knot: Update to version 3.2.4

Message ID 20230101140715.3041415-2-adolf.belka@ipfire.org
State Accepted
Commit 3816b8b5bcbbcb258e12b51e50f8ecf70c930f63
Headers
Series knot: Update to version 3.2.4 |

Commit Message

Adolf Belka 1 Jan 2023, 2:07 p.m. UTC
  - Update from version 3.1.7 to 3.2.4
- Update of rootfile
- find-dependencies run and only thing showing as depending on the libs are knot itself.
- Changelog
    Knot DNS 3.2.4 (2022-12-12)
	Improvements:
	 - knotd: significant speed-up of catalog zone update processing
	 - knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
	 - knotd: reworked zone re-bootstrap scheduling to be less progressive
	 - mod-synthrecord: module can work with CIDR-style reverse zones #826
	 - python: new libknot wrappers for some dname transformation functions
	 - doc: a few fixes and improvements
	Bugfixes:
	 - knotd: incomplete zone is received when IXFR falls back to AXFR due to
	          connection timeout if primary puts initial SOA only to the first message
	 - knotd: first zone re-bootstrap is planned after 24 hours
	 - knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog zone
	 - knotd: catalog zone can expire upon EDNS EXPIRE processing
	 - knotd: DNSSEC signing doesn't fail if no offline KSK records available
    Knot DNS 3.2.3 (2022-11-20)
	Improvements:
	 - knotd: new per-zone DS push configuration option (see 'zone.ds-push')
	 - libs: upgraded embedded libngtcp2 to 0.11.0
	Bugfixes:
	 - knsupdate: program crashes when sending an update
	 - knotd: server drops more responses over UDP under higher load
	 - knotd: missing EDNS padding in responses over QUIC
	 - knotd: some memory issues when handling unusual QUIC traffic
	 - kxdpgun: broken IPv4 source subnet processing
	 - kdig: incorrect handling of unsent data over QUIC
    Knot DNS 3.2.2 (2022-11-01)
	Features:
	 - knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
	 - knotd: added configurable delay upon D-Bus initialization (see 'server.dbus-init-delay')
	 - kdig: support for JSON (RFC 8427) output format (see '+json')
	 - kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
	Improvements:
	 - mod-geoip: module respects the server configuration of answer rotation
	 - libs: upgraded embedded libngtcp2 to 0.10.0
	 - tests: improved robustness of some unit tests
	 - doc: added description of zone bootstrap re-planning
	Bugfixes:
	 - knotd: catalog confusion when a member is added and immediately deleted #818
	 - knotd: defective handling of short messages with PROXYv2 header #816
	 - knotd: inconsistent processing of malformed messages with PROXYv2 header #817
	 - kxdpgun: incorrect XDP mode is logged
	 - packaging: outdated dependency check in RPM packages
    Knot DNS 3.2.1 (2022-09-09)
	Improvements:
	 - libknot: added compatibility with libbpf 1.0 and libxdp
	 - libknot: removed some trailing white space characters from textual RR format
	 - libs: upgraded embedded libngtcp2 to 0.8.1
	Bugfixes:
	 - knotd: some non-DNS packets not passed to OS if XDP mode enabled
	 - knotd: inappropriate log about QUIC port change if QUIC not enabled
	 - knotd/kxdpgun: various memory leaks related to QUIC and TCP
	 - kxdpgun: can crash at high rates in emulated XDP mode
	 - tests: broken XDP-TCP test on 32-bit platforms
	 - kdig: failed to build with enabled QUIC on OpenBSD
	 - systemd: failed to start server due to TemporaryFileSystem setting
	 - packaging: missing knot-dnssecutils package on CentOS 7
    Knot DNS 3.2.0 (2022-08-22)
	Features:
	 - knotd: finalized TCP over XDP implementation
	 - knotd: initial implementation of DNS over QUIC in the XDP mode (see 'xdp.quic')
	 - knotd: new incremental DNSKEY management for multi-signer deployment (see 'policy.dnskey-management')
	 - knotd: support for remote grouping in configuration (see 'groups' section)
	 - knotd: implemented EDNS Expire option (RFC 7314)
	 - knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set to -1
	 - knotd: support for PROXY v2 protocol over UDP (Thanks to Robert Edmonds) #762
	 - knotd: support for key labels with PKCS #11 keystore (see 'keystore.key-label')
