diff --git a/net/knot/Makefile b/net/knot/Makefile
index a245d6753..104bd3ec0 100644
--- a/net/knot/Makefile
+++ b/net/knot/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+# Copyright (C) 2014-2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,125 +8,187 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=knot
-PKG_VERSION:=1.6.5
+PKG_VERSION:=2.1.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/
-PKG_MD5SUM:=934b6feaeefd0df7b3be6709e39b19ce
+PKG_MD5SUM:=ee6a54ec8a7898579b768c66e2eaeb54
 
 PKG_MAINTAINER:=Daniel Salzman <daniel.salzman@nic.cz>
-PKG_LICENSE:=GPL-2.0+
+PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD MIT OLDAP-2.8
 
-PKG_BUILD_PARALLEL:=1
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk
 
+define Package/knot-lib/Default
+	SECTION:=libs
+	CATEGORY:=Libraries
+	TITLE:=Knot DNS
+	URL:=https://www.knot-dns.cz
+endef
+
 define Package/knot/Default
 	SECTION:=net
 	CATEGORY:=Network
+	SUBMENU:=IP Addresses and Names
 	TITLE:=Knot DNS
 	URL:=https://www.knot-dns.cz
-	SUBMENU:=IP Addresses and Names
-	DEPENDS:=+libopenssl +liburcu
+	USERID:=knot=5353:knot=5353
+endef
+
+define Package/knot-libdnssec
+	$(call Package/knot-lib/Default)
+	TITLE+= DNSSEC library
+	DEPENDS=+libpthread +libgnutls +jansson
 endef
 
 define Package/knot-libknot
-	$(call Package/knot/Default)
-	TITLE+= (library)
+	$(call Package/knot-lib/Default)
+	TITLE+= library
+	DEPENDS=+libpthread +knot-libdnssec
+endef
+
+define Package/knot-libzscanner
+	$(call Package/knot-lib/Default)
+	TITLE+= zone parser library
+	DEPENDS=+libpthread
 endef
 
 define Package/knot
 	$(call Package/knot/Default)
-	TITLE+= (server)
-	DEPENDS+=+knot-libknot
+	TITLE+= server
+	DEPENDS=+liburcu +knot-libdnssec +knot-libknot +knot-libzscanner
 endef
 
 define Package/knot-dig
 	$(call Package/knot/Default)
-	TITLE+= lookup utility
-	DEPENDS+=+knot-libknot
+	TITLE+= advanced DNS lookup utility
+	DEPENDS=+knot-libdnssec +knot-libknot
 endef
 
 define Package/knot-host
 	$(call Package/knot/Default)
 	TITLE+= simple DNS lookup utility
-	DEPENDS+=+knot-libknot
+	DEPENDS=+knot-libdnssec +knot-libknot
+endef
+
+define Package/knot-nsupdate
+	$(call Package/knot/Default)
+	TITLE+= dynamic DNS update utility
+	DEPENDS=+knot-libdnssec +knot-libknot +knot-libzscanner
 endef
 
 define Package/knot-nsec3hash
 	$(call Package/knot/Default)
 	TITLE+= simple NSEC3 hash utility
-	DEPENDS+=+knot-libknot
+	DEPENDS=+knot-libdnssec
 endef
 
-define Package/knot-nsupdate
+define Package/knot-keymgr
 	$(call Package/knot/Default)
-	TITLE+= dynamic DNS update utility
-	DEPENDS+=+knot-libknot
+	TITLE+= DNSSEC key management utility
+	DEPENDS=+knot-libdnssec +knot-libzscanner
 endef
 
 define Package/knot-tests
 	$(call Package/knot/Default)
-	TITLE+= (tests)
-	DEPENDS+=+knot-libknot
+	TITLE+= tests
+	DEPENDS=+liburcu +knot-libdnssec +knot-libknot +knot-libzscanner
+endef
+
+define Package/knot-libdnssec/description
+	Knot DNS DNSSEC library.
 endef
 
 define Package/knot-libknot/description
 	Knot DNS library.
 endef
 
+define Package/knot-libdnssec/description
+	Knot DNS zone parser library.
+endef
+
 define Package/knot/description
 	High-performance authoritative-only DNS server.
 endef
 
 define Package/knot-dig/description
-	Knot DNS lookup utility.
+	Knot DNS advanced DNS lookup utility.
 endef
 
 define Package/knot-host/description
 	Knot DNS simple DNS lookup utility.
 endef
 
