"Fossies" - the Fresh Open Source Software Archive

Member "knot-2.9.2/NEWS" (12 Dec 2019, 64274 Bytes) of package /linux/misc/dns/knot-2.9.2.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "NEWS": 2.9.1_vs_2.9.2.

    1 Knot DNS 2.9.2 (2019-12-12)
    2 ===========================
    3 
    4 Improvements:
    5 -------------
    6  - Tiny ds-check log message rewording
    7  - Some unnecessary code cleanup
    8 
    9 Bugfixes:
   10 ---------
   11  - ds-push doesn't replace the DS RRset on the parent #661
   12  - Server gets stuck in a never-ending logging loop when changing SOA TTL
   13  - Server can crash when the journal database size limit is reached
   14  - Server can create a bogus changeset with equal serials from and to
   15  - Unreasonable re-signing of the NSEC3PARAM record when reloading the zone
   16    and 'zonefile-load: difference-no-serial' is configured
   17  - SOA RRSIG not updated if the only changed record is SOA
   18  - Failed to remove NSEC3 records through the control interface #666
   19  - Failed to stop the server if a zone transaction is active
   20 
   21 Knot DNS 2.9.1 (2019-11-11)
   22 ===========================
   23 
   24 Features:
   25 ---------
   26  - New option for OCSP stapling '+[no]tls-ocsp-stapling[=H]' in kdig (Thanks to Alexander Schultz)
   27 
   28 Improvements:
   29 -------------
   30  - Kdig always randomizes source TCP port on recent Linux #575
   31  - Server no longer warns about disabled zone file synchronization during shutdown
   32  - Zone loading stops if failed to load zone from the journal
   33  - Speed-up of insertion to big RRSets
   34  - Various code and documentation improvements
   35 
   36 Bugfixes:
   37 ---------
   38  - Failed to apply journal changes after upgrade #659
   39  - Failed to finish zone loading if journal changeset serials from and to are equal
   40  - Incorrect handling of 0 value for 'tcp-io-timeout' and 'tcp-remote-io-timeout' configuration
   41  - Server can crash if zone transaction is open during zone update
   42  - NSEC3 chain not fully updated if NSEC3 salt changes during zone update
   43  - Server can crash when flushing zone to a specified directory
   44  - Server can respond incorrect NSEC3 records after NSEC3 salt change
   45  - Delegation glue records not updated after specific zone change
   46 
   47 Knot DNS 2.9.0 (2019-10-10)
   48 ===========================
   49 
   50 Features:
   51 ---------
   52  - Full support for different master/slave serial arithmetics when on-slave signing
   53  - Module geoip newly supports wildcard records #650
   54  - New DNSSEC policy configuration option 'rrsig-pre-refresh' for reducing
   55    frequency of the zone signing event
   56  - New server configuration option 'tcp-reuseport' for setting SO_REUSEPORT(_LB)
   57    mode on TCP sockets
   58  - New server configuration option 'tcp-io-timeout' [ms] for restricting inbound
   59    IO operations over TCP #474
   60 
   61 Improvements:
   62 -------------
   63  - Significant speed-up of zone contents modifications
   64  - Avoided double zone signing during CSK rollovers
   65  - Self-created RRSIGs are not cryptographically verified if not necessary
   66  - Zone journal can store two changesets if zone file difference computing
   67    and DNSSEC signing are enabled. The first one containing the difference of
   68    zone history needed by slave servers, the second one containing the difference
   69    between zone file and zone needed for server restart
   70  - Universal and more robust memory clearing
   71  - More precise socket timeout handling
   72  - New notice log message for configuration changes requiring server restart
   73  - Module RRL logs both trigger source address and affected subnet
   74  - Various code (especially zone and TCP processing) and documentation improvements
   75 
   76 Bugfixes:
   77 ---------
   78  - RRSIGs are wrongly checked for inconsistent RRSet TTLs during zone update
   79  - DS check/push warnings after disabled DNSSEC signing
   80  - NSEC3 records not accessible through control interface
   81  - Module geoip doesn't accept underscore character in dname specification #655
   82 
   83 Compatibility:
   84 --------------
   85  - Removed runtime reconfiguration of network workers and interfaces since
   86    it was imperfect and also couldn't work after dropped process privileges
   87  - Removed inaccurate and misleading knotc command 'zone-memstats' because
   88    memory consumption varies during zone modifications or transfers
   89  - Removed useless 'zone.request-edns-option' configuration option
   90  - Reimplemented DNS Cookies to be interoperable (based on draft-ietf-dnsop-server-cookies
   91    and work by Witold Kręcicki)
   92  - Default limit on TCP clients is auto-configured to one half of the file
   93    descriptor limit for the server process
   94  - Number of open files limit is set to 1048576 in upstream packages
   95  - Default number of TCP workers is equal to the number of online CPUs or at least 10
   96  - Default EDNS buffer size is 1232 for both IPv4 and IPv6
   97  - Removed 'tcp-handshake-timeout' server configuration option
   98  - Some configuration options were renamed and possibly moved. Old names will
   99    be supported at least until next major release:
  100     - 'server.tcp-reply-timeout' [s] to 'server.tcp-remote-io-timeout' [ms]
  101     - 'server.max-tcp-clients'       to 'server.tcp-max-clients'
  102     - 'server.max-udp-payload'       to 'server.udp-max-payload'
  103     - 'server.max-ipv4-udp-payload'  to 'server.udp-max-payload-ipv4'
  104     - 'server.max-ipv6-udp-payload'  to 'server.udp-max-payload-ipv6'
  105     - 'template.journal-db'          to 'database.journal-db'
  106     - 'template.journal-db-mode'     to 'database.journal-db-mode'
  107     - 'template.max-journal-db-size' to 'database.journal-db-max-size'
  108     - 'template.kasp-db'             to 'database.kasp-db'
  109     - 'template.max-kasp-db-size'    to 'database.kasp-db-max-size'
  110     - 'template.timer-db'            to 'database.timer-db'
  111     - 'template.max-timer-db-size'   to 'database.timer-db-max-size'
  112     - 'zone.max-journal-usage'       to 'zone.journal-max-usage'
  113     - 'zone.max-journal-depth'       to 'zone.journal-max-depth'
  114     - 'zone.max-zone-size'           to 'zone.zone-max-size'
  115     - 'zone.max-refresh-interval'    to 'zone.refresh-max-interval'
  116     - 'zone.min-refresh-interval'    to 'zone.refresh-min-interval'
  117 
  118 Knot DNS 2.8.4 (2019-09-24)
  119 ===========================
  120 
  121 Features:
  122 ---------
  123  - Automatic uploading of DS records to parent zone using DDNS,
  124    see 'policy.ds-push' configuration option
  125 
  126 Improvements:
  127 -------------
  128  - Incoming IXFR no longer falls back to AXFR if connection error #642
  129  - More accurate semantic checks for missing glue records
  130  - Various code and documentation improvements
  131 
  132 Bugfixes:
  133 ---------
  134  - Failed to read/export configuration if 'acl.update-type' is set #651
  135  - Failed to generate initial zero-length salt
  136  - Missing error log for invalid rrtype input to dynamic configuration #652
  137  - Missing error log when AXFR processing fails to store zone data
  138  - Redundant notice log about unavailable persistent configuration DB
  139  - Zone not flushed after retransfer if SOA serial not changed
  140  - Zone contents not properly fixed during zone transfers
  141  - No changeset created for updated rrset's TTL if changed by RR addition
  142 
  143 Knot DNS 2.8.3 (2019-07-16)
  144 ===========================
  145 
  146 Features:
  147 ---------
  148  - Added cert/key file configuration for TLS in kdig (Thanks to Alexander Schultz)
  149 
  150 Improvements:
  151 -------------
  152  - More verbose log message for offline-KSK signing
  153  - Module RRL logs affected source address subnet instead of only one source address
  154  - Extended DNSSEC policy configuration checks
  155  - Various improvements in the documentation
  156 
  157 Bugfixes:
  158 ---------
  159  - Excessive server load when maximum TCP clients limit is reached
  160  - Incorrect reply after zone update with a node changed from non-authoritative to delegation
  161  - Wrong error line number in a config file if it contains leading tab character
  162  - Config file error message contains unrelated parsing context
  163  - NSEC3 salt not updated when reconfigured to zero length
  164  - Kjournalprint sometimes prints a random value for per-zone occupation
  165  - Missing debug log for failed zone refresh triggered by zone notification
  166  - DS check not scheduled when reconfigured
  167  - Broken unit test on NetBSD 8.x
  168 
  169 Knot DNS 2.8.2 (2019-06-05)
  170 ===========================
  171 
  172 Features:
  173 ---------
  174  - New blocking mode for zone event triggers in knotc
  175  - New weighted records mode in the module geoip (Thanks to Conrad Hoffmann)
  176  - Module noudp allows UDP allow rate configuration
  177 
  178 Improvements:
  179 -------------
  180  - NSEC3 salt lifetime can be set to infinity
  181  - New 'running' zone event status in the knotc output
  182  - Knotc in the forced mode returns failure also if zone check emits any warning
  183  - Ignoring PMTU information for IPv4/UDP via IP_PMTUDISC_OMIT (Thanks to Daisuke Higashi)
  184  - Various improvements in the documentation
  185 
  186 Bugfixes:
  187 ---------
  188  - Broken setting of CPU affinity for UDP workers
  189  - Unexpected results with the geoip subnet mode
  190  - Sometimes insufficient zone adjusting
  191  - Incoherent DNSKEY RRSIG lifetimes in SKR
  192  - Confusing output from keymgr if an error occurs during KSR generation
  193  - Non-functional changeset history depth limitation in kjournalprint
  194  - Wrong processing of multiple $INCLUDE directives #646
  195 
  196 Knot DNS 2.8.1 (2019-04-09)
  197 ===========================
  198 
  199 Improvements:
  200 -------------
  201  - Possible zone transaction is aborted by zone events to avoid inconsistency
  202  - Added log message if no persistent config DB is available during 'conf-begin'
  203  - New environment setting 'KNOT_VERSION_FORMAT=release' for extended version suppression
  204  - Various improvements in the documentation
  205 
  206 Bugfixes:
  207 ---------
  208  - Broken NSEC3-wildcard-nonexistence proof after NSEC3 re-salt
  209  - Glue records under delegation are sometimes signed
  210  - RRL doesn't work correctly on big-endian architectures
  211  - NSEC3 not re-salted during AXFR refresh
  212  - Failed to sign new zone contents if added dynamically #641
