Correct skip record condition in processRecords.
References: #12198, pull request 12228
Also consider recursive forward in the “forwarded DS should not end up in negCache code.”
References: #12189, #12199, pull request 12225
Timeout handling for IXFRs as a client.
References: #12125, pull request 12192
Log invalid RPZ content when obtained via IXFR.
References: #12081, pull request 12169
When an expired NSEC3 entry is seen, move it to the front of the expiry queue.
References: #12038, pull request 12166
QType ADDR is supposed to be used internally only.
References: #11337, #11338, pull request 12165
For zones having many NS records, we are not interested in all of them, so take a sample.
References: #11904, pull request 11939
Also check qperq limit if throttling happened, as it increases counters.
References: #11848, pull request 11899
Failure to retrieve DNSKEYs of an Insecure zone should not be fatal.
References: #11890, pull request 11942
PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.
References: pull request 11874, pull request 11875
Fix API issue when asking config values for allow-from or allow-notify-from.
References: pull request 11609, pull request 11634
Do cache negative results, even when wasVariable() is true.
References: #10994, #11010, pull request 11024
Be more careful using refresh mode only for the record asked.
References: #11371, pull request 11419
Use the Lua context stored in SyncRes when calling hooks.
References: #11300, pull request 11384
This is a security fix release for PowerDNS Security Advisory 2022-01. Additionally, because CentOS 8 is end of life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
Fix validation of incremental zone transfers (IXFRs).
References: pull request 11457
A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records.
References: #10908, pull request 10912
rec_control wipe-cache-typed should check if a qtype arg is present and valid.
References: #10905, pull request 10911
Put the correct string into appliedPolicyTrigger for Netmask matching rules.
References: #10842, pull request 10863
Do not use DNSKEYs found below an apex for validation.
References: #10565, pull request 10806
Detect a loop when the denial of the DS comes from the child zone.
References: #10622, pull request 10807
Match ordering of PacketID using the Birthday vs non-Birthday comparator.
References: #10632, pull request 10809
Pass the Lua context to follow up queries (follow CNAME, dns64).
References: #10633, pull request 10811
Only the DNAME records are authoritative in DNAME answers.
References: #10718, pull request 10813
Use the correct RPZ policy name for statistics when loading via XFR.
References: #10768, pull request 10803
Fix the aggressive cache returning duplicated NSEC3 records.
References: #10701, pull request 10717
NS from the cache could be a forwarder; take that into account for the throttling decision.
References: #10643, pull request 10655
Check in more places if the policy has been updated before using or modifying it.
References: #10627, pull request 10629
Work around clueless servers sending AA=0 answers.
References: #10555, pull request 10564
Ancestor NSEC3s can only deny the existence of a DS.
References: #10587, pull request 10593
Make really sure we did not miss a cut on validation failure.
References: #10570, pull request 10575
Clear the current proxy protocol values each iteration.
References: #10515, pull request 10573
Make sure that we pass the SOA along the NSEC(3) proof for DS queries.
References: pull request 10519
Change nsec3-max-iterations default to 150.
References: #10440, pull request 10477
For the NOD lookup case, we don’t want QName Minimization.
References: #10420, pull request 10422
Don’t follow referral from the parent to the child for DS queries.
References: #10460, pull request 10476
When refreshing, do not consider root almost expired.
References: #10426, pull request 10475
Take into account q_quiet when determining loglevel and change a few loglevels.
References: #10396, pull request 10474
Only add the NSEC and RRSIG records once in wildcard NODATA answers.
References: #10350, pull request 10473
Prevent a race in the aggressive NSEC cache.
References: pull request 10377
Apply dns64 on RPZ hits generated after a gettag_ffi hit.
References: pull request 10353
Boost 1.76 containers: use standard exceptions.
References: #10329, pull request 10335
Fix wording in edns-padding-tag help.
References: #10318, pull request 10334
Improve packet cache size computation now that TCP answers are also cached.
References: #10312, pull request 10333
Print the covering NSEC in tracing log.
References: #10298, pull request 10307
Do not put results of DS query for auth or forward domains in negcache.
References: #10317, pull request 10320
Use the correct ECS address when proxy-protocol is enabled.
References: #10303, pull request 10319
Exception loading the RPZ seed file is not fatal.
References: #10291, pull request 10306
RPZ dumper: stop generating double zz labels on networks that start with zeroes.
