knot-3.1.4-bp154.1.87

- update to version 3.1.4, see:
  https://www.knot-dns.cz/2021-11-04-version-314.html

- update to version 3.1.3, see:
  https://www.knot-dns.cz/2021-10-18-version-313.html

- migrate to user creation via sysuser-tools
- run spec-cleaner on spec file
- update to version 3.1.2, see:
  https://www.knot-dns.cz/2021-09-08-version-312.html

- update to version 3.1.1, see:
  https://www.knot-dns.cz/2021-08-10-version-311.html

- update to version 3.1.0, see:
  https://www.knot-dns.cz/2021-08-02-version-310.html

- update to version 3.0.7, see:
  https://www.knot-dns.cz/2021-06-16-version-307.html

- make sure we have getent and groupadd/useradd in pre
  * added dependency on shadow and glibc
  * might be related to bnc#1186023

- update to version 3.0.6, see:
  https://www.knot-dns.cz/2021-05-12-version-306.html

- Make /etc/knot directory owned by knot - fix reload action

- Update descriptions, remove unsubstantiated claims.

- update to version 3.0.5, see:
  https://www.knot-dns.cz/2021-03-25-version-305.html
- Update description based on homepage

- Trim marketing wording from description.
- Drop old rpm constructs.

- version update to 3.0.4, see:
  https://www.knot-dns.cz/2021-01-20-version-304.html

- add incompatibility warning about 1.6.X version when updateing
- rename back to knot

- version update to 3.0.3

- version update to 2.9.7, see:
  https://www.knot-dns.cz/2020-08-31-version-296.html
  https://www.knot-dns.cz/2020-10-09-version-297.html
- obsolete only pre-2.0 version

- remove rosedb conditional as lmdb is required in general now

- replace conflicts with Provides/Obsoletes

- fix dependency: python-Sphinx -> python3-Sphinx

- fix dependency: python-Sphinx -> python3-Sphinx

- use upstream example config file with correct syntax

- version update to 2.9.4
  see NEWS

- version update to 2.9.2
  see NEWS

- update to 2.7.6
  - Improvements
  - Zone status also shows when the zone load is scheduled
  - Server workers status also shows background workers
    utilization
  - Default control timeout for knotc was increased to 10 seconds
  - Pkg-config files contain auxiliary variable with library
    filename
  - Bugfixes
  - Configuration commit or server reload can drop some pending
    zone events
  - Nonempty zone journal is created even though it's disabled
    [#635]
  - Zone is completely re-signed during empty dynamic update
    processing
  - Server can crash when storing a big zone difference to the
    journal
  - Failed to link on FreeBSD 12 with Clang

- update to 2.7.5
  - Features:
  - Keymgr supports NSEC3 salt handling
  - Improvements:
  - Zone history in journal is dropped apon AXFR-like zone update
  - Libdnssec is no longer linked against libm #628
  - Libdnssec is explicitly linked against libpthread if PKCS #11
    enabled #629
  - Better support for libknot packaging in Python
  - Manually generated KSK is 'ready' by default
  - Kdig supports '+timeout' as an alias for '+time'
  - Kdig supports '+nocomments' option
  - Kdig no longer prints empty lines between retries
  - Kdig returns failure if operations not successfully resolved
    [#632]
  - Fixed repeating of the 'KSK submission, waiting for
    confirmation' log
  - Various improvements in documentation, Dockerfile, and tests
  - Bugfixes:
  - Knotc fails to unset huge configuration section
  - Kjournalprint sometimes fails to display zone journal content
  - Improper timing of ZSK removal during ZSK rollover
  - Missing UTC time zone indication in the 'iso' keymgr list
    output
  - A race condition in the online signing module

