mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-19 07:23:03 +02:00
025cf4aafc
- Update from version 3.2.4 to 3.3.5
- Update of rootfile
- Changelog
3.3.5 (2024-03-06)
Features:
- knotd: new module mod-authsignal for automatic authenticated DNSSEC
bootstrapping records synthesis (Thanks to Peter Thomassen)
- kzonecheck: new optional ZONEMD verification (see option '-z')
Improvements:
- knotd: new DNSSEC key rollover log informs about next planned key action
- knotd, kzonecheck: added limit on non-matching keys with a duplicate keytag
- knot-exporter: added counter-type variant for each metric (Thanks to Marcel Koch)
- libs: upgraded embedded libngtcp2 to 1.3.0
- doc: various fixes and updates
Bugfixes:
- knotd, kzonecheck: failed to validate RRSIG if there are more keys with the same keytag
- knotd, kzonecheck: failed to validate zone with more CSK keys
- libknot: insufficient check for malformed TCP header options over XDP
3.3.4 (2024-01-24)
Features:
- knotd: new configuration item for clearing configuration sections (see 'clear')
- knotc: configuration import can preserve database contents (see '+nopurge' flag)
- kxdpgun: new parameter for setting UDP payload size in EDNS (see '--edns-size') #915
Improvements:
- knotd: extended configuration check for 'zonefile-load' and 'journal-content'
- knotd: lowered check limit for additional NSEC3 iterations to 0
- knotd: lowered severity level of an informational backup log
- knotd: better log message when flushing the journal
- knotd: zone restore checks if requested contents are in the provided backup
- knotc: '+quic' is default for zone backup, '+noquic' is default for zone restore
- kdig: better processing of timeouts and reduced sent datagrams over QUIC
- kdig: no retries are attempted over QUIC
- keymgr: improved compatibility with bind9-generated keys
- libs: some improvements in XDP buffer allocation
- libs: upgraded embedded libngtcp2 to 1.2.0
- doc: various fixes and updates
Bugfixes:
- knotd: failed to build on macOS #909
- knotd: 'nsec3-salt-lifetime: -1' doesn't work if 'ixfr-from-axfr' is enabled
- knotd: unnecessarily updated RRSIGs if 'ixfr-from-axfr' and signing are enabled
- knotc: zone check complains about missing zone file #913
- kdig: failed to try another target address over QUIC
- libknot: infinite loop in knot_rrset_to_wire_extra() #916
3.3.3 (2023-12-13)
Features:
- knotd: new 'pattern' mode of ACL update owner matching (see 'acl.update-owner-match')
- knotc: new '+keysonly' filter for zone backup/restore
Improvements:
- knotd: zone purging waits for finished zone expiration for better reliability
- knotd: remote configuration considers more 'via' with the same address family
- knotd: refresh doesn't fall back from IXFR to AXFR upon a network error
- knotd: increased default for 'policy.rrsig-refresh' by (0.1 * 'rrsig-lifetime')
- knotd: new control flag 'u' for unix time output format from zone status
- knotd: extended check for inconsistent acl settings
- knotd/libknot: simplified TCP/QUIC sweep logging
- mod-dnsproxy: all configured remote addresses are used for fallback operation
- mod-dnsproxy: module responds locally if forwarding fails instead of SERVFAIL
- libs: upgraded embedded libngtcp2 to 1.1.0
- doc: various fixes and extensions
Bugfixes:
- knotd: zone backup fails due to improper backup context deinitialization #891
- knotd: failed to sign the zone if maximum zone's TTL is too high
- knotd: malformed TCP header if used with QUIC in the generic XDP mode
- knotd: server can crash when processing new TCP connections over XDP
- knotd: incorrect initialization of TCP limits
- knotd: orphaned PEM file not deleted when key generation fails
- knotd/libknot: connection timeouts over QUIC due to incomplete retransfer handling #894
- kdig: crashed when querying DNS over TLS if TLS handshake times out #896
- kzonecheck: failed to check DS with SHA-1 or GOST if not supported by local policy
- libdnssec: failed to compile with GnuTLS if PKCS #11 support is disabled
3.3.2 (2023-10-20)
Features:
- knotd: support for IXFR from AXFR computation (see 'zone.ixfr-from-axfr')
- knotd: support benevolent IXFR (see 'zone.ixfr-benevolent')
- knot-exporter: new configuration option '--no-zone-serial' #880
Improvements:
- libs: upgraded embedded libngtcp2 to 1.0.0
- knotd: added logging of new SOA serial when signing is finished
- knotd: unified some XDP-related logging
- keymgr: improved error message if a key file is not accessible
- keymgr: added offline RRSIGs validation at the end of their validity intervals
- kdig: upgraded EDNS presentation format to draft version -02
- kdig: simplified QUIC connection without extra PING frames
- kzonecheck: removed requirement that DS is at delegation point
- doc: various fixes and improvements
Bugfixes:
- knotd: logged incorrect new SOA serial if 'zonefile-load: difference' is set #875
