Merge branch 'f27' into epel7

Use Knot DNS 2.6.x branch to keep compatibility with Knot Resolver < 3.0
in released distros.

This reverts commit 6216b6570b.

knot.conf

@@ -0,0 +1,23 @@
+# See knot.conf(5) manual page for documentation.
+
+server:
+    rundir: "/var/run/knot"
+    user: knot:knot
+    listen: [ 127.0.0.1@53, ::1@53 ]
+
+control:
+    listen: "knot.sock"
+
+log:
+  - target: syslog
+    any: info
+
+template:
+  - id: default
+    storage: "/var/lib/knot"
+    file: "%s.zone"
+    kasp-db: "keys"
+    dnssec-signing: false
+
+zone:
+#  - domain: example.com

knot.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Knot DNS server daemon
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/knotd
+ExecReload=/usr/sbin/knotc reload
+Restart=on-abort
+ExecStartPre=/usr/sbin/knotc conf-check
+
+# Breaks daemon reload
+#CapabilityBoundingSet=cap_net_bind_service cap_setuid cap_setgid
+
+[Install]
+WantedBy=multi-user.target

knot.spec

@@ -1,98 +1,82 @@
 %global _hardened_build 1
-%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}}
+%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
 %define GPG_CHECK 1
-%define VERSION 2.7.4
+%define VERSION 2.6.9
-%define repodir %{_builddir}/%{name}-%{version}
 
-Summary:	High-performance authoritative DNS server
+Summary: High-performance authoritative DNS server
-Name:		knot
+Name: knot
-Version: 	%{VERSION}
+Version: %{VERSION}
-Release: 	1%{?dist}
+Release: 2%{?dist}
-License:	GPLv3
+License: GPLv3
-Group:		System Environment/Daemons
+Group: System Environment/Daemons
-URL:		https://www.knot-dns.cz
+URL: http://www.knot-dns.cz
-Source0:	https://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz
+Source0: http://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz
+
+Source2: %{name}.service
+Source3: %{name}.conf
+Source4: %{name}.tmpfiles
 
 %if 0%{GPG_CHECK}
-Source1:	https://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz.asc
+Source1: http://public.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz.asc
 # PGP keys used to sign upstream releases
 # Export with --armor using command from https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
 # Don't forget to update %%prep section when adding/removing keys
-Source100:	gpgkey-742FA4E95829B6C5EAC6B85710BB7AF6FEBBD6AB.gpg.asc
+Source100: gpgkey-742FA4E95829B6C5EAC6B85710BB7AF6FEBBD6AB.gpg.asc
-BuildRequires:	gnupg2
+BuildRequires:  gnupg2
 %endif
 
 # Required dependencies
-BuildRequires:	gcc
+BuildRequires: gcc
-BuildRequires:	pkgconfig(liburcu)
+BuildRequires: pkgconfig(liburcu) pkgconfig(gnutls) >= 3.3 pkgconfig(nettle) lmdb-devel pkgconfig(libedit)
-BuildRequires:	pkgconfig(gnutls) >= 3.3
-BuildRequires:	pkgconfig(libedit)
-
 # Optional dependencies
-BuildRequires:	pkgconfig(libcap-ng)
+BuildRequires: pkgconfig(libcap-ng) pkgconfig(libidn2) pkgconfig(libsystemd) pkgconfig(libfstrm) pkgconfig(libprotobuf-c)
-BuildRequires:	pkgconfig(libfstrm)
+BuildRequires: systemd
-BuildRequires:	pkgconfig(libidn2)
-BuildRequires:	pkgconfig(libmaxminddb)
-BuildRequires:	pkgconfig(libprotobuf-c)
-BuildRequires:	pkgconfig(libsystemd)
-BuildRequires:	pkgconfig(systemd)
 
