Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 1359 |
1 files changed, 1359 insertions, 0 deletions
@@ -0,0 +1,1359 @@ +Knot Resolver 5.7.1 (2024-02-13) +================================ + +Security +-------- +- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + +- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity + could be exploited to exhaust CPU resources and stall DNS resolvers. + Solution boils down mainly to limiting crypto-validations per packet. + + We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner + from the German National Research Center for Applied Cybersecurity ATHENE + for bringing this vulnerability to our attention. + +Improvements +------------ +- update addresses of B.root-servers.net (!1478) + +Bugfixes +-------- +- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880) + + +Knot Resolver 5.7.0 (2023-08-22) +================================ + +Security +-------- +- avoid excessive TCP reconnections in a few more cases (!1448) + Like before, the remote server had to behave nonsensically in order + to inflict this upon itself, but it might be abusable for DoS. + + We thank Ivan Jedek from OryxLabs for reporting this. + CVE-2023-46317 got later assigned to this issue. + +Improvements +------------ +- forwarding mode: tweak dealing with failures from forwarders, + in particular prefer sending CD=0 upstream (!1392) + +Bugfixes +-------- +- fix unusual timestamp format in debug dumps of records (!1386) +- adjust linker options; it should help less common platforms (!1384) +- hints module: fix names inside home.arpa. 
(!1406) +- EDNS padding (RFC 8467) compatibility with knot-dns 3.3 libs (!1422) + + +Knot Resolver 5.6.0 (2023-01-26) +================================ + +Security +-------- +- avoid excessive TCP reconnections in some cases (!1380) + For example, a DNS server that just closes connections without answer + could cause lots of work for the resolver (and itself, too). + The number of connections could be up to around 100 per client's query. + + We thank Xiang Li from NISL Lab, Tsinghua University, + and Xuesong Bai and Qifan Zhang from DSP Lab, UCI. + +Improvements +------------ +- daemon: feed server selection with more kinds of bad-answer events (!1380) +- cache.max_ttl(): lower the default from six days to one day + and apply both limits to the first uncached answer already (!1323 #127) +- depend on jemalloc, preferably, to improve memory usage (!1353) +- no longer accept DNS messages with trailing data (!1365) +- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364) +- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364) + +Bugfixes +-------- +- policy.DEBUG_IF: don't print client's packet unconditionally (!1366) + + +Knot Resolver 5.5.3 (2022-09-21) +================================ + +Security +-------- +- fix CPU-expensive DoS by malicious domains - CVE-2022-40188 + +Improvements +------------ +- fix config_tests on macOS (both HW variants) + + +Knot Resolver 5.5.2 (2022-08-16) +================================ + +Improvements +------------ +- support libknot 3.2 (!1309) +- priming module: hide failures from the default log level (!1310) +- reduce memory usage in some cases (!1328) + +Bugfixes +-------- +- daemon/http: improve URI checks to fix some proxies (#746, !1311) +- daemon/tls: fix a double-free for some cases of policy.TLS_FORWARD (!1314) +- hints module: improve parsing comments in hosts files (!1315) +- renumber module: fix renumbering with name matching again (#760, !1334) + + +Knot Resolver 5.5.1 (2022-06-14) 
+================================ + +Improvements +------------ +- daemon/tls: disable TLS resumption via tickets for TLS <= 1.2 (#742, !1295) +- daemon/http: DoH now responds with proper HTTP codes (#728, !1279) +- renumber module: allow rewriting subnet to a single IP (!1302) +- renumber module: allow arbitrary netmask (!1306) +- nameserver selection algorithm: improve IPv6 avoidance if broken (!1298) + +Bugfixes +-------- +- modules/dns64: fix incorrect packet writes for cached packets (#727, !1275) +- xdp: make it work also with libknot 3.1 (#735, !1276) +- prefill module: fix lockup when starting multiple idle instances (!1285) +- validator: fix some failing negative NSEC proofs (!1294, #738, #443) + + +Knot Resolver 5.5.0 (2022-03-15) +================================ + +Improvements +------------ +- extended_errors: module for extended DNS error support, RFC8914 (!1234) +- policy: log policy actions; useful for RPZ debugging (!1239) +- policy: new action policy.IPTRACE for logging request origin (!1239) +- prefill module: prepare for ZONEMD, improve performance (!1225) +- validator: conditionally ignore SHA1 DS, as SHOULD by RFC4509 (!1251) +- lib/resolve: use EDNS padding for outgoing TLS queries (!1254) +- support for PROXYv2 protocol (!1238) +- lib/resolve, policy: new NO_ANSWER flag for not responding to clients (!1257) + +Incompatible changes +-------------------- +- libknot >= 3.0.2 is required + +Bugfixes +-------- +- doh2: fix CORS by adding `access-control-allow-origin: *` (!1246) +- net: fix listen by interface - add interface suffix to link-local IPv6 (!1253) +- daemon/tls: fix resumption for outgoing TLS (e.g. TLS_FORWARD) (!1261) +- nameserver selection: fix interaction of timeouts with reboots (#722, !1269) + + +Knot Resolver 5.4.4 (2022-01-05) +================================ + +Bugfixes +-------- +- fix bad zone cut update in certain cases (e.g. 
AWS; !1237) + + +Knot Resolver 5.4.3 (2021-12-01) +================================ + +Improvements +------------ +- lua: add kres.parse_rdata() to parse RDATA from string to wire format (!1233) +- lua: add policy.domains() for exact domain name matching (!1228) + +Bugfixes +-------- +- policy.rpz: fix origin detection in files without $ORIGIN (!1215) +- lua: log() works again; broken in 5.4.2 (!1223) +- policy: correctly include EDNS0 previously omitted by some actions (!1230) +- edns_keepalive: module is now properly loaded (!1229, thanks Josh Soref!) + + +Knot Resolver 5.4.2 (2021-10-13) +================================ + +Improvements +------------ +- dns64 module: also map the reverse (PTR) subtree (#478, !1201) +- dns64 module: allow disabling based on client address (#368, !1201) +- dns64 module: allow configuring AAAA subnets not allowed in answer (!1201) +- nameserver selection algorithm: improve IPv6 avoidance if broken (!1207) + +Bugfixes +-------- +- lua: log() output is visible with default log level again (!1208) +- build: fix when knot-dns headers are on non-standard location (!1210) + + +Knot Resolver 5.4.1 (2021-08-19) +================================ + +Improvements +------------ +- docker: base image on Debian 11 (!1203) + +Bugfixes +-------- +- fix build without doh2 support after 5.4.0 (!1197) +- fix policy.DEBUG* logging and -V/--version after 5.4.0 (!1199) +- doh2: ensure memory from unsent streams is freed (!1202) + + +Knot Resolver 5.4.0 (2021-07-29) +================================ + +Improvements +------------ +- fine grained logging and syslog support (!1181) +- expose HTTP headers for processing DoH requests (!1165) +- improve assertion mechanism for debugging (!1146) +- support apkg tool for packaging workflow (!1178) +- support Knot DNS 3.1 (!1192, !1194) + +Bugfixes +-------- +- trust_anchors.set_insecure: improve precision (#673, !1177) +- plug memory leaks related to TCP (!1182) +- policy.FLAGS: fix not applying properly in edge 
cases (!1179) +- fix a crash with older libuv inside timer processing (!1195) + +Incompatible changes +-------------------- +- see upgrading guide: + https://knot-resolver.readthedocs.io/en/stable/upgrading.html#to-5-4 +- legacy DoH implementation configuration in net.listen() was renamed from + kind="doh" to kind="doh_legacy" (!1180) + + +Knot Resolver 5.3.2 (2021-05-05) +================================ + +Security +-------- +- validator: fix 5.3.1 regression on over-limit NSEC3 edge case (!1169) + Assertion might be triggered by query/answer, potentially DoS. + CVE-2021-40083 was later assigned. + +Improvements +------------ +- cache: improve handling write errors from LMDB (!1159) +- doh2: improve handling of stream errors (!1164) + +Bugfixes +-------- +- dnstap module: fix repeated configuration (!1168) +- validator: fix SERVFAIL for some rare dynamic proofs (!1166) +- fix SIGBUS on uncommon ARM machines (unaligned access; !1167, #426) +- cache: better resilience on abnormal termination/restarts (!1172) +- doh2: fix memleak on stream write failures (!1161) + + +Knot Resolver 5.3.1 (2021-03-31) +================================ + +Improvements +------------ +- policy.STUB: try to avoid TCP (compared to 5.3.0; !1155) +- validator: downgrade NSEC3 records with too many iterations (>150; !1160) +- additional improvements to nameserver selection algorithm (!1154, !1150) + +Bugfixes +-------- +- dnstap module: don't break request resolution on dnstap errors (!1147) +- cache garbage collector: fix crashes introduced in 5.3.0 (!1153) +- policy.TLS_FORWARD: better avoid dead addresses (#671, !1156) + + +Knot Resolver 5.3.0 (2021-02-25) +================================ + +Improvements +------------ +- more consistency in using parent-side records for NS addresses (!1097) +- better algorithm for choosing nameservers (!1030, !1126, !1140, !1141, !1143) +- daf module: add daf.clear() (!1114) +- dnstap module: more features and don't log internal requests (!1103) +- dnstap 
module: include in upstream packages and Docker image (!1110, !1118) +- randomize record order by default, i.e. reorder_RR(true) (!1124) +- prometheus module: transform graphite tags into prometheus labels (!1109) +- avoid excessive logging of UDP replies with sendmmsg (!1138) + +Bugfixes +-------- +- view: fail config if bad subnet is specified (!1112) +- doh2: fix memory leak (!1117) +- policy.ANSWER: minor fixes, mainly around NODATA answers (!1129) +- http, watchdog modules: fix stability problems (!1136) + +Incompatible changes +-------------------- +- dnstap module: `log_responses` option gets nested under `client`; + see new docs for config example (!1103) +- libknot >= 2.9 is required + + +Knot Resolver 5.2.1 (2020-12-09) +================================ + +Improvements +------------ +- doh2: send Cache-Control header with TTL (#617, !1095) + +Bugfixes +-------- +- fix map() command on 32-bit platforms; regressed in 5.2.0 (!1093) +- doh2: restrict endpoints to doh and dns-query (#636, !1104) +- renumber: map to correct subnet when using multiple rules (!1107) + + +Knot Resolver 5.2.0 (2020-11-11) +================================ + +Improvements +------------ +- doh2: add native C module for DNS-over-HTTPS (#600, !997) +- xdp: add server-side XDP support for higher UDP performance (#533, !1083) +- lower default EDNS buffer size to 1232 bytes (#538, #300, !920); + see https://www.dnsflagday.net/2020/ +- net: split the EDNS buffer size into upstream and downstream (!1026) +- lua-http doh: answer to /dns-query endpoint as well as /doh (!1069) +- improve resiliency against UDP fragmentation attacks (disable PMTUD) (!1061) +- ta_update: warn if there are differences between statically configured + keys and upstream (#251, !1051) +- human readable output in interactive mode was improved +- doc: generate info page (!1079) +- packaging: improve sysusers and tmpfiles support (!1080) + +Bugfixes +-------- +- avoid an assert() error in stash_rrset() (!1072) +- fix 
emergency cache locking bug introduced in 5.1.3 (!1078) +- migrate map() command to control sockets; fix systemd integration (!1000) +- fix crash when sending back errors over control socket (!1000) +- fix SERVFAIL while processing forwarded CNAME to a sibling zone (#614, !1070) + +Incompatible changes +-------------------- +- see upgrading guide: + https://knot-resolver.readthedocs.io/en/stable/upgrading.html#to-5-2 +- minor changes in module API +- control socket API commands have to be terminated by "\n" +- graphite: default prefix now contains instance identifier (!1000) +- build: meson >= 0.49 is required (!1082) + + +Knot Resolver 5.1.3 (2020-09-08) +================================ + +Improvements +------------ +- capabilities are no longer constrained when running as root (!1012) +- cache: add percentage usage to cache.stats() (#580, !1025) +- cache: add number of cache entries to cache.stats() (#510, !1028) +- aarch64 support again, as some systems still didn't work (!1033) +- support building against Knot DNS 3.0 (!1053) + +Bugfixes +-------- +- tls: fix compilation to support net.tls_sticket_secret() (!1021) +- validator: ignore bogus RRSIGs present in insecure domains (!1022, #587) +- build if libsystemd version isn't detected as integer (#592, !1029) +- validator: more robust reaction on missing RRSIGs (#390, !1020) +- ta_update module: fix broken RFC5011 rollover (!1035) +- garbage collector: avoid keeping multiple copies of cache (!1042) + + +Knot Resolver 5.1.2 (2020-07-01) +================================ + +Bugfixes +-------- +- hints module: NODATA answers also for non-address queries (!1005) +- tls: send alert to peer if handshake fails (!1007) +- cache: fix interaction between LMDB locks and preallocation (!1013) +- cache garbage collector: fix flushing of messages to logs (!1009) +- cache garbage collector: fix insufficient GC on 32-bit systems (!1009) +- graphite module: do not block resolver on TCP failures (!1014) +- policy.rpz various 
fixes (!1016): $ORIGIN issues, + precision of warnings, allow answering with multi-RR sets + + +Knot Resolver 5.1.1 (2020-05-19) +================================ + +Security +-------- +- fix CVE-2020-12667: mitigation for NXNSAttack DNS protocol vulnerability + +Bugfixes +-------- +- control sockets: recognize newline as command boundary + + +Knot Resolver 5.1.0 (2020-04-29) +================================ + +Improvements +------------ +- cache garbage collector: reduce filesystem operations when idle (!946) +- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging (!957) +- daemon: improve TCP query latency under heavy TCP load (!968) +- add policy.ANSWER action (!964, #192) +- policy.rpz support fake A/AAAA (!964, #194) + +Bugfixes +-------- +- cache: missing filesystem support for pre-allocation is no longer fatal (#549) +- lua: policy.rpz() no longer watches the file when watch is set to false (!954) +- fix a strict aliasing problem that might've lead to "miscompilation" (!962) +- fix handling of DNAMEs, especially signed ones (#234, !965) +- lua resolve(): correctly include EDNS0 in the virtual packet (!963) + Custom modules might have been confused by that. 
+- do not leak bogus data into SERVFAIL answers (#396) +- improve random Lua number generator initialization (!979) +- cache: fix CNAME caching when validation is disabled (#472, !974) +- cache: fix CNAME caching in policy.STUB mode (!974) +- prefill: fix crash caused by race condition with resolver startup (!983) +- webmgmt: use javascript scheme detection for websockets' protocol (#546) +- daf module: fix del(), deny(), drop(), tc(), pass() functions (#553, !966) +- policy and daf modules: expose initial query when evaluating postrules (#556) +- cache: fix some cases of caching answers over 4 KiB (!976) +- docs: support sphinx 3.0.0+ (!978) + +Incompatible changes +-------------------- +- minor changes in module API; see upgrading guide: + https://knot-resolver.readthedocs.io/en/stable/upgrading.html + + +Knot Resolver 5.0.1 (2020-02-05) +================================ + +Bugfixes +-------- +- systemd: use correct cache location for garbage collector (#543) + +Improvements +------------ +- cache: add cache.fssize() lua function to configure entire free disk space on + dedicated cache partition (#524, !932) + + +Knot Resolver 5.0.0 (2020-01-27) +================================ + +Incompatible changes +-------------------- +- see upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html +- systemd sockets are no longer supported (#485) +- net.listen() throws an error if it fails to bind; use freebind option if needed +- control socket location has changed (!922) +- -f/--forks is deprecated (#529, !919) + +Improvements +------------ +- logging: control-socket commands don't log unless --verbose (#528) +- use SO_REUSEPORT_LB if available (FreeBSD 12.0+) +- lua: remove dependency on lua-socket and lua-sec, used lua-http and cqueues (#512, #521, !894) +- lua: remove dependency on lua-filesystem (#520, !912) +- net.listen(): allow binding to non-local address with freebind option (!898) +- cache: pre-allocate the file to avoid SIGBUS later (not 
macOS; !917, #525) +- lua: be stricter around nonsense returned from modules (!901) +- user documentation was reorganized and extended (!900, !867) +- multiple config files can be used with --config/-c option (!909) +- lua: stop trying to tweak lua's GC (!201) +- systemd: add SYSTEMD_INSTANCE env variable to identify different instances (!906) + +Bugfixes +-------- +- correctly use EDNS(0) padding in failed answers (!921) +- policy and daf modules: fix postrules and reroute rules (!901) +- renumber module: don't accidentally zero-out request's .state (!901) + + +Knot Resolver 4.3.0 (2019-12-04) +================================ + +Security - CVE-2019-19331 +------------------------- +- fix speed of processing large RRsets (DoS, #518) +- improve CNAME chain length accounting (DoS, !899) + +Bugfixes +-------- +- http module: use SO_REUSEPORT (!879) +- systemd: kresd@.service now properly starts after network interfaces + have been configured with IP addresses after reboot (!884) +- sendmmsg: improve reliability (!704) +- cache: fix crash on insertion via lua for NS and CNAME (!889) +- rpm package: move root.keys to /var/lib/knot-resolver (#513, !888) + +Improvements +------------ +- increase file-descriptor count limit to maximum allowed value (hard limit; !876) +- watchdog module: support testing a DNS query (and switch C -> lua; !878, !881) +- performance: use sendmmsg syscall towards clients by default (!877) +- performance: avoid excessive getsockname() syscalls (!854) +- performance: lua-related improvements (!874) +- daemon now attempts to drop all capabilities (!896) +- reduce CNAME chain length limit - now <= 12 (!899) + + +Knot Resolver 4.2.2 (2019-10-07) +================================ + +Bugfixes +-------- +- lua bindings: fix a 4.2.1 regression on 32-bit systems (#514) + which also fixes libknot 2.9 support on all systems + + +Knot Resolver 4.2.1 (2019-09-26) +================================ + +Bugfixes +-------- +- rebinding module: fix handling some 
requests, respect ALLOW_LOCAL flag +- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860) + (regression since 4.1.0 release, in less common cases) +- prefill module: allow a different module-loading style (#506) +- validation: trim TTLs by RRSIG's expiration and original TTL (#319, #504) +- NS choice algorithm: fix a regression since 4.0.0 (#497, !868) +- policy: special domains home.arpa. and local. get NXDOMAIN (!855) + +Improvements +------------ +- add compatibility with (future) libknot 2.9 + + +Knot Resolver 4.2.0 (2019-08-05) +================================ + +Improvements +------------ +- queries without RD bit set are REFUSED by default (!838) +- support forwarding to multiple targets (!825) + +Bugfixes +-------- +- tls_client: fix issue with TLS session resumption (#489) +- rebinding module: fix another false-positive assertion case (!851) + +Module API changes +------------------ +- kr_request::add_selected is now really put into answer, + instead of the "duplicate" ::additional field (#490) + + +Knot Resolver 4.1.0 (2019-07-10) +================================ + +Security +-------- +- fix CVE-2019-10190: do not pass bogus negative answer to client (!827) +- fix CVE-2019-10191: do not cache negative answer with forged QNAME+QTYPE (!839) + +Improvements +------------ +- new cache garbage collector is available and enabled by default (#257) + This improves cache efficiency on big installations. +- DNS-over-HTTPS: unknown HTTP parameters are ignored to improve compatibility + with non-standard clients (!832) +- DNS-over-HTTPS: answers include `access-control-allow-origin: *` (!823) + which allows JavaScript to use DoH endpoint. +- http module: support named AF_UNIX stream sockets (again) +- aggressive caching is disabled on minimal NSEC* ranges (!826) + This improves cache effectivity with DNSSEC black lies and also accidentally + works around bug in proofs-of-nonexistence from F5 BIG-IP load-balancers. 
+- aarch64 support, even kernels with ARM64_VA_BITS >= 48 (#216, !797) + This is done by working around a LuaJIT incompatibility. Please report bugs. +- lua tables for C modules are more strict by default, e.g. `nsid.foo` + will throw an error instead of returning `nil` (!797) +- systemd: basic watchdog is now available and enabled by default (#275) + +Bugfixes +-------- +- TCP to upstream: fix unlikely case of sending out wrong message length (!816) +- http module: fix problems around maintenance of ephemeral certs (!819) +- http module: also send intermediate TLS certificate to clients, + if available and luaossl >= 20181207 (!819) +- send EDNS with SERVFAILs, e.g. on validation failures (#180, !827) +- prefill module: avoid crash on empty zone file (#474, !840) +- rebinding module: avoid excessive iteration on blocked attempts (!842) +- rebinding module: fix crash caused by race condition (!842) +- rebinding module: log each blocked query only in verbose mode (!842) +- cache: automatically clear stale reader locks (!844) + + +Module API changes +------------------ +- lua modules may omit casting parameters of layer functions (!797) + + +Knot Resolver 4.0.0 (2019-04-18) +================================ + +Incompatible changes +-------------------- +- see upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html +- configuration: trust_anchors aliases .file, .config() and .negative were removed (!788) +- configuration: trust_anchors.keyfile_default is no longer accessible (!788) +- daemon: -k/--keyfile and -K/--keyfile-ro options were removed +- meson build system is now used for builds (!771) +- build with embedded LMBD is no longer supported +- default modules dir location has changed +- DNSSEC is enabled by default +- upstream packages for Debian now require systemd +- libknot >= 2.8 is required +- net.list() output format changed (#448) +- net.listen() reports error when address-port pair is in use +- bind to DNS-over-TLS port by default 
(!792) +- stop versioning libkres library +- default port for web management and APIs changed to 8453 + +Improvements +------------ +- policy.TLS_FORWARD: if hostname is configured, send it on wire (!762) +- hints module: allow configuring the TTL and change default from 0 to 5s +- policy module: policy.rpz() will watch the file for changes by default +- packaging: lua cqueues added to default dependencies where available +- systemd: service is no longer auto-restarted on configuration errors +- always send DO+CD flags upstream, even in insecure zones (#153) +- cache.stats() output is completely new; see docs (!775) +- improve usability of table_print() (!790, !801) +- add DNS-over-HTTPS support (#280) +- docker image supports and exposes DNS-over-HTTPS + +Bugfixes +-------- +- predict module: load stats module if config didn't specify period (!755) +- trust_anchors: don't do 5011-style updates on anchors from files + that were loaded as unmanaged trust anchors (!753) +- trust_anchors.add(): include these TAs in .summary() (!753) +- policy module: support '#' for separating port numbers, for consistency +- fix startup on macOS+BSD when </dev/null and cqueues installed +- policy.RPZ: log problems from zone-file level of parser as well (#453) +- fix flushing of messages to logs in some cases (notably systemd) (!781) +- fix fallback when SERVFAIL or REFUSED is received from upstream (!784) +- fix crash when dealing with unknown TA key algorithm (#449) +- go insecure due to algorithm support even if DNSKEY is NODATA (!798) +- fix mac addresses in the output of net.interfaces() command (!804) +- http module: fix too early renewal of ephemeral certificates (!808) + +Module API changes +------------------ +- kr_straddr_split() changed API a bit (compiler will catch that) +- C modules defining `*_layer` or `*_props` symbols need to change a bit + See the upgrading guide for details. It's detected on module load. 
+ + +Knot Resolver 3.2.1 (2019-01-10) +================================ + +Bugfixes +-------- +- trust_anchors: respect validity time range during TA bootstrap (!748) +- fix TLS rehandshake handling (!739) +- make TLS_FORWARD compatible with GnuTLS 3.3 (!741) +- special thanks to Grigorii Demidov for his long-term work on Knot Resolver! + +Improvements +------------ +- improve handling of timed out outgoing TCP connections (!734) +- trust_anchors: check syntax of public keys in DNSKEY RRs (!748) +- validator: clarify message about bogus non-authoritative data (!735) +- dnssec validation failures contain more verbose reasoning (!735) +- new function trust_anchors.summary() describes state of DNSSEC TAs (!737), + and logs new state of trust anchors after start up and automatic changes +- trust anchors: refuse revoked DNSKEY even if specified explicitly, + and downgrade missing the SEP bit to a warning + + +Knot Resolver 3.2.0 (2018-12-17) +================================ + +New features +------------ +- module edns_keepalive to implement server side of RFC 7828 (#408) +- module nsid to implement server side of RFC 5001 (#289) +- module bogus_log provides .frequent() table (!629, credit Ulrich Wisser) +- module stats collects flags from answer messages (!629, credit Ulrich Wisser) +- module view supports multiple rules with identical address/TSIG specification + and keeps trying rules until a "non-chain" action is executed (!678) +- module experimental_dot_auth implements an DNS-over-TLS to auth protocol + (!711, credit Manu Bretelle) +- net.bpf bindings allow advanced users to use eBPF socket filters + +Bugfixes +-------- +- http module: only run prometheus in parent process if using --forks=N, + as the submodule collects metrics from all sub-processes as well. 
+- TLS fixes for corner cases (!700, !714, !716, !721, !728) +- fix build with -DNOVERBOSELOG (#424) +- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710) +- avoid SERVFAILs due to certain kind of NS dependency cycles, again + (#374) this time seen as 'circular dependency' in verbose logs +- policy and view modules do not overwrite result finished requests (!678) + +Improvements +------------ +- Dockerfile: rework, basing on Debian instead of Alpine +- policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6 + when choosing whom to ask, just as for iteration +- use pseudo-randomness from gnutls instead of internal ISAAC (#233) +- tune the way we deal with non-responsive servers (!716, !723) +- documentation clarifies interaction between policy and view modules (!678, !730) + +Module API changes +------------------ +- new layer is added: answer_finalize +- kr_request keeps ::qsource.packet beyond the begin layer +- kr_request::qsource.tcp renamed to ::qsource.flags.tcp +- kr_request::has_tls renamed to ::qsource.flags.tls +- kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly + + +Knot Resolver 3.1.0 (2018-11-02) +================================ + +Incompatible changes +-------------------- +- hints.use_nodata(true) by default; that's what most users want +- libknot >= 2.7.2 is required + +Improvements +------------ +- cache: handle out-of-space SIGBUS slightly better (#197) +- daemon: improve TCP timeout handling (!686) + +Bugfixes +-------- +- cache.clear('name'): fix some edge cases in API (#401) +- fix error handling from TLS writes (!669) +- avoid SERVFAILs due to certain kind of NS dependency cycles (#374) + + +Knot Resolver 3.0.0 (2018-08-20) +================================ + +Incompatible changes +-------------------- +- cache: fail lua operations if cache isn't open yet (!639) + By default cache is opened *after* reading the configuration, + and older versions were silently ignoring cache operations. 
+ Valid configuration must open cache using `cache.open()` or `cache.size =` + before executing cache operations like `cache.clear()`. +- libknot >= 2.7.1 is required, which brings also larger API changes +- in case you wrote custom Lua modules, please consult + https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-changes-since-3-0-0 +- in case you wrote custom C modules, please see compile against + Knot DNS 2.7 and adjust your module according to messages from C compiler +- DNS cookie module (RFC 7873) is not available in this release, + it will be later reworked to reflect development in IEFT dnsop working group +- version module was permanently removed because it was not really used by users; + if you want to receive notifications about new releases please subscribe to + https://lists.nic.cz/postorius/lists/knot-resolver-announce.lists.nic.cz/ + +Bugfixes +-------- +- fix multi-process race condition in trust anchor maintenance (!643) +- ta_sentinel: also consider static trust anchors not managed via RFC 5011 + +Improvements +------------ +- reorder_RR() implementation is brought back +- bring in performance improvements provided by libknot 2.7 +- cache.clear() has a new, more powerful API +- cache documentation was improved +- old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver" + to prevent confusion with "Knot DNS" authoritative server + + +Knot Resolver 2.4.1 (2018-08-02) +================================ + +Security +-------- +- fix CVE-2018-10920: Improper input validation bug in DNS resolver component + (security!7, security!9) + +Bugfixes +-------- +- cache: fix TTL overflow in packet due to min_ttl (#388, security!8) +- TLS session resumption: avoid bad scheduling of rotation (#385) +- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632) +- cache: NSEC3 negative cache even without NS record (#384) + This fixes lower hit rate in NSEC3 zones (since 2.4.0). 
+- minor TCP and TLS fixes (!623, !624, !626) + + +Knot Resolver 2.4.0 (2018-07-03) +================================ + +Incompatible changes +-------------------- +- minimal libknot version is now 2.6.7 to pull in latest fixes (#366) + +Security +-------- +- fix a rare case of zones incorrectly downgraded to insecure status (!576) + +New features +------------ +- TLS session resumption (RFC 5077), both server and client (!585, #105) + (disabled when compiling with gnutls < 3.5) +- TLS_FORWARD policy uses system CA certificate store by default (!568) +- aggressive caching for NSEC3 zones (!600) +- optional protection from DNS Rebinding attack (module rebinding, !608) +- module bogus_log to log DNSSEC bogus queries without verbose logging (!613) + +Bugfixes +-------- +- prefill: fix ability to read certificate bundle (!578) +- avoid turning off qname minimization in some cases, e.g. co.uk. (#339) +- fix validation of explicit wildcard queries (#274) +- dns64 module: more properties from the RFC implemented (incl. bug #375) + +Improvements +------------ +- systemd: multiple enabled kresd instances can now be started using kresd.target +- ta_sentinel: switch to version 14 of the RFC draft (!596) +- support for glibc systems with a non-Linux kernel (!588) +- support per-request variables for Lua modules (!533) +- support custom HTTP endpoints for Lua modules (!527) + + +Knot Resolver 2.3.0 (2018-04-23) +================================ + +Security +-------- +- fix CVE-2018-1110: denial of service triggered by malformed DNS messages + (!550, !558, security!2, security!4) +- increase resilience against slow lorris attack (security!5) + +New features +------------ +- new policy.REFUSE to reply REFUSED to clients + +Bugfixes +-------- +- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538) +- validation: fix SERVFAIL for DS . 
query (!544) +- lib/resolve: don't send unnecessary queries to parent zone (!513) +- iterate: fix validation for zones where parent and child share NS (!543) +- TLS: improve error handling and documentation (!536, !555, !559) + +Improvements +------------ +- prefill: new module to periodically import root zone into cache + (replacement for RFC 7706, !511) +- network_listen_fd: always create end point for supervisor supplied file descriptor +- use CPPFLAGS build environment variable if set (!547) + + +Knot Resolver 2.2.0 (2018-03-28) +================================ + +New features +------------ +- cache server unavailability to prevent flooding unreachable servers + (Please note that caching algorithm needs further optimization + and will change in further versions but we need to gather operational + experience first.) + +Bugfixes +-------- +- don't magically -D_FORTIFY_SOURCE=2 in some cases +- allow large responses for outbound over TCP +- fix crash with RR sets with over 255 records + + +Knot Resolver 2.1.1 (2018-02-23) +================================ + +Bugfixes +-------- +- when iterating, avoid unnecessary queries for NS in insecure parent. + This problem worsened in 2.0.0. (#246) +- prevent UDP packet leaks when using TLS forwarding +- fix the hints module also on some other systems, e.g. Gentoo. 
+ + +Knot Resolver 2.1.0 (2018-02-16) +================================ + +Incompatible changes +-------------------- +- stats: remove tracking of expiring records (predict uses another way) +- systemd: re-use a single kresd.socket and kresd-tls.socket +- ta_sentinel: implement protocol draft-ietf-dnsop-kskroll-sentinel-01 + (our draft-ietf-dnsop-kskroll-sentinel-00 implementation had inverted logic) +- libknot: require version 2.6.4 or newer to get bugfixes for DNS-over-TLS + +Bugfixes +-------- +- detect_time_jump module: don't clear cache on suspend-resume (#284) +- stats module: fix stats.list() returning nothing, regressed in 2.0.0 +- policy.TLS_FORWARD: refusal when configuring with multiple IPs (#306) +- cache: fix broken refresh of insecure records that were about to expire +- fix the hints module on some systems, e.g. Fedora (came back on 2.0.0) +- build with older gnutls (conditionally disable features) +- fix the predict module to work with insecure records & cleanup code + + +Knot Resolver 2.0.0 (2018-01-31) +================================ + +Incompatible changes +-------------------- +- systemd: change unit files to allow running multiple instances, + deployments with single instance now must use `kresd@1.service` + instead of `kresd.service`; see kresd.systemd(7) for details +- systemd: the directory for cache is now /var/cache/knot-resolver +- unify default directory and user to `knot-resolver` +- directory with trust anchor file specified by -k option must be writeable +- policy module is now loaded by default to enforce RFC 6761; + see documentation for policy.PASS if you use locally-served DNS zones +- drop support for alternative cache backends memcached, redis, + and for Lua bindings for some specific cache operations +- REORDER_RR option is not implemented (temporarily) + +New features +------------ +- aggressive caching of validated records (RFC 8198) for NSEC zones; + thanks to ICANN for sponsoring this work. 
+- forwarding over TLS, authenticated by SPKI pin or certificate. + policy.TLS_FORWARD pipelines queries out-of-order over shared TLS connection + Beware: Some resolvers do not support out-of-order query processing. + TLS forwarding to such resolvers will lead to slower resolution or failures. +- trust anchors: you may specify a read-only file via -K or --keyfile-ro +- trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only) +- ta_sentinel module implements draft ietf-dnsop-kskroll-sentinel-00, + enabled by default +- serve_stale module is prototype, subject to change +- extended API for Lua modules + +Bugfixes +-------- +- fix build on osx - regressed in 1.5.3 (different linker option name) + + +Knot Resolver 1.5.3 (2018-01-23) +================================ + +Bugfixes +-------- +- fix the hints module on some systems, e.g. Fedora. + Symptom: `undefined symbol: engine_hint_root_file` + + +Knot Resolver 1.5.2 (2018-01-22) +================================ + +Security +-------- +- fix CVE-2018-1000002: insufficient DNSSEC validation, allowing + attackers to deny existence of some data by forging packets. + Some combinations pointed out in RFC 6840 sections 4.1 and 4.3 + were not taken into account. 
+ +Bugfixes +-------- +- memcached: fix fallout from module rename in 1.5.1 + + +Knot Resolver 1.5.1 (2017-12-12) +================================ + +Incompatible changes +-------------------- +- script supervisor.py was removed, please migrate to a real process manager +- module ketcd was renamed to etcd for consistency +- module kmemcached was renamed to memcached for consistency + +Bugfixes +-------- +- fix SIGPIPE crashes (#271) +- tests: work around out-of-space for platforms with larger memory pages +- lua: fix mistakes in bindings affecting 1.4.0 and 1.5.0 (and 1.99.1-alpha), + potentially causing problems in dns64 and workarounds modules +- predict module: various fixes (!399) + +Improvements +------------ +- add priming module to implement RFC 8109, enabled by default (#220) +- add modules helping with system time problems, enabled by default; + for details see documentation of detect_time_skew and detect_time_jump + + +Knot Resolver 1.5.0 (2017-11-02) +================================ + +Bugfixes +-------- +- fix loading modules on Darwin + +Improvements +------------ +- new module ta_signal_query supporting Signaling Trust Anchor Knowledge + using Keytag Query (RFC 8145 section 5); it is enabled by default +- attempt validation for more records but require it for fewer of them + (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs) + + +Knot Resolver 1.99.1-alpha (2017-10-26) +======================================= +This is an experimental release meant for testing aggressive caching. +It contains some regressions and might (theoretically) be even vulnerable. +The current focus is to minimize queries into the root zone. 
+ +Improvements +------------ +- negative answers from validated NSEC (NXDOMAIN, NODATA) +- verbose log is very chatty around cache operations (maybe too much) + +Regressions +----------- +- dropped support for alternative cache backends + and for some specific cache operations +- caching doesn't yet work for various cases: + * negative answers without NSEC (i.e. with NSEC3 or insecure) + * +cd queries (needs other internal changes) + * positive wildcard answers +- spurious SERVFAIL on specific combinations of cached records, printing: + <= bad keys, broken trust chain +- make check +- a few Deckard tests are broken, probably due to some problems above +- also unknown ones? + + + +Knot Resolver 1.4.0 (2017-09-22) +================================ + +Incompatible changes +-------------------- +- lua: query flag-sets are no longer represented as plain integers. + kres.query.* no longer works, and kr_query_t lost trivial methods + 'hasflag' and 'resolved'. + You can instead write code like qry.flags.NO_0X20 = true. + +Bugfixes +-------- +- fix exiting one of multiple forks (#150) +- cache: change the way of using LMDB transactions. That in particular + fixes some cases of using too much space with multiple kresd forks (#240). + +Improvements +------------ +- policy.suffix: update the aho-corasick code (#200) +- root hints are now loaded from a zonefile; exposed as hints.root_file(). + You can override the path by defining ROOTHINTS during compilation. +- policy.FORWARD: work around resolvers adding unsigned NS records (#248) +- reduce unneeded records previously put into authority in wildcarded answers + + +Knot Resolver 1.3.3 (2017-08-09) +================================ + +Security +-------- +- Fix a critical DNSSEC flaw. Signatures might be accepted as valid + even if the signed data was not in bailiwick of the DNSKEY used to + sign it, assuming the trust chain to that DNSKEY was valid. 
+ +Bugfixes +-------- +- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL +- utils: fix possible incorrect seeding of the random generator +- modules/http: fix compatibility with the Prometheus text format + +Improvements +------------ +- policy: implement remaining special-use domain names from RFC6761 (#205), + and make these rules apply only if no other non-chain rule applies + + +Knot Resolver 1.3.2 (2017-07-28) +================================ + +Security +-------- +- fix possible opportunities to use insecure data from cache as keys + for validation + +Bugfixes +-------- +- daemon: check existence of config file even if rundir isn't specified +- policy.FORWARD and STUB: use RTT tracking to choose servers (#125, #208) +- dns64: fix CNAME problems (#203) It still won't work with policy.STUB. +- hints: better interpretation of hosts-like files (#204) + also, error out if a bad entry is encountered in the file +- dnssec: handle unknown DNSKEY/DS algorithms (#210) +- predict: fix the module, broken since 1.2.0 (#154) + +Improvements +------------ +- embedded LMDB fallback: update 0.9.18 -> 0.9.21 + + +Knot Resolver 1.3.1 (2017-06-23) +================================ + +Bugfixes +-------- +- modules/http: fix finding the static files (bug from 1.3.0) +- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts + + +Knot Resolver 1.3.0 (2017-06-13) +================================ + +Security +-------- +- Refactor handling of AD flag and security status of resource records. + In some cases it was possible for secure domains to get cached as + insecure, even for a TLD, leading to disabled validation. + It also fixes answering with non-authoritative data about nameservers. + +Improvements +------------ +- major feature: support for forwarding with validation (#112). + The old policy.FORWARD action now does that; the previous non-validating + mode is still available as policy.STUB except that also uses caching (#122). 
+- command line: specify ports via @ but still support # for compatibility +- policy: recognize 100.64.0.0/10 as local addresses +- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily + retry with other NSs while avoiding retrying with those who REFUSED +- modules: allow changing the directory where modules are found, + and do not search the default library path anymore. + +Bugfixes +-------- +- validate: fix insufficient caching for some cases (relatively rare) +- avoid putting "duplicate" record-sets into the answer (#198) + + +Knot Resolver 1.2.6 (2017-04-24) +================================ + +Security +-------- +- dnssec: don't set AD flag for NODATA answers if wildcard non-existence + is not guaranteed due to opt-out in NSEC3 + +Improvements +------------ +- layer/iterate: don't retry repeatedly if REFUSED + +Bugfixes +-------- +- lib/nsrep: revert some changes to NS reputation tracking that caused + severe problems to some users of 1.2.5 (#178 and #179) +- dnssec: fix verification of wildcarded non-singleton RRsets +- dnssec: allow wildcards located directly under the root +- layer/rrcache: avoid putting answer records into queries in some cases + + +Knot Resolver 1.2.5 (2017-04-05) +================================ + +Security +-------- +- layer/validate: clear AD if closest encloser proof has opt-outed + NSEC3 (#169) +- layer/validate: check if NSEC3 records in wildcard expansion proof + has an opt-out +- dnssec/nsec: missed wildcard no-data answers validation has been + implemented + +Improvements +------------ +- modules/dnstap: a DNSTAP support module + (Contributed by Vicky Shrestha) +- modules/workarounds: a module adding workarounds for known + DNS protocol violators +- layer/iterate: fix logging of glue addresses +- kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view + and renumber modules. 
+- modules/padding: Improve default padding of responses + (Contributed by Daniel Kahn Gillmor) +- New kresc client utility (experimental; don't rely on the API yet) + +Bugfixes +-------- +- trust anchors: Improve trust anchors storage format (#167) +- trust anchors: support non-root TAs, one domain per file +- policy.DENY: set AA flag and clear AD flag +- lib/resolve: avoid unnecessary DS queries +- lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timed out +- layer/iterate: During packet classification (answer vs. referral) + don't analyze AUTHORITY section in authoritative answer if ANSWER + section contains records that have been requested + + +Knot Resolver 1.2.4 (2017-03-09) +================================ + +Security +-------- +- Knot Resolver 1.2.0 and higher could return AD flag for insecure + answer if the daemon received answer with invalid RRSIG several + times in a row. + +Improvements +------------ +- modules/policy: allow QTRACE policy to be chained with other + policies +- hints.add_hosts(path): a new property +- module: document the API and simplify the code +- policy.MIRROR: support IPv6 link-local addresses +- policy.FORWARD: support IPv6 link-local addresses +- add net.outgoing_{v4,v6} to allow specifying address to use for + connections + +Bugfixes +-------- +- layer/iterate: some improvements in cname chain unrolling +- layer/validate: fix duplicate records in AUTHORITY section in case + of WC expansion proof +- lua: do *not* truncate cache size to unsigned +- forwarding mode: correctly forward +cd flag +- fix a potential memory leak +- don't treat answers that contain DS non-existence proof as insecure +- don't store NSEC3 and their signatures in the cache +- layer/iterate: when processing delegations, check if qname is at or + below new authority + + +Knot Resolver 1.2.3 (2017-02-23) +================================ + +Bugfixes +-------- +- Disable storing GLUE records into the cache even in the + (non-default) QUERY_PERMISSIVE 
mode +- iterate: skip answer RRs that don't match the query +- layer/iterate: some additional processing for referrals +- lib/resolve: zonecut fetching error was fixed + + +Knot Resolver 1.2.2 (2017-02-10) +================================ + +Bugfixes: +--------- +- Fix -k argument processing to avoid out-of-bounds memory accesses +- lib/resolve: fix zonecut fetching for explicit DS queries +- hints: more NULL checks +- Fix TA bootstrapping for multiple TAs in the IANA XML file + +Testing: +-------- +- Update tests to run tests with and without QNAME minimization + + +Knot Resolver 1.2.1 (2017-02-01) +==================================== + +Security: +--------- +- Under certain conditions, a cached negative answer from a CD query + would be reused to construct response for non-CD queries, resulting + in Insecure status instead of Bogus. Only 1.2.0 release was affected. + +Documentation +------------- +- Update the typo in the documentation: The query trace policy is + named policy.QTRACE (and not policy.TRACE) + +Bugfixes: +--------- +- lua: make the map command check its arguments + + +Knot Resolver 1.2.0 (2017-01-24) +==================================== + +Security: +--------- +- In a policy.FORWARD() mode, the AD flag was being always set by mistake. + It is now cleared, as the policy.FORWARD() doesn't do DNSSEC validation yet. + +Improvements: +------------- +- The DNSSEC Validation has been refactored, fixing many resolving + failures. +- Add module `version` that checks for updates and CVEs periodically. +- Support RFC7830: EDNS(0) padding in responses over TLS. +- Support CD flag on incoming requests. +- hints module: previously /etc/hosts was loaded by default, but not anymore. + Users can now actually avoid loading any file. +- DNS over TLS now creates ephemeral certs. +- Configurable cache.{min,max}_ttl option, with max_ttl defaulting to 6 days. +- Option to reorder RRs in the response. 
+- New policy.QTRACE policy to print packet contents + +Bugfixes: +--------- +- Trust Anchor configuration is now more robust. +- Correctly answer NOTIMPL for meta-types and non-IN RR classes. +- Free TCP buffer on cancelled connection. +- Fix crash in hints module on empty hints file, and fix non-lowercase hints. + +Miscellaneous: +-------------- +- It now requires knot >= 2.3.1 to link successfully. +- The API+ABI for modules changed slightly. +- New LRU implementation. + + +Knot Resolver 1.1.1 (2016-08-24) +================================ + +Bugfixes: +--------- + - Fix 0x20 randomization with retransmit + - Fix pass-through for the stub mode + - Fix the root hints IPv6 addresses + - Fix dst addr for retries over TCP + +Improvements: +------------- + - Track RTT of all tried servers for faster retransmit + - DAF: Allow forwarding to custom port + - systemd: Read EnvironmentFile and user $KRESD_ARGS + - systemd: Update systemd units to be named after daemon + + +Knot Resolver 1.1.0 (2016-08-12) +================================ + +Improvements: +------------- + - RFC7873 DNS Cookies + - RFC7858 DNS over TLS + - HTTP/2 web interface, RESTful API + - Metrics exported in Prometheus + - DNS firewall module + - Explicit CNAME target fetching in strict mode + - Query minimisation improvements + - Improved integration with systemd + + +Knot Resolver 1.0.0 (2016-05-30) +================================ + +Initial release: +---------------- + - The first initial release |
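Review bot: several typos in the added NEWS text will ship to users as-is and should be fixed before merging; in the 3.0.0 incompatible-changes entry on the DNS cookie module, "IEFT dnsop working group" should read "IETF dnsop working group", in the 2.3.0 security entry "slow lorris attack" should be "slowloris attack", and in the 2.0.0 new-features entry "draft ietf-dnsop-kskroll-sentinel-00" is missing its first hyphen ("draft-ietf-dnsop-kskroll-sentinel-00", matching the 2.1.0 entry). The 3.0.0 line "in case you wrote custom C modules, please see compile against Knot DNS 2.7" reads as a fragment; suggest "please compile against Knot DNS 2.7 and adjust your module according to messages from the C compiler". Heading style is also inconsistent across releases: entries from 1.2.3 back use "Bugfixes:" / "Security:" / "Improvements:" with a trailing colon while newer entries drop it, and the "Knot Resolver 1.2.1" and "Knot Resolver 1.2.0" underlines are four characters longer than their titles; since this file is likely rendered as reStructuredText, the underline length mismatch and mixed colons are worth normalizing to the style used by the newer entries.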