+Knot Resolver 6.0.7 (2024-0m-dd)
+================================
+
+Improvements
+------------
+- manager: clear the cache via management HTTP API (#876,!1491)
+- docs: documentation is now separated into user and developer parts (!1514)
+
+Bugfixes
+--------
+- fix listening by interface name containing dashes (#900, !1500)
+- fix kresctl http request timeout (!1505)
+- fix RPZ if it contains apex NS record (!1516)
++- fix on 32-bit systems with 64-bit time_t (!1510)
+
+
+Knot Resolver 6.0.6 (2024-02-13)
+================================
+
+Security
+--------
+- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
+ * validator: lower the NSEC3 iteration limit (150 -> 50)
+ * validator: similarly also limit excessive NSEC3 salt length
+ * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
+ * validator: limit the amount of work on SHA1 in NSEC3 proofs
+ * validator: refuse to validate answers with more than 8 NSEC3 records
+
+- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
+ could be exploited to exhaust CPU resources and stall DNS resolvers.
+ Solution boils down mainly to limiting crypto-validations per packet.
+
+ We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner
+ from the German National Research Center for Applied Cybersecurity ATHENE
+ for bringing this vulnerability to our attention.
+
+Improvements
+------------
+- update addresses of B.root-servers.net (!1478)
+- tweak the default run_dir on non-Linux (!1481)
+
+Bugfixes
+--------
+- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
+- fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497)
+
+
+Knot Resolver 6.0.5 (2024-01-09)
+================================
+
+6.0.x are "early access" versions,
+not generally recommended for production use.
+
+6.0 contains biggest changes in the history of Knot Resolver releases.
+You will have to rewrite your configuration. See documentation, in particular:
+https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html
+
+
+
+
+5.x branch longterm support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Knot Resolver 5.7.2 (2024-0m-dd)
+ ================================
+
+ Bugfixes
+ --------
+ - fix on 32-bit systems with 64-bit time_t (!1510)
+
Knot Resolver 5.7.1 (2024-02-13)
================================
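Review bot: the last entry of the 6.0.7 Bugfixes list is added as `++- fix on 32-bit systems with 64-bit time_t (!1510)`, so the NEWS file itself will contain a line starting with a literal `+`. It looks like a leftover diff marker from pasting, and it should read `- fix on 32-bit systems with 64-bit time_t (!1510)` like its neighbours. The new 5.7.2 block under "5.x branch longterm support" also appears indented by one column relative to the 6.0.x headings; confirm that is intended and not the same paste artifact. Both new headings still carry the `2024-0m-dd` placeholder, which needs a real date before release.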
size_t addr_size;
switch (saddr->sa_family) {
case AF_INET:
- if (net->proxy_all4)
+ if (the_network->proxy_all4)
return true;
- trie = net->proxy_addrs4;
+ trie = the_network->proxy_addrs4;
addr_size = sizeof(addr.ip4);
- addr.ip4 = ((struct sockaddr_in *) saddr)->sin_addr;
+ addr.ip4 = ((struct sockaddr_in *)saddr)->sin_addr;
break;
case AF_INET6:
- if (net->proxy_all6)
+ if (the_network->proxy_all6)
return true;
- trie = net->proxy_addrs6;
+ trie = the_network->proxy_addrs6;
addr_size = sizeof(addr.ip6);
- addr.ip6 = ((struct sockaddr_in6 *) saddr)->sin6_addr;
+ addr.ip6 = ((struct sockaddr_in6 *)saddr)->sin6_addr;
break;
default:
kr_assert(false); // Only IPv4 and IPv6 proxy addresses supported
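Review bot: in the AF_INET and AF_INET6 branches the check now reads `the_network->proxy_all4`, `the_network->proxy_addrs4` and their IPv6 counterparts from a global instead of the `net` pointer, and nothing in the visible lines establishes that `the_network` is initialised when this code runs. Since this switch decides whether a peer is trusted to send a PROXY header, state that precondition explicitly, for example with an assertion at function entry, or document that the global is set up before any listener accepts traffic. The cast spacing changes on the `sin_addr` and `sin6_addr` lines are cosmetic and would be easier to review in a separate commit from the `net` to `the_network` conversion.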
kr_assert(val);
const struct net_proxy_data *found = *val;
kr_assert(found);
- return kr_bitcmp((char *) &addr, (char *) &found->addr, found->netmask) == 0;
+ return kr_bitcmp((char *)&addr, (char *)&found->addr, found->netmask) == 0;
}
-ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
+ssize_t proxy_process_header(struct proxy_result *out,
const void *buf, const ssize_t nread)
{
if (!buf)
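Review bot: the `proxy_process_header` signature drops `struct session *s`, but the visible lines show neither the prototype's doc comment nor any caller, so confirm that the header declaration and every call site change in the same commit and that the parameter documentation no longer mentions the session. The `kr_bitcmp` line just above differs only in cast spacing; keeping that whitespace cleanup out of this commit would make the API change easier to spot in history.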