Message ID | 20241119211106.2194373-3-adolf.belka@ipfire.org |
---|---|
State | New |
Headers | From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] knot: Update to version 3.4.2 Date: Tue, 19 Nov 2024 22:10:51 +0100 Message-ID: <20241119211106.2194373-3-adolf.belka@ipfire.org> In-Reply-To: <20241119211106.2194373-1-adolf.belka@ipfire.org> List-Id: IPFire development talk <development.lists.ipfire.org> |
Series |
knot: Update to version 3.4.2
|
|
Commit Message
Adolf Belka
Nov. 19, 2024, 9:10 p.m. UTC
- Update from version 3.3.8 to 3.4.2
- Update of rootfile
- Changelog
3.4.2
Improvements:
- knotd: new warning log upon every incremental update if previous
zone signing failed
- mod-cookies: support for two secret values specification
- keymgr: key pregenerate works even when a KSK exists
- libs: upgraded embedded libngtcp2 to 1.8.1
Bugfixes:
- knotd: server can crash when processing just a terminal label as QNAME
- knotd: failed to compile if no atomic operations available
- kjournalprint: failed to merge zone-in-journal if followed by a
non-first changeset
- knot-exporter: faulty escape sequence in time value parsing
- knot-exporter: failed to parse zone-status output
- kxdpgun: periodic statistics doesn't work correctly for longer time
periods
3.4.1
Features:
- knotd: ACL configuration allows protocol specification (see
'acl.protocol')
- knotc: support for benevolent zone updates (see zone-begin with
'+benevolent')
- knotd: implemented TLS session resumption
- knotd: pending TLS connections leak memory when the server shuts down
- kjournalprint: added print merged changesets mode (see '-M')
- libknot: added NXNAME meta type (Thanks to Jan Včelák)
Improvements:
- knotd: DNSKEY synchronization event logs removed/added *DNSKEYs
- knotd: control command log message contains filters and flags in
the debug mode
- knotc: zone status prints running, pending, and frozen duration
- knotd,knotc: unification of control flags and filters
- keymgr: key listing reports configured keys that are inaccessible
- libs: upgraded embedded libngtcp2 to 1.8.0
- doc: various fixes and updates
Bugfixes:
- knotd: missing support for IPv6 link local address configuration
- knotd: zone reload occasionally causes a core dump #939 (Thanks to
lidcc2)
- knotd: race condition in DDNS over QUIC processing
- knotd: imperfect signal handling on some auxiliary threads
- knotd: EDNS EXPIRE not updated when zone signing results in up-to-date
- knotd: failed to reload autogenerated QUIC/TLS key after process
ownership change
- knotc: zone backup filter +keysonly doesn't disable other defaults
- kxdpgun: failed to receive more data over QUIC until 1-RTT
handshake is done
- knsupdate: memory leak if rdata parsing fails
- doc: failed to install manual pages from a tarball
- Dockerfile: TCP port 853 not exposed for DoT
3.4.0
Features:
- knotd: full DNS over TLS (DoT, RFC 7858) implementation (see 'DNS
over TLS')
- knotd: bidirectional XFR over TLS (XoT) support with opportunistic,
strict, and mutual authentication profiles
- knotd: support for DDNS over QUIC and TLS
- knotd: DNSSEC validation requires the remaining RRSIG validity is
longer than 'rrsig-refresh'
- knotd: new event for automatic DNSSEC revalidation
- knotd: if enabled DNSSEC signing, EDNS expire is adjusted to the
earliest RRSIG expiration
- knotd: added support for libdbus as an alternative to systemd dbus
(see '--enable-dbus=libdbus' configure parameter)
- knotd: new XDP-related configuration options
(see 'xdp.ring-size', 'xdp.busypoll-budget', and
'xdp.busypoll-timeout')
- knotc: new command for explicit triggering DNSSEC validation (see
'zone-validate' command)
- keymgr: SKR verification requires end of DNSKEY RRSIG validity
covers next DNSKEY snapshot
- kdig: +nocrypto applies also to CERT, DS, SSHFP, DHCID, TLSA,
ZONEMD, and TSIG
- knsupdate: added support for DDNS over QUIC and TLS (see '-Q' and
'-S' parameters)
- kxdpgun: support for reading a binary input file (see '-B' parameter)
- kxdpgun: support for output in JSON (see '-j' parameter)
- kxdpgun: support for periodical output (see '-S' parameter)
- mod-rrl: module offers limiting of non-UDP protocols based on
consumed time (see 'mod-rrl.time-rate-limit' and
'mod-rrl.time-instant-limit')
- utils: -VV option for listing compile time configuration summary
Improvements:
- knotd: up to eight DDNS queries can be queued per zone when frozen
- knotd: the number of created/validated RRSIGs is logged
- knotd: overhaul of atomic operations usage
- knotd: unified DNAME semantic errors with the CNAME ones
(see 'Handling CNAME and DNAME-related updates')
- knotd: better DDNS pre-check to prevent dropping a bulk of updates
- knotd: extended SOA presence semantic checks
- knotd: disallowed concurrent control zone and config transactions
to avoid deadlock
- knotd: disallowed opening zone transaction when blocking command is
running to avoid deadlock
- knotd: new XDP statistic counters
- knotd: remote zone serial is logged upon received incoming transfer
- knotd: zone backup stores and zone restore checks the CPU
architecture compatibility
- knotd: time configuration options support 'w', 'M', and 'y' units
- knotd: some control commands can be processed asynchronously
- knotc: zone backup overwrites already existing backupdir in the
force mode
- kdig: EDNS is enabled by default
- kdig: the default EDNS payload size was lowered to 1232
- mod-rrl: completely reimplemented UDP rate limiting using an efficient
query-counting mechanism on several address prefix lengths
- mod-rrl: module no longer requires explicit configuration
- libknot: various XDP improvements and new configuration parameters
- docker: increased -D_FORTIFY_SOURCE to 3
Bugfixes:
- knotd: deadlock during zone-ksk-submitted processing of a frozen zone
- kxdpgun: race condition in SIGUSR1 signal processing
- doc: parallel build is unreliable #928
Compatibility:
- configure: increase minimal GnuTLS version to 3.6.10
- configure: removed deprecated libidn 1 support
- configure: removed liburcu search fallback
- configure: required GCC or LLVM Clang compiler with C11 support
- knotd: removed already ignored obsolete configuration options
- keymgr: removed legacy parameter '--brief'
- kjournalprint: removed legacy parameter '--no-color'
- kjournalprint: removed legacy database specification without '--dir'
- kcatalogprint: removed legacy database specification without '--dir'
- packaging: CentOS 7, Debian 10, and Ubuntu 18.04 no longer supported
- doc: removed info pages
3.3.9
Improvements:
- libknot: added EDE code 30
- libknot: improved performance of knot_rrset_to_wire_extra()
- libs: upgraded embedded libngtcp2 to 1.7.0
- doc: various fixes and updates
Bugfixes:
- keymgr: pregenerate clears future timestamps of old keys and
creates new keys
- mod-dnsproxy: defective TSIG processing
- mod-dnsproxy: TCP not detected in the XDP mode
- kxdpgun: unsuccessful interface initialization leaks memory
- packaging: libknot not installed with python3-libknot
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/knot | 4 ++--
lfs/knot | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot index 0fc076c10..5d0ab19d3 100644 --- a/config/rootfiles/common/knot +++ b/config/rootfiles/common/knot @@ -9,7 +9,7 @@ usr/lib/libdnssec.so.9.0.0 #usr/lib/libknot.la #usr/lib/libknot.lai #usr/lib/libknot.so -usr/lib/libknot.so.14 -usr/lib/libknot.so.14.0.0 +usr/lib/libknot.so.15 +usr/lib/libknot.so.15.0.0 #usr/lib/libknotus.a #usr/lib/libknotus.la diff --git a/lfs/knot b/lfs/knot index a016f3f91..6645c7be5 100644 --- a/lfs/knot +++ b/lfs/knot @@ -24,7 +24,7 @@ include Config -VER = 3.3.8 +VER = 3.4.2 THISAPP = knot-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a51e756f34d8641b2bc8ce32cb37c68c19ce1b5e13e981647e165634644ee005bb0a31b869148d50b3cd0a040f6952857df726e8ff67c5a46204270fa02396c5 +$(DL_FILE)_BLAKE2 = 0b633b27b22665db243bc4222f05028a17ee7ec6ba5960ff1cfe503d27bf3d26218f771cb15b70bbf8782898bcc7748bd5c27d55747607a1d93f784cdadddad7 install : $(TARGET)
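Review bot: in the config/rootfiles/common/knot hunk the libknot soname moves from 14 to 15, but the commit message only says "Update of rootfile". Once usr/lib/libknot.so.14 is no longer shipped, anything else linked against it will fail to load until rebuilt, so please state in the commit message that the soname changed and whether any other package in the tree links against libknot. The context line usr/lib/libdnssec.so.9.0.0 is unchanged; it is worth confirming that it was compared against the 3.4.2 build output as well.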
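Review bot: the VER line in lfs/knot jumps from 3.3.8 to 3.4.2 and so crosses 3.4.0, whose Compatibility section in the quoted changelog raises the minimum GnuTLS version to 3.6.10 and removes legacy parameters and already-ignored configuration options. The commit message does not say whether the result was built and run; please add a line confirming the build and a functional check of whichever knot utilities the distribution calls, particularly as kdig now enables EDNS by default with a payload size of 1232.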
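Review bot: on the $(DL_FILE)_BLAKE2 line the new digest is the only integrity check for knot-3.4.2.tar.xz visible in this patch, and nothing in the commit message says how it was produced. Please confirm that the tarball was checked against a signature or checksum published by upstream before the BLAKE2 value was computed locally, so that the hash pins a verified download rather than whatever was fetched.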