Release notes

Version numbering

Version number format is major.minor.patch. Knot Resolver does not use semantic versioning even though the version number looks similar.

Leftmost number which was changed signalizes what to expect when upgrading:

Major version
  • Manual upgrade steps might be necessary, please follow instructions in Upgrading section.

  • Major releases may contain significant changes including changes to configuration format.

  • We might release a new major also when internal implementation details change significantly.

Minor version
  • Configuration stays compatible with the previous version, except for undocumented or very obscure options.

  • Upgrade should be seamless for users who use modules shipped as part of Knot Resolver distribution.

  • Incompatible changes in internal APIs are allowed in minor versions. Users who develop or use custom modules (i.e. modules not distributed together with Knot Resolver) need to double check their modules for incompatibilities. Upgrading section should contain hints for module authors.

Patch version
  • Everything should be compatible with the previous version.

  • API for modules should be stable on best effort basis, i.e. API is very unlikely to break in patch releases.

  • Custom modules might need to be recompiled, i.e. ABI compatibility is not guaranteed.

This definition is not applicable to versions older than 5.2.0.

Knot Resolver 6.0.7 (2024-03-27)


  • manager: clear the cache via management HTTP API (#876, !1491)

  • manager: added support for Python 3.12 and removed for 3.7 (!1502)

  • manager: use build-time install prefix to execute kresd instead of PATH (!1511)

  • docs: documentation is now separated into user and developer parts (!1514)

  • daemon: ignore UDP requests from ports < 1024 (!1507)

  • manager: increase startup timeout for processes (!1518, !1520)

  • local-data: increase default DB size to 2G on 64-bit platforms (!1518)


  • fix listening by interface name containing dashes (#900, !1500)

  • fix kresctl http request timeout (!1505)

  • fix RPZ if it contains apex NS record (!1516)

  • fix RPZ if SOA is repated, as usual in AXFR output (!1521)

  • avoid RPZ overriding the root SOA (!1521)

  • fix on 32-bit systems with 64-bit time_t (!1510)

  • fix paths to knot-dns libs if exec_prefix != prefix (!1503)

  • manager: add missing early check that neither a custom port nor TLS is set for authoritative server forwarding (#902, !1505)

Knot Resolver 6.0.6 (2024-02-13)


  • CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU * validator: lower the NSEC3 iteration limit (150 -> 50) * validator: similarly also limit excessive NSEC3 salt length * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache * validator: limit the amount of work on SHA1 in NSEC3 proofs * validator: refuse to validate answers with more than 8 NSEC3 records

  • CVE-2023-50387 “KeyTrap”: DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.

    We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention.


  • update addresses of (!1478)

  • tweak the default run_dir on non-Linux (!1481)


  • fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)

  • fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497)

Knot Resolver 6.0.5 (2024-01-09)

6.0.x are “early access” versions, not generally recommended for production use.

6.0 contains biggest changes in the history of Knot Resolver releases. You will have to rewrite your configuration. See documentation, in particular: