|
|
e977454 |
%global _hardened_build 1
|
|
|
a9dc29a |
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}}
|
|
|
e977454 |
|
|
|
75c2d93 |
%define GPG_CHECK 1
|
|
|
0c7970f |
%define VERSION 5.0.0
|
|
|
75c2d93 |
%define repodir %{_builddir}/%{name}-%{version}
|
|
|
0befa7b |
%define NINJA ninja-build
|
|
|
75c2d93 |
|
|
|
e977454 |
Name: knot-resolver
|
|
|
75c2d93 |
Version: %{VERSION}
|
|
|
3300f4d |
Release: 1%{?dist}
|
|
|
e977454 |
Summary: Caching full DNS Resolver
|
|
|
e977454 |
|
|
|
e977454 |
License: GPLv3
|
|
|
e977454 |
URL: https://www.knot-resolver.cz/
|
|
|
75c2d93 |
Source0: https://secure.nic.cz/files/%{name}/%{name}-%{version}.tar.xz
|
|
|
fd4eae6 |
|
|
|
1efd2a2 |
# LuaJIT only on these arches
|
|
Petr Špaček |
3d4efe3 |
%if 0%{?rhel}
|
|
Petr Špaček |
3d4efe3 |
# RHEL 7 does not have aarch64 LuaJIT
|
|
|
399ff66 |
ExclusiveArch: %{ix86} x86_64
|
|
Petr Špaček |
3d4efe3 |
%else
|
|
|
399ff66 |
ExclusiveArch: %{arm} aarch64 %{ix86} x86_64
|
|
Petr Špaček |
3d4efe3 |
%endif
|
|
|
1efd2a2 |
|
|
|
75c2d93 |
%if 0%{GPG_CHECK}
|
|
|
75c2d93 |
Source1: https://secure.nic.cz/files/%{name}/%{name}-%{version}.tar.xz.asc
|
|
|
a77666b |
# PGP keys used to sign upstream releases
|
|
|
5648f15 |
# Export with --armor using command from https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
|
|
|
75c2d93 |
# Don't forget to update %%prep section when adding/removing keys
|
|
|
399ff66 |
Source100: gpgkey-B6006460B60A80E782062449E747DF1F9575A3AA.gpg.asc
|
|
|
399ff66 |
Source101: gpgkey-BE26EBB9CBE059B3910CA35BCE8DD6A1A50A21E4.gpg.asc
|
|
|
399ff66 |
Source102: gpgkey-4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869.gpg.asc
|
|
|
a77666b |
BuildRequires: gnupg2
|
|
|
75c2d93 |
%endif
|
|
|
a77666b |
|
|
|
3cc696f |
BuildRequires: gcc
|
|
|
3cc696f |
BuildRequires: gcc-c++
|
|
|
0befa7b |
BuildRequires: meson
|
|
|
399ff66 |
BuildRequires: pkgconfig(cmocka)
|
|
|
399ff66 |
BuildRequires: pkgconfig(gnutls)
|
|
|
399ff66 |
BuildRequires: pkgconfig(libedit)
|
|
|
0befa7b |
BuildRequires: pkgconfig(libknot) >= 2.8
|
|
|
0befa7b |
BuildRequires: pkgconfig(libzscanner) >= 2.8
|
|
|
0befa7b |
BuildRequires: pkgconfig(libdnssec) >= 2.8
|
|
|
399ff66 |
BuildRequires: pkgconfig(libsystemd)
|
|
|
3300f4d |
BuildRequires: pkgconfig(libcap-ng)
|
|
|
8c88fb4 |
BuildRequires: pkgconfig(libuv)
|
|
|
fd4eae6 |
BuildRequires: pkgconfig(luajit) >= 2.0
|
|
|
0befa7b |
|
|
|
0befa7b |
Requires: systemd
|
|
|
0c7970f |
Requires(post): systemd
|
|
|
e977454 |
|
|
|
a9dc29a |
# Distro-dependent dependencies
|
|
Petr Špaček |
dac5294 |
%if 0%{?rhel}
|
|
|
399ff66 |
BuildRequires: lmdb-devel
|
|
|
399ff66 |
# Lua 5.1 version of the libraries have different package names
|
|
|
0befa7b |
Requires: lua-basexx
|
|
|
d7e4af5 |
Requires: lua-psl
|
|
|
0c7970f |
Requires: lua-http
|
|
|
0befa7b |
Requires(pre): shadow-utils
|
|
|
a9dc29a |
%endif
|
|
|
a9dc29a |
%if 0%{?fedora}
|
|
|
399ff66 |
BuildRequires: pkgconfig(lmdb)
|
|
|
a9dc29a |
BuildRequires: python3-sphinx
|
|
|
0befa7b |
Requires: lua5.1-basexx
|
|
|
0befa7b |
Requires: lua5.1-cqueues
|
|
|
0c7970f |
Requires: lua5.1-http
|
|
|
d7e4af5 |
Recommends: lua5.1-psl
|
|
|
0befa7b |
Requires(pre): shadow-utils
|
|
|
a9dc29a |
%endif
|
|
|
3300f4d |
|
|
|
3300f4d |
# we do not build HTTP module on SuSE so the build requires is not needed
|
|
|
3300f4d |
%if "x%{?suse_version}" == "x"
|
|
|
3300f4d |
BuildRequires: openssl-devel
|
|
|
3300f4d |
%endif
|
|
|
3300f4d |
|
|
|
a9dc29a |
%if 0%{?suse_version}
|
|
|
0befa7b |
%define NINJA ninja
|
|
|
a9dc29a |
BuildRequires: lmdb-devel
|
|
|
a9dc29a |
BuildRequires: python3-Sphinx
|
|
|
0befa7b |
Requires(pre): shadow
|
|
Petr Špaček |
dac5294 |
%endif
|
|
|
fd4eae6 |
|
|
|
a9dc29a |
%if "x%{?rhel}" == "x"
|
|
|
a13c266 |
# dependencies for doc package
|
|
|
0c7970f |
# NOTE: doc isn't possible to build on CentOS 7
|
|
|
0c7970f |
# python2-sphinx is too old and python36-breathe is broken
|
|
|
399ff66 |
BuildRequires: doxygen
|
|
|
399ff66 |
BuildRequires: python3-breathe
|
|
|
399ff66 |
BuildRequires: python3-sphinx_rtd_theme
|
|
|
399ff66 |
%endif
|
|
|
399ff66 |
|
|
|
e977454 |
%description
|
|
|
0befa7b |
The Knot Resolver is a DNSSEC-enabled caching full resolver implementation
|
|
|
0befa7b |
written in C and LuaJIT, including both a resolver library and a daemon.
|
|
|
0befa7b |
Modular architecture of the library keeps the core tiny and efficient, and
|
|
|
0befa7b |
provides a state-machine like API for extensions.
|
|
|
e977454 |
|
|
Petr Špaček |
c235144 |
The package is pre-configured as local caching resolver.
|
|
|
75c2d93 |
To start using it, start a single kresd instance:
|
|
|
0713c0e |
$ systemctl start kresd@1.service
|
|
Petr Špaček |
c235144 |
|
|
|
e977454 |
%package devel
|
|
|
d955512 |
Summary: Development headers for Knot Resolver
|
|
|
e977454 |
Requires: %{name}%{?_isa} = %{version}-%{release}
|
|
|
e977454 |
|
|
|
e977454 |
%description devel
|
|
|
d955512 |
The package contains development headers for Knot Resolver.
|
|
|
e977454 |
|
|
|
a9dc29a |
%if "x%{?rhel}" == "x"
|
|
|
867b52d |
%package doc
|
|
|
d955512 |
Summary: Documentation for Knot Resolver
|
|
|
75c2d93 |
BuildArch: noarch
|
|
|
75c2d93 |
Requires: %{name} = %{version}-%{release}
|
|
|
867b52d |
|
|
|
867b52d |
%description doc
|
|
|
d955512 |
Documentation for Knot Resolver
|
|
|
395c8b1 |
%endif
|
|
|
867b52d |
|
|
|
0befa7b |
%if "x%{?suse_version}" == "x"
|
|
|
0befa7b |
%package module-http
|
|
|
0befa7b |
Summary: HTTP/2 module for Knot Resolver
|
|
|
3300f4d |
Requires: %{name} = %{version}-%{release}
|
|
|
0befa7b |
%if 0%{?fedora}
|
|
|
0befa7b |
Requires: lua5.1-http
|
|
|
0befa7b |
Requires: lua5.1-mmdb
|
|
|
0befa7b |
%else
|
|
|
0befa7b |
Requires: lua-http
|
|
|
0befa7b |
Requires: lua-mmdb
|
|
|
0befa7b |
%endif
|
|
|
0befa7b |
|
|
|
0befa7b |
%description module-http
|
|
|
0befa7b |
HTTP/2 module for Knot Resolver has multiple uses. It enables use of
|
|
|
0befa7b |
DNS-over-HTTP, can serve as API ednpoint for other modules or provide a web
|
|
|
0befa7b |
interface for local visualization of the resolver cache and queries.
