From: Oto Šťáva Date: Wed, 10 Apr 2024 11:19:27 +0000 (+0200) Subject: Merge remote-tracking branch 'origin/master' into 6.0 X-Git-Tag: v6.0.8~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-6-0-mvwoqi%2Fdeployments%2F3738;p=thirdparty%2Fknot-resolver.git Merge remote-tracking branch 'origin/master' into 6.0 --- 60411bb2b9cca259e1edd1189279e6d216e9b4bb diff --cc NEWS index e56187f17,f1e5d30fd..9c9b91b25 --- a/NEWS +++ b/NEWS @@@ -1,85 -1,4 +1,85 @@@ +Knot Resolver 6.0.8 (2024-0m-dd) +================================ + +Improvements +------------ +- TLS (DoT, DoH): respect crypto policy overrides in OS (!1526) + + +Knot Resolver 6.0.7 (2024-03-27) +================================ + +Improvements +------------ +- manager: clear the cache via management HTTP API (#876, !1491) +- manager: added support for Python 3.12 and removed for 3.7 (!1502) +- manager: use build-time install prefix to execute `kresd` instead of PATH (!1511) +- docs: documentation is now separated into user and developer parts (!1514) +- daemon: ignore UDP requests from ports < 1024 (!1507) +- manager: increase startup timeout for processes (!1518, !1520) +- local-data: increase default DB size to 2G on 64-bit platforms (!1518) + +Bugfixes +-------- +- fix listening by interface name containing dashes (#900, !1500) +- fix kresctl http request timeout (!1505) +- fix RPZ if it contains apex NS record (!1516) +- fix RPZ if SOA is repated, as usual in AXFR output (!1521) +- avoid RPZ overriding the root SOA (!1521) +- fix on 32-bit systems with 64-bit time_t (!1510) +- fix paths to knot-dns libs if exec_prefix != prefix (!1503) +- manager: add missing early check that neither a custom port nor TLS is set for + authoritative server forwarding (#902, !1505) + + +Knot Resolver 6.0.6 (2024-02-13) +================================ + +Security +-------- +- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the 
NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + +- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity + could be exploited to exhaust CPU resources and stall DNS resolvers. + Solution boils down mainly to limiting crypto-validations per packet. + + We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner + from the German National Research Center for Applied Cybersecurity ATHENE + for bringing this vulnerability to our attention. + +Improvements +------------ +- update addresses of B.root-servers.net (!1478) +- tweak the default run_dir on non-Linux (!1481) + +Bugfixes +-------- +- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880) +- fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497) + + +Knot Resolver 6.0.5 (2024-01-09) +================================ + +6.0.x are "early access" versions, +not generally recommended for production use. + +6.0 contains biggest changes in the history of Knot Resolver releases. +You will have to rewrite your configuration. 
See documentation, in particular: +https://www.knot-resolver.cz/documentation/latest/upgrading-to-6.html + + + + +5.x branch longterm support +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + - Knot Resolver 5.7.2 (2024-0m-dd) + Knot Resolver 5.7.2 (2024-03-27) ================================ Bugfixes diff --cc meson.build index 3b7cd3581,d6f9be384..05f093c92 --- a/meson.build +++ b/meson.build @@@ -65,8 -58,21 +65,22 @@@ systemd_cache_dir = prefix / get_option systemd_unit_dir = prefix / 'lib' / 'systemd' / 'system' systemd_tmpfiles_dir = prefix / 'lib' / 'tmpfiles.d' systemd_sysusers_dir = prefix / 'lib' / 'sysusers.d' +completion_dir = prefix / 'share' + ## RPath + # When installing from sources into a non-standard prefix and the library is + # shared/dynamic, we need to set the executables' RPATH so that they can find + # `libkresd`, otherwise running them will fail with dynamic linkage errors + auto_prefixes = ['/', '/usr', '/usr/local'] + rpath_opt = get_option('install_rpath') + if (get_option('default_library') == 'static' or + rpath_opt == 'disabled' or + (rpath_opt == 'auto' and prefix in auto_prefixes)) + rpath = '' + else + rpath = prefix / get_option('libdir') + endif + ## Trust anchors managed_ta = get_option('managed_ta') == 'enabled' keyfile_default = etc_dir / get_option('keyfile_default')
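Review bot: in the NEWS hunk, the 6.0.7 Bugfixes entry "fix RPZ if SOA is repated, as usual in AXFR output (!1521)" has a typo, "repated" should be "repeated"; and the new 6.0.8 header still carries the "2024-0m-dd" placeholder date, which must be filled in before tagging (the conflict resolution in the 5.x section correctly drops the merged-in "5.7.2 (2024-0m-dd)" placeholder in favour of master's "5.7.2 (2024-03-27)", so only the 6.0.8 line remains open). Two of the 6.0.7 entries are security hardening rather than plain improvements and deserve a sentence of rationale so operators understand the behaviour change: "daemon: ignore UDP requests from ports < 1024 (!1507)" means the resolver now silently drops queries whose UDP source port is privileged, which legitimate clients do not use and which are a classic way to get a resolver to reflect replies at other services; and "TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)" means the system-wide crypto policy can now weaken or strengthen the cipher and protocol set kresd offers, so administrators on distributions with such policies should verify what they get after upgrading.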
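Review bot: in the meson.build RPath hunk, the 'auto' branch assumes that when prefix is '/usr/local' the dynamic loader will find libkresd under `prefix / get_option('libdir')` without an RPATH, but not every distribution lists /usr/local/lib (or /usr/local/lib64) in its ld.so.conf, so an install with the default prefix and `default_library=shared` can still fail with the very linkage error the comment warns about; either drop '/usr/local' from `auto_prefixes = ['/', '/usr', '/usr/local']` or document that such installs need `ldconfig`/`-Dinstall_rpath=enabled`. Note also that this hunk only computes the `rpath` variable; the `install_rpath:` keyword must actually be passed on each `executable()` target elsewhere for the comment to hold, and since the value is an absolute path rather than `$ORIGIN`-relative the installed tree cannot be relocated. Finally, an embedded absolute RPATH means the daemon will load whatever libkresd sits in that directory, so the docs should state that the chosen libdir must be owned by root and not writable by the user kresd runs as.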