Dear Knot Resolver users,
Knot Resolver 5.1.0 has been released!
We also have two important announcements:
1) Ubuntu and Debian repositories
Ubuntu and Debian users have to manually set up the upstream repository
once again by following the instructions at:
https://www.knot-resolver.cz/download/
We apologize for the inconvenience; tests are now in place to prevent
this from happening again.
2) The upcoming major version will contain reworked
hints/policy/prefill/rebinding/view modules and related functionalities.
Please participate in the following survey to ensure we do not forget
about your particular use-case:
https://www.knot-resolver.cz/survey/
It will help us to improve Knot Resolver. Thank you!
Our upstream repositories now also provide packages for CentOS 8,
Ubuntu 20.04 and Fedora 32.
And finally, the release notes for version 5.1.0:
Improvements
------------
- cache garbage collector: reduce filesystem operations when idle (!946)
- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging
(!957)
- daemon: improve TCP query latency under heavy TCP load (!968)
- add policy.ANSWER action (!964, #192)
- policy.rpz support fake A/AAAA (!964, #194)
Bugfixes
--------
- cache: missing filesystem support for pre-allocation is no longer
fatal (#549)
- lua: policy.rpz() no longer watches the file when watch is set to
false (!954)
- fix a strict aliasing problem that might've led to "miscompilation"
(!962)
- fix handling of DNAMEs, especially signed ones (#234, !965)
- lua resolve(): correctly include EDNS0 in the virtual packet (!963)
Custom modules might have been confused by that.
- do not leak bogus data into SERVFAIL answers (#396)
- improve random Lua number generator initialization (!979)
- cache: fix CNAME caching when validation is disabled (#472, !974)
- cache: fix CNAME caching in policy.STUB mode (!974)
- prefill: fix crash caused by race condition with resolver startup
(!983)
- webmgmt: use javascript scheme detection for websockets' protocol
(#546)
- daf module: fix del(), deny(), drop(), tc(), pass() functions
(#553, !966)
- policy and daf modules: expose initial query when evaluating
postrules (#556)
- cache: fix some cases of caching answers over 4 KiB (!976)
- docs: support sphinx 3.0.0+ (!978)
Incompatible changes
--------------------
- minor changes in module API; see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.1.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 5.0.0 has been released!
This version has a few backward incompatible changes. Most notably, the
network interface configuration has been moved back to the configuration
file and configuration via systemd sockets is no longer supported.
Unfortunately, this change requires a manual modification of your
configuration file if you've previously configured your network
interfaces via systemd sockets. Please follow the instructions printed
out during package upgrade and check out our upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
We apologize for the inconvenience.
Incompatible changes
--------------------
- see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
- systemd sockets are no longer supported (#485)
- net.listen() throws an error if it fails to bind; use freebind option
if needed
- control socket location has changed (!922)
- -f/--forks is deprecated (#529, !919)
Improvements
------------
- logging: control-socket commands don't log unless --verbose (#528)
- use SO_REUSEPORT_LB if available (FreeBSD 12.0+)
- lua: remove dependency on lua-socket and lua-sec, use lua-http and
cqueues (#512, #521, !894)
- lua: remove dependency on lua-filesystem (#520, !912)
- net.listen(): allow binding to non-local address with freebind
option (!898)
- cache: pre-allocate the file to avoid SIGBUS later (not macOS;
!917, #525)
- lua: be stricter around nonsense returned from modules (!901)
- user documentation was reorganized and extended (!900, !867)
- multiple config files can be used with --config/-c option (!909)
- lua: stop trying to tweak lua's GC (!201)
- systemd: add SYSTEMD_INSTANCE env variable to identify different
instances (!906)
Bugfixes
--------
- correctly use EDNS(0) padding in failed answers (!921)
- policy and daf modules: fix postrules and reroute rules (!901)
- renumber module: don't accidentally zero-out request's .state (!901)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.0.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.0.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.0.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.0.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
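Since systemd socket activation is gone in 5.0.0, listeners must be declared in the kresd configuration file. The following is an added illustration, not configuration from the announcement or the project; the addresses, certificate paths and control-socket path are placeholders to adapt to your own deployment.

```lua
-- Constructed kresd 5.x configuration fragment (example, not from the release notes):
-- replaces systemd-socket activation with explicit net.listen() calls.

-- Plain DNS (UDP+TCP) on loopback, IPv4 and IPv6; port 53 is the default.
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns' })

-- DNS-over-TLS needs a certificate and key before the listener is opened.
-- Placeholder paths; point them at your real PEM files.
net.tls('/etc/knot-resolver/server-cert.pem', '/etc/knot-resolver/server-key.pem')

-- Since 5.0.0 a failed bind() raises an error and aborts startup instead of
-- being silently ignored. For an address that may not be configured on the
-- interface yet when kresd starts (e.g. a floating service address), set
-- freebind so the socket is created anyway rather than failing the start.
net.listen('192.0.2.53', 853, { kind = 'tls', freebind = true })

-- The control socket location changed in 5.0.0; declare it explicitly so
-- management tooling uses the path you chose (placeholder path below).
net.listen('/run/knot-resolver/control/kresd.sock', nil, { kind = 'control' })
```

After changing listeners, a failed bind now shows up as a startup error in the journal rather than as a silently missing service, which is the behaviour to watch for when upgrading.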
Dear Knot Resolver users,
Knot Resolver 4.2.1 has been released!
Note for Debian users: If you have previously installed
knot-resolver-dbgsym package on Debian, please remove it and install
knot-resolver-dbg instead.
Bugfixes
--------
- rebinding module: fix handling some requests, respect ALLOW_LOCAL flag
- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860)
(regression since 4.1.0 release, in less common cases)
- prefill module: allow a different module-loading style (#506)
- validation: trim TTLs by RRSIG's expiration and original TTL (#319,
#504)
- NS choice algorithm: fix a regression since 4.0.0 (#497, !868)
- policy: special domains home.arpa. and local. get NXDOMAIN (!855)
Improvements
------------
- add compatibility with (future) libknot 2.9
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.2.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-4.2.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v4.2.1/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 4.1.0 has been released!
This is a minor release with a couple of improvements and many bugfixes,
including security fixes for CVE-2019-10190 and CVE-2019-10191.
Packages for supported distributions are now available from
https://www.knot-resolver.cz/download/
Highlights
==========
- security fixes, we encourage all users to upgrade as soon as possible
- new garbage collector improves cache utilization on busy machines
- ARM64 (aarch64) is now experimentally supported, please report issues
- compatibility with non-standard DoH clients was improved
Full release notes:
Knot Resolver 4.1.0 (2019-07-10)
================================
Security
--------
- fix CVE-2019-10190: do not pass bogus negative answer to client (!827)
- fix CVE-2019-10191: do not cache negative answer with forged
QNAME+QTYPE (!839)
Improvements
------------
- new cache garbage collector is available and enabled by default (#257)
This improves cache efficiency on big installations.
- DNS-over-HTTPS: unknown HTTP parameters are ignored to improve
compatibility with non-standard clients (!832)
- DNS-over-HTTPS: answers include `access-control-allow-origin: *`
which allows JavaScript to use DoH endpoint (!823).
- http module: support named AF_UNIX stream sockets (again)
- aggressive caching is disabled on minimal NSEC* ranges (!826)
This improves cache effectiveness with DNSSEC black lies and also
accidentally works around a bug in proofs-of-nonexistence from F5 BIG-IP
load-balancers.
- aarch64 support, even kernels with ARM64_VA_BITS >= 48 (#216, !797)
This is done by working around a LuaJIT incompatibility.
Please report bugs.
- lua tables for C modules are more strict by default, e.g. `nsid.foo`
will throw an error instead of returning `nil` (!797)
- systemd: basic watchdog is now available and enabled by default (#275)
Bugfixes
--------
- TCP to upstream: fix unlikely case of sending out wrong message length
(!816)
- http module: fix problems around maintenance of ephemeral certs (!819)
- http module: also send intermediate TLS certificate to clients,
if available and luaossl >= 20181207 (!819)
- send EDNS with SERVFAILs, e.g. on validation failures (#180, !827)
- prefill module: avoid crash on empty zone file (#474, !840)
- rebinding module: avoid excessive iteration on blocked attempts (!842)
- rebinding module: fix crash caused by race condition (!842)
- rebinding module: log each blocked query only in verbose mode (!842)
- cache: automatically clear stale reader locks (!844)
Module API changes
------------------
- lua modules may omit casting parameters of layer functions (!797)
--
Petr Špaček @ CZ.NIC