FEDORA-EPEL-2017-6d2a35b0f7

enhancement update in Fedora EPEL 7 for knot

Status: testing 13 days ago

Knot DNS major update:

Knot DNS 2.6.1 (2017-11-02)

Features:

  • NSEC3 Opt-Out support in the DNSSEC signing
  • New CDS/CDNSKEY publish configuration option

Improvements:

  • Simplified DNSSEC log message with DNSKEY details
  • +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
  • New documentation sections for DNSSEC key rollovers and shared keys
  • Keymgr no longer prints useless algorithm number for generated key
  • Kdig prints unknown RCODE in a numeric format
  • Better support for LLVM libFuzzer

Bugfixes:

  • Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
  • Immediate zone flush not scheduled during the zone load event
  • Server crashes upon dynamic zone addition if a query module is loaded
  • Kdig fails to connect over TLS because SNI is set to the server IP address
  • Possible out-of-bounds memory access at the end of the input
  • TCP Fast Open enabled by default in kdig breaks TLS connection

Knot DNS 2.6.0 (2017-09-29)

Features:

  • On-slave (inline) signing support
  • Automatic DNSSEC key algorithm rollover
  • Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
  • New 'journal-content' and 'zonefile-load' configuration options
  • keymgr tries to run as user/group set in the configuration
  • Public-only DNSSEC key import into KASP DB via keymgr
  • NSEC3 resalt and parent DS query events are persistent in timer DB
  • New processing state for a response suppression within a query module
  • Enabled server side TCP Fast Open if supported
  • TCP Fast Open support in kdig

Improvements:

  • Better record owner compression if related to the previous rdata dname
  • NSEC(3) chain is no longer recomputed whole on every update
  • Remove inconsistent and unnecessary quoting in log files
  • Avoiding overlapping key rollovers at the same time
  • More DNSSEC-related semantic checks
  • Extended timestamp format in keymgr

Bugfixes:

  • Incorrect journal free space computation causing inefficient space handling
  • Interface-automatic broken on Linux in the presence of asymmetric routing

Knot DNS 2.5.5 (2017-09-29)

Improvements:

  • Constant time memory comparison in the TSIG processing
  • Proper use of the ctype functions
  • Generated RRSIG records have inception time 90 minutes in the past

Bugfixes:

  • Incorrect online signature for NSEC in the case of a CNAME record
  • Incorrect timestamps in dnstap records
  • EDNS Subnet Client validation rejects valid payloads
  • Module configuration semantic checks are not executed
  • Kzonecheck segfaults with unusual inputs

Knot DNS 2.5.4 (2017-08-31)

Improvements:

  • New minimum and maximum refresh interval config options (Thanks to Manabu Sonoda)
  • New warning on an unforced flush with zone file synchronization disabled
  • New 'dnskey' keymgr command
  • Linking with libatomic on architectures that require it (Thanks to Pierre-Olivier Mercier)
  • Removed 'OK' from listing keymgr command outputs
  • Extended journal and keymgr documentation and logging

Bugfixes:

  • Incorrect handling of specific corner-cases with zone-in-journal
  • The 'share' keymgr command doesn't work
  • Server crashes if configured with query-size and reply-size statistics options
  • Malformed big integer configuration values on some 32-bit platforms
  • Keymgr uses local time when parsing date inputs
  • Memory leak in kdig upon IXFR query

Knot DNS 2.5.3 (2017-07-14)

Features:

  • CSK rollover support for Single-Type Signing Scheme

Improvements:

  • Allowed binding to non-local addresses for TCP (Thanks to Julian Brost!)
  • New documentation section for manual DNSSEC key algorithm rollover
  • Initial KSK also generated in the submission state
  • The 'ds' keymgr command with no parameter uses all KSK keys
  • New debug mode in kjournalprint
  • Updated keymgr documentation

Bugfixes:

  • Sometimes missing RRSIG by KSK in submission state
  • Minor DNSSEC-related issues

Comments 3

This update has been submitted for testing by pspacek.

pspacek edited this update.

This update has been pushed to testing.


Content Type: RPM
Status: testing
Submitted by:
Update Type: enhancement
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush: Enabled

Dates:

  • submitted 13 days ago
  • in testing 13 days ago
  • days to stable 1
  • modified 13 days ago
