Changelogs for 4.0.x ==================== This page has all the changelogs for the PowerDNS Recursor 4.0 release train. **Note**: 4.0.x and earlier releases are End of Life and no longer supported. See :doc:`EOL Statements <../appendices/EOL>`. PowerDNS Recursor 4.0.9 ----------------------- Released 6th of November 2018 This release fixes the following security advisories: - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`: Crafted answer can cause a denial of service (CVE-2018-10851) - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`: Packet cache pollution via crafted query (CVE-2018-14626) - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`: Crafted query for meta-types can cause a denial of service (CVE-2018-14644) Bug fixes ^^^^^^^^^ - `#7152 `__: Crafted answer can cause a denial of service (CVE-2018-10851) - `#7152 `__: Packet cache pollution via crafted query (CVE-2018-14626) - `#7152 `__: Crafted query for meta-types can cause a denial of service (CVE-2018-14644) PowerDNS Recursor 4.0.8 ----------------------- Released 11th of December 2017 This release fixes PowerDNS Security Advisory :doc:`2017-08 <../security-advisories/powerdns-advisory-2017-08>`. Bug fixes ^^^^^^^^^ - `#5930 `__: Don't assume TXT record is first record for secpoll - `#6082 `__: Don't add non-IN records to the cache PowerDNS Recursor 4.0.7 ----------------------- Released 27th of November 2017 This release fixes PowerDNS Security Advisories :doc:`2017-03 <../security-advisories/powerdns-advisory-2017-03>`, :doc:`2017-05 <../security-advisories/powerdns-advisory-2017-05>`, :doc:`2017-06 <../security-advisories/powerdns-advisory-2017-06>` and :doc:`2017-07 <../security-advisories/powerdns-advisory-2017-07>`. Bug fixes ^^^^^^^^^ - `#4561 `__: Update rec_control manpage (Winfried Angele) - `#4824 `__: Check in the detected OpenSSL/libcrypto for ECDSA - `#5406 `__: Make more specific Netmasks < to less specific ones - `#5525 `__: Fix validation at the exact RRSIG inception or expiration time - `#5740 `__: Lowercase all outgoing qnames when lowercase-outgoing is set - `#5599 `__: Fix libatomic detection on ppc64 - `#5961 `__: Edit configname definition to include the 'config-name' argument (Jake Reynolds) - `#5995 `__: Security Advisories :doc:`2017-03 <../security-advisories/powerdns-advisory-2017-03>`, :doc:`2017-05 <../security-advisories/powerdns-advisory-2017-05>`, :doc:`2017-06 <../security-advisories/powerdns-advisory-2017-06>` and :doc:`2017-07 <../security-advisories/powerdns-advisory-2017-07>`. Improvements ^^^^^^^^^^^^ - `#4646 `__: Extract nested exception from Luawrapper - `#4960 `__: Use explicit yes for default-enabled settings (Chris Hofstaedtler) - `#5078 `__: Throw an error when lua-conf-file can't be loaded - `#5261 `__: get-remote-ring's "other" report should only have two items. (Patrick Cloke) - `#5320 `__: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask - `#5488 `__: Only increase `no-packet-error` on the first read - `#5498 `__: Add support for Botan 2.x - `#5511 `__: Add more information to recursor cache dumps - `#5523 `__: Fix typo in two log messages (Ruben Kerkhof) - `#5598 `__: Add help text on autodetecting systemd support - `#5726 `__: Be more resilient with broken auths - `#5739 `__: Remove pdns.PASS and pdns.TRUNCATE - `#5755 `__: Improve dnsbulktest experience in travis for more robustness - `#5762 `__: Create socket-dir from init-script - `#5843 `__: b.root renumbering, effective 2017-10-24 - `#5921 `__: Don't retry security polling too often when it fails PowerDNS Recursor 4.0.6 ----------------------- Released 6th of July 2017 This release features a fix for the ed25519 verifier. This verifier hashed the message before verifying, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf. Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes. Note that this release changes :ref:`setting-use-incoming-edns-subnet` to disabled by default. Bug fixes ^^^^^^^^^ - `commit c24288b87 `__: Use the incoming ECS for cache lookup if :ref:`setting-use-incoming-edns-subnet` is set - `commit b91dc6e92 `__: when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks. - `commit 261591b6f `__: Don't take the initial ECS source for a scope one if EDNS is off - `commit 66f894b7a `__: also set ``d_requestor`` without Lua: the ECS logic needs it - `commit c2086f265 `__: Fix IXFR skipping the additions part of the last sequence - `commit a5c9534d0 `__: Treat requestor's payload size lower than 512 as equal to 512 - `commit 61b1ea2f4 `__: make URI integers 16 bits, fixes `ticket #5443 `__ - `commit 27f9da3c2 `__: unbreak quoting; fixes `ticket #5401 `__ Improvements ^^^^^^^^^^^^ - `commit 2325010e6 `__: with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility. - `commit 2ec8d8148 `__: Remove just enough entries from the cache, not one more than asked - `commit 71df15677 `__: Move expired cache entries to the front so they are expunged - `commit d84834c4c `__: changed IPv6 addr of b.root-servers.net (Arsen Stasic) - `commit bcce047bc `__: e.root-servers.net has IPv6 now (phonedph1) - `commit cef8ec7c2 `__: hello decaf signers (ED25519 and ED448) Testing algorithm 15: 'Decaf ED25519' ->'Decaf ED25519' -> 'Decaf ED25519' Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: 'Decaf ED448' ->'Decaf ED448' -> 'Decaf ED448' Signature & verify ok, signature 163usec, verify 252usec (Kees Monshouwer) - `commit 68490a4b5 `__: don't use the libdecaf ed25519 signer when libsodium is enabled (Kees Monshouwer) - `commit 5a88a8ed5 `__: do not hash the message in the ed25519 signer (Kees Monshouwer) - `commit 0e7893bf4 `__: Disable use-incoming-edns-subnet by default PowerDNS Recursor 4.0.5 ----------------------- Released 13th of June 2017 This release adds ed25519 (algorithm 15) support for DNSSEC and adds the 2017 DNSSEC root key. If you do DNSSEC validation, this upgrade is **mandatory** to continue validating after October 2017. Bug fixes ^^^^^^^^^ - `commit af76224 `__: Correctly lowercase the TSIG algorithm name in hash computation, fixes `#4942 `__ - `commit 86c4ed0 `__: Clear the RPZ NS IP table when clearing the policy, this prevents false positives - `commit 5e660e9 `__: Fix cache-only queries against a forward-zone, fixes `#5211 `__ - `commit 2875033 `__: Only delegate if NSes are below apex in auth-zones, fixes `#4771 `__ - `commit e7c183d `__: Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes `#4799 `__ - `commit 5bec36e `__: Make sure ``labelsToAdd`` is not empty in ``getZoneCuts()`` - `commit 0f59e05 `__: Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available - `commit 233e144 `__: Ensure (re)priming the root never fails - `commit 3642cb3 `__: Don't age the root, fixes a regression from 3.x - `commit 83f9226 `__: Fix exception when sending a protobuf message for an empty question - `commit ffdd813 `__: LuaWrapper: Allow embedded NULs in strings received from Lua - `commit c5ffd90 `__: Fix coredumps on illumos/SmartOS, fixes `#4579 `__ (Roman Dayneko) - `commit 651c0e9 `__: StateHolder: Allocate (and copy if needed) before taking the lock - `commit 547d68f `__: SuffixMatchNode: Fix insertion issue for an existing node - `commit 3ada4e2 `__: Fix negative port detection for IPv6 addresses on 32-bit systems Additions and Enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^ - `commit 7705e1c `__: Add support for RPZ wildcarded target names. Fixes `#5237 `__ - `#5165 `__: Speed up RPZ zone loading and add a ``zoneSizeHint`` parameter to ``rpzFile`` and ``rpzMaster`` for faster reloads - `#4794 `__: Make the RPZ summary consistent (Fixes `#4342 `__) and log additions/removals at debug level, not info - `commit 1909556 `__: Add the 2017 root key - `commit abfe671 `__ and `commit 7abbb2c `__: Update Ed25519 `algorithm number and mnemonic `__ and hook up to the Recursor (Kees Monshouwer) - `#5355 `__: Add ``use-incoming-edns-subnet`` option to process and pass along ECS and fix some ECS bugs in the process - `commit dff1a11 `__: Refuse to start with chroot set in a systemd env (Fixes `#4848 `__) - `commit 5a38a56 `__: Handle exceptions raised by ``closesocket()`` to prevent process termination - `#4619 `__: Document missing ``top-pub-queries`` and ``top-pub-servfail-queries`` commands for ``rec_control`` (phonedph1) - `commit 502a850 `__: IPv6 address for g.root-servers.net added (Kevin Otte) - `commit 7a2a645 `__: Log outgoing queries / incoming responses via protobuf PowerDNS Recursor 4.0.4 ----------------------- Released January 13th 2017 The 4.0.4 version of the PowerDNS Recursor fixes PowerDNS Security Advisories :doc:`2016-02 <../security-advisories/powerdns-advisory-2016-02>` and :doc:`2016-04 <../security-advisories/powerdns-advisory-2016-04>`. Bug fixes ^^^^^^^^^ - `commit 658d9e4 `__: Check TSIG signature on IXFR (Security Advisory :doc:`2016-04 <../security-advisories/powerdns-advisory-2016-04>`) - `commit 91acd82 `__: Don't parse spurious RRs in queries when we don't need them (Security Advisory :doc:`2016-02 <../security-advisories/powerdns-advisory-2016-02>`) - `commit 400e28d `__: Fix incorrect length check in ``DNSName`` when extracting qtype or qclass - `commit 2168188 `__: rec: Wait until after daemonizing to start the RPZ and protobuf threads - `commit 3beb3b2 `__: On (re-)priming, fetch the root NS records - `commit cfeb109 `__: rec: Fix src/dest inversion in the protobuf message for TCP queries - `commit 46a6666 `__: NSEC3 optout and Bogus insecure forward fixes - `commit bb437d4 `__: On RPZ customPolicy, follow the resulting CNAME - `commit 6b5a8f3 `__: DNSSEC: don't go bogus on zero configured DSs - `commit 1fa6e1b `__: Don't crash on an empty query ring - `commit bfb7e5d `__: Set the result to NoError before calling ``preresolve`` Additions and Enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^ - `commit 7c3398a `__: Add ``max-recursion-depth`` to limit the number of internal recursion - `commit 3d59c6f `__: Fix building with ECDSA support disabled in libcrypto - `commit 0170a3b `__: Add requestorId and some comments to the protobuf definition file - `commit d8cd67b `__: Make the negcache forwarded zones aware - `commit 46ccbd6 `__: Cache records for zones that were delegated to from a forwarded zone - `commit 5aa64e6 `__, `commit 5f4242e `__ and `commit 0f707cd `__: DNSSEC: Implement keysearch based on zone-cuts - `commit ddf6fa5 `__: rec: Add support for boost::context >= 1.61 - `commit bb6bd6e `__: Add ``getRecursorThreadId()`` to Lua, identifying the current thread - `commit d8baf17 `__: Handle CNAMEs at the apex of secure zones to other secure zones PowerDNS Recursor 4.0.3 ----------------------- Released September 6th 2016 The 4.0.3 version of the PowerDNS Recursor features many improvements to the Policy Engine (RPZ) and the Lua bindings to it. We would like to thank Wim (`42wim `__) for testing and reporting on the RPZ module. Bug fixes ^^^^^^^^^ - `#4350 `__: Call ``gettag()`` for TCP queries - `#4376 `__: Fix the use of an uninitialized filtering policy - `#4381 `__: Parse query-local-address before lua-config-file - `#4383 `__: Fix accessing an empty policyCustom, policyName from Lua - `#4387 `__: ComboAddress: don't allow invalid ports - `#4388 `__: Fix RPZ default policy not being applied over IXFR - `#4391 `__: DNSSEC: Actually follow RFC 7646 ยง2.1 - `#4396 `__: Add boost context ldflags so freebsd builds can find the libs - `#4402 `__: Ignore NS records in a RPZ zone received over IXFR - `#4403 `__: Fix build with OpenSSL 1.1.0 final - `#4404 `__: Don't validate when a Lua hook took the query - `#4425 `__: Fix a protobuf regression (requestor/responder mix-up) Additions and Enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^ - `#4394 `__: Support Boost 1.61+ fcontext - `#4402 `__: Add Lua binding for DNSRecord::d\_place PowerDNS Recursor 4.0.2 ----------------------- Released August 26th 2016 This release fixes a regression in 4.x where CNAME records for DNSSEC signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) not being able to extract the required answer from the packet. This happened exclusively for DNSSEC signed domains, but the problem happens even for clients not requesting DNSSEC validation. Further fixes and changes can be found below: Bug fixes ^^^^^^^^^ - `#4264 `__: Set ``dq.rcode`` before calling postresolve - `#4294 `__: Honor PIE flags. - `#4310 `__: Fix build with LibreSSL, for which OPENSSL\_VERSION\_NUMBER is irrelevant - `#4340 `__: Don't shuffle CNAME records. - `#4354 `__: Fix delegation-only Additions and enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^ - `#4288 `__: Respect the timeout when connecting to a protobuf server - `#4300 `__: allow newDN to take a DNSName in; document missing methods - `#4301 `__: expose SMN toString to lua - `#4318 `__: Anonymize the protobuf ECS value as well - `#4324 `__: Allow Lua access to the result of the Policy Engine decision, skip RPZ, finish RPZ implementation - `#4349 `__: Remove unused ``DNSPacket::d_qlen`` - `#4351 `__: RPZ: Use query-local-address(6) by default - `#4357 `__: Move the root DNSSEC data to a header file PowerDNS Recursor 4.0.1 ----------------------- Released July 29th 2016 This release has several improvements with regards to DNSSEC validation and it improves interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set. Bug fixes ^^^^^^^^^ - `#4119 `__ Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer) - `#4162 `__ Don't validate zones from the local auth store, go one level down while validating when there is a CNAME - `#4187 `__: - Don't go bogus on islands of security - Check all possible chains for Insecure states - Don't go Bogus on a CNAME at the apex - `#4215 `__ RPZ: default policy should also override local data RRs - `#4243 `__ Fix a crash when the next name in a chained query is empty and ``rec_control current-queries`` is invoked Improvements ^^^^^^^^^^^^ - `#4056 `__ OpenSSL 1.1.0 support (Chris Hofstaedtler) - `#4133 `__ Add limits to the size of received {A,I}XFR (CVE-2016-6172) - `#4140 `__ Fix warnings with gcc on musl-libc (James Taylor) - `#4160 `__ Also validate on +DO - `#4164 `__ Fail to start when the lua-dns-script does not exist - `#4168 `__ Add more Netmask methods for Lua (Aki Tuomi) - `#4210 `__ Validate DNSSEC for security polling - `#4217 `__ Turn on root-nx-trust by default and log-common-errors=off - `#4207 `__ Allow for multiple trust anchors per zone - `#4242 `__ Fix compilation warning when building without Protobuf PowerDNS Recursor 4.0.0 ----------------------- Released July 11th 2016 PowerDNS Recursor 4.0.0 is part of `the great 4.x "Spring Cleaning" `__ of PowerDNS which lasted through the end of 2015. As part of the general cleanup, we did the following: - Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to `improve the quality of implementation `__ in many places. - Implemented dedicated infrastructure for dealing with DNS names that is fully "DNS Native" and needs less escaping and unescaping - Switched to binary storage of DNS records in all places - Moved ACLs to a dedicated Netmask Tree - Implemented a version of `RCU `__ for configuration changes - Instrumented our use of the memory allocator, reduced number of malloc calls substantially. - The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface. In addition to this cleanup, which has many internal benefits and solves longstanding issues with escaped domain names, 4.0.0 brings the following major new features: - RPZ aka Response Policy Zone support - IXFR slaving in the PowerDNS Recursor for RPZ - DNSSEC processing in Recursor (Authoritative has had this for years) - DNSSEC validation (without NSEC(3) proof validation) - EDNS Client Subnet support in PowerDNS Recursor (Authoritative has had this for years) - Lua asynchronous queries for per-IP/per-domain status - Caches that can now be wiped per whole zone instead of per name - Statistics on authoritative server response times (split for IPv4 and IPv6) - APIs are no longer marked as 'experimental' and had one final URL change - New metric: tcp-answer-bytes to measure DNS TCP/IP bandwidth, and many other new metrics Please be aware that beyond the items listed here, there have been heaps of tiny changes. As always, please carefully test a new release before deploying it. This release features the following fixes compared to rc1: - `#3989 `__ Fix usage of std::distance() in DNSName::isPartOf() (signed/unsigned comparisons) - `#4017 `__ Fix building without Lua. Add ``isTcp`` to ``dq``. - `#4023 `__ Actually log on dnssec=log-fail - `#4028 `__ DNSSEC fixes (NSEC casing, send DO-bit over TCP, DNSSEC trace additions) - `#4052 `__ Don't fail configure on missing fcontext.hpp - `#4096 `__ Don't call ``commit()`` if we skipped all the records It has the following improvements: - `#3400 `__ Enable building on OpenIndiana - `#4016 `__ Log protobuf messages for cache hits. Add policy tags in gettag() - `#4040 `__ Allow DNSSEC validation when chrooted - `#4094 `__ Sort included html files for improved reproducibility (Chris Hofstaedtler) And these additions: - `#3981 `__ Import JavaScript sources for libs shipped with Recursor (Christian Hofstaedtler) - `#4012 `__ add tags support to ProtobufLogger.py - `#4032 `__ Set the