References: #10286, pull request 10305
Log local IP in dnstap messages.
References: #10268, pull request 10280
Also disable PMTU for IPv6.
References: #10264, pull request 10279
Clear “from” in record cache if we don’t know where the update came from.
References: #10232, pull request 10278
Better handling of stranded DNSKEYs.
References: #10223, pull request 10277
Support TCP FastOpen connect on outgoing connections.
References: #7982, pull request 9995
Implement EDNS0 padding (RFC 7830) for outgoing responses.
References: pull request 8918
Get rid of early zone cut computation when doing DNSSEC validation.
References: pull request 10057
Insert hints as non-auth into cache.
References: #10177, pull request 10182
Don’t pick up random root NS records from AUTHORITY sections.
References: #10125, pull request 10178
Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant.
References: #7591, pull request 10161
Make sure we take the right minimum for the packet cache TTL data.
References: pull request 10185
Check sizeof(time_t) to be at least 8.
References: pull request 10010
Change dnssec default to process.
References: pull request 10118
Implement RFC 8198 - Aggressive Use of DNSSEC-Validated Cache.
References: pull request 10047
Be less verbose telling we are looking up CNAMEs or DNAMEs while tracing.
References: pull request 10112
Add validation state to protobuf message.
References: #8587, pull request 10113
Add Policy Kind / RPZ action to Protobuf messages.
References: #9653, #9654, pull request 10109
Count DNSSEC stats for given names in a different set of counters.
References: #10058, pull request 10089
Remember non-resolving nameservers.
References: pull request 10096
Pass an fd to dump to from rec_control to the recursor.
References: pull request 9468
Introduce settings to never cache EDNS Client (v4/v6) Subnet carrying replies.
References: pull request 10075
Change spoof-nearmiss-max default to 1.
References: #9845, pull request 10077
Add missing entries to Prometheus metrics.
References: #10021, pull request 10022
Also use packetcache for TCP queries.
References: pull request 9990
Document taskqueue metrics and add them to SNMP MIB.
References: #10009, pull request 10020
Treat the .localhost domain as special.
References: pull request 9996
Handle policy (if needed) after postresolve and document the hooks better.
References: #10080, pull request 10111
Return current rcode instead of 0 if there are no CNAME records to follow.
References: #9547, pull request 10064
Introduce “Refresh almost expired”, a mechanism to keep the record cache warm.
References: #440, pull request 9699
Use protozero for Protocol Buffer operations in dnsdist, and dnstap/outgoing for the recursor.
References: #9780, #9781, pull request 9630, pull request 9843
Use a short-lived NSEC3 hashes cache for denial validation.
References: pull request 9856
Introduce synonyms for offensive language in settings and docs.
References: pull request 9670
Handle failure to start the web server more gracefully.
References: #9808, pull request 9812
Switch default TTL override to 1.
References: pull request 9720
Log the exact Bogus state when ‘dnssec-log-bogus’ is enabled.
References: pull request 9806, pull request 9828
Switch to TCP in case of spoofing (near-miss) attempts.
References: pull request 9744
Add support for RFC 8914: Extended DNS Errors.
References: pull request 9673
Two OpenBSD improvements for UDP sockets: port randomization and EAGAIN errors.
References: pull request 9633
Cleanup of RPZ refresh handling.
References: pull request 9594
Refactor the percentage computation and use rounding.
References: pull request 9629
Throttle servers sending invalid data and rcodes.
References: pull request 9571
Terminate TCP connections instead of ‘ignoring’ errors.
References: pull request 9572
Don’t parse any config with --version.
References: pull request 9569
Expose typed cache flush via Web API.
References: pull request 9562
Remove query-local-address6.
References: pull request 9554
Lua: add backtraces to errors.
References: pull request 8942
Log the line received from rec_control.
References: pull request 9493
Shared and sharded neg cache.
References: pull request 9475
Look up DS entries before CNAME entries.
References: #9621, pull request 9883
Fix the gathering of denial proof for wildcard-expanded answers.
References: pull request 9793
Actually discard invalid RRSIGs with too high labels count.
References: pull request 9789
x-our-latency is a gauge.
References: #9638, pull request 9686
Make parsing of ip:port a bit smarter.
References: #7743, pull request 9432
Fix wipe-cache-typed.
References: pull request 9515
Detach snmp thread to avoid trouble when trying to quit nicely.
References: pull request 9492