Previous topic

Changelogs for 4.1.x

Next topic

Changelogs for all pre 4.0 releases

This Page

Changelogs for 4.0.x

This page has all the changelogs for the PowerDNS Recursor 4.0 release train.

Note: 4.0.x and earlier releases are End of Life and no longer supported. See EOL Statements.

PowerDNS Recursor 4.0.9

Released 6th of November 2018

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query (CVE-2018-14626)
  • PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service (CVE-2018-14644)

Bug fixes

  • #7152: Crafted answer can cause a denial of service (CVE-2018-10851)
  • #7152: Packet cache pollution via crafted query (CVE-2018-14626)
  • #7152: Crafted query for meta-types can cause a denial of service (CVE-2018-14644)

PowerDNS Recursor 4.0.8

Released 11th of December 2017

This release fixes PowerDNS Security Advisory 2017-08.

Bug fixes

  • #5930: Don’t assume TXT record is first record for secpoll
  • #6082: Don’t add non-IN records to the cache

PowerDNS Recursor 4.0.7

Released 27th of November 2017

This release fixes PowerDNS Security Advisories 2017-03, 2017-05, 2017-06 and 2017-07.

Bug fixes

  • #4561: Update rec_control manpage (Winfried Angele)
  • #4824: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5406: Make more specific Netmasks < to less specific ones
  • #5525: Fix validation at the exact RRSIG inception or expiration time
  • #5740: Lowercase all outgoing qnames when lowercase-outgoing is set
  • #5599: Fix libatomic detection on ppc64
  • #5961: Edit configname definition to include the ‘config-name’ argument (Jake Reynolds)
  • #5995: Security Advisories 2017-03, 2017-05, 2017-06 and 2017-07.


  • #4646: Extract nested exception from Luawrapper
  • #4960: Use explicit yes for default-enabled settings (Chris Hofstaedtler)
  • #5078: Throw an error when lua-conf-file can’t be loaded
  • #5261: get-remote-ring’s “other” report should only have two items. (Patrick Cloke)
  • #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
  • #5488: Only increase no-packet-error on the first read
  • #5498: Add support for Botan 2.x
  • #5511: Add more information to recursor cache dumps
  • #5523: Fix typo in two log messages (Ruben Kerkhof)
  • #5598: Add help text on autodetecting systemd support
  • #5726: Be more resilient with broken auths
  • #5739: Remove pdns.PASS and pdns.TRUNCATE
  • #5755: Improve dnsbulktest experience in travis for more robustness
  • #5762: Create socket-dir from init-script
  • #5843: b.root renumbering, effective 2017-10-24
  • #5921: Don’t retry security polling too often when it fails

PowerDNS Recursor 4.0.6

Released 6th of July 2017

This release features a fix for the ed25519 verifier. This verifier hashed the message before verifying, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes. Note that this release changes use-incoming-edns-subnet to disabled by default.

Bug fixes


  • commit 2325010e6:
    with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
  • commit 2ec8d8148:
    Remove just enough entries from the cache, not one more than asked
  • commit 71df15677:
    Move expired cache entries to the front so they are expunged
  • commit d84834c4c:
    changed IPv6 addr of (Arsen Stasic)
  • commit bcce047bc: has IPv6 now (phonedph1)
  • commit cef8ec7c2:
    hello decaf signers (ED25519 and ED448) Testing algorithm 15: ‘Decaf ED25519’ ->’Decaf ED25519’ -> ‘Decaf ED25519’ Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: ‘Decaf ED448’ ->’Decaf ED448’ -> ‘Decaf ED448’ Signature & verify ok, signature 163usec, verify 252usec (Kees Monshouwer)
  • commit 68490a4b5:
    don’t use the libdecaf ed25519 signer when libsodium is enabled (Kees Monshouwer)
  • commit 5a88a8ed5:
    do not hash the message in the ed25519 signer (Kees Monshouwer)
  • commit 0e7893bf4:
    Disable use-incoming-edns-subnet by default

PowerDNS Recursor 4.0.5

Released 13th of June 2017

This release adds ed25519 (algorithm 15) support for DNSSEC and adds the 2017 DNSSEC root key. If you do DNSSEC validation, this upgrade is mandatory to continue validating after October 2017.