|
|
|
0befa7b |
%endif
|
|
|
0befa7b |
|
|
|
e977454 |
%prep
|
|
|
75c2d93 |
%if 0%{GPG_CHECK}
|
|
|
66ecb7d |
export GNUPGHOME=./gpg-keyring
|
|
|
66ecb7d |
mkdir ${GNUPGHOME}
|
|
|
75c2d93 |
gpg2 --import %{SOURCE100} %{SOURCE101} %{SOURCE102}
|
|
|
66ecb7d |
gpg2 --verify %{SOURCE1} %{SOURCE0}
|
|
|
75c2d93 |
%endif
|
|
|
75c2d93 |
%setup -q -n %{name}-%{version}
|
|
|
a77666b |
|
|
|
e977454 |
%build
|
|
|
0befa7b |
CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" meson build_rpm \
|
|
|
a9dc29a |
%if "x%{?rhel}" == "x"
|
|
|
0befa7b |
-Ddoc=enabled \
|
|
|
0befa7b |
%endif
|
|
|
0c7970f |
-Dsystemd_files=enabled \
|
|
|
0befa7b |
-Dclient=enabled \
|
|
|
0befa7b |
-Dunit_tests=enabled \
|
|
|
0befa7b |
-Dmanaged_ta=enabled \
|
|
|
3300f4d |
-Dkeyfile_default="%{_sharedstatedir}/knot-resolver/root.keys" \
|
|
|
3300f4d |
-Dinstall_root_keys=enabled \
|
|
|
0befa7b |
-Dinstall_kresd_conf=enabled \
|
|
|
0befa7b |
--buildtype=plain \
|
|
|
0befa7b |
--prefix="%{_prefix}" \
|
|
|
0befa7b |
--sbindir="%{_sbindir}" \
|
|
|
0befa7b |
--libdir="%{_libdir}" \
|
|
|
0befa7b |
--includedir="%{_includedir}" \
|
|
|
0befa7b |
--sysconfdir="%{_sysconfdir}" \
|
|
|
0befa7b |
|
|
|
0befa7b |
%{NINJA} -v -C build_rpm
|
|
|
0befa7b |
%if "x%{?rhel}" == "x"
|
|
|
0befa7b |
%{NINJA} -v -C build_rpm doc
|
|
|
395c8b1 |
%endif
|
|
|
867b52d |
|
|
|
399ff66 |
%check
|
|
|
0befa7b |
meson test -C build_rpm
|
|
|
399ff66 |
|
|
|
e977454 |
%install
|
|
|
0befa7b |
DESTDIR="${RPM_BUILD_ROOT}" %{NINJA} -v -C build_rpm install
|
|
|
0befa7b |
|
|
|
0befa7b |
# add kresd.target to multi-user.target.wants to support enabling kresd services
|
|
|
399ff66 |
install -m 0755 -d %{buildroot}%{_unitdir}/multi-user.target.wants
|
|
|
399ff66 |
ln -s ../kresd.target %{buildroot}%{_unitdir}/multi-user.target.wants/kresd.target
|
|
|
75c2d93 |
|
|
|
0befa7b |
# remove modules with missing dependencies
|
|
|
0befa7b |
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/etcd.lua
|
|
|
75c2d93 |
|
|
|
0befa7b |
%if 0%{?suse_version}
|
|
|
0befa7b |
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua
|
|
|
0befa7b |
rm -r %{buildroot}%{_libdir}/knot-resolver/kres_modules/http
|
|
|
0befa7b |
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http*.lua
|
|
|
0befa7b |
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/prometheus.lua
|
|
|
0befa7b |
%endif
|
|
|
e977454 |
|
|
|
0befa7b |
# rename doc directory for centos, opensuse
|
|
|
0befa7b |
%if "x%{?fedora}" == "x"
|
|
|
0befa7b |
install -m 755 -d %{buildroot}/%{_pkgdocdir}
|
|
|
0befa7b |
mv %{buildroot}/%{_datadir}/doc/%{name}/* %{buildroot}/%{_pkgdocdir}/
|
|
|
0befa7b |
%endif
|
|
|
e977454 |
|
|
|
e977454 |
%pre
|
|
|
75c2d93 |
getent group knot-resolver >/dev/null || groupadd -r knot-resolver
|
|
|
d955512 |
getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysconfdir}/knot-resolver -s /sbin/nologin -c "Knot Resolver" knot-resolver
|
|
|
e977454 |
|
|
|
0c7970f |
%if "x%{?rhel}" == "x"
|
|
|
0c7970f |
# upgrade-4-to-5
|
|
|
0c7970f |
if [ -f %{_unitdir}/kresd.socket ] ; then
|
|
|
0c7970f |
export UPG_DIR=%{_sharedstatedir}/knot-resolver/.upgrade-4-to-5
|
|
|
0c7970f |
mkdir -p ${UPG_DIR}
|
|
|
0c7970f |
touch ${UPG_DIR}/.unfinished
|
|
|
0c7970f |
|
|
|
0c7970f |
for sock in kresd.socket kresd-tls.socket kresd-webmgmt.socket kresd-doh.socket ; do
|
|
|
0c7970f |
if systemctl is-enabled ${sock} 2>/dev/null | grep -qv masked ; then
|
|
|
0c7970f |
systemctl show ${sock} -p Listen > ${UPG_DIR}/${sock}
|
|
|
0c7970f |
case "$(systemctl show ${sock} -p BindIPv6Only)" in
|
|
|
0c7970f |
*ipv6-only)
|
|
|
0c7970f |
touch ${UPG_DIR}/${sock}.v6only
|
|
|
0c7970f |
;;
|
|
|
0c7970f |
*default)
|
|
|
0c7970f |
if cat /proc/sys/net/ipv6/bindv6only | grep -q 1 ; then
|
|
|
0c7970f |
touch ${UPG_DIR}/${sock}.v6only
|
|
|
0c7970f |
fi
|
|
|
0c7970f |
;;
|
|
|
0c7970f |
esac
|
|
|
0c7970f |
fi
|
|
|
0c7970f |
done
|
|
|
0c7970f |
fi
|
|
|
0c7970f |
%endif
|
|
|
0c7970f |
|
|
|
0c7970f |
|
|
|
e977454 |
%post
|
|
|
0c7970f |
# upgrade-4-to-5
|
|
|
0c7970f |
%if "x%{?rhel}" == "x"
|
|
|
0c7970f |
export UPG_DIR=%{_sharedstatedir}/knot-resolver/.upgrade-4-to-5
|
|
|
0c7970f |
if [ -f ${UPG_DIR}/.unfinished ] ; then
|
|
|
0c7970f |
rm -f ${UPG_DIR}/.unfinished
|
|
|
0c7970f |
kresd -c %{_libdir}/knot-resolver/upgrade-4-to-5.lua &>/dev/null
|
|
|
0c7970f |
echo -e "\n !!! WARNING !!!"
