Dear Knot Resolver users,
Knot Resolver 3.2.1 has been released.
Bugfixes
--------
- trust_anchors: respect validity time range during TA bootstrap (!748)
- fix TLS rehandshake handling (!739)
- make TLS_FORWARD compatible with GnuTLS 3.3 (!741)
- special thanks to Grigorii Demidov for his long-term work on Knot
Resolver!
Improvements
------------
- improve handling of timeouted outgoing TCP connections (!734)
- trust_anchors: check syntax of public keys in DNSKEY RRs (!748)
- validator: clarify message about bogus non-authoritative data (!735)
- dnssec validation failures contain more verbose reasoning (!735)
- new function trust_anchors.summary() describes state of DNSSEC TAs (!737),
and logs new state of trust anchors after start up and automatic changes
- trust anchors: refuse revoked DNSKEY even if specified explicitly,
and downgrade missing the SEP bit to a warning
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v3.2.1/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 3.2.0 has been released.
New features
------------
- module edns_keepalive to implement server side of RFC 7828 (#408)
- module nsid to implement server side of RFC 5001 (#289)
- module bogus_log provides .frequent() table (!629, credit Ulrich Wisser)
- module stats collects flags from answer messages (!629, credit Ulrich
Wisser)
- module view supports multiple rules with identical address/TSIG
specification
and keeps trying rules until a "non-chain" action is executed (!678)
- module experimental_dot_auth implements an DNS-over-TLS to auth protocol
(!711, credit Manu Bretelle)
- net.bpf bindings allow advanced users to use eBPF socket filters
Bugfixes
--------
- http module: only run prometheus in parent process if using --forks=N,
as the submodule collects metrics from all sub-processes as well.
- TLS fixes for corner cases (!700, !714, !716, !721, !728)
- fix build with -DNOVERBOSELOG (#424)
- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
- avoid SERVFAILs due to certain kind of NS dependency cycles, again
(#374) this time seen as 'circular dependency' in verbose logs
- policy and view modules do not overwrite result finished requests (!678)
Improvements
------------
- Dockerfile: rework, basing on Debian instead of Alpine
- policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6
when choosing whom to ask, just as for iteration
- use pseudo-randomness from gnutls instead of internal ISAAC (#233)
- tune the way we deal with non-responsive servers (!716, !723)
- documentation clarifies interaction between policy and view modules
(!678, !730)
Module API changes
------------------
- new layer is added: answer_finalize
- kr_request keeps ::qsource.packet beyond the begin layer
- kr_request::qsource.tcp renamed to ::qsource.flags.tcp
- kr_request::has_tls renamed to ::qsource.flags.tls
- kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed
parameters slightly
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v3.2.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 3.0.0 has been released.
Incompatible changes
--------------------
- cache: fail lua operations if cache isn't open yet (!639)
By default cache is opened *after* reading the configuration,
and older versions were silently ignoring cache operations.
Valid configuration must open cache using `cache.open()` or
`cache.size =` before executing cache operations like `cache.clear()`.
- libknot >= 2.7.1 is required, which brings also larger API changes
- in case you wrote custom Lua modules, please consult
https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-change…
- in case you wrote custom C modules, please see compile against
Knot DNS 2.7 and adjust your module according to messages from C
compiler
- DNS cookie module (RFC 7873) is not available in this release,
it will be later reworked to reflect development in IEFT dnsop working
group
- version module was permanently removed because it was not really used
by users; if you want to receive notifications about new releases
please subscribe to
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce
Bugfixes
--------
- fix multi-process race condition in trust anchor maintenance (!643)
- ta_sentinel: also consider static trust anchors not managed via
RFC 5011
Improvements
------------
- reorder_RR() implementation is brought back
- bring in performace improvements provided by libknot 2.7
- cache.clear() has a new, more powerful API
- cache documentation was improved
- old name "Knot DNS Resolver" is replaced by unambiguous "Knot
Resolver" to prevent confusion with "Knot DNS" authoritative server
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.0.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.0.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v3.0.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 2.4.0 has been released.
Incompatible changes
--------------------
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)
Security
--------
- fix a rare case of zones incorrectly downgraded to insecure status
(!576)
New features
------------
- TLS session resumption (RFC 5077), both server and client (!585, #105)
(disabled when compiling with gnutls < 3.5)
- TLS_FORWARD policy uses system CA certificate store by default (!568)
- aggressive caching for NSEC3 zones (!600)
- optional protection from DNS Rebinding attack (module rebinding, !608)
- module bogus_log to log DNSSEC bogus queries without verbose logging
(!613)
Bugfixes
--------
- prefill: fix ability to read certificate bundle (!578)
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
- dns64 module: more properties from the RFC implemented (incl.
bug #375)
Improvements
------------
- systemd: multiple enabled kresd instances can now be started using
kresd.target
- ta_sentinel: switch to version 14 of the RFC draft (!596)
- support for glibc systems with a non-Linux kernel (!588)
- support per-request variables for Lua modules (!533)
- support custom HTTP endpoints for Lua modules (!527)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.4.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v2.4.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dear Knot Resolver users,
Knot Resolver 2.3.0 has been released. This is a security release that
fixes CVE-2018-1110.
We're also introducing a new mailing list, knot-resolver-announce. Only
notifications about new releases or important announcements will be
posted there.
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce
Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS
messages (!550, !558, security!2, security!4)
- increase resilience against slow lorris attack (security!5)
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single
zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share
NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)
Improvements
------------
- prefill: new module to periodically import root zone into cache
(replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied
file descriptor
- use CPPFLAGS build environment variable if set (!547)
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.3.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-2.3.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v2.3.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