+define Package/knot-nsupdate/description
+	Knot DNS dynamic DNS update utility.
+endef
+
 define Package/knot-nsec3hash/description
-	Knot DNS simple utility to compute NSEC3 hash.
+	Knot DNS simple NSEC3 hash utility.
 endef
 
-define Package/knot-nsupdate/description
-	Knot DNS dynamic DNS update utility.
+define Package/knot-keymgr/description
+	Knot DNS DNSSEC key management utility.
 endef
 
 define Package/knot-tests/description
-	Unit tests for Knot DNS server.
+	Unit tests for the Knot DNS server and libraries.
 	Usage: /usr/share/knot/runtests.sh
 endef
 
-define Package/knot/conffiles
-/etc/knot/knot.conf
-endef
-
 CONFIGURE_ARGS += 			\
 	--enable-recvmmsg=no		\
 	--disable-fastparser		\
 	--without-libidn		\
-	--with-rundir=/var/run		\
-	--with-storage=/etc/knot
+	--with-rundir=/var/run/knot	\
+	--with-storage=/var/lib/knot	\
+	--with-configdir=/etc/knot	\
+	--with-timer-mapsize=50		\
+	--with-conf-mapsize=50
 
-TARGET_CFLAGS += -std=gnu99 -DPSELECT_COMPAT
+TARGET_CFLAGS += -DPSELECT_COMPAT -DNDEBUG
+
+define Package/knot/conffiles
+/etc/knot/knot.conf
+endef
 
 define Build/Compile
 	$(MAKE) -C $(PKG_BUILD_DIR)
 	$(MAKE) -C $(PKG_BUILD_DIR)/libtap check
+	$(MAKE) -C $(PKG_BUILD_DIR)/src/dnssec/tests check-compile-only
 	$(MAKE) -C $(PKG_BUILD_DIR)/tests check-compile-only
 	$(MAKE) -C $(PKG_BUILD_DIR)/src/zscanner check-compile-only
 endef
 
+define Build/InstallDev
+	$(INSTALL_DIR)					$(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.{a,so*}	$(1)/usr/lib/
+
+	$(INSTALL_DIR)						$(1)/usr/include/libknot
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/libknot/*		$(1)/usr/include/libknot/
+
+	$(INSTALL_DIR)							$(1)/usr/lib/pkgconfig
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc	$(1)/usr/lib/pkgconfig/
+endef
+
+define Package/knot-libdnssec/install
+	$(INSTALL_DIR) 						$(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libdnssec.so.*		$(1)/usr/lib/
+endef
+
 define Package/knot-libknot/install
 	$(INSTALL_DIR) 						$(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libknot.so.*		$(1)/usr/lib/
+endef
+
+define Package/knot-libzscanner/install
+	$(INSTALL_DIR) 						$(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libzscanner.so.*	$(1)/usr/lib/
 endef
 
@@ -137,7 +199,6 @@ define Package/knot/install
 
 	$(INSTALL_DIR) 							$(1)/etc/knot
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/knot/knot.sample.conf	$(1)/etc/knot/knot.conf
-	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/knot/example.com.zone	$(1)/etc/knot/
 
 	$(INSTALL_DIR)				$(1)/etc/init.d
 	$(INSTALL_BIN) ./files/knotd.init	$(1)/etc/init.d/knotd
@@ -153,14 +214,19 @@ define Package/knot-host/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/khost		$(1)/usr/bin/
 endef
 
+define Package/knot-nsupdate/install
+	$(INSTALL_DIR)						$(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/knsupdate	$(1)/usr/bin/
+endef
+
 define Package/knot-nsec3hash/install
 	$(INSTALL_DIR)						$(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/knsec3hash	$(1)/usr/bin/
 endef
 
