knot-resolver - Debian Package Tracker

general

source: knot-resolver (main)
version: 5.3.0-1
maintainer: knot-resolver packagers (DMD)
uploaders: Jakub Ružička [DMD] – Santiago Ruano Rincón [DMD] – Ondřej Surý [DMD] – Daniel Kahn Gillmor [DMD]
arch: all amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64 ppc64el
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 3.2.1-3~bpo9+1
stable: 3.2.1-3
testing: 5.2.1-1
unstable: 5.3.0-1

versioned links

2.3.0-3~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.1-3~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.2.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.3.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

knot-resolver (4 bugs: 0, 4, 0, 0)
knot-resolver-doc
knot-resolver-module-http (1 bugs: 0, 1, 0, 0)

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:01:47
Last run: 2020-07-10 22:35:15 UTC
Previous status: fail

testing: pass (log)
The tests ran in 0:00:39
Last run: 2021-04-09 08:25:46 UTC
Previous status: pass

stable: fail (log)
The tests ran in 0:01:33
Last run: 2021-04-06 05:29:46 UTC
Previous status: fail

Created: 2020-01-03 Last update: 2021-04-11 10:42

A new upstream version is available: 5.3.1 high

A new upstream version 5.3.1 is available, you should consider packaging it.

Created: 2021-04-04 Last update: 2021-04-11 09:05

4 security issues in buster high

There are 4 open security issues in buster.

4 important issues:

CVE-2019-10190: A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191.
CVE-2019-10191: A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol.
CVE-2019-19331: knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).
CVE-2020-12667: Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.

Created: 2021-02-19 Last update: 2021-03-31 04:24

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2021-03-24 Last update: 2021-04-11 10:36

lintian reports 16 warnings normal

Lintian reports 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-04-11 10:17

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

knot-resolver-module-http could be marked Multi-Arch: same

Created: 2020-12-11 Last update: 2021-04-11 08:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 5.3.1-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 9ee0d397010b51c103cecc7c79e477f9a0fc8d5a
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Thu Apr 1 16:20:16 2021 +0200

    d/changelog: release 5.3.1-1

commit 749701a0300d075129e2abf68dae52c81e8be3ae
Merge: 822fa47d 0d1780d7
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Thu Apr 1 12:36:13 2021 +0000

    Update upstream source from tag 'upstream/5.3.1'
    
    Update to upstream version '5.3.1'
    with Debian dir e2232ec558ae4e3b87986c195ffa9a33353cdc6e

commit 0d1780d7cbd51bcd0342bd3f080f7dd7afae5965
Merge: 3aeca904 58cdfa41
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Thu Apr 1 12:36:10 2021 +0000

    New upstream version 5.3.1

commit 58cdfa410cc04725f76209a524b21a1f00f74ea4
Merge: ed0c8a1a 2263f06e
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Wed Mar 31 15:13:36 2021 +0000

    Merge branch 'release-5-3-1' into 'master'
    
    release 5.3.1
    
    See merge request knot/knot-resolver!1162

commit 2263f06e3c7c059ec49069612c48a7863059040f
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Wed Mar 31 16:16:51 2021 +0200

    release 5.3.1

commit c732e45a79fe03f78913a9a6f4d472774cea8013
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Wed Mar 24 13:50:25 2021 +0100

    doc: update required meson version
    
    This change already took place in !1082, this just updates the files to
    correctly reflect the current situation.

commit ed0c8a1a4268e13e9343bc3754c4fd1c024b6447
Merge: e2cb8acf 5922eecd
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 30 16:11:28 2021 +0000

    Merge branch 'nsec3-iters-downgrade' into 'master'
    
    validator: downgrade NSEC3 records with too many iterations
    
    See merge request knot/knot-resolver!1160

commit 5922eecd468d61953cdce54716bc3b38b08aaaab
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Mon Mar 29 12:40:18 2021 +0200

    cache: avoid storing NSEC3 RRsets with high iterations
    
    (in aggressive cache part)  Also bump cache version, so that we clear
    those that have been left by previous kresd releases.

commit 21e50fca15e1229d8d3b907deeab885c4f2b72ce
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Mar 25 19:04:25 2021 +0100

    treewide: add defensive checks for the NSEC3 limit

commit 7107faebc72c14c864622128a20a9b39fe94d733
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Mar 25 18:57:41 2021 +0100

    validate: downgrade zone on high NSEC3 iterations

commit b819108b59ec4194ece336749b428a63b1071ae7
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Mar 25 10:56:14 2021 +0100

    validate: change order of tasks
    
    It seems better to check RRSIGs before checking negative proofs,
    in terms of reasoning, being less error-prone, etc.

