Knot Resolver 4.0.0 released

Incompatible changes

  • see upgrading guide:
  • configuration: trust_anchors aliases .file, .config() and .negative were removed (!788)
  • configuration: trust_anchors.keyfile_default is no longer accessible (!788)
  • daemon: -k/--keyfile and -K/--keyfile-ro options were removed
  • meson build system is now used for builds (!771)
  • build with embedded LMDB is no longer supported
  • default modules dir location has changed
  • DNSSEC is enabled by default
  • upstream packages for Debian now require systemd
  • libknot >= 2.8 is required
  • net.list() output format changed (#448)
  • net.listen() reports error when address-port pair is in use
  • bind to DNS-over-TLS port by default (!792)
  • stop versioning libkres library
  • default port for web management and APIs changed to 8453


Improvements

  • policy.TLS_FORWARD: if hostname is configured, send it on wire (!762)
  • hints module: allow configuring the TTL and change default from 0 to 5s
  • policy module: policy.rpz() will watch the file for changes by default
  • packaging: lua cqueues added to default dependencies where available
  • systemd: service is no longer auto-restarted on configuration errors
  • always send DO+CD flags upstream, even in insecure zones (#153)
  • cache.stats() output is completely new; see docs (!775)
  • improve usability of table_print() (!790, !801)
  • add DNS-over-HTTPS support (#280)
  • docker image supports and exposes DNS-over-HTTPS


Bugfixes

  • predict module: load stats module if config didn't specify period (!755)
  • trust_anchors: don't do 5011-style updates on anchors from files that were loaded as unmanaged trust anchors (!753)
  • trust_anchors.add(): include these TAs in .summary() (!753)
  • policy module: support '#' for separating port numbers, for consistency
  • fix startup on macOS+BSD when </dev/null and cqueues installed
  • policy.RPZ: log problems from zone-file level of parser as well (#453)
  • fix flushing of messages to logs in some cases (notably systemd) (!781)
  • fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
  • fix crash when dealing with unknown TA key algorithm (#449)
  • go insecure due to algorithm support even if DNSKEY is NODATA (!798)
  • fix MAC addresses in the output of net.interfaces() command (!804)
  • http module: fix too early renewal of ephemeral certificates (!808)

Module API changes

  • kr_straddr_split() changed API a bit (compiler will catch that)
  • C modules defining *_layer or *_props symbols need to change a bit. See the upgrading guide for details. It's detected on module load.