Rebase to Knot DNS 2.8.1 and Knot Resolver 4.0.0

Knot DNS 2.8.1 (2019-04-09)


  • Possible zone transaction is aborted by zone events to avoid inconsistency
  • Added log message if no persistent config DB is available during 'conf-begin'
  • New environment setting 'KNOT_VERSION_FORMAT=release' for extended version suppression
  • Various improvements in the documentation


  • Broken NSEC3-wildcard-nonexistence proof after NSEC3 re-salt
  • Glue records under delegation are sometimes signed
  • RRL doesn't work correctly on big-endian architectures
  • NSEC3 not re-salted during AXFR refresh
  • Failed to sign new zone contents if added dynamically #641
  • NSEC3 opt-out signing doesn't work in some cases
  • Broken NSEC3 chain after adding new sub-delegations
  • Redundant SOA RRSIG on slave if RRSIG TTL changed on master
  • Sometimes confusing log error message for NOTIFY event
  • Improper include for LMDB #638

Knot DNS 2.8.0 (2019-03-05)


  • New offline-KSK mode of operation
  • Configurable multithreaded DNSSEC signing for large zones
  • Extended ACL configuration for dynamic updates
  • New knotc trigger 'zone-key-rollover' for immediate DNSKEY rollover
  • Added support for OPENPGPKEY, CSYNC, SMIMEA, and ZONEMD RR types
  • New 'double-ds' option for CDS/CDNSKEY publication


  • Significant speed-up of zone updates
  • Knotc supports force option in the interactive mode
  • Copy-on-write support for QP-trie (Thanks to Tony Finch)
  • Unified and more efficient LMDB layer for journal, timer, and KASP databases
  • DS check event is re-planned according to KASP even when purged timers
  • Module DNS Cookies supports explicit Server Secret configuration
  • Zone mtime is verified against full-precision timestamp (Thanks to Daniel Kahn Gillmor)
  • Extended logging (loaded SOA serials, refresh duration, tiny cleanup)
  • Relaxed fixed-length condition for DNSSEC key ID
  • Extended semantic checks for DNAME and NS RR types
  • Added support for FreeBSD's SO_REUSEPORT_LB
  • Improved performance of geoip module
  • Various improvements in the documentation


  • Changed configuration default for 'cds-cdnskey-publish' to 'rollover'
  • Journal DB format changes are not downgrade-compatible
  • Keymgr no longer prints DS for algorithm SHA-1

Knot Resolver 4.0.0 (2019-04-18)

Incompatible changes

  • see upgrading guide:
  • configuration: trust_anchors aliases .file, .config() and .negative were removed (!788)
  • configuration: trust_anchors.keyfile_default is no longer accessible (!788)
  • daemon: -k/--keyfile and -K/--keyfile-ro options were removed
  • meson build system is now used for builds (!771)
  • build with embedded LMBD is no longer supported
  • default modules dir location has changed
  • DNSSEC is enabled by default
  • upstream packages for Debian now require systemd
  • libknot >= 2.8 is required
  • net.list() output format changed (#448)
  • net.listen() reports error when address-port pair is in use
  • bind to DNS-over-TLS port by default (!792)
  • stop versioning libkres library
  • default port for web management and APIs changed to 8453


  • policy.TLS_FORWARD: if hostname is configured, send it on wire (!762)
  • hints module: allow configuring the TTL and change default from 0 to 5s
  • policy module: policy.rpz() will watch the file for changes by default
  • packaging: lua cqueues added to default dependencies where available
  • systemd: service is no longer auto-restarted on configuration errors
  • always send DO+CD flags upstream, even in insecure zones (#153)
  • cache.stats() output is completely new; see docs (!775)
  • improve usability of table_print() (!790, !801)
  • add DNS-over-HTTPS support (#280)
  • docker image supports and exposes DNS-over-HTTPS


  • predict module: load stats module if config didn't specify period (!755)
  • trust_anchors: don't do 5011-style updates on anchors from files that were loaded as unmanaged trust anchors (!753)
  • trust_anchors.add(): include these TAs in .summary() (!753)
  • policy module: support '#' for separating port numbers, for consistency
  • fix startup on macOS+BSD when </dev/null and cqueues installed
  • policy.RPZ: log problems from zone-file level of parser as well (#453)
  • fix flushing of messages to logs in some cases (notably systemd) (!781)
  • fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
  • fix crash when dealing with unknown TA key algorhitm (#449)
  • go insecure due to algorithm support even if DNSKEY is NODATA (!798)
  • fix mac addresses in the output of net.interfaces() command (!804)
  • http module: fix too early renewal of ephemeral certificates (!808)

Module API changes

  • kr_straddr_split() changed API a bit (compiler will catch that)
  • C modules defining *_layer or *_props symbols need to change a bit See the upgrading guide for details. It's detected on module load.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-bfc53df27f

This update has been submitted for testing by tkrizek.

2 years ago

This update test gating status has been changed to 'waiting'.

2 years ago

This update test gating status has been changed to 'ignored'.

2 years ago

This update has been pushed to testing.

2 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for stable by tkrizek.

2 years ago

This update has been pushed to stable.

2 years ago

Please login to add feedback.

Content Type
Test Gating
Unstable by Karma
Stable by Karma
Stable by Time
2 years ago
in testing
2 years ago
in stable
2 years ago

Automated Test Results