  213  - NSEC3 opt-out signing doesn't work in some cases
  214  - Broken NSEC3 chain after adding new sub-delegations
  215  - Redundant SOA RRSIG on slave if RRSIG TTL changed on master
  216  - Sometimes confusing log error message for NOTIFY event
  217  - Improper include for LMDB #638
  218 
  219 Knot DNS 2.8.0 (2019-03-05)
  220 ===========================
  221 
  222 Features:
  223 ---------
  224  - New offline-KSK mode of operation
  225  - Configurable multithreaded DNSSEC signing for large zones
  226  - Extended ACL configuration for dynamic updates
  227  - New knotc trigger 'zone-key-rollover' for immediate DNSKEY rollover
  228  - Added support for OPENPGPKEY, CSYNC, SMIMEA, and ZONEMD RR types
  229  - New 'double-ds' option for CDS/CDNSKEY publication
  230 
  231 Improvements:
  232 -------------
  233  - Significant speed-up of zone updates
  234  - Knotc supports force option in the interactive mode
  235  - Copy-on-write support for QP-trie (Thanks to Tony Finch)
  236  - Unified and more efficient LMDB layer for journal, timer, and KASP databases
  237  - DS check event is re-planned according to KASP even when purged timers
  238  - Module DNS Cookies supports explicit Server Secret configuration
  239  - Zone mtime is verified against full-precision timestamp (Thanks to Daniel Kahn Gillmor)
  240  - Extended logging (loaded SOA serials, refresh duration, tiny cleanup)
  241  - Relaxed fixed-length condition for DNSSEC key ID
  242  - Extended semantic checks for DNAME and NS RR types
  243  - Added support for FreeBSD's SO_REUSEPORT_LB
  244  - Improved performance of geoip module
  245  - Various improvements in the documentation
  246 
  247 Compatibility:
  248 --------------
  249  - Changed configuration default for 'cds-cdnskey-publish' to 'rollover'
  250  - Journal DB format changes are not downgrade-compatible
  251  - Keymgr no longer prints DS for algorithm SHA-1
  252 
  253 Knot DNS 2.7.8 (2019-07-16)
  254 ===========================
  255 
  256 Improvements:
  257 -------------
  258  - Various improvements in the documentation
  259 
  260 Bugfixes:
  261 ---------
  262  - Excessive server load when maximum TCP clients limit is reached
  263  - Incorrect reply after zone update with a node changed from non-authoritative to delegation
  264  - Missing debug log for failed zone refresh triggered by zone notification
  265  - Wrong processing of multiple $INCLUDE directives #646
  266  - Broken unit test on NetBSD 8.x
  267 
  268 Knot DNS 2.7.7 (2019-04-15)
  269 ===========================
  270 
  271 Improvements:
  272 -------------
  273  - Possible zone transaction is aborted by zone events to avoid inconsistency
  274  - Added log message if no persistent config DB is available during 'conf-begin'
  275  - Tiny building improvements
  276 
  277 Bugfixes:
  278 ---------
  279  - Glue records under delegation are sometimes signed
  280  - NSEC3 not re-salted during AXFR refresh
  281  - Broken NSEC3 chain after adding new sub-delegations
  282  - Failed to sign new zone contents if added dynamically #641
  283  - NSEC3 opt-out signing doesn't work in some cases
  284  - Redundant SOA RRSIG on slave if RRSIG TTL changed on master
  285  - Sometimes confusing log error message for NOTIFY event
  286  - Failed to explicit set value 0 for submission timeout
  287 
  288 Knot DNS 2.7.6 (2019-01-23)
  289 ===========================
  290 
  291 Improvements:
  292 -------------
  293  - Zone status also shows when the zone load is scheduled
  294  - Server workers status also shows background workers utilization
  295  - Default control timeout for knotc was increased to 10 seconds
  296  - Pkg-config files contain auxiliary variable with library filename
  297 
  298 Bugfixes:
  299 ---------
  300  - Configuration commit or server reload can drop some pending zone events
  301  - Nonempty zone journal is created even though it's disabled #635
  302  - Zone is completely re-signed during empty dynamic update processing
  303  - Server can crash when storing a big zone difference to the journal
  304  - Failed to link on FreeBSD 12 with Clang
  305 
  306 Knot DNS 2.7.5 (2019-01-07)
  307 ===========================
  308 
  309 Features:
  310 ---------
  311  - Keymgr supports NSEC3 salt handling
  312 
  313 Improvements:
  314 -------------
  315  - Zone history in journal is dropped apon AXFR-like zone update
  316  - Libdnssec is no longer linked against libm #628
  317  - Libdnssec is explicitly linked against libpthread if PKCS #11 enabled #629
  318  - Better support for libknot packaging in Python
  319  - Manually generated KSK is 'ready' by default
  320  - Kdig supports '+timeout' as an alias for '+time'
  321  - Kdig supports '+nocomments' option
  322  - Kdig no longer prints empty lines between retries
  323  - Kdig returns failure if operations not successfully resolved #632
  324  - Fixed repeating of the 'KSK submission, waiting for confirmation' log
  325  - Various improvements in documentation, Dockerfile, and tests
  326 
  327 Bugfixes:
  328 ---------
  329  - Knotc fails to unset huge configuration section
  330  - Kjournalprint sometimes fails to display zone journal content
  331  - Improper timing of ZSK removal during ZSK rollover
  332  - Missing UTC time zone indication in the 'iso' keymgr list output
  333  - A race condition in the online signing module
  334 
  335 Knot DNS 2.7.4 (2018-11-13)
  336 ===========================
  337 
  338 Features:
  339 ---------
  340  - Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)
  341 
  342 Improvements:
  343 -------------
  344  - Added warning log when DNSSEC events not successfully scheduled
  345  - New semantic check on timer values in keymgr
  346  - DS query no longer asks other addresses if got a negative answer
  347  - Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
  348  - Extended logging for zone loading
  349  - Various documentation improvements
  350 
  351 Bugfixes:
  352 ---------
  353  - Failed to import module configuration #613
  354  - Improper Cflags value in libknot.pc if built with embedded LMDB #615
  355  - IXFR doesn't fall back to AXFR if malformed reply
  356  - DNSSEC events not correctly scheduled for empty zone updates
  357  - During algorithm rollover old keys get removed before DS TTL expires #617
  358  - Maximum zone's RRSIG TTL not considered during algorithm rollover #620
  359 
  360 Knot DNS 2.7.3 (2018-10-11)
  361 ===========================
  362 
  363 Features:
  364 ---------
  365  - New queryacl module for query access control
  366  - Configurable answer rrset rotation #612
  367  - Configurable NSEC bitmap in online signing
  368 
  369 Improvements:
  370 -------------
  371  - Better error logging for KASP DB operations #601
  372  - Some documentation improvements
  373 
  374 Bugfixes:
  375 ---------
  376  - Keymgr "list" output doesn't show key size for ECDSA algorithms #602
  377  - Failed to link statically with embedded LMDB
  378  - Configuration commit causes zone reload for all zones
  379  - The statistics module overlooks TSIG record in a request
  380  - Improper processing of an AXFR-style-IXFR response consisting of one-record messages
  381  - Race condition in online signing during key rollover #600
  382  - Server can crash if geoip module is enabled in the geo mode
  383 
  384 Knot DNS 2.7.2 (2018-08-29)
  385 ===========================
  386 
  387 Improvements:
  388 -------------
  389  - Keymgr list command displays also key size
  390  - Kjournalprint displays total occupied size in the debug mode
  391  - Server doesn't stop if failed to load a shared module from the module directory
  392  - Libraries libcap-ng, pthread, and dl are linked selectively if needed
  393 
  394 Bugfixes:
  395 ---------
  396  - Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
  397  - Server can crash when loading zone file difference and zone-in-journal is set
  398  - Incorrect treatment of specific queries in the module RRL
  399  - Failed to link module Cookies as a shared library
  400 
  401 Knot DNS 2.7.1 (2018-08-14)
  402 ===========================
  403 
  404 Improvements:
  405 -------------
  406  - Added zone wire size information to zone loading log message
  407  - Added debug log message for each unsuccessful remote address operation
  408  - Various improvements for packaging
  409 
  410 Bugfixes:
  411 ---------
  412  - Incompatible handling of RRSIG TTL value when creating a DNS message
  413  - Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
  414  - Default configure prefix is ignored
  415 
  416 Knot DNS 2.7.0 (2018-08-03)
  417 ===========================
  418 
  419 Features:
  420 ---------
  421  - New DNS Cookies module and related '+cookie' kdig option
  422  - New module for response tailoring according to client's subnet or geographic location
  423  - General EDNS Client Subnet support in the server
  424  - OSS-Fuzz integration (Thanks to Jonathan Foote)
  425  - New '+ednsopt' kdig option (Thanks to Jan Včelák)
  426  - Online Signing support for automatic key rollover
  427  - Non-normal file (e.g. pipe) loading support in zscanner #542
  428  - Automatic SOA serial incrementation if non-empty zone difference
  429  - New zone file load option for ignoring zone file's SOA serial
  430  - New build-time option for alternative malloc specification
  431  - Structured logging for DNSSEC key submission event
  432  - Empty QNAME support in kdig
  433 
  434 Improvements:
  435 -------------
  436  - Various library and server optimizations
  437  - Reduced memory consumption of outgoing IXFR processing
  438  - Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
  439  - Online Signing properly signs delegations and CNAME records
  440  - CDS/CDNSKEY rrset is signed with KSK instead of ZSK
  441  - DNSSEC-related records are ignored when loading zone difference with signing enabled
  442  - Minimum allowed RSA key length was increased to 1024
  443  - Removed explicit dependency on Nettle
  444 
  445 Bugfixes:
  446 ---------
  447  - Possible uninitialized address buffer use in zscanner
  448  - Possible index overflow during multiline record parsing in zscanner
  449  - kdig +tls sometimes consumes 100 % CPU #561
  450  - Single-Type Signing doesn't work with single ZSK key #566
  451  - Zone not flushed after re-signing during zone load #594
  452  - Server crashes when committing empty zone transaction
  453  - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
  454 
  455 Compatibility:
  456 --------------
  457  - Removed obsolete RRL configuration
  458  - Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