commit e2cb8acfb7e705b4b4ad443a5da7fe5d66fe23e9
Merge: 8fd93f12 0a860f93
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Mar 30 13:48:08 2021 +0000

    Merge !1157: revert DoH errors (for now)

commit 0a860f93222fdb3a1df9910c8c680b8b7a521328
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 30 13:30:51 2021 +0200

    Revert "Merge branch '618-doh2-respond-to-invalid-requests-with-proper-status-code' into 'master'"
    
    This reverts commit 4079a1a962cc528b30d8b0b330c329bf83d85fe8, reversing
    changes made to a900fdbf47c181487edf8c6c07a079708c2647e3.

commit 851b2b6dcb10ee5df6bb08d2f895e60704444ea5
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 30 13:29:21 2021 +0200

    Revert "Merge branch 'odvr-doh-assert' into 'master'"
    
    This reverts commit 4dab349e269364b8d27415a548e90446aaac11fb, reversing
    changes made to 4bcf335de92bf51b22fe3d517f532a219c4b76cd.

commit e8a25a5e60cb78b059d7f89add24634ed47d1073
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 30 13:28:54 2021 +0200

    Revert "Merge branch 'doh-remove-asserts' into 'master'"
    
    This reverts commit 99e6e75427031918adeabd8da6b151a5170d3f57, reversing
    changes made to 65bed85f897dd004fbe5234d40aaa60d9cabee1e.

commit 8fd93f124bafd6cf5c036d2a751bfb31f0b2d322
Merge: cc83063f a4606862
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Sat Mar 27 08:45:00 2021 +0000

    Merge !1155: policy.STUB: try to avoid TCP

commit a4606862388b0e18821798d849129a2ab5f40bd0
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Mar 23 11:29:42 2021 +0100

    policy/README: fix "DNS-over-UDP" mentions
    
    Regressed in acd019db2.  The intention was clearly to say that
    encryption (i.e. DNS-over-TLS) is not supported.

commit eeef49d885b131e00077b2dbb3fe388615846c67
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Mar 23 11:16:01 2021 +0100

    lib/selection*: more precise flags.TCP
    
    I'm overall unsure here, but this does seem as improvement.

commit a07a58f739dc48b85aa6ac1e61150ee3847ff4a1
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Mar 23 11:11:44 2021 +0100

    lib/selection*: try to avoid TCP in STUB mode
    
    The target of STUB might commonly not have good support
    for "advanced" features like TCP.

commit cc83063f16a1d0626950690a98ae45f95d34eac0
Merge: 76532284 2cc181ed
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Wed Mar 24 12:43:01 2021 +0000

    Merge branch 'tls_forward-dead_IP' into 'master'
    
    policy.TLS_FORWARD: better avoid dead addresses
    
    See merge request knot/knot-resolver!1156

commit 2cc181ed30ba69791fa2027ff3b2ca36a2cee112
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Wed Mar 24 10:58:25 2021 +0100

    policy.TLS_FORWARD: better avoid dead addresses

commit 765322846a3cffeaf296f5d5e240149b41cab9bf
Merge: 94bf3b00 e3e80088
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Fri Mar 19 16:09:36 2021 +0000

    Merge branch 'modules-return-error' into 'master'
    
    lib/resolve *_LAYERS: detect bad return code from module
    
    See merge request knot/knot-resolver!1151

commit e3e800889035fe5cdba95418bf892f285fde8724
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Sat Mar 13 10:02:20 2021 +0100

    lib/resolve *_LAYERS: detect bad return code from module
    
    Practical example was now in dnstap (060349c9).  This way we detect
    such mistakes more often and closer to their point of origin.

commit 94bf3b0025e5cac24516b27717b84a8dd5868aeb
Merge: d10fdaa6 7bd70e16
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Fri Mar 19 12:51:38 2021 +0000

    Merge branch 'cap-explore-timeout' into 'master'
    
    selection: cap the timeout value when probing a random server
    
    See merge request knot/knot-resolver!1154

commit 7bd70e162d44cae62a8b1ac2b09e5b5790ceab8e
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Mar 17 15:53:33 2021 +0100

    selection: cap the timeout value when probing a random server
    
    This patch caps the timeout set on UDP queries to servers chosen in the
    EXPLORE phase of the selection algorithm to two times the timeout that
    would be set if we were EXPLOITing.
    
