author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 15:26:00 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 15:26:00 +0000
commit: 830407e88f9d40d954356c3754f2647f91d5c06a (patch)
tree: d6a0ece6feea91f3c656166dbaa884ef8a29740e /NEWS
parent: Initial commit. (diff)
download: knot-resolver-830407e88f9d40d954356c3754f2647f91d5c06a.tar.xz, knot-resolver-830407e88f9d40d954356c3754f2647f91d5c06a.zip

Adding upstream version 5.6.0. (upstream/5.6.0, upstream)

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

Diffstat (limited to ''):
-rw-r--r-- NEWS | 1305
1 files changed, 1305 insertions, 0 deletions
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..45078d3
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,1305 @@
+Knot Resolver 5.6.0 (2023-01-26)
+================================
+
+Security
+--------
+- avoid excessive TCP reconnections in some cases (!1380)
+ For example, a DNS server that just closes connections without answer
+ could cause lots of work for the resolver (and itself, too).
+ The number of connections could be up to around 100 per client's query.
+
+ We thank Xiang Li from NISL Lab, Tsinghua University,
+ and Xuesong Bai and Qifan Zhang from DSP Lab, UCI.
+
+Improvements
+------------
+- daemon: feed server selection with more kinds of bad-answer events (!1380)
+- cache.max_ttl(): lower the default from six days to one day
+ and apply both limits to the first uncached answer already (!1323 #127)
+- depend on jemalloc, preferably, to improve memory usage (!1353)
+- no longer accept DNS messages with trailing data (!1365)
+- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
+- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)
+
+Bugfixes
+--------
+- policy.DEBUG_IF: don't print client's packet unconditionally (!1366)
+
+
+Knot Resolver 5.5.3 (2022-09-21)
+================================
+
+Security
+--------
+- fix CPU-expensive DoS by malicious domains - CVE-2022-40188
+
+Improvements
+------------
+- fix config_tests on macOS (both HW variants)
+
+
+Knot Resolver 5.5.2 (2022-08-16)
+================================
+
+Improvements
+------------
+- support libknot 3.2 (!1309)
+- priming module: hide failures from the default log level (!1310)
+- reduce memory usage in some cases (!1328)
+
+Bugfixes
+--------
+- daemon/http: improve URI checks to fix some proxies (#746, !1311)
+- daemon/tls: fix a double-free for some cases of policy.TLS_FORWARD (!1314)
+- hints module: improve parsing comments in hosts files (!1315)
+- renumber module: fix renumbering with name matching again (#760, !1334)
+
+
+Knot Resolver 5.5.1 (2022-06-14)
+================================
+
+Improvements
+------------
+- daemon/tls: disable TLS resumption via tickets for TLS <= 1.2 (#742, !1295)
+- daemon/http: DoH now responds with proper HTTP codes (#728, !1279)
+- renumber module: allow rewriting subnet to a single IP (!1302)
+- renumber module: allow arbitrary netmask (!1306)
+- nameserver selection algorithm: improve IPv6 avoidance if broken (!1298)
+
+Bugfixes
+--------
+- modules/dns64: fix incorrect packet writes for cached packets (#727, !1275)
+- xdp: make it work also with libknot 3.1 (#735, !1276)
+- prefill module: fix lockup when starting multiple idle instances (!1285)
+- validator: fix some failing negative NSEC proofs (!1294, #738, #443)
+
+
+Knot Resolver 5.5.0 (2022-03-15)
+================================
+
+Improvements
+------------
+- extended_errors: module for extended DNS error support, RFC8914 (!1234)
+- policy: log policy actions; useful for RPZ debugging (!1239)
+- policy: new action policy.IPTRACE for logging request origin (!1239)
+- prefill module: prepare for ZONEMD, improve performance (!1225)
+- validator: conditionally ignore SHA1 DS, as SHOULD by RFC4509 (!1251)
+- lib/resolve: use EDNS padding for outgoing TLS queries (!1254)
+- support for PROXYv2 protocol (!1238)
+- lib/resolve, policy: new NO_ANSWER flag for not responding to clients (!1257)
+
+Incompatible changes
+--------------------
+- libknot >= 3.0.2 is required
+
+Bugfixes
+--------
+- doh2: fix CORS by adding `access-control-allow-origin: *` (!1246)
+- net: fix listen by interface - add interface suffix to link-local IPv6 (!1253)
+- daemon/tls: fix resumption for outgoing TLS (e.g. TLS_FORWARD) (!1261)
+- nameserver selection: fix interaction of timeouts with reboots (#722, !1269)
+
+
+Knot Resolver 5.4.4 (2022-01-05)
+================================
+
+Bugfixes
+--------
+- fix bad zone cut update in certain cases (e.g. AWS; !1237)
+
+
+Knot Resolver 5.4.3 (2021-12-01)
+================================
+
+Improvements
+------------
+- lua: add kres.parse_rdata() to parse RDATA from string to wire format (!1233)
+- lua: add policy.domains() for exact domain name matching (!1228)
+
+Bugfixes
+--------
+- policy.rpz: fix origin detection in files without $ORIGIN (!1215)
+- lua: log() works again; broken in 5.4.2 (!1223)
+- policy: correctly include EDNS0 previously omitted by some actions (!1230)
+- edns_keepalive: module is now properly loaded (!1229, thanks Josh Soref!)
+
+
+Knot Resolver 5.4.2 (2021-10-13)
+================================
+
+Improvements
+------------
+- dns64 module: also map the reverse (PTR) subtree (#478, !1201)
+- dns64 module: allow disabling based on client address (#368, !1201)
+- dns64 module: allow configuring AAAA subnets not allowed in answer (!1201)
+- nameserver selection algorithm: improve IPv6 avoidance if broken (!1207)
+
+Bugfixes
+--------
+- lua: log() output is visible with default log level again (!1208)
+- build: fix when knot-dns headers are on non-standard location (!1210)
+
+
+Knot Resolver 5.4.1 (2021-08-19)
+================================
+
+Improvements
+------------
+- docker: base image on Debian 11 (!1203)
+
+Bugfixes
+--------
+- fix build without doh2 support after 5.4.0 (!1197)
+- fix policy.DEBUG* logging and -V/--version after 5.4.0 (!1199)
+- doh2: ensure memory from unsent streams is freed (!1202)
+
+
+Knot Resolver 5.4.0 (2021-07-29)
+================================
+
+Improvements
+------------
+- fine grained logging and syslog support (!1181)
+- expose HTTP headers for processing DoH requests (!1165)
+- improve assertion mechanism for debugging (!1146)
+- support apkg tool for packaging workflow (!1178)
+- support Knot DNS 3.1 (!1192, !1194)
+
+Bugfixes
+--------
+- trust_anchors.set_insecure: improve precision (#673, !1177)
+- plug memory leaks related to TCP (!1182)
+- policy.FLAGS: fix not applying properly in edge cases (!1179)
+- fix a crash with older libuv inside timer processing (!1195)
+
+Incompatible changes
+--------------------
+- see upgrading guide:
+ https://knot-resolver.readthedocs.io/en/stable/upgrading.html#to-5-4
+- legacy DoH implementation configuration in net.listen() was renamed from
+ kind="doh" to kind="doh_legacy" (!1180)
+
+
+Knot Resolver 5.3.2 (2021-05-05)
+================================
+
+Security
+--------
+- validator: fix 5.3.1 regression on over-limit NSEC3 edge case (!1169)
+ Assertion might be triggered by query/answer, potentially DoS.
+ CVE-2021-40083 was later assigned.
+
+Improvements
+------------
+- cache: improve handling write errors from LMDB (!1159)
+- doh2: improve handling of stream errors (!1164)
+
+Bugfixes
+--------
+- dnstap module: fix repeated configuration (!1168)
+- validator: fix SERVFAIL for some rare dynamic proofs (!1166)
+- fix SIGBUS on uncommon ARM machines (unaligned access; !1167, #426)
+- cache: better resilience on abnormal termination/restarts (!1172)
+- doh2: fix memleak on stream write failures (!1161)
+
+
+Knot Resolver 5.3.1 (2021-03-31)
+================================
+
+Improvements
+------------
+- policy.STUB: try to avoid TCP (compared to 5.3.0; !1155)
+- validator: downgrade NSEC3 records with too many iterations (>150; !1160)
+- additional improvements to nameserver selection algorithm (!1154, !1150)
+
+Bugfixes
+--------
+- dnstap module: don't break request resolution on dnstap errors (!1147)
+- cache garbage collector: fix crashes introduced in 5.3.0 (!1153)
+- policy.TLS_FORWARD: better avoid dead addresses (#671, !1156)
+
+
+Knot Resolver 5.3.0 (2021-02-25)
+================================
+
+Improvements
+------------
+- more consistency in using parent-side records for NS addresses (!1097)
+- better algorithm for choosing nameservers (!1030, !1126, !1140, !1141, !1143)
+- daf module: add daf.clear() (!1114)
+- dnstap module: more features and don't log internal requests (!1103)
+- dnstap module: include in upstream packages and Docker image (!1110, !1118)
+- randomize record order by default, i.e. reorder_RR(true) (!1124)
+- prometheus module: transform graphite tags into prometheus labels (!1109)
+- avoid excessive logging of UDP replies with sendmmsg (!1138)
+
+Bugfixes
+--------
+- view: fail config if bad subnet is specified (!1112)
+- doh2: fix memory leak (!1117)
+- policy.ANSWER: minor fixes, mainly around NODATA answers (!1129)
+- http, watchdog modules: fix stability problems (!1136)
+
+Incompatible changes
+--------------------
+- dnstap module: `log_responses` option gets nested under `client`;
+ see new docs for config example (!1103)
+- libknot >= 2.9 is required
+
+
+Knot Resolver 5.2.1 (2020-12-09)
+================================
+
+Improvements
+------------
+- doh2: send Cache-Control header with TTL (#617, !1095)
+
+Bugfixes
+--------
+- fix map() command on 32-bit platforms; regressed in 5.2.0 (!1093)
+- doh2: restrict endpoints to doh and dns-query (#636, !1104)
+- renumber: map to correct subnet when using multiple rules (!1107)
+
+
+Knot Resolver 5.2.0 (2020-11-11)
+================================
+
+Improvements
+------------
+- doh2: add native C module for DNS-over-HTTPS (#600, !997)
+- xdp: add server-side XDP support for higher UDP performance (#533, !1083)
+- lower default EDNS buffer size to 1232 bytes (#538, #300, !920);
+ see https://www.dnsflagday.net/2020/
+- net: split the EDNS buffer size into upstream and downstream (!1026)
+- lua-http doh: answer to /dns-query endpoint as well as /doh (!1069)
+- improve resiliency against UDP fragmentation attacks (disable PMTUD) (!1061)
+- ta_update: warn if there are differences between statically configured
+ keys and upstream (#251, !1051)
+- human readable output in interactive mode was improved
+- doc: generate info page (!1079)
+- packaging: improve sysusers and tmpfiles support (!1080)
+
+Bugfixes
+--------
+- avoid an assert() error in stash_rrset() (!1072)
+- fix emergency cache locking bug introduced in 5.1.3 (!1078)
+- migrate map() command to control sockets; fix systemd integration (!1000)
+- fix crash when sending back errors over control socket (!1000)
+- fix SERVFAIL while processing forwarded CNAME to a sibling zone (#614, !1070)
+
+Incompatible changes
+--------------------
+- see upgrading guide:
+ https://knot-resolver.readthedocs.io/en/stable/upgrading.html#to-5-2
+- minor changes in module API
+- control socket API commands have to be terminated by "\n"
+- graphite: default prefix now contains instance identifier (!1000)
+- build: meson >= 0.49 is required (!1082)
+
+
+Knot Resolver 5.1.3 (2020-09-08)
+================================
+
+Improvements
+------------
+- capabilities are no longer constrained when running as root (!1012)
+- cache: add percentage usage to cache.stats() (#580, !1025)
+- cache: add number of cache entries to cache.stats() (#510, !1028)
+- aarch64 support again, as some systems still didn't work (!1033)
+- support building against Knot DNS 3.0 (!1053)
+
+Bugfixes
+--------
+- tls: fix compilation to support net.tls_sticket_secret() (!1021)
+- validator: ignore bogus RRSIGs present in insecure domains (!1022, #587)
+- build if libsystemd version isn't detected as integer (#592, !1029)
+- validator: more robust reaction on missing RRSIGs (#390, !1020)
+- ta_update module: fix broken RFC5011 rollover (!1035)
+- garbage collector: avoid keeping multiple copies of cache (!1042)
+
+
+Knot Resolver 5.1.2 (2020-07-01)
+================================
+
+Bugfixes
+--------
+- hints module: NODATA answers also for non-address queries (!1005)
+- tls: send alert to peer if handshake fails (!1007)
+- cache: fix interaction between LMDB locks and preallocation (!1013)
+- cache garbage collector: fix flushing of messages to logs (!1009)
+- cache garbage collector: fix insufficient GC on 32-bit systems (!1009)
+- graphite module: do not block resolver on TCP failures (!1014)
+- policy.rpz various fixes (!1016): $ORIGIN issues,
+ precision of warnings, allow answering with multi-RR sets
+
+
+Knot Resolver 5.1.1 (2020-05-19)
+================================
+
+Security
+--------
+- fix CVE-2020-12667: mitigation for NXNSAttack DNS protocol vulnerability
+
+Bugfixes
+--------
+- control sockets: recognize newline as command boundary
+
+
+Knot Resolver 5.1.0 (2020-04-29)
+================================
+
+Improvements
+------------
+- cache garbage collector: reduce filesystem operations when idle (!946)
+- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging (!957)
+- daemon: improve TCP query latency under heavy TCP load (!968)
+- add policy.ANSWER action (!964, #192)
+- policy.rpz support fake A/AAAA (!964, #194)
+
+Bugfixes
+--------
+- cache: missing filesystem support for pre-allocation is no longer fatal (#549)
+- lua: policy.rpz() no longer watches the file when watch is set to false (!954)
+- fix a strict aliasing problem that might've lead to "miscompilation" (!962)
+- fix handling of DNAMEs, especially signed ones (#234, !965)
+- lua resolve(): correctly include EDNS0 in the virtual packet (!963)
+ Custom modules might have been confused by that.
+- do not leak bogus data into SERVFAIL answers (#396)
+- improve random Lua number generator initialization (!979)
+- cache: fix CNAME caching when validation is disabled (#472, !974)
+- cache: fix CNAME caching in policy.STUB mode (!974)
+- prefill: fix crash caused by race condition with resolver startup (!983)
+- webmgmt: use javascript scheme detection for websockets' protocol (#546)
+- daf module: fix del(), deny(), drop(), tc(), pass() functions (#553, !966)
+- policy and daf modules: expose initial query when evaluating postrules (#556)
+- cache: fix some cases of caching answers over 4 KiB (!976)
+- docs: support sphinx 3.0.0+ (!978)
+
+Incompatible changes
+--------------------
+- minor changes in module API; see upgrading guide:
+ https://knot-resolver.readthedocs.io/en/stable/upgrading.html
+
+
+Knot Resolver 5.0.1 (2020-02-05)
+================================
+
+Bugfixes
+--------
+- systemd: use correct cache location for garbage collector (#543)
+
+Improvements
+------------
+- cache: add cache.fssize() lua function to configure entire free disk space on
+ dedicated cache partition (#524, !932)
+
+
+Knot Resolver 5.0.0 (2020-01-27)
+================================
+
+Incompatible changes
+--------------------
+- see upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html
+- systemd sockets are no longer supported (#485)
+- net.listen() throws an error if it fails to bind; use freebind option if needed
+- control socket location has changed (!922)
+- -f/--forks is deprecated (#529, !919)
+
+Improvements
+------------
+- logging: control-socket commands don't log unless --verbose (#528)
+- use SO_REUSEPORT_LB if available (FreeBSD 12.0+)
+- lua: remove dependency on lua-socket and lua-sec, used lua-http and cqueues (#512, #521, !894)
+- lua: remove dependency on lua-filesystem (#520, !912)
+- net.listen(): allow binding to non-local address with freebind option (!898)
+- cache: pre-allocate the file to avoid SIGBUS later (not macOS; !917, #525)
+- lua: be stricter around nonsense returned from modules (!901)
+- user documentation was reorganized and extended (!900, !867)
+- multiple config files can be used with --config/-c option (!909)
+- lua: stop trying to tweak lua's GC (!201)
+- systemd: add SYSTEMD_INSTANCE env variable to identify different instances (!906)
+
+Bugfixes
+--------
+- correctly use EDNS(0) padding in failed answers (!921)
+- policy and daf modules: fix postrules and reroute rules (!901)
+- renumber module: don't accidentally zero-out request's .state (!901)
+
+
+Knot Resolver 4.3.0 (2019-12-04)
+================================
+
+Security - CVE-2019-19331
+-------------------------
+- fix speed of processing large RRsets (DoS, #518)
+- improve CNAME chain length accounting (DoS, !899)
+
+Bugfixes
+--------
+- http module: use SO_REUSEPORT (!879)
+- systemd: kresd@.service now properly starts after network interfaces
+ have been configured with IP addresses after reboot (!884)
+- sendmmsg: improve reliability (!704)
+- cache: fix crash on insertion via lua for NS and CNAME (!889)
+- rpm package: move root.keys to /var/lib/knot-resolver (#513, !888)
+
+Improvements
+------------
+- increase file-descriptor count limit to maximum allowed value (hard limit; !876)
+- watchdog module: support testing a DNS query (and switch C -> lua; !878, !881)
+- performance: use sendmmsg syscall towards clients by default (!877)
+- performance: avoid excessive getsockname() syscalls (!854)
+- performance: lua-related improvements (!874)
+- daemon now attempts to drop all capabilities (!896)
+- reduce CNAME chain length limit - now <= 12 (!899)
+
+
+Knot Resolver 4.2.2 (2019-10-07)
+================================
+
+Bugfixes
+--------
+- lua bindings: fix a 4.2.1 regression on 32-bit systems (#514)
+ which also fixes libknot 2.9 support on all systems
+
+
+Knot Resolver 4.2.1 (2019-09-26)
+================================
+
+Bugfixes
+--------
+- rebinding module: fix handling some requests, respect ALLOW_LOCAL flag
+- fix incorrect SERVFAIL on cached bogus answer for +cd request (!860)
+ (regression since 4.1.0 release, in less common cases)
+- prefill module: allow a different module-loading style (#506)
+- validation: trim TTLs by RRSIG's expiration and original TTL (#319, #504)
+- NS choice algorithm: fix a regression since 4.0.0 (#497, !868)
+- policy: special domains home.arpa. and local. get NXDOMAIN (!855)
+
+Improvements
+------------
+- add compatibility with (future) libknot 2.9
+
+
+Knot Resolver 4.2.0 (2019-08-05)
+================================
+
+Improvements
+------------
+- queries without RD bit set are REFUSED by default (!838)
+- support forwarding to multiple targets (!825)
+
+Bugfixes
+--------
+- tls_client: fix issue with TLS session resumption (#489)
+- rebinding module: fix another false-positive assertion case (!851)
+
+Module API changes
+------------------
+- kr_request::add_selected is now really put into answer,
+ instead of the "duplicate" ::additional field (#490)
+
+
+Knot Resolver 4.1.0 (2019-07-10)
+================================
+
+Security
+--------
+- fix CVE-2019-10190: do not pass bogus negative answer to client (!827)
+- fix CVE-2019-10191: do not cache negative answer with forged QNAME+QTYPE (!839)
+
+Improvements
+------------
+- new cache garbage collector is available and enabled by default (#257)
+ This improves cache efficiency on big installations.
+- DNS-over-HTTPS: unknown HTTP parameters are ignored to improve compatibility
+ with non-standard clients (!832)
+- DNS-over-HTTPS: answers include `access-control-allow-origin: *` (!823)
+ which allows JavaScript to use DoH endpoint.
+- http module: support named AF_UNIX stream sockets (again)
+- aggressive caching is disabled on minimal NSEC* ranges (!826)
+ This improves cache effectivity with DNSSEC black lies and also accidentally
+ works around bug in proofs-of-nonexistence from F5 BIG-IP load-balancers.
+- aarch64 support, even kernels with ARM64_VA_BITS >= 48 (#216, !797)
+ This is done by working around a LuaJIT incompatibility. Please report bugs.
+- lua tables for C modules are more strict by default, e.g. `nsid.foo`
+ will throw an error instead of returning `nil` (!797)
+- systemd: basic watchdog is now available and enabled by default (#275)
+
+Bugfixes
+--------
+- TCP to upstream: fix unlikely case of sending out wrong message length (!816)
+- http module: fix problems around maintenance of ephemeral certs (!819)
+- http module: also send intermediate TLS certificate to clients,
+ if available and luaossl >= 20181207 (!819)
+- send EDNS with SERVFAILs, e.g. on validation failures (#180, !827)
+- prefill module: avoid crash on empty zone file (#474, !840)
+- rebinding module: avoid excessive iteration on blocked attempts (!842)
+- rebinding module: fix crash caused by race condition (!842)
+- rebinding module: log each blocked query only in verbose mode (!842)
+- cache: automatically clear stale reader locks (!844)
+
+
+Module API changes
+------------------
+- lua modules may omit casting parameters of layer functions (!797)
+
+
+Knot Resolver 4.0.0 (2019-04-18)
+================================
+
+Incompatible changes
+--------------------
+- see upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html
+- configuration: trust_anchors aliases .file, .config() and .negative were removed (!788)
+- configuration: trust_anchors.keyfile_default is no longer accessible (!788)
+- daemon: -k/--keyfile and -K/--keyfile-ro options were removed
+- meson build system is now used for builds (!771)
+- build with embedded LMBD is no longer supported
+- default modules dir location has changed
+- DNSSEC is enabled by default
+- upstream packages for Debian now require systemd
+- libknot >= 2.8 is required
+- net.list() output format changed (#448)
+- net.listen() reports error when address-port pair is in use
+- bind to DNS-over-TLS port by default (!792)
+- stop versioning libkres library
+- default port for web management and APIs changed to 8453
+
+Improvements
+------------
+- policy.TLS_FORWARD: if hostname is configured, send it on wire (!762)
+- hints module: allow configuring the TTL and change default from 0 to 5s
+- policy module: policy.rpz() will watch the file for changes by default
+- packaging: lua cqueues added to default dependencies where available
+- systemd: service is no longer auto-restarted on configuration errors
+- always send DO+CD flags upstream, even in insecure zones (#153)
+- cache.stats() output is completely new; see docs (!775)
+- improve usability of table_print() (!790, !801)
+- add DNS-over-HTTPS support (#280)
+- docker image supports and exposes DNS-over-HTTPS
+
+Bugfixes
+--------
+- predict module: load stats module if config didn't specify period (!755)
+- trust_anchors: don't do 5011-style updates on anchors from files
+ that were loaded as unmanaged trust anchors (!753)
+- trust_anchors.add(): include these TAs in .summary() (!753)
+- policy module: support '#' for separating port numbers, for consistency
+- fix startup on macOS+BSD when </dev/null and cqueues installed
+- policy.RPZ: log problems from zone-file level of parser as well (#453)
+- fix flushing of messages to logs in some cases (notably systemd) (!781)
+- fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
+- fix crash when dealing with unknown TA key algorithm (#449)
+- go insecure due to algorithm support even if DNSKEY is NODATA (!798)
+- fix mac addresses in the output of net.interfaces() command (!804)
+- http module: fix too early renewal of ephemeral certificates (!808)
+
+Module API changes
+------------------
+- kr_straddr_split() changed API a bit (compiler will catch that)
+- C modules defining `*_layer` or `*_props` symbols need to change a bit
+ See the upgrading guide for details. It's detected on module load.
+
+
+Knot Resolver 3.2.1 (2019-01-10)
+================================
+
+Bugfixes
+--------
+- trust_anchors: respect validity time range during TA bootstrap (!748)
+- fix TLS rehandshake handling (!739)
+- make TLS_FORWARD compatible with GnuTLS 3.3 (!741)
+- special thanks to Grigorii Demidov for his long-term work on Knot Resolver!
+
+Improvements
+------------
+- improve handling of timed out outgoing TCP connections (!734)
+- trust_anchors: check syntax of public keys in DNSKEY RRs (!748)
+- validator: clarify message about bogus non-authoritative data (!735)
+- dnssec validation failures contain more verbose reasoning (!735)
+- new function trust_anchors.summary() describes state of DNSSEC TAs (!737),
+ and logs new state of trust anchors after start up and automatic changes
+- trust anchors: refuse revoked DNSKEY even if specified explicitly,
+ and downgrade missing the SEP bit to a warning
+
+
+Knot Resolver 3.2.0 (2018-12-17)
+================================
+
+New features
+------------
+- module edns_keepalive to implement server side of RFC 7828 (#408)
+- module nsid to implement server side of RFC 5001 (#289)
+- module bogus_log provides .frequent() table (!629, credit Ulrich Wisser)
+- module stats collects flags from answer messages (!629, credit Ulrich Wisser)
+- module view supports multiple rules with identical address/TSIG specification
+ and keeps trying rules until a "non-chain" action is executed (!678)
+- module experimental_dot_auth implements an DNS-over-TLS to auth protocol
+ (!711, credit Manu Bretelle)
+- net.bpf bindings allow advanced users to use eBPF socket filters
+
+Bugfixes
+--------
+- http module: only run prometheus in parent process if using --forks=N,
+ as the submodule collects metrics from all sub-processes as well.
+- TLS fixes for corner cases (!700, !714, !716, !721, !728)
+- fix build with -DNOVERBOSELOG (#424)
+- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
+- avoid SERVFAILs due to certain kind of NS dependency cycles, again
+ (#374) this time seen as 'circular dependency' in verbose logs
+- policy and view modules do not overwrite result finished requests (!678)
+
+Improvements
+------------
+- Dockerfile: rework, basing on Debian instead of Alpine
+- policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6
+ when choosing whom to ask, just as for iteration
+- use pseudo-randomness from gnutls instead of internal ISAAC (#233)
+- tune the way we deal with non-responsive servers (!716, !723)
+- documentation clarifies interaction between policy and view modules (!678, !730)
+
+Module API changes
+------------------
+- new layer is added: answer_finalize
+- kr_request keeps ::qsource.packet beyond the begin layer
+- kr_request::qsource.tcp renamed to ::qsource.flags.tcp
+- kr_request::has_tls renamed to ::qsource.flags.tls
+- kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly
+
+
+Knot Resolver 3.1.0 (2018-11-02)
+================================
+
+Incompatible changes
+--------------------
+- hints.use_nodata(true) by default; that's what most users want
+- libknot >= 2.7.2 is required
+
+Improvements
+------------
+- cache: handle out-of-space SIGBUS slightly better (#197)
+- daemon: improve TCP timeout handling (!686)
+
+Bugfixes
+--------
+- cache.clear('name'): fix some edge cases in API (#401)
+- fix error handling from TLS writes (!669)
+- avoid SERVFAILs due to certain kind of NS dependency cycles (#374)
+
+
+Knot Resolver 3.0.0 (2018-08-20)
+================================
+
+Incompatible changes
+--------------------
+- cache: fail lua operations if cache isn't open yet (!639)
+ By default cache is opened *after* reading the configuration,
+ and older versions were silently ignoring cache operations.
+ Valid configuration must open cache using `cache.open()` or `cache.size =`
+ before executing cache operations like `cache.clear()`.
+- libknot >= 2.7.1 is required, which brings also larger API changes
+- in case you wrote custom Lua modules, please consult
+ https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-changes-since-3-0-0
+- in case you wrote custom C modules, please see compile against
+ Knot DNS 2.7 and adjust your module according to messages from C compiler
+- DNS cookie module (RFC 7873) is not available in this release,
+ it will be later reworked to reflect development in IEFT dnsop working group
+- version module was permanently removed because it was not really used by users;
+ if you want to receive notifications about new releases please subscribe to
+ https://lists.nic.cz/postorius/lists/knot-resolver-announce.lists.nic.cz/
+
+Bugfixes
+--------
+- fix multi-process race condition in trust anchor maintenance (!643)
+- ta_sentinel: also consider static trust anchors not managed via RFC 5011
+
+Improvements
+------------
+- reorder_RR() implementation is brought back
+- bring in performance improvements provided by libknot 2.7
+- cache.clear() has a new, more powerful API
+- cache documentation was improved
+- old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver"
+ to prevent confusion with "Knot DNS" authoritative server
+
+
+Knot Resolver 2.4.1 (2018-08-02)
+================================
+
+Security
+--------
+- fix CVE-2018-10920: Improper input validation bug in DNS resolver component
+ (security!7, security!9)
+
+Bugfixes
+--------
+- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
+- TLS session resumption: avoid bad scheduling of rotation (#385)
+- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
+- cache: NSEC3 negative cache even without NS record (#384)
+ This fixes lower hit rate in NSEC3 zones (since 2.4.0).
+- minor TCP and TLS fixes (!623, !624, !626)
+
+
+Knot Resolver 2.4.0 (2018-07-03)
+================================
+
+Incompatible changes
+--------------------
+- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)
+
+Security
+--------
+- fix a rare case of zones incorrectly downgraded to insecure status (!576)
+
+New features
+------------
+- TLS session resumption (RFC 5077), both server and client (!585, #105)
+ (disabled when compiling with gnutls < 3.5)
+- TLS_FORWARD policy uses system CA certificate store by default (!568)
+- aggressive caching for NSEC3 zones (!600)
+- optional protection from DNS Rebinding attack (module rebinding, !608)
+- module bogus_log to log DNSSEC bogus queries without verbose logging (!613)
+
+Bugfixes
+--------
+- prefill: fix ability to read certificate bundle (!578)
+- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
+- fix validation of explicit wildcard queries (#274)
+- dns64 module: more properties from the RFC implemented (incl. bug #375)
+
+Improvements
+------------
+- systemd: multiple enabled kresd instances can now be started using kresd.target
+- ta_sentinel: switch to version 14 of the RFC draft (!596)
+- support for glibc systems with a non-Linux kernel (!588)
+- support per-request variables for Lua modules (!533)
+- support custom HTTP endpoints for Lua modules (!527)
+
+
+Knot Resolver 2.3.0 (2018-04-23)
+================================
+
+Security
+--------
+- fix CVE-2018-1110: denial of service triggered by malformed DNS messages
+ (!550, !558, security!2, security!4)
+- increase resilience against slow lorris attack (security!5)
+
+New features
+------------
+- new policy.REFUSE to reply REFUSED to clients
+
+Bugfixes
+--------
+- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
+- validation: fix SERVFAIL for DS . query (!544)
+- lib/resolve: don't send unnecessary queries to parent zone (!513)
+- iterate: fix validation for zones where parent and child share NS (!543)
+- TLS: improve error handling and documentation (!536, !555, !559)
+
+Improvements
+------------
+- prefill: new module to periodically import root zone into cache
+ (replacement for RFC 7706, !511)
+- network_listen_fd: always create end point for supervisor supplied file descriptor
+- use CPPFLAGS build environment variable if set (!547)
+
+
+Knot Resolver 2.2.0 (2018-03-28)
+================================
+
+New features
+------------
+- cache server unavailability to prevent flooding unreachable servers
+ (Please note that caching algorithm needs further optimization
+ and will change in further versions but we need to gather operational
+ experience first.)
+
+Bugfixes
+--------
+- don't magically -D_FORTIFY_SOURCE=2 in some cases
+- allow large responses for outbound over TCP
+- fix crash with RR sets with over 255 records
+
+
+Knot Resolver 2.1.1 (2018-02-23)
+================================
+
+Bugfixes
+--------
+- when iterating, avoid unnecessary queries for NS in insecure parent.
+ This problem worsened in 2.0.0. (#246)
+- prevent UDP packet leaks when using TLS forwarding
+- fix the hints module also on some other systems, e.g. Gentoo.
+
+
+Knot Resolver 2.1.0 (2018-02-16)
+================================
+
+Incompatible changes
+--------------------
+- stats: remove tracking of expiring records (predict uses another way)
+- systemd: re-use a single kresd.socket and kresd-tls.socket
+- ta_sentinel: implement protocol draft-ietf-dnsop-kskroll-sentinel-01
+ (our draft-ietf-dnsop-kskroll-sentinel-00 implementation had inverted logic)
+- libknot: require version 2.6.4 or newer to get bugfixes for DNS-over-TLS
+
+Bugfixes
+--------
+- detect_time_jump module: don't clear cache on suspend-resume (#284)
+- stats module: fix stats.list() returning nothing, regressed in 2.0.0
+- policy.TLS_FORWARD: refusal when configuring with multiple IPs (#306)
+- cache: fix broken refresh of insecure records that were about to expire
+- fix the hints module on some systems, e.g. Fedora (came back on 2.0.0)
+- build with older gnutls (conditionally disable features)
+- fix the predict module to work with insecure records & cleanup code
+
+
+Knot Resolver 2.0.0 (2018-01-31)
+================================
+
+Incompatible changes
+--------------------
+- systemd: change unit files to allow running multiple instances,
+ deployments with single instance now must use `kresd@1.service`
+ instead of `kresd.service`; see kresd.systemd(7) for details
+- systemd: the directory for cache is now /var/cache/knot-resolver
+- unify default directory and user to `knot-resolver`
+- directory with trust anchor file specified by -k option must be writeable
+- policy module is now loaded by default to enforce RFC 6761;
+ see documentation for policy.PASS if you use locally-served DNS zones
+- drop support for alternative cache backends memcached, redis,
+ and for Lua bindings for some specific cache operations
+- REORDER_RR option is not implemented (temporarily)
+
+New features
+------------
+- aggressive caching of validated records (RFC 8198) for NSEC zones;
+ thanks to ICANN for sponsoring this work.
+- forwarding over TLS, authenticated by SPKI pin or certificate.
+ policy.TLS_FORWARD pipelines queries out-of-order over shared TLS connection
+ Beware: Some resolvers do not support out-of-order query processing.
+ TLS forwarding to such resolvers will lead to slower resolution or failures.
+- trust anchors: you may specify a read-only file via -K or --keyfile-ro
+- trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only)
+- ta_sentinel module implements draft ietf-dnsop-kskroll-sentinel-00,
+ enabled by default
+- serve_stale module is prototype, subject to change
+- extended API for Lua modules
+
+Bugfixes
+--------
+- fix build on osx - regressed in 1.5.3 (different linker option name)
+
+
+Knot Resolver 1.5.3 (2018-01-23)
+================================
+
+Bugfixes
+--------
+- fix the hints module on some systems, e.g. Fedora.
+ Symptom: `undefined symbol: engine_hint_root_file`
+
+
+Knot Resolver 1.5.2 (2018-01-22)
+================================
+
+Security
+--------
+- fix CVE-2018-1000002: insufficient DNSSEC validation, allowing
+ attackers to deny existence of some data by forging packets.
+ Some combinations pointed out in RFC 6840 sections 4.1 and 4.3
+ were not taken into account.
+
+Bugfixes
+--------
+- memcached: fix fallout from module rename in 1.5.1
+
+
+Knot Resolver 1.5.1 (2017-12-12)
+================================
+
+Incompatible changes
+--------------------
+- script supervisor.py was removed, please migrate to a real process manager
+- module ketcd was renamed to etcd for consistency
+- module kmemcached was renamed to memcached for consistency
+
+Bugfixes
+--------
+- fix SIGPIPE crashes (#271)
+- tests: work around out-of-space for platforms with larger memory pages
+- lua: fix mistakes in bindings affecting 1.4.0 and 1.5.0 (and 1.99.1-alpha),
+ potentially causing problems in dns64 and workarounds modules
+- predict module: various fixes (!399)
+
+Improvements
+------------
+- add priming module to implement RFC 8109, enabled by default (#220)
+- add modules helping with system time problems, enabled by default;
+ for details see documentation of detect_time_skew and detect_time_jump
+
+
+Knot Resolver 1.5.0 (2017-11-02)
+================================
+
+Bugfixes
+--------
+- fix loading modules on Darwin
+
+Improvements
+------------
+- new module ta_signal_query supporting Signaling Trust Anchor Knowledge
+ using Keytag Query (RFC 8145 section 5); it is enabled by default
+- attempt validation for more records but require it for fewer of them
+ (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)
+
+
+Knot Resolver 1.99.1-alpha (2017-10-26)
+=======================================
+This is an experimental release meant for testing aggressive caching.
+It contains some regressions and might (theoretically) be even vulnerable.
+The current focus is to minimize queries into the root zone.
+
+Improvements
+------------
+- negative answers from validated NSEC (NXDOMAIN, NODATA)
+- verbose log is very chatty around cache operations (maybe too much)
+
+Regressions
+-----------
+- dropped support for alternative cache backends
+ and for some specific cache operations
+- caching doesn't yet work for various cases:
+ * negative answers without NSEC (i.e. with NSEC3 or insecure)
+ * +cd queries (needs other internal changes)
+ * positive wildcard answers
+- spurious SERVFAIL on specific combinations of cached records, printing:
+ <= bad keys, broken trust chain
+- make check
+- a few Deckard tests are broken, probably due to some problems above
+- also unknown ones?
+
+
+
+Knot Resolver 1.4.0 (2017-09-22)
+================================
+
+Incompatible changes
+--------------------
+- lua: query flag-sets are no longer represented as plain integers.
+ kres.query.* no longer works, and kr_query_t lost trivial methods
+ 'hasflag' and 'resolved'.
+ You can instead write code like qry.flags.NO_0X20 = true.
+
+Bugfixes
+--------
+- fix exiting one of multiple forks (#150)
+- cache: change the way of using LMDB transactions. That in particular
+ fixes some cases of using too much space with multiple kresd forks (#240).
+
+Improvements
+------------
+- policy.suffix: update the aho-corasick code (#200)
+- root hints are now loaded from a zonefile; exposed as hints.root_file().
+ You can override the path by defining ROOTHINTS during compilation.
+- policy.FORWARD: work around resolvers adding unsigned NS records (#248)
+- reduce unneeded records previously put into authority in wildcarded answers
+
+
+Knot Resolver 1.3.3 (2017-08-09)
+================================
+
+Security
+--------
+- Fix a critical DNSSEC flaw. Signatures might be accepted as valid
+ even if the signed data was not in bailiwick of the DNSKEY used to
+ sign it, assuming the trust chain to that DNSKEY was valid.
+
+Bugfixes
+--------
+- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
+- utils: fix possible incorrect seeding of the random generator
+- modules/http: fix compatibility with the Prometheus text format
+
+Improvements
+------------
+- policy: implement remaining special-use domain names from RFC6761 (#205),
+ and make these rules apply only if no other non-chain rule applies
+
+
+Knot Resolver 1.3.2 (2017-07-28)
+================================
+
+Security
+--------
+- fix possible opportunities to use insecure data from cache as keys
+ for validation
+
+Bugfixes
+--------
+- daemon: check existence of config file even if rundir isn't specified
+- policy.FORWARD and STUB: use RTT tracking to choose servers (#125, #208)
+- dns64: fix CNAME problems (#203) It still won't work with policy.STUB.
+- hints: better interpretation of hosts-like files (#204)
+ also, error out if a bad entry is encountered in the file
+- dnssec: handle unknown DNSKEY/DS algorithms (#210)
+- predict: fix the module, broken since 1.2.0 (#154)
+
+Improvements
+------------
+- embedded LMDB fallback: update 0.9.18 -> 0.9.21
+
+
+Knot Resolver 1.3.1 (2017-06-23)
+================================
+
+Bugfixes
+--------
+- modules/http: fix finding the static files (bug from 1.3.0)
+- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts
+
+
+Knot Resolver 1.3.0 (2017-06-13)
+================================
+
+Security
+--------
+- Refactor handling of AD flag and security status of resource records.
+ In some cases it was possible for secure domains to get cached as
+ insecure, even for a TLD, leading to disabled validation.
+ It also fixes answering with non-authoritative data about nameservers.
+
+Improvements
+------------
+- major feature: support for forwarding with validation (#112).
+ The old policy.FORWARD action now does that; the previous non-validating
+ mode is still available as policy.STUB except that also uses caching (#122).
+- command line: specify ports via @ but still support # for compatibility
+- policy: recognize 100.64.0.0/10 as local addresses
+- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily
+ retry with other NSs while avoiding retrying with those who REFUSED
+- modules: allow changing the directory where modules are found,
+ and do not search the default library path anymore.
+
+Bugfixes
+--------
+- validate: fix insufficient caching for some cases (relatively rare)
+- avoid putting "duplicate" record-sets into the answer (#198)
+
+
+Knot Resolver 1.2.6 (2017-04-24)
+================================
+
+Security
+--------
+- dnssec: don't set AD flag for NODATA answers if wildcard non-existence
+ is not guaranteed due to opt-out in NSEC3
+
+Improvements
+------------
+- layer/iterate: don't retry repeatedly if REFUSED
+
+Bugfixes
+--------
+- lib/nsrep: revert some changes to NS reputation tracking that caused
+ severe problems to some users of 1.2.5 (#178 and #179)
+- dnssec: fix verification of wildcarded non-singleton RRsets
+- dnssec: allow wildcards located directly under the root
+- layer/rrcache: avoid putting answer records into queries in some cases
+
+
+Knot Resolver 1.2.5 (2017-04-05)
+================================
+
+Security
+--------
+- layer/validate: clear AD if closest encloser proof has opt-outed
+ NSEC3 (#169)
+- layer/validate: check if NSEC3 records in wildcard expansion proof
+ has an opt-out
+- dnssec/nsec: missed wildcard no-data answers validation has been
+ implemented
+
+Improvements
+------------
+- modules/dnstap: a DNSTAP support module
+ (Contributed by Vicky Shrestha)
+- modules/workarounds: a module adding workarounds for known
+ DNS protocol violators
+- layer/iterate: fix logging of glue addresses
+- kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view
+ and renumber modules.
+- modules/padding: Improve default padding of responses
+ (Contributed by Daniel Kahn Gillmor)
+- New kresc client utility (experimental; don't rely on the API yet)
+
+Bugfixes
+--------
+- trust anchors: Improve trust anchors storage format (#167)
+- trust anchors: support non-root TAs, one domain per file
+- policy.DENY: set AA flag and clear AD flag
+- lib/resolve: avoid unnecessary DS queries
+- lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timed out
+- layer/iterate: During packet classification (answer vs. referral)
+ don't analyze AUTHORITY section in authoritative answer if ANSWER
+ section contains records that have been requested
+
+
+Knot Resolver 1.2.4 (2017-03-09)
+================================
+
+Security
+--------
+- Knot Resolver 1.2.0 and higher could return AD flag for insecure
+ answer if the daemon received answer with invalid RRSIG several
+ times in a row.
+
+Improvements
+------------
+- modules/policy: allow QTRACE policy to be chained with other
+ policies
+- hints.add_hosts(path): a new property
+- module: document the API and simplify the code
+- policy.MIRROR: support IPv6 link-local addresses
+- policy.FORWARD: support IPv6 link-local addresses
+- add net.outgoing_{v4,v6} to allow specifying address to use for
+ connections
+
+Bugfixes
+--------
+- layer/iterate: some improvements in cname chain unrolling
+- layer/validate: fix duplicate records in AUTHORITY section in case
+ of WC expansion proof
+- lua: do *not* truncate cache size to unsigned
+- forwarding mode: correctly forward +cd flag
+- fix a potential memory leak
+- don't treat answers that contain DS non-existence proof as insecure
+- don't store NSEC3 and their signatures in the cache
+- layer/iterate: when processing delegations, check if qname is at or
+ below new authority
+
+
+Knot Resolver 1.2.3 (2017-02-23)
+================================
+
+Bugfixes
+--------
+- Disable storing GLUE records into the cache even in the
+ (non-default) QUERY_PERMISSIVE mode
+- iterate: skip answer RRs that don't match the query
+- layer/iterate: some additional processing for referrals
+- lib/resolve: zonecut fetching error was fixed
+
+
+Knot Resolver 1.2.2 (2017-02-10)
+================================
+
+Bugfixes:
+---------
+- Fix -k argument processing to avoid out-of-bounds memory accesses
+- lib/resolve: fix zonecut fetching for explicit DS queries
+- hints: more NULL checks
+- Fix TA bootstrapping for multiple TAs in the IANA XML file
+
+Testing:
+--------
+- Update tests to run tests with and without QNAME minimization
+
+
+Knot Resolver 1.2.1 (2017-02-01)
+====================================
+
+Security:
+---------
+- Under certain conditions, a cached negative answer from a CD query
+ would be reused to construct response for non-CD queries, resulting
+ in Insecure status instead of Bogus. Only 1.2.0 release was affected.
+
+Documentation
+-------------
+- Update the typo in the documentation: The query trace policy is
+ named policy.QTRACE (and not policy.TRACE)
+
+Bugfixes:
+---------
+- lua: make the map command check its arguments
+
+
+Knot Resolver 1.2.0 (2017-01-24)
+====================================
+
+Security:
+---------
+- In a policy.FORWARD() mode, the AD flag was being always set by mistake.
+ It is now cleared, as the policy.FORWARD() doesn't do DNSSEC validation yet.
+
+Improvements:
+-------------
+- The DNSSEC Validation has been refactored, fixing many resolving
+ failures.
+- Add module `version` that checks for updates and CVEs periodically.
+- Support RFC7830: EDNS(0) padding in responses over TLS.
+- Support CD flag on incoming requests.
+- hints module: previously /etc/hosts was loaded by default, but not anymore.
+ Users can now actually avoid loading any file.
+- DNS over TLS now creates ephemeral certs.
+- Configurable cache.{min,max}_ttl option, with max_ttl defaulting to 6 days.
+- Option to reorder RRs in the response.
+- New policy.QTRACE policy to print packet contents
+
+Bugfixes:
+---------
+- Trust Anchor configuration is now more robust.
+- Correctly answer NOTIMPL for meta-types and non-IN RR classes.
+- Free TCP buffer on cancelled connection.
+- Fix crash in hints module on empty hints file, and fix non-lowercase hints.
+
+Miscellaneous:
+--------------
+- It now requires knot >= 2.3.1 to link successfully.
+- The API+ABI for modules changed slightly.
+- New LRU implementation.
+
+
+Knot Resolver 1.1.1 (2016-08-24)
+================================
+
+Bugfixes:
+---------
+ - Fix 0x20 randomization with retransmit
+ - Fix pass-through for the stub mode
+ - Fix the root hints IPv6 addresses
+ - Fix dst addr for retries over TCP
+
+Improvements:
+-------------
+ - Track RTT of all tried servers for faster retransmit
+ - DAF: Allow forwarding to custom port
+ - systemd: Read EnvironmentFile and user $KRESD_ARGS
+ - systemd: Update systemd units to be named after daemon
+
+
+Knot Resolver 1.1.0 (2016-08-12)
+================================
+
+Improvements:
+-------------
+ - RFC7873 DNS Cookies
+ - RFC7858 DNS over TLS
+ - HTTP/2 web interface, RESTful API
+ - Metrics exported in Prometheus
+ - DNS firewall module
+ - Explicit CNAME target fetching in strict mode
+ - Query minimisation improvements
+ - Improved integration with systemd
+
+
+Knot Resolver 1.0.0 (2016-05-30)
+================================
+
+Initial release:
+----------------
+ - The first initial release
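Review bot: The imported NEWS is inconsistent in its own formatting and has a few entries that read as unfinished; since this commit imports upstream 5.6.0 verbatim, these are best reported upstream rather than patched in the packaging import. Specifically: the section headings switch style between the 1.0.0 to 1.2.6 entries ("Bugfixes:", "Improvements:", "Security:" with a trailing colon and a matching longer underline) and every later release (no colon), and the release-title underlines for 1.2.1 and 1.2.0 are wider than the titles they underline; the bullets in 1.1.1 and 1.1.0 are indented by one space unlike the rest of the file; the 1.99.1-alpha "Regressions" list ends with "- make check" and "- also unknown ones?", which carry no information for a reader (the "make check" item presumably meant the test suite fails, but it does not say so); and the 1.2.0 Miscellaneous entry "It now requires knot >= 2.3.1" should name libknot, as the 2.1.0 entry does, since the dependency is the library, not the server. None of this affects the package, but for security tracking it is worth noting that only the 2.3.0 and 1.5.2 Security sections carry CVE identifiers, while the 1.3.3, 1.3.2, 1.3.0, 1.2.6, 1.2.5, 1.2.4, 1.2.1 and 1.2.0 Security entries describe DNSSEC validation flaws (bogus data accepted, AD set on insecure answers, CD-cached negatives reused) without any identifier; if the distribution's security tracker keys on CVE ids, those entries will not be matched against it automatically.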