Dear Knot Resolver users,
Knot Resolver 5.3.0 has been released!
Note regarding CentOS 8 packages: Due to the Red Hat's hostile decision
to exclude devel packages from their distribution, we won't be providing
upstream packages or maintaining knot-resolver package in EPEL8 until
libuv-devel has been included in official RHEL8 release [rhbz#1895872].
If you depend on these, we can find a solution for your use-case as part
of the paid support we offer [1].
[rhbz#1895872] - https://bugzilla.redhat.com/show_bug.cgi?id=1895872
[1] - https://www.knot-resolver.cz/support/pro/
Improvements
------------
- more consistency in using parent-side records for NS addresses (!1097)
- better algorithm for choosing nameservers (!1030, !1126, !1140, !1141,
!1143)
- daf module: add daf.clear() (!1114)
- dnstap module: more features and don't log internal requests (!1103)
- dnstap module: include in upstream packages and Docker image (!1110,
!1118)
- randomize record order by default, i.e. reorder_RR(true) (!1124)
- prometheus module: transform graphite tags into prometheus labels
(!1109)
- avoid excessive logging of UDP replies with sendmmsg (!1138)
Bugfixes
--------
- view: fail config if bad subnet is specified (!1112)
- doh2: fix memory leak (!1117)
- policy.ANSWER: minor fixes, mainly around NODATA answers (!1129)
- http, watchdog modules: fix stability problems (!1136)
Incompatible changes
--------------------
- dnstap module: `log_responses` option gets nested under `client`;
see new docs for config example (!1103)
- libknot >= 2.9 is required
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.3.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.3.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.3.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
I have an early notification for those who rely on our upstream package
repositories for Debian 9 and Ubuntu 16.04.
Ubuntu 16.04: We'll no longer provide packages after April 2021 when the
distribution reaches end of life.
Debian 9: Knot Resolver 5.x is the last supported major version for
Debian 9. Once we release a new major version, we'll no longer provide
packages for Debian 9. We expect to release our next major version in
the second half of 2021.
Packages for other distributions remain unaffected and are supported as
usual.
Thanks for understanding.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 5.2.0 has been released!
One of the notable features is a new DNS-over-HTTTPS implementation
which is more scalable and stable than the old one. It also has less
dependencies and simpler configuration.
Another new feature is experimental eXpress Data Path (XDP) support for
UDP. With support from both the network card and the kernel, it can
provide superior performance and lower latency for UDP answers.
Some of the improvements and bugfixes required a few backward
incompatible changes, mainly regarding control sockets or module API.
Please refer to our upgrading guide for details:
https://knot-resolver.readthedocs.io/en/v5.2.0/upgrading.html#to-5-2
Improvements
------------
- doh2: add native C module for DNS-over-HTTPS (#600, !997)
- xdp: add server-side XDP support for higher UDP performance (#533,
!1083)
- lower default EDNS buffer size to 1232 bytes (#538, #300, !920);
see https://dnsflagday.net/2020/
- net: split the EDNS buffer size into upstream and downstream (!1026)
- lua-http doh: answer to /dns-query endpoint as well as /doh (!1069)
- improve resiliency against UDP fragmentation attacks (disable PMTUD)
(!1061)
- ta_update: warn if there are differences between statically configured
keys and upstream (#251, !1051)
- human readable output in interactive mode was improved (!1020)
- doc: generate info page (!1079)
- packaging: improve sysusers and tmpfiles support (!1080)
Bugfixes
--------
- avoid an assert() error in stash_rrset() (!1072)
- fix emergency cache locking bug introduced in 5.1.3 (!1078)
- migrate map() command to control sockets; fix systemd integration
(!1000)
- fix crash when sending back errors over control socket (!1000)
- fix SERVFAIL while processing forwarded CNAME to a sibling zone (#614,
!1070)
Incompatible changes
--------------------
- see upgrading guide:
https://knot-resolver.readthedocs.io/en/v5.2.0/upgrading.html#to-5-2
- minor changes in module API
- control socket API commands have to be terminated by "\n"
- graphite: default prefix now contains instance identifier (!1000)
- build: meson >= 0.49 is required (!1082)
- planned changes in future versions:
https://knot-resolver.readthedocs.io/en/v5.2.0/upgrading.html#upcoming-chan…
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.2.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.2.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.2.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.2.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear Knot Resolver users,
we would like to inform you about certain changes in upcoming Knot Resolver 5.2.0:
- - Users of Control sockets API need to terminate each command sent to resolver with newline character (ASCII \n). Correct usage: "cache.stats()\n". Newline terminated commands are accepted by all resolver versions >= 1.0.0.
- - Human readable output from Control sockets is not stable and changes from time to time. Users who need machine readable output for scripts should use Lua function "tojson()" to convert Lua values into standard JSON format instead of attempting to parse the human readable output. For example API call "tojson(cache.stats())\n" will return JSON string with "cache.stats()" results represented as dictionary. Function "tojson()" is available in all resolver versions >= 1.0.0.
- - DoH served with http module DNS-over-HTTP (DoH) will be marked as legacy and won’t receive any more bugfixes. A more reliable and scalable DoH module will be available instead. The new DoH module will only support HTTP/2 over TLS.
- - New releases since October 2020 will contain changes for DNS Flag Day 2020. Please double-check your firewall, it has to allow DNS traffic on UDP and also TCP port 53. See https://dnsflagday.net/2020/ for more information.