Bug fixes

  • commit af76224: Correctly lowercase the TSIG algorithm name in hash computation, fixes #4942
  • commit 86c4ed0: Clear the RPZ NS IP table when clearing the policy, this prevents false positives
  • commit 5e660e9: Fix cache-only queries against a forward-zone, fixes #5211
  • commit 2875033: Only delegate if NSes are below apex in auth-zones, fixes #4771
  • commit e7c183d: Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes #4799
  • commit 5bec36e: Make sure labelsToAdd is not empty in getZoneCuts()
  • commit 0f59e05: Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available
  • commit 233e144: Ensure (re)priming the root never fails
  • commit 3642cb3: Don’t age the root, fixes a regression from 3.x
  • commit 83f9226: Fix exception when sending a protobuf message for an empty question
  • commit ffdd813: LuaWrapper: Allow embedded NULs in strings received from Lua
  • commit c5ffd90: Fix coredumps on illumos/SmartOS, fixes #4579 (Roman Dayneko)
  • commit 651c0e9: StateHolder: Allocate (and copy if needed) before taking the lock
  • commit 547d68f: SuffixMatchNode: Fix insertion issue for an existing node
  • commit 3ada4e2: Fix negative port detection for IPv6 addresses on 32-bit systems

Additions and Enhancements

  • commit 7705e1c: Add support for RPZ wildcarded target names. Fixes #5237
  • #5165: Speed up RPZ zone loading and add a zoneSizeHint parameter to rpzFile and rpzMaster for faster reloads
  • #4794: Make the RPZ summary consistent (Fixes #4342) and log additions/removals at debug level, not info
  • commit 1909556: Add the 2017 root key
  • commit abfe671 and commit 7abbb2c: Update Ed25519 algorithm number and mnemonic and hook up to the Recursor (Kees Monshouwer)
  • #5355: Add use-incoming-edns-subnet option to process and pass along ECS and fix some ECS bugs in the process
  • commit dff1a11: Refuse to start with chroot set in a systemd env (Fixes #4848)
  • commit 5a38a56: Handle exceptions raised by closesocket() to prevent process termination
  • #4619: Document missing top-pub-queries and top-pub-servfail-queries commands for rec_control (phonedph1)
  • commit 502a850: IPv6 address for added (Kevin Otte)
  • commit 7a2a645: Log outgoing queries / incoming responses via protobuf

PowerDNS Recursor 4.0.4

Released January 13th 2017

The 4.0.4 version of the PowerDNS Recursor fixes PowerDNS Security Advisories 2016-02 and 2016-04.

Bug fixes

Additions and Enhancements

PowerDNS Recursor 4.0.3

Released September 6th 2016

The 4.0.3 version of the PowerDNS Recursor features many improvements to the Policy Engine (RPZ) and the Lua bindings to it. We would like to thank Wim (42wim) for testing and reporting on the RPZ module.

Bug fixes

  • #4350: Call gettag() for TCP queries
  • #4376: Fix the use of an uninitialized filtering policy
  • #4381: Parse query-local-address before lua-config-file
  • #4383: Fix accessing an empty policyCustom, policyName from Lua
  • #4387: ComboAddress: don’t allow invalid ports
  • #4388: Fix RPZ default policy not being applied over IXFR
  • #4391: DNSSEC: Actually follow RFC 7646 §2.1
  • #4396: Add boost context ldflags so freebsd builds can find the libs
  • #4402: Ignore NS records in a RPZ zone received over IXFR
  • #4403: Fix build with OpenSSL 1.1.0 final
  • #4404: Don’t validate when a Lua hook took the query
  • #4425: Fix a protobuf regression (requestor/responder mix-up)

Additions and Enhancements

  • #4394: Support Boost 1.61+ fcontext
  • #4402: Add Lua binding for DNSRecord::d_place

PowerDNS Recursor 4.0.2

Released August 26th 2016

This release fixes a regression in 4.x where CNAME records for DNSSEC signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) not being able to extract the required answer from the packet. This happened exclusively for DNSSEC signed domains, but the problem happens even for clients not requesting DNSSEC validation.

