File knot.changes of Package knot
-------------------------------------------------------------------
Mon Jan 8 12:38:53 UTC 2018 - i@marguerite.su
- add knot-openssl-1.1+.patch
* fix build with openssl 1.1+
-------------------------------------------------------------------
Mon Jun 5 08:57:24 UTC 2017 - pgajdos@suse.com
- refreshed 0002-make-configure.ac-compatible-with-old-tools.patch
to fix build
-------------------------------------------------------------------
Mon Feb 13 11:55:40 UTC 2017 - mrueckert@suse.de
- update to 1.6.8
- Zone size limit restriction for DDNS, AXFR, and IXFR
(CVE-2016-6171)
-------------------------------------------------------------------
Tue May 10 22:57:40 UTC 2016 - mrueckert@suse.de
- fix the sphinx buildrequires so we can build on sle12
-------------------------------------------------------------------
Thu Feb 11 00:16:19 UTC 2016 - mrueckert@suse.de
- update to 1.6.7
- Improvements:
- IXFR: Log change of the zone serial number after the
transfer.
- RRL: Document operational impact of various settings.
- RRL: Add support for zero slip (dropping of all limited
responses).
-------------------------------------------------------------------
Tue Nov 24 22:24:55 UTC 2015 - mrueckert@suse.de
- update to 1.6.6
- Fix daemon startup systemd notification
- Out-of-bound read in packet parser for malformed NAPTR records
(LibFuzzer)
- Add rosedb module
- enable rosedb
- refresh patches to apply cleanly again
0001-loosen-openssl-dependency.patch
0002-make-configure.ac-compatible-with-old-tools.patch
-------------------------------------------------------------------
Thu Sep 3 16:48:32 UTC 2015 - mrueckert@suse.de
- skip silent rule in configure.ac to fix the SLE 11 build
-------------------------------------------------------------------
Thu Sep 3 16:37:24 UTC 2015 - mrueckert@suse.de
- update to 1.6.5
- Bugfixes:
- Do not reload expired zones on 'knotc reload' and server
startup
- Fix rare race-condition in event scheduling causing delayed
event execution
- Fix skipping of non-authoritative nodes in NSEC proofs
- Fix TC flag setting in RRL slipped answers
- Disable domain name compression for root label for better
compatibility
- Log via journald only when running under systemd
- Improve lookup of libsystemd build dependencies
- Fix compilation warnings in endian conversion functions on
OpenBSD
- Features:
- Update persistent timers only on shutdown for better
performance
- Add 'request-edns-option' config option to add custom EDNS0
option into server initiated queries
- Allow specification of time units in 'max-conn-idle',
'max-conn-handshake', 'max-conn-reply', and 'notify-timeout'
config options
- changes in 1.6.4
- Bugfixes:
- Fix lost NOTIFY message if received during zone transfer
- Fix compilation error with LibreSSL
- Disable fast zone parser when compiled in Clang (workaround
for Clang bug)
- kdig: Record correct dnstap SocketProtocol when retrying
over TCP
- kdig: Hide TSIG section with +noall
- Do not set AA flag for AXFR/IXFR queries
- Features:
- Zone parser: Split long TXT/SPF strings into multiple
strings
- kdig: Add generic dump style option (+generic)
- Try all master servers in multi-master environment
- Improvements:
- Zone dump: Do not write class for SOA record (unified with
other RR types)
- Zone dump: Do not write master server address into the zone
file
- refresh patches to apply cleanly again
- sync spec file with knot2 spec file
- use bcond_with for the systemd conditional
- replace all occurences of %{name} with %{pkg_name}
- removed duplicated libexecdir
- also pass disable static and includedir
-------------------------------------------------------------------
Wed Apr 29 07:03:38 UTC 2015 - mrueckert@suse.de
- local state dir should be just /var
-------------------------------------------------------------------
Thu Apr 9 02:51:53 UTC 2015 - mrueckert@suse.de
- enable dnstap support for factory and newer:
- new BR: protobuf-c and libfstrm-devel
- prepared lto support but not enabled yet, still need to find out
which distros support it
-------------------------------------------------------------------
Thu Apr 9 02:17:01 UTC 2015 - mrueckert@suse.de
- update to 1.6.3
- Performance drop for NSEC-signed zones
- Proper handling of TCP short-writes
- Out-of-bound read in zone parser for long domain names in
origin (AFL fuzzer)