|
|
|
0c7970f |
echo -e "Knot Resolver configuration file requires manual upgrade.\n"
|
|
|
0c7970f |
cat ${UPG_DIR}/kresd.conf.net 2>/dev/null
|
|
|
0c7970f |
fi
|
|
|
0c7970f |
%endif
|
|
|
0c7970f |
|
|
|
0c7970f |
# in case service files are updated
|
|
|
0c7970f |
systemctl daemon-reload &>/dev/null ||:
|
|
|
399ff66 |
%systemd_post 'kresd@*.service'
|
|
|
0c7970f |
%tmpfiles_create %{_tmpfilesdir}/knot-resolver.conf
|
|
|
0c7970f |
%if "x%{?fedora}" == "x"
|
|
|
e977454 |
/sbin/ldconfig
|
|
|
0befa7b |
%endif
|
|
|
e977454 |
|
|
|
e977454 |
%preun
|
|
|
0c7970f |
%systemd_preun kres-cache-gc.service kresd.target
|
|
|
e977454 |
|
|
|
e977454 |
%postun
|
|
|
399ff66 |
%systemd_postun_with_restart 'kresd@*.service'
|
|
|
0c7970f |
%if "x%{?fedora}" == "x"
|
|
|
e977454 |
/sbin/ldconfig
|
|
|
0befa7b |
%endif
|
|
|
e977454 |
|
|
|
e977454 |
%files
|
|
|
0befa7b |
%dir %{_pkgdocdir}
|
|
|
0befa7b |
%license %{_pkgdocdir}/COPYING
|
|
|
0befa7b |
%doc %{_pkgdocdir}/AUTHORS
|
|
|
0befa7b |
%doc %{_pkgdocdir}/NEWS
|
|
|
0befa7b |
%doc %{_pkgdocdir}/examples
|
|
|
3300f4d |
%attr(755,root,knot-resolver) %dir %{_sysconfdir}/knot-resolver
|
|
|
75c2d93 |
%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/kresd.conf
|
|
|
75c2d93 |
%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.hints
|
|
|
3300f4d |
%attr(644,root,knot-resolver) %{_sysconfdir}/knot-resolver/icann-ca.pem
|
|
|
3300f4d |
%attr(775,root,knot-resolver) %dir %{_sharedstatedir}/knot-resolver
|
|
|
3300f4d |
%attr(664,root,knot-resolver) %{_sharedstatedir}/knot-resolver/root.keys
|
|
|
0befa7b |
%{_unitdir}/kresd@.service
|
|
|
a13c266 |
%{_unitdir}/kres-cache-gc.service
|
|
|
399ff66 |
%{_unitdir}/kresd.target
|
|
|
0befa7b |
%dir %{_unitdir}/multi-user.target.wants
|
|
|
399ff66 |
%{_unitdir}/multi-user.target.wants/kresd.target
|
|
|
0befa7b |
%{_mandir}/man7/kresd.systemd.7.gz
|
|
|
75c2d93 |
%{_tmpfilesdir}/knot-resolver.conf
|
|
|
0c7970f |
%ghost /run/%{name}
|
|
|
0c7970f |
%ghost %{_localstatedir}/cache/%{name}
|
|
|
0c7970f |
%attr(750,knot-resolver,knot-resolver) %dir %{_libdir}/%{name}
|
|
|
fd4eae6 |
%{_sbindir}/kresd
|
|
Petr Špaček |
46ab618 |
%{_sbindir}/kresc
|
|
|
a13c266 |
%{_sbindir}/kres-cache-gc
|
|
|
e977454 |
%{_libdir}/libkres.so.*
|
|
|
0befa7b |
%dir %{_libdir}/knot-resolver
|
|
|
0befa7b |
%{_libdir}/knot-resolver/*.so
|
|
|
0befa7b |
%{_libdir}/knot-resolver/*.lua
|
|
|
0befa7b |
%dir %{_libdir}/knot-resolver/kres_modules
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/*.so
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/daf
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/daf.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/detect_time_jump.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/detect_time_skew.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/dns64.lua
|
|
|
0befa7b |
%if "x%{?suse_version}" == "x"
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua
|
|
|
0befa7b |
%endif
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/graphite.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/policy.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/predict.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/prefill.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/priming.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/rebinding.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/renumber.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/serve_stale.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/ta_sentinel.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/ta_signal_query.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/ta_update.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/view.lua
|
|
|
3300f4d |
%{_libdir}/knot-resolver/kres_modules/watchdog.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/workarounds.lua
|
|
|
75c2d93 |
%{_mandir}/man8/kresd.8.gz
|
|
|
e977454 |
|
|
|
e977454 |
%files devel
|
|
|
e977454 |
%{_includedir}/libkres
|
|
|
e977454 |
%{_libdir}/pkgconfig/libkres.pc
|
|
|
e977454 |
%{_libdir}/libkres.so
|
|
|
e977454 |
|
|
|
a9dc29a |
%if "x%{?rhel}" == "x"
|
|
|
867b52d |
%files doc
|
|
|
0befa7b |
%dir %{_pkgdocdir}
|
|
|
0befa7b |
%doc %{_pkgdocdir}/html
|
|
|
0befa7b |
%endif
|
|
|
0befa7b |
|
|
|
0befa7b |
%if "x%{?suse_version}" == "x"
|
|
|
0befa7b |
%files module-http
|
|
|
3300f4d |
%{_libdir}/knot-resolver/debug_opensslkeylog.so
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/http
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/http*.lua
|
|
|
0befa7b |
%{_libdir}/knot-resolver/kres_modules/prometheus.lua
|
|
|
395c8b1 |
%endif
|
|
|
867b52d |
|
|
|
e977454 |
%changelog
|
|
|
0c7970f |
* Mon Jan 27 2020 Tomas Krizek <tomas.krizek@nic.cz> - 5.0.0-1
|
|
|
0c7970f |
- update to new upstream version 5.0.0
|
|
|
0c7970f |
- removed systemd socket files (no longer supported)
|
|
|
0c7970f |
- add upgrade scriptlets for 5.x
|
|
|
0c7970f |
- remove lua-sec, lua-socket, lua-filesystem dependencies
|
|
|
0c7970f |
- create tmpfiles dirs with macro
|
|
|
0c7970f |
|
|
|
3300f4d |
* Wed Dec 04 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.3.0-1
|
|
|
3300f4d |
- update to new upstream version 4.3.0
|
|
|
3300f4d |
- make config directory read-only for knot-resolver, relocate root.keys to /var/lib
|
|
|
3300f4d |
- http module now depends on the exact same binary version of knot-resolver
|
|
|
3300f4d |
|
|
|
181d13c |
* Tue Nov 12 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.2.2-2
|
|
|
181d13c |
- rebuild for libknot10 (Knot DNS 2.9.1)
|
|
|
181d13c |
|
|
|
dfaaabe |
* Mon Oct 07 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.2.2-1
|
|
|
dfaaabe |
- update to new upstream version 4.2.2
|
|
|
dfaaabe |
|
|
|
e034bcc |
* Thu Sep 26 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.2.1-1
|
|
|
e034bcc |
- update to new upstream version 4.2.1
|
|
|
e034bcc |
|
|
|
d7e4af5 |
* Wed Aug 21 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.2.0-1
|
|
|
d7e4af5 |
- update to new upstream version 4.2.0
|
|
|
d7e4af5 |
- added lua-psl dependency for policy.slice() functionality
|
|
|
d7e4af5 |
|
|
|
0c52de4 |
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-2
|
|
|
0c52de4 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
|
0c52de4 |
|
|
|
a13c266 |
* Wed Jul 10 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.1.0-1
|
|
|
a13c266 |
- update to new upstream version 4.1.0
|
|
|
a13c266 |
- add kres-cache-gc.service
|
|
|
a13c266 |
|
|
|
0befa7b |
* Wed May 29 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.0.0.-1
|
|
|
0befa7b |
- rebase to new upstream release 4.0.0
|
|
|
0befa7b |
- bump Knot DNS libraries to 2.8 (ABI compat)
|
|
|
0befa7b |
- use new upstream build system - meson
|
|
|
0befa7b |
- add knot-resolver-module-http package along with new lua dependecies
|
|
|
0befa7b |
|
|
|
761d673 |
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.1-2
|
|
|
761d673 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
|
761d673 |
|
|
|
50cb6ea |
* Thu Jan 10 2019 Tomas Krizek <tomas.krizek@nic.cz> - 3.2.1-1
|
|
|
50cb6ea |
Knot Resolver 3.2.1 (2019-01-10)
|
|
|
50cb6ea |
================================
|
|
|
50cb6ea |
|
|
|
50cb6ea |
Bugfixes
|
|
|
50cb6ea |
--------
|
|
|
50cb6ea |
- trust_anchors: respect validity time range during TA bootstrap (!748)
|
|
|
50cb6ea |
- fix TLS rehandshake handling (!739)
|
|
|
50cb6ea |
- make TLS_FORWARD compatible with GnuTLS 3.3 (!741)
|
|
|
50cb6ea |
- special thanks to Grigorii Demidov for his long-term work on Knot Resolver!