Further fixes and changes can be found below:

Bug fixes

  • #4264: Set dq.rcode before calling postresolve
  • #4294: Honor PIE flags.
  • #4310: Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
  • #4340: Don’t shuffle CNAME records.
  • #4354: Fix delegation-only

Additions and enhancements

  • #4288: Respect the timeout when connecting to a protobuf server
  • #4300: allow newDN to take a DNSName in; document missing methods
  • #4301: expose SMN toString to lua
  • #4318: Anonymize the protobuf ECS value as well
  • #4324: Allow Lua access to the result of the Policy Engine decision, skip RPZ, finish RPZ implementation
  • #4349: Remove unused DNSPacket::d_qlen
  • #4351: RPZ: Use query-local-address(6) by default
  • #4357: Move the root DNSSEC data to a header file

PowerDNS Recursor 4.0.1

Released July 29th 2016

This release has several improvements with regards to DNSSEC validation and it improves interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set.

Bug fixes

  • #4119 Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer)
  • #4162 Don’t validate zones from the local auth store, go one level down while validating when there is a CNAME
  • #4187:
  • Don’t go bogus on islands of security
  • Check all possible chains for Insecure states
  • Don’t go Bogus on a CNAME at the apex
  • #4215 RPZ: default policy should also override local data RRs
  • #4243 Fix a crash when the next name in a chained query is empty and rec_control current-queries is invoked


  • #4056 OpenSSL 1.1.0 support (Chris Hofstaedtler)
  • #4133 Add limits to the size of received {A,I}XFR (CVE-2016-6172)
  • #4140 Fix warnings with gcc on musl-libc (James Taylor)
  • #4160 Also validate on +DO
  • #4164 Fail to start when the lua-dns-script does not exist
  • #4168 Add more Netmask methods for Lua (Aki Tuomi)
  • #4210 Validate DNSSEC for security polling
  • #4217 Turn on root-nx-trust by default and log-common-errors=off
  • #4207 Allow for multiple trust anchors per zone
  • #4242 Fix compilation warning when building without Protobuf

PowerDNS Recursor 4.0.0

Released July 11th 2016

PowerDNS Recursor 4.0.0 is part of the great 4.x “Spring Cleaning” of PowerDNS which lasted through the end of 2015.

As part of the general cleanup, we did the following:

  • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping
  • Switched to binary storage of DNS records in all places
  • Moved ACLs to a dedicated Netmask Tree
  • Implemented a version of RCU for configuration changes
  • Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
  • The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface.

In addition to this cleanup, which has many internal benefits and solves longstanding issues with escaped domain names, 4.0.0 brings the following major new features:

  • RPZ aka Response Policy Zone support
  • IXFR slaving in the PowerDNS Recursor for RPZ
  • DNSSEC processing in Recursor (Authoritative has had this for years)
  • DNSSEC validation (without NSEC(3) proof validation)
  • EDNS Client Subnet support in PowerDNS Recursor (Authoritative has had this for years)
  • Lua asynchronous queries for per-IP/per-domain status
  • Caches that can now be wiped per whole zone instead of per name
  • Statistics on authoritative server response times (split for IPv4 and IPv6)
  • APIs are no longer marked as ‘experimental’ and had one final URL change
  • New metric: tcp-answer-bytes to measure DNS TCP/IP bandwidth, and many other new metrics

Please be aware that beyond the items listed here, there have been heaps of tiny changes. As always, please carefully test a new release before deploying it.

This release features the following fixes compared to rc1:

  • #3989 Fix usage of std::distance() in DNSName::isPartOf() (signed/unsigned comparisons)
  • #4017 Fix building without Lua. Add isTcp to dq.
  • #4023 Actually log on dnssec=log-fail
  • #4028 DNSSEC fixes (NSEC casing, send DO-bit over TCP, DNSSEC trace additions)
  • #4052 Don’t fail configure on missing fcontext.hpp
  • #4096 Don’t call commit() if we skipped all the records

It has the following improvements:

  • #3400 Enable building on OpenIndiana
  • #4016 Log protobuf messages for cache hits. Add policy tags in gettag()
  • #4040 Allow DNSSEC validation when chrooted
  • #4094 Sort included html files for improved reproducibility (Chris Hofstaedtler)

And these additions:

