knot-resolver6: update to version 6.0.8
Knot Resolver 6.0.8 (2024-07-23)
================================

Security
--------
- reduce buffering of transmitted data, especially TCP-based in userspace
  Also expose some of the new tweaks in lua:
  (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
  (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}

Packaging
---------
- all packages:
   - remove unused dependency on `libedit`
- deb packages:
   - packages ``knot-resolver-core`` and ``knot-resolver-manager`` have been
     merged into a single ``knot-resolver6`` package. Suffix packages
     ``knot-resolver-*`` have been renamed to ``knot-resolver6-*``. This change
     _should_ be transparent, but please do let us know if you encounter any
     issues while updating.
   - package ``python3-prometheus-client`` is now only an optional dependency
- rpm packages:
   - packages ``knot-resolver-core`` and ``knot-resolver-manager`` have been
     merged into a single ``knot-resolver`` package. This change _should_ be
     transparent, but please do let us know if you encounter any issues while
     updating.
   - bugfix: do not overwrite config.yaml
   - package ``python3-prometheus_client`` is now only an optional dependency
- arch package:
   - fix after they renamed a dependency

Improvements
------------
- TLS (DoT, DoH): respect crypto policy overrides in OS
- manager: export metrics to JSON via management HTTP API
   * JSON is the new default metrics output format
   * the ``prometheus-client`` Python package is now an optional dependency,
     required only for Prometheus export to work
- cache: prefetching records
   * predict module: prefetching expiring records moved to prefetch module
   * prefetch module: new module to prefetch expiring records
- stats: add separate metrics for IPv6 and IPv4
- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696
- manager: policy-loader: new component for separate loading of policy rules
  The ``policy-loader`` ensures that configured policies are loaded into the
  rules database where they are made available to all running kresd workers.
  This loading is no longer done by all kresd workers as it was before, so this
  should significantly improve the resolver's startup/reload time when loading
  large sets of policy rules, e.g. large RPZs.

Incompatible changes
--------------------
- cache: the ``cache.prediction`` configuration property has been reorganized
  into ``cache.prefetch.expiring`` and ``cache.prefetch.prediction``, changing
  the default behaviour as well. See the `relevant documentation section
  <https://www.knot-resolver.cz/documentation/v6.0.8/config-cache-predict.html>`_
  for more.
- libknot <=3.2.x support is dropped

Bugfixes
--------
- arch package: fix after they renamed a dependency
- fix startup with `dnssec: false`
- rpm packages: do not overwrite config.yaml
- fix NSEC3 records missing in answer for positive wildcard expansion
  with the NSEC3 having over-limit iteration count
- views: fix a bug in subnet matching


Knot Resolver 6.0.7 (2024-03-27)
================================

Improvements
------------
- manager: clear the cache via management HTTP API
- manager: added support for Python 3.12 and removed for 3.7
- manager: use build-time install prefix to execute `kresd` instead of PATH
- docs: documentation is now separated into user and developer parts
- daemon: ignore UDP requests from ports < 1024
- manager: increase startup timeout for processes
- local-data: increase default DB size to 2G on 64-bit platforms

Bugfixes
--------
- fix listening by interface name containing dashes
- fix kresctl http request timeout
- fix RPZ if it contains apex NS record
- fix RPZ if SOA is repeated, as usual in AXFR output
- avoid RPZ overriding the root SOA
- fix on 32-bit systems with 64-bit time_t
- fix paths to knot-dns libs if exec_prefix != prefix
- manager: add missing early check that neither a custom port nor TLS is set
  for authoritative server forwarding