This release contains the fix for PowerDNS Security Advisory 2020-05 (CVE-2020-17482)
Raise an exception on invalid hex content in unknown records.
References: pull request 9499
mydns: add SOA to list() output
References: #9181, pull request 9191
api: add includerings option to statistics endpoint
References: pull request 8786
cache: strictly enforce maximum size, and improve cleanup routine
References: pull request 8736, pull request 9003
fix records ending up in wrong packet section (Kees Monshouwer)
References: pull request 9010
avoid IXFR-in corruption when deltas come in close together (please see the IXFR-in corruption upgrade notes)
References: pull request 9001
fix out-of-bound access for zero length “serialized” string when using lmdbbackend. (Kees Monshouwer)
References: pull request 8612
bind backend: pthread_mutex_t should be inited and destroyed and not be copied
References: pull request 8602
This release fixes several bugs and makes a few features more robust or intuitive. It also contains a few performance improvements for API users.
Add SLAVE-RENOTIFY zone metadata support (Matti Hiljanen)
References: pull request 8549
Add configurable timeout for inbound AXFR (Matti Hiljanen)
References: pull request 8547
Add CentOS 8 as builder target
References: pull request 8428
gmysql backend, add an option to send the SSL capability flag
References: pull request 8341
API: reduce number of database connections (Kees Monshouwer)
References: pull request 8457
Register a few known RR types and remove an unknown one
References: pull request 8546
bindbackend: use metadata for also-notifies as well (Matti Hiljanen)
References: pull request 8548
pdnsutil increase-serial: under SOA-EDIT=INCEPTION-EPOCH, bump as if it is EPOCH
References: #8218, pull request 8508
API: optionally do not return dnssec info in domain list (Chris Hofstaedtler)
References: pull request 8541
Basic validation of $GENERATE parameters
References: pull request 8454
LUA view: do not crash on empty IP list
References: #8572, pull request 8589
API: Accept headers without spaces
References: pull request 8576
Avoid database state-related SERVFAILs after a LUA error
References: #8299, pull request 8570
Just before 4.2.0, some SQL-related fixes broke edit-zone and other features with the LMDB backend. This has been fixed now. (backport by Kees Monshouwer)
References: #8134, pull request 8568
Clear the caches for the entire zone after a patch operation (was apex only). The default default-api-rectify setting was ignored in patchZone(), rectify only took place when the API-RECTIFY metadata was set to “1”. (Kees Monshouwer)
References: pull request 8497
rfc2136, pdnsutil: somewhat improve duplicate record handling
References: #8217, pull request 8507
Compared to the last release candidate, one more bug has been fixed.
The LMDB backend is incomplete in this version. Slaving zones works, loading zones with pdnsutil works, but more fine-grained edits (using edit-zone, or the REST API) fail. We hope to fix this soon in a 4.2.x release.
For an overview of features new since 4.1.x, please see the 4.2.0 announcement blog post.
bind getAllDomains: ignore per-zone exceptions
References: pull request 8229
Thanks to an overwhelming amount of testing by our fabulous user community, this release candidate contains a ton of bug fixes (and a few improvements) compared to the previous one. We hope this has shaken out all of the important bugs, so that we can release 4.2.0 soon!
This release, sadly, cripples the LMDB backend somewhat, due to transaction-related fixes for the SQL backends. We hope to fix this issue before 4.2.0, or otherwise, early in 4.2.x.
