Release notes

Version numbering

Version number format is major.minor.patch. Knot Resolver does not use semantic versioning even though the version number looks similar.

The leftmost number that changed signals what to expect when upgrading:

Major version
  • Manual upgrade steps might be necessary; please follow the instructions in the Upgrading section.

  • Major releases may contain significant changes including changes to configuration format.

  • We might release a new major also when internal implementation details change significantly.

Minor version
  • Configuration stays compatible with the previous version, except for undocumented or very obscure options.

  • Upgrade should be seamless for users who use modules shipped as part of Knot Resolver distribution.

  • Incompatible changes in internal APIs are allowed in minor versions. Users who develop or use custom modules (i.e. modules not distributed together with Knot Resolver) need to double-check their modules for incompatibilities. The Upgrading section should contain hints for module authors.

Patch version
  • Everything should be compatible with the previous version.

  • The API for modules should be stable on a best-effort basis, i.e. the API is very unlikely to break in patch releases.

  • Custom modules might need to be recompiled, i.e. ABI compatibility is not guaranteed.

This definition is not applicable to versions older than 5.2.0.

Knot Resolver 6.0.6 (2024-02-13)

Security

  • CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
    • validator: lower the NSEC3 iteration limit (150 -> 50)
    • validator: similarly also limit excessive NSEC3 salt length
    • cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
    • validator: limit the amount of work on SHA1 in NSEC3 proofs
    • validator: refuse to validate answers with more than 8 NSEC3 records

  • CVE-2023-50387 “KeyTrap”: DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. The solution boils down mainly to limiting crypto-validations per packet.

    We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention.
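
Both fixes above share one idea: bound the work a single response can cause before doing it. The following Python is an added illustration of that idea and is not Knot Resolver's validator code. The NSEC3 hash follows RFC 5155 section 5 (SHA-1, iterations + 1 calls per name). The limits of 50 iterations and 8 NSEC3 records come from the notes above; the salt-length limit and the per-packet signature budget are assumed values, since the notes give no numbers for them. The `Nsec3Params`, `Rrsig` and `Dnskey` types and the `verify` callback are simplifications constructed for the example.

```python
"""Illustrative per-response work limits for DNSSEC validation (added
example, not Knot Resolver code). NSEC3 hashing per RFC 5155 section 5."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_NSEC3_ITERATIONS = 50        # from the 6.0.6 notes (lowered from 150)
MAX_NSEC3_RECORDS = 8            # from the 6.0.6 notes
MAX_NSEC3_SALT_LEN = 32          # assumption: notes say only "excessive"
MAX_SIG_CHECKS_PER_PACKET = 16   # assumption: notes give no figure


def wire_name(owner: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 s.6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(owner: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 s.5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt),
    with H = SHA-1. Costs iterations + 1 SHA-1 calls per name."""
    digest = hashlib.sha1(wire_name(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


@dataclass(frozen=True)
class Nsec3Params:  # constructed simplification of an NSEC3 RR
    iterations: int
    salt: bytes


def check_nsec3_answer(records: List[Nsec3Params]) -> Tuple[bool, str]:
    """Decide, before hashing anything, whether an answer's NSEC3 records
    are cheap enough to attempt a closest-encloser proof."""
    if len(records) > MAX_NSEC3_RECORDS:
        return False, f"{len(records)} NSEC3 records > {MAX_NSEC3_RECORDS}"
    for r in records:
        if r.iterations > MAX_NSEC3_ITERATIONS:
            return False, f"iterations {r.iterations} > {MAX_NSEC3_ITERATIONS}"
        if len(r.salt) > MAX_NSEC3_SALT_LEN:
            return False, f"salt length {len(r.salt)} > {MAX_NSEC3_SALT_LEN}"
    return True, "ok"


def sha1_calls_for_proof(records: List[Nsec3Params], names_to_hash: int) -> int:
    """Upper bound on SHA-1 invocations a closest-encloser proof may cost:
    every candidate name is hashed once per distinct (iterations, salt)."""
    params = {(r.iterations, r.salt) for r in records}
    return names_to_hash * sum(it + 1 for it, _ in params)


@dataclass(frozen=True)
class Rrsig:  # constructed simplification of an RRSIG RR
    key_tag: int
    signature: bytes


@dataclass(frozen=True)
class Dnskey:  # constructed simplification of a DNSKEY RR
    key_tag: int
    public: bytes


def validate_rrset(rrsigs: List[Rrsig], keys: List[Dnskey], verify,
                   budget: int = MAX_SIG_CHECKS_PER_PACKET) -> Tuple[str, int]:
    """Try each RRSIG against every DNSKEY sharing its key tag, but stop
    after `budget` crypto operations: an answer that needs more is treated
    as bogus rather than verified exhaustively. Returns (status, attempts)."""
    keys_by_tag: Dict[int, List[Dnskey]] = {}
    for k in keys:
        keys_by_tag.setdefault(k.key_tag, []).append(k)
    attempts = 0
    for sig in rrsigs:
        for key in keys_by_tag.get(sig.key_tag, []):
            if attempts >= budget:
                return "bogus (validation budget exhausted)", attempts
            attempts += 1
            if verify(sig, key):
                return "secure", attempts
    return "bogus (no valid signature)", attempts


if __name__ == "__main__":
    # Constructed sample: three NSEC3 RRs, one at the pre-6.0.6 maximum.
    sample = [Nsec3Params(10, b"\xaa\xbb"), Nsec3Params(150, b"\xaa\xbb"),
              Nsec3Params(0, b"")]
    print(check_nsec3_answer(sample))
    print(nsec3_hash("example.com.", b"\xaa\xbb\xcc\xdd", 12).hex())
    # Constructed sample: ten signatures and ten keys all sharing key tag 1,
    # with a verify callback that never succeeds.
    sigs = [Rrsig(1, bytes([i])) for i in range(10)]
    keys = [Dnskey(1, bytes([i])) for i in range(10)]
    print(validate_rrset(sigs, keys, lambda s, k: False))
```

The point of `validate_rrset` is visible in the last sample: without a budget the ten colliding key tags would cost 10 × 10 verification attempts, with the budget the resolver gives up after 16 and returns bogus; `check_nsec3_answer` does the equivalent for NSEC3 by rejecting the answer before any SHA-1 work is spent.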

Improvements

  • update addresses of B.root-servers.net (!1478)

  • tweak the default run_dir on non-Linux (!1481)

Bugfixes

  • fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)

  • fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497)

Knot Resolver 6.0.5 (2024-01-09)

6.0.x are “early access” versions, not generally recommended for production use.

6.0 contains the biggest changes in the history of Knot Resolver releases. You will have to rewrite your configuration. See the documentation, in particular: https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html