    This measns that we no longer spend an unreasonable amount of time
    probing servers that are probably dead anyway while ensuring that we do
    probe them from time to time to check if they didn't come to life.
    
    If the timeout value is capped and the server fails to respond, we don't
    punish the server for it i.e. we don't cache the timeout.

commit d10fdaa6d89d9887c378cc19f4cd5da15c07d613
Merge: 9679a48b 5e3a6ca2
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Wed Mar 17 17:54:24 2021 +0000

    Merge !1150: selection_iter.c: fix the last stand switch to UDP

commit 5e3a6ca2e656801278eb98d7031bae0979fa1270
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Fri Mar 12 13:36:42 2021 +0100

    lib/selection_iter.c: fix the last stand switch to UDP
    
    Previously, qry->flags.TCP flag was incorectly set, which led
    to incorrect logging and maybe other troubles down the line.

commit 9679a48b9e1fd0c99b6079cf635eaeaecf6a4566
Merge: 99e6e754 3fbbc909
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 16 11:23:56 2021 +0000

    Merge branch 'gc-rtt' into 'master'
    
    utils/cache_gc: fix crashes/assertions on RTT entries
    
    See merge request knot/knot-resolver!1153

commit 3fbbc90954c1a083f7ac83d198ceb8dd65828874
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 16 11:54:26 2021 +0100

    ci: run simple GC sanity check

commit db85da95bed119601dee4e1ffb3fbec93081fa3d
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Mar 16 10:39:50 2021 +0100

    utils/cache_gc: fix crashes/assertions on RTT entries
    
    I missed some parts when finishing this.  I should've tested it better.
    GC would hit assertions or NULL dereferences when removing entries,
    and eventually that would lead to cache overflowing (and getting
    cleared).

commit 99e6e75427031918adeabd8da6b151a5170d3f57
Merge: 65bed85f f1bf5c12
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Mar 15 13:03:10 2021 +0000

    Merge branch 'doh-remove-asserts' into 'master'
    
    daemon/http: replace assertions
    
    See merge request knot/knot-resolver!1152

commit f1bf5c120f52869fd51f739abab867b7a04a298e
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Mar 15 13:42:21 2021 +0100

    daemon/http: replace assertions

commit 65bed85f897dd004fbe5234d40aaa60d9cabee1e
Merge: 4dab349e 73424e96
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Mar 15 10:17:36 2021 +0000

    Merge branch 'ci-obs-repos' into 'master'
    
    ci: update ODVR distros
    
    See merge request knot/knot-resolver!1148

commit 73424e963053f57e03307056186de4964baf3a80
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Mar 11 17:18:48 2021 +0100

    ci: update ODVR distros

commit 4dab349e269364b8d27415a548e90446aaac11fb
Merge: 4bcf335d 92f96292
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Mar 15 10:16:02 2021 +0000

    Merge branch 'odvr-doh-assert' into 'master'
    
    doh2: refuse stream on failure
    
    See merge request knot/knot-resolver!1149

commit 92f96292c86c7a5e6f636a3311bd55f9bca5ef3f
Author: Lukáš Ježek <lukas.jezek@nic.cz>
Date:   Fri Mar 12 13:36:37 2021 +0100

    daemon/http: fix assertion fail when data frame is recieved

commit c48e846fca4eff3d9bcc17726d50aa68a423af1e
Author: Lukáš Ježek <lukas.jezek@nic.cz>
Date:   Fri Mar 12 12:12:22 2021 +0100

    daemon/http: refuse stream on failure

commit 4bcf335de92bf51b22fe3d517f532a219c4b76cd
Merge: 4079a1a9 060349c9
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Mar 11 15:57:29 2021 +0000

    Merge branch 'dnstap-return-errors' into 'master'
    
    dnstap: don't break request resolution on dnstap errors
    
    See merge request knot/knot-resolver!1147

commit 060349c9d643c1e38940fbd874cf7415dee043ef
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Mar 11 15:23:28 2021 +0100

    dnstap: don't break request resolution on dnstap errors
    
    This isn't a regression of 5.3.0 changes.
    Layer functions are supposed to return new values for ctx->state,
    but here we were sometimes returning kr_error(EFOO) which altered
    processing of the request.
    