	 - knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
	 - keymgr: new JSON output format (see '-j' parameter) for listing keys or zones (Thanks to JP Mens)
	 - kxdpgun: support for DNS over QUIC with some testing modes (see '-U' parameter)
	 - kdig: new DNS over QUIC support (see '+quic')
	Improvements:
	 - knotd: reduced memory consumption when processing IXFR, DNSSEC, catalog, or DDNS
	 - knotd: RRSIG refresh values don't have to match in the mode Offline KSK
	 - knotd: better decision whether AXFR fallback is needed upon a refresh error
	 - knotd: NSEC3 resalt event was merged with the DNSSEC event
	 - knotd: server logs when the connection to remote was taken from the pool
	 - knotd: server logs zone expiration time when the zone is loaded
	 - knotd: DS check verifies removal of old DS during algorithm rollover
	 - knotd: DNSSEC-related records can be updated via DDNS
	 - knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
	 - knotd: outgoing NOTIFY is replanned if failed
	 - knotd: configuration checks if zone MIN interval values are lower or equal to MAX ones
	 - knotd: DNSSEC-related zone semantic checks use DNSSEC validation
	 - knotd: new configuration value 'query' for setting ACL action
	 - knotd: new check on near end of imported Offline KSK records
	 - knotd/knotc: implemented zone catalog purge, including orphaned member zones
	 - knotc: interactive mode supports catalog zone completion, value completion, and more
	 - knotc: new default brief and colorized output from zone status
	 - knotc: unified empty values in zone status output
	 - keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
	 - kjournalprint: path to journal DB is automatically taken from the configuration,
	                  which can be specified using '-c', '-C' (or '-D')
	 - kcatalogprint: path to catalog DB is automatically taken from the configuration,
	                  which can be specified using '-c', '-C' (or '-D')
	 - kzonesign: added automatic configuration file detection and '-C' parameter
	              for configuration DB specificaion
	 - kzonesign: all CPU threads are used for DNSSEC validation
	 - libknot: dname pointer cannot point to another dname pointer when encoding RRsets #765
	 - libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to Robert Edmonds) #780
	 - libknot: reduced memory consumption of the XDP mode
	 - libknot: XDP filter supports up to 256 NIC queues
	 - kxdpgun: new options for specifying source and remote MAC addresses
	 - utils: extended logging of LMDB-related errors
	 - utils: improved error outputs
	 - kdig: query has AD bit set by default
	 - doc: various improvements
	Bugfixes:
	 - knotd: zone changeset is stored to journal even if disabled
	 - knotd: journal not applied to zone file if zone file changed during reload
	 - knotd: possible out-of-order processing or postponed zone events to far future
	 - knotd: incorrect TTL is used if updated RRSet is empty over control interface
	 - knotd/libs: serial arithmetics not used for RRSIG expiration processing
	 - knsupdate: incorrect RRTYPE in the question section
	Compatibility:
	 - knotd: default value for 'zone.journal-max-depth' was lowered to 20
	 - knotd: default value for 'policy.nsec3-iterations' was lowered to 0
	 - knotd: default value for 'policy.rrsig-refresh' is propagation delay + zone maximum TTL
	 - knotd: server fails to load configuration if 'policy.rrsig-refresh' is too low
	 - knotd: configuration option 'server.listen-xdp' has no effect
	 - knotd: new configuration check on deprecated DNSSEC algorithm
	 - knotc: new '-e' parameter for full zone status output
	 - keymgr: new '-e' parameter for full key list output
	 - keymgr: brief key listing mode is enabled by default
	 - keymgr: renamed parameter '-d' to '-D'
	 - knsupdate: default TTL is set to 3600
	 - knsupdate: default zone is empty
	 - kjournalprint: renamed parameter '-c' to '-H'
	 - python/libknot: removed compatibility with Python 2
	Packaging:
	 - systemd: removed knot.tmpfile
	 - systemd: added some hardening options
	 - distro: Debian 9 and Ubuntu 16.04 no longer supported
