DNS/KnotResolver/NEWSについて、ここに記述してください。
Knot Resolver 1.2.6 (2017-04-24) ================================
Security -------- - dnssec: don't set AD flag for NODATA answers if wildcard non-existence is not guaranteed due to opt-out in NSEC3 Improvements ------------ - layer/iterate: don't retry repeatedly if REFUSED Bugfixes -------- - lib/nsrep: revert some changes to NS reputation tracking that caused severe problems to some users of 1.2.5 (#178 and #179) - dnssec: fix verification of wildcarded non-singleton RRsets - dnssec: allow wildcards located directly under the root - layer/rrcache: avoid putting answer records into queries in some cases
Knot Resolver 1.2.5 (2017-04-05) ================================
Security -------- - layer/validate: clear AD if closest encloser proof has opt-outed NSEC3 (#169) - layer/validate: check if NSEC3 records in wildcard expansion proof has an opt-out - dnssec/nsec: missed wildcard no-data answers validation has been implemented Improvements ------------ - modules/dnstap: a DNSTAP support module (Contributed by Vicky Shrestha) - modules/workarounds: a module adding workarounds for known DNS protocol violators - layer/iterate: fix logging of glue addresses - kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view and renumber modules. - modules/padding: Improve default padding of responses (Contributed by Daniel Kahn Gillmor) - New kresc client utility (experimental; don't rely on the API yet) Bugfixes -------- - trust anchors: Improve trust anchors storage format (#167) - trust anchors: support non-root TAs, one domain per file - policy.DENY: set AA flag and clear AD flag - lib/resolve: avoid unnecessary DS queries - lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timeouted - layer/iterate: During packet classification (answer vs. referral) don't analyze AUTHORITY section in authoritative answer if ANSWER section contains records that have been requested
Knot Resolver 1.2.4 (2017-03-09) ================================
Security
--------
- Knot Resolver 1.2.0 and higher could return AD flag for insecure
answer if the daemon received answer with invalid RRSIG several
times in a row.
Improvements
------------
- modules/policy: allow QTRACE policy to be chained with other
policies
- hints.add_hosts(path): a new property
- module: document the API and simplify the code
- policy.MIRROR: support IPv6 link-local addresses
- policy.FORWARD: support IPv6 link-local addresses
- add net.outgoing_{v4,v6} to allow specifying address to use for
connections
Bugfixes
--------
- layer/iterate: some improvements in cname chain unrolling
- layer/validate: fix duplicate records in AUTHORITY section in case
of WC expansion proof
- lua: do *not* truncate cache size to unsigned
- forwarding mode: correctly forward +cd flag
- fix a potential memory leak
- don't treat answers that contain DS non-existance proof as insecure
- don't store NSEC3 and their signatures in the cache
- layer/iterate: when processing delegations, check if qname is at or
below new authorityKnot Resolver 1.2.3 (2017-02-23) ================================
Bugfixes -------- - Disable storing GLUE records into the cache even in the (non-default) QUERY_PERMISSIVE mode - iterate: skip answer RRs that don't match the query - layer/iterate: some additional processing for referrals - lib/resolve: zonecut fetching error was fixed
Knot Resolver 1.2.2 (2017-02-10) ================================
Bugfixes: --------- - Fix -k argument processing to avoid out-of-bounds memory accesses - lib/resolve: fix zonecut fetching for explicit DS queries - hints: more NULL checks - Fix TA bootstrapping for multiple TAs in the IANA XML file Testing: -------- - Update tests to run tests with and without QNAME minimization
Knot Resolver 1.2.1 (2017-02-01) ====================================
Security: --------- - Under certain conditions, a cached negative answer from a CD query would be reused to construct response for non-CD queries, resulting in Insecure status instead of Bogus. Only 1.2.0 release was affected. Documentation ------------- - Update the typo in the documentation: The query trace policy is named policy.QTRACE (and not policy.TRACE) Bugfixes: --------- - lua: make the map command check its arguments
Knot Resolver 1.2.0 (2017-01-24) ====================================
Security:
---------
- In a policy.FORWARD() mode, the AD flag was being always set by mistake.
It is now cleared, as the policy.FORWARD() doesn't do DNSSEC validation yet.
Improvements:
-------------
- The DNSSEC Validation has been refactored, fixing many resolving
failures.
- Add module `version` that checks for updates and CVEs periodically.
- Support RFC7830: EDNS(0) padding in responses over TLS.
- Support CD flag on incoming requests.
- hints module: previously /etc/hosts was loaded by default, but not anymore.
Users can now actually avoid loading any file.
- DNS over TLS now creates ephemeral certs.
- Configurable cache.{min,max}_tll option, with max_ttl defaulting to 6 days.
- Option to reorder RRs in the response.
- New policy.QTRACE policy to print packet contents
Bugfixes:
---------
- Trust Anchor configuration is now more robust.
- Correctly answer NOTIMPL for meta-types and non-IN RR classes.
- Free TCP buffer on cancelled connection.
- Fix crash in hints module on empty hints file, and fix non-lowercase hints.
Miscelaneous:
-------------
- It now requires knot >= 2.3.1 to link successfully.
- The API+ABI for modules changed slightly.
- New LRU implementation.Knot Resolver 1.1.1 (2016-08-24) ================================
Bugfixes: --------- - Fix 0x20 randomization with retransmit - Fix pass-through for the stub mode - Fix the root hints IPv6 addresses - Fix dst addr for retries over TCP Improvements: ------------- - Track RTT of all tried servers for faster retransmit - DAF: Allow forwarding to custom port - systemd: Read EnvironmentFile and user $KRESD_ARGS - systemd: Update systemd units to be named after daemon
Knot Resolver 1.1.0 (2016-08-12) ================================
Improvements: ------------- - RFC7873 DNS Cookies - RFC7858 DNS over TLS - HTTP/2 web interface, RESTful API - Metrics exported in Prometheus - DNS firewall module - Explicit CNAME target fetching in strict mode - Query minimisation improvements - Improved integration with systemd
Knot Resolver 1.0.0 (2016-05-30) ================================
Initial release: ---------------- - The first initial release