Dear Knot Resolver users, Knot Resolver 2.0.0 brings lots of changed code, including two bigger new features: aggressive cache and pipelined TLS forwarding. Incompatible changes -------------------- - systemd: change unit files to allow running multiple instances, deployments with single instance now must use `kresd(a)1.service` instead of `kresd.service`; see kresd.systemd(8) for details - systemd: the directory for cache is now /var/cache/knot-resolver - unify default directory and user to `knot-resolver` - directory with trust anchor file specified by -k option must be writeable - policy module is now loaded by default to enforce RFC 6761; see documentation for policy.PASS if you use locally-served DNS zones - drop support for alternative cache backends memcached, redis, and for Lua bindings for some specific cache operations - REORDER_RR option is not implemented (temporarily) New features ------------ - aggressive caching of validated records (RFC 8198) for NSEC zones; thanks to ICANN for sponsoring this work. - forwarding over TLS, authenticated by SPKI pin or certificate. policy.TLS_FORWARD pipelines queries out-of-order over shared TLS connection Beware: Some resolvers do not support out-of-order query processing. TLS forwarding to such resolvers will lead to slower resolution or failures. - trust anchors: you may specify a read-only file via -K or --keyfile-ro - trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only) - ta_sentinel module implements draft ietf-dnsop-kskroll-sentinel-00, enabled by default - serve_stale module is prototype, subject to change - extended API for Lua modules Bugfixes -------- - fix build on osx - regressed in 1.5.3 (different linker option name) Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.0.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.0.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-2.0.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v2.0.0/ --Vladimir