	 - distro: packages for CentOS 7 are built in a separate COPR repository
	 - kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
    Knot DNS 3.1.9 (2022-08-10)
	Improvements:
	 - knotd: new configuration checks on unsupported catalog settings
	 - knotd: semantic check issues have notice log level in the soft mode
	 - keymgr: command generate-ksr automatically sets 'from' parameter to last
	           offline KSK records' timestamp if it's not specified
	 - keymgr: command show-offline starts from the first offline KSK record set
	           if 'from' parameter isn't specified
	 - kcatalogprint: new parameters for filtering catalog or member zone
	 - mod-probe: default rate limit was increased to 100000
	 - libknot: default control timeout was increased to 30 seconds
	 - python/libknot: various exceptions are raised from class KnotCtl
	 - doc: some improvements
	Bugfixes:
	 - knotd: incomplete outgoing IXFR is responded if journal history is inconsistent
	 - knotd: manually triggered zone flush is suppressed if disabled zone synchronization
	 - knotd: failed to configure XDP listen interface without port specification
	 - knotd: de-cataloged member zone's file isn't deleted #805
	 - knotd: member zone leaks memory when reloading catalog during dynamic configuration change
	 - knotd: server can crash when reloading modules with DNSSEC signing (Thanks to iqinlongfei)
	 - knotd: server crashes during shutdown if PKCS #11 keystore is used
	 - keymgr: command del-all-old isn't applied to all keys in the removed state
	 - kxdpgun: user specified network interface isn't used
	 - libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)
    Knot DNS 3.1.8 (2022-04-28)
	Features:
	 - knotd: optional automatic ACL for XFR and NOTIFY (see 'remote.automatic-acl')
	 - knotd: new soft zone semantic check mode for allowing defective zone loading
	 - knotc: added zone transfer freeze state to the zone status output
	Improvements:
	 - knotd: added configuration check for serial policy of generated catalogs
	Bugfixes:
	 - knotd/libknot: the server can crash when validating a malformed TSIG record
	 - knotd: outgoing zone transfer freeze not preserved during server reload
	 - knotd: catalog UPDATE not processed if previous UPDATE processing not finished #790
	 - knotd: zone refresh not started if planned during server reload
	 - knotd: generated catalogs can be queried over UDP
	 - knotd/utils: failed to open LMDB database if too many stale slots occupy the lock table

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/knot | 8 ++++----
 lfs/knot                     | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
  

Comments

Peter Müller 9 Jan 2023, 6:28 p.m. UTC | #1
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> - Update from version 3.1.7 to 3.2.4
> - Update of rootfile
> - find-dependencies run and only thing showing as depending on the libs are knot itself.
> - Changelog
>     Knot DNS 3.2.4 (2022-12-12)
> 	Improvements:
> 	 - knotd: significant speed-up of catalog zone update processing
> 	 - knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
> 	 - knotd: reworked zone re-bootstrap scheduling to be less progressive
> 	 - mod-synthrecord: module can work with CIDR-style reverse zones #826
> 	 - python: new libknot wrappers for some dname transformation functions
> 	 - doc: a few fixes and improvements
> 	Bugfixes:
> 	 - knotd: incomplete zone is received when IXFR falls back to AXFR due to
> 	          connection timeout if primary puts initial SOA only to the first message
> 	 - knotd: first zone re-bootstrap is planned after 24 hours
> 	 - knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog zone
> 	 - knotd: catalog zone can expire upon EDNS EXPIRE processing
> 	 - knotd: DNSSEC signing doesn't fail if no offline KSK records available
>     Knot DNS 3.2.3 (2022-11-20)
> 	Improvements:
> 	 - knotd: new per-zone DS push configuration option (see 'zone.ds-push')
> 	 - libs: upgraded embedded libngtcp2 to 0.11.0
> 	Bugfixes:
> 	 - knsupdate: program crashes when sending an update
> 	 - knotd: server drops more responses over UDP under higher load