-# Distro-dependent dependencies
+Requires: python2-lmdb
-%if 0%{?suse_version}
-BuildRequires:	python3-Sphinx
-BuildRequires:	lmdb-devel
-BuildRequires:	protobuf-c
-Requires(pre):  pwdutils
-%endif
-%if 0%{?rhel}
-BuildRequires:	python-sphinx
-BuildRequires:	lmdb-devel
-%endif
-%if 0%{?fedora}
-BuildRequires:	python3-sphinx
-BuildRequires:	pkgconfig(lmdb)
-%endif
 
-Requires(post):		systemd %{_sbindir}/runuser
+Requires(post): python2-lmdb
-Requires(preun):	systemd
+Requires(post): systemd %{_sbindir}/runuser
-Requires(postun):	systemd
+Requires(preun): systemd
+Requires(postun): systemd
 
-# Knot DNS 2.7+ isn't compatible with earlier knot-resolver
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Conflicts:	knot-resolver < 3.0.0
-
-Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
 
 %description
 Knot DNS is a high-performance authoritative DNS server implementation.
 
 %package libs
-Summary:	Libraries used by the Knot DNS server and client applications
+Summary: Libraries used by the Knot DNS server and client applications
 
 %description libs
 The package contains shared libraries used by the Knot DNS server and
 utilities.
 
 %package devel
-Summary:	Development header files for the Knot DNS libraries
+Summary: Development header files for the Knot DNS libraries
-Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description devel
 The package contains development header files for the Knot DNS libraries
 included in knot-libs package.
 
 %package utils
-Summary:	DNS client utilities shipped with the Knot DNS server
+Summary: DNS client utilities shipped with the Knot DNS server
-Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description utils
 The package contains DNS client utilities shipped with the Knot DNS server.
 
 %package doc
-Summary:	Documentation for the Knot DNS server
+Summary: Documentation for the Knot DNS server
-License:	GPLv3 and BSD and MIT
+License: GPLv3 and BSD and MIT
-BuildArch:	noarch
+BuildArch: noarch
-Provides:	bundled(jquery) = 3.1.0
+%if 0%{?rhel}
+BuildRequires: python-sphinx
+%else
+BuildRequires: python3-sphinx
+%endif
+Provides: bundled(jquery) = 3.1.0
 
 %description doc
 The package contains documentation for the Knot DNS server.
@@ -107,6 +91,9 @@ gpg2 --verify %{SOURCE1} %{SOURCE0}
 %endif
 %setup -q
 
+# make sure embedded LMDB library is not used
+rm -vr src/contrib/lmdb
+
 %build
 # disable debug code (causes unused warnings)
 CFLAGS="%{optflags} -DNDEBUG -Wno-unused"
@@ -114,19 +101,10 @@ CFLAGS="%{optflags} -DNDEBUG -Wno-unused"
 %ifarch armv7hl i686
 # 32-bit architectures sometimes do not have sufficient amount of
 # contiguous address space to handle default values
-%define configure_db_sizes --with-conf-mapsize=64
+%define configure_db_sizes --with-conf-mapsize=64 --with-timer-mapsize=16
 %endif
 
-%configure \
+%configure %{configure_db_sizes} --disable-fastparser  # FIXME
-  --sysconfdir=/etc \
-  --localstatedir=/var/lib \
-  --libexecdir=/usr/lib/knot \
-  --with-rundir=/run/knot \
-  --with-storage=/var/lib/knot \
-  %{?configure_db_sizes} \
-  --disable-static \
-  --enable-dnstap=yes \
-  --with-module-dnstap=yes
 make %{?_smp_mflags}
 make html
 
@@ -134,89 +112,96 @@ make html
 make install DESTDIR=%{buildroot}
 
 # install documentation
-install -d -m 0755 %{buildroot}%{_pkgdocdir}/samples
+mkdir -p %{buildroot}%{_pkgdocdir}
-install -p -m 0644 -t %{buildroot}%{_pkgdocdir}/samples samples/*.zone*
-install -p -m 0644 NEWS README %{buildroot}%{_pkgdocdir}
 cp -av doc/_build/html %{buildroot}%{_pkgdocdir}
 [ -r %{buildroot}%{_pkgdocdir}/html/index.html ] || exit 1
 rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo
 