-define Package/knot-nsupdate/install
-	$(INSTALL_DIR)						$(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/knsupdate	$(1)/usr/bin/
+define Package/knot-keymgr/install
+	$(INSTALL_DIR)						$(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/keymgr	$(1)/usr/sbin/
 endef
 
 define Package/knot-tests/install
@@ -171,13 +237,19 @@ define Package/knot-tests/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libtap/runtests		$(1)/usr/share/knot/tap/
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libtap/tap/libtap.sh	$(1)/usr/share/knot/tap/
 
-	$(INSTALL_DIR)								$(1)/usr/share/knot/tests
+	$(INSTALL_DIR)									$(1)/usr/share/knot/tests
+
+	find $(PKG_BUILD_DIR)/src/dnssec/tests -maxdepth 1 -executable -type f | \
+		xargs -I{} basename {} | \
+		xargs -I{} $(INSTALL_BIN) -T $(PKG_BUILD_DIR)/src/dnssec/tests/{}	$(1)/usr/share/knot/tests/dnssec_test_{}
+
 	find $(PKG_BUILD_DIR)/tests/.libs -maxdepth 1 -executable -type f | \
 		xargs -I{} basename {} | \
-		xargs -I{} $(INSTALL_BIN) -T $(PKG_BUILD_DIR)/tests/.libs/{}	$(1)/usr/share/knot/tests/test_{}
+		xargs -I{} $(INSTALL_BIN) -T $(PKG_BUILD_DIR)/tests/.libs/{}		$(1)/usr/share/knot/tests/test_{}
 
-	$(INSTALL_DIR)						$(1)/usr/share/knot/tests/data
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/tests/data/sample_conf	$(1)/usr/share/knot/tests/data/
+	find $(PKG_BUILD_DIR)/tests/modules/.libs -maxdepth 1 -executable -type f | \
+		xargs -I{} basename {} | \
+		xargs -I{} $(INSTALL_BIN) -T $(PKG_BUILD_DIR)/tests/modules/.libs/{}	$(1)/usr/share/knot/tests/test_module_{}
 
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/zscanner/tests/.libs/zscanner-tool	$(1)/usr/share/knot/tests/
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/zscanner/tests/unittests		$(1)/usr/share/knot/tests/test_zscanner
@@ -185,10 +257,13 @@ define Package/knot-tests/install
 	cp -a $(PKG_BUILD_DIR)/src/zscanner/tests/data				$(1)/usr/share/knot/tests/
 endef
 
+$(eval $(call BuildPackage,knot-libdnssec))
 $(eval $(call BuildPackage,knot-libknot))
+$(eval $(call BuildPackage,knot-libzscanner))
 $(eval $(call BuildPackage,knot))
 $(eval $(call BuildPackage,knot-dig))
 $(eval $(call BuildPackage,knot-host))
-$(eval $(call BuildPackage,knot-nsec3hash))
 $(eval $(call BuildPackage,knot-nsupdate))
+$(eval $(call BuildPackage,knot-nsec3hash))
+$(eval $(call BuildPackage,knot-keymgr))
 $(eval $(call BuildPackage,knot-tests))
diff --git a/net/knot/files/knotd.init b/net/knot/files/knotd.init
index 23d3bd58e..0e5bf03f4 100644
--- a/net/knot/files/knotd.init
+++ b/net/knot/files/knotd.init
@@ -1,45 +1,39 @@
 #!/bin/sh /etc/rc.common
-START=70
-
-knot_bin="/usr/sbin/knotd"
-knot_ctl="/usr/sbin/knotc"
-config_file="/etc/knot/knot.conf"
-pid_file="/var/run/knot.pid"
-
-start() {
-  echo "Starting Knot DNS"
-
-  if [ -e $pid_file ]; then
-     echo "  Already running with PID `cat $pid_file`"
-     return 1
-  fi
-
-  $knot_bin -c $config_file -d
-
-  if [ $? -ne 0 ]; then
-    echo "  Failed to start"
-  fi
+#
+# Copyright (C) 2014-2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+#
+# This is free software, licensed under the GNU General Public License v2.
+
+START=50
+USE_PROCD=1
+
+PROG="/usr/sbin/knotd"
+CONFFILE="/etc/knot/knot.conf"
+
+USER="knot"
+USERID="5353"
+RUNDIR="/var/run/knot"
+STORAGE="/var/lib/knot"
+
+fix_perms() {
+	user_exists $USER $USERID || user_add $USER $USERID
+	group_exists $USER $USERID || group_add $USER $USERID
+
+	for dir in $RUNDIR $STORAGE; do
+		test -e $dir || {
+			mkdir -p $dir
+			chgrp $USER $dir
+			chmod g+w $dir
+		}
+		chgrp $USER $CONFFILE
+		chmod g+r $CONFFILE
+	done
 }
 