    Our case: answers directly from policy module would not end up
    finishing the request and we'd hit an assert at the end of processing.

commit 4079a1a962cc528b30d8b0b330c329bf83d85fe8
Merge: a900fdbf 78afe38a
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 9 10:42:16 2021 +0000

    Merge branch '618-doh2-respond-to-invalid-requests-with-proper-status-code' into 'master'
    
    doh2: send HTTP error status code
    
    Closes #618
    
    See merge request knot/knot-resolver!1102

commit 78afe38a2062aa2843a65d9f27ec1f748d6cc91d
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Mar 8 15:30:49 2021 +0100

    daemon/http: free allocated memory after sending error msg

commit fdfe590a4187e56b168012917b2c68e975ecc628
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Mar 8 12:19:29 2021 +0100

    daemon/http: optimize code by using trie instead of array macros

commit 9357ab1ae1ebc9d45190ad1d81ec30b8c74f6a1e
Author: Lukáš Ježek <lukas.jezek@nic.cz>
Date:   Tue Feb 9 11:58:23 2021 +0100

    doh2: added control stream to each test

commit aa7373a6735ab066719f1533cdff6ccf145ee697
Author: Lukáš Ježek <lukas.jezek@nic.cz>
Date:   Tue Jan 19 15:37:13 2021 +0100

    doh2: fix sending errors

commit c2358a4ed838e65d80bf9e73a9c2d0e2f41dbc66
Author: Lukáš Ježek <lukas.jezek@nic.cz>
Date:   Fri Nov 27 09:43:13 2020 +0100

    doh2: send HTTP error status code

commit 822fa47d907a3b339242617602423328737a11b4
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Wed Mar 3 15:32:52 2021 +0100

    debian/changelog: release 5.3.0-1

commit ecd05d58af463729a13d05bc217a257aea601da8
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Wed Mar 3 14:21:58 2021 +0100

    Snapshot debian/changelog
    
    Gbp-Dch: Ignore

commit 25cf287b8d10c049ba08c1a94aa564c4f0a63309
Merge: d33030b9 3aeca904
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Wed Mar 3 12:55:03 2021 +0000

    Update upstream source from tag 'upstream/5.3.0'
    
    Update to upstream version '5.3.0'
    with Debian dir 47e1f131fea52c434c38135cfdf651863ad4da58

commit 3aeca90443437bf32e2f20e23f586a64ea3d2323
Merge: ca249336 febfdd52
Author: Jakub Ružička <jakub.ruzicka@nic.cz>
Date:   Wed Mar 3 12:55:00 2021 +0000

    New upstream version 5.3.0

commit a900fdbf47c181487edf8c6c07a079708c2647e3
Merge: febfdd52 f1a59816
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Mar 2 17:39:07 2021 +0100

    Merge branch 'doc-predict' into 'master'
    
    predict docs: better explain how it works
    
    See merge request knot/knot-resolver!1145

commit f1a598167bb319847740698853b3a50ce79ea474
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Mar 2 14:39:26 2021 +0100

    predict docs: better explain how it works

commit febfdd52f7c4cc918c415d05f894fe485dd1733f
Merge: 2beece44 4b6d9fee
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Feb 25 14:04:49 2021 +0100

    Merge branch 'release-5.3.0' into 'master'
    
    release 5.3.0
    
    See merge request knot/knot-resolver!1138

commit 4b6d9fee188c8956ab7c8e2f7d56780c54903bf5
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Fri Feb 12 11:18:01 2021 +0100

    release 5.3.0

commit 2beece449b9a4a40a73425b7da36005661e321a5
Merge: 8d43261d 0358ce14
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Feb 25 13:43:18 2021 +0100

    Merge branch 'selection-no6' into 'master'
    
    lib/selection: add simple detection of IPv6 being broken
    
    See merge request knot/knot-resolver!1143

commit 0358ce1491f879080adb5ac1a2ae1b405ca53d4f
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Wed Feb 24 11:33:51 2021 +0100

    lib/selection: add simple detection of IPv6 being broken
    
    Details are described in code comments.

commit 8d43261d382f9f8ee609cef9a482d58d90dfd954
Merge: 2b8b130e 0e6b2826
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Feb 22 11:34:14 2021 +0100

    Merge branch 'selection-tweaks' into 'master'
    
    lib/selection: halve the default timeout (for iteration)
    
    See merge request knot/knot-resolver!1141

commit 0e6b28269563da4facc626f22668542a85b35159
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Fri Feb 19 10:40:22 2021 +0100

    lib/selection: halve the default timeout (for iteration)

commit 2b8b130e590642ada3f3cda035050596de6425ea
Merge: 34b92c92 f032e5ec
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Fri Feb 19 11:15:12 2021 +0100

    Merge branch 'switch_to_udp' into 'master'
    
    lib/selection{,_iter}.c: allow switching back to UDP
    
    See merge request knot/knot-resolver!1140

commit f032e5ec056c332458a3cf766a0875c3918b725d
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Thu Feb 18 12:10:26 2021 +0100

    lib/selection{,_iter}.c: allow switching back to UDP
    
    Switching to TCP instead of querying very slow servers over UDP has had
    unwanted side effect – we would sometimes get stuck with a server
    permanently switched to TCP. And if the server happens to not reply over
    TCP we were in trouble.
    