-# install configuration file
+# install customized configuration file
 rm %{buildroot}%{_sysconfdir}/%{name}/*
-install -p -m 0644 -D %{repodir}/samples/%{name}.sample.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
+install -p -m 0644 -D %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
 
-# install systemd files
+# install service file and create rundir
-install -p -m 0644 -D %{repodir}/distro/common/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
+install -p -m 0644 -D %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
-install -p -m 0644 -D %{repodir}/distro/common/%{name}.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -p -m 0644 -D %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
 
 # create storage dir and key dir
-install -d %{buildroot}%{_sharedstatedir}
+mkdir -p %{buildroot}%{_sharedstatedir}
-install -d -m 0775 -D %{buildroot}%{_sharedstatedir}/%{name}
+install -d -m 0775 %{buildroot}%{_sharedstatedir}/%{name}
-install -d -m 0770 -D %{buildroot}%{_sharedstatedir}/%{name}/keys
+install -d -m 0770 %{buildroot}%{_sharedstatedir}/%{name}/keys
 
-# remove libarchive files
+# install config samples into docdir
-find %{buildroot} -type f -name "*.la" -delete -print
+install -d -m 0755 %{buildroot}%{_pkgdocdir}/samples
+for sample_file in knot.sample.conf example.com.zone; do
+    install -p -m 0644 samples/${sample_file} %{buildroot}%{_pkgdocdir}/samples
+done
+
+# remove static libraries and libarchive files
+rm %{buildroot}%{_libdir}/*.a
+rm %{buildroot}%{_libdir}/*.la
 
 %check
 make check
 
 %pre
 getent group knot >/dev/null || groupadd -r knot
-getent passwd knot >/dev/null || \
+getent passwd knot >/dev/null || useradd -r -g knot -d %{_sysconfdir}/knot -s /sbin/nologin -c "Knot DNS server" knot
-  useradd -r -g knot -d %{_sysconfdir}/knot -s /sbin/nologin \
+exit 0
-  -c "Knot DNS server" knot
-%if 0%{?suse_version}
-%service_add_pre knot.service
-%endif
 
 %post
-systemd-tmpfiles --create %{_tmpfilesdir}/knot.conf &>/dev/null || :
-%if 0%{?suse_version}
-%service_add_post knot.service
-%else
 %systemd_post knot.service
-%endif
+if [ $1 -gt 1 ] ; then  # upgrade
+    if rpm -q --qf=%%{version} knot | grep -q "^1\." ; then  # detect versions 1.y.z
+        echo 'Automatic upgrade from Knot DNS versions 1.y.z is not supported anymore'
+        echo 'Contact https://www.knot-dns.cz/support/'
+        exit 1
+    fi
+
+    # 2.[0-4].z -> 2.5+.z migration
+    if rpm -q --qf=%%{version} knot | grep -q '^2.[0-4]\.' ; then
+        # rename modules
+        echo 'Migrating module names in configuration file /etc/knot/knot.conf'
+        sed -i.rpmsave -e 's/\bmod-online-sign\b/mod-onlinesign/' -e 's/\bmod-synth-record\b/mod-synthrecord/' /etc/knot/knot.conf
+        echo 'Migrating KASP database %{_sharedstatedir}/%{name}/keys from JSON files to LMDB database'
+        # migrate keys into LMDB
+        %{_sbindir}/runuser -u knot -- %{_sbindir}/pykeymgr -i %{_sharedstatedir}/%{name}/keys
+    fi
+fi
+
 
 %preun
-%if 0%{?suse_version}
-%service_del_preun knot.service
-%else
 %systemd_preun knot.service
-%endif
 
 %postun
-%if 0%{?suse_version}
-%service_del_postun knot.service
-%else
 %systemd_postun_with_restart knot.service
-%endif
 