  • #3981 Import JavaScript sources for libs shipped with Recursor (Christian Hofstaedtler)
  • #4012 add tags support to
  • #4032 Set the existing policy tags in dq for {pre,post}resolve
  • #4077 Add DNSSEC validation statistics
  • #4090 Allow reloading the lua-config-file at runtime
  • #4097 Allow logging DNSSEC bogus in any mode
  • #4125 Add protobuf fields for the query’s time in the response

PowerDNS Recursor 4.0.0-rc1

Released June 9th 2016

This first (and hopefully last) Release Candidate contains the finishing touches to the experimental DNSSEC support by adding (Negative) Trust Anchor support and fixing a possible issue with DNSSEC and forwarded domains:

  • #3910 Add (Negative) Trust Anchor management
  • #3926 Set +CD on forwarded recursive queries

Other changes:

  • #3941 Ensure delegations from local auth zones are followed
  • #3924 Add a virtual hosting unit-file
  • #3929 Set the FDs in the unit file to a sane value

Bug fixes:

  • #3961 Fix building on EL6 i386
  • #3957 Add error reporting when parsing forward-zones(-recurse) (Aki Tuomi)

PowerDNS Recursor 4.0.0-beta1

Released May 27th 2016

This release fixes a bug in the DNSSEC implementation where a name would we validated as bogus when talking to non-compliant authoritative servers:

  • #3875 Disable DNSSEC for domain where the auth responds with FORMERR or NOTIMP


  • #3866 Increase max FDs in systemd unit file
  • #3905 Add a dnssec=process-no-validate option and make it default

Bug fixes

  • #3881 Fix the noEdnsOutQueries counter
  • #3892 support clock_gettime for platforms that require -lrt

PowerDNS Recursor 4.0.0-alpha3

Released May 10th 2016

This release features several leaps in the correctness and stability of the DNSSEC implementation.

Notable changes are:

  • #3752 Correct handling of query flags in conformance with RFC 6840

Bug fixes

  • #3804 Fix a memory leak in DNSSEC validation
  • #3785 and #3390 Correctly validate insecure delegations
  • #3606 Various DNSSEC fixes, disabling DNSSEC on forward-zones
  • #3681 Catch exception with a malformed DNSName in rec_control wipe-cache
  • #3779, #3768, #3766, #3783 and #3789 DNSName and other hardening improvements


  • #3801 Add missing Lua rcodes bindings
  • #3587 Update L-Root addresses

PowerDNS Recursor 4.0.0-alpha2

Released March 9th 2016

Note that the DNSSEC implementation has several bugs in this release, it is advised to set dnssec=off in your recursor.conf.

This release features many low-level performance fixes. Other notable changes since 4.0.0-alpha1 are:

  • #3259, #3280 The PowerDNS Recursor now properly uses GNU autoconf and autotools for building and installing
  • OpenSSL crypto primitives are now used for DNSSEC validation
  • #3313 Implement the logic we need to generate EDNS MAC fields in dnsdist & read them in recursor (blogpost
  • #3350 Add lowercase-outgoing feature to Recursor
  • #3410 Recuweb is now built-in to the daemon
  • #3230 API: drop JSONP, add web security headers (Chris Hofstaedtler)
  • #3485 Allow multiple carbon-servers
  • #3427, #3479, #3472 MTasker modernization (Andrew Nelless)

Bug fixes

  • #3444, #3442 RPZ IXFR fixes
  • #3448 Remove edns-subnet-whitelist whitelist pointing to (Christian Hofstaedtler)
  • #3293 make asynchronous UDP Lua queries work again in 4.x
  • #3365 Apply rcode set in UDPQueryResponse callback (Jan Broers)
  • #3244 Fix the forward zones in the recursor
  • #3135 Use 56 bits instead of 64 in EDNS Client Subnet option (Winfried Angele)
  • #3527 Make the recursor counters atomic


  • #3435 Add toStringNoDot and chopOff functions to Lua
  • #3437 Add timeval struct to recursor Lua
  • #3352 Cache improvements
  • #3502 Make second argument to pdnslog optional (Thiago Farina)
  • #3520 Reduce log level of periodic statistics to notice (Jan Broers)

PowerDNS Recursor 4.0.0-alpha1

Released December 24th 2015