- knotd: more signing threads with a PKCS #11 keystore has no effect #876
- knotd: DNAME record returned with query domain name instead of actual name #873
- knotd: failed to import configuration file if mod-geoip is in use #881
- knotd: failed to sign RRSet that fits to 64k only if compressed
- knotd: broken zone update context upon failed operation over control interface
- keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set
- knsupdate: incorrect processing of @ in the delete operation #879
- knot-exporter: failed to parse knotd PIDs on FreeBSD
Packaging:
- docker: added support for (inter-container) D-Bus signaling
3.3.1 (2023-09-11)
Improvements:
- knotd: multiple catalog groups per member are tolerated, but only one is used
- modules: added const qualifier to various function parameters #877 (Thanks to Robert Edmonds)
- libs: upgraded embedded libngtcp2 to 0.19.1
Bugfixes:
- knotd: TCP over XDP fails to respond
- knotd: server can crash when adjusting a wildcard glue
- knotd: failed to forward DDNS if 'zone.master' points to 'remotes'
- knotd: broken YAML statistics if more modules are configured #874
- knotd: DDNS forwarding isn't RFC 8945 compliant
3.3.0 (2023-08-28)
Features:
- knotd: full DNS over QUIC (DoQ, RFC 9250) implementation, also without XDP
- knotd: bidirectional XFR over QUIC (XoQ) support with opportunistic, strict,
and mutual authentication profiles
- knotd: automatic reverse PTR records pre-generation (see 'zone.reverse-generate')
- knotd: new per zone statistic counters 'zone.size' and 'zone.max-ttl'
- knotd: new primary server pinning (see 'zone.master-pin-tolerance')
- knotd: new SOA serial modulo policy (see 'zone.serial-modulo')
- knotd: new multi-signer operation mode (see 'policy.dnskey-sync' and 'DNSSEC multi-signer')
- kdig: support for EDNS presentation format, also in JSON mode (see '+optpresent')
- kxdpgun: new TCP/QUIC debug mode 'R' for connection reuse
- kxdpgun: new XDP mode parameter '--mode' (Thanks to Jan Včelák)
- kxdpgun: new parameter '--qlog' for qlog destination specification
- kzonecheck: new '--print' parameter for dumping the zone on stdout
Improvements:
- knotd: secondary can be configured not to forward DDNS (see 'zone.ddns-master')
- knotd: extended support for UNIX socket configuration (remote, acl)
- knotd: stats no longer dump empty or zero counters
- knotd: new 'keys-updated' D-Bus event
- knotd: added transport protocol information to outgoing event and nameserver logs
- knotd: server cleans up stale LMDB readers when opening a RW transaction
- knotd,kzonecheck: semantic check allows DS only at delegation point
- knotc: new zone backup filters '+quic' and '+noquic' for QUIC key backup
- mod-dnstap: DNS over QUIC traffic is marked as QUIC
- kxdpgun: QUIC connections are closed by default
- libs: upgraded embedded libngtcp2 to 0.18.0
- kdig: QUIC, TLS, or HTTPS protocol is printed in the final statistics
- doc: new sections 'DNS over QUIC' and 'DNSSEC multi-signer'
- doc: various improvements
Bugfixes:
- knotd: server can crash if a shared module is loaded and dynamic configuration used
- knotd: inaccurate transfer size is logged if EDNS EXPIRE, PADDING, or TSIG is present
- knotd: subsequent addition and removal to catalog zone isn't handled properly
- knotc: configuration import fails if an explicit shared module is configured
- utils: database transactions not properly closed when terminated prematurely
- kdig: double-free on some malformed responses over QUIC #869
- kdig: some TLS parameters override QUIC parameters
- libs: NULL record with empty RDATA isn't allowed
- tests: dthreads destructor test sometimes fails
Compatibility:
- knotd: responses to forwarded DDNS requests are signed with local TSIG key
- knotd: NOTIFY-initiated refresh tries all configured addresses of the remote
- knotd: configuration option 'xdp.quic-log' was replaced with 'log.quic'
- libs: removed embedded libbpf, an external one is necessary for XDP
- libs: DNS over QUIC implementation only supports 'doq' ALPN
- ctl: removed 'Version: ' prefix from 'status version' output
- modules: reduced parameters of 'knotd_qdata_local_addr()'
Packaging:
- knot-exporter: Prometheus exporter imported from GitHub
- knot-exporter: packages for Debian, Ubuntu, and PyPI
- debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/)
- docker: upgraded to Debian bookworm-slim
3.2.9 (2023-07-27)
Improvements:
- keymgr: 'import-pkcs11' not allowed if no PKCS #11 keystore backend is configured
- keymgr: more verbose key import errors
- doc: extended migration notes
- doc: various improvements
Bugfixes:
- knotd: server may crash when storing changeset of a big zone migrating to/from NSEC3
- knotd: zone refresh loop when all masters are outdated and timers cleared
- knotd: failed to active D-Bus notifications if not started as systemd service