 %post libs -p /sbin/ldconfig
 
 %postun libs -p /sbin/ldconfig
 
 %files
-%license COPYING
-%{_pkgdocdir}/NEWS
-%{_pkgdocdir}/README
 %{_pkgdocdir}/samples
 %dir %attr(750,root,knot) %{_sysconfdir}/%{name}
 %config(noreplace) %attr(640,root,knot) %{_sysconfdir}/%{name}/%{name}.conf
 %dir %attr(775,root,knot) %{_sharedstatedir}/%{name}
 %dir %attr(770,root,knot) %{_sharedstatedir}/%{name}/keys
-%{_unitdir}/knot.service
+%dir %attr(-,knot,knot) %{_localstatedir}/run/%{name}
+%{_unitdir}/%{name}.service
 %{_tmpfilesdir}/%{name}.conf
+%{_bindir}/kjournalprint
 %{_bindir}/kzonecheck
-%{_sbindir}/kjournalprint
 %{_sbindir}/keymgr
 %{_sbindir}/knotc
 %{_sbindir}/knotd
+%{_sbindir}/pykeymgr
+%{_mandir}/man1/kjournalprint.*
 %{_mandir}/man1/kzonecheck.*
 %{_mandir}/man5/knot.conf.*
-%{_mandir}/man8/kjournalprint.*
 %{_mandir}/man8/keymgr.*
 %{_mandir}/man8/knotc.*
 %{_mandir}/man8/knotd.*
+%{_mandir}/man8/pykeymgr.*
 
 %files utils
 %{_bindir}/kdig
@@ -229,18 +214,16 @@ systemd-tmpfiles --create %{_tmpfilesdir}/knot.conf &>/dev/null || :
 %{_mandir}/man1/knsupdate.*
 
 %files libs
-%license COPYING
+%doc COPYING AUTHORS NEWS THANKS
-%doc NEWS
-%doc README
 %{_libdir}/libdnssec.so.*
 %{_libdir}/libknot.so.*
 %{_libdir}/libzscanner.so.*
 
 %files devel
-%{_includedir}/libdnssec
+%{_includedir}/dnssec
 %{_includedir}/knot
 %{_includedir}/libknot
-%{_includedir}/libzscanner
+%{_includedir}/zscanner
 %{_libdir}/libdnssec.so
 %{_libdir}/libknot.so
 %{_libdir}/libzscanner.so
@@ -254,139 +237,21 @@ systemd-tmpfiles --create %{_tmpfilesdir}/knot.conf &>/dev/null || :
 %{_pkgdocdir}/html
 
 %changelog
-* Tue Nov 13 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.7.4-1
+* Mon Oct 01 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.6.9-1
-Knot DNS 2.7.4 (2018-11-13)
+Knot DNS 2.6.9 (2018-08-14)
-===========================
-
-Features:
----------
- - Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)
-
-Improvements:
--------------
- - Added warning log when DNSSEC events not successfully scheduled
- - New semantic check on timer values in keymgr
- - DS query no longer asks other addresses if got a negative answer
- - Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
- - Extended logging for zone loading
- - Various documentation improvements
-
-Bugfixes:
----------
- - Failed to import module configuration #613
- - Improper Cflags value in libknot.pc if built with embedded LMDB #615
- - IXFR doesn't fall back to AXFR if malformed reply
- - DNSSEC events not correctly scheduled for empty zone updates
- - During algorithm rollover old keys get removed before DS TTL expires #617
- - Maximum zone's RRSIG TTL not considered during algorithm rollover #620
-
-* Fri Oct 12 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.7.3-1
-Knot DNS 2.7.3 (2018-10-11)
-===========================
-
-Features:
----------
- - New queryacl module for query access control
- - Configurable answer rrset rotation #612
- - Configurable NSEC bitmap in online signing
-
-Improvements:
--------------
- - Better error logging for KASP DB operations #601
- - Some documentation improvements
-
-Bugfixes:
----------
- - Keymgr "list" output doesn't show key size for ECDSA algorithms #602
- - Failed to link statically with embedded LMDB
- - Configuration commit causes zone reload for all zones
- - The statistics module overlooks TSIG record in a request
- - Improper processing of an AXFR-style-IXFR response consisting of one-record messages
- - Race condition in online signing during key rollover #600
- - Server can crash if geoip module is enabled in the geo mode
-
-* Wed Aug 29 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.7.2-1
-Knot DNS 2.7.2 (2018-08-29)
 ===========================
 