- update to 2.7.4
  Features:
  - --------
  - Added SNI configuration for TLS in kdig (Thanks to Alexander Schultz)
  Improvements:
  - ------------
  - Added warning log when DNSSEC events not successfully scheduled
  - New semantic check on timer values in keymgr
  - DS query no longer asks other addresses if got a negative answer
  - Reintroduced 'rollover' configuration option for CDS/CDNSKEY publication
  - Extended logging for zone loading
  - Various documentation improvements
  Bugfixes:
  - --------
  - Failed to import module configuration #613
  - Improper Cflags value in libknot.pc if built with embedded LMDB #615
  - IXFR doesn't fall back to AXFR if malformed reply
  - DNSSEC events not correctly scheduled for empty zone updates
  - During algorithm rollover old keys get removed before DS TTL expires #617
  - Maximum zone's RRSIG TTL not considered during algorithm rollover #620

- seems we no longer need jansson

- limit geoip support to opensuse

- update to 2.7.3
  - Features:
  - New queryacl module for query access control
  - Configurable answer rrset rotation #612
  - Configurable NSEC bitmap in online signing
  - Improvements:
  - Better error logging for KASP DB operations #601
  - Some documentation improvements
  - Bugfixes:
  - Keymgr "list" output doesn't show key size for ECDSA algorithms #602
  - Failed to link statically with embedded LMDB
  - Configuration commit causes zone reload for all zones
  - The statistics module overlooks TSIG record in a request
  - Improper processing of an AXFR-style-IXFR response consisting of one-record messages
  - Race condition in online signing during key rollover #600
  - Server can crash if geoip module is enabled in the geo mode
- changes from 2.7.2
  - Improvements:
  - Keymgr list command displays also key size
  - Kjournalprint displays total occupied size in the debug mode
  - Server doesn't stop if failed to load a shared module from the module directory
  - Libraries libcap-ng, pthread, and dl are linked selectively if needed
  - Bugfixes:
  - Sometimes incorrect result from dnssec_nsec_bitmap_contains (libdnssec)
  - Server can crash when loading zone file difference and zone-in-journal is set
  - Incorrect treatment of specific queries in the module RRL
  - Failed to link module Cookies as a shared library
- changes from 2.7.1
  - Improvements:
  - Added zone wire size information to zone loading log message
  - Added debug log message for each unsuccessful remote address operation
  - Various improvements for packaging
  - Bugfixes:
  - Incompatible handling of RRSIG TTL value when creating a DNS message
  - Incorrect RRSIG TTL value in zone differences and knotc zone operation outputs
  - Default configure prefix is ignored
- changes from 2.7.0
  - Features:
  - New DNS Cookies module and related '+cookie' kdig option
  - New module for response tailoring according to client's subnet or geographic location
  - General EDNS Client Subnet support in the server
  - OSS-Fuzz integration (Thanks to Jonathan Foote)
  - New '+ednsopt' kdig option (Thanks to Jan V?elák)
  - Online Signing support for automatic key rollover
  - Non-normal file (e.g. pipe) loading support in zscanner #542
  - Automatic SOA serial incrementation if non-empty zone difference
  - New zone file load option for ignoring zone file's SOA serial
  - New build-time option for alternative malloc specification
  - Structured logging for DNSSEC key submission event
  - Empty QNAME support in kdig
  - Improvements:
  - Various library and server optimizations
  - Reduced memory consumption of outgoing IXFR processing
  - Linux capabilities use overhaul #546 (Thanks to Robert Edmonds)
  - Online Signing properly signs delegations and CNAME records
  - CDS/CDNSKEY rrset is signed with KSK instead of ZSK
  - DNSSEC-related records are ignored when loading zone difference with signing enabled
  - Minimum allowed RSA key length was increased to 1024
  - Bugfixes:
  - Possible uninitialized address buffer use in zscanner
  - Possible index overflow during multiline record parsing in zscanner
  - kdig +tls sometimes consumes 100 % CPU #561
  - Single-Type Signing doesn't work with single ZSK key #566
  - Zone not flushed after re-signing during zone load #594
  - Server crashes when committing empty zone transaction
  - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
  - Compatibility:
  - Removed obsolete RRL configuration
  - Removed obsolete module names 'mod-online-sign' and 'mod-synth-record'
  - Removed obsolete 'ixfr-from-differences' configuration option
  - Removed old journal migration
  - Removed module rosedb
- changes from 2.6.9
  - Improvements:
  - Added zone wire size to zone loading log message
  - Added debug log message for each unsuccessful remote address operation
  - Bugfixes:
  - Zone not flushed after re-signing during zone load #594
  - Server crashes when committing empty zone transaction
  - Incoming IXFR with on-slave signing sometimes leads to memory corruption #595
- packaging changes:
  - enabled geoip module: new BR: pkgconfig(libmaxminddb)
  - enabled cookies module
  - enabled queryacl module