|
|
|
50cb6ea |
|
|
|
50cb6ea |
Improvements
|
|
|
50cb6ea |
------------
|
|
|
50cb6ea |
- improve handling of timeouted outgoing TCP connections (!734)
|
|
|
50cb6ea |
- trust_anchors: check syntax of public keys in DNSKEY RRs (!748)
|
|
|
50cb6ea |
- validator: clarify message about bogus non-authoritative data (!735)
|
|
|
50cb6ea |
- dnssec validation failures contain more verbose reasoning (!735)
|
|
|
50cb6ea |
- new function trust_anchors.summary() describes state of DNSSEC TAs (!737),
|
|
|
50cb6ea |
and logs new state of trust anchors after start up and automatic changes
|
|
|
50cb6ea |
- trust anchors: refuse revoked DNSKEY even if specified explicitly,
|
|
|
50cb6ea |
and downgrade missing the SEP bit to a warning
|
|
|
50cb6ea |
|
|
|
50cb6ea |
|
|
|
d280f71 |
* Mon Dec 17 2018 Tomas Krizek <tomas.krizek@nic.cz> - 3.2.0-1
|
|
|
d280f71 |
Knot Resolver 3.2.0 (2018-12-17)
|
|
|
d280f71 |
================================
|
|
|
d280f71 |
|
|
|
d280f71 |
New features
|
|
|
d280f71 |
------------
|
|
|
d280f71 |
- module edns_keepalive to implement server side of RFC 7828 (#408)
|
|
|
d280f71 |
- module nsid to implement server side of RFC 5001 (#289)
|
|
|
d280f71 |
- module bogus_log provides .frequent() table (!629, credit Ulrich Wisser)
|
|
|
d280f71 |
- module stats collects flags from answer messages (!629, credit Ulrich Wisser)
|
|
|
d280f71 |
- module view supports multiple rules with identical address/TSIG specification
|
|
|
d280f71 |
and keeps trying rules until a "non-chain" action is executed (!678)
|
|
|
d280f71 |
- module experimental_dot_auth implements an DNS-over-TLS to auth protocol
|
|
|
d280f71 |
(!711, credit Manu Bretelle)
|
|
|
d280f71 |
- net.bpf bindings allow advanced users to use eBPF socket filters
|
|
|
d280f71 |
|
|
|
d280f71 |
Bugfixes
|
|
|
d280f71 |
--------
|
|
|
d280f71 |
- http module: only run prometheus in parent process if using --forks=N,
|
|
|
d280f71 |
as the submodule collects metrics from all sub-processes as well.
|
|
|
d280f71 |
- TLS fixes for corner cases (!700, !714, !716, !721, !728)
|
|
|
d280f71 |
- fix build with -DNOVERBOSELOG (#424)
|
|
|
d280f71 |
- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
|
|
|
d280f71 |
- avoid SERVFAILs due to certain kind of NS dependency cycles, again
|
|
|
d280f71 |
(#374) this time seen as 'circular dependency' in verbose logs
|
|
|
d280f71 |
- policy and view modules do not overwrite result finished requests (!678)
|
|
|
d280f71 |
|
|
|
d280f71 |
Improvements
|
|
|
d280f71 |
------------
|
|
|
d280f71 |
- Dockerfile: rework, basing on Debian instead of Alpine
|
|
|
d280f71 |
- policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6
|
|
|
d280f71 |
when choosing whom to ask, just as for iteration
|
|
|
d280f71 |
- use pseudo-randomness from gnutls instead of internal ISAAC (#233)
|
|
|
d280f71 |
- tune the way we deal with non-responsive servers (!716, !723)
|
|
|
d280f71 |
- documentation clarifies interaction between policy and view modules (!678, !730)
|
|
|
d280f71 |
|
|
|
d280f71 |
Module API changes
|
|
|
d280f71 |
------------------
|
|
|
d280f71 |
- new layer is added: answer_finalize
|
|
|
d280f71 |
- kr_request keeps ::qsource.packet beyond the begin layer
|
|
|
d280f71 |
- kr_request::qsource.tcp renamed to ::qsource.flags.tcp
|
|
|
d280f71 |
- kr_request::has_tls renamed to ::qsource.flags.tls
|
|
|
d280f71 |
- kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly
|
|
|
d280f71 |
|
|
|
d280f71 |
|
|
|
a9dc29a |
* Fri Nov 02 2018 Tomas Krizek <tomas.krizek@nic.cz> - 3.1.0-1
|
|
|
a9dc29a |
Knot Resolver 3.1.0 (2018-11-02)
|
|
|
a9dc29a |
================================
|
|
|
a9dc29a |
|
|
|
a9dc29a |
Incompatible changes
|
|
|
a9dc29a |
--------------------
|
|
|
a9dc29a |
- hints.use_nodata(true) by default; that's what most users want
|
|
|
a9dc29a |
- libknot >= 2.7.2 is required
|
|
|
a9dc29a |
|
|
|
a9dc29a |
Improvements
|
|
|
a9dc29a |
------------
|
|
|
a9dc29a |
- cache: handle out-of-space SIGBUS slightly better (#197)
|
|
|
a9dc29a |
- daemon: improve TCP timeout handling (!686)
|
|
|
a9dc29a |
|
|
|
a9dc29a |
Bugfixes
|
|
|
a9dc29a |
--------
|
|
|
a9dc29a |
- cache.clear('name'): fix some edge cases in API (#401)
|
|
|
a9dc29a |
- fix error handling from TLS writes (!669)
|
|
|
a9dc29a |
- avoid SERVFAILs due to certain kind of NS dependency cycles (#374)
|
|
|
a9dc29a |
|
|
|
d955512 |
* Mon Aug 20 2018 Tomas Krizek <tomas.krizek@nic.cz> - 3.0.0-1
|
|
|
d955512 |
Knot Resolver 3.0.0 (2018-08-20)
|
|
|
d955512 |
================================
|
|
|
d955512 |
|
|
|
d955512 |
Incompatible changes
|
|
|
d955512 |
--------------------
|
|
|
d955512 |
- cache: fail lua operations if cache isn't open yet (!639)
|
|
|
d955512 |
By default cache is opened *after* reading the configuration,
|
|
|
d955512 |
and older versions were silently ignoring cache operations.
|
|
|
d955512 |
Valid configuration must open cache using `cache.open()` or `cache.size =`
|
|
|
d955512 |
before executing cache operations like `cache.clear()`.
|
|
|
d955512 |
- libknot >= 2.7.1 is required, which brings also larger API changes
|
|
|
d955512 |
- in case you wrote custom Lua modules, please consult
|
|
|
d955512 |
https://knot-resolver.readthedocs.io/en/latest/lib.html#incompatible-changes-since-3-0-0
|
|
|
d955512 |
- in case you wrote custom C modules, please see compile against
|
|
|
d955512 |
Knot DNS 2.7 and adjust your module according to messages from C compiler
|
|
|
d955512 |
- DNS cookie module (RFC 7873) is not available in this release,
|
|
|
d955512 |
it will be later reworked to reflect development in IEFT dnsop working group
|
|
|
d955512 |
- version module was permanently removed because it was not really used by users;
|
|
|
d955512 |
if you want to receive notifications abou new releases please subscribe to
|
|
|
d955512 |
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-resolver-announce
|
|
|
d955512 |
|
|
|
d955512 |
Bugfixes
|
|
|
d955512 |
--------
|
|
|
d955512 |
- fix multi-process race condition in trust anchor maintenance (!643)
|
|
|
d955512 |
- ta_sentinel: also consider static trust anchors not managed via RFC 5011
|
|
|
d955512 |
|
|
|
d955512 |
Improvements
|
|
|
d955512 |
------------
|
|
|
d955512 |
- reorder_RR() implementation is brought back
|
|
|
d955512 |
- bring in performace improvements provided by libknot 2.7
|
|
|
d955512 |
- cache.clear() has a new, more powerful API
|
|
|
d955512 |
- cache documentation was improved
|
|
|
d955512 |
- old name "Knot DNS Resolver" is replaced by unambiguous "Knot Resolver"
|
|
|
d955512 |
to prevent confusion with "Knot DNS" authoritative server
|
|
|
d955512 |
|
|
|
793ada7 |
* Thu Aug 02 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.4.1-1
|
|
|
793ada7 |
Knot Resolver 2.4.1 (2018-08-02)
|
|
|
793ada7 |
================================
|
|
|
793ada7 |
|
|
|
793ada7 |
Security
|
|
|
793ada7 |
--------
|
|
|
793ada7 |
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component
|
|
|
793ada7 |
(security!7, security!9)
|
|
|
793ada7 |
|
|
|
793ada7 |
Bugfixes
|
|
|
793ada7 |
--------
|
|
|
793ada7 |
- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
|
|
|
793ada7 |
- TLS session resumption: avoid bad scheduling of rotation (#385)
|
|
|
793ada7 |
- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
|
|
|
793ada7 |
- cache: NSEC3 negative cache even without NS record (#384)
|
|
|
793ada7 |
This fixes lower hit rate in NSEC3 zones (since 2.4.0).