-stop() {
-  echo "Stopping Knot DNS"
-
-  if [ -e $pid_file ]; then
-    kill `cat $pid_file`
-    rm -f $pid_file
-  else
-    echo "  No PID file $pid_file"
-    return 1
-  fi
-}
-
-restart() {
-  stop
-  start
-}
-
-reload() {
-  echo "Reloading Knot DNS"
-
-  $knot_ctl -c $config_file reload
+start_service() {
+	fix_perms
+	procd_open_instance
+	procd_set_param command $PROG -c $CONFFILE
+	procd_set_param respawn
+	procd_close_instance
 }
diff --git a/net/knot/files/runtests.sh b/net/knot/files/runtests.sh
index 10032cb59..c45868faa 100644
--- a/net/knot/files/runtests.sh
+++ b/net/knot/files/runtests.sh
@@ -1,8 +1,7 @@
 #!/bin/sh
 
 cd `dirname "$0"`/tests
-../tap/runtests -b /tmp ./test_*
-
+../tap/runtests -b /tmp ./dnssec_test_* ./test_*
 ret=$?
 cd -
 
diff --git a/net/knot/patches/01_strptime_susv3.patch b/net/knot/patches/01_strptime_susv3.patch
deleted file mode 100644
index fc14b91d5..000000000
--- a/net/knot/patches/01_strptime_susv3.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/src/libknot/dnssec/key.c b/src/libknot/dnssec/key.c
-index 7dc0540..3e351bb 100644
---- a/src/libknot/dnssec/key.c
-+++ b/src/libknot/dnssec/key.c
-@@ -260,7 +260,15 @@ static int key_param_time(const void *save_to, char *value)
- 
- 	struct tm parsed = { 0 };
- 
--	if (!strptime(value, "%Y%m%d%H%M%S", &parsed)) {
-+	if (strlen(value) != 14) {
-+		return KNOT_EINVAL;
-+	}
-+
-+	char *v = value;
-+	char buf[32] = "";
-+	int ret = sprintf(buf, "%.4s %.2s %.2s %.2s %.2s %.2s",
-+	                  v, v + 4, v + 6, v + 8, v + 10, v + 12);
-+	if (ret != 19 || !strptime(buf, "%Y %m %d %H %M %S", &parsed)) {
- 		return KNOT_EINVAL;
- 	}
- 
diff --git a/net/knot/patches/01_zscanner_tests.patch b/net/knot/patches/01_zscanner_tests.patch
new file mode 100644
index 000000000..7ea4cfdd8
--- /dev/null
+++ b/net/knot/patches/01_zscanner_tests.patch
@@ -0,0 +1,25 @@
+diff --git a/src/zscanner/tests/unittests.in b/src/zscanner/tests/unittests.in
+index 9a4af53..f9b45bf 100644
+--- a/src/zscanner/tests/unittests.in
++++ b/src/zscanner/tests/unittests.in
+@@ -1,15 +1,14 @@
+ #!/bin/sh
+ 
+-SOURCE=@top_srcdir@/src/zscanner/tests
+-BUILD=@top_builddir@/src/zscanner/tests
++SOURCE="."
++BUILD="/tmp/knot-test"
++mkdir -p "$BUILD"
+ 
+-. @top_srcdir@/libtap/tap/libtap.sh
+-
+-cd "$BUILD"
++. ../tap/libtap.sh
+ 
+ TMPDIR=$(test_tmpdir)
+ TESTS_DIR="$SOURCE"/data
+-ZSCANNER_TOOL="$BUILD"/zscanner-tool
++ZSCANNER_TOOL=./zscanner-tool
+ 
+ plan 71
+ 
diff --git a/net/knot/patches/02_knot.conf.patch b/net/knot/patches/02_knot.conf.patch
index f82af0cfc..215b09fbe 100644
--- a/net/knot/patches/02_knot.conf.patch
+++ b/net/knot/patches/02_knot.conf.patch
@@ -1,28 +1,13 @@
 diff --git a/samples/knot.sample.conf.in b/samples/knot.sample.conf.in
-index 956e8a9..a068e67 100644
+index e07c8a7..ecc13ad 100644
 --- a/samples/knot.sample.conf.in
 +++ b/samples/knot.sample.conf.in
-@@ -14,7 +14,7 @@ system {
+@@ -9,7 +9,7 @@ server:
+     # Listen on all configured IPv6 interfaces.
+     listen: ::@53
+     # User for running the server.
+-    # user: knot:knot
++    user: knot:knot
  