  459  - Removed obsolete 'ixfr-from-differences' configuration option
  460  - Removed old journal migration
  461  - Removed module rosedb
  462 
  463 Knot DNS 2.6.9 (2018-08-14)
  464 ===========================
  465 
  466 Improvements:
  467 -------------
  468  - Added zone wire size to zone loading log message
  469  - Added debug log message for each unsuccessful remote address operation
  470 
  471 Bugfixes:
  472 ---------
  473  - Zone not flushed after re-signing during zone load #594
  474  - Server crashes when committing empty zone transaction
  475  - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
  476 
  477 Knot DNS 2.6.8 (2018-07-10)
  478 ===========================
  479 
  480 Features:
  481 ---------
  482  - New 'import-pkcs11' command in keymgr
  483 
  484 Improvements:
  485 -------------
  486  - Unixtime serial policy mimics Bind – increment if lower #593
  487 
  488 Bugfixes:
  489 ---------
  490  - Creeping memory consuption upon server reload #584
  491  - Kdig incorrectly detects QNAME if 'notify' is a prefix
  492  - Server crashes when zone sign fails #587
  493  - CSK->KZSK rollover retires CSK early #588
  494  - Server crashes when zone expires during outgoing multi-message transfer
  495  - Kjournalprint doesn't convert zone name argument to lower-case
  496  - Cannot switch to a previously used ksk-shared dnssec policy #589
  497 
  498 Knot DNS 2.6.7 (2018-05-17)
  499 ===========================
  500 
  501 Features:
  502 ---------
  503  - Added 'dateserial' (YYYYMMDDnn) serial policy configuration (Thanks to Wolfgang Jung)
  504 
  505 Improvements:
  506 -------------
  507  - Trailing data indication from the packet parser (libknot)
  508  - Better configuration check for a problematical option combination
  509 
  510 Bugfixes:
  511 ---------
  512  - Incomplete configuration option item name check
  513  - Possible buffer overflow in 'knot_dname_to_str' (libknot)
  514  - Module dnsproxy doesn't preserve letter case of QNAME
  515  - Module dnsproxy duplicates OPT and TSIG in the non-fallback mode
  516 
  517 Knot DNS 2.6.6 (2018-04-11)
  518 ===========================
  519 
  520 Features:
  521 ---------
  522  - New EDNS option counters in the statistics module
  523  - New '+orphan' filter for the 'zone-purge' operation
  524 
  525 Improvements:
  526 -------------
  527  - Reduced memory consuption of disabled statistics metrics
  528  - Some spelling fixes (Thanks to Daniel Kahn Gillmor)
  529  - Server no longer fails to start if MODULE_DIR doesn't exist
  530  - Configuration include doesn't fail if empty wildcard match
  531  - Added a configuration check for a problematical option combination
  532 
  533 Bugfixes:
  534 ---------
  535  - NSEC3 chain not re-created when SOA minimum TTL changed
  536  - Failed to start server if no template is configured
  537  - Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
  538  - Inaccurate outgoing zone transfer size in the log message
  539  - Invalid dname compression if empty question section
  540  - Missing EDNS in EMALF responses
  541 
  542 Knot DNS 2.6.5 (2018-02-12)
  543 ===========================
  544 
  545 Features:
  546 ---------
  547  - New 'zone-notify' command in knotc
  548  - Kdig uses '@server' as a hostname for TLS authenticaion if '+tls-ca' is set
  549 
  550 Improvements:
  551 -------------
  552  - Better heap memory trimming for zone operations
  553  - Added proper polling for TLS operations in kdig
  554  - Configuration export uses stdout as a default output
  555  - Simplified detection of atomic operations
  556  - Added '--disable-modules' configure option
  557  - Small documentation updates
  558 
  559 Bugfixes:
  560 ---------
  561  - Zone retransfer doesn't work well if more masters configured
  562  - Kdig can leak or double free memory in corner cases
  563  - Inconsistent error outputs from dynamic configuration operations
  564  - Failed to generate documentation on OpenBSD
  565 
  566 Knot DNS 2.6.4 (2018-01-02)
  567 ===========================
  568 
  569 Features:
  570 ---------
  571  - Module synthrecord allows multiple 'network' specification
  572  - New CSK handling support in keymgr
  573 
  574 Improvements:
  575 -------------
  576  - Allowed configuration for infinite zsk lifetime
  577  - Increased performance and security of the module synthrecord
  578  - Signing changeset is stored into journal even if 'zonefile-load' is whole
  579 
  580 Bugfixes:
  581 ---------
  582  - Unintentional zone re-sign during reload if empty NSEC3 salt
  583  - Inconsistent zone names in journald structured logs
  584  - Malformed outgoing transfer for big zone with TSIG
  585  - Some minor DNSSEC-related issues
  586 
  587 Knot DNS 2.6.3 (2017-11-24)
  588 ===========================
  589 
  590 Bugfixes:
  591 ---------
  592  - Wrong detection of signing scheme rollover
  593 
  594 Knot DNS 2.6.2 (2017-11-23)
  595 ===========================
  596 
  597 Features:
  598 ---------
  599  - CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support
  600 
  601 Improvements:
  602 -------------
  603  - Allowed explicit configuration for infinite ksk lifetime
  604  - Proper error messages instead of unclear error codes in server log
  605  - Better support for old compilers
  606 
  607 Bugfixes:
  608 ---------
  609  - Unexpected reply for DS query with an owner below a delegation point
  610  - Old dependencies in the pkg-config file
  611 
  612 Knot DNS 2.6.1 (2017-11-02)
  613 ===========================
  614 
  615 Features:
  616 ---------
  617  - NSEC3 Opt-Out support in the DNSSEC signing
  618  - New CDS/CDNSKEY publish configuration option
  619 
  620 Improvements:
  621 -------------
  622  - Simplified DNSSEC log message with DNSKEY details
  623  - +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
  624  - New documentation sections for DNSSEC key rollovers and shared keys
  625  - Keymgr no longer prints useless algorithm number for generated key
  626  - Kdig prints unknown RCODE in a numeric format
  627  - Better support for LLVM libFuzzer
  628 
  629 Bugfixes:
  630 ---------
  631  - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
  632  - Immediate zone flush not scheduled during the zone load event
  633  - Server crashes upon dynamic zone addition if a query module is loaded
  634  - Kdig fails to connect over TLS due to SNI is set to server IP address
  635  - Possible out-of-bounds memory access at the end of the input
  636  - TCP Fast Open enabled by default in kdig breaks TLS connection
  637 
  638 Knot DNS 2.6.0 (2017-09-29)
  639 ===========================
  640 
  641 Features:
  642 ---------
  643  - On-slave (inline) signing support
  644  - Automatic DNSSEC key algorithm rollover
  645  - Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
  646  - New 'journal-content' and 'zonefile-load' configuration options
  647  - keymgr tries to run as user/group set in the configuration
  648  - Public-only DNSSEC key import into KASP DB via keymgr
  649  - NSEC3 resalt and parent DS query events are persistent in timer DB
  650  - New processing state for a response suppression within a query module
  651  - Enabled server side TCP Fast Open if supported
  652  - TCP Fast Open support in kdig
  653 
  654 Improvements:
  655 -------------
  656  - Better record owner compression if related to the previous rdata dname
  657  - NSEC(3) chain is no longer recomputed whole on every update
  658  - Remove inconsistent and unnecessary quoting in log files
  659  - Avoiding of overlapping key rollovers at a time
  660  - More DNSSSEC-related semantic checks
  661  - Extended timestamp format in keymgr
  662 
  663 Bugfixes:
  664 ---------
  665  - Incorrect journal free space computation causing inefficient space handling
  666  - Interface-automatic broken on Linux in the presence of asymmetric routing
  667 
  668 Knot DNS 2.5.7 (2018-01-02)
  669 ===========================
  670 
  671 Bugfixes:
  672 ---------
  673  - Unintentional zone re-sign during reload if empty NSEC3 salt
  674  - Inconsistent zone names in journald structured logs
  675  - Malformed outgoing transfer for big zone with TSIG
  676  - Unexpected reply for DS query with an owner below a delegation point
  677  - Old dependencies in the pkg-config file
  678 
  679 Knot DNS 2.5.6 (2017-11-02)
  680 ===========================
  681 
  682 Improvements:
  683 -------------
  684  - Keymgr no longer prints useless algorithm number for generated key
  685 
  686 Bugfixes:
  687 ---------
  688  - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
  689  - Immediate zone flush not scheduled during the zone load event
  690  - Server crashes upon dynamic zone addition if a query module is loaded
  691  - Kdig fails to connect over TLS due to SNI is set to server IP address
  692 
  693 Knot DNS 2.5.5 (2017-09-29)
  694 ===========================
  695 
  696 Improvements:
  697 -------------
  698  - Constant time memory comparison in the TSIG processing
  699  - Proper use of the ctype functions
  700  - Generated RRSIG records have inception time 90 minutes in the past
  701 
  702 Bugfixes:
  703 ---------
  704  - Incorrect online signature for NSEC in the case of a CNAME record
  705  - Incorrect timestamps in dnstap records
  706  - EDNS Subnet Client validation rejects valid payloads
  707  - Module configuration semantic checks are not executed
  708  - Kzonecheck segfaults with unusual inputs
  709 
  710 Knot DNS 2.5.4 (2017-08-31)
  711 ===========================
  712 
  713 Improvements:
  714 -------------
  715  - New minimum and maximum refresh interval config options (Thanks to Manabu Sonoda)
  716  - New warning when unforced flush with disabled zone file synchronization
  717  - New 'dnskey' keymgr command
  718  - Linking with libatomic on architectures that require it (Thanks to Pierre-Olivier Mercier)
  719  - Removed 'OK' from listing keymgr command outputs
  720  - Extended journal and keymgr documentation and logging
  721 
  722 Bugfixes:
  723 ---------
  724  - Incorrect handling of specific corner-cases with zone-in-journal
  725  - The 'share' keymgr command doesn't work
  726  - Server crashes if configured with query-size and reply-size statistics options
  727  - Malformed big integer configuration values on some 32-bit platforms
  728  - Keymgr uses local time when parsing date inputs
  729  - Memory leak in kdig upon IXFR query
  730 
  731 Knot DNS 2.5.3 (2017-07-14)
  732 ===========================
  733 
  734 Features:
  735 ---------
  736  - CSK rollover support for Single-Type Signing Scheme
  737 
  738 Improvements:
  739 -------------
  740  - Allowed binding to non-local adresses for TCP (Thanks to Julian Brost!)
