knot: Update to version 3.5.4

Message ID 20260428121111.1146161-7-adolf.belka@ipfire.org
State Staged
Commit cfd3022710f9405781b02550e696bc7274863236
Series: knot: Update to version 3.5.4

Commit Message

Adolf Belka 28 Apr 2026, 12:11 p.m. UTC
- Update from 3.4.2 to 3.5.4
- Update of rootfile
- find-dependencies run due to sobump. No issues identified.
- Changelog
3.5.4
Features:
 - knotd: configurable ZERO-COPY XDP mode (see 'xdp.zero-copy')
 - mod-dnserr: module for DNS error reporting
Improvements:
 - knotd: 'zone-update-error' statistic counter covers more situations
 - knotd: 'zone.catalog-zone' configuration option is ignored if not needed
 - knotd: dynamic reconfiguration logs item value in debug mode
 - knotd: memory optimizations when reloading a zone file
 - knotd: improved interoperability with Bind9 Offline KSK operations
 - knotd: improved performance of updated zone check
 - knotd: increased maximum configuration database reader limit by 3
 - knotd: new warning logs if primaries are outdated during zone refresh
 - kxdpgun: JSON output is stream of newline-delimited objects instead of a list
 - kxdpgun: extended throughput statistics
 - libs: support for loading private ALIAS record type
 - libs: upgraded embedded libngtcp2 to 1.22.0
 - debian: switched to sysusers.d and tmpfiles.d configurations (Thanks to Luca Boccassi)
 - doc: various improvements
Bugfixes:
 - mod-onlinesign: incorrect next NSEC owner name leading to a DoS (Thanks to Shang Kunjie)
 - knotd: server crash upon receiving a malformed resource record over XFR (Thanks to Haruto Kimura)
 - knotd: generated catalog not updated if reconfigured without server restart
 - knotd: some cross-zone reconfigurations not handled correctly
 - knotd: configuration control transaction not recoverable after a semantic error
 - knotd: zone loaded from Redis backend incrementally for non-continuous changes
 - knotd: server crash when accessing an HSM in parallel by multiple background workers
 - knotd: insufficient module unloading if error
 - modules: some module hook registrations not checked for errors
 - mod-geoip: server crash if record owner missing in configuration file
 - libs: insufficient checks for malformed resource records (Thanks to Haruto Kimura)
 - redis: incorrect arity check and use-after-free in AOF (Thanks to Haruto Kimura)
 - redis: various issues when processing empty data
3.5.3
Features:
 - knotd: added statistics counter for failed zone update (see 'zone-update-error')
 - knotd: new D-Bus signal for zones not updated (see 'server.dbus-event')
 - knotc: optional parameter for delayed old KSK removal upon submission (see 'zone-ksk-submitted')
 - libs: added support for the RESINFO record type
Improvements:
 - knotd: zone inclusion deletes the whole subtree of glues and junk from the parent
 - knotd: supported unsigned input ZONEMD validation if enabled DNSSEC signing and ZONEMD generate
 - knotd: DNSSEC signing not required for key restore
 - knotd: increased defaults for 'database.timer-db-max-size' and 'database.kasp-db-max-size'
 - knotd: database connection pool is purged if reconfigured
 - knotd: removed shutdown delay if connected to a database
 - knotd: optimized memory trimming frequency for many zones
 - knotd: primary server sends NOTIFY after answering started, not sooner
 - redis: GnuTLS is not required to build the module alone !1809
 - libs: improved detection of PKCS #11 support !1830
 - libs: upgraded embedded libngtcp2 to 1.19.0
 - samples: added JSON support to probe_dump (Thanks to Benedikt Heine)
 - doc: extended and updated table of compatible PKCS #11 devices
Bugfixes:
 - knotd: DS push not replanned if reconfigured during DS submission
 - knotd: missing check for empty zone when flushing
 - knotd: missing catalog update clear if error
 - knotd: failed to parse database address without port specification
 - knotd: incorrect thread synchronization when dumping timers
 - knotd: server crashes when outbound QUIC connection is closed unexpectedly
 - knotd: zone not reloaded from database if not updated incrementally
 - knotd: UNIX socket path containing a single colon considered an IPv6 address
 - keymgr: program crashes when importing a malformed key
 - kdig: missing address context deinitialization when iterating over addresses
 - kdig: missing AA flag on NOTIFY query
3.5.2
Features:
 - knotd: configurable zone timer storage mode (see 'database.timer-db-sync')
 - libknot: added support for the DSYNC record type
 - redis: new module command for printing zone information (see 'KNOT.ZONE.INFO')
Improvements:
 - knotd: queries to a catalog zone are now allowed also for ACL rules with action 'query'
 - knotd: denied query to a catalog zone is responded to with NOTAUTH instead of REFUSED
 - knotd: existing PID file is reused if it matches current PID !1819
 - knotd: zone purge has its own zone event
 - knotd: optimized zone timer storage
 - knotd: optimized ACL evaluation
 - keymgr: added more algorithms to keystore-test and keystore-bench
 - mod-dnstap: added detection for protoc
 - libs: upgraded embedded libngtcp2 to 1.18.0
 - redis: added support for zone data replication
 - redis: extended logging
 - doc: various improvements
Bugfixes:
 - knotd: failed to receive zone with ZONEMD if enabled DNSSEC signing and ZONEMD generate
 - knotd: refresh with pinned master not rescheduled when tolerance period expired
 - knotd: failed to build with older libhiredis without TLS support
 - knotd: misleading error message when attempting to sign empty zone
 - mod-rrl: failed to compile if target architecture was specified
 - libknot: failed to dump RRSet if the initial output buffer was too small
 - libdnssec: missing digest.h in dnssec.h
 - redis: defective communication with sentinel
 - redis: failed zone load was not rescheduled
 - redis: several memory leaks
3.5.1
Features:
 - knotc: new command for setting zone SOA serial (see 'zone-serial-set')
Improvements:
 - knotd: zone database listen configuration now accepts a hostname value
 - knotd: support for specifying multiple zone databases (see 'zone-db-listen')
 - knotd: added serial parameter to D-Bus event 'external_verify'
 - libs: upgraded embedded libngtcp2 to 1.16.0
 - configure: new option for specifying Redis module destination (see '--with-redisdir')
 - configure: Redis support is fully optional (see '--enable-redis') (Thanks to Nicolas Parlant)
 - deb,rpm: renamed inappropriate package 'redis-knot' to 'redis-module-knot'
Bugfixes:
 - knotd: failed to build on PowerPC and MIPS
 - knotd: missing some checks for file operations
 - knotd: zones added via knotc conf-set include not loaded until restart
 - knotd: zone-diff after zone-begin prints misleading SOA removal
 - knotd: failed to load from other PEM keystores if PKCS #11 keystore is configured
 - knotd: failed to restore PKCS #11 keystore #960
 - knotc: failed to compile on GNU Hurd
 - keymgr: missing deprecation warning for 'local-serial' command
 - configure: linked with libhiredis even when configured with --disable-redis
 - deb,rpm: incorrect destination for Redis module (see 'Database zone backend')
3.5.0
Features:
 - knotd: database zone backend using Redis/Valkey (see 'Database zone backend')
 - knotd: support for multiple control sockets (see 'control.listen')
 - knotd: external zone validation (see 'External validation')
 - knotd: authorization based on certificate hostname validation (see 'DNS over QUIC')
 - knotd: multiple keystores can be specified per policy (see 'DNSSEC multiple keystores')
 - knotd: specified resource record types can be omitted when loading (see 'zone.zonefile-skip')
 - knotd: configurable delay before zone change processing (see 'zone.update-delay')
 - knotd: subzone flattening (see 'zone.include-from')
Improvements:
 - knotd: optimized dynamic zone addition/removal for many zones
 - knotd: optimized catalog updates for many zones
 - knotd: replaced a poor atomic fallback with a spin-lock-protected version
 - knotd: support for independent SOA serial series on the secondary side
 - knotd: self-signed certificate contains SAN instead of CN
 - knotd: removed RCU synchronization lock between unrelated zones' updates
 - knotd: zone-reload/reload fails if there is a module configuration error
 - knotd: control interfaces are started before zones loading
 - knotd: session ticket pool is purged on server reload if changed credentials
 - knotc: status returns 'Loading' if the server is not yet answering
 - knotc: extended tab completion for details, filters, and paths
 - kzonecheck: zone origin auto-detection uses SOA owner from the checked zone file
 - libknot: XDP drops packets with too many or inappropriate extended IPv6 headers
 - libknot: extended XDP checks for correct packets
 - libknot: semantically malformed resource records are dumped in generic format
 - libs: upgraded embedded libngtcp2 to 1.15.0
 - knot-exporter: less confusing option parsing and documentation
 - doc: various improvements
Bugfixes:
 - knotd: if multiple primaries send NOTIFY concurrently, only the last remote is queried
 - knotd: failed to build on macOS with POSIX semaphores
 - knotd: early zone free due to RCU-delayed update cleanup
 - knotd: server crashes if "" value overrides template master value
 - knot-exporter: label collisions caused by duplicate metrics (Thanks to Guillaume Cornet)
Packaging:
 - deb,rpm: keymgr extracted to a separate package knot-keymgr
 - deb,rpm: new package redis-knot with a Knot module for Redis/Valkey
 - docker: upgraded to Debian trixie-slim
Compatibility:
 - license: project relicensed to GPL-2.0-or-later
 - knotd: new default value of 'policy.nsec3-salt-length' is 0
 - knot-exporter: renamed some metrics, labels, or units (see 'Migration')
3.4.8
Features:
 - keymgr: implemented key pregeneration for later use (see 'for-later')
Improvements:
 - knotd: decreased remote session ticket lifetime to 1200 seconds
 - knotd: TCP connection is not shared between SOA and XFR if 'remote.no-edns' is set
 - knotd: 'zone.notify-delay' now applies to every outgoing NOTIFY
 - knotd: reduced timers database size by omitting zero timer values
 - knotd: zone-reload can be called on an expired zone
 - knotd: improved configuration commit performance when many zones are present
 - keymgr: allowed boolean key flags without an explicit 'on' value
 - keymgr: support for colon separators in keyid specification
 - utils: added INTERNET and CHAOS aliases for IN and CH class names
 - libs: upgraded embedded libngtcp2 to 1.14.0
 - doc: various improvements
Bugfixes:
 - knotd: possible use after free if member zone is reused when full reload
 - knotd: incorrect zone update revert adjustments
3.4.7
Features:
 - knotd: implemented optional NOTIFY delay upon zone loading (see 'zone.notify-delay')
 - knotd: failed ZONEMD validation emits 'dnssec-invalid' D-Bus event
 - kdig: added option for delayed reading of next transfer message (see '+msgdelay')
 - kzonecheck: new parameter for job count (see '-j')
Improvements:
 - knotd: semantic checks support DS algorithms 5 and 6
 - knotd: pending generation of reverse records is logged as warning
 - knotd: DNSKEY synchronization considers keytag modulo for better reliability
 - knotd: zone-(un)set parser errors no longer logged by the server
 - knotd: more verbose zone-(un)set parser errors are returned to the client
 - knotc: configuration warnings are printed only with the conf-check command
 - kdig: enabled TLS 1.2 support (with warning)
 - kdig: more verbose TLS/QUIC certificate information - SAN (see '-dd')
 - mod-rrl: disabled optimized KRU version on macOS to fix CPU issues
 - libknot: added two specific variants of KNOT_EAGAIN error (KNOT_NET_EAGAIN, KNOT_ETRYAGAIN)
 - libs: upgraded embedded libngtcp2 to 1.13.0
 - knot-exporter: added maximum libknot version dependency #956
 - knot-exporter: removed return statement from a finally block #957
 - packaging: new knot-exporter and python3-libknot RPM subpackages
 - doc: simplified highlighting of options enabled by default
 - doc: various improvements
Bugfixes:
 - knotd: false warning for missing glue if NS is at other delegation
 - knotd: missing rdata canonicalization in zone-(un)set operations
 - knotd: missing check for member zone configured with a non-generated catalog
 - knotd: benevolent IXFR skips whole rrset when ignoring a record
 - knotd: missing next remove key action log during KSK/algorithm rollover
 - knotd: missing catalog template configuration checks
 - knotd: missing check for empty QUIC connection in XDP mode
 - libknot: incorrect trailing rdata check in packet parser
 - kdig: ignored DoQ response from dnsdist #954
 - packaging: uninstalling lib*t64 packages removes files from upstream packages
3.4.6
Improvements:
 - knotd: default TSIG algorithm is now 'hmac-sha256'
 - knotd: added zone expiration info to the failed zone refresh log
 - knotd: reverse record generation now accepts multiple forward zones to be reversed
 - keymgr: underscores are now tolerated instead of dashes in command names
 - keymgr: correct mnemonic 'rsasha1-nsec3-sha1' is used instead of 'rsasha1nsec3sha1'
 - kdig: new '+[no]doflag' alias for '+[no]dnssec' #952
 - kdig: documented default option values #951
 - kxdpgun: extended JSON output with some packet statistics
 - doc: various updates and improvements
Bugfixes:
 - knotd: failed to stop the server if 'dbus-event: running' is set
 - knotd: TLS 0-RTT not working if compiled with the QUIC support
 - knotd: TLS handshake fails on FreeBSD
 - knotd: outbound QUIC communication fails on FreeBSD
 - knotd: KSK submission not ignored in the manual key management mode
 - knotd: failed to bind to a UNIX socket on recent Linux kernels
 - kzonecheck: failed to check non-trivial zones through standard input
3.4.5
Features:
 - knotd: support for SOA serial shift (see 'serial-modulo')
 - knotd: new server statistics (see 'tcp-io-timeout' and 'tcp-idle-timeout')
Improvements:
 - knotd: better signing performance of many zones in parallel by
          moving 'last_signed_serial' from KASP database to timer database
 - knotd: the 'terminated inactive client' TCP log moved to debug level
 - knotd: allowed initial DDNS to an empty zone
 - knotd: extended backup and flush argument checks
 - knotd: new debug logs for zone events suspension
 - libs: upgraded embedded libngtcp2 to 1.11.0
 - doc: new section Multi-primary, updates
Bugfixes:
 - libdnssec: inappropriate DNSKEY flags evaluation
 - libknot: incorrect VLAN map size calculation for XDP
3.4.4
Features:
 - knotd: added support for EDNS ZONEVERSION
 - kdig: added support for EDNS ZONEVERSION (see '+zoneversion')
Improvements:
 - knotd: improved control error detection and reporting
 - kdig: proper section names for exported DDNS messages
 - libs: upgraded embedded libngtcp2 to 1.10.0
 - python: expanded documentation for the libknot control API
 - doc: updated XDP prerequisites
Bugfixes:
 - knotd: a DNAME record at the zone apex with active NSEC3 not accepted via XFR
 - knotd: configuration abort times out if no active transaction
 - knotd: defective serial modulo result if it overflows
 - knotd: TLS connections not properly terminated
 - knotd: maximum zone TTL not correctly recomputed after RRSIG TTL change
 - knotd: zone hangs if zone reload fails (Thanks to solidcc2)
 - knotd: statistics dump generates invalid YAML output if XDP is enabled #947
 - knotd: insufficient check for incomplete control message
 - mod-dnstap: used incorrect type for DDNS messages
 - knot-exporter: failed to run with Python 3.11 or older
 - tests: test_atomic and test_spinlock require building with the daemon enabled #946
3.4.3
Improvements:
 - knotd: improved processing of QNAMEs containing zero bytes
 - knotd: zone expiration now aborts possible zone control transaction #929
 - knotd: generated catalog member metadata is stored when the zone is loaded
 - knotd: new configuration check for using default NSEC3 salt length, which will change
 - mod-rrl: added QNAME (if possible) and transport protocol to log messages
 - mod-rrl: increased defaults for 'log-period' to 30 secs, 'rate-limit' to 50,
            'instant-rate-limit' to 125, and 'time-rate-limit' to 5 ms
 - kxdpgun: added space separators to some printed values for better readability
 - libs: upgraded embedded libngtcp2 to 1.9.1
 - knot-exporter: zone timers metric is now disabled by default (see '--zone-timers')
 - packaging: added build dependency softhsm for PKCS #11 testing on RPM distributions
 - doc: updated description of DNSSEC key management and module RRL
Bugfixes:
 - knotd: more active ZSKs cause cumulative ZSK rollovers
 - knotd: zone purge clears active generated catalog member metadata
 - mod-rrl: authorized requests are rate limited #943
 - kdig: misleading warning about timeout during QUIC connection
 - keymgr: public-only keys are marked as missing in the list output

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/knot |  8 ++++----
 lfs/knot                     | 20 ++++++++++----------
 2 files changed, 14 insertions(+), 14 deletions(-)

Patch

diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot
index 5d0ab19d3..fdca132f8 100644
--- a/config/rootfiles/common/knot
+++ b/config/rootfiles/common/knot
@@ -4,12 +4,12 @@  usr/bin/kdig
 #usr/lib/libdnssec.la
 #usr/lib/libdnssec.lai
 #usr/lib/libdnssec.so
-usr/lib/libdnssec.so.9
-usr/lib/libdnssec.so.9.0.0
+usr/lib/libdnssec.so.10
+usr/lib/libdnssec.so.10.0.0
 #usr/lib/libknot.la
 #usr/lib/libknot.lai
 #usr/lib/libknot.so
-usr/lib/libknot.so.15
-usr/lib/libknot.so.15.0.0
+usr/lib/libknot.so.16
+usr/lib/libknot.so.16.0.0
 #usr/lib/libknotus.a
 #usr/lib/libknotus.la
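Review bot: both shared libraries change soname here (libdnssec.so.9 -> .so.10, libknot.so.15 -> .so.16), so any other IPFire package that links against libknot or libdnssec must be rebuilt against the new sonames or it will fail to load at runtime; the commit message says find-dependencies was run with no issues, but it would help to state in the message which consumers were checked (or that none exist besides kdig) so a later reviewer can verify the sobump was safe. The old .so.9/.so.15 files are dropped from the rootfile, so a stale consumer would not be caught by the package itself.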
diff --git a/lfs/knot b/lfs/knot
index 6645c7be5..63bb5d264 100644
--- a/lfs/knot
+++ b/lfs/knot
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 3.4.2
+VER        = 3.5.4
 
 THISAPP    = knot-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
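Review bot: jumping from 3.4.2 straight to 3.5.4 crosses the 3.5.0 release, whose changelog in the commit message carries a 'Compatibility' section (relicensing to GPL-2.0-or-later, new default for 'policy.nsec3-salt-length', renamed knot-exporter metrics); the build here only ships kdig and the libraries, so the daemon-side defaults do not apply, but the license change is worth a line in the commit message since it affects the package metadata.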
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 0b633b27b22665db243bc4222f05028a17ee7ec6ba5960ff1cfe503d27bf3d26218f771cb15b70bbf8782898bcc7748bd5c27d55747607a1d93f784cdadddad7
+$(DL_FILE)_BLAKE2 = ddd7b2fdcc2fbd23c3ff3173026883bae4b068eac7b076a641353a0c2f13b525914c6d8df3ea41b339667c28f4f5e70486b51fc7b6eee2de7bdf648b3ec2d3c8
 
 install : $(TARGET)
 
@@ -74,13 +74,13 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && ./configure \
-		--prefix=/usr \
-		--enable-static=no \
-		--disable-fastparser \
-		--disable-daemon \
-		--disable-modules \
-		--enable-maxminddb=no \
-		--disable-documentation
+				--prefix=/usr \
+				--enable-static=no \
+				--disable-fastparser \
+				--disable-daemon \
+				--disable-modules \
+				--enable-maxminddb=no \
+				--disable-documentation
 	cd $(DIR_APP)/src && make $(MAKETUNING) kdig
 	cd $(DIR_APP)/src/.libs && cp -av kdig /usr/bin
 	cd $(DIR_APP)/src/.libs && cp -av lib* /usr/lib
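Review bot: the configure block is re-indented from one tab to three tabs with no change to the options themselves, which is pure whitespace noise in a version-bump patch; either keep the original indentation or mention the style change in the commit message so it is not mistaken for an options change. Note also that the build still passes --disable-daemon --disable-modules and installs only kdig and lib*, so of the security-relevant bugfixes quoted in the changelog only the library and kdig ones (for example 'libs: insufficient checks for malformed resource records' and 'libknot: incorrect trailing rdata check in packet parser') affect this package; the knotd, mod-onlinesign, mod-geoip and redis crash fixes are not compiled in here.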