|
|
|
793ada7 |
- minor TCP and TLS fixes (!623, !624, !626)
|
|
|
793ada7 |
|
|
|
793ada7 |
|
|
|
c4beec3 |
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
|
|
|
c4beec3 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
|
c4beec3 |
|
|
|
399ff66 |
* Tue Jul 03 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.4.0-1
|
|
|
399ff66 |
Knot Resolver 2.4.0 (2018-07-03)
|
|
|
399ff66 |
================================
|
|
|
399ff66 |
|
|
|
399ff66 |
Incompatible changes
|
|
|
399ff66 |
--------------------
|
|
|
399ff66 |
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)
|
|
|
399ff66 |
|
|
|
399ff66 |
Security
|
|
|
399ff66 |
--------
|
|
|
399ff66 |
- fix a rare case of zones incorrectly dowgraded to insecure status (!576)
|
|
|
399ff66 |
|
|
|
399ff66 |
New features
|
|
|
399ff66 |
------------
|
|
|
399ff66 |
- TLS session resumption (RFC 5077), both server and client (!585, #105)
|
|
|
399ff66 |
(disabled when compiling with gnutls < 3.5)
|
|
|
399ff66 |
- TLS_FORWARD policy uses system CA certificate store by default (!568)
|
|
|
399ff66 |
- aggressive caching for NSEC3 zones (!600)
|
|
|
399ff66 |
- optional protection from DNS Rebinding attack (module rebinding, !608)
|
|
|
399ff66 |
- module bogus_log to log DNSSEC bogus queries without verbose logging (!613)
|
|
|
399ff66 |
|
|
|
399ff66 |
Bugfixes
|
|
|
399ff66 |
--------
|
|
|
399ff66 |
- prefill: fix ability to read certificate bundle (!578)
|
|
|
399ff66 |
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
|
|
|
399ff66 |
- fix validation of explicit wildcard queries (#274)
|
|
|
399ff66 |
- dns64 module: more properties from the RFC implemented (incl. bug #375)
|
|
|
399ff66 |
|
|
|
399ff66 |
Improvements
|
|
|
399ff66 |
------------
|
|
|
399ff66 |
- systemd: multiple enabled kresd instances can now be started using kresd.target
|
|
|
399ff66 |
- ta_sentinel: switch to version 14 of the RFC draft (!596)
|
|
|
399ff66 |
- support for glibc systems with a non-Linux kernel (!588)
|
|
|
399ff66 |
- support per-request variables for Lua modules (!533)
|
|
|
399ff66 |
- support custom HTTP endpoints for Lua modules (!527)
|
|
|
399ff66 |
|
|
|
399ff66 |
|
|
|
cb122c5 |
* Mon Apr 23 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.3.0-1
|
|
|
cb122c5 |
Knot Resolver 2.3.0 (2018-04-23)
|
|
|
cb122c5 |
================================
|
|
|
cb122c5 |
|
|
|
cb122c5 |
Security
|
|
|
cb122c5 |
--------
|
|
|
cb122c5 |
- fix CVE-2018-1110: denial of service triggered by malformed DNS messages
|
|
|
cb122c5 |
(!550, !558, security!2, security!4)
|
|
|
cb122c5 |
- increase resilience against slow lorris attack (security!5)
|
|
|
cb122c5 |
|
|
|
cb122c5 |
Bugfixes
|
|
|
cb122c5 |
--------
|
|
|
cb122c5 |
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
|
|
|
cb122c5 |
- validation: fix SERVFAIL for DS . query (!544)
|
|
|
cb122c5 |
- lib/resolve: don't send unecessary queries to parent zone (!513)
|
|
|
cb122c5 |
- iterate: fix validation for zones where parent and child share NS (!543)
|
|
|
cb122c5 |
- TLS: improve error handling and documentation (!536, !555, !559)
|
|
|
cb122c5 |
|
|
|
cb122c5 |
Improvements
|
|
|
cb122c5 |
------------
|
|
|
cb122c5 |
- prefill: new module to periodically import root zone into cache
|
|
|
cb122c5 |
(replacement for RFC 7706, !511)
|
|
|
cb122c5 |
- network_listen_fd: always create end point for supervisor supplied file descriptor
|
|
|
cb122c5 |
- use CPPFLAGS build environment variable if set (!547)
|
|
|
cb122c5 |
|
|
|
cb122c5 |
|
|
|
3ee2f38 |
* Wed Mar 28 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.2.0-1
|
|
|
3ee2f38 |
Knot Resolver 2.2.0 (2018-03-28)
|
|
|
3ee2f38 |
================================
|
|
|
3ee2f38 |
|
|
|
3ee2f38 |
New features
|
|
|
3ee2f38 |
------------
|
|
|
3ee2f38 |
- cache server unavailability to prevent flooding unreachable servers
|
|
|
3ee2f38 |
(Please note that caching algorithm needs further optimization
|
|
|
3ee2f38 |
and will change in further versions but we need to gather operational
|
|
|
3ee2f38 |
experience first.)
|
|
|
3ee2f38 |
|
|
|
3ee2f38 |
Bugfixes
|
|
|
3ee2f38 |
--------
|
|
|
3ee2f38 |
- don't magically -D_FORTIFY_SOURCE=2 in some cases
|
|
|
3ee2f38 |
- allow large responses for outbound over TCP
|
|
|
3ee2f38 |
- fix crash with RR sets with over 255 records
|
|
|
3ee2f38 |
|
|
|
3ee2f38 |
|
|
|
c202d17 |
* Mon Feb 26 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.1.1-1
|
|
|
c202d17 |
Knot Resolver 2.1.1 (2018-02-23)
|
|
|
c202d17 |
================================
|
|
|
c202d17 |
|
|
|
c202d17 |
Bugfixes
|
|
|
c202d17 |
--------
|
|
|
c202d17 |
- when iterating, avoid unnecessary queries for NS in insecure parent.
|
|
|
c202d17 |
This problem worsened in 2.0.0. (#246)
|
|
|
c202d17 |
- prevent UDP packet leaks when using TLS forwarding
|
|
|
c202d17 |
- fix the hints module also on some other systems, e.g. Gentoo.
|
|
|
c202d17 |
|
|
|
75c2d93 |
* Fri Feb 16 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.1.0-1
|
|
|
75c2d93 |
- New upstream release 2.1.0
|
|
|
75c2d93 |
|
|
|
75c2d93 |
Knot Resolver 2.1.0 (2018-02-16)
|
|
|
75c2d93 |
================================
|
|
|
75c2d93 |
|
|
|
75c2d93 |
Incompatible changes
|
|
|
75c2d93 |
--------------------
|
|
|
75c2d93 |
- stats: remove tracking of expiring records (predict uses another way)
|
|
|
75c2d93 |
- systemd: more chages in default unit files (TODO)
|
|
|
75c2d93 |
- ta_sentinel: implement protocol draft-ietf-dnsop-kskroll-sentinel-01
|
|
|
75c2d93 |
(our draft-ietf-dnsop-kskroll-sentinel-00 implementation had inverted logic)
|
|
|
75c2d93 |
- libknot: require version 2.6.4 or newer to get bugfixes for DNS-over-TLS
|
|
|
75c2d93 |
|
|
|
75c2d93 |
Bugfixes
|
|
|
75c2d93 |
--------
|
|
|
75c2d93 |
- detect_time_jump module: don't clear cache on suspend-resume (#284)
|
|
|
75c2d93 |
- stats module: fix stats.list() returning nothing, regressed in 2.0.0
|
|
|
75c2d93 |
- policy.TLS_FORWARD: refusal when configuring with multiple IPs (#306)
|
|
|
75c2d93 |
- cache: fix broken refresh of insecure records that were about to expire
|
|
|
75c2d93 |
- fix the hints module on some systems, e.g. Fedora (came back on 2.0.0)
|
|
|
75c2d93 |
- build with older gnutls (conditionally disable features)
|
|
|
75c2d93 |
- fix the predict module to work with insecure records & cleanup code
|
|
|
75c2d93 |
|
|
|
75c2d93 |
|
|
|
75c2d93 |
Knot Resolver 2.0.0 (2018-01-31)
|
|
|
75c2d93 |
================================
|
|
|
75c2d93 |
|
|
|
75c2d93 |
Incompatible changes
|
|
|
75c2d93 |
--------------------
|
|
|
75c2d93 |
- systemd: change unit files to allow running multiple instances,
|
|
|
75c2d93 |
deployments with single instance now must use `kresd@1.service`
|
|
|
75c2d93 |
instead of `kresd.service`; see kresd.systemd(8) for details
|
|
|
75c2d93 |
- systemd: the directory for cache is now /var/cache/knot-resolver
|
|
|
75c2d93 |
- unify default directory and user to `knot-resolver`
|
|
|
75c2d93 |
- directory with trust anchor file specified by -k option must be writeable
|
|
|
75c2d93 |
- policy module is now loaded by default to enforce RFC 6761;
|
|
|
75c2d93 |
see documentation for policy.PASS if you use locally-served DNS zones
|
|
|
75c2d93 |
- drop support for alternative cache backends memcached, redis,
|
|
|
75c2d93 |
and for Lua bindings for some specific cache operations
|
|
|
75c2d93 |
- REORDER_RR option is not implemented (temporarily)
|
|
|
75c2d93 |
|
|
|
75c2d93 |
New features
|
|
|
75c2d93 |
------------
|
|
|
75c2d93 |
- aggressive caching of validated records (RFC 8198) for NSEC zones;
|
|
|
75c2d93 |
thanks to ICANN for sponsoring this work.
