From 3d0386f27ca66379acf50199e1d1298386eeeeb8 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 02:55:53 +0200 Subject: Adding upstream version 3.2.1. Signed-off-by: Daniel Baumann --- NEWS | 701 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 701 insertions(+) create mode 100644 NEWS (limited to 'NEWS') diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..d54bb03 --- /dev/null +++ b/NEWS @@ -0,0 +1,701 @@ +Knot Resolver 3.2.1 (2019-01-10) +================================ + +Bugfixes +-------- +- trust_anchors: respect validity time range during TA bootstrap (!748) +- fix TLS rehandshake handling (!739) +- make TLS_FORWARD compatible with GnuTLS 3.3 (!741) +- special thanks to Grigorii Demidov for his long-term work on Knot Resolver! + +Improvements +------------ +- improve handling of timeouted outgoing TCP connections (!734) +- trust_anchors: check syntax of public keys in DNSKEY RRs (!748) +- validator: clarify message about bogus non-authoritative data (!735) +- dnssec validation failures contain more verbose reasoning (!735) +- new function trust_anchors.summary() describes state of DNSSEC TAs (!737), + and logs new state of trust anchors after start up and automatic changes +- trust anchors: refuse revoked DNSKEY even if specified explicitly, + and downgrade missing the SEP bit to a warning + + +Knot Resolver 3.2.0 (2018-12-17) +================================ + +New features +------------ +- module edns_keepalive to implement server side of RFC 7828 (#408) +- module nsid to implement server side of RFC 5001 (#289) +- module bogus_log provides .frequent() table (!629, credit Ulrich Wisser) +- module stats collects flags from answer messages (!629, credit Ulrich Wisser) +- module view supports multiple rules with identical address/TSIG specification + and keeps trying rules until a "non-chain" action is executed (!678) +- module experimental_dot_auth implements an DNS-over-TLS to auth protocol + (!711, credit Manu Bretelle) +- net.bpf bindings allow advanced users to use eBPF socket filters + +Bugfixes +-------- +- http module: only run prometheus in parent process if using --forks=N, + as the submodule collects metrics from all sub-processes as well. +- TLS fixes for corner cases (!700, !714, !716, !721, !728) +- fix build with -DNOVERBOSELOG (#424) +- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710) +- avoid SERVFAILs due to certain kind of NS dependency cycles, again + (#374) this time seen as 'circular dependency' in verbose logs +- policy and view modules do not overwrite result finished requests (!678) + +Improvements +------------ +- Dockerfile: rework, basing on Debian instead of Alpine +- policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6 + when choosing whom to ask, just as for iteration +- use pseudo-randomness from gnutls instead of internal ISAAC (#233) +- tune the way we deal with non-responsive servers (!716, !723) +- documentation clarifies interaction between policy and view modules (!678, !730) + +Module API changes +------------------ +- new layer is added: answer_finalize +- kr_request keeps ::qsource.packet beyond the begin layer +- kr_request::qsource.tcp renamed to ::qsource.flags.tcp +- kr_request::has_tls renamed to ::qsource.flags.tls +- kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly + + +Knot Resolver 3.1.0 (2018-11-02) +================================ + +Incompatible changes +-------------------- +- hints.use_nodata(true) by default; that's what most users want +- libknot >= 2.7.2 is required + +Improvements +------------ +- cache: handle out-of-space SIGBUS slightly better (#197) +- daemon: improve TCP timeout handling (!686) + +Bugfixes +-------- +- cache.clear('name'): fix some edge cases in API (#401) +- fix error handling from TLS writes (!669) +- avoid SERVFAILs due to certain kind of NS dependency cycles (#374) + + +Knot Resolver 3.0.0 (2018-08-20) +================================ + +Incompatible changes +-------------------- +- cache: fail lua operations if cache isn't open yet (!639) + By default cache is opened *after* reading the configuration, + and older versions were silently ignoring cache operations. + Valid configuration must open cache