web: make max request/response body size configurable
References: pull request 7550
boost.m4 improvements
References: pull request 8172, pull request 8173
add metric for open TCP connections
References: pull request 8126
Various robustness and performance improvements around domain IDs (Kees Monshouwer)
References: pull request 8092
remove unused import to enable compile on illumos (Thomas Mieslinger)
References: pull request 8064
ixfrdist: limit XFR chunk size to 16k
References: pull request 8051
Fix a memory leak when sqlite3_exec() fails
References: pull request 7998
don’t enable the tbhandler when libc only pretends to be glibc (James Taylor)
References: pull request 7980, pull request 8019
Fix a leak on ‘Backend reported permanent error which prevented lookup’ error
References: pull request 8006
Clear CMSG_SPACE(sizeof(data)) in cmsghdr to appease valgrind
References: pull request 7996
deprecate SOA autocomplete in pdnsutil check-zone (Kees Monshouwer)
References: pull request 7918
move /var/lib/pdns to pdns-server debian package
References: pull request 7889
Show newer features in configure output and --version
References: pull request 7890
completely disable the packet when cache-ttl=0 (Kees Monshouwer)
References: pull request 7910
Improve error when notification comes in for non-slave zone
References: pull request 7943
web: add edited_serial to Zone object
References: pull request 7962
Adapt calidns for openbsd and other systems without recvmmsg(2)
References: pull request 7871
DNSName, speed up toString() conversion
References: pull request 7699
packethandler: Compare TSIG key name using DNSName
References: pull request 8168
Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0
References: pull request 8169
Fix SERVFAIL when backend returns empty DNSName
References: pull request 8058
stop using select() in places where FDs can be >1023
References: pull request 8149
pdnsutil increase-serial: set right ordername
References: pull request 8166
use BIGINT for notified_serial in pg schema (Klaus Darilion)
References: pull request 8097
Fix the accounting of servfail-queries in the distributor
References: pull request 8056
limit compression pointers to 14 bits
References: pull request 8028
catch name & IP parse errors during outgoing notify preparations
References: pull request 8037
Make explicit lmdbbackend synchronous option
References: pull request 7807
Reduce mmap size for lmdb on 32 bits plus restrict number of shards
References: pull request 7700
sqlite3: make journal mode configurable; default to WAL
References: pull request 7852
Portability/building improvements:
-latomic is needed instead of hardcoding (neheb)
net-snmp-config --netsnmp-agent-libs instead of --agent-libs
References: pull request 7668, pull request 7818, pull request 7861, pull request 7862
Robustness improvements:
References: pull request 7708, pull request 7864, pull request 7865
Always truncate when the additional records do not fit in a response (Kees Monshouwer)
References: pull request 7873
Remove disable-tcp option
References: pull request 7859
RKEY is missing algorithm field (DNS-Leo)
References: pull request 7615
Ignore Path MTU Discovery on UDP server socket
References: pull request 7410
improve logging in the web server
References: pull request 5932
GSQL: Log more data in error messages
References: pull request 7584
pdnsutil: show DS for second and further keys too
References: #7667, pull request 7801
LMDB improvements:
getAllDomains() (Kees Monshouwer)
References: pull request 7643, pull request 7697, pull request 7784
auth gsql getAllDomains: ignore stou errors
References: pull request 7854
Rectify/ENT fixes:
References: pull request 7787, pull request 7831
Cleanup SOA editing (Kees Monshouwer)
References: pull request 7363
DNSSEC fixes:
References: pull request 7772, pull request 7789
API: mark set-ptr as deprecated (zeha)
References: pull request 7797
add DoH support to sdig
References: pull request 7832
dumresp: add TCP support
References: pull request 7655
pdnsutil, dnswasher: add support for encrypting IP addresses
References: pull request 7481
auth API, pdnsutil: improve backend transaction correctness
References: pull request 7891
detect SOA cache pollution caused by broken backends (Kees Monshouwer)
References: pull request 7881
speedup getUpdatedMasters() for the gsql backends (Kees Monshouwer)
References: pull request 7460
pdns_control reopens geoip databases on reload (jpmens)
References: pull request 7753
b2b-migrate did not open a transaction, breaking it for lmdb
References: pull request 7696
No longer filter DNSSEC metadata when DNSSEC is enabled in gsql
References: pull request 7706
Rectify for ent records in narrow zones was slightly wrong. (Kees Monshouwer)
References: pull request 7580
Clear caches (meta-data, keys) on domain deletion
References: pull request 7529
optionally reuse Lua state
References: pull request 7869, pull request 7897
Various robustness improvements:
References: pull request 7503, pull request 7517, pull request 7569, pull request 7587, pull request 7662, pull request 7790
disable dnssec pre-processing for non dnssec zones and avoid a lot of isSecuredZone() calls (Kees Monshouwer)
References: pull request 7523
rename ‘supermaster’ option to ‘superslave’
References: pull request 7723
Add dnspcap2calidns to convert PCAP to the calidns format.
References: pull request 6564
Add quiet modifier to pdnsutil rectify-all-zones command.
References: pull request 6374
Authoritative LMDB backend.
References: pull request 7453
Adds the glorious log-log histograms.
References: pull request 6969
LUA Records (yes we know it is “Lua”).
References: pull request 6171
LDAP misc updates:
References: #5260, pull request 5821
Remove api-logfile flag and grep API endpoint.
References: pull request 7025
Drop api-readonly configuration setting.
References: pull request 6845
Use a less expensive way to get memory stats for real-memory-usage.
References: pull request 7502
Be smarter about trimming whitespace when creating records from ASCII.
References: pull request 7412
More sandboxing using SystemD’s features.
References: pull request 6634
Fix attempt to restrict / speed-up additional processing to auth zone.
References: pull request 7353
Make pdns_control notify * also notify slaves zones.
