--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-c894f896fd
2018-07-12 14:18:11.697524
--------------------------------------------------------------------------------
Name : knot-resolver
Product : Fedora 28
Version : 2.4.0
Release : 1.fc28
URL :
https://www.knot-resolver.cz/
Summary : Caching full DNS Resolver
Description :
The Knot DNS Resolver is a caching full resolver implementation written in C
and LuaJIT, including both a resolver library and a daemon. Modular
architecture of the library keeps the core tiny and efficient, and provides
a state-machine like API for extensions.
The package is pre-configured as local caching resolver.
To start using it, start a single kresd instance:
$ systemctl start kresd(a)1.service
--------------------------------------------------------------------------------
Update Information:
Knot Resolver 2.4.0 (2018-07-03) ================================ Incompatible
changes -------------------- - minimal libknot version is now 2.6.7 to pull in
latest fixes (#366) Security -------- - fix a rare case of zones incorrectly
dowgraded to insecure status (!576) New features ------------ - TLS session
resumption (RFC 5077), both server and client (!585, #105) (disabled when
compiling with gnutls < 3.5) - TLS_FORWARD policy uses system CA certificate
store by default (!568) - aggressive caching for NSEC3 zones (!600) - optional
protection from DNS Rebinding attack (module rebinding, !608) - module bogus_log
to log DNSSEC bogus queries without verbose logging (!613) Bugfixes -------- -
prefill: fix ability to read certificate bundle (!578) - avoid turning off qname
minimization in some cases, e.g. co.uk. (#339) - fix validation of explicit
wildcard queries (#274) - dns64 module: more properties from the RFC implemented
(incl. bug #375) Improvements ------------ - systemd: multiple enabled kresd
instances can now be started using kresd.target - ta_sentinel: switch to version
14 of the RFC draft (!596) - support for glibc systems with a non-Linux kernel
(!588) - support per-request variables for Lua modules (!533) - support custom
HTTP endpoints for Lua modules (!527)
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jul 3 2018 Tomas Krizek <tomas.krizek(a)nic.cz> - 2.4.0-1
Knot Resolver 2.4.0 (2018-07-03)
================================
Incompatible changes
--------------------
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)
Security
--------
- fix a rare case of zones incorrectly dowgraded to insecure status (!576)
New features
------------
- TLS session resumption (RFC 5077), both server and client (!585, #105)
(disabled when compiling with gnutls < 3.5)
- TLS_FORWARD policy uses system CA certificate store by default (!568)
- aggressive caching for NSEC3 zones (!600)
- optional protection from DNS Rebinding attack (module rebinding, !608)
- module bogus_log to log DNSSEC bogus queries without verbose logging (!613)
Bugfixes
--------
- prefill: fix ability to read certificate bundle (!578)
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
- dns64 module: more properties from the RFC implemented (incl. bug #375)
Improvements
------------
- systemd: multiple enabled kresd instances can now be started using kresd.target
- ta_sentinel: switch to version 14 of the RFC draft (!596)
- support for glibc systems with a non-Linux kernel (!588)
- support per-request variables for Lua modules (!533)
- support custom HTTP endpoints for Lua modules (!527)
* Mon Apr 23 2018 Tomas Krizek <tomas.krizek(a)nic.cz> - 2.3.0-1
Knot Resolver 2.3.0 (2018-04-23)
================================
Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS messages
(!550, !558, security!2, security!4)
- increase resilience against slow lorris attack (security!5)
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)
Improvements
------------
- prefill: new module to periodically import root zone into cache
(replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied file descriptor
- use CPPFLAGS build environment variable if set (!547)
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-c894f896fd' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------