 Improvements:
 -------------
- - Keymgr list command displays also key size
+ - Added zone wire size to zone loading log message
- - Kjournalprint displays total occupied size in the debug mode
- - Server doesn't stop if failed to load a shared module from the module directory
- - Libraries libcap-ng, pthread, and dl are linked selectively if needed
-
-Bugfixes:
----------
- - Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
- - Server can crash when loading zone file difference and zone-in-journal is set
- - Incorrect treatment of specific queries in the module RRL
- - Failed to link module Cookies as a shared library
-
-* Wed Aug 15 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.7.1-1
-Knot DNS 2.7.1 (2018-08-14)
-===========================
-
-Improvements:
--------------
- - Added zone wire size information to zone loading log message
  - Added debug log message for each unsuccessful remote address operation
- - Various improvements for packaging
 
 Bugfixes:
 ---------
- - Incompatible handling of RRSIG TTL value when creating a DNS message
- - Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
- - Default configure prefix is ignored
-
-Knot DNS 2.7.0 (2018-08-03)
-===========================
-
-Features:
----------
- - New DNS Cookies module and related '+cookie' kdig option
- - New module for response tailoring according to client's subnet or geographic location
- - General EDNS Client Subnet support in the server
- - OSS-Fuzz integration (Thanks to Jonathan Foote)
- - New '+ednsopt' kdig option (Thanks to Jan Včelák)
- - Online Signing support for automatic key rollover
- - Non-normal file (e.g. pipe) loading support in zscanner #542
- - Automatic SOA serial incrementation if non-empty zone difference
- - New zone file load option for ignoring zone file's SOA serial
- - New build-time option for alternative malloc specification
- - Structured logging for DNSSEC key submission event
- - Empty QNAME support in kdig
-
-Improvements:
--------------
- - Various library and server optimizations
- - Reduced memory consumption of outgoing IXFR processing
- - Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
- - Online Signing properly signs delegations and CNAME records
- - CDS/CDNSKEY rrset is signed with KSK instead of ZSK
- - DNSSEC-related records are ignored when loading zone difference with signing enabled
- - Minimum allowed RSA key length was increased to 1024
- - Removed explicit dependency on Nettle
-
-Bugfixes:
----------
- - Possible uninitialized address buffer use in zscanner
- - Possible index overflow during multiline record parsing in zscanner
- - kdig +tls sometimes consumes 100 % CPU #561
- - Single-Type Signing doesn't work with single ZSK key #566
  - Zone not flushed after re-signing during zone load #594
  - Server crashes when committing empty zone transaction
  - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
 
-Compatibility:
---------------
- - Removed obsolete RRL configuration
- - Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
- - Removed obsolete 'ixfr-from-differences' configuration option
- - Removed old journal migration
- - Removed module rosedb
-
-
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
@@ -651,6 +516,15 @@ WARNING: Automatic upgrade from versions 1.y.z is no longer possible.
 To migrate, upgrade your packages gradually or use contacts listed on
 https://www.knot-dns.cz/support/ (if you are in trouble).
 
+* Mon Jul 31 2017 Petr Spacek <petr.spacek@nic.cz> - 2.5.3-2
+- disable dnstap on RHEL (depedencies are missing)
+
+* Mon Jul 31 2017 Petr Spacek <petr.spacek@nic.cz> - 2.5.3-1
+- new upstream release
+WARNING: Automatic upgrade from versions 1.y.z is no longer possible.
+To migrate, upgrade your packages gradually or use contacts listed on
+https://www.knot-dns.cz/support/ (if you are in trouble).
+
 Knot DNS 2.5.3 (2017-07-14)
 ===========================
 
@@ -732,23 +606,6 @@ Improvements:
  - Added libidn2 support to kdig (with libidn fallback)
  - Maximum timer database switched from configure to the server configuration
 
