Dear Knot Resolver users,
Knot Resolver versions 5.7.4 (stable) and 6.0.8 (early-access) have been
released!
Both releases include important security fixes, an update is strongly
advised!
Version 6.0.8 additionally brings some improvements, like faster policy
reloads using a new policy-loader process, respecting system-wide crypto
policies, JSON metrics, separate IPv6 and IPv4 metrics, and more.
---
Knot Resolver 5.7.4:
Security:
- reduce buffering of transmitted data, especially TCP-based in userspace
Also expose some of the new tweaks in lua:
(require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
(require
'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
Improvements:
- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
Incompatible changes:
- libknot 3.0.x support is dropped (!1558)
Upstream last maintained 3.0.x in spring 2022.
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.4/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.4.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.4.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v5.7.4/
---
Knot Resolver 6.0.8:
Security:
- reduce buffering of transmitted data, especially TCP-based in userspace
Also expose some of the new tweaks in lua:
(require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
(require
'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
Packaging:
- all packages:
- remove unused dependency on `libedit` (!1553)
- deb packages:
- packages ``knot-resolver-core`` and ``knot-resolver-manager`` have
been merged into a single ``knot-resolver6`` package. Suffix packages
``knot-resolver-*`` have been renamed to ``knot-resolver6-*``. This
change _should_ be transparent, but please do let us know if you
encounter any issues while updating. (!1549)
- package ``python3-prometheus-client`` is now only an optional
dependency
- rpm packages:
- packages ``knot-resolver-core`` and ``knot-resolver-manager`` have
been merged into a single ``knot-resolver`` package. This change
_should_ be transparent, but please do let us know if you encounter
any issues while updating. (!1549)
- bugfix: do not overwrite config.yaml (!1525)
- package ``python3-prometheus_client`` is now only an optional
dependency
- arch package:
- fix after they renamed a dependency (!1536)
Improvements:
- TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
- manager: export metrics to JSON via management HTTP API (!1527)
* JSON is the new default metrics output format
* the ``prometheus-client`` Python package is now an optional dependency,
required only for Prometheus export to work
- cache: prefetching records
* predict module: prefetching expiring records moved to prefetch module
* prefetch module: new module to prefetch expiring records
- stats: add separate metrics for IPv6 and IPv4 (!1545)
- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
- manager: policy-loader: new component for separate loading of policy
rules (!1540)
The ``policy-loader`` ensures that configured policies are loaded
into the rules database
where they are made available to all running kresd workers. This
loading is no longer done
by all kresd workers as it was before, so this should significantly
improve the resolver's
startup/reload time when loading large sets of policy rules, e.g.
large RPZs.
Incompatible changes:
- cache: the ``cache.prediction`` configuration property has been
reorganized
into ``cache.prefetch.expiring`` and ``cache.prefetch.prediction``,
changing
the default behaviour as well. See the `relevant documentation section
<https://www.knot-resolver.cz/documentation/v6.0.8/config-cache-predict.html>`_
for more.
- libknot <=3.2.x support is dropped (!1565)
Bugfixes:
- arch package: fix after they renamed a dependency (!1536)
- fix startup with `dnssec: false` (!1548)
- rpm packages: do not overwrite config.yaml (!1525)
- fix NSEC3 records missing in answer for positive wildcard expansion
with the NSEC3 having over-limit iteration count (#910, !1550)
- views: fix a bug in subnet matching (!1562)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.8/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.8.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-6.0.8.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/v6.0.8/
--
Oto Šťáva | Knot Resolver team lead | CZ.NIC z.s.p.o.
PGP: 6DC2 B0CB 5935 EA7A 3961 4AA7 32B2 2D20 C9B4 E680
Dear Knot Resolver users,
Knot Resolver versions 5.7.2 (stable) and 6.0.7 (early-access) have been
released! Both fix running on 32-bit systems with 64-bit time; 6.0.7
additionally brings fixes to RPZ, cache clearing via kresctl, and more.
---
Knot Resolver 5.7.2:
Bugfixes:
- fix on 32-bit systems with 64-bit time_t (!1510)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.2/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.2.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.2.tar.xz.asc
Documentation:
https://www.knot-resolver.cz/documentation/artifacts/1056229/index.html
---
Knot Resolver 6.0.7:
Improvements:
- manager: clear the cache via management HTTP API (#876, !1491)
- manager: added support for Python 3.12 and removed for 3.7 (!1502)
- manager: use build-time install prefix to execute `kresd` instead of
PATH (!1511)
- docs: documentation is now separated into user and developer parts (!1514)
- daemon: ignore UDP requests from ports < 1024 (!1507)
- manager: increase startup timeout for processes (!1518, !1520)
- local-data: increase default DB size to 2G on 64-bit platforms (!1518)
Bugfixes:
- fix listening by interface name containing dashes (#900, !1500)
- fix kresctl http request timeout (!1505)
- fix RPZ if it contains apex NS record (!1516)
- fix RPZ if SOA is repated, as usual in AXFR output (!1521)
- avoid RPZ overriding the root SOA (!1521)
- fix on 32-bit systems with 64-bit time_t (!1510)
- fix paths to knot-dns libs if exec_prefix != prefix (!1503)
- manager: add missing early check that neither a custom port nor TLS is
set for authoritative server forwarding (#902, !1505)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v6.0.7/NEWS
Documentation:
https://www.knot-resolver.cz/documentation/artifacts/1056245/index.html
--
Oto Šťáva | Knot Resolver team leader | CZ.NIC z.s.p.o.
PGP: 6DC2 B0CB 5935 EA7A 3961 4AA7 32B2 2D20 C9B4 E680
Dear Knot Resolver users,
DNS Shotgun v20240219, our high-performance realistic benchmarking tool
for DNS resolvers, has been released.
