Release notes¶
Version numbering¶
Version number format is major.minor.patch
. Knot Resolver does not use semantic versioning even though the version number looks similar.
Leftmost number which was changed signalizes what to expect when upgrading:
- Major version
Manual upgrade steps might be necessary, please follow instructions in Upgrading section.
Major releases may contain significant changes including changes to configuration format.
We might release a new major also when internal implementation details change significantly.
- Minor version
Configuration stays compatible with the previous version, except for undocumented or very obscure options.
Upgrade should be seamless for users who use modules shipped as part of Knot Resolver distribution.
Incompatible changes in internal APIs are allowed in minor versions. Users who develop or use custom modules (i.e. modules not distributed together with Knot Resolver) need to double check their modules for incompatibilities. Upgrading section should contain hints for module authors.
- Patch version
Everything should be compatible with the previous version.
API for modules should be stable on best effort basis, i.e. API is very unlikely to break in patch releases.
Custom modules might need to be recompiled, i.e. ABI compatibility is not guaranteed.
This definition is not applicable to versions older than 5.2.0.
Knot Resolver 6.0.8 (2024-07-23)¶
Security¶
reduce buffering of transmitted data, especially TCP-based in userspace Also expose some of the new tweaks in lua:
(require ‘ffi’).C.the_worker.engine.net.tcp.user_timeout = 1000 (require ‘ffi’).C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
Packaging¶
- all packages:
remove unused dependency on libedit (!1553)
- deb packages:
packages
knot-resolver-core
andknot-resolver-manager
have been merged into a singleknot-resolver6
package. Suffix packagesknot-resolver-*
have been renamed toknot-resolver6-*
. This change _should_ be transparent, but please do let us know if you encounter any issues while updating. (!1549)package
python3-prometheus-client
is now only an optional dependency
- rpm packages:
packages
knot-resolver-core
andknot-resolver-manager
have been merged into a singleknot-resolver
package. This change _should_ be transparent, but please do let us know if you encounter any issues while updating. (!1549)bugfix: do not overwrite config.yaml (!1525)
package
python3-prometheus_client
is now only an optional dependency
- arch package:
fix after they renamed a dependency (!1536)
Improvements¶
TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
manager: export metrics to JSON via management HTTP API (!1527) * JSON is the new default metrics output format * the
prometheus-client
Python package is now an optional dependency,required only for Prometheus export to work
cache: prefetching records * predict module: prefetching expiring records moved to prefetch module * prefetch module: new module to prefetch expiring records
stats: add separate metrics for IPv6 and IPv4 (!1545)
add the fresh DNSSEC root key “KSK-2024” already, Key ID 38696 (!1556)
manager: policy-loader: new component for separate loading of policy rules (!1540) The
policy-loader
ensures that configured policies are loaded into the rules database where they are made available to all running kresd workers. This loading is no longer done by all kresd workers as it was before, so this should significantly improve the resolver’s startup/reload time when loading large sets of policy rules, e.g. large RPZs.
Incompatible changes¶
cache: the
cache.prediction
configuration property has been reorganized intocache.prefetch.expiring
andcache.prefetch.prediction
, changing the default behaviour as well. See the relevant documentation section for more.libknot <=3.2.x support is dropped (!1565)
Bugfixes¶
arch package: fix after they renamed a dependency (!1536)
fix startup with dnssec: false (!1548)
rpm packages: do not overwrite config.yaml (!1525)
fix NSEC3 records missing in answer for positive wildcard expansion with the NSEC3 having over-limit iteration count (#910, !1550)
views: fix a bug in subnet matching (!1562)
Knot Resolver 6.0.7 (2024-03-27)¶
Improvements¶
manager: clear the cache via management HTTP API (#876, !1491)
manager: added support for Python 3.12 and removed for 3.7 (!1502)
manager: use build-time install prefix to execute kresd instead of PATH (!1511)
docs: documentation is now separated into user and developer parts (!1514)
daemon: ignore UDP requests from ports < 1024 (!1507)
manager: increase startup timeout for processes (!1518, !1520)
local-data: increase default DB size to 2G on 64-bit platforms (!1518)
Bugfixes¶
fix listening by interface name containing dashes (#900, !1500)
fix kresctl http request timeout (!1505)
fix RPZ if it contains apex NS record (!1516)
fix RPZ if SOA is repated, as usual in AXFR output (!1521)
avoid RPZ overriding the root SOA (!1521)
fix on 32-bit systems with 64-bit time_t (!1510)
fix paths to knot-dns libs if exec_prefix != prefix (!1503)
manager: add missing early check that neither a custom port nor TLS is set for authoritative server forwarding (#902, !1505)
Knot Resolver 6.0.6 (2024-02-13)¶
Security¶
CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
validator: lower the NSEC3 iteration limit (150 -> 50)
validator: similarly also limit excessive NSEC3 salt length
cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
validator: limit the amount of work on SHA1 in NSEC3 proofs
validator: refuse to validate answers with more than 8 NSEC3 records
CVE-2023-50387 “KeyTrap”: DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention.
Improvements¶
update addresses of B.root-servers.net (!1478)
tweak the default run_dir on non-Linux (!1481)
Bugfixes¶
fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497)
Knot Resolver 6.0.5 (2024-01-09)¶
6.0.x are “early access” versions, not generally recommended for production use.
6.0 contains biggest changes in the history of Knot Resolver releases. You will have to rewrite your configuration. See documentation, in particular: https://www.knot-resolver.cz/documentation/latest/upgrading-to-6.html