Hello List!
Today, we release Knot DNS 1.4.6 with two minor fixes.
The first issue we've fixed would only occur when doing DNSSEC key
rollover using the key metadata (via the dnssec-settime tool, for
example) - there was a possibility that the server would try to sign the
zone continuously for a limited amount of time. DNSSEC data would stay
valid all the time though.
The other fix concerns mainly RRL users with recvmmsg enabled - when
using SLIP other than 1, responses that should have been dropped were
actually sent as empty UDP datagrams. Such responses would not be
helpful to the attacker, as they are actually smaller than the queries,
but they could confuse legitimate clients. This applies to the
responses to malformed query messages as well, even if the RRL is
disabled.
All in all, if you do not use the automatic DNSSEC or RRL, there's
probably no need to update. Hopefully, this is the last release before
the 1.5RC1 comes out, so stay tuned.
Full changelog:
https://gitlab.labs.nic.cz/labs/knot/blob/v1.4.6/NEWS
Sources:
https://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.gz
https://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.xz
GPG signatures:
https://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.gz.asc
https://secure.nic.cz/files/knot-dns/knot-1.4.6.tar.xz.asc
Updated packages will be available shortly. Thank you for using Knot
DNS.
Regards,
Jan
--
Jan Kadlec, Knot DNS
CZ.NIC Labs
http://www.knot-dns.cz
-------------------------------------------
Americká 23, 120 00 Praha 2, Czech Republic
WWW: http://labs.nic.cz http://www.nic.cz
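
The RRL fix described in the announcement can be checked from the client side by classifying the UDP payloads a test client receives from its own server. The following is an added example, not code from Knot DNS or from the announcement; the function names and the sample payloads are constructed for illustration, and it assumes the payloads were collected by the operator's own test client.

```python
import struct
from collections import Counter

DNS_HEADER_LEN = 12
QR_BIT = 0x8000  # message is a response
TC_BIT = 0x0200  # truncated: client should retry over TCP


def classify_datagram(payload: bytes) -> str:
    """Classify one UDP payload received from a DNS server."""
    if len(payload) == 0:
        return "empty"         # symptom described in the announcement
    if len(payload) < DNS_HEADER_LEN:
        return "short"         # not even a complete DNS header
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", payload[:DNS_HEADER_LEN])
    if not flags & QR_BIT:
        return "not-response"
    if flags & TC_BIT:
        return "truncated"     # consistent with an RRL slip response
    return "response"


def summarize(payloads):
    """Count payload classes; any 'empty' entry means a zero-length datagram was sent."""
    return Counter(classify_datagram(p) for p in payloads)


def make_header(qid, flags, qd=1, an=0):
    """Build a 12-byte DNS header (helper for the constructed samples)."""
    return struct.pack("!6H", qid, flags, qd, an, 0, 0)


# Constructed sample data: question for example.com A IN.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

SAMPLE = [
    make_header(0x1A2B, 0x8400, an=1) + QUESTION + ANSWER,  # normal answer
    make_header(0x1A2C, 0x8600) + QUESTION,                 # TC=1, no answer
    b"",                                                    # empty datagram
    b"",                                                    # empty datagram
    b"\x00\x01\x02",                                        # too short to parse
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE).items()):
        print(f"{kind}: {count}")
```

A non-zero "empty" count from a server with SLIP other than 1 matches the behaviour the announcement says 1.4.6 fixes; after upgrading, rate-limited queries should produce only truncated responses or no datagram at all.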