knot-resolver-announce

knot-resolver-announce@lists.nic.cz

45 discussions

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.1.0 has been released. Incompatible changes -------------------- - hints.use_nodata(true) by default; that's what most users want - libknot >= 2.7.2 is required Improvements ------------ - cache: handle out-of-space SIGBUS slightly better (#197) - daemon: improve TCP timeout handling (!686) Bugfixes -------- - cache.clear('name'): fix some edge cases in API (#401) - fix error handling from TLS writes (!669) - avoid SERVFAILs due to certain kind of NS dependency cycles (#374) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.1.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.1.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.1.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 1 měsíc

Knot Resolver 3.0.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 3.0.0 has been released. Incompatible changes -------------------- - cache: fail lua operations if cache isn't open yet (!639) By default cache is opened *after* reading the configuration, and older versions were silently ignoring cache operations. Valid configuration must open cache using `cache.open()` or `cache.size =` before executing cache operations like `cache.clear()`. - libknot >= 2.7.1 is required, which brings also larger API changes - in case you wrote custom Lua modules, please consult https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-change… - in case you wrote custom C modules, please see compile against Knot DNS 2.7 and adjust your module according to messages from C compiler - DNS cookie module (RFC 7873) is not available in this release, it will be later reworked to reflect development in IEFT dnsop working group - version module was permanently removed because it was not really used by users; if you want to receive notifications about new releases please subscribe to https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce Bugfixes -------- - fix multi-process race condition in trust anchor maintenance (!643) - ta_sentinel: also consider static trust anchors not managed via RFC 5011 Improvements ------------ - reorder_RR() implementation is brought back - bring in performace improvements provided by libknot 2.7 - cache.clear() has a new, more powerful API - cache documentation was improved - old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver" to prevent confusion with "Knot DNS" authoritative server Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.0.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v3.0.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 3 měsíce

Knot Resolver 2.4.1

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 2.4.1 has been released. Security -------- - fix CVE-2018-10920: Improper input validation bug in DNS resolver component (security!7, security!9) Bugfixes -------- - cache: fix TTL overflow in packet due to min_ttl (#388, security!8) - TLS session resumption: avoid bad scheduling of rotation (#385) - HTTP module: fix a regression in 2.4.0 which broke custom certs (!632) - cache: NSEC3 negative cache even without NS record (#384) This fixes lower hit rate in NSEC3 zones (since 2.4.0). - minor TCP and TLS fixes (!623, !624, !626) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.1/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.1.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.1.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v2.4.1/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 4 měsíce

Knot Resolver 2.4.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 2.4.0 has been released. Incompatible changes -------------------- - minimal libknot version is now 2.6.7 to pull in latest fixes (#366) Security -------- - fix a rare case of zones incorrectly downgraded to insecure status (!576) New features ------------ - TLS session resumption (RFC 5077), both server and client (!585, #105) (disabled when compiling with gnutls < 3.5) - TLS_FORWARD policy uses system CA certificate store by default (!568) - aggressive caching for NSEC3 zones (!600) - optional protection from DNS Rebinding attack (module rebinding, !608) - module bogus_log to log DNSSEC bogus queries without verbose logging (!613) Bugfixes -------- - prefill: fix ability to read certificate bundle (!578) - avoid turning off qname minimization in some cases, e.g. co.uk. (#339) - fix validation of explicit wildcard queries (#274) - dns64 module: more properties from the RFC implemented (incl. bug #375) Improvements ------------ - systemd: multiple enabled kresd instances can now be started using kresd.target - ta_sentinel: switch to version 14 of the RFC draft (!596) - support for glibc systems with a non-Linux kernel (!588) - support per-request variables for Lua modules (!533) - support custom HTTP endpoints for Lua modules (!527) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v2.4.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 5 měsíců

Knot Resolver 2.3.0

by Tomas Krizek

Dear Knot Resolver users, Knot Resolver 2.3.0 has been released. This is a security release that fixes CVE-2018-1110. We're also introducing a new mailing list, knot-resolver-announce. Only notifications about new releases or important announcements will be posted there. https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce Security -------- - fix CVE-2018-1110: denial of service triggered by malformed DNS messages (!550, !558, security!2, security!4) - increase resilience against slow lorris attack (security!5) Bugfixes -------- - validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538) - validation: fix SERVFAIL for DS . query (!544) - lib/resolve: don't send unecessary queries to parent zone (!513) - iterate: fix validation for zones where parent and child share NS (!543) - TLS: improve error handling and documentation (!536, !555, !559) Improvements ------------ - prefill: new module to periodically import root zone into cache (replacement for RFC 7706, !511) - network_listen_fd: always create end point for supervisor supplied file descriptor - use CPPFLAGS build environment variable if set (!547) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.3.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v2.3.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

6 let, 7 měsíců

2024

2023

2022

2021

2020

2019

2018

knot-resolver-announce