Version 3.5.0

Features:

  • knotd: database zone backend using Redis/Valkey (see 'Database zone backend')
  • knotd: support for multiple control sockets (see 'control.listen')
  • knotd: external zone validation (see 'External validation')
  • knotd: authorization based on certificate hostname validation (see 'DNS over QUIC')
  • knotd: multiple keystores can be specified per policy (see 'DNSSEC multiple keystores')
  • knotd: specified resource record types can be omitted when loading (see 'zone.zonefile-skip')
  • knotd: configurable delay before zone change processing (see 'zone.update-delay')
  • knotd: subzone flattening (see 'zone.include-from')

Improvements:

  • knotd: optimized dynamic zone addition/removal for many zones
  • knotd: optimized catalog updates for many zones
  • knotd: replaced a poor atomic fallback with a spin-lock-protected version
  • knotd: support for independent SOA serial series on the secondary side
  • knotd: self-signed certificate contains SAN instead of CN
  • knotd: removed RCU synchronization lock between unrelated zones' updates
  • knotd: zone-reload/reload fails if there is a module configuration error
  • knotd: control interfaces are started before zone loading
  • knotd: session ticket pool is purged on server reload if the credentials changed
  • knotc: status returns 'Loading' if the server is not yet answering
  • knotc: extended tab completion for details, filters, and paths
  • kzonecheck: zone origin auto-detection uses SOA owner from the checked zone file
  • libknot: XDP drops packets with too many or inappropriate extended IPv6 headers
  • libknot: extended XDP checks for correct packets
  • libknot: semantically malformed resource records are dumped in generic format
  • libs: upgraded embedded libngtcp2 to 1.15.0
  • knot-exporter: less confusing option parsing and documentation
  • doc: various improvements

Bugfixes:

  • knotd: if multiple primaries send NOTIFY concurrently, only the last remote is queried
  • knotd: failed to build on macOS with POSIX semaphores
  • knotd: early zone free due to RCU-delayed update cleanup
  • knotd: server crashes if "" value overrides template master value
  • knot-exporter: label collisions caused by duplicate metrics (Thanks to Guillaume Cornet)

Packaging:

  • deb,rpm: keymgr extracted to a separate package knot-keymgr
  • deb,rpm: new package redis-knot with a Knot module for Redis/Valkey
  • docker: upgraded to Debian trixie-slim

Compatibility:

  • license: project relicensed to GPL-2.0-or-later
  • knotd: new default value of 'policy.nsec3-salt-length' is 0
  • knot-exporter: renamed some metrics, labels, or units (see 'Migration')