
Fedora 25: Knot Resolver Update Addresses Security Issues and Enhancements

March 21, 2017
new upstream release + security: Knot Resolver 1.2.0 and higher could return AD flag for insecure answer if the daemon received answer with invalid RRSIG several times in a row

Summary

The Knot DNS Resolver is a caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions.

The package is pre-configured as local caching resolver.

To start using it, just start the local DNS socket:

BEWARE: Because of https://bugzilla.redhat.com/show_bug.cgi?id=1366968 you need to switch your system to SELinux permissive mode.

Update Information:

new upstream release
+ security: Knot Resolver 1.2.0 and higher could return AD flag for insecure answer if the daemon received answer with invalid RRSIG several times in a row.
+ fix: layer/iterate: some improvements in cname chain unrolling
+ fix: layer/validate: fix duplicate records in AUTHORITY section in case of WC expansion proof
+ fix: lua: do *not* truncate cache size to unsigned
+ fix: forwarding mode: correctly forward +cd flag
+ fix: fix a potential memory leak
+ fix: don't treat answers that contain DS non-existence proof as insecure
+ fix: don't store NSEC3 and their signatures in the cache
+ fix: layer/iterate: when processing delegations, check if qname is at or below new authority
+ enhancement: modules/policy: allow QTRACE policy to be chained with other policies
+ enhancement: hints.add_hosts(path): a new property
+ enhancement: module: document the API and simplify the code
+ enhancement: policy.MIRROR: support IPv6 link-local addresses
+ enhancement: poli...

References

Fedora Update Notification
FEDORA-2017-df53d02da7
2017-03-20 22:11:58.760895

Name        : knot-resolver
Product     : Fedora 25
Version     : 1.2.4
Release     : 1.fc25
URL         : https://www.knot-resolver.cz/
Summary     : Caching full DNS Resolver
Description :
The Knot DNS Resolver is a caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions.

The package is pre-configured as local caching resolver. To start using it, just start the local DNS socket:

BEWARE: Because of https://bugzilla.redhat.com/show_bug.cgi?id=1366968 you need to switch your system to SELinux permissive mode.

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade knot-resolver' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Severity
important
