Bugfixes

• manager: avoid an uncommon startup race in policy-loader (!1653)
  [WARN] exited: policy-loader (exit status 0; not expected)
• manager: fix processes watchdog errors during shutdown (!1651)
• /cache/prefill/*/ca_file: fix setting this attribute (!1655)

Improvements

• manager: allow multiple instances with different rundirs (!1656)
• tests: disable problematic config.http test (#925, !1662)
• /management/unix-socket: allow path relative to rundir (!1657)
• validator: accept a confusing NODATA proof with insecure delegation (!1659)

Improvements

• avoid multiple log lines when IPv6 isn't available (!1633)
• manager: fix startup on Linux without libsystemd (!1608)
• auto-reload TLS certificate files (!1626)
  • Can be configured using the /network/tls/files-watchdog option. (!1645)
• reload TLS certificate files even if the configuration has not changed (!1644)
• kresctl: bash command-line TAB completion (!1622)
• add request prioritization (defer) to mitigate DoS attacks (!1641)
• views: allow overriding price-factor (!1646)

Improvements

• rate-limiting: add these options, mechanism, docs (!1624)

• manager: secret for TLS session resumption via ticket (RFC5077) (!1567)

  The manager creates and sets the secret for all running kresd workers. The secret is created automatically if the user does not configure their own secret in the configuration. This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so.

• answer NOTIMPL for meta-types and non-IN RR classes (!1589)

• views: improve interaction with old-style policies (!1576)

• stats: add stale answer counter 'answer.stale' (!1591)

• extended_errors: answer with EDE in more cases (!1585, !1588, !1590, !1592)

• local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)

• daemon: use connected UDP sockets by default (#326, !1618)

• docker: multiplatform builds (#922, !1623)

• docker: shared VOLUMEs are prepared for configuration and cache (!1625, !1627)

  Configuration path was changed to standard /etc/knot-resolver/config.yaml.

Bugfixes

• daemon/proxyv2: fix informing the engine about TCP/TLS from the actual client (!1578)
• forward: fix wrong pin-sha256 length; also log pins on mismatch (!1601, #813)

Incompatible changes

• -f/--forks is removed (#631, !1602)
• gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
• libuv < 1.27 support is dropped, released over 5 years ago (!1618)

Security

• reduce buffering of transmitted data, especially TCP-based in userspace Also expose some of the new tweaks in lua:
  • (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
  • require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}

Packaging

• all packages:
  • remove unused dependency on libedit (!1553)
• deb packages:
  • packages knot-resolver-core and knot-resolver-manager have been merged into a single knot-resolver6 package. Suffix packages knot-resolver-* have been renamed to knot-resolver6-*. This change should be transparent, but please do let us know if you encounter any issues while updating. (!1549)
  • package python3-prometheus-client is now only an optional dependency
• rpm packages:
  • packages knot-resolver-core and knot-resolver-manager have been merged into a single knot-resolver package. This change should be transparent, but please do let us know if you encounter any issues while updating. (!1549)
  • bugfix: do not overwrite config.yaml (!1525)
  • package python3-prometheus_client is now only an optional dependency
• arch package:
  • fix after they renamed a dependency (!1536)

Improvements

• TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
• manager: export metrics to JSON via management HTTP API (!1527)
  • JSON is the new default metrics output format
  • the prometheus-client Python package is now an optional dependency, required only for Prometheus export to work
• cache: prefetching records
  • predict module: prefetching expiring records moved to prefetch module
  • prefetch module: new module to prefetch expiring records
• stats: add separate metrics for IPv6 and IPv4 (!1545)
• add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
• manager: policy-loader: new component for separate loading of policy rules (!1540) The policy-loader ensures that configured policies are loaded into the rules database where they are made available to all running kresd workers. This loading is no longer done by all kresd workers as it was before, so this should significantly improve the resolver's startup/reload time when loading large sets of policy rules, e.g. large RPZs.

