Knot Resolver 3.2.0 released

New features

  • module edns_keepalive to implement server side of RFC 7828 (#408)
  • module nsid to implement server side of RFC 5001 (#289)
  • module bogus_log provides .frequent() table (!629, credit Ulrich Wisser)
  • module stats collects flags from answer messages (!629, credit Ulrich Wisser)
  • module view supports multiple rules with identical address/TSIG specification and keeps trying rules until a "non-chain" action is executed (!678)
  • module experimental_dot_auth implements an DNS-over-TLS to auth protocol (!711, credit Manu Bretelle)
  • net.bpf bindings allow advanced users to use eBPF socket filters


  • http module: only run prometheus in parent process if using --forks=N, as the submodule collects metrics from all sub-processes as well.
  • TLS fixes for corner cases (!700, !714, !716, !721, !728)
  • fix build with -DNOVERBOSELOG (#424)
  • policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
  • avoid SERVFAILs due to certain kind of NS dependency cycles, again (#374) this time seen as 'circular dependency' in verbose logs
  • policy and view modules do not overwrite result finished requests (!678)


  • Dockerfile: rework, basing on Debian instead of Alpine
  • policy.{FORWARD,TLS_FORWARD,STUB}: give advantage to IPv6 when choosing whom to ask, just as for iteration
  • use pseudo-randomness from gnutls instead of internal ISAAC (#233)
  • tune the way we deal with non-responsive servers (!716, !723)
  • documentation clarifies interaction between policy and view modules (!678, !730)

Module API changes

  • new layer is added: answer_finalize
  • kr_request keeps ::qsource.packet beyond the begin layer
  • kr_request::qsource.tcp renamed to ::qsource.flags.tcp
  • kr_request::has_tls renamed to ::qsource.flags.tls
  • kr_zonecut_add(), kr_zonecut_del() and kr_nsrep_sort() changed parameters slightly