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Mon Jul 10 2017 Petr Spacek <petr.spacek@nic.cz> - 2.4.5-1
-New upstream release: 2.4.5
-
-Knot DNS 2.4.5 (2017-06-23)
-===========================
-
-Security:
----------
- - Improper TSIG validity period check can allow TSIG forgery (Thanks to Synacktiv!)
-
-Bugfixes:
----------
- - Corner case journal fixes (huge changesets, OpenWRT operation)
-
 Knot DNS 2.4.4 (2017-06-05)
 ===========================
 
@@ -802,22 +659,13 @@ Bugfixes:
  - Incorrect elapsed time in the DDNS log
  - Failed to process forwarded DDNS request with TSIG
 
+* Mon Mar 13 2017 Petr Spacek <petr.spacek@nic.cz> - 2.4.1-2
+- configuration checking was fixed to be compatible with Knot 2.4.x
+
 * Mon Feb 27 2017 Petr Spacek <petr.spacek@nic.cz> - 2.4.1-1
-- new upstream release:
+- new upstream release 2.4.1 replaces old 1.6.x series which is not supported
-  + fix: Transfer of a huge rrset goes into an infinite loop
+- configuration should be upgraded automatically using knot1to2 tool
-  + fix: Huge response over TCP contains useless TC bit instead of SERVFAIL
+- make sure you reviewed the new configuration in /etc/knot directory!
-  + fix: Failed to build utilities with disabled daemon
-  + fix: Memory leaks during keys removal
-  + fix: Rough TSIG packet reservation causes early truncation
-  + fix: Minor out-of-bounds string termination write in rrset dump
-  + fix: Server crash during stop if failed to open timers DB
-  + fix: Failed to compile on OS X older than Sierra
-  + fix: Poor minimum UDP-max-size configuration check
-  + fix: Failed to receive one-record-per-message IXFR-style AXFR
-  + fix: Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
-  + improvement: Speed-up of rdata addition into a huge rrset
-  + improvement: Introduce check of minumum timeout for next refresh
-  + improvement: Dnsproxy module can forward all queries without local resolving
 
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
@@ -901,129 +749,51 @@ Bugfixes:
   + improvement: Set TC flag in delegation only if mandatory glue doesn't fit the response
   + improvement: Separate EDNS(0) payload size configuration for IPv4 and IPv6
   + feature: Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
-  + feature: DNS-over-TLS support in kdig (RFC 7858)
-  + feature: EDNS(0) padding and alignment support in kdig (RFC 7830)
 
-* Fri Jun 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-2
+* Tue Aug 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.6.8-1
-- rebuild for updated userspace-rcu
-
-* Mon May 30 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.1-1
 - new upstream release:
-  + fix: Separate logging of server and zone events
+  + fix: Transfer of a huge rrset goes into an infinite loop
-  + fix: Concurrent zone file flushing with many zones
+  + fix: Huge response over TCP contains useless TC bit instead of SERVFAIL
-  + fix: Control timeout parsing in knotc
+  + fix: Failed to build utilities with disabled daemon
-  + fix: "Environment maxreaders limit reached" error in knotc
+  + fix: Memory leaks during keys removal
-  + fix: Don't apply journal changes on modified zone file
+  + fix: Rough TSIG packet reservation causes early truncation
-  + fix: Enable multiple zone names completion in interactive knotc
+  + fix: Minor out-of-bounds string termination write in rrset dump
-  + fix: Set the TC flag in a response if a glue doesn't fit the response
+  + fix: Server crash during stop if failed to open timers DB
-  + fix: Disallow server reload when there is an active configuration transaction
+  + fix: Failed to compile on OS X older than Sierra
-  + improvement: Distinguish unavailable zones from zones with zero serial in log messages
+  + fix: Poor minimum UDP-max-size configuration check
-  + improvement: Log warning and error messages to standard error output in all utilities
+  + fix: Failed to receive one-record-per-message IXFR-style AXFR
-  + improvement: Document tested PKCS #11 devices
+  + fix: Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
-  + improvement: Extended Python configuration interface
+  + improvement: Speed-up of rdata addition into a huge rrset
-- update requirements for Fedora 25
+  + improvement: Introduce check of minumum timeout for next refresh
+  + improvement: Dnsproxy module can forward all queries without local resolving
 