- update to 2.6.8
  - Features:
  - New 'import-pkcs11' command in keymgr
  - Improvements:
  - Unixtime serial policy mimics Bind ? increment if lower #593
  - Bugfixes:
  - Creeping memory consuption upon server reload #584
  - Kdig incorrectly detects QNAME if 'notify' is a prefix
  - Server crashes when zone sign fails #587
  - CSK->KZSK rollover retires CSK early #588
  - Server crashes when zone expires during outgoing
    multi-message transfer
  - Kjournalprint doesn't convert zone name argument to
    lower-case
  - Cannot switch to a previously used ksk-shared dnssec policy
    [#589]
- update to 2.6.7
  - Features:
  - Added 'dateserial' (YYYYMMDDnn) serial policy configuration
    (Thanks to Wolfgang Jung)
  - Improvements:
  - Trailing data indication from the packet parser (libknot)
  - Better configuration check for a problematical option
    combination
  - Bugfixes:
  - Incomplete configuration option item name check
  - Possible buffer overflow in 'knot_dname_to_str' (libknot)
  - Module dnsproxy doesn't preserve letter case of QNAME
  - Module dnsproxy duplicates OPT and TSIG in the non-fallback
    mode

- Update to 2.6.6
  - Features:
  - New EDNS option counters in the statistics module
  - New '+orphan' filter for the 'zone-purge' operation
  - Improvements:
  - Reduced memory consuption of disabled statistics metrics
  - Some spelling fixes (Thanks to Daniel Kahn Gillmor)
  - Server no longer fails to start if MODULE_DIR doesn't exist
  - Configuration include doesn't fail if empty wildcard match
  - Added a configuration check for a problematical option combination
  - Bugfixes:
  - NSEC3 chain not re-created when SOA minimum TTL changed
  - Failed to start server if no template is configured
  - Possibly incorrect SOA serial upon changed zone reload with DNSSEC signing
  - Inaccurate outgoing zone transfer size in the log message
  - Invalid dname compression if empty question section
  - Missing EDNS in EMALF responses

- update to 2.6.5
  - Features:
  - New 'zone-notify' command in knotc
  - Kdig uses '@server' as a hostname for TLS authenticaion if
    '+tls-ca' is set
  - Improvements:
  - Better heap memory trimming for zone operations
  - Added proper polling for TLS operations in kdig
  - Configuration export uses stdout as a default output
  - Simplified detection of atomic operations
  - Added '--disable-modules' configure option
  - Small documentation updates
  - Bugfixes:
  - Zone retransfer doesn't work well if more masters configured
  - Kdig can leak or double free memory in corner cases
  - Inconsistent error outputs from dynamic configuration
    operations

- CVE-2017-11104: Fixed an improper implementation of TSIG protocol
  which could have allowed an attacker with a valid key name and
  algorithm to bypass TSIG authentication (bsc#1047841).
  Added knot-CVE-2017-11104.patch

- add knot-openssl-1.1+.patch
  * fix build with openssl 1.1+

- refreshed 0002-make-configure.ac-compatible-with-old-tools.patch
  to fix build

- update to 1.6.8
  - Zone size limit restriction for DDNS, AXFR, and IXFR
    (CVE-2016-6171)

- fix the sphinx buildrequires so we can build on sle12

- update to 1.6.7
  - Improvements:
  - IXFR: Log change of the zone serial number after the
    transfer.
  - RRL: Document operational impact of various settings.
  - RRL: Add support for zero slip (dropping of all limited
    responses).