- Out-of-bound read in packet parser for TSIG RR without RDATA
(AFL fuzzer)
- Out-of-bound read in packet parser for malformed NAPTR RR (AFL
fuzzer)
- CDS and CDNSKEY support in zone parser
- Add defaults for TCP config options into documentation
- Detailed error message if zone reload fails
- refreshed patches to apply cleanly again:
0002-make-configure.ac-compatible-with-old-tools.patch
-------------------------------------------------------------------
Tue Mar 10 17:20:55 UTC 2015 - mrueckert@suse.de
- update to 1.6.2
- Limiting number of parallel TCP clients (max-tcp-clients config
option)
- Ignore refresh and transfer events on non-slave zones
- Compilation with Dnstap support on FreeBSD
- Possible file descriptor leak when terminating inactive TCP
clients
- refreshed patches to apply cleanly again:
0002-make-configure.ac-compatible-with-old-tools.patch
- moved autoreconf -fi to %build so it wont be tried in quilt setup
or similar tools
- move up the %if case for systemd in for the preun scriptlet to
avoid warning about empty scripts on non systemd distributions.
- used xz tarball: new buildrequires xz
-------------------------------------------------------------------
Thu Jan 8 10:07:50 UTC 2015 - tchvatal@suse.com
- Add deps on the docu packages to regen documentation
- Enable systemd integration fully
- Add dep on libidn
- Cleanup with spec-cleaner
-------------------------------------------------------------------
Wed Dec 31 10:49:27 UTC 2014 - ondrej@sury.org
- Only require lmdb-devel on (Open)SUSE 13.2 and higher
-------------------------------------------------------------------
Wed Dec 31 10:29:48 UTC 2014 - ondrej@sury.org
- Updated to 1.6.1
Bugfixes:
- Journal file would sometimes outgrow its set limit
- Fixed incompatibility with OpenSSL 0.9.8
- Proper handling when machine hostname cannot be retreived
Features:
- Support for DNSSEC Single Type Signing Scheme
- Compile with lmdb-devel to add support for persistent timers
-------------------------------------------------------------------
Tue Nov 18 15:49:27 UTC 2014 - pgajdos@suse.com
- Updated to 1.6.0
Bugfixes:
- Fix zone expiration when AXFR/IXFR is being refused by master
- Fix forced zone refresh on slave (knotc refresh -f)
- Persistent timers database opening after privileges has been dropped
- DNSSEC: RFC compliant processing of letter case in RDATA domain names
- EDNS: Return minimal error response for queries with unsupported version
- EDNS: Fix interpretation of Extended RCODE
Improvements:
- Maximal size of persistent timers database increased from 10 MB to 100 MB
- Added logging of persistent timers database errors
Features:
- Persistent timers for slave zones (expire, refresh, and flush)
-------------------------------------------------------------------
Mon Sep 15 19:44:38 UTC 2014 - ondrej@sury.org
- Updated to 1.5.3
Bugfixes:
- Some specific incoming IXFRs were causing server to crash
- Rare sychronization error during reload caused read-after-free
- Response synthetization module did not work properly with DNSSEC-enabled zones
- When Knot sent AXFR when IXFR was requested, message ID and opcode were wrong
- Knot failed to send large messages to remote control (present since 1.5.1)
- Some RR parsing corner cases were not handled properly
- AXFR-style IXFR was refused and had to be retransfered
- Hash character (#) was not properly escaped when storing text zone file
- DNSSEC: DNAMEs in RDATA were not lowercased before signing
- EDNS: OPT RR were not put into responsing for some errors
- TSIG: DDNS responses were not signed with TSIG
- DDNS: Prerequisite checks failed for some inputs
- knsupdate: Zone origin was not used for deletions
Features:
- Basic support for logging using systemd journal
- DDNS: Ability to process updates in bulk
Improvements:
- Unified logging messages structure
- DNSSEC: More strict controls for signing keys
- Refreshed patches on top of 1.5.3 release:
* 0001-loosen-openssl-dependency.patch
* 0002-make-configure.ac-compatible-with-old-tools.patch
-------------------------------------------------------------------
Fri Jul 11 09:06:45 UTC 2014 - ondrej@sury.org
- Squash 0002-remove-AM_SILENT_RULES.patch and 0003-no-dist-xz.patch
into 0002-make-configure.ac-compatible-with-old-tools.patch that
removes configure.ac options incompatible with SLES_11_SP[23].
