Knot Resolver 1.3.3 released

Knot Resolver 1.3.3 has been released.


  • Fix a critical DNSSEC flaw. Signatures might be accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it, assuming the trust chain to that DNSKEY was valid.


  • iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
  • utils: fix possible incorrect seeding of the random generator
  • modules/http: fix compatibility with the Prometheus text format


  • policy: implement remaining special-use domain names from RFC6761 (#205), and make these rules apply only if no other non-chain rule applies