References: pull request 7293
Zero out QTYPE response numbers in our statistics. Makes Valgrind usable on auth again.
References: pull request 7348
Improve memory handling for NSEC(3) records with lots of types.
References: pull request 7345
Use a cache-able soa record for the serial check caused by a notify.
References: pull request 7245
dns_random: Implement new dns_random.
References: pull request 5274
Remove theLog and theL and replace this with a global g_log.
References: pull request 6358
Lower ‘packet too short’ loglevel.
References: pull request 6312
Remove all traces of selectmplexer, fix up pollmplexer.
References: pull request 6230
Change from time_t to uint32_t for serial in calculateSOASerial.
References: #1010, pull request 5068
Use toLogString() for logging and throwing.
References: pull request 5979
Remove obsolete EDNS PING code. (@zeha)
References: pull request 6156
Add type filter to search-data api.
References: #5430, pull request 7326
Add rcode response statistics on API.
References: #7357, pull request 7359
Use commas instead of spaces when setting Zone Masters via the REST API.
References: #6451, pull request 7491
Improve RRset validation.
References: pull request 7463
Fix a couple of Swagger / OpenAPI issues.
References: pull request 7286
API: Add TSIG key manipulation endpoints.
References: pull request 5988
Make API changes do a rectify by default, add an option to disable.
References: pull request 7233
Add zone lookup by /zones?zone=example.org.
References: pull request 6668
API export function output change to add IN to the output.
References: pull request 6649
Send correct response codes for the CryptoKey endpoints.
References: #6652, pull request 6662
Return status 409 if domain already exists.
References: pull request 6325
Expose ResponseStats via REST API.
References: pull request 2603
Return 404 for non-existing zones.
References: pull request 6076
check-all-zones: find duplicate zones and SOAs.
References: pull request 6843
calidns: Accurate qps targets.
References: pull request 6774
pdns_control notify: Handle slave w/o renotify properly.
References: pull request 6691
pdnsutil: Occlusion and auth check improvements.
References: pull request 6653
pdnsutil: also load modules through the load-modules directive.
References: pull request 6594
calidns: Add quiet, minimum-success-rate options to use from a script.
References: pull request 6601
calidns: Add an option to read ECS values from the query file, skip comments.
References: pull request 6526
calidns: Add a maximum-qps option to stay at a given stable load.
References: pull request 6525
Add TCP support for ALIAS.
References: pull request 6331
calidns: Add the --ecs parameter to add random ECS values to queries.
References: pull request 6326
Add an --initial-port option to dnsreplay.
References: pull request 6166
Add colour to diff output of pdnsutil.
References: pull request 6063
remotebackend: Implement getUpdatedMasters.
References: #7444, pull request 7448
Report checkKey errors upwards.
References: pull request 7516
ixfrdist: Add option to limit AXFR record count.
References: pull request 6872
Lua records: Add useragent option to ifurlup and set a default.
References: #7393, pull request 7490
Lua: Expose dns_random as pdnsrandom.
References: #6853, pull request 7492
Error on DNSSEC default misconfiguration.
References: pull request 7340
Fallback to SHA1 for the signatures cache if MD5 is not available.
References: pull request 7284
Improved Lua records - Added all selector, and backupSelector fallbacks.
References: pull request 6894
Configure --enable-pdns-option --with-third-party-module.
References: pull request 7026
Address some known LUA Records issues:
DNSName::getRawLabels in lua env,
References: #6693, pull request 6731
Remove out-of-zone-additional-processing setting.
References: pull request 6869
Improve RSA key warnings.
References: pull request 6958
Use unique pointers in the OpenSSL signer.
References: pull request 7069
Store NetmaskTree nodes in a set for faster removal.
References: pull request 6962
ALIAS: Respond SERVFAIL on non-NOERRORs from resolver.
References: pull request 6727
Add support for OpenSSL 1.1.1’s ed25519 and ed448 for signing and verifying.
References: pull request 6910
Add incremental slave-check backoff also for failed AXFR.
References: pull request 6822
Enhance query-logging with timing for MySQL, PostgreSQL and SQLite.
References: pull request 6975
Apply ALIAS scopemask after chasing.
References: pull request 6811
Fix compilation with LibreSSL 2.7.0+.
References: pull request 6948
Remove GOST and Botan support.
References: pull request 6921
Add option send-signed-notify to send NOTIFYs without TSIG signature.
References: pull request 6825
Add the serials when logging the final result of a slave check.
References: pull request 6824
Implement a smarter dedup for filling packets in auth.
References: pull request 6730
luawrapper: Report caught std::exception as lua_error.