    Therefore after we TCP connect fails or timeouts we provide one last
    chance for the server over UDP. This will not prevent the next request
    to try TCP again on this server again, but we don't care because
    DNS MUST ******* work over TCP.

commit 34b92c92c75089d34f7e86d131afb3a785cbe992
Merge: 49169192 9ec48167
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Fri Feb 12 13:03:41 2021 +0100

    Merge branch 'sendmmsg-logs' into 'master'
    
    daemon/udp_queue: drop the error logging
    
    See merge request knot/knot-resolver!1139

commit 9ec48167e479231e6b5e8eb26d73bb40f4e18533
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Fri Feb 12 10:06:25 2021 +0100

    daemon/udp_queue: drop the error logging
    
    We should do this for all transports and probably just in verbose mode.
    We were printing lots of these on Turris OS (for one user at least):
    https://forum.turris.cz/t/5-1-8-kresd-throwing-many-errors-in-var-log-messages/14775
    
    EACCESS in particular apparently may happen (on Linux) when the network
    is "unavailable", EPERM because of firewall/netfilter:
    https://stackoverflow.com/a/23869102

commit 49169192e78df9ba3bab71de65c0cb6876745adf
Merge: babc4033 559d61b3
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Fri Feb 12 11:03:10 2021 +0100

    Merge !1137: bump required Knot DNS version to 2.9

commit 559d61b38e5dc036584261be5a8007a79ddeb120
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Wed Feb 10 16:01:17 2021 +0100

    bump required Knot DNS version to 2.9

commit babc4033810bed3ae6998fa84fb4d37bd62c5f47
Merge: fdb3d720 c0767654
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Feb 11 11:25:43 2021 +0100

    Merge branch 'http-trace-stability' into 'master'
    
    modules/{http,watchdog}: fix stability problems
    
    See merge request knot/knot-resolver!1136

commit c07676547c037a721e5c842453adc4b8dd43c8ae
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Wed Feb 10 12:56:14 2021 +0100

    modules/{http,watchdog}: fix stability problems
    
    As first noted in commit d1a229ae9, in some cases we do call chains that
    are not supported for JIT in LuaJIT.
    
    I'm not 100% sure all of these are needed to comply, but the functions
    here are really small and probably not to be that heavily used,
    so I don't think it will be costly to interpret them
    (and avoiding crashes is more important).
    
    In my tests this fixed occasional crashes when using http://*/trace/*

commit fdb3d720f425d298d4373a492a970f8ce0834afd
Merge: f38c4400 c6a39048
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Feb 11 10:59:17 2021 +0100

    Merge branch 'knot-3.1' into 'master'
    
    adapt to knot 3.1 changes
    
    See merge request knot/knot-resolver!1134

commit c6a390480371a604f2cedaad29ea187087dd5593
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Dec 22 09:07:27 2020 +0100

    adapt to libknot 3.1 API changes in XDP

commit f38c4400e34b17fcbe70694d3c63efef3f6254cb
Merge: a8368530 cf7ad122
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Feb 9 17:33:00 2021 +0100

    Merge branch 'sonarcloud-fixup' into 'master'
    
    ci: Sonarcloud fixup
    
    See merge request knot/knot-resolver!1135

commit cf7ad122f0b393eaf330dc3cd9c769fbb6819830
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Feb 9 17:13:19 2021 +0100

    ci: fix .gitlabci sonarcloud line folding

commit d33030b95ffed9aa99364cef3de450abb761e40b
Author: Santiago Ruano Rincón <santiagorr@riseup.net>
Date:   Tue Feb 9 14:58:53 2021 +0100

    Snapshot debian/changelog
    
    Gbp-Dch: Ignore

commit d07636820a7f76a00e8814d0fd48f4b2d89b6b95
Author: Santiago Ruano Rincón <santiagorr@riseup.net>
Date:   Tue Feb 9 14:55:38 2021 +0100

