[knot-dns-users] Knot DNS 2.0.1 patch release

Jan Včelák jan.vcelak at nic.cz
Wed Sep 2 18:28:41 CEST 2015

Hello everyone!

CZ.NIC Labs just released Knot DNS 2.0.1. There are a lot of bug fixes, new
features, and improvements since the final release.

Let's start with the bug fixes:

- The 2.0.1 received all the relevant bug fixes included in 1.6.5, namely a
  fix for expired zones reloading, a fix for a race condition in event
  scheduling, a fix for NSEC proofs with zones containing lots of delegations,
  a fix for TC flag setting in RRL slipped answers, a fix for root label
  compression, and a fix for journald logging without systemd.

- The old version was incorrectly following CNAME when queried for the NSEC
  record. This is fixed in the new version.

- There was a bug in the code planning DNSSEC resigning. The code hadn't
  considered expiration of DNSKEY RRSIGs and therefore these signatures
  could have expired. This problem is resolved now.

- Binding to an unavailable IPv6 address was broken on Linux (IP_FREEBIND).
  When the daemon was started before the network was fully up, the daemon
  failed to bind IPv6 addresses. This problem is fixed as well.

- The knotc utility entered an infinite loop when the zonestatus or memstats
  command was executed for an individual zone. This shouldn't happen any more.

- The dnsproxy module was not working properly as we have changed the request
  processing code without updating the module. This has been addressed.

- There was a problem with parsing time stamps in the DNSSEC KASP database
  when compiled against the uClibc standard C library (e.g., in Alpine Linux).
  The parsing has been rewritten to work in a strict POSIX environment.

- We have fixed multiple problems related to endianness. We have eliminated
  compilation warnings on OpenBSD related to endian conversion functions. The
  multi-value config options parsing didn't work on big-endian machines. And
  we also added detection of the Nettle library version, because version 3
  changed the Base64 decoding API incompatibly.
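A check a zone operator might run against the failure mode in the DNSKEY RRSIG item above: scan the RRSIGs of a signed zone and report the ones over DNSKEY that are expired or about to expire. This is an added example, not code from Knot DNS or from this announcement; the RRSIG lines and the reference time are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: presentation-format RRSIG records as dumped from a signed
# zone. Timestamps use the RFC 4034 YYYYMMDDHHmmSS form; values are made up.
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20150910120000 20150827120000 12345 example.com. abc=
example.com. 3600 IN RRSIG SOA 13 2 3600 20150915120000 20150901120000 54321 example.com. def=
www.example.com. 3600 IN RRSIG A 13 3 3600 20150905120000 20150822120000 54321 example.com. ghi=
old.example. 3600 IN RRSIG DNSKEY 13 2 3600 20150830120000 20150816120000 11111 old.example. jkl=
"""

# Assumed "current time" for the sample (the date of this announcement).
NOW = datetime(2015, 9, 2, 18, 28, 41, tzinfo=timezone.utc)


def parse_rrsig_expiry(line):
    """Return (owner, covered type, expiration as UTC datetime) for one RRSIG
    line in presentation format, or None if the line is not an RRSIG."""
    fields = line.split()
    # owner TTL class RRSIG type alg labels origTTL expiration inception tag signer sig
    if len(fields) < 9 or fields[3] != "RRSIG":
        return None
    owner, covered, expiration = fields[0], fields[4], fields[8]
    exp = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return owner, covered, exp


def expiring_signatures(text, now, warn_days=7, types=("DNSKEY",)):
    """List RRSIGs over the given types that are already expired or will expire
    within warn_days of `now`. Each hit is (owner, type, expiration, expired)."""
    horizon = now + timedelta(days=warn_days)
    hits = []
    for line in text.splitlines():
        parsed = parse_rrsig_expiry(line)
        if parsed is None:
            continue
        owner, covered, exp = parsed
        if covered in types and exp <= horizon:
            hits.append((owner, covered, exp, exp <= now))
    return hits


if __name__ == "__main__":
    for owner, covered, exp, expired in expiring_signatures(SAMPLE_RRSIGS, NOW):
        state = "EXPIRED" if expired else "expires soon"
        print(f"{owner} RRSIG({covered}) {state}: {exp:%Y-%m-%d %H:%M:%S} UTC")
```

Feed it the output of a zone dump (or the RRSIG answers from a query) and alert on any hit; the DNSKEY RRSIG is the one whose expiry takes the whole chain of trust down.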

As for the new features:

- The keymgr utility now supports the 'zone key ds' command to retrieve DS
  records for a key, and also the 'tsig generate' command to generate a TSIG
  key in the format accepted by Knot DNS.

- We have added module scoping. The modules can be configured either to
  process all queries received by the server, or their scope can be limited to
  individual zones.

- The 'include' config directive supports file name globbing. So you can
  import multiple files at once (e.g., include: conf.d/*.conf).

- Same as in 1.6.5, the 2.0.1 supports the 'request-edns-option' config
  option, which allows adding custom EDNS0 options into the DNS queries
  initiated by the server.

And last but not least, the improvements:

- We have decided to remove NS records from the Authority section for NOERROR
  responses. We used to put these records there because BIND and NSD did it.
  But these records are not required by any RFC and just increase the size of
  the response.

- The persistent zone timers are written only on server shutdown for better
  startup performance.

- The change of TTL over DDNS is now allowed without removing the existing

- We have reviewed the documentation and fixed a couple of grammar mistakes,
  updated some sections, and improved formatting a little bit.

- The yparser and zscanner header files are now installed.

As you may see, we are not lagging behind. This list is quite long for a patch
release. And we have much more up our sleeve. Thank you for reading this
far. And we are looking forward to your feedback.

Full changelog:


GPG signature:



 Jan Včelák, Knot DNS
 CZ.NIC Labs https://www.knot-dns.cz
 Milešovská 5, 130 00 Praha 3, Czech Republic
 WWW: https://labs.nic.cz https://www.nic.cz