References: pull request 6658
Reject duplicate RRsets in patchZone.
References: pull request 6633
Ensure ALIAS answers over TCP have correct name.
References: pull request 6659
Fix some minor issues for presigned (large) bind zones.
References: pull request 6561
bindbackend: Refuse launch suffixes.
References: pull request 6558
Add missing overrides.
References: pull request 6530
Avoid an insane amount of new backend connections during an AXFR.
References: pull request 6427
Add support for MB and MG RR types.
References: pull request 6377
Add actual EDNS buffer size logging, not just our interpretation.
References: pull request 6102
Lua2 backend: This is a rewrite of the lua backend. It uses AuthLua4 as basis and more strongly typed access using LuaContext.
References: pull request 6157
Make requests always return to sender, for usage in multimaster slave zones. Also - made sure that the master that is questioned for updates will be selected randomly, to prevent repeatedly asking a dead master for updates.
References: #3602, pull request 5361
Reject updates if they would lead to CNAME+Other data.
References: pull request 6276
Fix rectify (ordername) for non-DNSSEC zones.
References: pull request 6243
pkcs11signers: Fix yubikey NEO to work.
References: pull request 6278
Make outgoing-query-address and outgoing-query-address6 behaviours equivalent.
References: pull request 6100
GeoIPbackend improvements:
References: #5268, pull request 6128
Fix syntax error for replace-rrset. (@lordievader)
References: pull request 6295
Add XPF support to sdig, PowerDNS Recursor and dnsdist.
References: #5079, #5594, #5654, pull request 6220
Check more thoroughly the source of UDP answers.
References: pull request 5960
Slave cleanups. (@zeha)
References: pull request 6162
pdns: Improve record parsing
References: #2611, pull request 6158
Changes to compile and run on NetBSD.
References: pull request 6146
Forbid creating algo 5/8/10 keys with out-of-spec sizes.
References: pull request 6139
Add Draft of Swagger spec for Authoritative Server HTTP API.
References: #5854, pull request 5862
API: Add response-by-qtype and response-by-rcode on /statistics endpoint
References: #7357, pull request 7359
Several improvements to processing of notifies.
References: pull request 6021
Fix dns_random() always returning 0 when the minimum acceptable value is 0.
References: pull request 7382
Lower udp-truncation-threshold by default to 1232.
References: pull request 7320
Prevent leak of file descriptor if running out of ports for incoming AXFR.
References: pull request 7294
Fix API search failed with “Commands out of sync; you can’t run this command now”.
References: #7545, pull request 7546
Improve handling of out of range modified_at value.
References: #6114, pull request 7488
Prevent more than one CNAME / SOA record in the same RRset.
References: #7277, pull request 7278
Check DNSNames that should be hostnames.
References: pull request 6871
Make sure that we use strict weak records ordering in the API. (Doing this avoids concurrent records / comments iteration from running out of sync.)
References: pull request 6780, pull request 6816
Remove ENTs when “replacing” new records.
References: pull request 6647
Restrict creation of OPT and TSIG rrsets.
References: pull request 6614
Increase serial after DNSSEC related updates.
References: pull request 6571
Fix output order of pdnsutil add-record.
References: pull request 7482
sdig: Handle non-IN class records better.
References: pull request 7148
Dnsscope off-by-one + domain-filter.
References: pull request 7364
pdns_notify: Support hostname for notification.
References: #7319, pull request 7244
Make edit-zone catch zoneparser exceptions as well.
References: pull request 6859
calidns: Don’t issue socket buffer or SCHED_FIFO warnings in quiet mode.
References: pull request 6617
dnsreplay: Bail out on a too small outgoing buffer.
References: pull request 6580
pdnsutil: Use new domain in b2bmigrate.
References: pull request 6559
Link dnspcap2protobuf against librt when needed.
References: pull request 6487
Rather than crash, sheepishly report no file/linenum in pdnsutil.
References: pull request 6354
IXFR: correct behavior of dealing with DNS Name with multiple records; speed up IXFR transaction.
References: pull request 6172
Fix invalid SOA record in MySQL which prevented the authoritative server from starting.
References: #7493, pull request 7496
Avoid infinite loop in mydnsbackend.
References: pull request 7475
Fix listing zones incl. AXFR.
References: pull request 6122
Fix static lookup when using weighted records on multiple record types.
References: pull request 7219
Forbid 0 as weight value.
References: #7219, pull request 7227
Insufficient validation in the HTTP remote backend (CVE-2019-3871, PowerDNS Security Advisory 2019-03)
References: #7573, pull request 7576
Correctly interpret an empty AXFR response to an IXFR query.
