From patchwork Tue Apr 28 12:11:07 2026
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9745
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] knot: Update to version 3.5.4
Date: Tue, 28 Apr 2026 14:11:07 +0200
Message-ID: <20260428121111.1146161-7-adolf.belka@ipfire.org>
In-Reply-To: <20260428121111.1146161-1-adolf.belka@ipfire.org>
References: <20260428121111.1146161-1-adolf.belka@ipfire.org>

- Update from 3.4.2 to 3.5.4
- Update of rootfile
- find-dependencies run due to sobump. No issues identified.
- Changelog
    3.5.4
    Features:
    - knotd: configurable ZERO-COPY XDP mode (see 'xdp.zero-copy')
    - mod-dnserr: module for DNS error reporting
    Improvements:
    - knotd: 'zone-update-error' statistic counter covers more situations
    - knotd: 'zone.catalog-zone' configuration option is ignored if not needed
    - knotd: dynamic reconfiguration logs item value in debug mode
    - knotd: memory optimizations when reloading a zone file
    - knotd: improved interoperability with Bind9 Offline KSK operations
    - knotd: improved performance of updated zone check
    - knotd: increased maximum configuration database reader limit by 3
    - knotd: new warning logs if primaries are outdated during zone refresh
    - kxdpgun: JSON output is stream of newline-delimited objects instead of a list
    - kxdpgun: extended throughput statistics
    - libs: support for loading private ALIAS record type
    - libs: upgraded embedded libngtcp2 to 1.22.0
    - debian: switched to sysusers.d and tmpfiles.d configurations (Thanks to Luca Boccassi)
    - doc: various improvements
    Bugfixes:
    - mod-onlinesign: incorrect next NSEC owner name leading to a DoS (Thanks to Shang Kunjie)
    - knotd: server crash upon receiving a malformed resource record over XFR (Thanks to Haruto Kimura)
    - knotd: generated catalog not updated if reconfigured without server restart
    - knotd: some cross-zone reconfigurations not handled correctly
    - knotd: configuration control transaction not recoverable after a semantic error
    - knotd: zone loaded from Redis backend incrementally for non-continuous changes
    - knotd: server crash when accessing an HSM in parallel by multiple background workers
    - knotd: insufficient module unloading if error
    - modules: some module hook registrations not checked for errors
    - mod-geoip: server crash if record owner missing in configuration file
    - libs: insufficient checks for malformed resource records (Thanks to Haruto Kimura)
    - redis: incorrect arity check and use-after-free in AOF (Thanks to Haruto Kimura)
    - redis: various issues when processing empty data
    3.5.3
    Features:
    - knotd: added statistics counter for failed zone update (see 'zone-update-error')
    - knotd: new D-Bus signal for zones not updated (see 'server.dbus-event')
    - knotc: optional parameter for delayed old KSK removal upon submission (see 'zone-ksk-submitted')
    - libs: added support for the RESINFO record type
    Improvements:
    - knotd: zone inclusion deletes the whole subtree of glues and junk from the parent
    - knotd: supported unsigned input ZONEMD validation if enabled DNSSEC signing and ZONEMD generate
    - knotd: DNSSEC signing not required for key restore
    - knotd: increased defaults for 'database.timer-db-max-size' and 'database.kasp-db-max-size'
    - knotd: database connection pool is purged if reconfigured
    - knotd: removed shutdown delay if connected to a database
    - knotd: optimized memory trimming frequency for many zones
    - knotd: primary server sends NOTIFY after answering started, not sooner
    - redis: GnuTLS is not required to build the module alone !1809
    - libs: improved detection of PKCS #11 support !1830
    - libs: upgraded embedded libngtcp2 to 1.19.0
    - samples: added JSON support to probe_dump (Thanks to Benedikt Heine)
    - doc: extended and updated table of compatible PKCS #11 devices
    Bugfixes:
    - knotd: DS push not replanned if reconfigured during DS submission
    - knotd: missing check for empty zone when flushing
    - knotd: missing catalog update clear if error
    - knotd: failed to parse database address without port specification
    - knotd: incorrect thread synchronization when dumping timers
    - knotd: server crashes when outbound QUIC connection is closed unexpectedly
    - knotd: zone not reloaded from database if not updated incrementally
    - knotd: UNIX socket path containing a single colon considered an IPv6 address
    - keymgr: program crashes when importing a malformed key
    - kdig: missing address context deinitialization when iterating over addresses
    - kdig: missing AA flag on NOTIFY query
    3.5.2
    Features:
    - knotd: configurable zone timer storage mode (see 'database.timer-db-sync')
    - libknot: added support for the DSYNC record type
    - redis: new module command for printing zone information (see 'KNOT.ZONE.INFO')
    Improvements:
    - knotd: queries to a catalog zone are now allowed also for ACL rules with action 'query'
    - knotd: denied query to a catalog zone is responded to with NOTAUTH instead of REFUSED
    - knotd: existing PID file is reused if it matches current PID !1819
    - knotd: zone purge has its own zone event
    - knotd: optimized zone timer storage
    - knotd: optimized ACL evaluation
    - keymgr: added more algorithms to keystore-test and keystore-bench
    - mod-dnstap: added detection for protoc
    - libs: upgraded embedded libngtcp2 to 1.18.0
    - redis: added support for zone data replication
    - redis: extended logging
    - doc: various improvements
    Bugfixes:
    - knotd: failed to receive zone with ZONEMD if enabled DNSSEC signing and ZONEMD generate
    - knotd: refresh with pinned master not rescheduled when tolerance period expired
    - knotd: failed to build with older libhiredis without TLS support
    - knotd: misleading error message when attempting to sign empty zone
    - mod-rrl: failed to compile if target architecture was specified
    - libknot: failed to dump RRSet if the initial output buffer was too small
    - libdnssec: missing digest.h in dnssec.h
    - redis: defective communication with sentinel
    - redis: failed zone load was not rescheduled
    - redis: several memory leaks
    3.5.1
    Features:
    - knotc: new command for setting zone SOA serial (see 'zone-serial-set')
    Improvements:
    - knotd: zone database listen configuration now accepts a hostname value
    - knotd: support for specifying multiple zone databases (see 'zone-db-listen')
    - knotd: added serial parameter to D-Bus event 'external_verify'
    - libs: upgraded embedded libngtcp2 to 1.16.0
    - configure: new option for specifying Redis module destination (see '--with-redisdir')
    - configure: Redis support is fully optional (see '--enable-redis') (Thanks to Nicolas Parlant)
    - deb,rpm: renamed inappropriate package 'redis-knot' to 'redis-module-knot'
    Bugfixes:
    - knotd: failed to build on PowerPC and MIPS
    - knotd: missing some checks for file operations
    - knotd: zones added via knotc conf-set include not loaded until restart
    - knotd: zone-diff after zone-begin prints misleading SOA removal
    - knotd: failed to load from other PEM keystores if PKCS #11 keystore is configured
    - knotd: failed to restore PKCS #11 keystore #960
    - knotc: failed to compile on GNU Hurd
    - keymgr: missing deprecation warning for 'local-serial' command
    - configure: linked with libhiredis even when configured with --disable-redis
    - deb,rpm: incorrect destination for Redis module (see 'Database zone backend')
    3.5.0
    Features:
    - knotd: database zone backend using Redis/Valkey (see 'Database zone backend')
    - knotd: support for multiple control sockets (see 'control.listen')
    - knotd: external zone validation (see 'External validation')
    - knotd: authorization based on certificate hostname validation (see 'DNS over QUIC')
    - knotd: multiple keystores can be specified per policy (see 'DNSSEC multiple keystores')
    - knotd: specified resource record types can be omitted when loading (see 'zone.zonefile-skip')
    - knotd: configurable delay before zone change processing (see 'zone.update-delay')
    - knotd: subzone flattening (see 'zone.include-from')
    Improvements:
    - knotd: optimized dynamic zone addition/removal for many zones
    - knotd: optimized catalog updates for many zones
    - knotd: replaced a poor atomic fallback with a spin-lock-protected version
    - knotd: support for independent SOA serial series on the secondary side
    - knotd: self-signed certificate contains SAN instead of CN
    - knotd: removed RCU synchronization lock between unrelated zones' updates
    - knotd: zone-reload/reload fails if there is a module configuration error
    - knotd: control interfaces are started before zones loading
    - knotd: session ticket pool is purged on server reload if changed credentials
    - knotc: status returns 'Loading' if the server is not yet answering
    - knotc: extended tab completion for details, filters, and paths
    - kzonecheck: zone origin auto-detection uses SOA owner from the checked zone file
    - libknot: XDP drops packets with too many or inappropriate extended IPv6 headers
    - libknot: extended XDP checks for correct packets
    - libknot: semantically malformed resource records are dumped in generic format
    - libs: upgraded embedded libngtcp2 to 1.15.0
    - knot-exporter: less confusing option parsing and documentation
    - doc: various improvements
    Bugfixes:
    - knotd: if multiple primaries send NOTIFY concurrently, only the last remote is queried
    - knotd: failed to build on macOS with POSIX semaphores
    - knotd: early zone free due to RCU-delayed update cleanup
    - knotd: server crashes if "" value overrides template master value
    - knot-exporter: label collisions caused by duplicate metrics (Thanks to Guillaume Cornet)
    Packaging:
    - deb,rpm: keymgr extracted to a separate package knot-keymgr
    - deb,rpm: new package redis-knot with a Knot module for Redis/Valkey
    - docker: upgraded to Debian trixie-slim
    Compatibility:
    - license: project relicensed to GPL-2.0-or-later
    - knotd: new default value of 'policy.nsec3-salt-length' is 0
    - knot-exporter: renamed some metrics, labels, or units (see 'Migration')
    3.4.8
    Features:
    - keymgr: implemented key pregeneration for later use (see 'for-later')
    Improvements:
    - knotd: decreased remote session ticket lifetime to 1200 seconds
    - knotd: TCP connection is not shared between SOA and XFR if 'remote.no-edns' is set
    - knotd: 'zone.notify-delay' now applies to every outgoing NOTIFY
    - knotd: reduced timers database size by omitting zero timer values
    - knotd: zone-reload can be called on an expired zone
    - knotd: improved configuration commit performance when many zones are present
    - keymgr: allowed boolean key flags without an explicit 'on' value
    - keymgr: support for colon separators in keyid specification
    - utils: added INTERNET and CHAOS aliases for IN and CH class names
    - libs: upgraded embedded libngtcp2 to 1.14.0
    - doc: various improvements
    Bugfixes:
    - knotd: possible use after free if member zone is reused when full reload
    - knotd: incorrect zone update revert adjustments
    3.4.7
    Features:
    - knotd: implemented optional NOTIFY delay upon zone loading (see 'zone.notify-delay')
    - knotd: failed ZONEMD validation emits 'dnssec-invalid' D-Bus event
    - kdig: added option for delayed reading of next transfer message (see '+msgdelay')
    - kzonecheck: new parameter for job count (see '-j')
    Improvements:
    - knotd: semantic checks support DS algorithms 5 and 6
    - knotd: pending generation of reverse records is logged as warning
    - knotd: DNSKEY synchronization considers keytag modulo for better reliability
    - knotd: zone-(un)set parser errors no longer logged by the server
    - knotd: more verbose zone-(un)set parser errors are returned to the client
    - knotc: configuration warnings are printed only with the conf-check command
    - kdig: enabled TLS 1.2 support (with warning)
    - kdig: more verbose TLS/QUIC certificate information - SAN (see '-dd')
    - mod-rrl: disabled optimized KRU version on macOS to fix CPU issues
    - libknot: added two specific variants of KNOT_EAGAIN error (KNOT_NET_EAGAIN, KNOT_ETRYAGAIN)
    - libs: upgraded embedded libngtcp2 to 1.13.0
    - knot-exporter: added maximum libknot version dependency #956
    - knot-exporter: removed return statement from a finally block #957
    - packaging: new knot-exporter and python3-libknot RPM subpackages
    - doc: simplified highlighting of options enabled by default
    - doc: various improvements
    Bugfixes:
    - knotd: false warning for missing glue if NS is at other delegation
    - knotd: missing rdata canonicalization in zone-(un)set operations
    - knotd: missing check for member zone configured with a non-generated catalog
    - knotd: benevolent IXFR skips whole rrset when ignoring a record
    - knotd: missing next remove key action log during KSK/algorithm rollover
    - knotd: missing catalog template configuration checks
    - knotd: missing check for empty QUIC connection in XDP mode
    - libknot: incorrect trailing rdata check in packet parser
    - kdig: ignored DoQ response from dnsdist #954
    - packaging: uninstalling lib*t64 packages removes files from upstream packages
    3.4.6
    Improvements:
    - knotd: default TSIG algorithm is now 'hmac-sha256'
    - knotd: added zone expiration info to the failed zone refresh log
    - knotd: reverse record generation now accepts multiple forward zones to be reversed
    - keymgr: underscores are now tolerated instead of dashes in command names
    - keymgr: correct mnemonic 'rsasha1-nsec3-sha1' is used instead of 'rsasha1nsec3sha1'
    - kdig: new '+[no]doflag' alias for '+[no]dnssec' #952
    - kdig: documented default option values #951
    - kxdpgun: extended JSON output with some packet statistics
    - doc: various updates and improvements
    Bugfixes:
    - knotd: failed to stop the server if 'dbus-event: running' is set
    - knotd: TLS 0-RTT not working if compiled with the QUIC support
    - knotd: TLS handshake fails on FreeBSD
    - knotd: outbound QUIC communication fails on FreeBSD
    - knotd: KSK submission not ignored in the manual key management mode
    - knotd: failed to bind to a UNIX socket on recent Linux kernels
    - kzonecheck: failed to check non-trivial zones through standard input
    3.4.5
    Features:
    - knotd: support for SOA serial shift (see 'serial-modulo')
    - knotd: new server statistics (see 'tcp-io-timeout' and 'tcp-idle-timeout')
    Improvements:
    - knotd: better signing performance of many zones in parallel by moving 'last_signed_serial' from KASP database to timer database
    - knotd: the 'terminated inactive client' TCP log moved to debug level
    - knotd: allowed initial DDNS to an empty zone
    - knotd: extended backup and flush argument checks
    - knotd: new debug logs for zone events suspension
    - libs: upgraded embedded libngtcp2 to 1.11.0
    - doc: new section Multi-primary, updates
    Bugfixes:
    - libdnssec: inappropriate DNSKEY flags evaluation
    - libknot: incorrect VLAN map size calculation for XDP
    3.4.4
    Features:
    - knotd: added support for EDNS ZONEVERSION
    - kdig: added support for EDNS ZONEVERSION (see '+zoneversion')
    Improvements:
    - knotd: improved control error detection and reporting
    - kdig: proper section names for exported DDNS messages
    - libs: upgraded embedded libngtcp2 to 1.10.0
    - python: expanded documentation for the libknot control API
    - doc: updated XDP prerequisites
    Bugfixes:
    - knotd: a DNAME record at the zone apex with active NSEC3 not accepted via XFR
    - knotd: configuration abort times out if no active transaction
    - knotd: defective serial modulo result if it overflows
    - knotd: TLS connections not properly terminated
    - knotd: maximum zone TTL not correctly recomputed after RRSIG TTL change
    - knotd: zone hangs if zone reload fails (Thanks to solidcc2)
    - knotd: statistics dump generates invalid YAML output if XDP is enabled #947
    - knotd: insufficient check for incomplete control message
    - mod-dnstap: used incorrect type for DDNS messages
    - knot-exporter: failed to run with Python 3.11 or older
    - tests: test_atomic and test_spinlock require building with the daemon enabled #946
    3.4.3
    Improvements:
    - knotd: improved processing of QNAMEs containing zero bytes
    - knotd: zone expiration now aborts possible zone control transaction #929
    - knotd: generated catalog member metadata is stored when the zone is loaded
    - knotd: new configuration check for using default NSEC3 salt length, which will change
    - mod-rrl: added QNAME (if possible) and transport protocol to log messages
    - mod-rrl: increased defaults for 'log-period' to 30 secs, 'rate-limit' to 50, 'instant-rate-limit' to 125, and 'time-rate-limit' to 5 ms
    - kxdpgun: added space separators to some printed values for better readability
    - libs: upgraded embedded libngtcp2 to 1.9.1
    - knot-exporter: zone timers metric is now disabled by default (see '--zone-timers')
    - packaging: added build dependency softhsm for PKCS #11 testing on RPM distributions
    - doc: updated description of DNSSEC key management and module RRL
    Bugfixes:
    - knotd: more active ZSKs cause cumulative ZSK rollovers
    - knotd: zone purge clears active generated catalog member metadata
    - mod-rrl: authorized requests are rate limited #943
    - kdig: misleading warning about timeout during QUIC connection
    - keymgr: public-only keys are marked as missing in the list output

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/knot |  8 ++++----
 lfs/knot                     | 20 ++++++++++----------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot index 5d0ab19d3..fdca132f8 100644 --- a/config/rootfiles/common/knot +++ b/config/rootfiles/common/knot @@ -4,12 +4,12 @@ usr/bin/kdig #usr/lib/libdnssec.la #usr/lib/libdnssec.lai #usr/lib/libdnssec.so -usr/lib/libdnssec.so.9 -usr/lib/libdnssec.so.9.0.0 +usr/lib/libdnssec.so.10 +usr/lib/libdnssec.so.10.0.0 #usr/lib/libknot.la #usr/lib/libknot.lai #usr/lib/libknot.so -usr/lib/libknot.so.15 -usr/lib/libknot.so.15.0.0 +usr/lib/libknot.so.16 +usr/lib/libknot.so.16.0.0 #usr/lib/libknotus.a #usr/lib/libknotus.la diff --git a/lfs/knot b/lfs/knot index 6645c7be5..63bb5d264 100644 --- a/lfs/knot +++ b/lfs/knot 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 3.4.2 +VER = 3.5.4 THISAPP = knot-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 0b633b27b22665db243bc4222f05028a17ee7ec6ba5960ff1cfe503d27bf3d26218f771cb15b70bbf8782898bcc7748bd5c27d55747607a1d93f784cdadddad7 +$(DL_FILE)_BLAKE2 = ddd7b2fdcc2fbd23c3ff3173026883bae4b068eac7b076a641353a0c2f13b525914c6d8df3ea41b339667c28f4f5e70486b51fc7b6eee2de7bdf648b3ec2d3c8 install : $(TARGET) @@ -74,13 +74,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --enable-static=no \ - --disable-fastparser \ - --disable-daemon \ - --disable-modules \ - --enable-maxminddb=no \ - --disable-documentation + --prefix=/usr \ + --enable-static=no \ + --disable-fastparser \ + --disable-daemon \ + --disable-modules \ + --enable-maxminddb=no \ + --disable-documentation cd $(DIR_APP)/src && make $(MAKETUNING) kdig cd $(DIR_APP)/src/.libs && cp -av kdig /usr/bin cd $(DIR_APP)/src/.libs && cp -av lib* /usr/lib
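Review bot: in the config/rootfiles/common/knot hunk (@@ -4,12 +4,12 @@) the soname bumps from libdnssec.so.9 to .so.10 and libknot.so.15 to .so.16 are tracked, but nothing in the patch removes the stale libdnssec.so.9* and libknot.so.15* files already present under /usr/lib on an upgraded system, and the lfs/knot install step copies with `cp -av lib* /usr/lib` rather than cleaning first; please confirm the rootfile-driven update removes the old sonames so an orphaned libknot.so.15 cannot linger on installed systems. The commit message notes find-dependencies found no consumers, so this is file hygiene rather than a breakage.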
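Review bot: the @@ -40,7 +40,7 @@ hunk in lfs/knot replaces the tarball BLAKE2 digest, but the commit message does not say how the new value was obtained; please state that it was checked against the checksum or signature upstream publishes for the knot-3.5.4 release rather than computed from the fetched file alone, since a digest taken only from the download pins the build to that file without establishing that it is the genuine upstream tarball.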
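Review bot: the @@ -74,13 +74,13 @@ hunk in lfs/knot removes and re-adds the seven configure arguments (`--prefix=/usr` through `--disable-documentation`) with identical text, so it is a whitespace-only indentation change; either leave it out of a version-bump patch or mention the indentation clean-up in the commit message so a reader does not hunt for a changed build option. The options themselves (kdig-only build with --disable-daemon and --disable-modules) are unchanged, which is consistent with the rootfile shipping only kdig and the libraries.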