[knot-resolver-users] Knot Resolver 4.0.0

Dear Knot Resolver users, Knot Resolver 4.0.0 has been released! This is a major release with many improvements and also some breaking changes, please see our upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html Those interested in DNS-over-HTTPS are welcome to look for unintentional Easter Bugs we may have accidentally hidden in our experimental implementation. Upstream packages with DNS-over-HTTPS support are available for Debian 9, CentOS 7, Ubuntu 18, Fedora and Arch. Incompatible changes -------------------- - see upgrading guide: https://knot-resolver.readthedocs.io/en/stable/upgrading.html - configuration: trust_anchors aliases .file, .config() and .negative were removed (!788) - configuration: trust_anchors.keyfile_default is no longer accessible (!788) - daemon: -k/--keyfile and -K/--keyfile-ro options were removed - meson build system is now used for builds (!771) - build with embedded LMBD is no longer supported - default modules dir location has changed - DNSSEC is enabled by default - upstream packages for Debian now require systemd - libknot >= 2.8 is required - net.list() output format changed (#448) - net.listen() reports error when address-port pair is in use - bind to DNS-over-TLS port by default (!792) - stop versioning libkres library - default port for web management and APIs changed to 8453 Improvements ------------ - policy.TLS_FORWARD: if hostname is configured, send it on wire (!762) - hints module: allow configuring the TTL and change default from 0 to 5s - policy module: policy.rpz() will watch the file for changes by default - packaging: lua cqueues added to default dependencies where available - systemd: service is no longer auto-restarted on configuration errors - always send DO+CD flags upstream, even in insecure zones (#153) - cache.stats() output is completely new; see docs (!775) - improve usability of table_print() (!790, !801) - add DNS-over-HTTPS support (#280) - docker image supports and exposes DNS-over-HTTPS Bugfixes -------- - predict module: load stats module if config didn't specify period (!755) - trust_anchors: don't do 5011-style updates on anchors from files that were loaded as unmanaged trust anchors (!753) - trust_anchors.add(): include these TAs in .summary() (!753) - policy module: support '#' for separating port numbers, for consistency - fix startup on macOS+BSD when </dev/null and cqueues installed - policy.RPZ: log problems from zone-file level of parser as well (#453) - fix flushing of messages to logs in some cases (notably systemd) (!781) - fix fallback when SERVFAIL or REFUSED is received from upstream (!784) - fix crash when dealing with unknown TA key algorhitm (#449) - go insecure due to algorithm support even if DNSKEY is NODATA (!798) - fix mac addresses in the output of net.interfaces() command (!804) - http module: fix too early renewal of ephemeral certificates (!808) Module API changes ------------------ - kr_straddr_split() changed API a bit (compiler will catch that) - C modules defining `*_layer` or `*_props` symbols need to change a bit See the upgrading guide for details. It's detected on module load. Full changelog: https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v4.0.0/NEWS Sources: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.0.0.tar.xz GPG signature: https://secure.nic.cz/files/knot-resolver/knot-resolver-4.0.0.tar.xz.asc Documentation: https://knot-resolver.readthedocs.io/en/v4.0.0/ -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869