Changelogs for 4.1.x


Released: September 2nd 2020

This release contains the fix for PowerDNS Security Advisory 2020-05 (CVE-2020-17482)

Bug Fixes


Released: August 9th 2019

This is a bugfix release for high traffic setups using the pipebackend or remotebackend.

Bug Fixes


Released: 4.1.12 was skipped due to a packaging issue.


Released: August 1st 2019

This release contains the updated PostgreSQL schema for PowerDNS Security Advisory 2019-06 (CVE-2019-10203).

Upgrading is not enough - you need to manually apply the schema change: ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;
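One way to check whether the schema change above is still pending and then apply it inside a transaction. This is an added example, not taken from the PowerDNS project; it assumes the gpgsql tables are reachable through the current search_path and that the table is named domains, as in the statement above.

```sql
-- Added example: verify and apply the notified_serial schema change.
-- Assumption: the PowerDNS gpgsql schema is in the current search_path.

-- 1. Check the current column type.
--    'integer' = change still pending, 'bigint' = already applied.
SELECT table_schema, data_type
FROM information_schema.columns
WHERE table_name = 'domains'
  AND column_name = 'notified_serial';

-- 2. Apply the change from the release notes inside a transaction so it
--    can be rolled back if the follow-up check looks wrong.
BEGIN;

ALTER TABLE domains
  ALTER notified_serial TYPE bigint
  USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;

-- The CASE has no ELSE branch, so any negative stored value becomes NULL.
-- This count also includes rows that were NULL before the change.
SELECT count(*) AS null_serials
FROM domains
WHERE notified_serial IS NULL;

-- 3. Confirm the new type before committing.
SELECT data_type
FROM information_schema.columns
WHERE table_name = 'domains'
  AND column_name = 'notified_serial';

COMMIT;
```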

Bug Fixes


Released: June 21st 2019

This release and 4.1.9 together fix the following security advisories:

  • PowerDNS Security Advisory 2019-04 (CVE-2019-10162)
  • PowerDNS Security Advisory 2019-05 (CVE-2019-10163)

Bug Fixes

  • Do not exit on exception parsing names of name servers to notify.

    References: pull request 7964


Released: June 19th 2019

New Features

Bug Fixes

  • Do not exit on exception resolving addresses to notify.

    References: pull request 7663

  • Avoid very busy looping on lots of notifies.

    References: pull request 7829

  • In gsql getAllDomainMetadata, actually get all domain metadata. This makes DNSSEC metadata work with pdnsutil b2b-migrate.

    References: pull request 7921


Released: March 22nd 2019

Bug Fixes


Released: March 18th 2019

This release fixes the following security advisory:

  • PowerDNS Security Advisory 2019-03 (CVE-2019-3871)

Bug Fixes

  • Insufficient validation in the HTTP remote backend (CVE-2019-3871, PowerDNS Security Advisory 2019-03)

    References: pull request 7577


Released: January 31st 2019

Bug Fixes


Released: November 6th 2018

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-05 (CVE-2018-14626)


Bug Fixes


Released: August 29th 2018


Bug Fixes

  • Avoid concurrent records/comments iteration from running out of sync.

    References: pull request 6780

  • Fix a crash in the API when adding records

    References: pull request 6816

  • pdns_control notify: handle slave without renotify properly. (Chris Hofstaedtler)

    References: #4457, pull request 6691

  • Reset the TSIG state between queries.

    References: #6736, pull request 6738

  • Remove SOA-check backoff on incoming notify and fix lock handling. (Klaus Darilion)

    References: pull request 6857

  • Fix an issue where, when updating a record via DNS-UPDATE in a child zone that also exists in the parent zone, we would incorrectly apply the update to the parent zone.

    References: pull request 6858

  • Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl return value. (Aki Tuomi)

    References: #6676, pull request 6677


Released: 24th of May 2018

This release contains several small fixes to the GeoIP backend. The most prominent fix is one where the backend would be slow when thousands of network masks were configured for services.


Bug Fixes


Released: 8th of May 2018

This is the third release in the 4.1 train. Besides bug fixes, it contains some performance and usability improvements.


Bug Fixes



Released: 16th of February 2018

This is the second release in the 4.1 train.

This is a bug-fix only release, with fixes to the LDAP and MySQL backends, the pdnsutil tool, and PDNS internals.

Changes since 4.1.1:

Bug Fixes


Released: 30th of November 2017

This is the first release in the 4.1 train.

The full release notes can be read on the blog.

The 4.1 release is a major upgrade for the Authoritative Server featuring many improvements and speedups:

  • Improved performance: 400% speedup in some scenarios,
  • Crypto API: DNSSEC fully configurable via RESTful API,
  • Improved documentation,
  • Database related improvements,
  • Enhanced tooling,
  • Support for TCP Fast Open,
  • Support for non-local bind,
  • Support for Botan 2.x (and removal of support for Botan 1.10),
  • Our packages now ship with PKCS #11 support.

Recursor passthrough removal: This will impact many installations, and we realize this may be painful, but it is necessary. Previously, the PowerDNS Authoritative Server contained a facility for sending recursion desired queries to a resolving backend, possibly after first consulting its local cache. This feature (‘recursor=’) was frequently confusing and also delivered inconsistent results, for example when a query ended up referring to a CNAME that was outside of the Authoritative Server’s knowledge. To read more about this please see the blog post mentioned above or read the migration guide.

Changes since 4.1.0-rc3:

Removed Features

  • Remove deprecated SOA-EDIT values: INCEPTION and INCEPTION-WEEK.

    References: pull request 6004


Bug Fixes


Released: 17th of November 2017

This is the third release candidate of the PowerDNS Authoritative Server in the 4.1 release train.

This release features various bug fixes and some improvements to pdnsutil.

New Features

  • Make it possible to disable DNSSEC via the API; this is equivalent to running pdnsutil disable-dnssec.

    References: #5909, #5910, pull request 5936

  • Add add-meta command to pdnsutil that can be used to append to existing metadata without clobbering it.

    References: #5853, pull request 5883


Bug Fixes

  • Use _exit() when we really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.

    References: pull request 5917

  • Fix messages created by pdnsutil generate-tsig-key.

    References: #5849, pull request 5884

  • Add back missing output details to rectifyZone.

    References: #5903, pull request 5928

  • Use 302 redirects in the webserver for ringbuffer reset or resize. With the current 301 redirect it is only possible to reset or resize once: every subsequent duplicate action is replaced by the destination cached in the browser.

    References: pull request 5905


Released: 3rd of November 2017

This is the second release candidate of the PowerDNS Authoritative Server in the 4.1 release train.

This release has several performance improvements, stability and correctness fixes.

New Features

  • Rectify zones via the API. (Nils Wisiol)

    • Move the pdnsutil rectification code to the DNSSECKeeper
    • Generate DNSSEC keys for a zone when “dnssec” is true in an API POST/PATCH for zones
    • Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
    • Allow setting this metadata via the “api-rectify” param in a Zone object
    • Show “nsec3param” and “nsec3narrow” in Zone API responses
    • Add an “rrsets” request parameter for a zone to skip sending RRSets in the response
    • Add rectify endpoint in the API

    References: #3417, #5712, pull request 5779

  • Add PKCS#11 support to packages on Operating Systems that support it.

    References: pull request 5665


  • Add support for Botan 2.x and drop support for Botan 1.10 (the latter thanks to Kees Monshouwer).

    References: #2250, #5734, #5797, #5889, pull request 5498

  • Fix issues when b2b-migrating from the BIND backend to a database:

    • No masters were set in the target db (#5807)
    • Only the last master in the list of masters would be added to the target database
    • The BIND backend was not fully aware of native zones

    References: #5115, #5807, pull request 5810

  • Add support for new record types to the LDAP backend.

    References: pull request 5584

  • Add log-timestamp option. This option can be used to disable printing timestamps to stdout, which is useful when using systemd-journald or another supervisor that timestamps stdout by itself, as the logs will then not have 2 timestamps.

    References: pull request 5842

  • Stop doing individual RRSIG queries during outbound AXFR. (Kees Monshouwer)

    References: #5767, pull request 5838

Bug Fixes

  • Improve trailing dot handling internally, which led to a segfault in pdnsutil before.

    References: #5673, pull request 5684

  • Treat requestor’s payload size lower than 512 as equal to 512. Before, we did not follow RFC 6891 section 6.2.3 correctly.

    References: pull request 5678

  • Correctly purge entries from the caches after a transfer. Since the QC/PC split up, we only removed entries for the AXFR’d domain from the packet cache, not the query cache. We also did not remove entries in case of IXFR.

    References: #5767, pull request 5766

  • When throwing because of bogus content in the tinydns database, report the offending name+type so the admin can find the offending record.

    References: pull request 5791

  • For zone PATCH requests, add new X-PDNS-Old-Serial and X-PDNS-New-Serial response headers with the zone serials before and after the changes.

    References: pull request 5696

  • Make default options singular and use defaults in Cryptokey API-endpoint

    References: pull request 5704

  • Remove printing of DS records from pdnsutil export-zone-dnskey. This was not only inconsistent behaviour but also done incorrectly.

    References: #5719, pull request 5729

  • Make bindbackend startTransaction return false when it has failed. (Aki Tuomi)

    References: pull request 5702

  • Log the needed size when a MySQL result was truncated.

    References: #5675, pull request 5820

  • Remove “” around secpoll result which fixes pdns_control show security-status not working.

    References: #5692, pull request 5710

  • Make the auth also publish CDS/CDNSKEY records for inactive keys, as this is needed to roll without double sigs.

    References: #5721, pull request 5722

  • Fix a crash when getting a public GOST key if the private one is not set.

    References: pull request 5734

  • Ignore SOA-EDIT for PRESIGNED zones.

    References: pull request 5815


Released: 31st of August 2017

This is the first release candidate of the PowerDNS Authoritative Server in the 4.1 release train.

New Features

Removed Features


  • Revamp and clean label compression code. Speeds up large packet creation by ~40%.

    References: pull request 4373

  • Apply non-local-bind to query-local-address and query-local-address6 when possible.

    References: #4299, pull request 4332

  • A number of fixes and improvements that are difficult to untangle:

    • Remove the ASCII DNSResourceRecord from the hot path of packet assembly.
    • Hash the storage of records in the BindBackend.
    • Hash the packetcache.
    • Fix some bugs in the LDAP backend and in the MyDNS backend.
    • Make the randombackend go ‘native’ and directly supply records that can be sent to packets
    • The performance benefit of this PR is measured in “factors” for being a root-server.

    References: pull request 4467, pull request 4492

  • Improve cleaning, remove an unnecessary lock and improve performance of the packetcache (Kees Monshouwer).

    References: #4503, pull request 4504

  • Improve SOA records caching (Kees Monshouwer).

    References: pull request 4485

  • Make sure AXFR only deletes records from a SLAVE domain in a multi backend setup (Kees Monshouwer).

    References: pull request 4829

  • Tidy up UeberBackend (Chris Hofstaedtler).

    References: pull request 4908

  • Improve API performance by instantiating only one DNSSECKeeper per request.

    References: pull request 4944

  • Incremental backoff for failed slave checks.

    When a SOA record for a slave domain can’t be retrieved, use an increasing interval between checking the domain again. This prevents hammering down on already busy servers.

    References: #349, #602, pull request 4953

  • Remove d_place from DNSResourceRecord (Chris Hofstaedtler).

    References: pull request 4549

  • Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer).

    References: pull request 5169

  • Use the resolver setting for the stub resolver, use resolv.conf as fallback.

    References: #4655, pull request 5112

  • Re-implement the AXFR Filter with LuaContext (Aki Tuomi).

    References: pull request 5250

  • Allow control socket to listen on IPv6 (@Gibheer).

    References: pull request 5387

  • Fix typo in two log messages (Ruben Kerkhof).

    References: pull request 5523

  • Update YaHTTP (to fix a warning reported by Coverity).

    References: pull request 5542

  • Clarify how we check the return value of std::string::find() (reported by Coverity).

    References: pull request 5541

  • Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers.

    References: pull request 5543

  • SSql: Use unique_ptr for statements (Aki Tuomi).

    References: pull request 4692

  • Fix libatomic detection on ppc64 (Sander Hoentjen).

    References: pull request 5599

  • Switch the default webserver’s ACL to “, ::1”.

    References: pull request 5588

  • NOTIMP is only appropriate for an unsupported opcode (Kees Monshouwer).

    References: pull request 5611

  • Catch DNSName exception in the Zoneparser.

    References: pull request 5641

  • Listen on during regression tests (@tcely).

    References: pull request 5583

  • Enable the webserver when api is ‘yes’ (Chris Hofstaedtler).

    References: #4290, pull request 4408

  • Prevent sending nameservers list and zone-level NS in rrsets in the API (Chris Hofstaedtler).

    References: #4132, pull request 4751

  • Forbid mixing CNAMEs and other RRSets in the API (Christian Hofstaedtler).

    References: #5305, pull request 5389

  • Prevent duplicate records in single RRset (Chris Hofstaedtler).

    References: pull request 4195

  • Implement subcommand printing all KSK DS records in pdnsutil (Jonas Wielicki).

    References: #4005, pull request 4007

  • Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).

    References: pull request 4584

  • Print “$ORIGIN .” on pdnsutil list-zone, so the output can be used in pdnsutil load-zone (Tuxis Internet Engineering).

    References: pull request 4719

  • pdnsutil: clarify error message when set-presigned fails with DNSSEC disabled (Peter Thomassen).

    References: pull request 4478

  • pdnsutil: Validate names with address records to be valid hostnames (Håkan Lindqvist).

    References: pull request 3913

  • Correct pdnsutil help output for add-zone-key.

    References: pull request 5118

  • Check for valid hostnames in SRV, NS and MX records.

    References: #512, pull request 5062

  • Disable ALIAS expansion by default.

    References: #5119, pull request 5182

  • Make the zone parser adhere to RFC 2308 with regards to implicit TTLs.

    Existing zone files may now be interpreted differently. Specifically, where we previously used the SOA minimum field for the default TTL if none was set explicitly, or no $TTL was set, we now use the TTL from the previous line.

    References: pull request 5094

  • mydnsbackend: Initialize d_query_stmt (Aki Tuomi).

    References: pull request 5605

  • Enable setting custom pgsql connection parameters, like TLS parameters (Tarjei Husøy).

    References: pull request 4711

  • Use pkg-config to detect PostgreSQL libraries.

    References: #2358, #5193, pull request 5121, pull request 5221

  • Use BIGSERIAL for in the gpgsql backend (Arsen Stasic).

    References: pull request 5426

  • Ship ldapbackend schema files in tarball (Chris Hofstaedtler).

    References: pull request 5509

  • Add ability to have service record for apex record and any other static record (Aki Tuomi).

    References: pull request 5548

  • Report query statistics as full numbers, not scientific notation in the webserver.

    References: #1844, pull request 5116

  • Schema changes for MySQL / MariaDB and PostgreSQL for storage requirements of various versions (Kees Monshouwer).

    References: pull request 5518

Bug Fixes