Dear Knot Resolver users,
Knot Resolver 6.0.16 (early-access) has been released!
Improvements:
- reduce validation strictness for domain names (#934, !1727)
- manager: force a configuration reload via management HTTP API
  'api/reload/force' (#939, !1748)
- kresctl: reload: added '--force' flag
- /fallback: add this feature/module (!1733)
- systemd: do not force-fail knot-resolver.service on OOM (!1724)
  In basically all cases the OOM killer will kill a kresd process
  and supervisord will just restart it, and everything will keep working.
Bugfixes:
- /options/query-case-randomization: respect this even on TCP issues (!1732)
- prometheus metrics: make the latency histogram cumulative (!1731, GH#117)
- fix file permission checks when running as root (!1741)
- /network/address-renumbering: fix conversion to Lua configuration (!1739)
- manager: avoid uncommon bugs when starting/quitting policy-loader (!1742)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.16/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.16.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.16/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 6.0.15 (early-access) has been released!
Security:
- DoS: fix a rare segfault in `resolve` function (!1717)
  Someone controlling the DNS traffic might be able
  to trigger this crash intentionally and too often.
- DoS: drop a wrong assertion/crash (!1718)
  Someone controlling the DNS traffic will most likely be able
  to trigger this crash intentionally and too often.
Bugfixes:
- manager: prometheus metrics update (!1703, #917, !1712)
  - added missing metrics split by IPv4 and IPv6
  - typo: resolver_answer_flags_rd_total -> resolver_answer_flag_rd_total
- /dnssec/trust-anchors-files: fix resolver startup (!1704)
- /network/edns-buffer-size: fix swapped upstream+downstream (!1711)
- cache: fix a crash in case garbage collection is too slow (!1713)
  [system] assertion "env->is_cache" failed in cdb_write
- /cache/prefill: fix 6.0.13 regression (!1705)
- datamodel: improve file permission check (#933, !1714)
- NO_CACHE flag: fix and tweak its behavior (!1715)
Improvements:
- update/more precise default answers for special names (!1709)
  https://www.iana.org/assignments/special-use-domain-names
  https://www.iana.org/assignments/locally-served-dns-zones
- kresctl: strict validation is now disabled by default (!1714)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.15/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.15.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.15.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.15/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 6.0.12 (early-access) has been released!
Security:
- DoS: fix rare crashes with either of the lines below (!1682)
  [system] requirement "h && h->end > h->begin" failed in queue_pop_impl
  [system] requirement "val == task" failed in session2_tasklist_del
Bugfixes:
- daemon: fix DoH with multiple "parallel" queries in one connection
  (#931, !1677)
- /management/unix-socket: revert to absolute path (#926, !1664)
- fix `tags` when used in /local-data/rules/*/records (!1670)
- stats: request latency was very incorrect in some cases (!1676)
Improvements:
- /local-data/rpz/*/watchdog: new configuration to enable watchdog for
  RPZ files (!1665)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.12/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.12.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.12.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.12/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 6.0.9 (early-access) has been released!
Improvements:
- rate-limiting: add these options, mechanism, docs (!1624)
- manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
  The manager creates and sets the secret for all running 'kresd' workers.
  The secret is created automatically if the user does not configure
  their own secret in the configuration.
  This means that the workers will be able to resume each other's TLS
  sessions, regardless of whether the user has configured it to do so.
- answer NOTIMPL for meta-types and non-IN RR classes (!1589)
- views: improve interaction with old-style policies (!1576)
- stats: add stale answer counter 'answer.stale' (!1591)
- extended_errors: answer with EDE in more cases (!1585, !1588, !1590,
  !1592)
- local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)
- daemon: use connected UDP sockets by default (#326, !1618)
- docker: multiplatform builds (#922, !1623)
- docker: shared VOLUMEs are prepared for configuration and cache
  (!1625, !1627)
  Configuration path was changed to standard
  '/etc/knot-resolver/config.yaml'.
Bugfixes:
- daemon/proxyv2: fix informing the engine about TCP/TLS from the actual
  client (!1578)
- forward: fix wrong pin-sha256 length; also log pins on mismatch
  (!1601, #813)
Incompatible changes:
- -f/--forks is removed (#631, !1602)
- gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
- libuv < 1.27 support is dropped, released over 5 years ago (!1618)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.9/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.9.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.9.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.9/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE