--------
- trust_anchors.set_insecure: improve precision (#673, !1177)
+Incompatible changes
+--------------------
+- legacy DoH implementation configuration in net.listen() was renamed from
+ kind="doh" to kind="doh_legacy" (!1180)
+
Knot Resolver 5.3.2 (2021-05-05)
================================
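Review bot: the "Incompatible changes" entry only says the kind was renamed, but the accompanying change in the net.listen() binding turns kind="doh" from a logged deprecation into a hard error (lua_error_p replaces kr_log_deprecate), so an existing configuration with kind="doh" stops the resolver from loading its config. State that explicitly here, e.g. "net.listen() now rejects kind="doh"; the legacy DoH implementation must be requested as kind="doh_legacy" (!1180)", and add that doh_legacy remains deprecated so readers are pointed at kind="doh2" rather than at a mechanical rename.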
} else if (k) {
flags.kind = k;
if (strcasecmp(k, "doh") == 0) {
- kr_log_deprecate(
- "kind=\"doh\" is an obsolete DoH implementation, use kind=\"doh2\" instead\n");
+ lua_error_p(L, "kind=\"doh\" was renamed to kind=\"doh_legacy\", switch to the new implementation with kind=\"doh2\" or update your config");
}
}
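Review bot: replacing kr_log_deprecate with lua_error_p changes a warning into a configuration failure for every existing net.listen(..., { kind = 'doh' }) call; that is a deliberate incompatible change, but it should be called out in the NEWS and upgrading text rather than only in the error message. Minor style point: the strcasecmp check runs after flags.kind = k has already been assigned; moving the check before the assignment makes it obvious that the rejected value never reaches flags.kind. Note too that this check is case-insensitive while the Lua-side comparisons of socket.kind elsewhere in the patch use exact equality, so "DOH" is rejected here but "DOH_LEGACY" would not match the Lua counters.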
":ref:`dns-over-https`","``doh2``"
":ref:`Web management <mod-http-built-in-services>`","``webmgmt``"
":ref:`Control socket <control-sockets>`","``control``"
- ":ref:`mod-http-doh`","``doh``"
+ ":ref:`mod-http-doh`","``doh_legacy``"
.. note:: By default, **unencrypted DNS and DNS-over-TLS** are configured to **listen
on localhost**.
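Review bot: the renamed table row presents doh_legacy as just another endpoint kind next to doh2, with nothing marking it as deprecated, even though the documentation of the http module elsewhere in this patch carries a warning that the legacy implementation has known performance and stability issues that will not be fixed. Add a "(deprecated)" marker to the row label or a one-line note under the table so that a reader scanning the table is steered to doh2.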
elseif (socket.kind == 'dns' or
socket.kind == 'xdp' or
socket.kind == 'tls' or
- socket.kind == 'doh' or
+ socket.kind == 'doh_legacy' or
socket.kind == 'doh2') then
dns_socks = dns_socks + 1
end
blockinfile:
marker: -- {mark} ANSIBLE MANAGED BLOCK
block: |
- net.listen('127.0.0.1', 44353, { kind = 'doh' })
+ net.listen('127.0.0.1', 44353, { kind = 'doh_legacy' })
modules.load('http')
path: /etc/knot-resolver/kresd.conf
insertbefore: BOF
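Review bot: the managed block calls net.listen('127.0.0.1', 44353, { kind = 'doh_legacy' }) before modules.load('http'), but the doh_legacy kind is only registered by net.register_endpoint_kind('doh_legacy', cb_socket) in the http module's M.init(). The test configuration at the end of this patch loads the module first and then listens; unless this block deliberately relies on deferred endpoint registration, swap the two lines so both configurations follow the same order.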
We advise users to prepare for these changes sooner rather than later to make it easier to upgrade to
newer versions when they are released.
-* Going forward DNS-over-HTTP (DoH) will be supported only over HTTP/2 with TLS.
- This limitation allows us to provide a new :ref:`more reliable and scalable implementation
- of DoH <dns-over-https>` (``kind='doh2'``).
* Command line option ``--forks`` (``-f``) `is deprecated and will be eventually removed
<https://gitlab.nic.cz/knot/knot-resolver/-/issues/631>`_.
Preferred way to manage :ref:`systemd-multiple-instances` is to use a process manager,
.. _`systemd`: https://systemd.io/
.. _`supervisord`: http://supervisord.org/
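Review bot: dropping the whole "Going forward DNS-over-HTTP (DoH) will be supported only over HTTP/2 with TLS" bullet removes the only forward-looking notice in the deprecations list, while the legacy implementation still exists under kind='doh_legacy' and is still documented as deprecated. Keep a shortened bullet here, e.g. "kind='doh_legacy' (the http-module DoH implementation) is deprecated and will be removed; use kind='doh2'", so that the deprecations section stays complete.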
+5.3 to 5.4
+==========
+
+Configuration file
+------------------
+
+* ``kind='doh'`` in :func:`net.listen` was renamed to ``kind='doh_legacy'``. It is recommended to switch to the new DoH implementation with ``kind='doh2'``.
5.2 to 5.3
==========
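Review bot: the new "5.3 to 5.4" entry should say what happens to a configuration that still uses the old name, since the binding change in this patch makes kind='doh' a load-time error rather than a warning; "was renamed" alone suggests the old spelling might still work. Suggested wording: "kind='doh' in :func:`net.listen` is no longer accepted; the legacy implementation is now kind='doh_legacy' and remains deprecated, switch to kind='doh2'."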
+--------------+---------------------------------------------------------------------------------+
| webmgmt | :ref:`built-in web management <mod-http-built-in-services>` APIs (includes DoH) |
+--------------+---------------------------------------------------------------------------------+
-| doh | :ref:`mod-http-doh` |
+| doh_legacy | :ref:`mod-http-doh` |
+--------------+---------------------------------------------------------------------------------+
Each network address and port combination can be configured to expose
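Review bot: this is a reStructuredText grid table, so the replacement row must keep the first column padded to the same width as the border line above it; the longer name doh_legacy needs the cell re-padded (the extracted view collapses whitespace, so verify it renders). The description cell would also benefit from marking the row as deprecated, matching the warning in the legacy DoH section.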
tls = true,
cert = '/etc/knot-resolver/mycert.crt',
key = '/etc/knot-resolver/mykey.key',
- }, 'doh')
+ }, 'doh_legacy')
The format of both certificate and key is expected to be PEM, e.g. equivalent to
the outputs of following:
Legacy DNS-over-HTTPS (DoH)
---------------------------
-.. warning:: The legacy DoH implementation using ``http`` module (``kind='doh'``)
+.. warning:: The legacy DoH implementation using ``http`` module (``kind='doh_legacy'``)
is deprecated. It has known performance and stability issues that won't be fixed.
Use new :ref:`dns-over-https` implementation instead.
-This was an experimental implementation of :rfc:`8484`. It was configured using
-``doh`` kind in :func:`net.listen`. Its configuration (such as certificates)
-took place in ``http.config()``.
+This was an experimental implementation of :rfc:`8484`. It can be configured using
+``doh_legacy`` kind in :func:`net.listen`. Its configuration (such as certificates)
+takes place in ``http.config()``.
Queries were served on ``/doh`` and ``/dns-query`` endpoints.
Please read HTTP module basics in chapter :ref:`mod-http` before continuing.
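Review bot: the rewritten paragraph mixes tenses: "This was an experimental implementation" is kept in the past, the next two sentences become present ("It can be configured", "takes place"), and the following unchanged line still reads "Queries were served on ...". Since the implementation still exists under doh_legacy, use the present tense consistently ("This is an experimental implementation ... It is configured using ... Queries are served on ...") and keep the deprecation warning above it as the only statement about its future.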
Each network address+protocol+port combination configured using :func:`net.listen`
-is associated with *kind* of endpoint, e.g. ``doh`` or ``webmgmt``.
+is associated with *kind* of endpoint, e.g. ``doh_legacy`` or ``webmgmt``.
Each of these *kind* names is associated with table of HTTP endpoints,
and the default table can be replaced using ``http.config()`` configuration call
M.configs._all = {}
-- DoH
-M.configs._builtin.doh = {}
+M.configs._builtin.doh_legacy = {}
-- management endpoint
M.configs._builtin.webmgmt = {}
end
-- Export HTTP service endpoints
-M.configs._builtin.doh.endpoints = {}
+M.configs._builtin.doh_legacy.endpoints = {}
M.configs._builtin.webmgmt.endpoints = {}
local mgmt_endpoints = M.configs._builtin.webmgmt.endpoints
end
M.trace = http_trace
-M.configs._builtin.doh.endpoints = {}
+M.configs._builtin.doh_legacy.endpoints = {}
local http_doh = require('kres_modules.http_doh')
for k, v in pairs(http_doh.endpoints) do
mgmt_endpoints[k] = v
- M.configs._builtin.doh.endpoints[k] = v
+ M.configs._builtin.doh_legacy.endpoints[k] = v
end
M.doh = http_doh
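Review bot: the builtin config key becomes M.configs._builtin.doh_legacy, but the module still exports the same implementation as M.doh, so the public table and the endpoint kind no longer use the same name. Either rename the export to M.doh_legacy (and document it) or add a comment explaining that M.doh is kept for compatibility; otherwise the next reader will wonder which name is the canonical one. Also, M.configs._builtin.doh_legacy.endpoints = {} here re-creates a table that was already initialised in the earlier hunk, so one of the two assignments can go.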
-- @function Init module
function M.init()
- net.register_endpoint_kind('doh', cb_socket)
+ net.register_endpoint_kind('doh_legacy', cb_socket)
net.register_endpoint_kind('webmgmt', cb_socket)
end
remove_socket(fd)
end
tls_cert.ephemeral_state_destroy(M.ephem_state)
- net.register_endpoint_kind('doh')
+ net.register_endpoint_kind('doh_legacy')
net.register_endpoint_kind('webmgmt')
end
-- @function Configure module, i.e. store new configuration template
--- kind = socket type (doh/webmgmt)
+-- kind = socket type (doh_legacy/webmgmt)
function M.config(conf, kind)
if conf == nil and kind == nil then
-- default module config, nothing to do
modules.load('http')
http.config({
tls = false,
- }, 'doh')
+ }, 'doh_legacy')
local bound
for _ = 1,1000 do
- bound, _err = pcall(net.listen, '127.0.0.1', math.random(30000, 39999), { kind = 'doh' })
+ bound, _err = pcall(net.listen, '127.0.0.1', math.random(30000, 39999), { kind = 'doh_legacy' })
if bound then
break
end
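Review bot: the changed line still assigns to an undeclared global, bound, _err = pcall(net.listen, ...), while only bound is declared local above; since the line is being touched anyway, declare both ("local bound, err" before the loop, then "bound, err = pcall(...)") so a failed bind does not leak the error value into the global environment of the test config.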