Changelogs for 4.0.x
This page has all the changelogs for the PowerDNS Recursor 4.0 release train.
Note: 4.0.x and earlier releases are End of Life and no longer supported.
See EOL Statements.
PowerDNS Recursor 4.0.9
Released 6th of November 2018
This release fixes the following security advisories:
- PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service (CVE-2018-10851)
- PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query (CVE-2018-14626)
- PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
Bug fixes
- #7152: Crafted answer can cause a denial of service (CVE-2018-10851)
- #7152: Packet cache pollution via crafted query (CVE-2018-14626)
- #7152: Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
PowerDNS Recursor 4.0.8
Released 11th of December 2017
This release fixes PowerDNS Security Advisory 2017-08.
Bug fixes
- #5930: Don’t assume TXT record is first record for secpoll
- #6082: Don’t add non-IN records to the cache
PowerDNS Recursor 4.0.7
Released 27th of November 2017
This release fixes PowerDNS Security Advisories 2017-03, 2017-05, 2017-06 and 2017-07.
Bug fixes
- #4561: Update rec_control manpage (Winfried Angele)
- #4824: Check in the detected OpenSSL/libcrypto for ECDSA
- #5406: Make more specific Netmasks < to less specific ones
- #5525: Fix validation at the exact RRSIG inception or expiration time
- #5740: Lowercase all outgoing qnames when lowercase-outgoing is set
- #5599: Fix libatomic detection on ppc64
- #5961: Edit configname definition to include the ‘config-name’ argument (Jake Reynolds)
- #5995: Security Advisories 2017-03, 2017-05, 2017-06 and 2017-07.
Improvements
- #4646: Extract nested exception from Luawrapper
- #4960: Use explicit yes for default-enabled settings (Chris Hofstaedtler)
- #5078: Throw an error when lua-conf-file can’t be loaded
- #5261: get-remote-ring’s “other” report should only have two items. (Patrick Cloke)
- #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
- #5488: Only increase no-packet-error on the first read
- #5498: Add support for Botan 2.x
- #5511: Add more information to recursor cache dumps
- #5523: Fix typo in two log messages (Ruben Kerkhof)
- #5598: Add help text on autodetecting systemd support
- #5726: Be more resilient with broken auths
- #5739: Remove pdns.PASS and pdns.TRUNCATE
- #5755: Improve dnsbulktest experience in travis for more robustness
- #5762: Create socket-dir from init-script
- #5843: b.root renumbering, effective 2017-10-24
- #5921: Don’t retry security polling too often when it fails
PowerDNS Recursor 4.0.6
Released 6th of July 2017
This release features a fix for the ed25519 verifier.
This verifier hashed the message before verifying, resulting in unverifiable signatures.
Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.
Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes.
Note that this release changes use-incoming-edns-subnet to disabled by default.
Improvements
- commit 2325010e6: with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
- commit 2ec8d8148: Remove just enough entries from the cache, not one more than asked
- commit 71df15677: Move expired cache entries to the front so they are expunged
- commit d84834c4c: changed IPv6 addr of b.root-servers.net (Arsen Stasic)
- commit bcce047bc: e.root-servers.net has IPv6 now (phonedph1)
- commit cef8ec7c2: hello decaf signers (ED25519 and ED448) Testing algorithm 15: ‘Decaf ED25519’ ->’Decaf ED25519’ -> ‘Decaf ED25519’ Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: ‘Decaf ED448’ ->’Decaf ED448’ -> ‘Decaf ED448’ Signature & verify ok, signature 163usec, verify 252usec (Kees Monshouwer)
- commit 68490a4b5: don’t use the libdecaf ed25519 signer when libsodium is enabled (Kees Monshouwer)
- commit 5a88a8ed5: do not hash the message in the ed25519 signer (Kees Monshouwer)
- commit 0e7893bf4: Disable use-incoming-edns-subnet by default
PowerDNS Recursor 4.0.5
Released 13th of June 2017
This release adds ed25519 (algorithm 15) support for DNSSEC and adds the
2017 DNSSEC root key. If you do DNSSEC validation, this upgrade is
mandatory to continue validating after October 2017.