-* Sun May 29 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-3
+* Wed Feb 10 2016 Jan Vcelak <jvcelak@fedoraproject.org> 1.6.7-1
-- update default configuration file
-
-* Sun May 08 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-2
-- fix: systemd service starting
-
-* Tue Apr 26 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 2.2.0-1
 - new upstream release:
-  + fix: Query/response message type setting in dnstap module
+  + improvement: Log change of the zone serial number after IXFR transfer
-  + fix: Remote address retrieval from dnstap capture in kdig
+  + improvement: Document operational impact of various RRL settings
-  + fix: Global modules execution for queries hitting existing zones
+  + improvement: Add support for rate-limit-slip zero
-  + fix: Execution of semantic checks after an IXFR transfer
+  + improvement: Add 'timer-db' configuration option
-  + fix: kdig failure when the first AXFR message contains just the SOA record
-  + fix: Exclude non-authoritative types from NSEC/NSEC3 bitmap at a delegation
-  + fix: Mark PKCS#11 generated keys as sensitive
-  + fix: Error when removing the only zone from the server
-  + fix: Don't abort knotc transaction when some check fails
-  + feature: URI and CAA resource record types support
-  + feature: RRL client address based white list
-  + feature: knotc interactive mode
-  + improvement: Consistent IXFR error messages
-  + improvement: Various fixes for better compatibility with PKCS#11 devices
-  + improvement: Various keymgr user interface improvements
-  + improvement: Better zone event scheduler performance with many zones
-  + improvement: New server control interface
-  + improvement: kdig uses local resolver if resolv.conf is empty
 
-* Wed Feb 10 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.1-1
+* Wed Nov 25 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.6.6-1
-- new upstream release:
-  + fix: Allow import of duplicate private key into the KASP
-  + fix: Avoid duplicate NSEC for Wildcard No Data answer
-  + fix: Server crash when an incomming transfer is in progress and reload is issued
-  + fix: Socket polling when configured with many interfaces and threads
-  + improvement: Use correct source address for UDP messages recieved on ANY address
-  + improvement: Extend documentation of knotc commands
-
-* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Thu Jan 14 2016 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-1
-- new upstream release:
-  + improvement: Remove implementation limit for the number of network interfaces
-  + improvement: Remove possibly insecure server control over a network socket
-  + fix: Schedule zone bootstrap after slave zone fails to load from disk
-
-* Sun Dec 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.1.0-0.1.rc1
-- new upstream pre-release:
-  + feature: Per-thread UDP socket binding using SO_REUSEPORT
-  + feature: Support for dynamic configuration database
-  + feature: DNSSEC, Support for cryptographic tokens via PKCS #11 interface
-  + feature: DNSSEC, Experimental support for online signing
-  + improvement: Support for zone file name patterns
-  + improvement: Configurable location of zone timer database
-  + improvement: Non-blocking network operations and better timeout handling
-  + improvement: Caching of Critical configuration values for better performance
-  + improvement: Logging of ACL failures
-  + improvement: RRL: Add rate-limit-slip zero support to drop all responses
-  + improvement: RRL: Document behavior for different rate-limit-slip options
-  + improvement: kdig: Warning instead of error on TSIG validation failure
-  + improvement: Cleanup of support libraries interfaces (libknot, libzscanner, libdnssec)
-  + fix: synth-record module: Fix application of default configuration options
-  + fix: TSIG: Allow compressed TSIG name when forwarding DDNS updates
-
-* Wed Nov 25 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.2-1
 - new upstream release:
   + security fix: out-of-bound read in packet parser for malformed NAPTR record
+  + fix: systemd startup notifications
 
