knotd: server can crash if a shared module is loaded and dynamic configuration used + - knotc: configuration import fails if an explicit shared module is configured + - kdig: double-free on some malformed responses over QUIC #869 + - kdig: some TLS parameters override QUIC parameters + - libs: NULL record with empty RDATA isn't allowed + Knot DNS 3.2.9 (2023-07-27) =========================== |
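Review bot: several entries in the new 3.4.0 section (first hunk) read awkwardly and should be tidied before release, since NEWS is user-facing: "knotd: DNSSEC validation requires the remaining RRSIG validity is longer than 'rrsig-refresh'" and "keymgr: SKR verification requires end of DNSKEY RRSIG validity covers next DNSKEY snapshot" both need "requires that"; "knotd: if enabled DNSSEC signing, EDNS expire is adjusted..." should be "if DNSSEC signing is enabled, EDNS EXPIRE is adjusted..."; "knotc: new command for explicit triggering DNSSEC validation" should be "for explicitly triggering"; and "knotd: zone backup stores and zone restore checks the CPU architecture compatibility" mixes singular and plural. Also, the Bugfixes list references an issue number only for the doc item (#928); the deadlock fix ("zone-ksk-submitted processing of a frozen zone") and the kxdpgun SIGUSR1 race would benefit from the same cross-reference if one exists, and the two security-relevant defaults changed in Improvements (kdig EDNS payload lowered to 1232, docker -D_FORTIFY_SOURCE raised to 3) deserve a one-line rationale pointer so operators understand why behaviour changed.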
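Review bot: the second hunk inserts the 3.2.10 through 3.2.13 sections into this branch's NEWS without any indication of whether the listed fixes are already present in the 3.3.x/3.4.0 code this file describes; several of them are memory-safety or robustness fixes in input handling ("libknot: infinite loop in knot_rrset_to_wire_extra() #916", "libknot: insufficient check for malformed TCP header options over XDP", "kdig: double-free on some malformed responses over QUIC #869", "knotd: insufficient metadata check can cause journal corruption"), so a reader scanning NEWS for whether their 3.3.x deployment is affected cannot tell. Suggest either a short note at the top of the inserted block stating that these maintenance-branch fixes were merged into 3.3.x (with the version where applicable), or cross-referencing the corresponding 3.3.x entries. Minor: "libzscanner: incorrect alpn processing #923" should capitalise "ALPN" to match the other acronyms in the file.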