Dear Knot Resolver users,
Knot Resolver 3.2.0 has been released.
New features
------------
- module edns_keepalive to implement server side of RFC 7828 (#408)
- module nsid to implement server side of RFC 5001 (#289)
- module bogus_log provides .frequent() table (!629, credit Ulrich Wisser)
- module stats collects flags from answer messages (!629, credit Ulrich
Wisser)
- module view supports multiple rules with identical address/TSIG
specification
and keeps trying rules until a "non-chain" action is executed (!678)
- module experimental_dot_auth implements an DNS-over-TLS to auth protocol
(!711, credit Manu Bretelle)
- net.bpf bindings allow advanced users to use eBPF socket filters
Bugfixes
--------
- http module: only run prometheus in parent process if using --forks=N,
as the submodule collects metrics from all sub-processes as well.
- TLS fixes for corner cases (!700, !714, !716, !721, !728)
- fix build with -DNOVERBOSELOG (#424)
- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
- avoid SERVFAILs due to certain kind of NS dependency cycles, again
(#374) this time seen as 'circular dependency' in verbose logs
- policy and view modules do not overwrite result finished requests (!678)
Improvements
------------
- Dockerfile: rework, basing on Debian instead of Alpine
- policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6
when choosing whom to ask, just as for iteration
- use pseudo-randomness from gnutls instead of internal ISAAC (#233)
- tune the way we deal with non-responsive servers (!716, !723)
- documentation clarifies interaction between policy and view modules
(!678, !730)
Module API changes
------------------
- new layer is added: answer_finalize
- kr_request keeps ::qsource.packet beyond the begin layer
- kr_request::qsource.tcp renamed to ::qsource.flags.tcp
- kr_request::has_tls renamed to ::qsource.flags.tls
- kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed
parameters slightly
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v3.2.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dobrý den,
používám knot-resolver ver. 3.1.0 a zjistil, že nevrací A záznamy pro:
www.cezdistribuce.cz
když vymažu cache:
cache.clear('cezdistribuce.cz')
tak se knot-resolver na nedefinovanou dobu umoudří a A záznamy normálně
vrací. Přitom google DNS 8.8.8.8 záznamy vrací v pořádku. Jinou anomálii
jsem nezjistil. V čem může být problém? Konfigurace?
Nefunkční výpis:
$ dig @192.168.100.100 -t A www.cezdistribuce.cz
; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A
www.cezdistribuce.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cezdistribuce.cz. IN A
;; AUTHORITY SECTION:
cezdistribuce.cz. 41952 IN SOA ns10.cez.cz.
netmaster.cezdata.cz. 2018112701 28800 7200 864000 86400
;; Query time: 1 msec
;; SERVER: 192.168.100.100#53(192.168.100.100)
;; WHEN: Po pro 10 07:58:55 CET 2018
;; MSG SIZE rcvd: 112
Funkční, po vymazaní z cache:
$ dig @192.168.100.100 -t A www.cezdistribuce.cz
; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @192.168.100.100 -t A
www.cezdistribuce.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 89
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cezdistribuce.cz. IN A
;; ANSWER SECTION:
www.cezdistribuce.cz. 24 IN A 89.111.76.140
;; Query time: 0 msec
;; SERVER: 192.168.100.100#53(192.168.100.100)
;; WHEN: Po pro 10 08:09:59 CET 2018
;; MSG SIZE rcvd: 65
Děkuji za pomoc.
--
Zdeněk Janiš