- added patches:
* 0002-make-configure.ac-compatible-with-old-tools.patch
- removed patches:
* 0002-remove-AM_SILENT_RULES.patch
* 0003-no-dist-xz.patch
-------------------------------------------------------------------
Thu Jul 10 08:18:29 UTC 2014 - ondrej@sury.org
- Updated to 1.5.0
Features:
* DDNS forwarding reimplemented
* edns-client-subnet support in kdig
* Optional asynchronous startup (config "asynchronous-start")
* Pluggable query processing modules
* Synthetic IPv4/IPv6 reverse/forward records (optional module)
* dnstap support in both utilities & server (optional module)
* NOTIFY message support and new TSIG section in kdig
* Multi-master support
Improvements:
* Transfer sizes logged in bytes if needed
* Logging outgoing NOTIFY messages
* Logging unauthorized incoming NOTIFYs
* Preempt task queue for faster reload
* Lazy zone file write after zone transfer (governed by "zonefile-sync")
* Query processing and core functionality overhaul
* Performance and reduced memory footprint
* Faster zone events scheduling
* RFC compliant queries/responses in some corner cases
* Log messages
* New documentation (Sphinx)
Bugfixes:
* Zone flush planning after bootstrap
* Incorrect incoming AXFR message sizes
* DDNS signing changes were freed too soon, posibility of stale data
* knotc remote control key handling
* Close zone transfer after SERVFAIL response
* Incremental to full zone transfer fallback, wrong log message
* Zone events corner cases, reload replanning
-------------------------------------------------------------------
Tue Jun 24 12:56:27 UTC 2014 - pgajdos@suse.com
- updated to 1.4.7:
* Fixed DDNS corner cases
* Fixed zone EXPIRE timer
* Fixed semantic checks false positives
* Fixed sending malformed IXFR with automatic DNSSEC
* Fixed NAPTR record serialization
-------------------------------------------------------------------
Mon May 12 12:38:02 UTC 2014 - ondrej@sury.org
- Fixed the missing 1.4.5 tarball
-------------------------------------------------------------------
Tue Apr 15 07:08:27 UTC 2014 - ondrej@sury.org
- updated to 1.4.5
Bugfixes:
* Fix possible weakness in TSIG signature checking
-------------------------------------------------------------------
Fri Mar 28 10:56:24 UTC 2014 - pgajdos@suse.com
- updated to 1.4.4
Features:
* Server is logging remote control commands
* 'knotc reload' doesn't refresh unchanged zones
* 'knotc -f refresh' forces zone retransfer
Bugfixes:
* Missing notifications after DDNS/automatic resign
* Zone is rebootstrapped if the zone file is unreadable
* Progressive bootstrap retry backoff
* Zone file parser allows asterisk as part of the label
* Journal maximum entry size fixes
* Sign DNSKEYs in non-apex nodes as regular RR sets
-------------------------------------------------------------------
Tue Feb 18 14:56:36 UTC 2014 - ondrej@sury.org
- Enable recvmmsg support in the build to increase performance
- Update upstream config directory to /etc/knot (instead of /etc/knot/knot)
- Replace tar.xz with tar.gz to allow backporting to older releases
- Disable silent rules to have more verbose builds
- Add support to compile with OpenSSL << 1.0.0
- added patches:
* 0001-loosen-openssl-dependency.patch
-------------------------------------------------------------------
Tue Feb 18 12:07:36 UTC 2014 - ondrej@sury.org
- update to 1.4.3:
* Failure when expanding wildcard leading to apex and having DNSKEY records
* Failure for query to wildcard without wildcard expansion
* Bad cleanup when loading a faulty entry from a journal
* Zone file $ORIGIN and configuration comparison is case-insensitive
* Config "include" statement supports directory and includes all files within
-------------------------------------------------------------------
