Dear Knot Resolver users,
Knot Resolver 4.0.0 has been released!
This is a major release with many improvements and also some breaking
changes, please see our upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
Those interested in DNS-over-HTTPS are welcome to look for unintentional
Easter Bugs we may have accidentally hidden in our experimental
implementation. Upstream packages with DNS-over-HTTPS support are
available for Debian 9, CentOS 7, Ubuntu 18, Fedora and Arch.
Incompatible changes
--------------------
- see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
- configuration: trust_anchors aliases .file, .config() and .negative
were removed (!788)
- configuration: trust_anchors.keyfile_default is no longer accessible
(!788)
- daemon: -k/--keyfile and -K/--keyfile-ro options were removed
- meson build system is now used for builds (!771)
- build with embedded LMDB is no longer supported
- default modules dir location has changed
- DNSSEC is enabled by default
- upstream packages for Debian now require systemd
- libknot >= 2.8 is required
- net.list() output format changed (#448)
- net.listen() reports error when address-port pair is in use
- bind to DNS-over-TLS port by default (!792)
- stop versioning libkres library
- default port for web management and APIs changed to 8453
Improvements
------------
- policy.TLS_FORWARD: if hostname is configured, send it on wire (!762)
- hints module: allow configuring the TTL and change default from 0 to 5s
- policy module: policy.rpz() will watch the file for changes by default
- packaging: lua cqueues added to default dependencies where available
- systemd: service is no longer auto-restarted on configuration errors
- always send DO+CD flags upstream, even in insecure zones (#153)
- cache.stats() output is completely new; see docs (!775)
- improve usability of table_print() (!790, !801)
- add DNS-over-HTTPS support (#280)
- docker image supports and exposes DNS-over-HTTPS
Bugfixes
--------
- predict module: load stats module if config didn't specify period (!755)
- trust_anchors: don't do 5011-style updates on anchors from files
that were loaded as unmanaged trust anchors (!753)
- trust_anchors.add(): include these TAs in .summary() (!753)
- policy module: support '#' for separating port numbers, for consistency
- fix startup on macOS+BSD when </dev/null and cqueues installed
- policy.RPZ: log problems from zone-file level of parser as well (#453)
- fix flushing of messages to logs in some cases (notably systemd) (!781)
- fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
- fix crash when dealing with unknown TA key algorithm (#449)
- go insecure due to algorithm support even if DNSKEY is NODATA (!798)
- fix mac addresses in the output of net.interfaces() command (!804)
- http module: fix too early renewal of ephemeral certificates (!808)
Module API changes
------------------
- kr_straddr_split() changed API a bit (compiler will catch that)
- C modules defining `*_layer` or `*_props` symbols need to change a bit
See the upgrading guide for details. It's detected on module load.
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.0.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-4.0.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-4.0.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v4.0.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hi,
I created new certs with Let's Encrypt and knot-resolver just throws
"invalid argument" when starting. The old ones work fine, so at first I
thought it was related to them being wildcard certs now, but newly
created certs just for "dns.mydomain.tld" also lead to the error.
Any ideas?
BR
Bjoern
Message "moved" from [knot-dns-users] to [knot-resolver-users]:
-------- Forwarded Message --------
Subject: [knot-dns-users] running knot-resolver with only kresd-tls.socket
Date: Sat, 16 Mar 2019 13:36:50 -0000 (UTC)
From: Daniel Lublin <daniel@lublin.se>
To: knot-dns-users@lists.nic.cz
Ahoj,
I'm tinkering with running knot-resolver for DNS-over-TLS (only). My kresd@1
is listening on the public interface by using a drop-in override file,
following kresd.systemd(7) (kresd-tls.socket.d/override.conf).
Thing is, I would like knot to not listen on port 53 on any interface, not
even localhost. But this is precisely what it does.
I naively tried to stop it from doing so, first with a
kresd.socket.d/override.conf with:
[Socket]
ListenStream=
But that failed with journalctl -u kresd.socket containing `kresd.socket:
Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=,
...). Refusing.`
And also by trying to disable that "socket-unit", with a
kresd@1.service.d/override.conf containing:
[Service]
Sockets=
Sockets=kresd-tls.socket
Sockets=kresd-control@%i.socket
But that did nothing.
Finally, using `systemctl mask kresd.socket` I got it to stop listening on
(localhost) port 53. But then systemd finds itself in "degraded"
mode...
Any tip on how to accomplish this cleanly?
Hello, Knot * users!
Please note that Knot DNS 2.8.x breaks all Knot Resolver versions
released so far (<=3.2.1). The breakage is a bit subtle, and the build
system won't detect it.
We plan to release an update soon. If you don't want to wait, you can
apply a simple patch:
https://gitlab.labs.nic.cz/knot/knot-resolver/commit/186f2639
--Vladimir
Hi,
When I query a domain name through the knot-resolver server, I see that
uppercase and lowercase letters are randomly converted in the log records.
--
Best Regards!!
champion_xie
Hello,
I have at the moment a network with 3 DNS servers. They do
recursive/caching as well as authoritative zones (Bind 9). I want to build
a structure with 2 authoritative servers using Knot-DNS and 3 resolvers
using Knot-Resolver.
As our authoritative servers are in our network and as I want to get any
changes in their zones to our users as fast as possible, I use this from the
documentation:
Replacing part of the DNS tree
Interesting is this line:
policy.add(policy.suffix(policy.STUB({'$our ip'}), extraTrees))
Can I put more than one IP at this line to forward the queries? We have
2 authoritative servers, so I want to ask both of them, round-robin like.
In my config I have two servers, comma separated; kresd is running with
it, but it seems it uses only the first.
Is there a way to get my desired behavior?
Regards
Thomas
P.S.: Versions are Knot-Resolver 3.2.1 and OS is Ubuntu 18.04.02
--
Thomas Belián
Fachhochschule Erfurt
Fak. GTI / FR AI & Hochschulrechenzentrum
Postfach 45 01 55, 99051 Erfurt
Telefon: +49361 6700 - 647
E-Mail: thomas.belian@fh-erfurt.de
Dear Knot Resolver users,
Knot Resolver 3.2.1 has been released.
Bugfixes
--------
- trust_anchors: respect validity time range during TA bootstrap (!748)
- fix TLS rehandshake handling (!739)
- make TLS_FORWARD compatible with GnuTLS 3.3 (!741)
- special thanks to Grigorii Demidov for his long-term work on Knot
Resolver!
Improvements
------------
- improve handling of timed-out outgoing TCP connections (!734)
- trust_anchors: check syntax of public keys in DNSKEY RRs (!748)
- validator: clarify message about bogus non-authoritative data (!735)
- dnssec validation failures contain more verbose reasoning (!735)
- new function trust_anchors.summary() describes state of DNSSEC TAs (!737),
and logs new state of trust anchors after start up and automatic changes
- trust anchors: refuse revoked DNSKEY even if specified explicitly,
and downgrade missing the SEP bit to a warning
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v3.2.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-3.2.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v3.2.1/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869