author | ryoon <ryoon@pkgsrc.org> | 2021-08-07 16:36:18 +0000 |
---|---|---|
committer | ryoon <ryoon@pkgsrc.org> | 2021-08-07 16:36:18 +0000 |
commit | 77256902f41e1fb4fc30c003b434958324e08a09 (patch) | |
tree | 609467392ba8fffc089ad1cdcfde796b71c50b84 /net/knot/PLIST | |
parent | 710ccd39c619f14be4af13299c36fb4b7a7bd46d (diff) | |
download | pkgsrc-77256902f41e1fb4fc30c003b434958324e08a09.tar.gz |
knot: Update to 3.1.0
Changelog:
Version 3.1.0
Monday, August 2, 2021
Features:
+ knotd: automatic zone catalog generation based on actual configuration
+ knotd: zone catalog supports configuration groups
+ knotd: support for ZONEMD validation and generation
+ knotd: basic support for TCP over XDP processing
+ knotd: configuration option for enabling IP route check in the XDP mode
+ knotd: support for epoll (Linux) and kqueue (*BSD, macOS) socket
polling
+ knotd: extended EDNS error (EDE) is added to the response if
appropriate
+ knotd: DNSSEC operation with extra ready public-only KSK is newly
allowed
+ knotd: new zone backup/restore filters for more variable component
specification
+ knotd: adaptive systemd service start timeout and new zone loading
status #733
+ knotd: configuration option for enabling TCP Fast Open on outbound
communication
+ knotd: when the server starts, zone NOTIFY is sent only if not sent
already
+ knotc: zone reload with the force flag triggers reload of the zone and
its modules
+ libs: support for parsing and dumping SVCB and HTTPS resource records
+ kdig: support for TCP Fast Open along with DoT/DoH #549
+ kxdpgun: basic support for DNS over TCP processing
+ kxdpgun: current traffic statistics can be printed using a USR1 signal
+ python: new libknot/probe API wrapper
Improvements:
+ knotd: PID file is created even in the foreground mode
+ knotd: more robust and enhanced zone data backup and restore operations
+ knotd: maximum length of an XFR message is limited to 16 KiB for better
compression
+ knotd: maximum CNAME/DNAME chain depth per reply was decreased from 20
to 5
+ knotd: improved performance of processing domain names with many short
labels
+ knotd: adaptive limit on the number of LMDB readers to avoid problems
with many workers
+ knotd: TTL of generated NSEC(3) records is set to min(SOA TTL, SOA
minimum)
+ knotd: TTL of generated NSEC3PARAM is equal to TTL of NSEC3 records
+ knotd: maximum TCP segment size is restricted to 1220 octets on Linux
#468
+ knotc: various improvements in error reporting
+ knotc: default control timeout is infinity in the blocking mode
+ dnssec: dnskey generator tries to return a key with a unique keytag
+ kxdpgun: RLIMIT_MEMLOCK is increased only if not high enough
+ kxdpgun: RTNETLINK is used for getting network information instead of
the ip command
Bugfixes:
+ knotd: DNAME not applied more than once to resolve the query #714
+ knotd: root zone not correctly purged from the journal
+ kzonecheck: incorrect check for opt-outed empty non-terminal nodes
+ libzscanner: wrong error line number
+ libzscanner: broken multiline rdata processing if an error occurs
+ mod-geoip: NXDOMAIN is responded instead of NODATA #745
+ make: build fails with undefined references if building using slibtool
#722
Packaging:
+ knotd: systemd service reload uses 'kill -HUP' instead of 'knotc
reload'
+ kxdpgun: new library dependency libmnl
+ mod-dnstap: new package separate from the knot package
+ mod-geoip: new package separate from the knot package
Compatibility:
+ configure: option '--enable-xdp=yes' means use an external libbpf if
available
or use the embedded one
+ libzscanner: omitted TTL value is correctly set to the last explicitly
stated value (RFC 1035)
+ knotc: zone restore from an old backup (3.0.x) requires forced
operation
+ knotd: configuration option 'server.listen-xdp' is replaced with
'xdp.listen'
+ knotd: zone file loading with automatic SOA serial incrementation newly
requires having full zone in the journal
+ knotd: obsolete configuration options 'zone.disable-any',
'server.tcp-handshake-timeout'
are silently ignored
+ knotd: obsolete configuration options 'zone.max-zone-size',
'zone.max-journal-depth',
'zone.max-journal-usage', 'zone.max-refresh-interval',
'zone.min-refresh-interval', 'server.max-ipv4-udp-payload',
'server.max-ipv6-udp-payload', 'server.max-udp-payload',
'server.tcp-reply-timeout', 'server.max-tcp-clients' are ignored
+ knotd: obsolete default template options 'template.journal-db',
'template.kasp-db', 'template.timer-db',
'template.max-journal-db-size', 'template.journal-db-mode',
'template.max-timer-db-size', 'template.max-kasp-db-size' are
ignored
Version 3.0.8
Friday, July 16, 2021
Features:
+ knotc: new command for loading DNSSEC keys without dropping all RRSIGs
when re-signing
+ knotd: new policy configuration option for disabling some DNSSEC safety
features #741
+ mod-geoip: new dnssec and policy configuration options
Bugfixes:
+ knotd: early KSK removal during a KSK rollover if automatic KSK
submission check
is enabled and DNSKEY TTL is lower than the corresponding DS TTL
+ knotd: failed to generate a new DNSKEY if previously generated shared
key not available
+ knotd: periodical error logging when a PKCS #11 keystore failed to
initialize #742
+ knotd: zone commit doesn't check for missing SOA record
Version 3.0.7
Wednesday, June 16, 2021
Features:
+ knotd: new configuration policy option for CDS digest algorithm setting
#738
+ keymgr: new command for primary SOA serial manipulation in on-secondary
signing mode
Improvements:
+ knotd: improved algorithm rollover to shorten the last step of old
RRSIG publication
Bugfixes:
+ knotd: zone is flushed upon server start, despite DNSSEC signing is
up-to-date
+ knotd: wildcard nonexistence is proved on empty-non-terminal query
+ knotd: redundant wildcard proof for non-authoritative data in a reply
+ knotd: missing wildcard proofs in a wildcard-cname loop reply
+ knotd: incorrectly synthesized CNAME owner from a wildcard record #715
+ knotd: zone-in-journal changeset ignores journal-max-usage limit #736
+ knotd: incorrect processing of zone-in-journal changeset with SOA
serial 0
+ knotd: broken initialization of processing workers if SO_REUSEPORT(_LB)
not available
+ kjournalprint: reported journal usage is incorrect #736
+ keymgr: cannot parse algorithm name ed448 #739
+ keymgr: default key size not set properly
+ kdig: failed to process huge DoH responses
+ libknot/probe: some corner-case bugs
Version 3.0.6
Wednesday, May 12, 2021
Features:
+ mod-probe: new module for simple traffic logging (Python API not yet
included)
Improvements:
+ keymgr: new mode for listing zones with at least one key stored
+ keymgr: the pregenerate command accepts optional timestamp-from
parameter
+ kzonecheck: accept '-' as substitution for standard input #727
+ knotd: print an error when unable to change owner of a logging file
+ knotd: new warning log if no interface is configured
+ knotd: new signing policy check for NSEC3 iterations higher than 20
+ knotd: don't allow backup to/restore from the DB storage directory
+ Various code (mostly zone backup/restore), tests, and documentation
improvements
Bugfixes:
+ knotd: secondary fails to load zone file if HTTPS or SVCB record is
present #725
+ knotd: (KSK roll-over) new KSK is not signing DNSKEY long enough before
DS submission
+ knotd: (KSK roll-over) old KSK uselessly published after roll-over
finished
+ knotd: malformed address in TCP-related logs when listening on a UNIX
socket
+ knotd: server responds FORMERR instead of BADTIME if TSIG signed time
is zero #730
+ modules: incorrect local and remote addresses in the XDP mode
+ modules: failed to read configuration from a section without
identifiers
+ mod-synthrecord: queries on synthesized empty-non-terminals not
answered with NODATA
+ keymgr: confusing error if del-all-old command fails
Diffstat (limited to 'net/knot/PLIST')
-rw-r--r-- | net/knot/PLIST | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/net/knot/PLIST b/net/knot/PLIST index e7a601b31b0..605009abdcb 100644 --- a/net/knot/PLIST +++ b/net/knot/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.17 2020/10/01 03:37:02 ryoon Exp $ +@comment $NetBSD: PLIST,v 1.18 2021/08/07 16:36:18 ryoon Exp $ bin/kdig bin/khost bin/knsec3hash @@ -8,6 +8,7 @@ bin/kzonesign include/knot/module.h include/libdnssec/binary.h include/libdnssec/crypto.h +include/libdnssec/digest.h include/libdnssec/dnssec.h include/libdnssec/error.h include/libdnssec/key.h @@ -30,6 +31,7 @@ include/libknot/db/db_lmdb.h include/libknot/db/db_trie.h include/libknot/descriptor.h include/libknot/dname.h +include/libknot/dynarray.h include/libknot/endian.h include/libknot/errcode.h include/libknot/error.h @@ -40,6 +42,8 @@ include/libknot/packet/compr.h include/libknot/packet/pkt.h include/libknot/packet/rrset-wire.h include/libknot/packet/wire.h +include/libknot/probe/data.h +include/libknot/probe/probe.h include/libknot/rdata.h include/libknot/rdataset.h include/libknot/rrset-dump.h @@ -55,10 +59,12 @@ include/libknot/rrtype/rdname.h include/libknot/rrtype/rrsig.h include/libknot/rrtype/soa.h include/libknot/rrtype/tsig.h +include/libknot/rrtype/zonemd.h include/libknot/tsig-op.h include/libknot/tsig.h include/libknot/version.h include/libknot/wire.h +include/libknot/xdp.h include/libknot/yparser/yparser.h include/libknot/yparser/ypformat.h include/libknot/yparser/ypschema.h @@ -92,4 +98,3 @@ sbin/knotc sbin/knotd share/examples/knot/example.com.zone share/examples/knot/knot.sample.conf -@pkgdir etc/knot |
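Review bot: In the @@ -55,10 +59,12 @@ hunk, include/libknot/xdp.h is listed as an unconditional entry, while the changelog in this commit ties XDP support to a configure option ('--enable-xdp'). If the header is installed only when XDP is enabled, the entry needs a PLIST condition set from the package Makefile so the package does not fail its PLIST check on builds without XDP; if upstream installs it regardless, a short remark in the commit message would settle it. The same question applies to include/libknot/probe/data.h and include/libknot/probe/probe.h added in the @@ -40,6 +42,8 @@ hunk.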
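Review bot: The last hunk (@@ -92,4 +98,3 @@) drops '@pkgdir etc/knot' without any explanation; the commit message carries only the upstream changelog. share/examples/knot/knot.sample.conf is still installed, so the package presumably still expects a configuration directory. Please confirm that etc/knot is now created elsewhere (this view is limited to net/knot/PLIST, so the Makefile side is not visible) with the intended owner and mode, and state the reason for the removal in the commit message.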