Dear Knot Resolver users,
Knot Resolver 6.0.12 (early-access) has been released!
Security:
- DoS: fix rare crashes with either of the lines below (!1682)
[system] requirement "h && h->end > h->begin" failed in queue_pop_impl
[system] requirement "val == task" failed in session2_tasklist_del
Bugfixes:
- daemon: fix DoH with multiple "parallel" queries in one connection
(#931, !1677)
- /management/unix-socket: revert to absolute path (#926, !1664)
- fix `tags` when used in /local-data/rules/*/records (!1670)
- stats: request latency was very incorrect in some cases (!1676)
Improvements:
- /local-data/rpz/*/watchdog: new configuration to enable watchdog for
RPZ files (!1665)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.12/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.12.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.12.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.12/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 6.0.9 (early-access) has been released!
Improvements:
- rate-limiting: add these options, mechanism, docs (!1624)
- manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
The manager creates and sets the secret for all running 'kresd' workers.
The secret is created automatically if the user does not configure
their own secret in the configuration.
This means that the workers will be able to resume each other's TLS
sessions, regardless of whether the user has configured it to do so.
- answer NOTIMPL for meta-types and non-IN RR classes (!1589)
- views: improve interaction with old-style policies (!1576)
- stats: add stale answer counter 'answer.stale' (!1591)
- extended_errors: answer with EDE in more cases (!1585, !1588, !1590,
!1592)
- local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)
- daemon: use connected UDP sockets by default (#326, !1618)
- docker: multiplatform builds (#922, !1623)
- docker: shared VOLUMEs are prepared for configuration and cache
(!1625, !1627)
Configuration path was changed to standard
'/etc/knot-resolver/config.yaml'.
Bugfixes:
- daemon/proxyv2: fix informing the engine about TCP/TLS from the actual
client (!1578)
- forward: fix wrong pin-sha256 length; also log pins on mismatch
(!1601, #813)
Incompatible changes:
- -f/--forks is removed (#631, !1602)
- gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
- libuv < 1.27 support is dropped, released over 5 years ago (!1618)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.9/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.9.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.9.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.9/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Hello.
In case you're using our 5.x upstream repositories for Debian or Ubuntu,
as originally suggested on https://www.knot-resolver.cz/download/
<https://www.knot-resolver.cz/download/> you'll be running into an
expired signing key since yesterday. As we haven't updated in time
again, manual action is needed on every machine, I'm afraid.
Let's take this as an opportunity to migrate to our newer repositories
that should work better. You may already know them e.g. from version
6.x or Knot DNS. Setup is described at
https://pkg.labs.nic.cz/doc/?project=knot-resolver
<https://pkg.labs.nic.cz/doc/?project=knot-resolver>
You may want to also uninstall the original helper package by:
apt purge knot-resolver-release
Thanks for bearing with this inconvenience.
--Vladimir
Dear Knot Resolver users,
Knot Resolver versions 5.7.4 (stable) and 6.0.8 (early-access) have been
released!
Both releases include important security fixes, an update is strongly
advised!
Version 6.0.8 additionally brings some improvements, like faster policy
reloads using a new policy-loader process, respecting system-wide crypto
policies, JSON metrics, separate IPv6 and IPv4 metrics, and more.
---
Knot Resolver 5.7.4:
Security:
- reduce buffering of transmitted data, especially TCP-based in userspace
Also expose some of the new tweaks in lua:
(require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
(require
'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
Improvements:
- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
Incompatible changes:
- libknot 3.0.x support is dropped (!1558)
Upstream last maintained 3.0.x in spring 2022.
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.4/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.4.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.4.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v5.7.4/
---
Knot Resolver 6.0.8:
Security:
- reduce buffering of transmitted data, especially TCP-based in userspace
Also expose some of the new tweaks in lua:
(require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
(require
'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
Packaging:
- all packages:
- remove unused dependency on `libedit` (!1553)
- deb packages:
- packages ``knot-resolver-core`` and ``knot-resolver-manager`` have
been merged into a single ``knot-resolver6`` package. Suffix packages
``knot-resolver-*`` have been renamed to ``knot-resolver6-*``. This
change _should_ be transparent, but please do let us know if you
encounter any issues while updating. (!1549)
- package ``python3-prometheus-client`` is now only an optional
dependency
- rpm packages:
- packages ``knot-resolver-core`` and ``knot-resolver-manager`` have
been merged into a single ``knot-resolver`` package. This change
_should_ be transparent, but please do let us know if you encounter
any issues while updating. (!1549)
- bugfix: do not overwrite config.yaml (!1525)
- package ``python3-prometheus_client`` is now only an optional
dependency
- arch package:
- fix after they renamed a dependency (!1536)
Improvements:
- TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
- manager: export metrics to JSON via management HTTP API (!1527)
* JSON is the new default metrics output format
* the ``prometheus-client`` Python package is now an optional dependency,
required only for Prometheus export to work
- cache: prefetching records
* predict module: prefetching expiring records moved to prefetch module
* prefetch module: new module to prefetch expiring records
- stats: add separate metrics for IPv6 and IPv4 (!1545)
- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
- manager: policy-loader: new component for separate loading of policy
rules (!1540)
The ``policy-loader`` ensures that configured policies are loaded
into the rules database
where they are made available to all running kresd workers. This
loading is no longer done
by all kresd workers as it was before, so this should significantly
improve the resolver's
startup/reload time when loading large sets of policy rules, e.g.
large RPZs.
Incompatible changes:
- cache: the ``cache.prediction`` configuration property has been
reorganized
into ``cache.prefetch.expiring`` and ``cache.prefetch.prediction``,
changing
the default behaviour as well. See the `relevant documentation section
<https://www.knot-resolver.cz/documentation/v6.0.8/config-cache-predict.html>`_
for more.
- libknot <=3.2.x support is dropped (!1565)
Bugfixes:
- arch package: fix after they renamed a dependency (!1536)
- fix startup with `dnssec: false` (!1548)
- rpm packages: do not overwrite config.yaml (!1525)
- fix NSEC3 records missing in answer for positive wildcard expansion
with the NSEC3 having over-limit iteration count (#910, !1550)
- views: fix a bug in subnet matching (!1562)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.8/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.8.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.8.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.8/
--
Oto Šťáva | Knot Resolver team lead | CZ.NIC z.s.p.o.
PGP: 6DC2 B0CB 5935 EA7A 3961 4AA7 32B2 2D20 C9B4 E680