using `cache.open()` or `cache.size =` + before executing cache operations like `cache.clear()`. +- libknot >= 2.7.1 is required, which brings also larger API changes +- in case you wrote custom Lua modules, please consult + https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-changes-since-3-0-0 +- in case you wrote custom C modules, please see compile against + Knot DNS 2.7 and adjust your module according to messages from C compiler +- DNS cookie module (RFC 7873) is not available in this release, + it will be later reworked to reflect development in IEFT dnsop working group +- version module was permanently removed because it was not really used by users; + if you want to receive notifications abou new releases please subscribe to + https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce + +Bugfixes +-------- +- fix multi-process race condition in trust anchor maintenance (!643) +- ta_sentinel: also consider static trust anchors not managed via RFC 5011 + +Improvements +------------ +- reorder_RR() implementation is brought back +- bring in performace improvements provided by libknot 2.7 +- cache.clear() has a new, more powerful API +- cache documentation was improved +- old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver" + to prevent confusion with "Knot DNS" authoritative server + + +Knot Resolver 2.4.1 (2018-08-02) +================================ + +Security +-------- +- fix CVE-2018-10920: Improper input validation bug in DNS resolver component + (security!7, security!9) + +Bugfixes +-------- +- cache: fix TTL overflow in packet due to min_ttl (#388, security!8) +- TLS session resumption: avoid bad scheduling of rotation (#385) +- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632) +- cache: NSEC3 negative cache even without NS record (#384) + This fixes lower hit rate in NSEC3 zones (since 2.4.0). +- minor TCP and TLS fixes (!623, !624, !626) + + +Knot Resolver 2.4.0 (2018-07-03) +================================ + +Incompatible changes +-------------------- +- minimal libknot version is now 2.6.7 to pull in latest fixes (#366) + +Security +-------- +- fix a rare case of zones incorrectly dowgraded to insecure status (!576) + +New features +------------ +- TLS session resumption (RFC 5077), both server and client (!585, #105) + (disabled when compiling with gnutls < 3.5) +- TLS_FORWARD policy uses system CA certificate store by default (!568) +- aggressive caching for NSEC3 zones (!600) +- optional protection from DNS Rebinding attack (module rebinding, !608) +- module bogus_log to log DNSSEC bogus queries without verbose logging (!613) + +Bugfixes +-------- +- prefill: fix ability to read certificate bundle (!578) +- avoid turning off qname minimization in some cases, e.g. co.uk. (#339) +- fix validation of explicit wildcard queries (#274) +- dns64 module: more properties from the RFC implemented (incl. bug #375) + +Improvements +------------ +- systemd: multiple enabled kresd instances can now be started using kresd.target +- ta_sentinel: switch to version 14 of the RFC draft (!596) +- support for glibc systems with a non-Linux kernel (!588) +- support per-request variables for Lua modules (!533) +- support custom HTTP endpoints for Lua modules (!527) + + +Knot Resolver 2.3.0 (2018-04-23) +================================ + +Security +-------- +- fix CVE-2018-1110: denial of service triggered by malformed DNS messages + (!550, !558, security!2, security!4) +- increase resilience against slow lorris attack (security!5) + +New features +------------ +- new policy.REFUSE to reply REFUSED to clients + +Bugfixes +-------- +- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538) +- validation: fix SERVFAIL for DS . query (!544) +- lib/resolve: don't send unecessary queries to parent zone (!513) +- iterate: fix validation for zones where parent and child share NS (!543) +- TLS: improve error handling and documentation (!536, !555, !559) + +Improvements +------------ +- prefill: new module to periodically import root zone into cache + (replacement for RFC 7706, !511) +- network_listen_fd: always create end point for supervisor supplied file descriptor +- use CPPFLAGS build environment variable if set (!547) + + +Knot Resolver 2.2.0 (2018-03-28) +================================ + +New features +------------ +- cache server unavailability to prevent flooding unreachable servers + (Please note that caching algorithm needs further optimization + and will change in further versions but we need to gather operational + experience first.) + +Bugfixes +-------- +- don't magically -D_FORTIFY_SOURCE=2 in some cases +- allow large responses for outbound over TCP +- fix crash with RR sets with over 255 records + + +Knot Resolver 2.1.1 (2018-02-23) +================================ + +Bugfixes +-------- +- when iterating, avoid unnecessary queries for NS in insecure parent. + This problem worsened in 2.0.0. (#246) +- prevent UDP packet leaks when using TLS forwarding +- fix the hints module also on some other systems, e.g. Gentoo. + + +Knot Resolver 2.1.0 (2018-02-16) +================================ + +Incompatible changes +-------------------- +- stats: remove tracking of expiring records (predict uses another way) +- systemd: re-use a single kresd.socket and kresd-tls.socket +- ta_sentinel: implement protocol draft-ietf-dnsop-kskroll-sentinel-01 + (our draft-ietf-dnsop-kskroll-sentinel-00 implementation had inverted logic) +- libknot: require version 2.6.4 or newer to get bugfixes for DNS-over-TLS + +Bugfixes +-------- +- detect_time_jump module: don't clear cache on suspend-resume (#284) +- stats module: fix stats.list() returning nothing, regressed in 2.0.0 +- policy.TLS_FORWARD: refusal when configuring with multiple IPs (#306) +- cache: fix broken refresh of insecure records that were about to expire +- fix the hints module on some systems, e.g. Fedora (came back on 2.0.0) +- build with older gnutls (conditionally disable features) +- fix the predict module to work with insecure records & cleanup code + + +Knot Resolver 2.0.0 (2018-01-31) +================================ + +Incompatible changes +-------------------- +- systemd: change unit files to allow running multiple instances, + deployments with single instance now must use `kresd@1.service` + instead of `kresd.service`; see kresd.systemd(7) for details +- systemd: the directory for cache is now /var/cache/knot-resolver +- unify default directory and user to `knot-resolver` +- directory with trust anchor file specified by -k option must be writeable +- policy module is now loaded by default to enforce RFC 6761; + see documentation for policy.PASS if you use locally-served DNS zones +- drop support for alternative cache backends memcached, redis, + and for Lua bindings for some specific cache operations +- REORDER_RR option is not implemented (temporarily) + +New features +------------ +- aggressive caching of validated records (RFC 8198) for NSEC zones; + thanks to ICANN for sponsoring this work. +- forwarding over TLS, authenticated by SPKI pin or certificate. + policy.TLS_FORWARD pipelines queries out-of-order over shared TLS connection + Beware: Some resolvers do not support out-of-order query processing. + TLS forwarding to such resolvers will lead to slower resolution or failures. +- trust anchors: you may specify a read-only file via -K or --keyfile-ro +- trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only) +- ta_sentinel module implements draft ietf-dnsop-kskroll-sentinel-00, + enabled by default +- serve_stale module is prototype, subject to change +- extended API for Lua modules + +Bugfixes +-------- +- fix build on osx - regressed in 1.5.3 (different linker option name) + + +Knot Resolver 1.5.3 (2018-01-23) +================================ + +Bugfixes +-------- +- fix the hints module on some systems, e.g. Fedora. + Symptom: `undefined symbol: engine_hint_root_file` + + +Knot Resolver 1.5.2 (2018-01-22) +================================ + +Security +-------- +- fix CVE-2018-1000002: insufficient DNSSEC validation, allowing + attackers to deny existence of some data by forging packets. + Some combinations pointed out in RFC 6840 sections 4.1 and 4.3 + were not taken into account. + +Bugfixes +-------- +- memcached: fix fallout from module rename in 1.5.1 + + +Knot Resolver 1.5.1 (2017-12-12) +================================ + +Incompatible changes +-------------------- +- script supervisor.py was removed, please migrate to a real process manager +- module ketcd was renamed to etcd for consistency +- module kmemcached was renamed to memcached for consistency + +Bugfixes +-------- +- fix SIGPIPE crashes (#271) +- tests: work around out-of-space for platforms with larger memory pages +- lua: fix mistakes in bindings affecting 1.4.0 and 1.5.0 (and 1.99.1-alpha), + potentially causing problems in dns64 and workarounds modules +- predict module: various fixes (!399) + +Improvements +------------ +- add priming module to implement RFC 8109, enabled by default (#220) +- add modules helping with system time problems, enabled by default; + for details see documentation of detect_time_skew and detect_time_jump + + +Knot Resolver 1.5.0 (2017-11-02) +================================ + +Bugfixes +-------- +- fix loading modules on Darwin + +Improvements +------------ +- new module ta_signal_query supporting Signaling Trust Anchor Knowledge + using Keytag Query (RFC 8145 section 5); it is enabled by default +- attempt validation for more records but require it for fewer of them + (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs) + + +Knot Resolver 1.99.1-alpha (2017-10-26) +======================================= +This is an experimental release meant for testing aggressive caching. +It contains some regressions and might (theoretically) be even vulnerable. +The current focus is to minimize queries into the root zone. + +Improvements +------------ +- negative answers from validated NSEC (NXDOMAIN, NODATA) +- verbose log is very chatty around cache operations (maybe too much) + +Regressions +----------- +- dropped support for alternative cache backends + and for some specific cache operations +- caching doesn't yet work for various cases: + * negative answers without NSEC (i.e. with NSEC3 or insecure) + * +cd queries (needs other internal changes) + * positive wildcard answers +- spurious SERVFAIL on specific combinations of cached records, printing: + <= bad keys, broken trust chain +- make check +- a few Deckard tests are broken, probably due to some problems above +- also unknown ones? + + + +Knot Resolver 1.4.0 (2017-09-22) +================================ + +Incompatible changes +-------------------- +- lua: query flag-sets are no longer represented as plain integers. + kres.query.* no longer works, and kr_query_t lost trivial methods + 'hasflag' and 'resolved'. + You can instead write code like qry.flags.NO_0X20 = true. + +Bugfixes +-------- +- fix exiting one of multiple forks (#150) +- cache: change the way of using LMDB transactions. That in particular + fixes some cases of using too much space with multiple kresd forks (#240). + +Improvements +------------ +- policy.suffix: update the aho-corasick code (#200) +- root hints are now loaded from a zonefile; exposed as hints.root_file(). + You can override the path by defining ROOTHINTS during compilation. +- policy.FORWARD: work around resolvers adding unsigned NS records (#248) +- reduce unneeded records previously put into authority in wildcarded answers + + +Knot Resolver 1.3.3 (2017-08-09) +================================ + +Security +-------- +- Fix a critical DNSSEC flaw. Signatures might be accepted as valid + even if the signed data was not in bailiwick of the DNSKEY used to + sign it, assuming the trust chain to that DNSKEY was valid. + +Bugfixes +-------- +- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL +- utils: fix possible incorrect seeding of the random generator +- modules/http: fix compatibility with the Prometheus text format + +Improvements +------------ +- policy: implement remaining special-use domain names from RFC6761 (#205), + and make these rules apply only if no other non-chain rule applies + + +Knot Resolver 1.3.2 (2017-07-28) +================================ + +Security +-------- +- fix possible opportunities to use insecure data from cache as keys + for validation + +Bugfixes +-------- +- daemon: check existence of config file even if rundir isn't specified +- policy.FORWARD and STUB: use RTT tracking to choose servers (#125, #208) +- dns64: fix CNAME problems (#203) It still won't work with