  741  - New documentation section for manual DNSSEC key algorithm rollover
  742  - Initial KSK also generated in the submission state
  743  - The 'ds' keymgr command with no parameter uses all KSK keys
  744  - New debug mode in kjournalprint
  745  - Updated keymgr documentation
  746 
  747 Bugfixes:
  748 ---------
  749  - Sometimes missing RRSIG by KSK in submission state.
  750  - Minor DNSSEC-related issues
  751 
  752 Knot DNS 2.5.2 (2017-06-23)
  753 ===========================
  754 
  755 Security:
  756 ---------
  757  - CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)
  758 
  759 Improvements:
  760 -------------
  761  - Extended debug logging for TSIG errors
  762  - Better error message for unknown module section in the configuration
  763  - Module documentation compilation no longer depends on module configuration
  764  - Extended policy section configuration semantic checks
  765  - Improved python version compatibility in pykeymgr
  766  - Extended migration section in the documentation
  767  - Improved DNSSEC event timing on 32-bit systems
  768  - New KSK rollover start log info message
  769  - NULL qtype support in kdig
  770 
  771 Bugfixes:
  772 ---------
  773  - Failed to process included configuration
  774  - dnskey_ttl policy option in the configuration has no effect on DNSKEY TTL
  775  - Corner case journal fixes (huge changesets, OpenWRT operation)
  776  - Confusing event timestamps in knotc zone-status output
  777  - NSEC/NSEC3 bitmap not updated for CDS/CDNSKEY
  778  - CDS/CDNSKEY RRSIG not updated
  779 
  780 Knot DNS 2.5.1 (2017-06-07)
  781 ===========================
  782 
  783 Bugfixes:
  784 ---------
  785  - pykeymgr no longer crash on empty json files in the KASP DB directory
  786  - pykeymgr no longer imports keys in the "removed" state
  787  - Imported keys in the "removed" state no longer makes knotd to crash
  788  - Including an empty configuration directory no longer makes knotd to crash
  789  - pykeymgr is distributed and installed to the distribution tarball
  790 
  791 Knot DNS 2.5.0 (2017-06-05)
  792 ===========================
  793 
  794 Features:
  795 ---------
  796  - KASP database switched from JSON files to LMDB database
  797  - KSK rollover support using CDNSKEY and CDS in the automatic DNSSEC signing
  798  - Dynamic module loading support with proper module API
  799  - Journal can store full zone contents (not only differences)
  800  - Zone freeze/thaw support
  801  - Updated knotc zone-status output with optional column filters
  802  - New '[no]crypto' option in kdig
  803  - New keymgr implementation reflecting KASP database changes
  804  - New pykeymgr for JSON-based KASP database migration
  805  - Removed obsolete knot1to2 utility
  806 
  807 Improvements:
  808 -------------
  809  - Added libidn2 support to kdig (with libidn fallback)
  810  - Maximum timer database switched from configure to the server configuration
  811 
  812 Knot DNS 2.4.4 (2017-06-05)
  813 ===========================
  814 
  815 Improvements:
  816 -------------
  817  - Improved error handling in kjournalprint
  818 
  819 Bugfixes:
  820 ---------
  821  - Zone flush not replanned upon unsuccessful flush
  822  - Journal inconsistency after deleting deleted zone
  823  - Zone events not rescheduled upon server reload (Thanks to Mark Warren)
  824  - Unreliable LMDB mapsize detection in kjournalprint
  825  - Some minor issues found by AddressSanitizer
  826 
  827 Knot DNS 2.4.3 (2017-04-11)
  828 ===========================
  829 
  830 Improvements:
  831 -------------
  832  - New 'journal-db-mode' optimization configuration option
  833  - The default TSIG algorithm for utilities input is HMAC-SHA256
  834  - Implemented sensible default EDNS(0) padding policy (Thanks to D. K. Gillmor)
  835  - Added some more semantic checks on the knotc configuration operations
  836 
  837 Bugfixes:
  838 ---------
  839  - Missing 'zone' keyword in the YAML output
  840  - Missing trailing dot in the keymgr DS owner output
  841  - Journal logs 'invalid parameter' in several cases
  842  - Some minor journal-related problems
  843 
  844 Knot DNS 2.4.2 (2017-03-23)
  845 ===========================
  846 
  847 Features:
  848 ---------
  849  - Zscanner can store record comments placed on the same line
  850  - Knotc status extension with version, configure, and workers parameters
  851 
  852 Improvements:
  853 -------------
  854  - Significant incoming XFR speed-up in the case of many zones
  855 
  856 Bugfixes:
  857 ---------
  858  - Double OPT RR insertion when a global module returns KNOT_STATE_FAIL
  859  - User-driven zscanner parsing logic inconsistency
  860  - Lower serial at master doesn't trigger any errors
  861  - Queries with too long DNAME substitution do not return YXDOMAIN response
  862  - Incorrect elapsed time in the DDNS log
  863  - Failed to process forwarded DDNS request with TSIG
  864 
  865 Knot DNS 2.4.1 (2017-02-10)
  866 ===========================
  867 
  868 Improvements:
  869 -------------
  870  - Speed-up of rdata addition into a huge rrset
  871  - Introduce check of minimum timeout for next refresh
  872  - Dnsproxy module can forward all queries without local resolving
  873 
  874 Bugfixes:
  875 --------
  876  - Transfer of a huge rrset goes into an infinite loop
  877  - Huge response over TCP contains useless TC bit instead of SERVFAIL
  878  - Failed to build utilities with disabled daemon
  879  - Memory leaks during keys removal
  880  - Rough TSIG packet reservation causes early truncation
  881  - Minor out-of-bounds string termination write in rrset dump
  882  - Server crash during stop if failed to open timers DB
  883  - Failed to compile on OS X older than Sierra
  884  - Poor minimum UDP-max-size configuration check
  885  - Failed to receive one-record-per-message IXFR-style AXFR
  886  - Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
  887 
  888 Knot DNS 2.4.0 (2017-01-18)
  889 ===========================
  890 
  891 Bugfixes:
  892 --------
  893  - False positive semantic-check warning about invalid bitmap in NSEC
  894  - Unnecessary SOA queries upon notify with up to date serial
  895  - Timers for expired zones are reset on reload
  896  - Zone doesn't expire when the server is down
  897  - Failed to handle keys with duplicate keytags
  898  - Per zone module and global module insconsistency
  899  - Obsolete online signing module configuration
  900  - Malformed output from kjournalprint
  901  - Redundant SO_REUSEPORT activation on the TCP socket
  902  - Failed to use higher number of background workers
  903 
  904 Improvements:
  905 -------------
  906  - Lower memory consumption with qp-trie
  907  - Zone events and zone timers improvements
  908  - Print all zone names in the FQDN format
  909  - Simplified query module interface
  910  - Shared TCP connection between SOA query and transfer
  911  - Response Rate Limiting as a module with statistics support
  912  - Key filters in keymgr
  913 
  914 Features:
  915 ---------
  916  - New unified LMDB-based zone journal
  917  - Server statistics support
  918  - New statistics module for traffic measuring
  919  - Automatic deletion of retired DNSSEC keys
  920  - New control logging category
  921 
  922 Knot DNS 2.3.4 (2017-11-20)
  923 ===========================
  924 
  925 Security:
  926 ---------
  927  - CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)
  928 
  929 Bugfixes:
  930 ---------
  931  - Unexpected response for DS query below delegation poing
  932  - Zone events not rescheduled upon server reload (Thanks to Mark Warren)
  933  - Missing trailing dot in the keymgr DS owner output
  934  - Malformed output from kjournalprint
  935  - Redundant SO_REUSEPORT activation on the TCP socket
  936 
  937 Knot DNS 2.3.3 (2016-12-08)
  938 ===========================
  939 
  940 Bugfixes:
  941 ---------
  942  - Double free when failed to apply zone journal
  943  - Zone bootstrap retry interval not preserved upon zone reload
  944  - DNSSEC related records not flushed if not signed
  945  - False semantic checks warning about incorrect type in NSEC bitmap
  946  - Memory leak in kzonecheck
  947 
  948 Improvements:
  949 -------------
  950  - All zone names are fully-qualified in log
  951 
  952 Features:
  953 ---------
  954  - New kjournalprint utility
  955 
  956 Knot DNS 2.3.2 (2016-11-04)
  957 ===========================
  958 
