[knot-resolver-announce] Knot Resolver 4.1.0

Petr Špaček petr.spacek at nic.cz
Wed Jul 10 17:28:45 CEST 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Knot Resolver users,

Knot Resolver 4.1.0 has been released!

This is a minor release with couple improvements and many bugfixes,
including security fixes for CVE-2019-10190 and CVE-2019-10191.

Packages for supported distributions are now available from
https://www.knot-resolver.cz/download/

Highlights
==========
- - security fixes, we encourage all users to upgrade as soon as possible
- - new garbage collector improves cache utilization on busy machines
- - ARM64 (aarch64) is now experimentally supported, please report issues
- - compatibility with non-standard DoH clients was improved


Full release notes:

Knot Resolver 4.1.0 (2019-07-10)
================================

Security
- --------
- - fix CVE-2019-10190: do not pass bogus negative answer to client (!827)
- - fix CVE-2019-10191: do not cache negative answer with forged
  QNAME+QTYPE (!839)

Improvements
- ------------
- - new cache garbage collector is available and enabled by default (#257)
  This improves cache efficiency on big installations.
- - DNS-over-HTTPS: unknown HTTP parameters are ignored to improve
  compatibility with non-standard clients (!832)
- - DNS-over-HTTPS: answers include `access-control-allow-origin: *`
  which allows JavaScript to use DoH endpoint (!823).
- - http module: support named AF_UNIX stream sockets (again)
- - aggressive caching is disabled on minimal NSEC* ranges (!826)
  This improves cache effectivity with DNSSEC black lies and also
  accidentally works around bug in proofs-of-nonexistence from F5 BIG-IP
  load-balancers.
- - aarch64 support, even kernels with ARM64_VA_BITS >= 48 (#216, !797)
  This is done by working around a LuaJIT incompatibility.
  Please report bugs.
- - lua tables for C modules are more strict by default, e.g. `nsid.foo`
  will throw an error instead of returning `nil` (!797)
- - systemd: basic watchdog is now available and enabled by default (#275)

Bugfixes
- --------
- - TCP to upstream: fix unlikely case of sending out wrong message length
  (!816)
- - http module: fix problems around maintenance of ephemeral certs (!819)
- - http module: also send intermediate TLS certificate to clients,
  if available and luaossl >= 20181207 (!819)
- - send EDNS with SERVFAILs, e.g. on validation failures (#180, !827)
- - prefill module: avoid crash on empty zone file (#474, !840)
- - rebinding module: avoid excessive iteration on blocked attempts (!842)
- - rebinding module: fix crash caused by race condition (!842)
- - rebinding module: log each blocked query only in verbose mode (!842)
- - cache: automatically clear stale reader locks (!844)

Module API changes
- ------------------
- - lua modules may omit casting parameters of layer functions (!797)

- -- 
Petr Špaček  @  CZ.NIC
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl0mBC0ACgkQzo3WoaUK
IeT3uw/9Fqz2PWYmEtF50nlnFIyM44EAClQFVboM8djVQVffN347nZTo4WPI+rsj
exUg5tYKIEC6xrihRLwojbTfFcGVXcEHo0NZsvyv51qIP+lT6yHOVMz+tckmGyPI
qG4JxvF7juUz1oLNCLUJfuZX/rOBgcOID2hga6q8ZXmkE5GFkyPsz7giaxjNWCGY
Hf+uxzR2oezd4GGaOS2bIpqSjBmQwjaLvN3odG0xGZEHQCm+MkblVIbpiKuyR79e
CulWcLNU1KL4V4o/rF5BUXHCnArGP/TM0JoVifPZepZVyB8xMEfBuyew9k1EAuX6
+5oJ9H1JcsftMtBgGUtksltTVK+9Mst9Rc52oiP5RA8ffpc5j0TtQi/lgNSgGnfQ
P10t7fnlotseBYsHeQ0dm54TlGKBgsECuk1/wgjlytbUU9AUQMkmop696xZEcw1w
gVY7FhAq09ciqtNTKuPJLoNTN/uhIdnyvt496Xf15OA3znZlMxdrI+rdVvf3btX/
SV9/bzNyWtJOhiYoN4hIPUqcvq6rFqxBbZpDA3pX9ks/lsWil7Y8sm96GzOjvaSx
EjhDbBaFLBtX4kOPbrREDs8DbCTsxD1rLEruPos+Mp8PfAISEa/RvjyhuI/yyjwE
qpNksYdKNHeniYEcycJ1khJBs1cz+9GlBFdCnSdFG2tFFu4nY4g=
=pAEs
-----END PGP SIGNATURE-----


More information about the knot-resolver-announce mailing list