-* Thu Sep 03 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.1-1
+* Wed Sep 02 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.6.5-1
 - new upstream release:
-  + fix: do not reload expired zones on 'knotc reload' and server startup
+  + fix: don't load expired zones on reload and startup
-  + fix: rare race-condition in event scheduling causing delayed event execution
+  + fix: remove race condition in scheduling causing delaying of events
-  + fix: skipping of non-authoritative nodes in NSEC proofs
+  + fix: NSEC proof construction in zones with many delegations
   + fix: TC flag setting in RRL slipped answers
   + fix: disable domain name compression for root label
-  + fix: fix CNAME following when quering for NSEC RR type
+  + fix: check if executed under systemd before using journald log sink
-  + fix: fix refreshing of DNSSEC signatures for zone keys
+  + feature: write persistent timers on server shutdown for better performance
-  + fix: fix binding an unavailable IPv6 address (IP_FREEBIND)
+  + feature: support time unit specification for 'max-conn-idle',
-  + fix: fix infinite loop in knotc zonestatus and memstats
+    'max-conn-handshake', 'max-conn-reply', and 'notify-timeout' config options
-  + fix: fix memory leak in configuration on server shutdown
+  + feature: add 'request-edns-config' config option
-  + fix: fix broken dnsproxy module
-  + fix: fix multi value parsing on big-endian
-  + fix: adapt to Nettle 3 API break causing base64 decoding failures on big-endian
-  + feature: add 'keymgr zone key ds' to show key's DS record
-  + feature: add 'keymgr tsig generate' to generate TSIG keys
-  + feature: add query module scoping to process either all queries or zone queries only
-  + feature: add support for file name globbing in config file includes
-  + feature: add 'request-edns-option' config option to add custom EDNS0 option into server initiated queries
-  + improvement: send minimal responses (remove NS from Authority section for NOERROR)
-  + improvement: update persistent timers only on shutdown for better performance
-  + improvement: allow change of RR TTL over DDNS
-  + improvement: documentation fixes, updates, and improvements in formatting
-  + improvement: install yparser and zscanner header files
 
-* Mon Jul 20 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-1
+* Thu Jun 18 2015 Jan Vcelak <jvcelak@fedoraproject.org> 1.6.4-1
 - new upstream release:
-  + feature: possibility to disable zone file synchronization
-  + feature: knsupdate, add input prompt in interactive mode
-  + feature: knsupdate, TSIG algorithm specification in interactive mode
-
-* Thu Jun 18 2015 Jan Vcelak <jvcelak@fedoraproject.org> 2.0.0-0.1.rc1
-- new upstream pre-release:
   + fix: lost NOTIFY message if received during zone transfer
   + fix: kdig, record correct dnstap SocketProtocol when retrying over TCP
   + fix: kdig, hide TSIG section with +noall

knot.tmpfiles

@@ -0,0 +1,2 @@
+# Knot DNS runtime directory
+d /var/run/knot 0755 knot knot -

sources

@@ -1,2 +1,2 @@
-SHA512 (knot-2.7.4.tar.xz) = e5f60a23817503468b18eaea517c5936945b901f568c56cb1ca67a208cc6206ff103e9ca03f1bf05018d13a688f54580ae816a5d70510f28a98ae31116a3f674
+SHA512 (knot-2.6.9.tar.xz) = 80fcbef17c3e6685c09eb57e59001a5f298a083c18ce077dc2f2d1fadbe7c36e543c205c0820bc7971a8ed7547897aec408f51e1a9555a50dae82d047fac471b
-SHA512 (knot-2.7.4.tar.xz.asc) = 16cd46916d5fbcef28f0f89ad2914edf7d968880002dceb5b83eceb7f7fba2d42b4fde0c5282b04ac68ab069c7537e384a311242018860e36a8f7c4168ff806b
+SHA512 (knot-2.6.9.tar.xz.asc) = 33005006439e7609da39b615fb2e88b7da12178d12ca6965d32aa4d5bd294dc566698e6dbf937ee6fd8e008d9fb981729f4a4c9ce5d17f1325ba42ed932b71ee