> 	 - knotd: missing EDNS padding in responses over QUIC
> 	 - knotd: some memory issues when handling unusual QUIC traffic
> 	 - kxdpgun: broken IPv4 source subnet processing
> 	 - kdig: incorrect handling of unsent data over QUIC
>     Knot DNS 3.2.2 (2022-11-01)
> 	Features:
> 	 - knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
> 	 - knotd: added configurable delay upon D-Bus initialization (see 'server.dbus-init-delay')
> 	 - kdig: support for JSON (RFC 8427) output format (see '+json')
> 	 - kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
> 	Improvements:
> 	 - mod-geoip: module respects the server configuration of answer rotation
> 	 - libs: upgraded embedded libngtcp2 to 0.10.0
> 	 - tests: improved robustness of some unit tests
> 	 - doc: added description of zone bootstrap re-planning
> 	Bugfixes:
> 	 - knotd: catalog confusion when a member is added and immediately deleted #818
> 	 - knotd: defective handling of short messages with PROXYv2 header #816
> 	 - knotd: inconsistent processing of malformed messages with PROXYv2 header #817
> 	 - kxdpgun: incorrect XDP mode is logged
> 	 - packaging: outdated dependency check in RPM packages
>     Knot DNS 3.2.1 (2022-09-09)
> 	Improvements:
> 	 - libknot: added compatibility with libbpf 1.0 and libxdp
> 	 - libknot: removed some trailing white space characters from textual RR format
> 	 - libs: upgraded embedded libngtcp2 to 0.8.1
> 	Bugfixes:
> 	 - knotd: some non-DNS packets not passed to OS if XDP mode enabled
> 	 - knotd: inappropriate log about QUIC port change if QUIC not enabled
> 	 - knotd/kxdpgun: various memory leaks related to QUIC and TCP
> 	 - kxdpgun: can crash at high rates in emulated XDP mode
> 	 - tests: broken XDP-TCP test on 32-bit platforms
> 	 - kdig: failed to build with enabled QUIC on OpenBSD
> 	 - systemd: failed to start server due to TemporaryFileSystem setting
> 	 - packaging: missing knot-dnssecutils package on CentOS 7
>     Knot DNS 3.2.0 (2022-08-22)
> 	Features:
> 	 - knotd: finalized TCP over XDP implementation
> 	 - knotd: initial implementation of DNS over QUIC in the XDP mode (see 'xdp.quic')
> 	 - knotd: new incremental DNSKEY management for multi-signer deployment (see 'policy.dnskey-management')
> 	 - knotd: support for remote grouping in configuration (see 'groups' section)
> 	 - knotd: implemented EDNS Expire option (RFC 7314)
> 	 - knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set to -1
> 	 - knotd: support for PROXY v2 protocol over UDP (Thanks to Robert Edmonds) #762
> 	 - knotd: support for key labels with PKCS #11 keystore (see 'keystore.key-label')
> 	 - knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
> 	 - keymgr: new JSON output format (see '-j' parameter) for listing keys or zones (Thanks to JP Mens)
> 	 - kxdpgun: support for DNS over QUIC with some testing modes (see '-U' parameter)
> 	 - kdig: new DNS over QUIC support (see '+quic')
> 	Improvements:
> 	 - knotd: reduced memory consumption when processing IXFR, DNSSEC, catalog, or DDNS
> 	 - knotd: RRSIG refresh values don't have to match in the mode Offline KSK
> 	 - knotd: better decision whether AXFR fallback is needed upon a refresh error
> 	 - knotd: NSEC3 resalt event was merged with the DNSSEC event
> 	 - knotd: server logs when the connection to remote was taken from the pool
> 	 - knotd: server logs zone expiration time when the zone is loaded
> 	 - knotd: DS check verifies removal of old DS during algorithm rollover
> 	 - knotd: DNSSEC-related records can be updated via DDNS
> 	 - knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
> 	 - knotd: outgoing NOTIFY is replanned if failed
> 	 - knotd: configuration checks if zone MIN interval values are lower or equal to MAX ones
> 	 - knotd: DNSSEC-related zone semantic checks use DNSSEC validation
> 	 - knotd: new configuration value 'query' for setting ACL action
> 	 - knotd: new check on near end of imported Offline KSK records
> 	 - knotd/knotc: implemented zone catalog purge, including orphaned member zones
> 	 - knotc: interactive mode supports catalog zone completion, value completion, and more