  959 Bugfixes:
  960 ---------
  961  - Incorrect %s expansion for the root zone
  962  - Failed to refresh not existing slave zone after restart
  963  - Immediate zone refresh upon restart if refresh already scheduled
  964  - Early zone transfer after restart if transfer already scheduled
  965  - Not ignoring empty non-terminal parents during delegation lookup
  966  - CD bit preservation in responses
  967  - Compilation error on GNU/kFreeBSD
  968  - Server crash after double zone-commit if journal error
  969 
  970 Improvements:
  971 -------------
  972  - Speed-up of knotc if control operation and known socket
  973  - Zone purge operation purges also zone timers
  974 
  975 Features:
  976 ---------
  977  - Simple modules don't require empty configuration section
  978  - New zone journal path configuration option
  979  - New timeout configuration option for module dnsproxy
  980 
  981 Knot DNS 2.3.1 (2016-10-07)
  982 ===========================
  983 
  984 Bugfixes:
  985 ---------
  986  - Missing glue records in some responses
  987  - Knsupdate prompt printing on non-terminal
  988  - Mismatch between configuration policy item names and documentation
  989  - Segfault on OS X (Sierra)
  990 
  991 Improvements:
  992 -------------
  993  - Significant speed-up of conf-commit and conf-diff operations (in most cases)
  994  - New EDNS Client Subnet libknot API
  995  - Better semantic-checks error messages
  996 
  997 Features:
  998 ---------
  999  - Print TLS certificate hierarchy in kdig verbose mode
 1000  - New +subnet alias for +client
 1001  - New mod-whoami and mod-noudp modules
 1002  - New zone-purge control command
 1003  - New log-queries and log-responses options for mod-dnstap
 1004 
 1005 Knot DNS 2.3.0 (2016-08-09)
 1006 ===========================
 1007 
 1008 Bugfixes:
 1009 ---------
 1010  - No wildcard expansion below empty non-terminal for NSEC signed zone
 1011  - Avoid multiple loads of the same PKCS #11 module
 1012  - Fix kdig IXFR response processing if the transfer content is empty
 1013  - Don't ignore non-existing records to be removed in IXFR
 1014 
 1015 Improvements:
 1016 -------------
 1017  - Refactored semantic checks and improved error messages
 1018  - Set TC flag in delegation only if mandatory glue doesn't fit the response
 1019  - Separate EDNS(0) payload size configuration for IPv4 and IPv6
 1020 
 1021 Features:
 1022 ---------
 1023  - DNSSEC policy can be defined in server configuration
 1024  - Automatic NSEC3 resalt according to DNSSEC policy
 1025  - Zone content editing using control interface
 1026  - Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
 1027  - DNS-over-TLS support in kdig (RFC 7858)
 1028  - EDNS(0) padding and alignment support in kdig (RFC 7830)
 1029 
 1030 Knot DNS 2.2.1 (2016-05-24)
 1031 ===========================
 1032 
 1033 Bugfixes:
 1034 ---------
 1035  - Fix separate logging of server and zone events
 1036  - Fix concurrent zone file flushing with many zones
 1037  - Fix possible server crash with empty hostname on OpenWRT
 1038  - Fix control timeout parsing in knotc
 1039  - Fix "Environment maxreaders limit reached" error in knotc
 1040  - Don't apply journal changes on modified zone file
 1041  - Remove broken LTO option from configure script
 1042  - Enable multiple zone names completion in interactive knotc
 1043  - Set the TC flag in a response if a glue doesn't fit the response
 1044  - Disallow server reload when there is an active configuration transaction
 1045 
 1046 Improvements:
 1047 -------------
 1048  - Distinguish unavailable zones from zones with zero serial in log messages
 1049  - Log warning and error messages to standard error output in all utilities
 1050  - Document tested PKCS #11 devices
 1051  - Extended Python configuration interface
 1052 
 1053 Knot DNS 2.2.0 (2016-04-26)
 1054 ===========================
 1055 
 1056 Bugfixes:
 1057 ---------
 1058  - Fix build dependencies on FreeBSD
 1059  - Fix query/response message type setting in dnstap module
 1060  - Fix remote address retrieval from dnstap capture in kdig
 1061  - Fix global modules execution for queries hitting existing zones
 1062  - Fix execution of semantic checks after an IXFR transfer
 1063  - Fix PKCS#11 support detection at build time
 1064  - Fix kdig failure when the first AXFR message contains just the SOA record
 1065  - Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
 1066  - Mark PKCS#11 generated keys as sensitive (required by Luna SA)
 1067  - Fix error when removing the only zone from the server
 1068  - Don't abort knotc transaction when some check fails
 1069 
 1070 Features:
 1071 ---------
 1072  - URI and CAA resource record types support
 1073  - RRL client address based white list
 1074  - knotc interactive mode
 1075 
 1076 Improvements:
 1077 -------------
 1078  - Consistent IXFR error messages
 1079  - Various fixes for better compatibility with PKCS#11 devices
 1080  - Various keymgr user interface improvements
 1081  - Better zone event scheduler performance with many zones
 1082  - New server control interface
 1083  - kdig uses local resolver if resolv.conf is empty
 1084 
 1085 Knot DNS 2.1.1 (2016-02-10)
 1086 ===========================
 1087 
 1088 Bugfixes:
 1089 ---------
 1090  - DNSSEC: Allow import of duplicate private key into the KASP
 1091  - DNSSEC: Avoid duplicate NSEC for Wildcard No Data answer
 1092  - Fix server crash when an incoming transfer is in progress and reload is issued
 1093  - Fix socket polling when configured with many interfaces and threads
 1094  - Fix compilation against Nettle 3.2
 1095 
 1096 Improvements:
 1097 -------------
 1098  - Select correct source address for UDP messages received on ANY address
 1099  - Extend documentation of knotc commands
 1100 
 1101 Knot DNS 2.1.0 (2016-01-14)
 1102 ===========================
 1103 
 1104 Features:
 1105 ---------
 1106  - Per-thread UDP socket binding using SO_REUSEPORT on Linux
 1107  - Support for dynamic configuration database
 1108  - DNSSEC: Support for cryptographic tokens via PKCS #11 interface
 1109  - DNSSEC: Experimental support for online signing
 1110 
 1111 Improvements:
 1112 -------------
 1113  - Support for zone file name patterns
 1114  - Configurable location of zone timer database
 1115  - Non-blocking network operations and better timeout handling
 1116  - Caching of Critical configuration values for better performance
 1117  - Logging of ACL failures
 1118  - RRL: Add rate-limit-slip zero support to drop all responses
 1119  - RRL: Document behavior for different rate-limit-slip options
 1120  - kdig: Warning instead of error on TSIG validation failure
 1121  - Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
 1122  - Remove possibly insecure server control over a network socket
 1123  - Remove implementation limit for the number of network interfaces
 1124 
 1125 Bugfixes:
 1126 ---------
 1127  - synth-record module: Fix application of default configuration options
 1128  - TSIG: Allow compressed TSIG name when forwarding DDNS updates
 1129  - Schedule zone bootstrap after slave zone fails to load from disk
 1130 
 1131 Knot DNS 2.0.2 (2015-11-24)
 1132 ===========================
 1133 
 1134 Bugfixes:
 1135 ---------
 1136  - Out-of-bound read in packet parser for malformed NAPTR records (LibFuzzer)
 1137 
 1138 Knot DNS 2.0.1 (2015-09-02)
 1139 ===========================
 1140 
 1141 Bugfixes:
 1142 ---------
 1143  - Do not reload expired zones on 'knotc reload' and server startup
 1144  - Fix rare race-condition in event scheduling causing delayed event execution
 1145  - Fix skipping of non-authoritative nodes in NSEC proofs
 1146  - Fix TC flag setting in RRL slipped answers
 1147  - Disable domain name compression for root label
 1148  - Log via journald only when running under systemd
 1149  - Fix CNAME following when quering for NSEC RR type
 1150  - Fix refreshing of DNSSEC signatures for zone keys
 1151  - Fix binding an unavailable IPv6 address on Linux (IP_FREEBIND)
 1152  - Fix infinite loop in knotc zonestatus and memstats
 1153  - Fix memory leak in configuration on server shutdown
 1154  - Fix broken dnsproxy module
 1155  - Fix DNSSEC KASP timestamps parsing in strict POSIX environment
 1156  - Fix multi value parsing on big-endian
 1157  - Adapt to Nettle 3 API break causing base64 decoding failures on big-endian
 1158 
 1159 Features:
 1160 ---------
 1161  - Add 'keymgr zone key ds' to show key's DS record
