+ Knot Resolver 1.4.0 (2017-0x-yy)
+ ================================
+
+ Incompatible changes
+ --------------------
+ - lua: query flag-sets are no longer represented as plain integers.
+ kres.query.* no longer works, and kr_query_t lost trivial methods
+ 'hasflag' and 'resolved'.
+ You can instead write code like qry.flags.NO_0X20 = true.
+
+Improvements
+------------
+- policy.suffix: update the aho-corasick code (#200)
+
+ Knot Resolver 1.3.3 (2017-08-09)
+ ================================
+
+ Security
+ --------
+ - Fix a critical DNSSEC flaw. Signatures might be accepted as valid
+ even if the signed data was not in bailiwick of the DNSKEY used to
+ sign it, assuming the trust chain to that DNSKEY was valid.
+
+ Bugfixes
+ --------
+ - iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
+ - utils: fix possible incorrect seeding of the random generator
+ - modules/http: fix compatibility with the Prometheus text format
+
+ Improvements
+ ------------
+ - policy: implement remaining special-use domain names from RFC6761 (#205),
+ and make these rules apply only if no other non-chain rule applies
+
+
Knot Resolver 1.3.2 (2017-07-28)
================================
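Review bot: indentation in the 1.4.0 block is inconsistent: the ``Improvements`` heading, its underline and the ``policy.suffix`` bullet carry no leading space, while every other added line (``Incompatible changes`` and the whole 1.3.3 block) does, and the existing ``Knot Resolver 1.3.2`` context line has none; in reStructuredText an indented title plus underline is parsed as an indented block, not a section, so pick one indentation for the whole file. The incompatible-change entry gives ``qry.flags.NO_0X20 = true`` as the replacement for setting a flag but says nothing about reading one (the former ``hasflag``) or about what replaces ``resolved``; state whether ``qry.flags.NO_0X20`` can be read as a boolean and name the ``resolved`` replacement so module authors can migrate. The 1.3.3 Security entry describes a critical DNSSEC flaw (signatures accepted for data outside the bailiwick of the signing DNSKEY) but, unlike the ``#200`` and ``#205`` entries, cites no issue or advisory identifier; add one if it exists so the fix is traceable. ``2017-0x-yy`` is a placeholder date that must be filled in before the 1.4.0 tag.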
--------------
This module can block, rewrite, or alter inbound queries based on user-defined policies.
- By default, it blocks queries to reverse lookups in private subnets as per :rfc:`1918`, :rfc:`5735` and :rfc:`5737`.
- You can however extend it to deflect `Slow drip DNS attacks <https://blog.secure64.com/?p=377>`_ for example, or gray-list resolution of misbehaving zones.
+ By default, if no rule applies to a query, rules for special-use domain names are applied, as required by :rfc:`6761`.
- There are several policies implemented:
+ You can however extend it e.g. to deflect `Slow drip DNS attacks <https://secure64.com/water-torture-slow-drip-dns-ddos-attack>`_ or gray-list resolution of misbehaving zones.
- * ``pattern``
- - applies action if QNAME matches `regular expression <http://lua-users.org/wiki/PatternsTutorial>`_
- * ``suffix``
- - applies action if QNAME suffix matches given list of suffixes (useful for "is domain in zone" rules),
+ There are several policy filters available in the ``policy.`` table:
+
+ * ``all(action)``
+ - always applies the action
+ * ``pattern(action, pattern)``
+ - applies the action if QNAME matches a `regular expression <http://lua-users.org/wiki/PatternsTutorial>`_
+ * ``suffix(action, table)``
+ - applies the action if QNAME suffix matches one of suffixes in the table (useful for "is domain in zone" rules),
- uses `Aho-Corasick`_ string matching algorithm implemented by `@jgrahamc`_ (CloudFlare, Inc.) (BSD 3-clause)
+ uses `Aho-Corasick`_ string matching algorithm `from CloudFlare <https://github.com/cloudflare/lua-aho-corasick>`_ (BSD 3-clause)
+ * :any:`policy.suffix_common`
* ``rpz``
- - implementes a subset of the RPZ_ format. Currently it can be used with a zonefile, a binary database support is on the way. Binary database can be updated by an external process on the fly.
+ - implements a subset of RPZ_ in zonefile format. See below for details: :any:`policy.rpz`.
* custom filter function
- There are several defined actions:
+ There are several actions available in the ``policy.`` table:
- * ``PASS`` - let the query pass through
- * ``DENY`` - return NXDOMAIN answer
- * ``DROP`` - terminate query resolution, returns SERVFAIL to requestor
+ * ``PASS`` - let the query pass through; it's useful to make exceptions before wider rules
+ * ``DENY`` - reply NXDOMAIN authoritatively
+ * ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
* ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
* ``FORWARD(ip)`` - solve a query via forwarding to an IP while validating and caching locally;
the parameter can be a single IP (string) or a lua list of up to four IPs.
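Review bot: the new default-behaviour sentence (``By default, if no rule applies to a query, rules for special-use domain names are applied``) says the RFC 6761 rules fire whenever no rule matched, while the 1.3.3 NEWS entry in this same change says they apply only if no other non-chain rule applies; align the wording, because a user who adds a chain rule needs to know whether the special-use defaults still run. The removed sentence about blocking reverse lookups for private subnets (RFC 1918, 5735, 5737) is not carried over; if that behaviour is now covered by the RFC 6761 rules, say so here, since readers of the previous text will look for it. The filter list is also uneven: ``all``, ``pattern`` and ``suffix`` now show their ``(action, ...)`` signatures, but ``rpz`` is still bare and ``:any:`policy.suffix_common``` has no one-line description, so list the ``rpz`` parameters and summarise what ``suffix_common`` matches. Minor: ``matches one of suffixes in the table`` should read ``one of the suffixes``.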