Bug fixes
- commit af76224: Correctly lowercase the TSIG algorithm name in hash computation, fixes #4942
- commit 86c4ed0: Clear the RPZ NS IP table when clearing the policy, this prevents false positives
- commit 5e660e9: Fix cache-only queries against a forward-zone, fixes #5211
- commit 2875033: Only delegate if NSes are below apex in auth-zones, fixes #4771
- commit e7c183d: Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes #4799
- commit 5bec36e: Make sure labelsToAdd is not empty in getZoneCuts()
- commit 0f59e05: Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available
- commit 233e144: Ensure (re)priming the root never fails
- commit 3642cb3: Don’t age the root, fixes a regression from 3.x
- commit 83f9226: Fix exception when sending a protobuf message for an empty question
- commit ffdd813: LuaWrapper: Allow embedded NULs in strings received from Lua
- commit c5ffd90: Fix coredumps on illumos/SmartOS, fixes #4579 (Roman Dayneko)
- commit 651c0e9: StateHolder: Allocate (and copy if needed) before taking the lock
- commit 547d68f: SuffixMatchNode: Fix insertion issue for an existing node
- commit 3ada4e2: Fix negative port detection for IPv6 addresses on 32-bit systems
Additions and Enhancements
- commit 7705e1c: Add support for RPZ wildcarded target names. Fixes #5237
- #5165: Speed up RPZ zone loading and add a zoneSizeHint parameter to rpzFile and rpzMaster for faster reloads
- #4794: Make the RPZ summary consistent (Fixes #4342) and log additions/removals at debug level, not info
- commit 1909556: Add the 2017 root key
- commit abfe671 and commit 7abbb2c: Update Ed25519 algorithm number and mnemonic and hook up to the Recursor (Kees Monshouwer)
- #5355: Add use-incoming-edns-subnet option to process and pass along ECS and fix some ECS bugs in the process
- commit dff1a11: Refuse to start with chroot set in a systemd env (Fixes #4848)
- commit 5a38a56: Handle exceptions raised by closesocket() to prevent process termination
- #4619: Document missing top-pub-queries and top-pub-servfail-queries commands for rec_control (phonedph1)
- commit 502a850: IPv6 address for g.root-servers.net added (Kevin Otte)
- commit 7a2a645: Log outgoing queries / incoming responses via protobuf
PowerDNS Recursor 4.0.4
Released January 13th 2017
The 4.0.4 version of the PowerDNS Recursor fixes PowerDNS Security Advisories 2016-02 and 2016-04.
Additions and Enhancements
PowerDNS Recursor 4.0.3
Released September 6th 2016
The 4.0.3 version of the PowerDNS Recursor features many improvements to
the Policy Engine (RPZ) and the Lua bindings to it. We would like to
thank Wim (42wim) for testing and
reporting on the RPZ module.
Bug fixes
- #4350: Call gettag() for TCP queries
- #4376: Fix the use of an uninitialized filtering policy
- #4381: Parse query-local-address before lua-config-file
- #4383: Fix accessing an empty policyCustom, policyName from Lua
- #4387: ComboAddress: don’t allow invalid ports
- #4388: Fix RPZ default policy not being applied over IXFR
- #4391: DNSSEC: Actually follow RFC 7646 §2.1
- #4396: Add boost context ldflags so freebsd builds can find the libs
- #4402: Ignore NS records in a RPZ zone received over IXFR
- #4403: Fix build with OpenSSL 1.1.0 final
- #4404: Don’t validate when a Lua hook took the query
- #4425: Fix a protobuf regression (requestor/responder mix-up)
Additions and Enhancements
- #4394: Support Boost 1.61+ fcontext
- #4402: Add Lua binding for DNSRecord::d_place
PowerDNS Recursor 4.0.2
Released August 26th 2016
This release fixes a regression in 4.x where CNAME records for DNSSEC
signed domains were not sorted before the final answers, leading to some
clients (notably some versions of Chrome) not being able to extract the
required answer from the packet. This happened exclusively for DNSSEC
signed domains, but the problem happens even for clients not requesting
DNSSEC validation.
Further fixes and changes can be found below:
Bug fixes
- #4264: Set dq.rcode before calling postresolve
- #4294: Honor PIE flags.