-   # User for running server
-   # May also specify user.group (e.g. knot.knot)
--  user knot.knot;
-+  user root.root;
- 
-   # Directory for storing run-time data
-   # e.g. PID file and control sockets
-@@ -63,11 +63,11 @@ zones {
- #  storage "@storage_dir@";
- #
- #  Example master zone
--#  example.com {
--#    file "@config_dir@/example.com.zone";
-+  example.com {
-+    file "example.com.zone";
- #    xfr-out slave0;
- #    notify-out slave0;
--#  }
-+  }
- #
- #  Example slave zone
- #  example.net {
+ log:
+     # Log info and more serious events to syslog.
diff --git a/net/knot/patches/03_libtap_files.patch b/net/knot/patches/03_libtap_files.patch
new file mode 100644
index 000000000..bb7b34261
--- /dev/null
+++ b/net/knot/patches/03_libtap_files.patch
@@ -0,0 +1,15 @@
+diff --git a/libtap/tap/files.c b/libtap/tap/files.c
+index 0c24075..d33db6c 100644
+--- a/libtap/tap/files.c
++++ b/libtap/tap/files.c
+@@ -27,6 +27,10 @@
+ #include <sys/types.h>
+ #include <unistd.h>
+ 
++#ifndef O_NOFOLLOW
++#define O_NOFOLLOW 0
++#endif
++
+ char *test_mkdtemp(void)
+ {
+ 	char *tmpdir = getenv("TMPDIR");
diff --git a/net/knot/patches/03_zscanner_tests.patch b/net/knot/patches/03_zscanner_tests.patch
deleted file mode 100644
index a0d052421..000000000
--- a/net/knot/patches/03_zscanner_tests.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff --git a/src/zscanner/tests/TESTS b/src/zscanner/tests/TESTS
-index c88aef1..4e2148f 100644
---- a/src/zscanner/tests/TESTS
-+++ b/src/zscanner/tests/TESTS
-@@ -18,10 +18,8 @@
- 05-2_TTL
- 05-3_TTL
- 05-4_TTL
--06-0_INCLUDE
- 06-1_INCLUDE
- 06-2_INCLUDE
--06-3_INCLUDE
- 06-4_INCLUDE
- 06-5_INCLUDE
- 06-6_INCLUDE
-diff --git a/src/zscanner/tests/unittests.in b/src/zscanner/tests/unittests.in
-index 846f351..272856c 100644
---- a/src/zscanner/tests/unittests.in
-+++ b/src/zscanner/tests/unittests.in
-@@ -1,9 +1,9 @@
- #!/bin/sh
- 
--SOURCE=@top_srcdir@/src/zscanner/tests
--BUILD=@top_builddir@/src/zscanner/tests
-+SOURCE="."
-+BUILD="."
- 
--. @top_srcdir@/libtap/tap/libtap.sh
-+. ../tap/libtap.sh
- 
- cd "$BUILD"
- 
-@@ -11,7 +11,7 @@ TMPDIR=$(test_tmpdir)
- TESTS_DIR="$SOURCE"/data
- ZSCANNER_TOOL="$BUILD"/zscanner-tool
- 
--plan 71
-+plan 69
- 
- mkdir -p "$TMPDIR"/includes/
- for a in 1 2 3 4 5 6; do