Changelogs for 4.8.X¶

4.8.9¶

Released: 14 of May 2024

Bug Fixes¶

Do not count RRSIGs using unsupported algorithms toward RRSIGs limit.
¶
References: #14049, pull request 14095
Correctly count NSEC3s considered when chasing the closest encloser.
¶
References: #13984, pull request 13996

4.8.8¶

Released: 24th of April 2024

Bug Fixes¶

Security advisory 2024-02: CVE-2024-25583
¶
References: pull request 14110

4.8.7¶

Released: 7th of March 2024

Improvements¶

Update new b-root-server.net addresses in built-in hints.
¶
References: #13387, pull request 13796

Bug Fixes¶

If serving stale, wipe CNAME records from cache when we get a NODATA negative response for them.
¶
References: #13353, pull request 13797
Fix the zoneToCache regression introduced by SA 2024-01.
¶
References: pull request 13799
Fix gathering of denial of existence proof for wildcard-expanded names.
¶
References: #13847, pull request 13854

4.8.6¶

Released: 13th of February 2024

Bug Fixes¶

Security advisory 2024-01: CVE-2023-50387 and CVE-2023-50868
¶
References: pull request 13784

4.8.5¶

Released: 25th of August 2023

Bug Fixes¶

(I)XFR: handle partial read of len prefix.
¶
References: #13105, pull request 13158
YaHTTP: Prevent integer overflow on very large chunks.
¶
References: #12892, pull request 13078
Stop using the now deprecated ERR_load_CRYPTO_strings() to detect OpenSSL.
¶
References: #12935, pull request 13077
Work around Red Hat 8 misfeature in OpenSSL’s headers.
¶
References: #12961, pull request 13076
Fix setting of policy tags for packet cache hits.
¶
References: #13021, pull request 13056

4.8.4¶

Released: 29th of March 2023

Bug Fixes¶

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable.
¶
References: pull request 12700

4.8.3¶

Released: 7th of March 2023

Improvements¶

Change a few logging urgency levels
¶
References: #12495, pull request 12608
Use correct name for isEntryUsable(). Existing code used the right logic but wrong name.
¶
References: #12347, pull request 12607

Bug Fixes¶

Fix serve-stale logic to not cause intermittent high CPU load by:
- correcting the removal of a negative cache entry,
- correcting the serve-stale main loop with respect to exception handling and
- correctly handle negcache entries with serve-state status.
¶
References: #12595, #12610, #12611, pull request 12613
Update validation state after a missing negative indication.
¶
References: #12598, pull request 12609

4.8.2¶

Released: 31th of January 2023

Improvements¶

Make cache cleaning of record a negative cache more fair when under pressure.
¶
References: #12374, pull request 12418
Do not report “not decreasing socket buf size” as an error.
¶
References: #12333, pull request 12345

Bug Fixes¶

Do not use “message” as key, it has a special meaning to systemd-journal.
¶
References: #12467, pull request 12475
When using serve-stale, wrong data can be returned from negative cache and record cache (zjs604381586).
¶
References: #12395, pull request 12457
Add the ‘parse packet from auth’ error message to structured logging.
¶
References: #12368, pull request 12456
Refresh of negcache stale entry might use wrong qtype (zjs604381586).
¶
References: #12352, pull request 12455
Do not chain ECS enabled queries, it can cause the wrong scope to be used for outgoing queries.
¶
References: #12407, pull request 12408
Fix compilation on FreeBSD. Reported by HellSpawn.
¶
References: #12317, pull request 12346
Properly encode json string containing binary data.
¶
References: #12260, pull request 12344

4.8.1¶

Released: 20th of January 2023

Bug Fixes¶

Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.
¶
References: pull request 12442

4.8.0¶

Released: 12th of December 2022

Bug Fixes¶

Refactor unsupported qtype code and make sure we ServFail on all unsupported qtypes.
¶
References: #12289, pull request 12293
Infra queries should not use refresh mode.
¶
References: #11376, #11776, #12078, #12219, pull request 12221

4.8.0-rc1¶

Released: 18th of November 2022

Bug Fixes¶

Also consider recursive forward in the “forwarded DS should not end up in negCache” code.
¶
References: #12189, #12199, pull request 12201
Correct skip record condition in processRecords.
¶
References: #12198, pull request 12200
Get DS records with QName Minimization switched on.
¶
References: #12175, pull request 12197
Fix typo in structured logging key.
¶
References: #12194, pull request 12196

4.8.0-beta2¶

Released: 7th of November 2022

Improvements¶

Only replace protobuf logger config objects if the reload changed them.
¶
References: #12063, pull request 12146
Be more lenient replacing auth by non-auth records in cache.
¶
References: #12140, pull request 12150

