This is a security fix release for PowerDNS Security Advisory 2022-01. Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
Fix validation of incremental zone transfers (IXFRs).
References: pull request 11456
A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records.
References: #10908, pull request 10910
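The DS entry above concerns how a validator chooses among DS records with different digest types. As an added illustration (not PowerDNS Recursor code), the following C++ applies the rule the entry describes: SHA-1 DS records are ignored only when a SHA-256 or SHA-384 DS is present (RFC 4509 section 3), while SHA-256 and SHA-384 records are both kept, so a SHA-384 DS never displaces a SHA-256 one. The `DSRecord` struct, the `selectUsableDS` and `countDigestType` names and the set of supported digest types are assumptions made for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// DS digest type registry values (RFC 4034, RFC 4509, RFC 5933, RFC 6605).
enum DSDigestType : uint8_t {
    DS_DIGEST_SHA1   = 1,
    DS_DIGEST_SHA256 = 2,
    DS_DIGEST_GOST   = 3,
    DS_DIGEST_SHA384 = 4,
};

// Constructed, minimal view of a DS record: only the fields needed to decide
// which records a validator should try to match against the child's DNSKEYs.
struct DSRecord {
    uint16_t keyTag;
    uint8_t  algorithm;
    uint8_t  digestType;
};

// Return the subset of a DS RRset that a validator should consider.
// - If any SHA-256 or SHA-384 DS is present, SHA-1 DS records are ignored.
// - SHA-256 and SHA-384 records are always kept side by side.
// - Digest types this example does not support (assumption: only 1, 2, 4) are skipped.
std::vector<DSRecord> selectUsableDS(const std::vector<DSRecord>& dsset) {
    const bool haveStrongerThanSHA1 = std::any_of(dsset.begin(), dsset.end(),
        [](const DSRecord& ds) {
            return ds.digestType == DS_DIGEST_SHA256 || ds.digestType == DS_DIGEST_SHA384;
        });

    std::vector<DSRecord> usable;
    for (const auto& ds : dsset) {
        switch (ds.digestType) {
        case DS_DIGEST_SHA1:
            if (!haveStrongerThanSHA1) {
                usable.push_back(ds);
            }
            break;
        case DS_DIGEST_SHA256:
        case DS_DIGEST_SHA384:
            usable.push_back(ds);
            break;
        default:
            // Unsupported digest type for this example: cannot be used to build a chain.
            break;
        }
    }
    return usable;
}

// Count how many records of a given digest type survive the selection.
size_t countDigestType(const std::vector<DSRecord>& dsset, uint8_t digestType) {
    return static_cast<size_t>(std::count_if(dsset.begin(), dsset.end(),
        [digestType](const DSRecord& ds) { return ds.digestType == digestType; }));
}

int main() {
    // Constructed DS RRset: one key published with SHA-1, SHA-256 and SHA-384 digests.
    const std::vector<DSRecord> dsset = {
        {12345, 13, DS_DIGEST_SHA1},
        {12345, 13, DS_DIGEST_SHA256},
        {12345, 13, DS_DIGEST_SHA384},
    };
    const auto usable = selectUsableDS(dsset);
    std::cout << "usable DS records: " << usable.size()
              << " (SHA-1: " << countDigestType(usable, DS_DIGEST_SHA1)
              << ", SHA-256: " << countDigestType(usable, DS_DIGEST_SHA256)
              << ", SHA-384: " << countDigestType(usable, DS_DIGEST_SHA384) << ")\n";
    return 0;
}
```

The important check is the second branch: a SHA-384 record adds to the usable set rather than replacing the SHA-256 record, so a zone that publishes both digests still validates on a resolver that supports only one of them.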
rec_control wipe-cache-typed should check if a qtype argument is present and valid.
References: #10905, pull request 10909
Use the correct RPZ policy name for statistics when loading via XFR.
References: #10768, pull request 10802
NS from the cache could be a forwarder, take that into account for throttling decision.
References: #10643, pull request 10654
Check in more places if the policy has been updated before using or modifying it.
References: #10627, pull request 10628
Work around clueless servers sending AA=0 answers.
References: #10555, pull request 10580
Check if we have room before adding zero ECS scope EDNS value.
References: pull request 10390
Use the correct ECS address when proxy-protocol is enabled.
References: #10303, pull request 10383
Apply dns64 on RPZ hits generated after a gettag_ffi hit.
References: pull request 10385
RPZ dumper: stop generating double zz labels on networks that start with zeroes.
References: #10286, pull request 10314
An exception while loading the RPZ seed file is not fatal.
References: #10291, pull request 10313
Use a short-lived NSEC3 hashes cache for denial validation.
References: #9856, pull request 10221
Pull in libfstrm for el8 build.
References: pull request 10062
More fail-safe handling of Newly Discovered Domain files.
References: #10238, pull request 10240
Handle policy (if needed) after postresolve.
References: #10111, pull request 10227
Return current rcode instead of 0 if there are no CNAME records to follow.
References: #10064, pull request 10226
Lookup DS entries before CNAME entries.
References: #9883, pull request 10224
Handle failure to start the web server more gracefully.
References: #9812, pull request 10199
Test that we correctly cap the answer’s TTL in expanded wildcard cases.
References: #9970, pull request 10197
Fix the gathering of denial proof for wildcard-expanded answers.
References: #9793, pull request 10194
Make sure we take the right minimum for the packet cache TTL data in the SERVFAIL case.
References: #10185, pull request 10192
UUID: Use the non-cryptographic variant of the boost::uuid.
References: pull request 9837
Keep a cached, valid entry over a fresher Bogus one.
References: pull request 9838
Ensure socket-dir matches runtime directory on old systemd.
References: #9574, pull request 9799
Move to several distinct Bogus states, for easier debugging.
References: #9597, pull request 9821
Do not chase CNAME during qname minimization step 4.
References: #9790, pull request 9805
Untangle the validation/resolving qnames and qtypes.
References: #9807, pull request 9825
APL records: fix endianness problem.
References: #9766, pull request 9774
Allow specifying a name in getMetric() that is used for Prometheus export only.
References: #9651, pull request 9687
Do not add request to a wait chain that’s already processed or being processed.
References: #9707, pull request 9719
Avoid a CNAME loop detection issue with DNS64.
References: #9696, pull request 9710
Do not send overly long NOD lookups.
References: #9697, pull request 9705
If a.b.c CNAME x.a.b.c is encountered, switch off QName Minimization.
References: #9680, pull request 9683
Fix the processing of answers generated from gettag.
References: #9679, pull request 9682
Backport of CVE-2020-25829: Cache pollution.
References: pull request 9605
Don’t parse any config with --version.
References: #9569, pull request 9577
Expose typed cache flush via Web API.
References: #9562, pull request 9576
Log when going Bogus because of a missing SOA in authority.
References: #9471, pull request 9528
Raise an exception on invalid content in unknown record.
References: #9497, pull request 9506
When deciding if we are auth in the local auth or forwarding case, DS is special.
References: #9434, pull request 9579
Fix wipe-cache-typed.
References: #9515, pull request 9557
Watch the descriptor again after an out-of-order read timeout.
References: #9495, pull request 9526
Only do QName Minimization for the names inside a forwarded domain.
References: #9448, pull request 9465
Fix the parsing of dont-throttle-netmasks in the presence of dont-throttle-names.
References: pull request 9458
Store RPZ trigger and hit in appliedPolicy and protobuf message and log them in the trace log.
References: pull request 9376
Apply filtering policies (RPZ) on CNAME chains as well.
References: #9363, pull request 9414
Fix warning: initialized lambda captures are a C++14 extension.
References: pull request 9411
Clean some coverity reported cases of exceptions thrown but not caught.
References: pull request 9412
Export record cache lock (contention) stats via the various channels.
References: pull request 9391
Allow multiple local data records when doing RPZ IP matching.
References: pull request 9396
Replace the use of ‘1’ by QClass::IN to improve readability.
References: pull request 9380
Avoid name clashes on Solaris derived systems.
References: #9279, pull request 9348
Allow some more depth headroom for the no-qname-minimization fallback case.
References: pull request 9375
If we have an NS in cache, use it in the forwarder case.
References: #9227, pull request 9351
Disable outgoing v4 when query-local-address has no v4 addresses.
References: pull request 9196
Resize hostname to final size in getCarbonHostname() (Aki Tuomi).
References: pull request 9343
Check that DNSKEYs have the zone flag set.
References: pull request 9308
Remove redundant toLogString() calls (Chris Hofstaedtler).
References: pull request 9314
Stop cluttering the global namespace with validation states.
References: pull request 9312
Use explicit flag for the specific version of c++ we’re targeting.
References: pull request 9231
Use new operator to print states.
References: pull request 9303
Refuse QType 0 right away, based on rfc6895 section 3.1.
References: pull request 9290
Specify a storage type for validation states.
References: pull request 9295
Common TCP write problems should only be logged if wanted.
References: pull request 9289
Dump the authority records of a negative cache entry as well.
References: pull request 9288
Alternative way to do “skip cname check” for DS and DNSKEY records.
References: #9266, pull request 9272
Control stack depth when priming.
References: pull request 9267
Add version ‘statistic’ to prometheus.
References: pull request 9252
Cleanup cache cleaner pruneCollection function.
References: pull request 9236
RPZ policy should override gettag_ffi answer by default.
References: pull request 9203
Don’t copy the records when scanning for CNAME loops.
References: pull request 9216
Do not use ‘using namespace std;’.
References: pull request 9213
More sophisticated CNAME loop detection.
References: #9153, #9194, pull request 9202
Use std::string_view when available (Rosen Penev).
References: pull request 9207
Make sure we can install unsigned packages.
References: pull request 9152
Clarify docs (Josh Soref).
References: pull request 9162
Ensure runtime dirs for virtual services differ.
References: pull request 9073
Builder: improve shipped config files (Chris Hofstaedtler).
References: #8094, pull request 9085
Using fewer negatives in error messages improves readability.
References: pull request 9100
Boost 1.73 moved boost::bind placeholders to the placeholders namespace.
References: pull request 9070
Fix useless copies in loop reported by clang++ 10.
References: pull request 9076
NetmaskTree: do not test node for null, the loop guarantees node is not null.
References: pull request 9078
Wrap pthread objects.
References: pull request 9067
Get rid of a naked pointer in the /dev/poll event multiplexer.
References: pull request 9053
Random engine.
References: #9004, pull request 9016
Update proxy-protocol.cc (ihsinme).
References: pull request 9320
Kill a signed vs unsigned warning on OpenBSD.
References: pull request 9302
Don’t validate a NXD with a NSEC proving that the name is an ENT.
References: pull request 9237
Fix three shared cache issues.
References: pull request 9226
Limit the TTL of RRSIG records as well.
References: #9193, pull request 9205
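Two of the entries above are validator sanity rules from the DNSSEC RFCs: "Check that DNSKEYs have the zone flag set" and "Limit the TTL of RRSIG records as well". As an added example (not PowerDNS Recursor code), the C++ below implements both rules as written in the RFCs: a DNSKEY whose Zone Key flag (bit 7, value 256) is clear must not be used to verify RRSIGs (RFC 4034 section 2.1.1), and after successful validation the TTL of both the RRset and its RRSIG is capped at the minimum of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL and the seconds left until signature expiration (RFC 4035 section 5.3.3). The function names `dnskeyUsableForValidation` and `cappedTTL`, and the assumption that the expiration time has already been checked to lie in the future, are this example's own.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>

// DNSKEY flags field (RFC 4034 section 2.1.1): bit 7 is the Zone Key flag
// (value 256 on the wire), bit 15 is the Secure Entry Point flag (value 1).
constexpr uint16_t DNSKEY_FLAG_ZONE = 0x0100;
constexpr uint16_t DNSKEY_FLAG_SEP  = 0x0001;

// A DNSKEY without the Zone Key flag holds some other kind of public key and
// MUST NOT be used to verify RRSIGs that cover RRsets. Whether the SEP bit is
// set makes no difference to this check.
bool dnskeyUsableForValidation(uint16_t flags) {
    return (flags & DNSKEY_FLAG_ZONE) != 0;
}

// TTL cap from RFC 4035 section 5.3.3, applied to the RRset and to the RRSIG
// alike: the cached TTL may not exceed the minimum of the four values below.
// Assumption for this example: sigExpiration >= now was already established
// while checking the signature validity window, so plain subtraction is safe
// (RFC 4034 uses serial-number arithmetic for the inception/expiration fields).
uint32_t cappedTTL(uint32_t rrsetTTL, uint32_t rrsigTTL, uint32_t originalTTL,
                   uint32_t sigExpiration, uint32_t now) {
    const uint32_t remaining = sigExpiration - now;
    return std::min({rrsetTTL, rrsigTTL, originalTTL, remaining});
}

int main() {
    // Constructed examples: a zone-signing key (256), a KSK (257) and a
    // non-zone key (0) as found in a DNSKEY RRset.
    for (uint16_t flags : {uint16_t{256}, uint16_t{257}, uint16_t{0}}) {
        std::cout << "DNSKEY flags=" << flags << " usable="
                  << (dnskeyUsableForValidation(flags) ? "yes" : "no") << '\n';
    }

    // Constructed RRSIG: RRset TTL 3600, RRSIG TTL 3600, Original TTL 3600,
    // but the signature expires in 600 seconds, so 600 wins.
    const uint32_t now = 1000;
    std::cout << "capped TTL: " << cappedTTL(3600, 3600, 3600, now + 600, now) << '\n';
    return 0;
}
```

Capping the RRSIG TTL separately matters because a cache that keeps the RRset and its signature as distinct entries would otherwise retain a signature past its own expiration time and hand it to downstream validators.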
Avoid throwing an exception in Logger::log().
References: pull request 9079
Implement native DNS64 support, without Lua.
References: pull request 8967
Add custom tags to RPZ hits.
References: pull request 8927
Allow attaching a ‘routing’ tag string to a query in lua code and use that tag in the record cache when appropriate.
References: pull request 8910
Share record cache between threads.
References: pull request 8898
Add support for Proxy Protocol between dnsdist and the recursor.
References: pull request 8874
Fix warnings with llvm10 and -Wrange-loop-construct (Kirill Ponomarev).
References: pull request 9000
Fix compilation without deprecated OpenSSL APIs (Rosen Penev).
References: pull request 8985
Detect availability of {Libre,Open}SSL functions during configure.
References: #8739, pull request 8900
Better handling of reconnections in Remote Logger.
References: pull request 8887
Add ‘queue full’ metrics for our remote logger, log at debug only.
References: #8629, pull request 8883
Update boost.m4.
References: #8875, pull request 8740, pull request 8876
Keep a masked network in the Netmask class.
References: pull request 8812
Replace include guard ifdef/define with pragma once (Chris Hofstaedtler).
References: pull request 8631
YaHTTP: Support bracketed IPv6 addresses.
References: pull request 8815
Rework NetmaskTree for better CPU and memory efficiency (Stephan Bosch).
References: pull request 8355
RPZ dumpFile/seedFile: store/get SOA refresh on dump/load.
References: pull request 8778
Add ‘IO wait’ and ‘steal’ metrics on Linux.
References: pull request 8783
DNSName: Don’t call strlen() when the length is already known.
References: pull request 8792
Fix build with gcc-10 (Sander Hoentjen).
References: pull request 8640
Fix compilation of the ports event multiplexer.
References: #9025, pull request 9031
Init zone’s d_priority field.
References: pull request 8830
QName Minimization sometimes uses 1 label too many.
References: #8697, pull request 8777