    Add Portuguese debconf template translation
    
    Closes: #982329

commit a8368530928d7a0be07128660086bf8df1bdb96e
Merge: 9a854946 9f2b5edd
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Tue Feb 9 14:04:04 2021 +0100

    Merge branch 'sonarcloud' into 'master'
    
    ci: sonarcloud improvements
    
    See merge request knot/knot-resolver!1121

commit 9f2b5edd9a7e86e47a75c99dc10456bc518d490c
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Jan 7 12:23:39 2021 +0100

    ci sonarcloud: add project version (git describe)
    
    and break the overlong line

commit 9a854946c06b6124894f678e07c58d7b7f1e194c
Merge: f9ba4b64 3ad3dca7
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Mon Feb 8 16:41:43 2021 +0100

    Merge branch 'policy.ANSWER' into 'master'
    
    policy.ANSWER: minor fixes, mainly around NODATA answers
    
    See merge request knot/knot-resolver!1129

commit 3ad3dca7b9eec868fdd7f9ec6ad3500e27e18615
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Mon Feb 8 14:34:05 2021 +0100

    doc: fix a tiny typo
    
    Reported on:
    https://gitter.im/CZ-NIC/knot-resolver?at=60213c720eed905f189da4d7

commit a561b0585a92b4a2d03921c06f176377118b8862
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Jan 28 11:37:05 2021 +0100

    policy.ANSWER: minor fixes, mainly around NODATA answers
    
    - return SOA in NODATA answers and allow customizing it
    - only call ensure_answer() if really generating an answer
      (otherwise we might e.g. deplete XDP buffers, in extreme cases)

commit f9ba4b6422cf602ab3a96f8c39cb38122f996343
Merge: a83b7f7d f4f8fde0
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Mon Feb 8 09:55:51 2021 +0100

    Merge !1133: packaging: link to Arch Linux package

commit f4f8fde0709bdcc1911116d6c7c317966bde441d
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Fri Feb 5 18:22:31 2021 +0100

    packaging: link to Arch Linux package
    
    Arch Linux now ships knot-resolver in their repositories, delete
    reference to AUR.
    
    Thanks to daurnimator who adopted the package!

commit a83b7f7d4db0697206e03e736aa2f66fb40ceb64
Merge: 5eec8953 e3bc56ec
Author: Tomas Krizek <tomas.krizek@nic.cz>
Date:   Thu Feb 4 15:24:41 2021 +0100

    Merge branch 'modules-docs' into 'master'
    
    minor module docs fixes
    
    See merge request knot/knot-resolver!1131

commit e3bc56ecd760d9fbd3fe338a02164603ca6f405c
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Feb 4 10:37:42 2021 +0100

    modules/stats: fix README mistake in .set()
    
    Reported on:
    https://gitter.im/CZ-NIC/knot-resolver?at=601ae90e9fa6765ef8f6b408

commit 3b35861ed0e6b9d24fa5d111953a41ba42a69567
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Feb 4 10:08:29 2021 +0100

    modules/prefill: fix README typo
    
    (and regularize indentation)  Reported on:
    https://gitter.im/CZ-NIC/knot-resolver?at=601b36f6aa6a6f319d0235f5

commit 5eec89533229cda904e840cb844a4d18b77af210
Merge: 599f0daa 2cdd2d23
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Feb 2 20:15:09 2021 +0100

    Merge !1130: when FORMERR comes, differentiate based on OPT

commit 2cdd2d234183ad1050e3e00559fc700a0435e8be
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Mon Feb 1 10:09:16 2021 +0100

    when FORMERR comes, differentiate based on OPT
    
    In particular, non-support of EDNS is implied iff FORMERR without OPT
    comes.  If OPT is there, one possibility is that there was something
    wrong in the OPT that *we* sent, but it seems much more likely that
    this particular server is just bad and we want to try another one.
    https://tools.ietf.org/html/rfc6891#section-7
    In particular, we would be in trouble if we dropped OPT in a zone
    that is covered by DNSSEC.

commit a2de00222490a616657c30a5b2766623a9f01aa2
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Mon Feb 1 09:57:46 2021 +0100

    lib/selection: rename to *_FORMERR for consistency
    
    It's now consistent with KNOT_RCODE_FORMERR and the official name
    https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6

commit 599f0daa78b46ed5c6557bdffdefb415c38f7af0
Merge: e52c8dd0 c678c1da
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Thu Jan 28 15:38:56 2021 +0100