policy.STUB. +- hints: better interpretation of hosts-like files (#204) + also, error out if a bad entry is encountered in the file +- dnssec: handle unknown DNSKEY/DS algorithms (#210) +- predict: fix the module, broken since 1.2.0 (#154) + +Improvements +------------ +- embedded LMDB fallback: update 0.9.18 -> 0.9.21 + + +Knot Resolver 1.3.1 (2017-06-23) +================================ + +Bugfixes +-------- +- modules/http: fix finding the static files (bug from 1.3.0) +- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts + + +Knot Resolver 1.3.0 (2017-06-13) +================================ + +Security +-------- +- Refactor handling of AD flag and security status of resource records. + In some cases it was possible for secure domains to get cached as + insecure, even for a TLD, leading to disabled validation. + It also fixes answering with non-authoritative data about nameservers. + +Improvements +------------ +- major feature: support for forwarding with validation (#112). + The old policy.FORWARD action now does that; the previous non-validating + mode is still available as policy.STUB except that also uses caching (#122). +- command line: specify ports via @ but still support # for compatibility +- policy: recognize 100.64.0.0/10 as local addresses +- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily + retry with other NSs while avoiding retrying with those who REFUSED +- modules: allow changing the directory where modules are found, + and do not search the default library path anymore. + +Bugfixes +-------- +- validate: fix insufficient caching for some cases (relatively rare) +- avoid putting "duplicate" record-sets into the answer (#198) + + +Knot Resolver 1.2.6 (2017-04-24) +================================ + +Security +-------- +- dnssec: don't set AD flag for NODATA answers if wildcard non-existence + is not guaranteed due to opt-out in NSEC3 + +Improvements +------------ +- layer/iterate: don't retry repeatedly if REFUSED + +Bugfixes +-------- +- lib/nsrep: revert some changes to NS reputation tracking that caused + severe problems to some users of 1.2.5 (#178 and #179) +- dnssec: fix verification of wildcarded non-singleton RRsets +- dnssec: allow wildcards located directly under the root +- layer/rrcache: avoid putting answer records into queries in some cases + + +Knot Resolver 1.2.5 (2017-04-05) +================================ + +Security +-------- +- layer/validate: clear AD if closest encloser proof has opt-outed + NSEC3 (#169) +- layer/validate: check if NSEC3 records in wildcard expansion proof + has an opt-out +- dnssec/nsec: missed wildcard no-data answers validation has been + implemented + +Improvements +------------ +- modules/dnstap: a DNSTAP support module + (Contributed by Vicky Shrestha) +- modules/workarounds: a module adding workarounds for known + DNS protocol violators +- layer/iterate: fix logging of glue addresses +- kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view + and renumber modules. +- modules/padding: Improve default padding of responses + (Contributed by Daniel Kahn Gillmor) +- New kresc client utility (experimental; don't rely on the API yet) + +Bugfixes +-------- +- trust anchors: Improve trust anchors storage format (#167) +- trust anchors: support non-root TAs, one domain per file +- policy.DENY: set AA flag and clear AD flag +- lib/resolve: avoid unnecessary DS queries +- lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timeouted +- layer/iterate: During packet classification (answer vs. referral) + don't analyze AUTHORITY section in authoritative answer if ANSWER + section contains records that have been requested + + +Knot Resolver 1.2.4 (2017-03-09) +================================ + +Security +-------- +- Knot Resolver 1.2.0 and higher could return AD flag for insecure + answer if the daemon received answer with invalid RRSIG several + times in a row. + +Improvements +------------ +- modules/policy: allow QTRACE policy to be chained with other + policies +- hints.add_hosts(path): a new property +- module: document the API and simplify the code +- policy.MIRROR: support IPv6 link-local addresses +- policy.FORWARD: support IPv6 link-local addresses +- add