> 	 - knotc: new default brief and colorized output from zone status
> 	 - knotc: unified empty values in zone status output
> 	 - keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
> 	 - kjournalprint: path to journal DB is automatically taken from the configuration,
> 	                  which can be specified using '-c', '-C' (or '-D')
> 	 - kcatalogprint: path to catalog DB is automatically taken from the configuration,
> 	                  which can be specified using '-c', '-C' (or '-D')
> 	 - kzonesign: added automatic configuration file detection and '-C' parameter
> 	              for configuration DB specificaion
> 	 - kzonesign: all CPU threads are used for DNSSEC validation
> 	 - libknot: dname pointer cannot point to another dname pointer when encoding RRsets #765
> 	 - libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to Robert Edmonds) #780
> 	 - libknot: reduced memory consumption of the XDP mode
> 	 - libknot: XDP filter supports up to 256 NIC queues
> 	 - kxdpgun: new options for specifying source and remote MAC addresses
> 	 - utils: extended logging of LMDB-related errors
> 	 - utils: improved error outputs
> 	 - kdig: query has AD bit set by default
> 	 - doc: various improvements
> 	Bugfixes:
> 	 - knotd: zone changeset is stored to journal even if disabled
> 	 - knotd: journal not applied to zone file if zone file changed during reload
> 	 - knotd: possible out-of-order processing or postponed zone events to far future
> 	 - knotd: incorrect TTL is used if updated RRSet is empty over control interface
> 	 - knotd/libs: serial arithmetics not used for RRSIG expiration processing
> 	 - knsupdate: incorrect RRTYPE in the question section
> 	Compatibility:
> 	 - knotd: default value for 'zone.journal-max-depth' was lowered to 20
> 	 - knotd: default value for 'policy.nsec3-iterations' was lowered to 0
> 	 - knotd: default value for 'policy.rrsig-refresh' is propagation delay + zone maximum TTL
> 	 - knotd: server fails to load configuration if 'policy.rrsig-refresh' is too low
> 	 - knotd: configuration option 'server.listen-xdp' has no effect
> 	 - knotd: new configuration check on deprecated DNSSEC algorithm
> 	 - knotc: new '-e' parameter for full zone status output
> 	 - keymgr: new '-e' parameter for full key list output
> 	 - keymgr: brief key listing mode is enabled by default
> 	 - keymgr: renamed parameter '-d' to '-D'
> 	 - knsupdate: default TTL is set to 3600
> 	 - knsupdate: default zone is empty
> 	 - kjournalprint: renamed parameter '-c' to '-H'
> 	 - python/libknot: removed compatibility with Python 2
> 	Packaging:
> 	 - systemd: removed knot.tmpfile
> 	 - systemd: added some hardening options
> 	 - distro: Debian 9 and Ubuntu 16.04 no longer supported
> 	 - distro: packages for CentOS 7 are built in a separate COPR repository
> 	 - kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
>     Knot DNS 3.1.9 (2022-08-10)
> 	Improvements:
> 	 - knotd: new configuration checks on unsupported catalog settings
> 	 - knotd: semantic check issues have notice log level in the soft mode
> 	 - keymgr: command generate-ksr automatically sets 'from' parameter to last
> 	           offline KSK records' timestamp if it's not specified
> 	 - keymgr: command show-offline starts from the first offline KSK record set
> 	           if 'from' parameter isn't specified
> 	 - kcatalogprint: new parameters for filtering catalog or member zone
> 	 - mod-probe: default rate limit was increased to 100000
> 	 - libknot: default control timeout was increased to 30 seconds
> 	 - python/libknot: various exceptions are raised from class KnotCtl
> 	 - doc: some improvements
> 	Bugfixes:
> 	 - knotd: incomplete outgoing IXFR is responded if journal history is inconsistent
> 	 - knotd: manually triggered zone flush is suppressed if disabled zone synchronization
> 	 - knotd: failed to configure XDP listen interface without port specification
> 	 - knotd: de-cataloged member zone's file isn't deleted #805
> 	 - knotd: member zone leaks memory when reloading catalog during dynamic configuration change
> 	 - knotd: server can crash when reloading modules with DNSSEC signing (Thanks to iqinlongfei)