- #4310: Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
- #4340: Don’t shuffle CNAME records.
- #4354: Fix delegation-only
Additions and enhancements
- #4288: Respect the timeout when connecting to a protobuf server
- #4300: allow newDN to take a DNSName in; document missing methods
- #4301: expose SMN toString to lua
- #4318: Anonymize the protobuf ECS value as well
- #4324: Allow Lua access to the result of the Policy Engine decision, skip RPZ, finish RPZ implementation
- #4349: Remove unused DNSPacket::d_qlen
- #4351: RPZ: Use query-local-address(6) by default
- #4357: Move the root DNSSEC data to a header file
PowerDNS Recursor 4.0.1
Released July 29th 2016
This release has several improvements with regards to DNSSEC validation
and it improves interoperability with DNSSEC clients that expect an
AD-bit on validated data when they query with only the DO-bit set.
Bug fixes
- #4119 Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer)
- #4162 Don’t validate zones from the local auth store, go one level down while validating when there is a CNAME
- #4187:
- Don’t go bogus on islands of security
- Check all possible chains for Insecure states
- Don’t go Bogus on a CNAME at the apex
- #4215 RPZ: default policy should also override local data RRs
- #4243 Fix a crash when the next name in a chained query is empty and rec_control current-queries is invoked
Improvements
- #4056 OpenSSL 1.1.0 support (Chris Hofstaedtler)
- #4133 Add limits to the size of received {A,I}XFR (CVE-2016-6172)
- #4140 Fix warnings with gcc on musl-libc (James Taylor)
- #4160 Also validate on +DO
- #4164 Fail to start when the lua-dns-script does not exist
- #4168 Add more Netmask methods for Lua (Aki Tuomi)
- #4210 Validate DNSSEC for security polling
- #4217 Turn on root-nx-trust by default and log-common-errors=off
- #4207 Allow for multiple trust anchors per zone
- #4242 Fix compilation warning when building without Protobuf
PowerDNS Recursor 4.0.0
Released July 11th 2016
PowerDNS Recursor 4.0.0 is part of the great 4.x “Spring Cleaning” of PowerDNS which lasted through the end of 2015.
As part of the general cleanup, we did the following:
- Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping
- Switched to binary storage of DNS records in all places
- Moved ACLs to a dedicated Netmask Tree
- Implemented a version of RCU for configuration changes
- Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
- The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface.
In addition to this cleanup, which has many internal benefits and solves
longstanding issues with escaped domain names, 4.0.0 brings the
following major new features:
- RPZ aka Response Policy Zone support
- IXFR slaving in the PowerDNS Recursor for RPZ
- DNSSEC processing in Recursor (Authoritative has had this for years)
- DNSSEC validation (without NSEC(3) proof validation)
- EDNS Client Subnet support in PowerDNS Recursor (Authoritative has
had this for years)
- Lua asynchronous queries for per-IP/per-domain status
- Caches that can now be wiped per whole zone instead of per name
- Statistics on authoritative server response times (split for IPv4 and
IPv6)
- APIs are no longer marked as ‘experimental’ and had one final URL
change
- New metric: tcp-answer-bytes to measure DNS TCP/IP bandwidth, and
many other new metrics
Please be aware that beyond the items listed here, there have been heaps
of tiny changes. As always, please carefully test a new release before
deploying it.
This release features the following fixes compared to rc1:
- #3989 Fix usage of std::distance() in DNSName::isPartOf() (signed/unsigned comparisons)
- #4017 Fix building without Lua. Add isTcp to dq.