Incompatible changes

• cache: the cache.prediction configuration property has been reorganized into cache.prefetch.expiring and cache.prefetch.prediction, changing the default behaviour as well. See the relevant documentation section <https://www.knot-resolver.cz/documentation/v6.0.8/config-cache-predict.html>_ for more.
• libknot <=3.2.x support is dropped (!1565)

Bugfixes

• arch package: fix after they renamed a dependency (!1536)
• fix startup with dnssec: false (!1548)
• rpm packages: do not overwrite config.yaml (!1525)
• fix NSEC3 records missing in answer for positive wildcard expansion with the NSEC3 having over-limit iteration count (#910, !1550)
• views: fix a bug in subnet matching (!1562)

Security

• reduce buffering of transmitted data, especially TCP-based in userspace Also expose some of the new tweaks in lua:
  • (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
  • (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}

Improvements

• add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)

Incompatible changes

• libknot 3.0.x support is dropped (!1558) Upstream last maintained 3.0.x in spring 2022.

Knot Resolver 5.7.3 (2024-05-30)

Improvements

• stats: add separate metrics for IPv6 and IPv4 (!1544)

Bugfixes

• fix NSEC3 records missing in answer for positive wildcard expansion with the NSEC3 having over-limit iteration count (#910, !1550)

Knot Resolver 5.7.2 (2024-03-27)

Bugfixes

• fix on 32-bit systems with 64-bit time_t (!1510)

Knot Resolver 5.7.1 (2024-02-13)

Security

• CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU

  • validator: lower the NSEC3 iteration limit (150 -> 50)
  • validator: similarly also limit excessive NSEC3 salt length
  • cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
  • validator: limit the amount of work on SHA1 in NSEC3 proofs
  • validator: refuse to validate answers with more than 8 NSEC3 records

• CVE-2023-50387 "KeyTrap": DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.

  We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention.

Improvements

• update addresses of B.root-servers.net (!1478)

Bugfixes

• fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)

---

The update affects how some cached records are being treated, which may trip up some sanity checking mechanisms in Knot Resolver if you have advanced debugging options enabled (disabled by default), "debugging.assertion_abort" for version 5 (Lua) and "logging/debugging/assertation-abort" for version 6 (YAML). In case you encounter any issues, please try clearing the cache first.

Knot Resolver 5.7.0 (2023-08-22)

Security

• avoid excessive TCP reconnections in a few more cases (!1448) Like before, the remote server had to behave nonsensically in order to inflict this upon itself, but it might be abusable for DoS.

  We thank Ivan Jedek from OryxLabs for reporting this.

Improvements

• forwarding mode: tweak dealing with failures from forwarders, in particular prefer sending CD=0 upstream (!1392)

Bugfixes

• fix unusual timestamp format in debug dumps of records (!1386)
• adjust linker options; it should help less common platforms (!1384)
• hints module: fix names inside home.arpa. (!1406)
• EDNS padding (RFC 8467) compatibility with knot-dns 3.3 libs (!1422)

Knot Resolver 5.6.0 (2023-01-26)

Security

• avoid excessive TCP reconnections in some cases (!1380) For example, a DNS server that just closes connections without answer could cause lots of work for the resolver (and itself, too). The number of connections could be up to around 100 per client's query.

  We thank Xiang Li from NISL Lab, Tsinghua University, and Xuesong Bai and Qifan Zhang from DSP Lab, UCI.

Improvements

• daemon: feed server selection with more kinds of bad-answer events (!1380)
• cache.max_ttl(): lower the default from six days to one day and apply both limits to the first uncached answer already (!1323 #127)
• depend on jemalloc, preferably, to improve memory usage (!1353)
• no longer accept DNS messages with trailing data (!1365)
• policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
• policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)

Bugfixes

• policy.DEBUG_IF: don't print client's packet unconditionally (!1366)