Mon Jan 27 15:17:49 UTC 2014 - ondrej@sury.org
- update to 1.4.2:
* AXFR/IXFR compatibility issues with tinydns/axfrdns
* Journal file is created only when needed
* Zone-related log messages are logged into correct category
* DNSSEC: Refresh signatures earlier (3 days before their expiration
with the default signature lifetime)
* Fixed RCU synchronization causing deadlock on 'knotc signzone'
* RRSIG not fitting in the additional records doesn't cause truncation
-------------------------------------------------------------------
Tue Jan 14 15:14:06 UTC 2014 - ondrej@sury.org
- update to 1.4.1:
* Empty APL record support
* 'zonestatus' when using immediate zone syncing
* Immediate zone syncing after reload
* Race condition writing time values to zone file
* Hard require OpenSSL >= 1.0.0
- removed patches:
* 0001-Add-support-for-OpenSSL-threads-in-OpenSSL-1.0.0.patch
* 0001-Check-the-OpenSSL-version-when-checking-for-GOST-alg.patch
-------------------------------------------------------------------
Wed Jan 8 08:58:19 UTC 2014 - ondrej@sury.org
- Add support to compile with OpenSSL << 1.0.0
- added patches:
* 0001-Add-support-for-OpenSSL-threads-in-OpenSSL-1.0.0.patch
* 0001-Check-the-OpenSSL-version-when-checking-for-GOST-alg.patch
-------------------------------------------------------------------
Wed Jan 8 08:40:45 UTC 2014 - ondrej@sury.org
- update to 1.4.0:
* Experimental automatic DNSSEC signing
* Fastest ragel parser enabled by default
* Reduced memory usage
* Zone SOA SERIAL policies (INCREMENT, UNIXTIME) for DDNS and
automatic DNSSEC signing
* IDN support in Knot utilities (kdig, knsupdate, ...)
* DNSSEC: support for GOST algorithm
* Support for DNSSEC key pre-publication
-------------------------------------------------------------------
Mon Dec 16 09:46:03 UTC 2013 - ondrej@sury.org
- update to 1.3.4:
* Bugfixes:
Crash in particular additionals processing
Race condition in event cancelation
Journal corruption after failed transactions
-------------------------------------------------------------------
Tue Nov 26 13:36:54 UTC 2013 - pgajdos@suse.com
- update to 1.3.3:
* New features:
Reduced memory usage
Improved performance
Experimental automatic DNSSEC signing
Refactored zone loading
Improved journal locking
* Bugfixes:
Fixed some race conditions
Various fixes in client utilities
-------------------------------------------------------------------
Mon Sep 9 15:16:04 UTC 2013 - pgajdos@suse.com
- update to 1.3.1
* Faster zone parser
* Full support for EUI and ILNP resource records
* Lower memory footprint for large zones
* No compilation of zones
* Improved scheduling of zone transfers
* Logging of serials and timing information for zone transfers
* see NEWS or https://www.knot-dns.cz/ for details
-------------------------------------------------------------------
Wed Apr 3 15:37:52 UTC 2013 - ondrej@sury.org
- Update to 1.2.0 final
Bugfixes:
* Memory leaks
-------------------------------------------------------------------
Fri Mar 22 15:32:38 UTC 2013 - ondrej@sury.org
- Update to 1.2.0-rc4
New features:
* knotc 'zonestatus' command
Bugfixes:
* Changing logfile ownership before dropping privileges
* knotc respects 'control' section from configuration
* RRL: resolved bucket collisions
* RRL: updated bucket mapping to conform RRL technical memo
-------------------------------------------------------------------
Tue Mar 12 08:37:55 UTC 2013 - ondrej@sury.org
- Update to 1.2.0-rc3
New features:
* Dynamic updates, including forwarding (limited on signed zones)
* Updated remote control utility
* Configurable TCP timeouts
* LOC RR support
* Response rate limiting (see documentation)
Bugfixes:
* Fixed processing of some non-standard dnames.