net.outgoing_{v4,v6} to allow specifying address to use for + connections + +Bugfixes +-------- +- layer/iterate: some improvements in cname chain unrolling +- layer/validate: fix duplicate records in AUTHORITY section in case + of WC expansion proof +- lua: do *not* truncate cache size to unsigned +- forwarding mode: correctly forward +cd flag +- fix a potential memory leak +- don't treat answers that contain DS non-existance proof as insecure +- don't store NSEC3 and their signatures in the cache +- layer/iterate: when processing delegations, check if qname is at or + below new authority + + +Knot Resolver 1.2.3 (2017-02-23) +================================ + +Bugfixes +-------- +- Disable storing GLUE records into the cache even in the + (non-default) QUERY_PERMISSIVE mode +- iterate: skip answer RRs that don't match the query +- layer/iterate: some additional processing for referrals +- lib/resolve: zonecut fetching error was fixed + + +Knot Resolver 1.2.2 (2017-02-10) +================================ + +Bugfixes: +--------- +- Fix -k argument processing to avoid out-of-bounds memory accesses +- lib/resolve: fix zonecut fetching for explicit DS queries +- hints: more NULL checks +- Fix TA bootstrapping for multiple TAs in the IANA XML file + +Testing: +-------- +- Update tests to run tests with and without QNAME minimization + + +Knot Resolver 1.2.1 (2017-02-01) +==================================== + +Security: +--------- +- Under certain conditions, a cached negative answer from a CD query + would be reused to construct response for non-CD queries, resulting + in Insecure status instead of Bogus. Only 1.2.0 release was affected. + +Documentation +------------- +- Update the typo in the documentation: The query trace policy is + named policy.QTRACE (and not policy.TRACE) + +Bugfixes: +--------- +- lua: make the map command check its arguments + + +Knot Resolver 1.2.0 (2017-01-24) +==================================== + +Security: +--------- +- In a policy.FORWARD() mode, the AD flag was being always set by mistake. + It is now cleared, as the policy.FORWARD() doesn't do DNSSEC validation yet. + +Improvements: +------------- +- The DNSSEC Validation has been refactored, fixing many resolving + failures. +- Add module `version` that checks for updates and CVEs periodically. +- Support RFC7830: EDNS(0) padding in responses over TLS. +- Support CD flag on incoming requests. +- hints module: previously /etc/hosts was loaded by default, but not anymore. + Users can now actually avoid loading any file. +- DNS over TLS now creates ephemeral certs. +- Configurable cache.{min,max}_tll option, with max_ttl defaulting to 6 days. +- Option to reorder RRs in the response. +- New policy.QTRACE policy to print packet contents + +Bugfixes: +--------- +- Trust Anchor configuration is now more robust. +- Correctly answer NOTIMPL for meta-types and non-IN RR classes. +- Free TCP buffer on cancelled connection. +- Fix crash in hints module on empty hints file, and fix non-lowercase hints. + +Miscellaneous: +-------------- +- It now requires knot >= 2.3.1 to link successfully. +- The API+ABI for modules changed slightly. +- New LRU implementation. + + +Knot Resolver 1.1.1 (2016-08-24) +================================ + +Bugfixes: +--------- + - Fix 0x20 randomization with retransmit + - Fix pass-through for the stub mode + - Fix the root hints IPv6 addresses + - Fix dst addr for retries over TCP + +Improvements: +------------- + - Track RTT of all tried servers for faster retransmit + - DAF: Allow forwarding to custom port + - systemd: Read EnvironmentFile and user $KRESD_ARGS + - systemd: Update systemd units to be named after daemon + + +Knot Resolver 1.1.0 (2016-08-12) +================================ + +Improvements: +------------- + - RFC7873 DNS Cookies + - RFC7858 DNS over TLS + - HTTP/2 web interface, RESTful API + - Metrics exported in Prometheus + - DNS firewall module + - Explicit CNAME target fetching in strict mode + - Query minimisation improvements + - Improved integration with systemd + + +Knot Resolver 1.0.0 (2016-05-30) +================================ + +Initial release: +---------------- + - The first initial release -- cgit v1.2.3