Hello everyone!
Have you been good this year? CZ.NIC Labs just released a Christmas
present for all Knot DNS users — a new and shiny release candidate.
This version contains a bunch of new features, quite a lot of
improvements and also some bug fixes. Let's start with the features:
- If you run Linux, you will get a higher packet throughput for UDP
thanks to the SO_REUSEPORT socket option. In some cases, we have seen
100% packet rate increase.
- As an alternative to the textual configuration file, we now support
a binary configuration database. This is primarily intended for users
with many zones who need to reconfigure their servers quickly. For
this purpose, the knotc utility adds new conf-* commands, which can
be used to query and modify the server configuration on-the-fly.
- DNSSEC newly implements an interface to access cryptographic tokens
via the PKCS #11. This means, that you can store the private key
material for DNSSEC keys more securely than before.
- We have also included an experimental module for DNSSEC online
signing. This can be used for instance with the other modules
synthesizing records on-the-fly.
As for various improvements:
- The zone file name can now include formatters, which will be later
substituted. For example, if you have many zones and want to sort
them into directories based on their TLD, you can use '%l[0]/%s.zone'
as the 'file' config option, and the zone 'example.com' will be loaded
from '$storage/com/example.com.zone'.
- We have added the 'timer-db' option to customize path to the database
with persistent zone timers. This is useful if you have multiple
knotd instances sharing a zone storage directory.
- After the recent DDoS attacks, we have improved the RRL documentation
to include details about the effect of the individual rate-limit-slip
configuration values. We also made this option to accept zero value
which will make the server drop all responses exceeding the limit.
- Other small changes in the server include improved networking code
so we can better handle connection timeouts. The ACL failures are now
logged. And some of the critical configuration values are cached for
better performance.
- The kdig utility now prints a warning instead of failing with an
error when a TSIG validation failure is encountered.
- We've also performed some cleanup of the support libraries: libknot,
libzscanner, and libdnssec. So if you are developing your own
DNS application, take a look at these.
And that's it. Please, refer to the documentation for more information.
And if something is not clear, just ask on the mailing list and we will
try to clarify any ambiguities.
You will find your present under our Christmas tree.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.1.0-rc1/NEWS
Source tarball:
https://secure.nic.cz/files/knot-dns/knot-2.1.0-rc1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-dns/knot-2.1.0-rc1.tar.xz.asc
On behalf of our development team, I wish you a merry Christmas and
happy New Year.
Jan
--
Jan Včelák, Knot DNS
CZ.NIC Labs
https://www.knot-dns.cz
--------------------------------------------
Milešovská 5, 130 00 Praha 3, Czech Republic
WWW:
https://labs.nic.cz https://www.nic.cz