existing policy tags in ``dq`` for ``{pre,post}resolve`` - `#4077 `__ Add DNSSEC validation statistics - `#4090 `__ Allow reloading the lua-config-file at runtime - `#4097 `__ Allow logging DNSSEC bogus in any mode - `#4125 `__ Add protobuf fields for the query's time in the response PowerDNS Recursor 4.0.0-rc1 ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Released June 9th 2016 This first (and hopefully last) Release Candidate contains the finishing touches to the experimental DNSSEC support by adding (Negative) Trust Anchor support and fixing a possible issue with DNSSEC and forwarded domains: - `#3910 `__ Add (Negative) Trust Anchor management - `#3926 `__ Set +CD on forwarded recursive queries Other changes: - `#3941 `__ Ensure delegations from local auth zones are followed - `#3924 `__ Add a virtual hosting unit-file - `#3929 `__ Set the FDs in the unit file to a sane value Bug fixes: - `#3961 `__ Fix building on EL6 i386 - `#3957 `__ Add error reporting when parsing forward-zones(-recurse) (Aki Tuomi) PowerDNS Recursor 4.0.0-beta1 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Released May 27th 2016 This release fixes a bug in the DNSSEC implementation where a name would we validated as bogus when talking to non-compliant authoritative servers: - `#3875 `__ Disable DNSSEC for domain where the auth responds with FORMERR or NOTIMP Improvements ^^^^^^^^^^^^ - `#3866 `__ Increase max FDs in systemd unit file - `#3905 `__ Add a dnssec=process-no-validate option and make it default Bug fixes ^^^^^^^^^ - `#3881 `__ Fix the ``noEdnsOutQueries`` counter - `#3892 `__ support ``clock_gettime`` for platforms that require -lrt PowerDNS Recursor 4.0.0-alpha3 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Released May 10th 2016 This release features several leaps in the correctness and stability of the DNSSEC implementation. Notable changes are: - `#3752 `__ Correct handling of query flags in conformance with `RFC 6840 `__ Bug fixes ^^^^^^^^^ - `#3804 `__ Fix a memory leak in DNSSEC validation - `#3785 `__ and `#3390 `__ Correctly validate insecure delegations - `#3606 `__ Various DNSSEC fixes, disabling DNSSEC on forward-zones - `#3681 `__ Catch exception with a malformed DNSName in ``rec_control wipe-cache`` - `#3779 `__, `#3768 `__, `#3766 `__, `#3783 `__ and `#3789 `__ DNSName and other hardening improvements Improvements ^^^^^^^^^^^^ - `#3801 `__ Add missing Lua rcodes bindings - `#3587 `__ Update L-Root addresses PowerDNS Recursor 4.0.0-alpha2 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Released March 9th 2016 Note that the DNSSEC implementation has several bugs in this release, it is advised to set ``dnssec=off`` in your recursor.conf. This release features many low-level performance fixes. Other notable changes since 4.0.0-alpha1 are: - `#3259 `__, `#3280 `__ The PowerDNS Recursor now properly uses GNU autoconf and autotools for building and installing - OpenSSL crypto primitives are now used for DNSSEC validation - `#3313 `__ Implement the logic we need to generate EDNS MAC fields in dnsdist & read them in recursor (`blogpost `__ - `#3350 `__ Add lowercase-outgoing feature to Recursor - `#3410 `__ Recuweb is now built-in to the daemon - `#3230 `__ API: drop JSONP, add web security headers (Chris Hofstaedtler) - `#3485 `__ Allow multiple carbon-servers - `#3427 `__, `#3479 `__, `#3472 `__ MTasker modernization (Andrew Nelless) Bug fixes ~~~~~~~~~ - `#3444 `__, `#3442 `__ RPZ IXFR fixes - `#3448 `__ Remove edns-subnet-whitelist whitelist pointing to powerdns.com (Christian Hofstaedtler) - `#3293 `__ make asynchronous UDP Lua queries work again in 4.x - `#3365 `__ Apply rcode set in UDPQueryResponse callback (Jan Broers) - `#3244 `__ Fix the forward zones in the recursor - `#3135 `__ Use 56 bits instead of 64 in EDNS Client Subnet option (Winfried Angele) - `#3527 `__ Make the recursor counters atomic Improvements ~~~~~~~~~~~~ - `#3435 `__ Add ``toStringNoDot`` and ``chopOff`` functions to Lua - `#3437 `__ Add ``pdns.now`` timeval struct to recursor Lua - `#3352 `__ Cache improvements - `#3502 `__ Make second argument to pdnslog optional (Thiago Farina) - `#3520 `__ Reduce log level of periodic statistics to notice (Jan Broers) PowerDNS Recursor 4.0.0-alpha1 ------------------------------ Released December 24th 2015