* Correct checking of label length bounds in some cases.
* More compliant rcodes in case of DDNS/TSIG failures.
* Correct processing of malformed DDNS prereq section.
* Fixed OpenBSD build
* Responses to ANY should contain RRSIGs
-------------------------------------------------------------------
Sat Nov 24 09:12:42 UTC 2012 - aj@suse.de
- Documentation only needs makeinfo, thus require it instead of texinfo
where it's available as separate package.
-------------------------------------------------------------------
Thu Nov 22 17:22:37 UTC 2012 - ondrej@sury.org
- update to 1.1.2:
Bugfixes:
* Fixed crash on reload when config contained duplicate zones.
* Fixed scheduling of transfers.
* Fixed debug message.
- merge some changes from fedora spec file
- remove unittest files, they don't belong in binary packages
- depend on texinfo package to build the documentation
-------------------------------------------------------------------
Tue Nov 20 12:37:14 UTC 2012 - pgajdos@suse.com
- update to 1.1.1:
New features:
* Optionally disable ANY queries for authoritative answers.
* Dropping identical records in zone and incoming transfers.
* Support for '/' in zone names.
* Generating journal from reloaded zone (EXPERIMENTAL).
* Outgoing-only interfaces in configuration file.
* Following DNAME if the synthetized name is in the same zone.
* Signing SOA with TSIG queries when checking zone version with master.
* Improved compression of packets. Out-of-zone dnames present in RDATA
were not compressed.
* Slave zones are now automatically refreshed after startup.
* Proper response to IXFR/UDP query (returns SOA in Authority section).
Bugfixes:
* Crash when zone contained RRSIG signing a CNAME, but did not
contain the CNAME.
* Malformed packets parsing.
* Failed IXFR caused memory leaks.
* Failed IXFR might have resulted in inconsistent zone structures.
* Fixed answering to +dnssec queries when NSEC3 chain is corrupted.
* Fixed answering when transitioning from NSEC3 to NSEC.
* Fixed answering when zone contains multiple NSEC3 chains.
* Handling RRSets with different TTLs - TTL from the first RR is used.
* Synchronization of zone reload and zone transfers.
* Fixed build on NetBSD 5 and FreeBSD.
* Fixed binding to both IPv4 and IPv6 at the same time on special
interfaces.
* Fixed access rights of created files.
* Semantic checks corrupted RDATA domain names which are covered by
wildcard in the same zone.
* Fixed ixfr-from-differences journal generation in case of IPSECKEY
and APL records.
* Fixed possible leak on server shutdown with a pending transfer.
* Syncing journal to zone was not updating the compiled zone database.
* Crash after IXFR in certain cases when adding RRSIG in an IXFR.
* Fixed behaviour when incoming IXFR removes a zone cut. Previously
occluded names now become properly visible. Previously lead to a
crash when the server was asked for the previously occluded name.
* Fixed handling of zero-length strings in text zone dump. Caused the
compilation to fail.
* Fixed TSIG algorithm name comparison - the names should be in
canonical form.
* Fixed handling unknown RR types with type less than 251.
Other improvements:
* IXFR-in optimized.
* Many zones loading optimized.
* More detailed log messages (mostly transfer-related).
* Copying Question section to error responses.
* Using zone name from config file as default origin in zone file.
* Additional records are now added to response also from
wildcard-covered names.
* Improved user manual.
* Better checks of corrupted zone database.
-------------------------------------------------------------------
Tue Aug 28 10:02:40 UTC 2012 - pgajdos@suse.com
- fix build for older distributions (dont user %{make_install}
macro)
-------------------------------------------------------------------
Mon Jul 2 08:58:06 UTC 2012 - pgajdos@suse.com
- initial version 1.0.6