    Merge !1128: remove NO_THROTTLE option

commit c678c1dac03a7c9b3053d3086df45cfc1b51c1b9
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Jan 20 12:48:45 2021 +0100

    remove NO_THROTTLE option
    
    It wasn't really used for a long time and became completely obsolete after
    !1030.

commit e52c8dd00ecdcc46aca41eceae9888d82432426b
Merge: e6324fce 96ac3b77
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Jan 27 12:25:55 2021 +0100

    Merge branch 'remove-safemode' into 'master'
    
    Rework iterate.c/selection.c error handling
    
    Closes #640
    
    See merge request knot/knot-resolver!1126

commit 96ac3b772c1307692c9917921a3d56f93b522851
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Jan 27 12:23:48 2021 +0100

    mention MR in NEWS

commit 834875808553f67617c3d3d6f762e1019ad6263a
Author: Vladimír Čunát <vladimir.cunat@nic.cz>
Date:   Tue Jan 26 12:25:09 2021 +0100

    lib/selection: refactor kr_selection_error_str()
    
    This way leaves less room for mistakes, etc.  It's just the idea from:
    https://gitlab.nic.cz/knot/knot-resolver/-/commit/dd0c99bdb6332ba3628833a8543a5f9f33141ddd#note_191580

commit c5885d23e69893715c327e003ae90d63682ea63d
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Mon Jan 25 09:48:57 2021 +0100

    iterate.c: clarify is_authoritative workaround comment

commit aab5be7b71f93e077ddb2cb6cc08595722b812cc
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Fri Jan 22 19:22:20 2021 +0100

    selection: only report RTT if there is an answer
    
    Previously this would pollute the RTT cache with non-sensical
    measurements from unsuccessful TCP connects for example.

commit 9165f0bc78f090f89810cfb47e24fc25daffa246
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Mon Jan 25 10:40:13 2021 +0100

    modules/rebinding: fix module logging to new server selection
    
    Module would crash due to the change of `request->upstream`
    structure.

commit 73650cc12fa67a11e50c9e658b92eb42ad1ffbd9
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Jan 20 19:33:14 2021 +0100

    selection_iter: relax NSNXAttack mitigation
    
    Previously the mitigation would stop some longer benign resolutions.
    We can safely zero the subquery counter when choose a concrete transport
    for the query (i.e. NS name with known IP address).

commit 34b735bdc25b0b4e02d7ac8bb9341f5b90ca4be5
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Jan 20 16:19:18 2021 +0100

    selection: force resolution of new NS name after lame delegation
    
    Lame delegations are weird, they breed more lame delegations on broken
    zones since trying another server from the same set usualy doesn't help.
    We force resolution of another NS name in hope of getting somewhere.

commit 8d42032468e47645307edc245d3ba4e0c3b42736
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Wed Jan 20 11:12:12 2021 +0100

    iterate: interpret empty FORMERR answers correctly
    
    Previously a 12B reply with FORMERR would be treated as malformed
    creating a need for a workaround (switching off EDNS for every malformed
    answer).

commit 01e718b5106e5ab49eda5d0128eaece01a80d02e
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Tue Jan 19 17:03:51 2021 +0100

    bogus_log: fix bogus_log test to new error handling

commit 8ffbf501b040437777e47b62c64dffe13fdf390a
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Tue Jan 19 16:08:22 2021 +0100

    resolve.c: trigger serve stale on NSNXAttack mitigation from kr_resolve_consume

commit 8db64ae2b508de97e702fdc1a00afb047146c37c
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Tue Jan 19 13:39:04 2021 +0100

    iterate.c: don't copy NO_MINIMIZE when following a CNAME
    
    Instead copy it from the request's options.
    
    Reasoning: Minimization might have been turned off as a workaround for
    broken authoritative servers which doesn't support it. There is no
    reason to drop minimization when switching zones when following a CNAME.

commit fb807b8c2d30472838067de43ed5473870bd0107
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Fri Jan 15 00:49:38 2021 +0100

    selection: fix DNSSEC_BOGUS/NSNXAttack mitigation interaction
    
    When cancelling a query due to NSNXAttack mitigation when validator was
    also in BOGUS state, records wouldn't be stripped from the answer.

commit 21ed83e3f5614f7a17d95ea5ef9afb6ee013498f
Author: Štěpán Balážik <stepan.balazik@nic.cz>
Date:   Thu Jan 14 20:09:38 2021 +0100

    selection: better error messages for errors

Created: 2021-02-09 Last update: 2021-04-08 13:35

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-09-16 Last update: 2020-09-16 03:55