> 	 - knotd: server crashes during shutdown if PKCS #11 keystore is used
> 	 - keymgr: command del-all-old isn't applied to all keys in the removed state
> 	 - kxdpgun: user specified network interface isn't used
> 	 - libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)
>     Knot DNS 3.1.8 (2022-04-28)
> 	Features:
> 	 - knotd: optional automatic ACL for XFR and NOTIFY (see 'remote.automatic-acl')
> 	 - knotd: new soft zone semantic check mode for allowing defective zone loading
> 	 - knotc: added zone transfer freeze state to the zone status output
> 	Improvements:
> 	 - knotd: added configuration check for serial policy of generated catalogs
> 	Bugfixes:
> 	 - knotd/libknot: the server can crash when validating a malformed TSIG record
> 	 - knotd: outgoing zone transfer freeze not preserved during server reload
> 	 - knotd: catalog UPDATE not processed if previous UPDATE processing not finished #790
> 	 - knotd: zone refresh not started if planned during server reload
> 	 - knotd: generated catalogs can be queried over UDP
> 	 - knotd/utils: failed to open LMDB database if too many stale slots occupy the lock table
> 
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>  config/rootfiles/common/knot | 8 ++++----
>  lfs/knot                     | 6 +++---
>  2 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot
> index 79e86141d..6660b27d1 100644
> --- a/config/rootfiles/common/knot
> +++ b/config/rootfiles/common/knot
> @@ -4,12 +4,12 @@ usr/bin/kdig
>  #usr/lib/libdnssec.la
>  #usr/lib/libdnssec.lai
>  #usr/lib/libdnssec.so
> -usr/lib/libdnssec.so.8
> -usr/lib/libdnssec.so.8.0.0
> +usr/lib/libdnssec.so.9
> +usr/lib/libdnssec.so.9.0.0
>  #usr/lib/libknot.la
>  #usr/lib/libknot.lai
>  #usr/lib/libknot.so
> -usr/lib/libknot.so.12
> -usr/lib/libknot.so.12.0.0
> +usr/lib/libknot.so.13
> +usr/lib/libknot.so.13.0.0
>  #usr/lib/libknotus.a
>  #usr/lib/libknotus.la
> diff --git a/lfs/knot b/lfs/knot
> index 0c0c033c0..feb3c8931 100644
> --- a/lfs/knot
> +++ b/lfs/knot
> @@ -1,7 +1,7 @@
>  ###############################################################################
>  #                                                                             #
>  # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
>  #                                                                             #
>  # This program is free software: you can redistribute it and/or modify        #
>  # it under the terms of the GNU General Public License as published by        #
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 3.1.7
> +VER        = 3.2.4
>  
>  THISAPP    = knot-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = d0e5c999c1b4bca89b86ad956dd91643f795fcba94757e34c44e3e6b925030c332da9cb0bfd72d6ae0f32b3016a8c50d821cfcc513268682dd6b5715714d9047
> +$(DL_FILE)_BLAKE2 = 1d5fec057898d8cbe73f37cd85aa9d56c7db0215e0fe8ba697f3ee4c38d7554780804b8859d062a824b18f823d6cff1546bd7ce54438ee54c555d068c5f19da1
>  
>  install : $(TARGET)
>
  

Patch

diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot
index 79e86141d..6660b27d1 100644
--- a/config/rootfiles/common/knot
+++ b/config/rootfiles/common/knot
@@ -4,12 +4,12 @@  usr/bin/kdig
 #usr/lib/libdnssec.la
 #usr/lib/libdnssec.lai
 #usr/lib/libdnssec.so
-usr/lib/libdnssec.so.8
-usr/lib/libdnssec.so.8.0.0
+usr/lib/libdnssec.so.9
+usr/lib/libdnssec.so.9.0.0
 #usr/lib/libknot.la
 #usr/lib/libknot.lai
 #usr/lib/libknot.so
-usr/lib/libknot.so.12
-usr/lib/libknot.so.12.0.0
+usr/lib/libknot.so.13
+usr/lib/libknot.so.13.0.0
 #usr/lib/libknotus.a
 #usr/lib/libknotus.la
diff --git a/lfs/knot b/lfs/knot
index 0c0c033c0..feb3c8931 100644
--- a/lfs/knot
+++ b/lfs/knot
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 3.1.7
+VER        = 3.2.4
 
 THISAPP    = knot-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = d0e5c999c1b4bca89b86ad956dd91643f795fcba94757e34c44e3e6b925030c332da9cb0bfd72d6ae0f32b3016a8c50d821cfcc513268682dd6b5715714d9047
+$(DL_FILE)_BLAKE2 = 1d5fec057898d8cbe73f37cd85aa9d56c7db0215e0fe8ba697f3ee4c38d7554780804b8859d062a824b18f823d6cff1546bd7ce54438ee54c555d068c5f19da1
 
 install : $(TARGET)