This is long overdue. Honestly I dislike that packaging
is hardcoding it this way. It's error-prone, as we can see.
Knot Resolver source does contain the up-to-date anchors,
and it also (optionally) installs them. Still, I'm not up to
larger changes in OpenWrt packaging right now.
Signed-off-by: Vladimír Čunát <vladimir.cunat@nic.cz>

Knot Resolver 5.7.6 (2025-07-17)
================================

Security
--------
- DoS: fix a rare segfault in `resolve` function (!1720)
  Someone controlling the DNS traffic might be able
  to trigger this crash intentionally and too often.
- DoS: drop a wrong assertion/crash (!1721)
  Someone controlling the DNS traffic will most likely be able
  to trigger this crash intentionally and too often.

Knot Resolver 5.7.5 (2025-04-24)
================================

Security
--------
- DoS: fix unconfirmed crashes with the line below (!1683)
  [system] requirement "h && h->end > h->begin" failed in queue_pop_impl

Improvements
------------
- tests: disable problematic config.http test (#925, !1678)
- validator: accept a confusing NODATA proof with insecure delegation (!1678)

Bugfixes
--------
- daemon/http: DoH stream got stuck after returning an error code (!1652)
- stats: request latency was very incorrect in some cases (!1678)

Signed-off-by: Vladimír Čunát <vladimir.cunat@nic.cz>
knot-resolver will attempt to use jemalloc if it's available.
Jemalloc was added to OpenWrt packages in PR: Add jemalloc and integrate into bind #26721 [1].
At this time, we would rather continue linking with the libc malloc,
so this PR disables jemalloc support explicitly in the knot-resolver build configuration.
[1] https://github.com/openwrt/packages/pull/26721#issuecomment-2973865778
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Knot Resolver 5.7.4 (2024-07-23)
================================

Security
--------
- reduce buffering of transmitted data, especially TCP-based in userspace
  Also expose some of the new tweaks in lua:
    (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
    (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}

Improvements
------------
- add the fresh DNSSEC root key KSK-2024 already, Key ID 38696

Incompatible changes
--------------------
- libknot 3.0.x support is dropped
  Upstream last maintained 3.0.x in spring 2022.

Knot Resolver 5.7.3 (2024-05-30)
================================

Improvements
------------
- stats: add separate metrics for IPv6 and IPv4

Bugfixes
--------
- fix NSEC3 records missing in answer for positive wildcard expansion
  with the NSEC3 having over-limit iteration count

Knot Resolver 5.7.2 (2024-03-27)
================================

Bugfixes
--------
- fix on 32-bit systems with 64-bit time_t

Signed-off-by: Jan Hák <jan.hak@nic.cz>
- Fixes CVE-2023-50868 and CVE-2023-50387
- Also, the resolver has not been called 'Knot DNS Resolver' for quite
some time, so fix that, too.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
The 'dnstap' module will be built but not loaded by default at runtime
(configuration must be provided for it to be loaded). It is still possible to
disable dnstap build manually using menuconfig.
"The dnstap module supports logging DNS requests and responses to a unix socket
in dnstap format using fstrm framing library. This logging is useful if you need
effectively log all DNS traffic."[^1]
Adds dependencies on 'protobuf', 'protobuf-c', 'libfstrm'. The listed packages are
available from OpenWrt packages, have uncomplicated manifests, and
while 'protobuf-c' hasn't had a maintainer since spring 2020, all the
packages (including 'protobuf-c') seem to be maintained - the last
updates of all of them were in autumn 2021.
As stated by Vladimír Čunát from the Knot Resolver team, they build dnstap
while packaging for the majority of standard Linux distributions.
Therefore this change brings us closer to the expected default.
[^1]: https://knot-resolver.readthedocs.io/en/stable/modules-dnstap.html
Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
It was possible to enable dnstap in menuconfig, but the configuration
only added dependencies while leaving the dnstap module build disabled.
Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
* refresh patches
* disabling kres_gen_test is not required anymore for cross compilation; it was fixed upstream with the 5.4.1 release
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>