References: pull request 7494
Respect packet size limits, even with ECS and TSIG.
References: pull request 7352
Fix dot stripping in setcontent().
References: #7429, pull request 7459
Do not compress the root since LMDB backend cannot set a root zone with a compressible SOA record.
References: #7471, pull request 7472
Avoid duplicate NSEC3 records in presigned zones in LMDB backend.
References: #7453, pull request 7470
Fix replying from ANY address for non-standard port.
References: pull request 7341
Fix a few off-by-one errors.
References: pull request 7288
On incoming NOTIFY load our serial from backend to have it available during slave-check. Also log ourserial to ease debugging.
References: #6821, pull request 6823
Remove autoserial from the Authoritative Server. Serial 0 was a little bit too special in PowerDNS.
References: #1355, #1366, pull request 6838
Handle ANY queries with Lua records.
References: pull request 7228
geoip: properly delete libGeoIP return values.
References: pull request 7217
SOA-check: reject NXDOMAIN response and check label of RR against qname.
References: pull request 7067
Fix carbon-instance / carbon-namespace inconsistencies.
References: pull request 7201
Fix up the BIND config files on upgrade.
References: pull request 7134
geoipbackend: Handle read error for config file.
References: pull request 7024
Make sure we escape 127 in TXT records.
References: pull request 7017
Add support for NONE SOA-EDIT kind.
References: pull request 4598
Respond correctly to DS query at delegation in unsigned zone.
References: pull request 6923
Release memory in case of error in the OpenSSL ECDSA constructor.
References: pull request 6917
Actually truncate truncated responses.
References: #6912, pull request 6913
RFC2136 fixes.
References: pull request 6858
Remove SOA-check backoff on incoming NOTIFY and fix d_lock handling.
References: pull request 6857
check-zone: allow null MX, SRV.
References: pull request 6834
Workaround MariaDB pretending to be MySQL.
References: pull request 6844
Reset the TSIG state between queries.
References: pull request 6738
Only parse resolv.conf once - this avoids race conditions.
References: pull request 6495
Sign CDS/CDNSKEY RRsets with the KSK.
References: pull request 6655
Initialize some missed qtypes: WKS, SMIMEA.
References: pull request 6686
geoipbackend: Check GeoIP_id_by_addr_gl and GeoIP_id_by_addr_v6_gl return value.
References: pull request 6677
stubresolver: Improve locking.
References: pull request 6499
gmysql: Use future-proof statement for transaction isolation.
References: pull request 6648
Geoip: Fix poisoning of cache when hit service’s default network. Also includes an optimization to make lookups faster.
References: #6584, pull request 6585
Avoid interleaved access to B (via d_dk). Before this patch, the meta lookup would interfere with the already-started B.lookup. This caused failures with odbc/MSSQL.
References: pull request 6531
Add return 0 for correct exit of set-kind and set-account.
References: pull request 6481
Recheck serial when AXFR is done.
References: pull request 6484
Report unparsable data in stoul invalid_argument exception.
References: pull request 6396
Fix handling of user defined AXFR filters return values.
References: pull request 6370
Reload /etc/resolv.conf when modified.
References: #6263, pull request 6342
Make check-zone error on rows that have content but shouldn’t.
References: pull request 6297
bindbackend: handle std::exception during startup zone-parsing.
References: pull request 6152
gmysql-backend: set unsigned attribute on notified_serial column.
References: #5915, pull request 6019
Escaping unusual DNS label octets in DNSName is off by one.
References: pull request 6018
Update EDNS Option code list.
References: pull request 6155
Remove serializeSOAData, refactor calculate/edit/increaseSOA.
References: pull request 4547
Add methods missing from AuthLua4 when Lua support is disabled.
References: pull request 6132
Init openssl and libsodium before chrooting in pdnsutil.
References: pull request 6129
Fix uninitialized index in Lua’s DNSPacket::getRRS() binding.
References: pull request 6107
Fix out of bounds exception in CAA processing.
References: #6089, pull request 6103
Forbid label compression in ALIAS wire format.
References: #6028, pull request 6029
pdnsutil.1 & settings:
References: pull request 7187
Name threads in the programs.
References: pull request 6997
dnsreplay: Add more checks against bogus PCAP.
References: pull request 6582
geoipbackend: Allow empty content for ENT record.
References: #7195, pull request 7196
Add namespace and instance variable to carbon key.
References: #2362, #6951, pull request 6959
LuaWrapper: Disable maybe uninitialized warnings with boost optional.
References: pull request 6769
Improve tests and two bugfixes:
(@stbuehler)
References: #6101, #6120, pull request 6124