Bug Fixes¶

Fix SNMP OID numbers for rcode stats.
¶
References: #12155, pull request 12163
Implement output operator for QTypes, avoids numeric qtypes in trace logs.
¶
References: #12122, pull request 12162
Handle IXFR connect and transfer timeouts.
¶
References: #12125, pull request 12161
Log invalid RPZ content when obtained via IXFR.
¶
References: #12081, pull request 12145
Detect invalid bytes in makeBytesFromHex().
¶
References: #12066, pull request 12147

4.8.0-beta1¶

Released: 5th of October 2022

Improvements¶

Add support for NOD/UDR notifications using dnstap.
¶
References: pull request 12047
Protobuf and dnstap metrics, including rec_control subcommand to show them.
¶
References: #11841, pull request 11903, pull request 12049
Provide metrics for rcode received from authoritative servers.
¶
References: #7164, pull request 11949
Proxymapping metrics, including rec_control subcommand to show them.
¶
References: #11648, pull request 11866
Add querytime attribute to Lua DNSQuestion object, to see the time that a query was received.
¶
References: pull request 11909
Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).
¶
References: #11766, pull request 11768
Improve error message when invalid values for local-address are provided in recursor config file.
¶
References: pull request 11989
Enable SNMP support for debian and ubuntu builds.
¶
References: #11999, pull request 12011
Warn if snmp-agent is set but SNMP support is not available.
¶
References: #11998, pull request 12009
A few tweaks to structured logging calls.
¶
References: pull request 11959

Bug Fixes¶

Fix –config (should be equal to –config=default), followup to #11907.
¶
References: pull request 12048
Fix compilation of the event ports multiplexer.
¶
References: #12044, pull request 12046
When an expired NSEC3 entry is seen move it to the front of the expiry queue.
¶
References: pull request 12038
If new data is auth and existing data is not, replace even if cache locking is active.
¶
References: #11958, pull request 12027

Removals¶

Remove XPF support.
¶
References: pull request 11856

4.8.0-alpha1¶

Released: 23rd of September 2022

Improvements¶

Lock record cache entries if enabled by record-cache-locked-ttl-perc.
¶
References: pull request 11958
Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).
¶
References: pull request 11957
Axfr-retriever: abort on chunk with TC set.
¶
References: #11804, pull request 11953
Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).
¶
References: pull request 11955
Recursor: Add --config[=check|=diff|=default].
¶
References: pull request 11907
Implement optional Serve stale functionality, enabled by serve-stale-extensions..
¶
References: pull request 11776
Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).
¶
References: pull request 11906
Log socket directory path if there is a problem.
¶
References: pull request 11800
Handle Lua script loading errors.
¶
References: pull request 11823
Stop sending Server: header (Chris Hofstaedtler).
¶
References: #4979, pull request 11813
Keep time and count metrics when maintenance is called.
¶
References: #6981, pull request 11869
Consider dns64 processing in more cases than Rcode == NoError.
¶
References: pull request 11849
Set rec_control_LDFLAGS, needed for macOS or any platforms where libcrypto is not in default lib path.
¶
References: #11855, pull request 11857
Replace/remove jQuery (Chris Hofstaedtler)
¶
References: pull request 11812
Remove unused jsrender.js (Chris Hofstaedtler).
¶
References: pull request 11811
Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.
¶
References: #11736, pull request 11780
Set TCP_NODELAY on in and outgoing TCP.
¶
References: #11734, pull request 11754
Remove > 5 check on TTL of glue from the cache.
¶
References: pull request 11744
Structured logging for various subsystems.
¶
References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854
Make edns table a sparse table.
¶
References: pull request 11704, pull request 11779
Shared ednsmap.
¶
References: pull request 11601
Load IPv6 entries from etc-hosts file.
¶
References: #2248, pull request 11682
Use systemd-journal for structured logging if it is available and set by structured-logging-backend.
¶
References: #11705, #11706, pull request 11660, pull request 11709
Fix typos in stats log messages (Matt Nordhoff).
¶
References: #11654, #11671, pull request 11671, pull request 11680
Shared throttle map.
¶
References: pull request 11598
Adaptive root refresh interval, normally at 80% of max-cache-ttl.
¶
References: pull request 11381

Bug Fixes¶

Libssl: Properly load ciphers and digests with OpenSSL 3.0.
¶
References: #11853, pull request 11862
rec_control: test for --version before requiring an argument.
¶
References: #11864, pull request 11867
Make rec zone files with trailing dot (phonedph1).
¶
References: pull request 11672
Handle file related errors initially loading Lua script.
¶
References: #10079, #11818, pull request 11820