- #4023 Actually log on dnssec=log-fail
- #4028 DNSSEC fixes (NSEC casing, send DO-bit over TCP, DNSSEC trace additions)
- #4052 Don’t fail configure on missing fcontext.hpp
- #4096 Don’t call commit() if we skipped all the records
It has the following improvements:
- #3400 Enable building on OpenIndiana
- #4016 Log protobuf messages for cache hits. Add policy tags in gettag()
- #4040 Allow DNSSEC validation when chrooted
- #4094 Sort included html files for improved reproducibility (Chris Hofstaedtler)
And these additions:
- #3981 Import JavaScript sources for libs shipped with Recursor (Christian Hofstaedtler)
- #4012 add tags support to ProtobufLogger.py
- #4032 Set the existing policy tags in dq for {pre,post}resolve
- #4077 Add DNSSEC validation statistics
- #4090 Allow reloading the lua-config-file at runtime
- #4097 Allow logging DNSSEC bogus in any mode
- #4125 Add protobuf fields for the query’s time in the response
PowerDNS Recursor 4.0.0-rc1
Released June 9th 2016
This first (and hopefully last) Release Candidate contains the finishing
touches to the experimental DNSSEC support by adding (Negative) Trust
Anchor support and fixing a possible issue with DNSSEC and forwarded
domains:
- #3910 Add (Negative) Trust Anchor management
- #3926 Set +CD on forwarded recursive queries
Other changes:
- #3941 Ensure delegations from local auth zones are followed
- #3924 Add a virtual hosting unit-file
- #3929 Set the FDs in the unit file to a sane value
Bug fixes:
- #3961 Fix building on EL6 i386
- #3957 Add error reporting when parsing forward-zones(-recurse) (Aki Tuomi)
PowerDNS Recursor 4.0.0-beta1
Released May 27th 2016
This release fixes a bug in the DNSSEC implementation where a name would be validated as bogus when talking to non-compliant authoritative servers:
- #3875 Disable DNSSEC for domain where the auth responds with FORMERR or NOTIMP
Improvements
- #3866 Increase max FDs in systemd unit file
- #3905 Add a dnssec=process-no-validate option and make it default
Bug fixes
- #3881 Fix the noEdnsOutQueries counter
- #3892 support clock_gettime for platforms that require -lrt
PowerDNS Recursor 4.0.0-alpha3
Released May 10th 2016
This release features several leaps in the correctness and stability of
the DNSSEC implementation.
Notable changes are:
- #3752 Correct handling of query flags in conformance with RFC 6840
Bug fixes
- #3804 Fix a memory leak in DNSSEC validation
- #3785 and #3390 Correctly validate insecure delegations
- #3606 Various DNSSEC fixes, disabling DNSSEC on forward-zones
- #3681 Catch exception with a malformed DNSName in rec_control wipe-cache
- #3779, #3768, #3766, #3783 and #3789 DNSName and other hardening improvements
Improvements
- #3801 Add missing Lua rcodes bindings
- #3587 Update L-Root addresses
PowerDNS Recursor 4.0.0-alpha2
Released March 9th 2016
Note that the DNSSEC implementation has several bugs in this release; it is advised to set dnssec=off in your recursor.conf.
This release features many low-level performance fixes. Other notable
changes since 4.0.0-alpha1 are:
- #3259, #3280 The PowerDNS Recursor now properly uses GNU autoconf and autotools for building and installing
- OpenSSL crypto primitives are now used for DNSSEC validation
- #3313 Implement the logic we need to generate EDNS MAC fields in dnsdist & read them in recursor (blogpost)
- #3350 Add lowercase-outgoing feature to Recursor
- #3410 Recuweb is now built-in to the daemon
- #3230 API: drop JSONP, add web security headers (Chris Hofstaedtler)
- #3485 Allow multiple carbon-servers
- #3427, #3479, #3472 MTasker modernization (Andrew Nelless)
Bug fixes
- #3444, #3442 RPZ IXFR fixes
- #3448 Remove edns-subnet-whitelist whitelist pointing to powerdns.com (Christian Hofstaedtler)
- #3293 make asynchronous UDP Lua queries work again in 4.x
- #3365 Apply rcode set in UDPQueryResponse callback (Jan Broers)
- #3244 Fix the forward zones in the recursor
- #3135 Use 56 bits instead of 64 in EDNS Client Subnet option (Winfried Angele)
- #3527 Make the recursor counters atomic
Improvements
- #3435 Add toStringNoDot and chopOff functions to Lua
- #3437 Add pdns.now timeval struct to recursor Lua
- #3352 Cache improvements
- #3502 Make second argument to pdnslog optional (Thiago Farina)
- #3520 Reduce log level of periodic statistics to notice (Jan Broers)
PowerDNS Recursor 4.0.0-alpha1
Released December 24th 2015