{"update": {"autokarma": true, "autotime": false, "stable_karma": 3, "stable_days": 0, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "Major updates for Knot DNS and Knot Resolver:\nKnot Resolver 1.5.0 (2017-11-02)\n================================\n\nBugfixes\n--------\n- fix loading modules on Darwin\n\nImprovements\n------------\n- new module ta_signal_query supporting Signaling Trust Anchor Knowledge\n  using Keytag Query (RFC 8145 section 5); it is enabled by default\n- attempt validation for more records but require it for fewer of them\n  (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)\n\n\nKnot Resolver 1.4.0 (2017-09-22)\n================================\n\nIncompatible changes\n--------------------\n- lua: query flag-sets are no longer represented as plain integers.\n  kres.query.* no longer works, and kr_query_t lost trivial methods\n  'hasflag' and 'resolved'.\n  You can instead write code like qry.flags.NO_0X20 = true.\n\nBugfixes\n--------\n- fix exiting one of multiple forks (#150)\n- cache: change the way of using LMDB transactions.  That in particular\n  fixes some cases of using too much space with multiple kresd forks (#240).\n\nImprovements\n------------\n- policy.suffix: update the aho-corasick code (#200)\n- root hints are now loaded from a zonefile; exposed as hints.root_file().\n  You can override the path by defining ROOTHINTS during compilation.\n- policy.FORWARD: work around resolvers adding unsigned NS records (#248)\n- reduce unneeded records previously put into authority in wildcarded answers\n\n\nKnot Resolver 1.3.3 (2017-08-09)\n================================\n\nSecurity\n--------\n- Fix a critical DNSSEC flaw.  Signatures might be accepted as valid\n  even if the signed data was not in bailiwick of the DNSKEY used to\n  sign it, assuming the trust chain to that DNSKEY was valid.\n\nBugfixes\n--------\n- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL\n- utils: fix possible incorrect seeding of the random generator\n- modules/http: fix compatibility with the Prometheus text format\n\nImprovements\n------------\n- policy: implement remaining special-use domain names from RFC6761 (#205),\n  and make these rules apply only if no other non-chain rule applies\n\n\n\nKnot DNS 2.6.1 (2017-11-02)\n===========================\n\nFeatures:\n---------\n - NSEC3 Opt-Out support in the DNSSEC signing\n - New CDS/CDNSKEY publish configuration option\n\nImprovements:\n-------------\n - Simplified DNSSEC log message with DNSKEY details\n - +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given\n - New documentation sections for DNSSEC key rollovers and shared keys\n - Keymgr no longer prints useless algorithm number for generated key\n - Kdig prints unknown RCODE in a numeric format\n - Better support for LLVM libFuzzer\n\nBugfixes:\n---------\n - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used\n - Immediate zone flush not scheduled during the zone load event\n - Server crashes upon dynamic zone addition if a query module is loaded\n - Kdig fails to connect over TLS due to SNI is set to server IP address\n - Possible out-of-bounds memory access at the end of the input\n - TCP Fast Open enabled by default in kdig breaks TLS connection\n\nKnot DNS 2.6.0 (2017-09-29)\n===========================\n\nFeatures:\n---------\n - On-slave (inline) signing support\n - Automatic DNSSEC key algorithm rollover\n - Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)\n - New 'journal-content' and 'zonefile-load' configuration options\n - keymgr tries to run as user/group set in the configuration\n - Public-only DNSSEC key import into KASP DB via keymgr\n - NSEC3 resalt and parent DS query events are persistent in timer DB\n - New processing state for a response suppression within a query module\n - Enabled server side TCP Fast Open if supported\n - TCP Fast Open support in kdig\n\nImprovements:\n-------------\n - Better record owner compression if related to the previous rdata dname\n - NSEC(3) chain is no longer recomputed whole on every update\n - Remove inconsistent and unnecessary quoting in log files\n - Avoiding of overlapping key rollovers at a time\n - More DNSSSEC-related semantic checks\n - Extended timestamp format in keymgr\n\nBugfixes:\n---------\n - Incorrect journal free space computation causing inefficient space handling\n - Interface-automatic broken on Linux in the presence of asymmetric routing\n\nKnot DNS 2.5.6 (2017-11-02)\n===========================\n\nImprovements:\n-------------\n - Keymgr no longer prints useless algorithm number for generated key\n\nBugfixes:\n---------\n - Faulty DNAME semantic check if present in the zone apex and NSEC3 is used\n - Immediate zone flush not scheduled during the zone load event\n - Server crashes upon dynamic zone addition if a query module is loaded\n - Kdig fails to connect over TLS due to SNI is set to server IP address\n\nKnot DNS 2.5.5 (2017-09-29)\n===========================\n\nImprovements:\n-------------\n - Constant time memory comparison in the TSIG processing\n - Proper use of the ctype functions\n - Generated RRSIG records have inception time 90 minutes in the past\n\nBugfixes:\n---------\n - Incorrect online signature for NSEC in the case of a CNAME record\n - Incorrect timestamps in dnstap records\n - EDNS Subnet Client validation rejects valid payloads\n - Module configuration semantic checks are not executed\n - Kzonecheck segfaults with unusual inputs\n\nKnot DNS 2.5.4 (2017-08-31)\n===========================\n\nImprovements:\n-------------\n - New minimum and maximum refresh interval config options (Thanks to Manabu Sonoda)\n - New warning when unforced flush with disabled zone file synchronization\n - New 'dnskey' keymgr command\n - Linking with libatomic on architectures that require it (Thanks to Pierre-Olivier Mercier)\n - Removed 'OK' from listing keymgr command outputs\n - Extended journal and keymgr documentation and logging\n\nBugfixes:\n---------\n - Incorrect handling of specific corner-cases with zone-in-journal\n - The 'share' keymgr command doesn't work\n - Server crashes if configured with query-size and reply-size statistics options\n - Malformed big integer configuration values on some 32-bit platforms\n - Keymgr uses local time when parsing date inputs\n - Memory leak in kdig upon IXFR query", "type": "security", "status": "stable", "request": null, "severity": "unspecified", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2017-11-08 08:16:53", "date_modified": null, "date_approved": null, "date_testing": "2017-11-08 23:32:44", "date_stable": "2017-11-16 19:47:47", "alias": "FEDORA-2017-31519ecf40", "test_gating_status": null, "from_tag": null, "date_pushed": "2017-11-16 19:47:47", "meets_testing_requirements": false, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2017-31519ecf40", "title": "knot-2.6.1-1.fc26 knot-resolver-1.5.0-1.fc26", "version_hash": "daf22e93a8ecbff034b6cadc6f5d2b409f1c48b1", "release": {"name": "F26", "long_name": "Fedora 26", "version": "26", "id_prefix": "FEDORA", "branch": "f26", "dist_tag": "f26", "stable_tag": "f26-updates", "testing_tag": "f26-updates-testing", "candidate_tag": "f26-updates-candidate", "pending_signing_tag": "f26-signing-pending", "pending_testing_tag": "f26-updates-testing-pending", "pending_stable_tag": "f26-updates-pending", "override_tag": "f26-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": null, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "pspacek", "email": "pspacek@isc.org", "id": 1315, "avatar": "https://seccdn.libravatar.org/avatar/049899d532021a7d606b289ecbf5057881630ce86d462929043ee598de5219a7?s=24&d=retro", "openid": "pspacek.id.fedoraproject.org", "groups": [{"name": "packager"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by pspacek. ", "timestamp": "2017-11-08 08:16:53", "update_id": 101667, "user_id": 91, "id": 689528, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2017-11-08 23:59:05", "update_id": 101667, "user_id": 91, "id": 690068, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes", "timestamp": "2017-11-16 00:00:54", "update_id": 101667, "user_id": 91, "id": 695296, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for batched by pspacek. ", "timestamp": "2017-11-16 07:30:10", "update_id": 101667, "user_id": 91, "id": 695461, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by pspacek. ", "timestamp": "2017-11-16 07:31:18", "update_id": 101667, "user_id": 91, "id": 695463, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2017-11-16 20:49:21", "update_id": 101667, "user_id": 91, "id": 695874, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "knot-2.6.1-1.fc26", "signed": true, "release_id": 16, "type": "rpm", "epoch": 0}, {"nvr": "knot-resolver-1.5.0-1.fc26", "signed": true, "release_id": 16, "type": "rpm", "epoch": 0}], "bugs": [], "updateid": "FEDORA-2017-31519ecf40", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}