Dear Knot Resolver users,
Knot Resolver 2.3.0 has been released. This is a security release that
fixes CVE-2018-1110.
We're also introducing a new mailing list, knot-resolver-announce. Only
notifications about new releases or important announcements will be
posted there.
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce
Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS
messages (!550, !558, security!2, security!4)
- increase resilience against slow lorris attack (security!5)
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single
zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share
NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)
Improvements
------------
- prefill: new module to periodically import root zone into cache
(replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied
file descriptor
- use CPPFLAGS build environment variable if set (!547)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.3.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v2.3.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
