Release notes¶

Version numbering¶

Version number format is major.minor.patch. Knot Resolver does not use semantic versioning even though the version number looks similar.

Leftmost number which was changed signalizes what to expect when upgrading:

Major version

Manual upgrade steps might be necessary, please follow instructions in Upgrading section.
Major releases may contain significant changes including changes to configuration format.
We might release a new major also when internal implementation details change significantly.

Minor version

Configuration stays compatible with the previous version, except for undocumented or very obscure options.
Upgrade should be seamless for users who use modules shipped as part of Knot Resolver distribution.
Incompatible changes in internal APIs are allowed in minor versions. Users who develop or use custom modules (i.e. modules not distributed together with Knot Resolver) need to double check their modules for incompatibilities. Upgrading section should contain hints for module authors.

Patch version

Everything should be compatible with the previous version.
API for modules should be stable on best effort basis, i.e. API is very unlikely to break in patch releases.
Custom modules might need to be recompiled, i.e. ABI compatibility is not guaranteed.

This definition is not applicable to versions older than 5.2.0.

manager: secret for TLS session resumption via ticket (RFC5077) (!1567)

The manager creates and sets the secret for all running kresd workers. The secret is created automatically if the user does not configure their own secret in the configuration. This means that the workers will be able to resume each other’s TLS sessions, regardless of whether the user has configured it to do so.
answer NOTIMPL for meta-types and non-IN RR classes (!1589)
views: improve interaction with old-style policies (!1576)
stats: add stale answer counter ‘answer.stale’ (!1591)
extended_errors: answer with EDE in more cases (!1585, !1588, !1590, !1592)
local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)
daemon: use connected UDP sockets by default (#326, !1618)
docker: multiplatform builds (#922, !1623)
docker: shared VOLUMEs are prepared for configuration and cache (!1625, !1627)

Configuration path was changed to standard /etc/knot-resolver/config.yaml.

daemon/proxyv2: fix informing the engine about TCP/TLS from the actual client (!1578)
forward: fix wrong pin-sha256 length; also log pins on mismatch (!1601, #813)

reduce buffering of transmitted data, especially TCP-based in userspace Also expose some of the new tweaks in lua: - (require ‘ffi’).C.the_worker.engine.net.tcp.user_timeout = 1000 - (require ‘ffi’).C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}

all packages:
- remove unused dependency on libedit (!1553)
deb packages:
- packages knot-resolver-core and knot-resolver-manager have been merged into a single knot-resolver6 package. Suffix packages knot-resolver-* have been renamed to knot-resolver6-*. This change _should_ be transparent, but please do let us know if you encounter any issues while updating. (!1549)
- package python3-prometheus-client is now only an optional dependency
rpm packages:
- packages knot-resolver-core and knot-resolver-manager have been merged into a single knot-resolver package. This change _should_ be transparent, but please do let us know if you encounter any issues while updating. (!1549)
- bugfix: do not overwrite config.yaml (!1525)
- package python3-prometheus_client is now only an optional dependency
arch package:
- fix after they renamed a dependency (!1536)

TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
manager: export metrics to JSON via management HTTP API (!1527) - JSON is the new default metrics output format - the prometheus-client Python package is now an optional dependency, required only for Prometheus export to work
cache: prefetching records - predict module: prefetching expiring records moved to prefetch module - prefetch module: new module to prefetch expiring records
stats: add separate metrics for IPv6 and IPv4 (!1545)
add the fresh DNSSEC root key “KSK-2024” already, Key ID 38696 (!1556)
manager: policy-loader: new component for separate loading of policy rules (!1540) The policy-loader ensures that configured policies are loaded into the rules database where they are made available to all running kresd workers. This loading is no longer done by all kresd workers as it was before, so this should significantly improve the resolver’s startup/reload time when loading large sets of policy rules, e.g. large RPZs.

cache: the cache.prediction configuration property has been reorganized into cache.prefetch.expiring and cache.prefetch.prediction, changing the default behaviour as well. See the relevant documentation section for more.
libknot <=3.2.x support is dropped (!1565)

arch package: fix after they renamed a dependency (!1536)
fix startup with dnssec: false (!1548)
rpm packages: do not overwrite config.yaml (!1525)
fix NSEC3 records missing in answer for positive wildcard expansion with the NSEC3 having over-limit iteration count (#910, !1550)
views: fix a bug in subnet matching (!1562)

fix listening by interface name containing dashes (#900, !1500)
fix kresctl http request timeout (!1505)
fix RPZ if it contains apex NS record (!1516)
fix RPZ if SOA is repated, as usual in AXFR output (!1521)
avoid RPZ overriding the root SOA (!1521)
fix on 32-bit systems with 64-bit time_t (!1510)
fix paths to knot-dns libs if exec_prefix != prefix (!1503)
manager: add missing early check that neither a custom port nor TLS is set for authoritative server forwarding (#902, !1505)

CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
- validator: lower the NSEC3 iteration limit (150 -> 50)
- validator: similarly also limit excessive NSEC3 salt length
- cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
- validator: limit the amount of work on SHA1 in NSEC3 proofs
- validator: refuse to validate answers with more than 8 NSEC3 records
CVE-2023-50387 “KeyTrap”: DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention.

6.0.x are “early access” versions, not generally recommended for production use.

6.0 contains biggest changes in the history of Knot Resolver releases. You will have to rewrite your configuration. See documentation, in particular: https://www.knot-resolver.cz/documentation/latest/upgrading-to-6.html