 1162  - Add 'keymgr tsig generate' to generate TSIG keys
 1163  - Add query module scoping to process either all queries or zone queries only
 1164  - Add support for file name globbing in config file includes
 1165  - Add 'request-edns-option' config option to add custom EDNS0 option into
 1166    server initiated queries
 1167 
 1168 Improvements:
 1169 -------------
 1170  - Send minimal responses (remove NS from Authority section for NOERROR)
 1171  - Update persistent timers only on shutdown for better performance
 1172  - Allow change of RR TTL over DDNS
 1173  - Documentation fixes, updates, and improvements in formatting
 1174  - Install yparser and zscanner header files
 1175  - Improve lookup of libsystemd build dependencies
 1176  - Fix compilation warnings in endian conversion functions on OpenBSD
 1177 
 1178 Knot DNS 2.0.0 (2015-06-26)
 1179 ===========================
 1180 
 1181 Bugfixes:
 1182 ---------
 1183  - Fix lost NOTIFY message if received during zone transfer
 1184  - Disable fast zone parser when compiled in Clang (workaround for Clang bug)
 1185  - kdig: Record correct dnstap SocketProtocol when retrying over TCP
 1186  - kdig: Hide TSIG section with +noall
 1187  - Do not set AA flag for AXFR/IXFR queries
 1188 
 1189 Features:
 1190 ---------
 1191  - DNSSEC: separate library, switch to GnuTLS, new utilities
 1192  - DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
 1193  - Configuration: New text format in YAML, binary store in LMDB
 1194  - Zone parser: Split long TXT/SPF strings into multiple strings
 1195  - kdig: Add generic dump style option (+generic)
 1196  - Try all master servers in multi-master environment
 1197  - Improved remotes and ACLs (multiple addresses, multiple keys)
 1198  - Basic support for zone file patterns (%s to substitute zone name)
 1199  - Disable zone file synchronization by setting 'zonefile_sync' to '-1'
 1200  - knsupdate: Add input prompt in interactive mode and 'quit' command
 1201  - knsupdate: Allow TSIG algorithm specification in interactive prompt
 1202 
 1203 Improvements:
 1204 -------------
 1205  - Zone dump: Do not write class for SOA record (unified with other RR types)
 1206  - Zone dump: Do not write master server address into the zone file
 1207  - Documentation: Manual pages are included in HTML and PDF
 1208 
 1209 Knot DNS 1.6.3 (2015-04-08)
 1210 ===========================
 1211 
 1212 Bugfixes:
 1213 ---------
 1214  - Performance drop for NSEC-signed zones
 1215  - Proper handling of TCP short-writes
 1216  - Out-of-bound read in zone parser for long domain names in origin (AFL fuzzer)
 1217  - Out-of-bound read in packet parser for TSIG RR without RDATA (AFL fuzzer)
 1218  - Out-of-bound read in packet parser for malformed NAPTR RR (AFL fuzzer)
 1219 
 1220 Features:
 1221 --------
 1222  - CDS and CDNSKEY support in zone parser
 1223 
 1224 Improvements:
 1225 -------------
 1226  - Add defaults for TCP config options into documentation
 1227  - Detailed error message if zone reload fails
 1228 
 1229 Knot DNS 1.6.2 (2015-02-19)
 1230 ===========================
 1231 
 1232 Features:
 1233 ---------
 1234  - Limiting number of parallel TCP clients (max-tcp-clients config option)
 1235 
 1236 Bugfixes:
 1237 ---------
 1238  - Ignore refresh and transfer events on non-slave zones
 1239  - Compilation with Dnstap support on FreeBSD
 1240  - Possible file descriptor leak when terminating inactive TCP clients
 1241 
 1242 Knot DNS 1.6.1 (2014-12-13)
 1243 ===========================
 1244 
 1245 Bugfixes:
 1246 ---------
 1247  - Journal file would sometimes outgrow its limit (ixfr-fslimit in configuration)
 1248  - Fixed incompatibility with OpenSSL 0.9.8
 1249  - Proper handling when hostname cannot be retreived (for NSID and CH)
 1250 
 1251 Features:
 1252 ---------
 1253  - DNSSEC Single Type Signing Scheme is now supported
 1254 
 1255 Knot DNS 1.6.0 (2014-10-23)
 1256 ===========================
 1257 
 1258 Bugfixes:
 1259 ---------
 1260  - Fix zone expiration when AXFR/IXFR is being refused by master
 1261  - Fix forced zone refresh on slave (knotc refresh -f)
 1262 
 1263 Knot DNS 1.6.0-rc2 (2014-10-17)
 1264 ===============================
 1265 
 1266 Improvements:
 1267 -------------
 1268  - Maximal size of persistent timers database increased from 10 MB to 100 MB
 1269  - Added logging of persistent timers database errors
 1270 
 1271 Bugfixes:
 1272 ---------
 1273  - Persistent timers database opening after privileges has been dropped
 1274 
 1275 Knot DNS 1.6.0-rc1 (2014-10-13)
 1276 ===============================
 1277 
 1278 Features:
 1279 ---------
 1280  - Persistent timers for slave zones (expire, refresh, and flush)
 1281 
 1282 Bugfixes:
 1283 ---------
 1284  - DNSSEC: RFC compliant processing of letter case in RDATA domain names
 1285  - EDNS: Return minimal error response for queries with unsupported version
 1286  - EDNS: Fix interpretation of Extended RCODE
 1287 
 1288 Knot DNS 1.5.3 (2014-09-15)
 1289 ===========================
 1290 
 1291 Bugfixes:
 1292 ---------
 1293  - Some specific incoming IXFRs were causing server to crash
 1294  - Rare sychronization error during reload caused read-after-free
 1295  - Response synthetization module did not work properly with DNSSEC-enabled zones
 1296  - When Knot sent AXFR when IXFR was requested, message ID and opcode were wrong
 1297  - Knot failed to send large messages to remote control (present since 1.5.1)
 1298 
 1299 Knot DNS 1.5.2 (2014-09-08)
 1300 ===========================
 1301 
 1302 Bugfixes:
 1303 ---------
 1304  - Some RR parsing corner cases were not handled properly
 1305  - AXFR-style IXFR was refused and had to be retransferred
 1306  - Hash character (#) was not properly escaped when storing text zone file
 1307 
 1308 Knot DNS 1.5.1 (2014-08-19)
 1309 ===========================
 1310 
 1311 Features:
 1312 ---------
 1313  - Basic support for logging using systemd journal
 1314  - DDNS: Ability to process updates in bulk
 1315 
 1316 Improvements:
 1317 -------------
 1318  - Unified logging messages structure
 1319  - DNSSEC: More strict controls for signing keys
 1320 
 1321 Bugfixes:
 1322 ---------
 1323  - DNSSEC: DNAMEs in RDATA were not lowercased before signing
 1324  - EDNS: OPT RR were not put into responsing for some errors
 1325  - TSIG: DDNS responses were not signed with TSIG
 1326  - DDNS: Prerequisite checks failed for some inputs
 1327  - knsupdate: Zone origin was not used for deletions
 1328 
 1329 Knot DNS 1.5.0 (2014-07-08)
 1330 ===========================
 1331 
 1332 Features:
 1333 ---------
 1334  - DDNS forwarding reimplemented
 1335 
 1336 Improvements:
 1337 -------------
 1338  - Transfer sizes logged in bytes if needed
 1339  - Logging outgoing NOTIFY messages
 1340  - Logging unauthorized incoming NOTIFYs
 1341 
 1342 Bugfixes:
 1343 ---------
 1344  - Zone flush planning after bootstrap
 1345  - Incorrect incoming AXFR message sizes
 1346  - DDNS signing changes were freed too soon, posibility of stale data
 1347  - knotc remote control key handling
 1348 
 1349 Knot DNS 1.5.0-rc2 (2014-06-18)
 1350 ===============================
 1351 
 1352 Features:
 1353 ---------
 1354  - edns-client-subnet support in kdig
 1355  - Optional asynchronous startup (config "asynchronous-start")
 1356 
 1357 Improvements:
 1358 -------------
 1359  - Preempt task queue for faster reload
 1360  - Lazy zone file write after zone transfer (governed by
 1361    "zonefile-sync")
 1362 
 1363 Bugfixes:
 1364 ---------
 1365  - Close zone transfer after SERVFAIL response
 1366  - Incremental to full zone transfer fallback, wrong log message
 1367  - Zone events corner cases, reload replanning
 1368 
 1369 Knot DNS 1.5.0-rc1 (2014-06-03)
 1370 ===============================
 1371 
 1372 Features:
 1373 ---------
 1374  - Pluggable query processing modules
 1375  - Synthetic IPv4/IPv6 reverse/forward records (optional module)
 1376  - dnstap support in both utilities & server (optional module)
 1377  - NOTIFY message support and new TSIG section in kdig
 1378  - Zone transfer master failover
 1379 
 1380 Improvements:
 1381 -------------
 1382  - Query processing and core functionality overhaul
 1383  - Performance and reduced memory footprint
 1384  - Faster zone events scheduling
 1385  - RFC compliant queries/responses in some corner cases
 1386  - Log messages
 1387  - New documentation (Sphinx)
 1388 
 1389 Knot DNS 1.4.2 (2014-01-27)
 1390 ===========================