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2020-02-28 Last update: 2020-02-28 17:07

testing migrations

excuses:
- Migration status for knot-resolver (5.2.1-1 to 5.3.0-1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
- Issues preventing migration:
- blocked by freeze: autopkgtest not fully successful (Follow the freeze policy when applying for an unblock)
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/k/knot-resolver.html
- autopkgtest for knot-resolver/5.3.0-1: amd64: Pass, arm64: Pass, armhf: Not a regression, i386: Pass, ppc64el: Pass
- 38 days old (needed 20 days)
- Not considered

news

[rss feed]

[2021-03-03] Accepted knot-resolver 5.3.0-1 (source) into unstable (Jakub Ružička) (signed by: Santiago Ruano Rincón)
[2021-01-06] knot-resolver 5.2.1-1 MIGRATED to testing (Debian testing watch)
[2020-12-15] Accepted knot-resolver 5.2.1-1 (source) into unstable (Santiago Ruano Rincón)
[2020-12-07] Accepted knot-resolver 5.2.0-2 (source) into unstable (Santiago Ruano Rincón)
[2020-11-20] Accepted knot-resolver 5.2.0-1 (source) into experimental (Jakub Ružička) (signed by: Santiago Ruano Rincón)
[2020-09-21] knot-resolver 5.1.3-1 MIGRATED to testing (Debian testing watch)
[2020-09-21] knot-resolver 5.1.3-1 MIGRATED to testing (Debian testing watch)
[2020-09-14] Accepted knot-resolver 5.1.3-1 (source) into unstable (Santiago Ruano Rincón)
[2020-08-18] knot-resolver 5.1.2-3 MIGRATED to testing (Debian testing watch)
[2020-08-12] Accepted knot-resolver 5.1.2-3 (source) into unstable (Santiago Ruano Rincón)
[2020-07-31] Accepted knot-resolver 5.1.2-2 (source) into unstable (Santiago Ruano Rincón)
[2020-07-29] Accepted knot-resolver 5.1.2-1 (source) into unstable (Santiago Ruano Rincón)
[2020-07-10] Accepted knot-resolver 5.1.1-1 (source) into unstable (Santiago Ruano Rincón)
[2020-06-14] Accepted knot-resolver 5.1.1-0.1 (source) into unstable (Daniel Baumann)
[2020-02-28] Accepted knot-resolver 5.0.1-2 (source) into unstable (Ondřej Surý)
[2020-02-22] Accepted knot-resolver 5.0.1-1 (source) into unstable (Ondřej Surý)
[2019-08-29] knot-resolver REMOVED from testing (Debian testing watch)
[2019-03-24] Accepted knot-resolver 3.2.1-3~bpo9+1 (source) into stretch-backports->backports-policy, stretch-backports (Daniel Kahn Gillmor)
[2019-03-24] knot-resolver 3.2.1-3 MIGRATED to testing (Debian testing watch)
[2019-03-08] Accepted knot-resolver 3.2.1-3 (source) into unstable (Daniel Kahn Gillmor)
[2019-03-08] Accepted knot-resolver 3.2.1-2 (source) into unstable (Daniel Kahn Gillmor)
[2019-03-07] Accepted knot-resolver 3.2.1-1~bpo9+1 (source amd64 all) into stretch-backports, stretch-backports (Daniel Kahn Gillmor)
[2019-03-03] knot-resolver 3.2.1-1 MIGRATED to testing (Debian testing watch)
[2019-02-21] Accepted knot-resolver 3.2.1-1 (source) into unstable (Ondřej Surý)
[2018-12-31] knot-resolver 3.2.0-1 MIGRATED to testing (Debian testing watch)
[2018-12-23] Accepted knot-resolver 3.2.0-1 (source amd64 all) into unstable, unstable (Daniel Kahn Gillmor)
[2018-12-01] knot-resolver 3.1.0-1 MIGRATED to testing (Debian testing watch)
[2018-11-20] Accepted knot-resolver 3.1.0-1 (source) into unstable (Daniel Kahn Gillmor)
[2018-11-06] knot-resolver 3.0.0-9 MIGRATED to testing (Debian testing watch)
[2018-09-13] knot-resolver REMOVED from testing (Debian testing watch)

bugs [bug history graph]

all: 8
RC: 0
I&N: 8
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 16)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, -)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.2.1-1
6 bugs