[knot-resolver-users] Knot Resolver 2.0.0 feature release
vladimir.cunat at nic.cz
Wed Jan 31 14:56:21 CET 2018
Dear Knot Resolver users,
Knot Resolver 2.0.0 brings lots of changed code, including two
bigger new features: aggressive cache and pipelined TLS forwarding.
- systemd: change unit files to allow running multiple instances,
deployments with single instance now must use `kresd at 1.service`
instead of `kresd.service`; see kresd.systemd(8) for details
- systemd: the directory for cache is now /var/cache/knot-resolver
- unify default directory and user to `knot-resolver`
- directory with trust anchor file specified by -k option must be writeable
- policy module is now loaded by default to enforce RFC 6761;
see documentation for policy.PASS if you use locally-served DNS zones
- drop support for alternative cache backends memcached, redis,
and for Lua bindings for some specific cache operations
- REORDER_RR option is not implemented (temporarily)
- aggressive caching of validated records (RFC 8198) for NSEC zones;
thanks to ICANN for sponsoring this work.
- forwarding over TLS, authenticated by SPKI pin or certificate.
policy.TLS_FORWARD pipelines queries out-of-order over shared TLS connection
Beware: Some resolvers do not support out-of-order query processing.
TLS forwarding to such resolvers will lead to slower resolution or failures.
- trust anchors: you may specify a read-only file via -K or --keyfile-ro
- trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only)
- ta_sentinel module implements draft ietf-dnsop-kskroll-sentinel-00,
enabled by default
- serve_stale module is prototype, subject to change
- extended API for Lua modules
- fix build on osx - regressed in 1.5.3 (different linker option name)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the knot-resolver-users