This new release, amongst a variety of other improvements, brings
support for testing DNS-over-QUIC.
Incompatible changes:
- CMake is now being used to build dnssim instead of Autotools
- GnuTLS 3.7.5+ is now required
Improvements:
- pcap/extract-clients: always reset UDP port numbers to 53 (!56)
- pcap/extract-clients: ability to write to stdout (!62)
- pcap/filter-dnsq: skip 'special' queries for *.dotnxdomain.net (!58)
- pcap/split-clients: new tool to split larger PCAPs into smaller ones (!61)
- pcap/merge-chunks: allow disabling randomization (!67)
- tools/plot-latency: ability to diversify lines with linestyles (!69)
- tools/plot-response-rate: estimate worst-case drop caused by discarded
packets (!74)
- tools/plot-packet-rate: handle incomplete last sampling period (!71)
- tools/plot-response-rate: ability to ignore RCODEs with small response
rate (!73)
- pcap/filter-dnsq: ability to log malformed queries (!72)
- pcap/generate-const-qps: new tool to generate constant QPS (!33)
- tools: allow customizing plot charts with `SHOTGUN_MPLSTYLES` (!65)
- replay: `--preload` argument, mainly for dnssim debugging with
sanitizers (!76)
- tools/plot-latency: use fractional values for humans in charts (!78)
- pcap/extract-clients: warn if some input packets were skipped (!80)
- dnssim: replace Autotools with CMake (!77, !86)
- configs: DoH configs with exclusively GET/POST methods (!82)
- tools/plot-response-rate: avoid division by zero (!89)
- tools/plot-latency: denser labels to improve logarithmic scale
readability (!90)
- pcap/extract-clients: allow query rewriting - anonymization (!91)
- Support for DNS-over-QUIC (!75)
Bugfixes:
- tools/plot-response-rate: avoid white lines on white background (!55)
- tools/plot-client-distribution: properly handle file limit (!59)
- pcap: proper PCAP write error handling (!60)
- tools/plot-connections: set axis limits properly (!66)
- tools/plot-packet-rate: trim chart whitespace (!79)
- replay: do not exit silently when dnssim returns non-zero (!87)
Full changelog:
https://gitlab.nic.cz/knot/shotgun/-/releases/v20240219
Sources:
https://gitlab.nic.cz/knot/shotgun/-/archive/v20240219/shotgun-v20240219.ta…
Documentation:
https://dns-shotgun.readthedocs.io/en/v20240219/
Oto Šťáva
Knot Resolver
CZ.NIC z.s.p.o.
Dear Knot Resolver users,
Knot Resolver versions 5.7.1 (stable) and 6.0.6 (early-access) have been
released!
These releases include important security fixes, an update is strongly
advised!
Security:
- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
* validator: lower the NSEC3 iteration limit (150 -> 50)
* validator: similarly also limit excessive NSEC3 salt length
* cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
* validator: limit the amount of work on SHA1 in NSEC3 proofs
* validator: refuse to validate answers with more than 8 NSEC3 records
- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
could be exploited to exhaust CPU resources and stall DNS resolvers.
Solution boils down mainly to limiting crypto-validations per packet.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel
and Michael Waidner
from the German National Research Center for Applied Cybersecurity ATHENE
for bringing this vulnerability to our attention.
Improvements:
- update addresses of B.root-servers.net (!1478)
Bugfixes:
- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
The update affects how some cached records are being treated, which may
trip up some sanity checking mechanisms in Knot Resolver if you have
advanced debugging options enabled (disabled by default),
"debugging.assertion_abort" for version 5 (Lua) and
"logging/debugging/assertation-abort" for version 6 (YAML). In case you
encounter any issues, please try clearing the cache first.
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.7.1/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
we would like to introduce you to Knot Resolver 6.x!
This future version of the resolver is now in the testing phase.
An article was published on our blog as part of this introduction.
EN: https://en.blog.nic.cz/2023/12/15/knot-resolver-6-x-news
CZ: https://blog.nic.cz/2023/12/15/novinky-v-knot-resolver-6-x
We will be happy if you try the new version and give us any feedback.
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 5.7.0 has been released!
Security
- avoid excessive TCP reconnections in a few more cases
Like before, the remote server had to behave nonsensically in order
to inflict this upon itself, but it might be abusable for DoS.
We thank Ivan Jedek from OryxLabs for reporting this.
Improvements
- forwarding mode: tweak dealing with failures from forwarders,
in particular prefer sending CD=0 upstream (!1392)
Bugfixes
- fix unusual timestamp format in debug dumps of records (!1386)
- adjust linker options; it should help less common platforms (!1384)
- hints module: fix names inside home.arpa. (!1406)
- EDNS padding (RFC 8467) compatibility with knot-dns 3.3 libs (!1422)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.7.0/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 5.6.0 has been released!
Security
- avoid excessive TCP reconnections in some cases (!1380)
For example, a DNS server that just closes connections without answer
could cause lots of work for the resolver (and itself, too).
The number of connections could be up to around 100 per client's query.
We thank Xiang Li from NISL Lab, Tsinghua University,
and Xuesong Bai and Qifan Zhang from DSP Lab, UCI.
Improvements
- daemon: feed server selection with more kinds of bad-answer events (!1380)
- cache.max_ttl(): lower the default from six days to one day
and apply both limits to the first uncached answer already (!1323 #127)
- depend on jemalloc, preferably, to improve memory usage (!1353)
- no longer accept DNS messages with trailing data (!1365)
- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)
Bugfixes
- policy.DEBUG_IF: don't print client's packet unconditionally (!1366)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.6.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.6.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.6.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.6.0/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