 1391 
 1392 Bugfixes:
 1393 ---------
 1394  - AXFR/IXFR compatibility issues with tinydns/axfrdns
 1395  - Journal file is created only when needed
 1396  - Zone-related log messages are logged into correct category
 1397  - DNSSEC: Refresh signatures earlier (3 days before their expiration
 1398     with the default signature lifetime)
 1399  - Fixed RCU synchronization causing deadlock on 'knotc signzone'
 1400  - RRSIG not fitting in the additional records doesn't cause
 1401    truncation
 1402 
 1403 Knot DNS 1.4.1 (2014-01-13)
 1404 ===========================
 1405 
 1406 Bugfixes:
 1407 ---------
 1408  - Empty APL record support
 1409  - 'zonestatus' when using immediate zone syncing
 1410  - Immediate zone syncing after reload
 1411  - Race condition writing time values to zone file
 1412 
 1413 Knot DNS 1.4.0 (2014-01-06)
 1414 ===========================
 1415 
 1416 Features:
 1417 ---------
 1418  - Zone SERIAL policies (INCREMENT, UNIXTIME)
 1419  - IDN support in Knot utilities
 1420  - DNSSEC: support for GOST algorithm
 1421  - Better logging of automatic DNSSEC events
 1422  - Support for DNSSEC key pre-publication
 1423  - Experimental automatic DNSSEC signing
 1424  - Reduced memory usage
 1425 
 1426 Improvements:
 1427 -------------
 1428  - ./configure prints build configuration summary
 1429  - Pretty zone file output (DNSSEC-related data separately)
 1430  - Lower memory consumption
 1431  - config: option 'dnssec-keydir' can be set per zone
 1432  - config: option 'storage' can be set per zone
 1433 
 1434 Bugfixes:
 1435 ---------
 1436  - AXFR crash with specific packet
 1437  - QNAME case-sensitive since 1.4.0-rc0
 1438  - DNSSEC records over DDNS
 1439  - Semantic check fail in AXFR is only soft-error
 1440  - Journal race condition
 1441  - Notifies are sent immediately
 1442  - Crash in particular additionals processing
 1443  - Race condition in event cancellation
 1444  - Journal corruption after failed transactions
 1445  - DNSSEC: fixed detection of ECDSA support
 1446  - Refactored zone loading
 1447  - Improved journal locking and fixed some race conditions
 1448  - Various fixes in client utilities
 1449  - Fixed memory errors in automatic DNSSEC signing
 1450  - 'dnssec-keydir' doesn't auto-enable signing
 1451  - Fixed rescheduling of zone resigns
 1452 
 1453 Knot DNS 1.3.3 (2013-10-28)
 1454 ===========================
 1455 
 1456 Bugfixes:
 1457 ---------
 1458  - Improved zone loading error messages
 1459  - Correct control socket permissions
 1460  - Improved log syntax documentation
 1461  - Fixed wrong assertions in DDNS prerequisites checking
 1462  - Fixed processing of some malformed DNS packets
 1463  - Fixed notify messages being ignored in some cases
 1464 
 1465 Knot DNS 1.3.2 (2013-09-30)
 1466 ===========================
 1467 
 1468 Bugfixes:
 1469 ---------
 1470  - Configuration option for EDNS0 max UDP payload.
 1471  - Max UDP payload from EDNS0 affected TCP responses.
 1472  - Fixed build on SLE 10.
 1473  - knotc reload did not close files included from config.
 1474 
 1475 Knot DNS 1.3.1 (2013-08-26)
 1476 ===========================
 1477 
 1478 Bugfixes:
 1479 ---------
 1480  - Response with NSID contained extra bytes after reload
 1481  - List of remotes is scanned for longest prefix match
 1482  - Multipacket TSIG signatures for transfers
 1483  - Wrongly parsed TSIG key secret without quotes
 1484  - Removed autoconf checks for extended instruction sets
 1485 
 1486 Knot DNS 1.3.0 (2013-08-05)
 1487 ===========================
 1488 
 1489 Features:
 1490 ---------
 1491  - Defaults for CH TXT id.server,version.server (see doc)
 1492  - Much faster bootstrap of many zones
 1493  - --with-configdir option for default config path
 1494  - Reintroducted 'pidfile' config option
 1495  - Utility to estimate memory consumption (see 'knotc memstats')
 1496  - PID file is not created when running on foreground
 1497  - UNIX sockets support for knotc
 1498  - Configurable 'rundir' and 'storage'
 1499  - Faster zone parser
 1500  - Full support for EUI and ILNP resource records
 1501  - Lower memory footprint for large zones
 1502  - No compilation of zones
 1503  - Improved scheduling of zone transfers
 1504  - Logging of serials and timing information for zone transfers
 1505  - Config: 'groups' keyword allowing to create groups of remotes
 1506  - Config: 'include' keyword allowing other file includes
 1507  - Client utilities: kdig, khost, knsupdate
 1508  - Server identification using TXT/CH queries (RFC 4892)
 1509  - Improved build scripts
 1510  - Improved dname compression and performance
 1511 
 1512 Bugfixes:
 1513 ---------
 1514  - Progressive interval for bootstrap retry
 1515  - Transfers randomly cancelled
 1516  - Disabling RRL on reload
 1517  - Secondary groups not initialized when dropping privileges
 1518  - Responding to DS queries for names at or below delegation points
 1519  - Removed deprecated 'knotc -w' option
 1520  - Slave ignores out-of-zone records in zone
 1521  - Support for obsolete types in zone transfers
 1522  - Slave zone file names fixes
 1523  - Long transfers being randomly dropped
 1524  - AXFR/IXFR subsystem performance improvements
 1525  - Rescheduling of AXFR in some cases
 1526  - RRSIGs not in the same section for DS records
 1527  - Log messages leaking to syslog
 1528  - 'knotc restart' option removed due to several limitations
 1529  - IXFR with an arbitrary number of diffs
 1530  - Processing of knotc TSIG keyfile
 1531  - Atomic PID file writing, removed deprecated 'knotc start'
 1532  - Performance regression when RRSIGs came before covered RRs in AXFR
 1533  - Label compression related bug
 1534  - Proper resolution of some CNAME chains
 1535  - Unstable response rate in rare cases
 1536  - Several log messages
 1537  - Fixed creating of PID file when dropping privileges
 1538 
 1539 Knot DNS 1.2.0 (2013-03-29)
 1540 ===========================
 1541 
 1542 Features:
 1543 ---------
 1544  - knotc 'zonestatus' command
 1545  - Response rate limiting (see documentation)
 1546  - Dynamic updates, including forwarding (limited on signed zones)
 1547  - Updated remote control utility
 1548  - Configurable TCP timeouts
 1549  - LOC RR support
 1550 
 1551 Bugfixes:
 1552 ---------
 1553  - Memory leaks
 1554  - Check for broken recvmmsg() implementation
 1555  - Changing logfile ownership before dropping privileges
 1556  - knotc respects 'control' section from configuration
 1557  - RRL: resolved bucket collisions
 1558  - RRL: updated bucket mapping to conform RRL technical memo
 1559  - Fixed OpenBSD build
 1560  - Responses to ANY should contain RRSIGs
 1561  - Fixed processing of some non-standard dnames.
 1562  - Correct checking of label length bounds in some cases.
 1563  - More compliant rcodes in case of DDNS/TSIG failures.
 1564  - Correct processing of malformed DDNS prereq section.
 1565 
 1566 Knot DNS 1.1.3 (2012-12-19)
 1567 ===========================
 1568 
 1569 Bugfixes:
 1570 ---------
 1571  - Updated manpage.
 1572  - Fixed answering DS queries (RRSIGs not together with DS, AA bit
 1573     missing).
 1574  - Fixed setting ARCOUNT in some error responses with EDNS enabled.
 1575  - Fixed crash when compiling zone zone with NSEC3PARAM but no NSEC3
 1576     and semantic checks enabled.
 1577 
 1578 Knot DNS 1.1.2 (2012-11-21)
 1579 ===========================
 1580 
 1581 Bugfixes:
 1582 ---------
 1583  - Fixed debug message.
 1584  - Fixed crash on reload when config contained duplicate zones.
 1585  - Fixed scheduling of transfers.
 1586 
 1587 Knot DNS 1.1.1 (2012-10-31)
 1588 ===========================
 1589 
 1590 Features:
 1591 ---------
 1592  - Improved compression of packets. Out-of-zone dnames present in
 1593     RDATA were not compressed.
 1594  - Slave zones are now automatically refreshed after startup.
 1595  - Proper response to IXFR/UDP query (returns SOA in Authority
 1596    section).
 1597 
 1598 Bugfixes:
 1599 ---------
 1600  - Fixed assertion failing when asking directly for a wildcard name.
 1601  - Crash after IXFR in certain cases when adding RRSIG in an IXFR.
 1602  - Fixed behaviour when incoming IXFR removes a zone cut. Previously
 1603     occluded names now become properly visible. Previously lead to a
 1604     crash when the server was asked for the previously occluded name.
 1605  - Fixed handling of zero-length strings in text zone dump. Caused the
 1606     compilation to fail.
 1607  - Fixed TSIG algorithm name comparison - the names should be in
 1608     canonical form.
 1609  - Fixed handling unknown RR types with type less than 251.
 1610 
 1611 Knot DNS 1.1.0 (2012-08-31)
 1612 ===========================
 1613 
 1614 Features:
 1615 ---------
 1616  - Signing SOA with TSIG queries when checking zone version with
 1617    master.
 1618  - Optionally disable ANY queries for authoritative answers.
 1619  - Dropping identical records in zone and incoming transfers.
 1620  - Support for '/' in zone names.
 1621  - Generating journal from reloaded zone (EXPERIMENTAL).
 1622  - Outgoing-only interfaces in configuration file.
 1623  - Following DNAME if the synthetized name is in the same zone.
 1624 
 1625 Bugfixes:
 1626 ---------
 1627  - Syncing journal to zone was not updating the compiled zone
 1628    database.
 1629  - Fixed ixfr-from-differences journal generation in case of IPSECKEY
 1630     and APL records.
 1631  - Fixed possible leak on server shutdown with a pending transfer.
 1632  - Crash when zone contained RRSIG signing a CNAME, but did not
 1633     contain the CNAME.
 1634  - Malformed packets parsing.
 1635  - Failed IXFR caused memory leaks.
 1636  - Failed IXFR might have resulted in inconsistent zone structures.
 1637  - Fixed answering to +dnssec queries when NSEC3 chain is corrupted.
 1638  - Fixed answering when transitioning from NSEC3 to NSEC.
 1639  - Fixed answering when zone contains multiple NSEC3 chains.
 1640  - Handling RRSets with different TTLs - TTL from the first RR is
 1641    used.
 1642  - Synchronization of zone reload and zone transfers.
 1643  - Fixed build on NetBSD 5 and FreeBSD.
 1644  - Fixed binding to both IPv4 and IPv6 at the same time on special
 1645     interfaces.
 1646  - Fixed access rights of created files.
 1647  - Semantic checks corrupted RDATA domain names which are covered by
 1648     wildcard in the same zone.
 1649 
 1650 Improvements:
 1651 -------------
 1652  - Improved user manual.
 1653  - Better checks of corrupted zone database.
 1654  - IXFR-in optimized.
 1655  - Many zones loading optimized.
 1656  - More detailed log messages (mostly transfer-related).
 1657  - Copying Question section to error responses.
 1658  - Using zone name from config file as default origin in zone file.
 1659  - Additional records are now added to response also from
 1660     wildcard-covered names.
 1661 
 1662 Knot DNS 1.0.6 (2012-06-13)
 1663 ===========================
 1664 
 1665 Bugfixes:
 1666 ---------
 1667  - Fixed potential problems with RCU synchronization.
 1668  - Adding NSEC/NSEC3 for all wildcard CNAMEs in the response.
 1669 
 1670 Knot DNS 1.0.5 (2012-05-17)
 1671 ===========================
 1672 
 1673 Bugfixes:
 1674 ---------
 1675  - Fixed bug with creating journal files.
 1676 
 1677 Knot DNS 1.0.4 (2012-05-16)
 1678 ===========================
 1679 
 1680 Features:
 1681 ---------
 1682  - Parallel loading of zones to the server.
 1683  - RFC3339-complaint format of log time.
 1684  - Support for TLSA (RR type 52).
 1685  - knotc checkzone (as a dry-run of zone compile).
 1686  - knotc refresh for forcing Knot to update all zones from master
 1687     servers.
 1688  - Reopening log files upon start (used to truncate them).
 1689 
 1690 Improvements:
 1691 -------------
 1692  - Significantly sped up IXFR-in and reduced its memory requirements.
 1693 
 1694 Bugfixes:
 1695 ---------
 1696  - Copying OPCODE and RD bit from query to NOTIMPL responses.
 1697  - Corrected response to CNAME queries if the canonical name was also
 1698     an alias (was adding the whole CNAME chain to the response).
 1699  - Fixed crash when NS or MX points to an alias.
 1700  - Fixed problem with early closing of filedescriptors (lead to crash
 1701     when compiling and loading or bootstrapping and restarting the
 1702     server with a lot of zones).
 1703 
 1704 Knot DNS 1.0.3 (2012-04-17)
 1705 ===========================
 1706 
 1707 Bugfixes:
 1708 ---------
 1709  - Corrected handling of EDNS0 when TCP is used (was applying the UDP
 1710    size limit).
 1711  - Fixed slow compilation of zones.
 1712  - Fixed potential crash with many concurrent transfers.
 1713  - Fixed missing include for FreeBSD.
 1714 
 1715 Knot DNS 1.0.2 (2012-04-13)
 1716 ===========================
 1717 
 1718 Features:
 1719 ---------
 1720  - Configuration checker (invoked via knotc).
 1721  - Specifying source interface for transfers and NOTIFY requests
 1722    directly.
 1723 
 1724 Bugfixes:
 1725 ---------
 1726  - Fixed leak when querying non-existing name and zone SOA TTL >
 1727    minimal.
 1728  - Fixed some minor bugs in tansfers.
 1729 
 1730 Improvements:
 1731 -------------
 1732  - Improved log messages (added date and time, better specification of
 1733    XFR remote).
 1734  - Improved saving incoming IXFR to journal (memory optimized).
 1735  - Now using system scheduler (better for Linux).
 1736  - Decreased thread stack size.
 1737 
 1738 Knot DNS 1.0.1 (2012-05-09)
 1739 ===========================
 1740 
 1741 Features:
 1742 ---------
 1743  - Implemented jitter to REFRESH/RETRY timers.
 1744  - Implemented magic bytes for journal.
 1745  - Improved error messages.
 1746 
 1747 Bugfixes:
 1748 ---------
 1749  - Problem with creating IXFR journal for bootstrapped zone.
 1750  - Race condition in processing NOTIFY/SOA queries.
 1751  - Leak when reloading zone with NSEC3.
 1752  - Processing of APL RR.
 1753  - TSIG improper assignment of algorithm type.
 1754 
 1755 Knot DNS 1.0.0 (2012-02-29)
 1756 ===========================
 1757 
 1758 Features:
 1759 ---------
 1760  - Support for subnets in ACL.
 1761  - Debug messages enabling in configure.
 1762  - Optimized memory consuption of zone structures.
 1763  - NSID support (RFC5001).
 1764  - Root zone support.
 1765  - Automatic zone compiling on server start.
 1766  - Setting user to run Knot under in config file.
 1767  - Dropping privileges after binding to port 53.
 1768     + Support for Linux capabilities(7).
 1769  - Setting source address of outgoing transfers in config file.
 1770  - Custom PID file.
 1771  - CNAME loop detection.
 1772  - Timeout on TCP connections.
 1773  - Basic defense against DoS attacks.
 1774 
 1775 Bugfixes:
 1776 ---------
 1777  - Memory errors and leaks.
 1778  - Fixed improper handling of failed IXFR/IN.
 1779  - Several other minor bugfixes.
 1780  - Fixed IXFR processing.
 1781  - Patched URCU so that it compiles on architectures without TLS in
 1782    compiler (NetBSD, OpenBSD).
 1783  - Fixed response to DS query at parent zone.
 1784  - A lot of other bugfixes.
 1785 
 1786 Knot DNS 0.9.1 (2012-01-20)
 1787 ===========================
 1788 
 1789 Features:
 1790 ---------
 1791  - RRSet rotation
 1792 
 1793 Improvements:
 1794 -------------
 1795  - Replaced pseudo-random number generator by one with MIT/BSD
 1796    license.
 1797 
 1798 Bugfixes:
 1799 ---------
 1800  - Fixed build on BSD.
 1801  - Fixes in parsing and dumping of zone RR types IPSECKEY, WKS, DLV,
 1802     APL, NSAP
 1803 
 1804 Knot DNS 0.9.0 (2012-01-13)
 1805 ===========================
 1806 
 1807 Features:
 1808 ---------
 1809  - TSIG support in both client and server.
 1810  - Use of sendmmsg() on Linux 3.0+ (improves performance).
 1811 
 1812 Bugfixes:
 1813 ---------
 1814  - Knot was not accepting AXFR-style IXFR with first SOA in a separate
 1815     packet (i.e. from Power DNS).
 1816  - Wrong SOA TTL in negative answers.
 1817  - Wrong max packet size for outgoing transfers (was causing the
 1818     packets to be malformed).
 1819  - Wrong handling of WKS record in zone compiler.
 1820  - Problems with zone bootstrapping.
 1821 
 1822 Knot DNS 0.8.1 (2011-12-01)
 1823 ===========================
 1824 
 1825 Bugfixes:
 1826 ---------
 1827  - Handling SPF record.
 1828  - Wrong text dump of unknown records.
 1829 
 1830 Knot DNS 0.8.0 (2011-11-03)
 1831 ===========================
 1832 
 1833 Features:
 1834 ---------
 1835  - First Public Release
 1836  - AXFR-in/-out
 1837  - IXFR-in/-out
 1838  - EDNS0
 1839  - DNSSEC
 1840  - NSEC3
 1841  - IPv6
 1842  - Runtime reconfiguration
 1843 
 1844 Known issues:
 1845 -------------
 1846  - Missing support for TSIG
 1847  - Root zone support
 1848  - NSID support
 1849  - Other DNS classes than IN
 1850  - RRSet rotation not implmented
 1851  - Dynamic update support
 1852  - IXFR code might be flaky sometimes
 1853  - IXFR may be slow when too much (10 000+) RRSets are transferred at
 1854    once