- update to 1.6.6
  - Fix daemon startup systemd notification
  - Out-of-bound read in packet parser for malformed NAPTR records
    (LibFuzzer)
  - Add rosedb module
- enable rosedb
- refresh patches to apply cleanly again
  0001-loosen-openssl-dependency.patch
  0002-make-configure.ac-compatible-with-old-tools.patch

- skip silent rule in configure.ac to fix the SLE 11 build

- update to 1.6.5
  - Bugfixes:
  - Do not reload expired zones on 'knotc reload' and server
    startup
  - Fix rare race-condition in event scheduling causing delayed
    event execution
  - Fix skipping of non-authoritative nodes in NSEC proofs
  - Fix TC flag setting in RRL slipped answers
  - Disable domain name compression for root label for better
    compatibility
  - Log via journald only when running under systemd
  - Improve lookup of libsystemd build dependencies
  - Fix compilation warnings in endian conversion functions on
    OpenBSD
  - Features:
  - Update persistent timers only on shutdown for better
    performance
  - Add 'request-edns-option' config option to add custom EDNS0
    option into server initiated queries
  - Allow specification of time units in 'max-conn-idle',
    'max-conn-handshake', 'max-conn-reply', and 'notify-timeout'
    config options
- changes in 1.6.4
  - Bugfixes:
  - Fix lost NOTIFY message if received during zone transfer
  - Fix compilation error with LibreSSL
  - Disable fast zone parser when compiled in Clang (workaround
    for Clang bug)
  - kdig: Record correct dnstap SocketProtocol when retrying
    over TCP
  - kdig: Hide TSIG section with +noall
  - Do not set AA flag for AXFR/IXFR queries
  - Features:
  - Zone parser: Split long TXT/SPF strings into multiple
    strings
  - kdig: Add generic dump style option (+generic)
  - Try all master servers in multi-master environment
  - Improvements:
  - Zone dump: Do not write class for SOA record (unified with
    other RR types)
  - Zone dump: Do not write master server address into the zone
    file
- refresh patches to apply cleanly again
- sync spec file with knot2 spec file
  - use bcond_with for the systemd conditional
  - replace all occurences of %{name} with %{pkg_name}
  - removed duplicated libexecdir
  - also pass disable static and includedir

- local state dir should be just /var

- enable dnstap support for factory and newer:
  - new BR: protobuf-c and libfstrm-devel
- prepared lto support but not enabled yet, still need to find out
  which distros support it

- update to 1.6.3
  - Performance drop for NSEC-signed zones
  - Proper handling of TCP short-writes
  - Out-of-bound read in zone parser for long domain names in
    origin (AFL fuzzer)
  - Out-of-bound read in packet parser for TSIG RR without RDATA
    (AFL fuzzer)
  - Out-of-bound read in packet parser for malformed NAPTR RR (AFL
    fuzzer)
  - CDS and CDNSKEY support in zone parser
  - Add defaults for TCP config options into documentation
  - Detailed error message if zone reload fails
- refreshed patches to apply cleanly again:
  0002-make-configure.ac-compatible-with-old-tools.patch

- update to 1.6.2
  - Limiting number of parallel TCP clients (max-tcp-clients config
    option)
  - Ignore refresh and transfer events on non-slave zones
  - Compilation with Dnstap support on FreeBSD
  - Possible file descriptor leak when terminating inactive TCP
    clients
- refreshed patches to apply cleanly again:
  0002-make-configure.ac-compatible-with-old-tools.patch
- moved autoreconf -fi to %build so it wont be tried in quilt setup
  or similar tools
- move up the %if case for systemd in for the preun scriptlet to
  avoid warning about empty scripts on non systemd distributions.
- used xz tarball: new buildrequires xz

- Add deps on the docu packages to regen documentation
- Enable systemd integration fully
- Add dep on libidn
- Cleanup with spec-cleaner

- Only require lmdb-devel on (Open)SUSE 13.2 and higher

- Updated to 1.6.1
  Bugfixes:
  - Journal file would sometimes outgrow its set limit
  - Fixed incompatibility with OpenSSL 0.9.8
  - Proper handling when machine hostname cannot be retreived
  Features:
  - Support for DNSSEC Single Type Signing Scheme
- Compile with lmdb-devel to add support for persistent timers

- Updated to 1.6.0
  Bugfixes:
  - Fix zone expiration when AXFR/IXFR is being refused by master
  - Fix forced zone refresh on slave (knotc refresh -f)
  - Persistent timers database opening after privileges has been dropped
  - DNSSEC: RFC compliant processing of letter case in RDATA domain names
  - EDNS: Return minimal error response for queries with unsupported version
  - EDNS: Fix interpretation of Extended RCODE
  Improvements:
  - Maximal size of persistent timers database increased from 10 MB to 100 MB
  - Added logging of persistent timers database errors
  Features:
  - Persistent timers for slave zones (expire, refresh, and flush)

- Updated to 1.5.3
  Bugfixes:
  - Some specific incoming IXFRs were causing server to crash
  - Rare sychronization error during reload caused read-after-free
  - Response synthetization module did not work properly with DNSSEC-enabled zones
  - When Knot sent AXFR when IXFR was requested, message ID and opcode were wrong
  - Knot failed to send large messages to remote control (present since 1.5.1)
  - Some RR parsing corner cases were not handled properly
  - AXFR-style IXFR was refused and had to be retransfered
  - Hash character (#) was not properly escaped when storing text zone file
  - DNSSEC: DNAMEs in RDATA were not lowercased before signing
  - EDNS: OPT RR were not put into responsing for some errors
  - TSIG: DDNS responses were not signed with TSIG
  - DDNS: Prerequisite checks failed for some inputs
  - knsupdate: Zone origin was not used for deletions
  Features:
  - Basic support for logging using systemd journal
  - DDNS: Ability to process updates in bulk
  Improvements:
  - Unified logging messages structure
  - DNSSEC: More strict controls for signing keys
- Refreshed patches on top of 1.5.3 release:
  * 0001-loosen-openssl-dependency.patch
  * 0002-make-configure.ac-compatible-with-old-tools.patch

- Squash 0002-remove-AM_SILENT_RULES.patch and 0003-no-dist-xz.patch
  into 0002-make-configure.ac-compatible-with-old-tools.patch that
  removes configure.ac options incompatible with SLES_11_SP[23].
- added patches:
  * 0002-make-configure.ac-compatible-with-old-tools.patch
- removed patches:
  * 0002-remove-AM_SILENT_RULES.patch
  * 0003-no-dist-xz.patch

- Updated to 1.5.0
  Features:
  * DDNS forwarding reimplemented
  * edns-client-subnet support in kdig
  * Optional asynchronous startup (config "asynchronous-start")
  * Pluggable query processing modules
  * Synthetic IPv4/IPv6 reverse/forward records (optional module)
  * dnstap support in both utilities & server (optional module)
  * NOTIFY message support and new TSIG section in kdig
  * Multi-master support
  Improvements:
  * Transfer sizes logged in bytes if needed
  * Logging outgoing NOTIFY messages
  * Logging unauthorized incoming NOTIFYs
  * Preempt task queue for faster reload
  * Lazy zone file write after zone transfer (governed by "zonefile-sync")
  * Query processing and core functionality overhaul
  * Performance and reduced memory footprint
  * Faster zone events scheduling
  * RFC compliant queries/responses in some corner cases
  * Log messages
  * New documentation (Sphinx)
  Bugfixes:
  * Zone flush planning after bootstrap
  * Incorrect incoming AXFR message sizes
  * DDNS signing changes were freed too soon, posibility of stale data
  * knotc remote control key handling
  * Close zone transfer after SERVFAIL response
  * Incremental to full zone transfer fallback, wrong log message
  * Zone events corner cases, reload replanning

- updated to 1.4.7:
  * Fixed DDNS corner cases
  * Fixed zone EXPIRE timer
  * Fixed semantic checks false positives
  * Fixed sending malformed IXFR with automatic DNSSEC
  * Fixed NAPTR record serialization