Knot Resolver 1.2.4 (2017-03-09)
================================

Security
--------
- Knot Resolver 1.2.0 and higher could return AD flag for insecure
  answer if the daemon received answer with invalid RRSIG several
  times in a row.

Improvements
------------
- modules/policy: allow QTRACE policy to be chained with other
  policies
- hints.add_hosts(path): a new property
- module: document the API and simplify the code
- policy.MIRROR: support IPv6 link-local addresses
- policy.FORWARD: support IPv6 link-local addresses
- add net.outgoing_{v4,v6} to allow specifying address to use for
  connections

Bugfixes
--------
- layer/iterate: some improvements in cname chain unrolling
- layer/validate: fix duplicate records in AUTHORITY section in case
  of WC expansion proof
- lua: do *not* truncate cache size to unsigned
- forwarding mode: correctly forward +cd flag
- fix a potential memory leak
- don't treat answers that contain DS non-existance proof as insecure
- don't store NSEC3 and their signatures in the cache
- layer/iterate: when processing delegations, check if qname is at or
  below new authority


Knot Resolver 1.2.3 (2017-02-23)
================================

Bugfixes
--------
- Disable storing GLUE records into the cache even in the
  (non-default) QUERY_PERMISSIVE mode
- iterate: skip answer RRs that don't match the query
- layer/iterate: some additional processing for referrals
- lib/resolve: zonecut fetching error was fixed


Knot Resolver 1.2.2 (2017-02-10)
================================

Bugfixes:
---------
- Fix -k argument processing to avoid out-of-bounds memory accesses
- lib/resolve: fix zonecut fetching for explicit DS queries
- hints: more NULL checks
- Fix TA bootstrapping for multiple TAs in the IANA XML file

Testing:
--------
- Update tests to run tests with and without QNAME minimization


Knot Resolver 1.2.1 (2017-02-01)
====================================

Security:
---------
- Under certain conditions, a cached negative answer from a CD query
  would be reused to construct response for non-CD queries, resulting
  in Insecure status instead of Bogus.  Only 1.2.0 release was affected.

Documentation
-------------
- Update the typo in the documentation: The query trace policy is
  named policy.QTRACE (and not policy.TRACE)

Bugfixes:
---------
- lua: make the map command check its arguments


Knot Resolver 1.2.0 (2017-01-24)
====================================

Security:
---------
- In a policy.FORWARD() mode, the AD flag was being always set by mistake.
  It is now cleared, as the policy.FORWARD() doesn't do DNSSEC validation yet.

Improvements:
-------------
- The DNSSEC Validation has been refactored, fixing many resolving
  failures.
- Add module `version` that checks for updates and CVEs periodically.
- Support RFC7830: EDNS(0) padding in responses over TLS.
- Support CD flag on incoming requests.
- hints module: previously /etc/hosts was loaded by default, but not anymore.
  Users can now actually avoid loading any file.
- DNS over TLS now creates ephemeral certs.
- Configurable cache.{min,max}_tll option, with max_ttl defaulting to 6 days.
- Option to reorder RRs in the response.
- New policy.QTRACE policy to print packet contents

Bugfixes:
---------
- Trust Anchor configuration is now more robust.
- Correctly answer NOTIMPL for meta-types and non-IN RR classes.
- Free TCP buffer on cancelled connection.
- Fix crash in hints module on empty hints file, and fix non-lowercase hints.

Miscelaneous:
-------------
- It now requires knot >= 2.3.1 to link successfully.
- The API+ABI for modules changed slightly.
- New LRU implementation.


Knot Resolver 1.1.1 (2016-08-24)
================================

Bugfixes:
---------
 - Fix 0x20 randomization with retransmit
 - Fix pass-through for the stub mode
 - Fix the root hints IPv6 addresses
 - Fix dst addr for retries over TCP

Improvements:
-------------
 - Track RTT of all tried servers for faster retransmit
 - DAF: Allow forwarding to custom port
 - systemd: Read EnvironmentFile and user $KRESD_ARGS
 - systemd: Update systemd units to be named after daemon


Knot Resolver 1.1.0 (2016-08-12)
================================

Improvements:
-------------
 - RFC7873 DNS Cookies
 - RFC7858 DNS over TLS
 - HTTP/2 web interface, RESTful API
 - Metrics exported in Prometheus
 - DNS firewall module
 - Explicit CNAME target fetching in strict mode
 - Query minimisation improvements
 - Improved integration with systemd


Knot Resolver 1.0.0 (2016-05-30)
================================

Initial release:
----------------
 - The first initial release