|
|
|
75c2d93 |
- forwarding over TLS, authenticated by SPKI pin or certificate.
|
|
|
75c2d93 |
policy.TLS_FORWARD pipelines queries out-of-order over shared TLS connection
|
|
|
75c2d93 |
Beware: Some resolvers do not support out-of-order query processing.
|
|
|
75c2d93 |
TLS forwarding to such resolvers will lead to slower resolution or failures.
|
|
|
75c2d93 |
- trust anchors: you may specify a read-only file via -K or --keyfile-ro
|
|
|
75c2d93 |
- trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only)
|
|
|
75c2d93 |
- ta_sentinel module implements draft ietf-dnsop-kskroll-sentinel-00,
|
|
|
75c2d93 |
enabled by default
|
|
|
75c2d93 |
- serve_stale module is prototype, subject to change
|
|
|
75c2d93 |
- extended API for Lua modules
|
|
|
75c2d93 |
|
|
|
75c2d93 |
Bugfixes
|
|
|
75c2d93 |
--------
|
|
|
75c2d93 |
- fix build on osx - regressed in 1.5.3 (different linker option name)
|
|
|
75c2d93 |
|
|
|
8d47931 |
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.3-1.1
|
|
|
8d47931 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
|
8d47931 |
|
|
|
ca845e1 |
* Tue Jan 23 2018 Tomas Krizek <tomas.krizek@nic.cz> - 1.5.3-1
|
|
|
ca845e1 |
- New upstream release 1.5.3
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Knot Resolver 1.5.3 (2018-01-23)
|
|
|
ca845e1 |
================================
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Bugfixes
|
|
|
ca845e1 |
--------
|
|
|
ca845e1 |
- fix the hints module on some systems, e.g. Fedora.
|
|
|
ca845e1 |
Symptom: `undefined symbol: engine_hint_root_file`
|
|
|
ca845e1 |
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Knot Resolver 1.5.2 (2018-01-22)
|
|
|
ca845e1 |
================================
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Security
|
|
|
ca845e1 |
--------
|
|
|
ca845e1 |
- fix CVE-2018-1000002: insufficient DNSSEC validation, allowing
|
|
|
ca845e1 |
attackers to deny existence of some data by forging packets.
|
|
|
ca845e1 |
Some combinations pointed out in RFC 6840 sections 4.1 and 4.3
|
|
|
ca845e1 |
were not taken into account.
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Bugfixes
|
|
|
ca845e1 |
--------
|
|
|
ca845e1 |
- memcached: fix fallout from module rename in 1.5.1
|
|
|
ca845e1 |
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Knot Resolver 1.5.1 (2017-12-12)
|
|
|
ca845e1 |
================================
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Incompatible changes
|
|
|
ca845e1 |
--------------------
|
|
|
ca845e1 |
- script supervisor.py was removed, please migrate to a real process manager
|
|
|
ca845e1 |
- module ketcd was renamed to etcd for consistency
|
|
|
ca845e1 |
- module kmemcached was renamed to memcached for consistency
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Bugfixes
|
|
|
ca845e1 |
--------
|
|
|
ca845e1 |
- fix SIGPIPE crashes (#271)
|
|
|
ca845e1 |
- tests: work around out-of-space for platforms with larger memory pages
|
|
|
ca845e1 |
- lua: fix mistakes in bindings affecting 1.4.0 and 1.5.0 (and 1.99.1-alpha),
|
|
|
ca845e1 |
potentially causing problems in dns64 and workarounds modules
|
|
|
ca845e1 |
- predict module: various fixes (!399)
|
|
|
ca845e1 |
|
|
|
ca845e1 |
Improvements
|
|
|
ca845e1 |
------------
|
|
|
ca845e1 |
- add priming module to implement RFC 8109, enabled by default (#220)
|
|
|
ca845e1 |
- add modules helping with system time problems, enabled by default;
|
|
|
ca845e1 |
for details see documentation of detect_time_skew and detect_time_jump
|
|
|
ca845e1 |
|
|
|
867b52d |
* Fri Jan 05 2018 Tomas Krizek <tomas.krizek@nic.cz> - 1.5.0-2
|
|
|
867b52d |
- add doc package
|
|
|
867b52d |
- configure tarball signature verification
|
|
|
5648f15 |
- add root.hints file
|
|
|
75c2d93 |
- use upstream systemd unit files, paths and user name
|
|
|
75c2d93 |
- migrate configuration to /etc/knot-resolver
|
|
|
75c2d93 |
- use user knot-resolver
|
|
|
75c2d93 |
- store cache in /var/cache/knot-resolver
|
|
|
75c2d93 |
- use systemd alias knot-resolver -> kresd
|
|
|
867b52d |
|
|
Petr Špaček |
c502924 |
* Mon Nov 06 2017 Petr Špaček <petr.spacek@nic.cz> - 1.5.0-1
|
|
Petr Špaček |
c502924 |
- New upstream release 1.5.0
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Knot Resolver 1.5.0 (2017-11-02)
|
|
Petr Špaček |
c502924 |
================================
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Bugfixes
|
|
Petr Špaček |
c502924 |
--------
|
|
Petr Špaček |
c502924 |
- fix loading modules on Darwin
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Improvements
|
|
Petr Špaček |
c502924 |
------------
|
|
Petr Špaček |
c502924 |
- new module ta_signal_query supporting Signaling Trust Anchor Knowledge
|
|
Petr Špaček |
c502924 |
using Keytag Query (RFC 8145 section 5); it is enabled by default
|
|
Petr Špaček |
c502924 |
- attempt validation for more records but require it for fewer of them
|
|
Petr Špaček |
c502924 |
(e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Knot Resolver 1.4.0 (2017-09-22)
|
|
Petr Špaček |
c502924 |
================================
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Incompatible changes
|
|
Petr Špaček |
c502924 |
--------------------
|
|
Petr Špaček |
c502924 |
- lua: query flag-sets are no longer represented as plain integers.
|
|
Petr Špaček |
c502924 |
kres.query.* no longer works, and kr_query_t lost trivial methods
|
|
Petr Špaček |
c502924 |
'hasflag' and 'resolved'.
|
|
Petr Špaček |
c502924 |
You can instead write code like qry.flags.NO_0X20 = true.
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Bugfixes
|
|
Petr Špaček |
c502924 |
--------
|
|
Petr Špaček |
c502924 |
- fix exiting one of multiple forks (#150)
|
|
Petr Špaček |
c502924 |
- cache: change the way of using LMDB transactions. That in particular
|
|
Petr Špaček |
c502924 |
fixes some cases of using too much space with multiple kresd forks (#240).
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Improvements
|
|
Petr Špaček |
c502924 |
------------
|
|
Petr Špaček |
c502924 |
- policy.suffix: update the aho-corasick code (#200)
|
|
Petr Špaček |
c502924 |
- root hints are now loaded from a zonefile; exposed as hints.root_file().
|
|
Petr Špaček |
c502924 |
You can override the path by defining ROOTHINTS during compilation.
|
|
Petr Špaček |
c502924 |
- policy.FORWARD: work around resolvers adding unsigned NS records (#248)
|
|
Petr Špaček |
c502924 |
- reduce unneeded records previously put into authority in wildcarded answers
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Knot Resolver 1.3.3 (2017-08-09)
|
|
Petr Špaček |
c502924 |
================================
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Security
|
|
Petr Špaček |
c502924 |
--------
|
|
Petr Špaček |
c502924 |
- Fix a critical DNSSEC flaw. Signatures might be accepted as valid
|
|
Petr Špaček |
c502924 |
even if the signed data was not in bailiwick of the DNSKEY used to
|
|
Petr Špaček |
c502924 |
sign it, assuming the trust chain to that DNSKEY was valid.
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Bugfixes
|
|
Petr Špaček |
c502924 |
--------
|
|
Petr Špaček |
c502924 |
- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
|
|
Petr Špaček |
c502924 |
- utils: fix possible incorrect seeding of the random generator
|
|
Petr Špaček |
c502924 |
- modules/http: fix compatibility with the Prometheus text format
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
c502924 |
Improvements
|
|
Petr Špaček |
c502924 |
------------
|
|
Petr Špaček |
c502924 |
- policy: implement remaining special-use domain names from RFC6761 (#205),
|
|
Petr Špaček |
c502924 |
and make these rules apply only if no other non-chain rule applies
|
|
Petr Špaček |
c502924 |
|
|
Petr Špaček |
43d3a58 |
* Tue Aug 01 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.2-1
|
|
Petr Špaček |
43d3a58 |
New upstream release:
|
|
Petr Špaček |
43d3a58 |
Knot Resolver 1.3.2 (2017-07-28)
|
|
Petr Špaček |
43d3a58 |
================================
|
|
Petr Špaček |
43d3a58 |
|
|
Petr Špaček |
43d3a58 |
Security
|
|
Petr Špaček |
43d3a58 |
--------
|
|
Petr Špaček |
43d3a58 |
- fix possible opportunities to use insecure data from cache as keys
|
|
Petr Špaček |
43d3a58 |
for validation
|
|
Petr Špaček |
43d3a58 |
|
|
Petr Špaček |
43d3a58 |
Bugfixes
|
|
Petr Špaček |
43d3a58 |
--------
|
|
Petr Špaček |
43d3a58 |
- daemon: check existence of config file even if rundir isn't specified
|
|
Petr Špaček |
43d3a58 |
- policy.FORWARD and STUB: use RTT tracking to choose servers (#125, #208)
|
|
Petr Špaček |
43d3a58 |
- dns64: fix CNAME problems (#203) It still won't work with policy.STUB.
|
|
Petr Špaček |
43d3a58 |
- hints: better interpretation of hosts-like files (#204)
|
|
Petr Špaček |
43d3a58 |
also, error out if a bad entry is encountered in the file
|
|
Petr Špaček |
43d3a58 |
- dnssec: handle unknown DNSKEY/DS algorithms (#210)
|
|
Petr Špaček |
43d3a58 |
- predict: fix the module, broken since 1.2.0 (#154)
|
|
Petr Špaček |
43d3a58 |
|
|
Petr Špaček |
43d3a58 |
Improvements
|
|
Petr Špaček |
43d3a58 |
------------
|
|
Petr Špaček |
43d3a58 |
- embedded LMDB fallback: update 0.9.18 -> 0.9.21
|
|
Petr Špaček |
43d3a58 |
|
|
|
d5833e9 |
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-1.1
|
|
|
d5833e9 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
|
d5833e9 |
|
|
Petr Špaček |
8a62324 |
* Tue Jul 11 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.1-2
|
|
Petr Špaček |
8a62324 |
- build experimental command line interface "kresc"
|
|
Petr Špaček |
8a62324 |
|
|
Petr Špaček |
239782e |
* Tue Jul 11 2017 Petr Spacek <petr.spacek@nic.cz> - 1.3.1-1
|
|
Petr Špaček |
239782e |
New upstream release:
|
|
Petr Špaček |
239782e |
Knot Resolver 1.3.1 (2017-06-23)
|
|
Petr Špaček |
239782e |
================================
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Bugfixes
|
|
Petr Špaček |
239782e |
--------
|
|
Petr Špaček |
239782e |
- modules/http: fix finding the static files (bug from 1.3.0)
|
|
Petr Špaček |
239782e |
- policy.FORWARD: fix some cases of CNAMEs obstructing search for zone cuts
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Knot Resolver 1.3.0 (2017-06-13)
|
|
Petr Špaček |
239782e |
================================
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Security
|
|
Petr Špaček |
239782e |
--------
|
|
Petr Špaček |
239782e |
- Refactor handling of AD flag and security status of resource records.
|
|
Petr Špaček |
239782e |
In some cases it was possible for secure domains to get cached as
|
|
Petr Špaček |
239782e |
insecure, even for a TLD, leading to disabled validation.
|
|
Petr Špaček |
239782e |
It also fixes answering with non-authoritative data about nameservers.
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Improvements
|
|
Petr Špaček |
239782e |
------------
|
|
Petr Špaček |
239782e |
- major feature: support for forwarding with validation (#112).
|
|
Petr Špaček |
239782e |
The old policy.FORWARD action now does that; the previous non-validating
|
|
Petr Špaček |
239782e |
mode is still avaliable as policy.STUB except that also uses caching (#122).
|
|
Petr Špaček |
239782e |
- command line: specify ports via @ but still support # for compatibility
|
|
Petr Špaček |
239782e |
- policy: recognize 100.64.0.0/10 as local addresses
|
|
Petr Špaček |
239782e |
- layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily
|
|
Petr Špaček |
239782e |
retry with other NSs while avoiding retrying with those who REFUSED
|
|
Petr Špaček |
239782e |
- modules: allow changing the directory where modules are found,
|
|
Petr Špaček |
239782e |
and do not search the default library path anymore.
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Bugfixes
|
|
Petr Špaček |
239782e |
--------
|
|
Petr Špaček |
239782e |
- validate: fix insufficient caching for some cases (relatively rare)
|
|
Petr Špaček |
239782e |
- avoid putting "duplicate" record-sets into the answer (#198)
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Knot Resolver 1.2.6 (2017-04-24)
|
|
Petr Špaček |
239782e |
================================
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Security
|
|
Petr Špaček |
239782e |
--------
|
|
Petr Špaček |
239782e |
- dnssec: don't set AD flag for NODATA answers if wildcard non-existence
|
|
Petr Špaček |
239782e |
is not guaranteed due to opt-out in NSEC3
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Improvements
|
|
Petr Špaček |
239782e |
------------
|
|
Petr Špaček |
239782e |
- layer/iterate: don't retry repeatedly if REFUSED
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
239782e |
Bugfixes
|
|
Petr Špaček |
239782e |
--------
|
|
Petr Špaček |
239782e |
- lib/nsrep: revert some changes to NS reputation tracking that caused
|
|
Petr Špaček |
239782e |
severe problems to some users of 1.2.5 (#178 and #179)
|
|
Petr Špaček |
239782e |
- dnssec: fix verification of wildcarded non-singleton RRsets
|
|
Petr Špaček |
239782e |
- dnssec: allow wildcards located directly under the root
|
|
Petr Špaček |
239782e |
- layer/rrcache: avoid putting answer records into queries in some cases
|
|
Petr Špaček |
239782e |
|
|
Petr Špaček |
46ab618 |
* Thu Apr 06 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.5-1
|
|
Petr Špaček |
46ab618 |
- new upstream relase
|
|
Petr Špaček |
46ab618 |
+ security: layer/validate: clear AD if closest encloser proof has opt-outed NSEC3 (#169)
|
|
Petr Špaček |
46ab618 |
+ security: layer/validate: check if NSEC3 records in wildcard expansion proof has an opt-out
|
|
Petr Špaček |
46ab618 |
+ security: dnssec/nsec: missed wildcard no-data answers validation has been implemented
|
|
Petr Špaček |
46ab618 |
+ fix: trust anchors: Improve trust anchors storage format (#167)
|
|
Petr Špaček |
46ab618 |
+ fix: trust anchors: support non-root TAs, one domain per file
|
|
Petr Špaček |
46ab618 |
+ fix: policy.DENY: set AA flag and clear AD flag
|
|
Petr Špaček |
46ab618 |
+ fix: lib/resolve: avoid unnecessary DS queries
|
|
Petr Špaček |
46ab618 |
+ fix: lib/nsrep: don't treat servers with NOIP4 + NOIP6 flags as timeouted
|
|
Petr Špaček |
46ab618 |
+ fix: layer/iterate: During packet classification (answer vs. referral) don't analyze
|
|
Petr Špaček |
46ab618 |
AUTHORITY section in authoritative answer if ANSWER section contains records
|
|
Petr Špaček |
46ab618 |
that have been requested
|
|
Petr Špaček |
46ab618 |
+ enhancement: modules/dnstap: a DNSTAP support module (Contributed by Vicky Shrestha)
|
|
Petr Špaček |
46ab618 |
+ enhancement: modules/workarounds: a module adding workarounds for known DNS protocol violators
|
|
Petr Špaček |
46ab618 |
+ enhancement: layer/iterate: fix logging of glue addresses
|
|
Petr Špaček |
46ab618 |
+ enhancement: kr_bitcmp: allow bits=0 and consequently 0.0.0.0/0 matches in view and renumber modules.