- kjournalprint: database transaction not properly closed when terminated prematurely
3.2.8 (2023-06-26)
Improvements:
- kdig: malformed messages are parsed and printed using a best-effort approach
- python: new dname from wire initialization
Bugfixes:
- knotd: missing outgoing NOTIFY upon refresh if one of more primaries is up-to-date
- knotd: journal loop detection can prevent zone from loading
- knotd: cryptic error message when journal is full #842
- knotd: failed to query catalog zone over UDP
- configure: libngtcp2 check wrongly requires version 0.13.0 instead of 0.13.1
3.2.7 (2023-06-06)
Features:
- knotd: new configuration option for preserving incoming IXFR changeset history
(see 'zone.ixfr-by-one')
Improvements:
- knotd: journal ensures the stored changeset's SOA serials are strictly increasing
- knotd: more effective handling of zero KNOT_ZONE_LOAD_TIMEOUT_SEC environment value
- knotd, kdig: incoming transfer fails if a message has the TC bit set
- knotd, kjournalprint: store or print the timestamp of changeset creation
- kxdpgun: load only necessary number of queries (Thanks to Petr Špaček)
- kxdpgun: print ratio of sent vs. requested queries (Thanks to Petr Špaček)
- kxdpgun: print percentages as floats (Thanks to Petr Špaček)
- kjournalprint: ability to print a changeset loop
- kjournalprint: added changset serials information to '-z -d' output
- packaging: RHEL9 requires libxdp like fedora since RHEL 9.2 #844
- doc: various improvements
Bugfixes:
- knotd: journal loading can get stuck in a multi-changeset loop
- knotd: missing RCU lock when reading zone through the control interface
- knotd: server start D-Bus signaling doesn't work well if the zone file is
missing, catalog zones are used, or in the async-start mode
- knotd: test suite fails on 32bit architectures on musl 1.2 and newer #843
- knotd: failed to process zero-length messages over QUIC
- libs: compilation with embedded ngtcp2 fails if there is another ngtcp2 in the path
3.2.6 (2023-04-04)
Improvements:
- libs: upgraded embedded libngtcp2 to 0.13.1
- libs: added support for building on Cygwin and MSYS (Thanks to Christopher Ng)
- mod-dnstap: improved precision of stored time values
- kdig: added option for EDNS EXPIRE (see '+expire') #836
- kdig: extended description of SOA timers in the multiline mode
- kdig: reduced latency of TLS communication
- libknot: added EDE codes 28 and 29
- doc: various improvements
Bugfixes:
- knotd: generated catalog zone not updated upon server reload #834
- knotd: failed to check shared module configuration
- knotd: missing RCU registration of the statistics thread (Thanks to Qin Longfei)
- knotd: server logs failed to send QUIC packets in the XDP mode
- libs: inconsistent transformation of IPv4-Compatible IPv6 Addresses
- utils: failed to load configuration if dnstap module is enabled #831
- libknot: missing include string.h
3.2.5 (2023-02-02)
Features:
- knotd: new configuration option for enforcing IXFR fallback (see 'zone.provide-ixfr')
Improvements:
- knotd: changed UNIX socket file mode to 0222 for answering and 0220 for control
- mod-probe: new support for communication over a UNIX socket
- kdig: new support for communication over a UNIX socket
- libs: upgraded embedded libngtcp2 to 0.13.0
- doc: various improvements
Bugfixes:
- knotd: failed to get catalog member configuration if catalog template is in a template
- knotd: failed to respond over a UNIX socket with EDNS
- knotd: unexpected zone update upon restart or zone reload if ZONEMD generation is enabled
- knotd: redundant zone flush of unchanged zone if zone file load is 'difference-no-serial'
- knotd/kxdpgun: failed to receive messages over XDP with drivers tap or ena
- knotc: zone check doesn't report missing zone file #829
- kxdpgun: program crashes when remote closes QUIC connection instead of resumption
- mod-geoip: configuration check leaks memory in the geodb mode
- utils: unwanted color reset sequences in non-color output
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
IPFire 2.x - The Open Source Firewall
What is IPFire?
IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux. Its ease of use, high performance in any scenario and extensibility make it usable for everyone. For a full list of features have a look here.
This repository contains the source code of IPFire 2.x which is used to build the whole distribution from scratch, since IPFire is not based on any other distribution.
Where can I get IPFire?
Just head over to https://www.ipfire.org/download
How do I use this software?
We have a long and detailed wiki located here which should answers most of your questions.
But I have some questions left. Where can I get support?
You can ask your question at our community located here. A complete list of our support channels can be found here.
How can I contribute?
We have another document for this. Please look here.