Version 2.9.4
Tuesday, May 5, 2020
Improvements:
- ANY query over UDP is always answered with one RRSet + possible RRSIG instead of truncated reply
- Server tries to resolve CNAME record generated by geoip module (Thanks to Conrad Hoffmann)
- Earlier OCSP validity check in kdig certificate verification (Thanks to Alexander Schultz)
- Module onlinesign allows KSK + ZSK mode
- Server control listen backlog limit was increased to 5
- Zone signing event is always re-scheduled even after a signing error
- Extended error checks and tiny enhancements in kjournalprint
- kdig logs a more detailed error message when it fails to acquire a remote address
- Some documentation improvements
Bugfixes:
- Server can crash when zone update fails due to exceeded zone size limit
- keymgr 'share' command doesn't work
- Shared KSK doesn't work with an initial key
- Self-created RRSIGs are still cryptographically verified in some unnecessary cases
- Changed NSEC3PARAM not correctly detected during zone update
- NSEC(3) chain not fixed if affected by zone update
- knotc orphan purge doesn't work on journal
- Online signing configured along with DNSSEC signing can cause MDB_BAD_RSLOT error during server reload
- Zone journal access can get stuck if the zone serial is mismanaged
- Concurrently added and removed same records in a DDNS message are not properly handled
- Zone check logs error instead of warning after a first error occurred