This text with links to further documentation can be found here:
https://knot-resolver.readthedocs.io/en/latest/upgrading.html#upcoming-chan…
We plan to use the same URL to publish planned changes in not-yet-released versions.
To make our version numbers easier to understand we have documented how we version new releases:
https://knot-resolver.readthedocs.io/en/latest/NEWS.html#version-numbering
Feedback is more than welcome. Do not hesitate to reach out on the usual channels:
https://www.knot-resolver.cz/support/
- --
Petr Špaček @ CZ.NIC
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl9+9kcACgkQzo3WoaUK
IeR7Jg/5AT4QLP1ZJBR8Vkoa5DirCnTBrBx3GPkiW+hVEXZPl55AXWMu54i9ZTuY
4R38+I1PypAM924n5xk98AaX7iRbISVZ87kOEfeJOKR2tzB8TiYwzufl2Y3PUYo8
IlazzcUyNFcQw4ARE3BqiQF6DLKl/s8U812XMEUlRdryE7lURWVEJyo711XNLPPy
6PWuGpsNboMR2V6z/7yrX/i+/0XGpxoSL8S9Fv4hQrOJB3c0lIZNSfaj23GywDao
ZgkqlxwBgPkOGAhSIq3r5Xqitl9fTh2Gb1565Lrbj+4OY5WbL8YqaNArZMp3poUD
T2QCH1bUypa0EP+smzdcriuFDWwl3L0zwODsnH2ofLAnosWeGfxtHXHI5W7rwskF
gAAZJJe+UhxSeBzwr01r6YwZbDYlHiDA9+AkGkYGjYwQmfLCTftXRhlqmJ3BvpeR
Nr97D8lSuct9XugIN2pUJfR1cVIr40ViiO3TG4m2eL2dHExELB4OOf/ZCOTX5dQk
KJuQSspz5zQvVFWZZh17L6iT9WUdgwmi0TkvR8aMmPlr75vokFvioQMAOHfHgGtq
7s10W9TtRGX5o9ioHtTLrDaqEC/0P79bMTVU5HCap1dSCzgk1AYXtUDu4AVc0pWC
Aui8tih9ykESC8rPUaEBc6wpR3wgKSPclfIWgiJira4xB8eRCUs=
=9lwy
-----END PGP SIGNATURE-----
Dear Knot Resolver users,
Knot Resolver 5.1.3 has been released!
Improvements
------------
- capabilities are no longer constrained when running as root (!1012)
- cache: add percentage usage to cache.stats() (#580, !1025)
- cache: add number of cache entries to cache.stats() (#510, !1028)
- aarch64 support again, as some systems still didn't work (!1033)
- support building against Knot DNS 3.0 (!1053)
Bugfixes
--------
- tls: fix compilation to support net.tls_sticket_secret() (!1021)
- validator: ignore bogus RRSIGs present in insecure domains (!1022,
#587)
- build if libsystemd version isn't detected as integer (#592, !1029)
- validator: more robust reaction on missing RRSIGs (#390, !1020)
- ta_update module: fix broken RFC5011 rollover (!1035)
- garbage collector: avoid keeping multiple copies of cache (!1042)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.1.3/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.3.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.3.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.1.3/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 5.1.0 has been released!
We also have two important announcements:
1) Ubuntu and Debian repositories
Ubuntu and Debian users have to manually set up the upstream repository
once again by following the instructions at:
https://www.knot-resolver.cz/download/
We apologize for the inconvenience, tests are now in place to prevent
this from happening again.
2) The upcoming major version will contain reworked
hints/policy/prefill/rebinding/view modules and related functionalities.
Please participate in the following survey to ensure we do not forget
about your particular use-case:
https://www.knot-resolver.cz/survey/
It will help us to improve Knot Resolver. Thank you!
Our upstream repositories now also provide packages for CentOS 8,
Ubuntu 20.04 and Fedora 32.
And finally, the release notes for version 5.1.0:
Improvements
------------
- cache garbage collector: reduce filesystem operations when idle (!946)
- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging
(!957)
- daemon: improve TCP query latency under heavy TCP load (!968)
- add policy.ANSWER action (!964, #192)
- policy.rpz support fake A/AAAA (!964, #194)
Bugfixes
--------
- cache: missing filesystem support for pre-allocation is no longer
fatal (#549)
- lua: policy.rpz() no longer watches the file when watch is set to
false (!954)
- fix a strict aliasing problem that might've lead to "miscompilation"
(!962)
- fix handling of DNAMEs, especially signed ones (#234, !965)
- lua resolve(): correctly include EDNS0 in the virtual packet (!963)
Custom modules might have been confused by that.
- do not leak bogus data into SERVFAIL answers (#396)
- improve random Lua number generator initialization (!979)
- cache: fix CNAME caching when validation is disabled (#472, !974)
- cache: fix CNAME caching in policy.STUB mode (!974)
- prefill: fix crash caused by race condition with resolver startup
(!983)
- webmgmt: use javascript scheme detection for websockets' protocol
(#546)
- daf module: fix del(), deny(), drop(), tc(), pass() functions
(#553, !966)
- policy and daf modules: expose initial query when evaluating
postrules (#556)
- cache: fix some cases of caching answers over 4 KiB (!976)
- docs: support sphinx 3.0.0+ (!978)
Incompatible changes
--------------------
- minor changes in module API; see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.1.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
