FEDORA-EPEL-2018-cee77fc9b3 created by tkrizek 3 years ago for Fedora EPEL 7

Knot Resolver 2.1.0 (2018-02-16)

Incompatible changes

  • stats: remove tracking of expiring records (predict uses another way)
  • systemd: re-use a single kresd.socket and kresd-tls.socket
  • ta_sentinel: implement protocol draft-ietf-dnsop-kskroll-sentinel-01 (our draft-ietf-dnsop-kskroll-sentinel-00 implementation had inverted logic)
  • libknot: require version 2.6.4 or newer to get bugfixes for DNS-over-TLS

Bugfixes

  • detect_time_jump module: don't clear cache on suspend-resume (#284)
  • stats module: fix stats.list() returning nothing, regressed in 2.0.0
  • policy.TLS_FORWARD: refusal when configuring with multiple IPs (#306)
  • cache: fix broken refresh of insecure records that were about to expire
  • fix the hints module on some systems, e.g. Fedora (came back on 2.0.0)
  • build with older gnutls (conditionally disable features)
  • fix the predict module to work with insecure records & cleanup code

Knot Resolver 2.0.0 (2018-01-31)

Incompatible changes

  • systemd: change unit files to allow running multiple instances, deployments with single instance now must use kresd@1.service instead of kresd.service; see kresd.systemd(7) for details
  • systemd: the directory for cache is now /var/cache/knot-resolver
  • unify default directory and user to knot-resolver
  • directory with trust anchor file specified by -k option must be writeable
  • policy module is now loaded by default to enforce RFC 6761; see documentation for policy.PASS if you use locally-served DNS zones
  • drop support for alternative cache backends memcached, redis, and for Lua bindings for some specific cache operations
  • REORDER_RR option is not implemented (temporarily)

New features

  • aggressive caching of validated records (RFC 8198) for NSEC zones; thanks to ICANN for sponsoring this work.
  • forwarding over TLS, authenticated by SPKI pin or certificate. policy.TLS_FORWARD pipelines queries out-of-order over a shared TLS connection. Beware: some resolvers do not support out-of-order query processing; TLS forwarding to such resolvers will lead to slower resolution or failures.
  • trust anchors: you may specify a read-only file via -K or --keyfile-ro
  • trust anchors: at build-time you may set KEYFILE_DEFAULT (read-only)
  • ta_sentinel module implements draft-ietf-dnsop-kskroll-sentinel-00, enabled by default
  • serve_stale module is prototype, subject to change
  • extended API for Lua modules
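The TLS forwarding feature above is configured in the kresd Lua config. The snippet below is an added example, not part of the release notes; the addresses, hostname, CA file path, and the pin value are constructed placeholders, and the exact option names (pin_sha256, hostname, ca_file) are assumed from the policy module of this release series.

```lua
-- kresd configuration (Lua). Added example, not from the Knot Resolver
-- release notes. Addresses, hostname, CA path and pin are placeholders.

-- Forward every query (policy.all) to two upstreams over TLS (port 853).
-- Upstream 1 is authenticated by an SPKI pin: base64 of the SHA-256 over
-- the server's DER SubjectPublicKeyInfo. Upstream 2 is authenticated by
-- validating its certificate chain against ca_file and matching hostname.
policy.add(policy.all(policy.TLS_FORWARD({
  -- Pinned upstream. The pin survives certificate renewal only while the
  -- key pair is unchanged, so track key rotations at the upstream.
  -- A pin can be derived from the server certificate with:
  --   openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
  --     | openssl dgst -sha256 -binary | base64
  {'192.0.2.1', pin_sha256={'REPLACE_WITH_BASE64_SHA256_OF_SPKI='}},

  -- CA-authenticated upstream: certificate must chain to ca_file and
  -- carry the configured name.
  {'2001:db8::d0c', hostname='dns.example.net',
   ca_file='/etc/knot-resolver/tlsca.crt'},
})))

-- Queries are pipelined out-of-order over the shared TLS connection. If an
-- upstream answers strictly in order, expect slower resolution or
-- failures, as the release notes warn; pick upstreams accordingly.
```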

Bugfixes

  • fix build on osx - regressed in 1.5.3 (different linker option name)

Knot Resolver 1.5.3 (2018-01-23)

Bugfixes

  • fix the hints module on some systems, e.g. Fedora. Symptom: undefined symbol: engine_hint_root_file

Knot Resolver 1.5.2 (2018-01-22)

Security

  • fix CVE-2018-1000002: insufficient DNSSEC validation, allowing attackers to deny existence of some data by forging packets. Some combinations pointed out in RFC 6840 sections 4.1 and 4.3 were not taken into account.

Bugfixes

  • memcached: fix fallout from module rename in 1.5.1

Knot Resolver 1.5.1 (2017-12-12)

Incompatible changes

  • script supervisor.py was removed, please migrate to a real process manager
  • module ketcd was renamed to etcd for consistency
  • module kmemcached was renamed to memcached for consistency

Bugfixes

  • fix SIGPIPE crashes (#271)
  • tests: work around out-of-space for platforms with larger memory pages
  • lua: fix mistakes in bindings affecting 1.4.0 and 1.5.0 (and 1.99.1-alpha), potentially causing problems in dns64 and workarounds modules
  • predict module: various fixes (!399)

Improvements

  • add priming module to implement RFC 8109, enabled by default (#220)
  • add modules helping with system time problems, enabled by default; for details see documentation of detect_time_skew and detect_time_jump

This update has been submitted for testing by tkrizek.

3 years ago

This update has obsoleted knot-resolver-1.5.3-1.el7, and has inherited its bugs and notes.

3 years ago

Hello tkrizek,

Just to make sure: this update is tagged as 'security' because it inherited the bugs from FEDORA-2018-f73abc5680 and not because there is a new vulnerability, and I am safe from harm through CVE-2018-1000002 if I already installed the former update. Is that correct?


@lewassec That's correct. I've marked this build as a security update because 1.5.3 never made it to stable. There are no new CVEs.

@tkrizek thanks, now that was fast .)

This update has been pushed to testing.

3 years ago

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

3 years ago

This update has been submitted for batched by tkrizek.

3 years ago

This update has been submitted for stable by tkrizek.

3 years ago

This update has been pushed to stable.

3 years ago


BZ#1530661 knot-resolver fails systemd socket activation on CentOS 7
BZ#1537462 CVE-2018-1000002 knot-resolver: Insufficient DNSSEC validation
BZ#1537465 CVE-2018-1000002 knot-resolver: Insufficient DNSSEC validation [epel-all]