|
|
Petr Špaček |
46ab618 |
+ enhancement: modules/padding: Improve default padding of responses (Contributed by Daniel Kahn Gillmor)
|
|
Petr Špaček |
46ab618 |
+ enhancement: New kresc client utility (experimental; don't rely on the API yet)
|
|
Petr Špaček |
46ab618 |
|
|
Petr Špaček |
62060c9 |
* Thu Mar 09 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.4-1
|
|
Petr Špaček |
62060c9 |
- new upstream release
|
|
Petr Špaček |
62060c9 |
+ security: Knot Resolver 1.2.0 and higher could return AD flag for insecure
|
|
Petr Špaček |
62060c9 |
answer if the daemon received answer with invalid RRSIG several
|
|
Petr Špaček |
62060c9 |
times in a row.
|
|
Petr Špaček |
62060c9 |
+ fix: layer/iterate: some improvements in cname chain unrolling
|
|
Petr Špaček |
62060c9 |
+ fix: layer/validate: fix duplicate records in AUTHORITY section in case
|
|
Petr Špaček |
62060c9 |
+ fix: of WC expansion proof
|
|
Petr Špaček |
62060c9 |
+ fix: lua: do *not* truncate cache size to unsigned
|
|
Petr Špaček |
62060c9 |
+ fix: forwarding mode: correctly forward +cd flag
|
|
Petr Špaček |
62060c9 |
+ fix: fix a potential memory leak
|
|
Petr Špaček |
62060c9 |
+ fix: don't treat answers that contain DS non-existance proof as insecure
|
|
Petr Špaček |
62060c9 |
+ fix: don't store NSEC3 and their signatures in the cache
|
|
Petr Špaček |
62060c9 |
+ fix: layer/iterate: when processing delegations,
|
|
Petr Špaček |
62060c9 |
check if qname is at or below new authority
|
|
Petr Špaček |
62060c9 |
+ enhancement: modules/policy: allow QTRACE policy to be chained
|
|
Petr Špaček |
62060c9 |
with other policies
|
|
Petr Špaček |
62060c9 |
+ enhancement: hints.add_hosts(path): a new property
|
|
Petr Špaček |
62060c9 |
+ enhancement: module: document the API and simplify the code
|
|
Petr Špaček |
62060c9 |
+ enhancement: policy.MIRROR: support IPv6 link-local addresses
|
|
Petr Špaček |
62060c9 |
+ enhancement: policy.FORWARD: support IPv6 link-local addresses
|
|
Petr Špaček |
62060c9 |
+ enhancement: add net.outgoing_{v4,v6} to allow specifying address
|
|
Petr Špaček |
62060c9 |
to use for connections
|
|
Petr Špaček |
62060c9 |
|
|
Petr Špaček |
f05d307 |
* Mon Feb 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.3-1
|
|
Petr Špaček |
f05d307 |
- new upstream release
|
|
Petr Špaček |
f05d307 |
+ security: a cached negative answer from a CD query would be reused
|
|
Petr Špaček |
f05d307 |
to construct response for non-CD queries, resulting in Insecure status
|
|
Petr Špaček |
f05d307 |
instead of Bogus.
|
|
Petr Špaček |
f05d307 |
+ fix: lua: make the map command check its arguments
|
|
Petr Špaček |
f05d307 |
+ fix: -k argument processing to avoid out-of-bounds memory accesses
|
|
Petr Špaček |
f05d307 |
+ fix: lib/resolve: fix zonecut fetching for explicit DS queries
|
|
Petr Špaček |
f05d307 |
+ fix: hints: more NULL checks
|
|
Petr Špaček |
f05d307 |
+ fix: TA bootstrapping for multiple TAs in the IANA XML file
|
|
Petr Špaček |
f05d307 |
+ fix: Disable storing GLUE records into the cache even in the
|
|
Petr Špaček |
f05d307 |
+ fix: (non-default) QUERY_PERMISSIVE mode
|
|
Petr Špaček |
f05d307 |
+ fix: iterate: skip answer RRs that don't match the query
|
|
Petr Špaček |
f05d307 |
+ fix: layer/iterate: some additional processing for referrals
|
|
Petr Špaček |
f05d307 |
+ fix: lib/resolve: zonecut fetching error was fixed
|
|
Petr Špaček |
f05d307 |
|
|
|
b8d5646 |
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-2.1
|
|
|
b8d5646 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
|
b8d5646 |
|
|
Petr Špaček |
3709d6c |
* Fri Jan 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0-2
|
|
Petr Špaček |
3709d6c |
- rebuild against knot-2.4.0
|
|
Petr Špaček |
3709d6c |
|
|
Petr Špaček |
1f4067a |
* Fri Jan 27 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0
|
|
Petr Špaček |
1f4067a |
- new upstream release:
|
|
Petr Špaček |
1f4067a |
+ fix: reworked DNSSEC Validation, that fixes several know problems with less standard DNS configurations
|
|
Petr Špaček |
1f4067a |
+ fix: the resolver was setting AD flag when running in a forwarding mode
|
|
Petr Špaček |
1f4067a |
+ fix: correctly return RCODE=NOTIMPL on meta-queries and non IN class queries
|
|
Petr Špaček |
1f4067a |
+ fix: crash in hints module when hints file was empty
|
|
Petr Špaček |
1f4067a |
+ fix: non-lowercase hints
|
|
Petr Špaček |
1f4067a |
+ features: optional EDNS(0) Padding support for DNS over TLS
|
|
Petr Špaček |
1f4067a |
+ features: support for debugging DNSSEC with CD bit
|
|
Petr Špaček |
1f4067a |
+ features: DNS over TLS is now able to create ephemeral certs on the runtime (Thanks Daniel Kahn Gilmore for contributing to DNS over TLS implementation in Knot Resolver.)
|
|
Petr Špaček |
1f4067a |
+ features: configurable minimum and maximum TTL (default 6 days)
|
|
Petr Špaček |
1f4067a |
+ features: configurable pseudo-random reordering of RR sets
|
|
Petr Špaček |
1f4067a |
+ features: new module 'version' that can call home and report new versions and security vulnerabilities to the log file
|
|
Petr Špaček |
1f4067a |
|
|
Petr Špaček |
35ce4ae |
* Mon Jan 23 2017 Petr Spacek <petr.spacek@nic.cz> - 1.2.0-rc1
|
|
Petr Špaček |
35ce4ae |
- Update to latest upstream version
|
|
Petr Špaček |
35ce4ae |
- Fix packaging bug: depend on proper Lua library versions
|
|
Petr Špaček |
35ce4ae |
- Allow automatic trust anchor management to work
|
|
Petr Špaček |
35ce4ae |
|
|
|
1efd2a2 |
* Sat Nov 19 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1.1.1-3
|
|
|
1efd2a2 |
- Add ExclusiveArch for architectures with LuaJIT
|
|
|
1efd2a2 |
|
|
Igor Gnatenko |
360be18 |
* Mon Aug 29 2016 Igor Gnatenko <ignatenko@redhat.com> - 1.1.1-2
|
|
Igor Gnatenko |
360be18 |
- Rebuild for LuaJIT 2.1.0
|
|
Igor Gnatenko |
360be18 |
|
|
|
b6eb3ba |
* Wed Aug 24 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.1.1-1
|
|
|
b6eb3ba |
- new upstream release:
|
|
|
b6eb3ba |
+ fix name server fallback in case some of the servers are unreachable
|
|
|
b6eb3ba |
|
|
|
fd4eae6 |
* Fri Aug 12 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.1.0-1
|
|
|
fd4eae6 |
- new upstream release:
|
|
|
fd4eae6 |
+ RFC7873 DNS Cookies
|
|
|
fd4eae6 |
+ RFC7858 DNS over TLS
|
|
|
fd4eae6 |
+ Metrics exported in Prometheus
|
|
|
fd4eae6 |
+ DNS firewall module
|
|
|
fd4eae6 |
+ Explicit CNAME target fetching in strict mode
|
|
|
5648f15 |
+ Query minimisation improvements
|
|
|
fd4eae6 |
+ Improved integration with systemd
|
|
|
fd4eae6 |
|
|
|
c865a09 |
* Tue May 31 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-1
|
|
|
c865a09 |
- final release
|
|
|
c865a09 |
|
|
|
e977454 |
* Thu May 05 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.3.4f463d7
|
|
|
e977454 |
- update to latest git version
|
|
|
e977454 |
- re-enable unit-test
|
|
|
e977454 |
|
|
|
e977454 |
* Sat Apr 09 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.2.79a8440
|
|
|
e977454 |
- update to latest git version
|
|
|
e977454 |
- fix package review issues
|
|
|
e977454 |
|
|
|
e977454 |
* Tue Feb 02 2016 Jan Vcelak <jvcelak@fedoraproject.org> - 1.0.0-0.1.beta3
|
|
|
e977454 |
- initial package
|