Version 2.3.0

Bugfixes:

  • No wildcard expansion below empty non-terminal for NSEC signed zone
  • Don't ignore non-existing records to be removed in IXFR
  • Fix kdig IXFR response processing if the transfer content is empty
  • Avoid multiple loads of the same PKCS #11 module

Improvements:

  • Refactored semantic checks and improved error messages
  • Set TC flag in delegation only if mandatory glue doesn't fit the response
  • Separate EDNS(0) payload size configuration for IPv4 and IPv6

Features:

  • DNSSEC policy can be defined in server configuration
  • Automatic NSEC3 resalt according to DNSSEC policy
  • Zone content editing using control interface
  • Zone size limit restriction for DDNS, AXFR, and IXFR (CVE-2016-6171)
  • DNS-over-TLS support in kdig (RFC 7858)
  • EDNS(0) padding and alignment support in kdig (RFC 7830)

Full Knot DNS 2.3 changelog