Do not count RRSIGs using unsupported algorithms toward RRSIGs limit.
References: #14049, pull request 14095
Correctly count NSEC3s considered when chasing the closest encloser.
References: #13984, pull request 13996
Security advisory 2024-02: CVE-2024-25583
References: pull request 14110
Update new b-root-server.net addresses in built-in hints.
References: #13387, pull request 13796
If serving stale, wipe CNAME records from cache when we get a NODATA negative response for them.
References: #13353, pull request 13797
Fix the zoneToCache regression introduced by SA 2024-01.
References: pull request 13799
Fix gathering of denial of existence proof for wildcard-expanded names.
References: #13847, pull request 13854
Security advisory 2024-01: CVE-2023-50387 and CVE-2023-50868
References: pull request 13784
(I)XFR: handle partial read of len prefix.
References: #13105, pull request 13158
YaHTTP: Prevent integer overflow on very large chunks.
References: #12892, pull request 13078
Stop using the now deprecated ERR_load_CRYPTO_strings() to detect OpenSSL.
References: #12935, pull request 13077
Work around Red Hat 8 misfeature in OpenSSL’s headers.
References: #12961, pull request 13076
Fix setting of policy tags for packet cache hits.
References: #13021, pull request 13056
PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable.
References: pull request 12700
Change a few logging urgency levels.
References: #12495, pull request 12608
Use correct name for isEntryUsable(). Existing code used the right logic but wrong name.
References: #12347, pull request 12607
Fix serve-stale logic to not cause intermittent high CPU load by:
References: #12595, #12610, #12611, pull request 12613
Update validation state after a missing negative indication.
References: #12598, pull request 12609
Make cache cleaning of record and negative cache more fair when under pressure.
References: #12374, pull request 12418
Do not report “not decreasing socket buf size” as an error.
References: #12333, pull request 12345
Do not use “message” as key, it has a special meaning to systemd-journal.
References: #12467, pull request 12475
When using serve-stale, wrong data can be returned from negative cache and record cache (zjs604381586).
References: #12395, pull request 12457
Add the ‘parse packet from auth’ error message to structured logging.
References: #12368, pull request 12456
Refresh of negcache stale entry might use wrong qtype (zjs604381586).
References: #12352, pull request 12455
Do not chain ECS enabled queries, it can cause the wrong scope to be used for outgoing queries.
References: #12407, pull request 12408
Fix compilation on FreeBSD. Reported by HellSpawn.
References: #12317, pull request 12346
Properly encode JSON string containing binary data.
References: #12260, pull request 12344
Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.
References: pull request 12442
Refactor unsupported qtype code and make sure we ServFail on all unsupported qtypes.
References: #12289, pull request 12293
Infra queries should not use refresh mode.
References: #11376, #11776, #12078, #12219, pull request 12221
Also consider recursive forward in the “forwarded DS should not end up in negCache” code.
References: #12189, #12199, pull request 12201
Correct skip record condition in processRecords.
References: #12198, pull request 12200
Get DS records with QName Minimization switched on.
References: #12175, pull request 12197
Fix typo in structured logging key.
References: #12194, pull request 12196
Only replace protobuf logger config objects if the reload changed them.
References: #12063, pull request 12146
Be more lenient replacing auth by non-auth records in cache.
References: #12140, pull request 12150
Fix SNMP OID numbers for rcode stats.
References: #12155, pull request 12163
Implement output operator for QTypes, avoids numeric qtypes in trace logs.
References: #12122, pull request 12162
Handle IXFR connect and transfer timeouts.
References: #12125, pull request 12161
Log invalid RPZ content when obtained via IXFR.
References: #12081, pull request 12145
Detect invalid bytes in makeBytesFromHex().
References: #12066, pull request 12147
Add support for NOD/UDR notifications using dnstap.
References: pull request 12047
Protobuf and dnstap metrics, including rec_control subcommand to show them.
References: #11841, pull request 11903, pull request 12049
Provide metrics for rcode received from authoritative servers.
References: #7164, pull request 11949
Proxymapping metrics, including rec_control subcommand to show them.
References: #11648, pull request 11866
Add querytime attribute to Lua DNSQuestion object, to see the time a query was received.
References: pull request 11909
Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).
References: #11766, pull request 11768
Improve error message when invalid values for local-address are provided in recursor config file.
References: pull request 11989
Enable SNMP support for Debian and Ubuntu builds.
References: #11999, pull request 12011
Warn if snmp-agent is set but SNMP support is not available.
References: #11998, pull request 12009
A few tweaks to structured logging calls.
References: pull request 11959
Fix --config (should be equal to --config=default), followup to #11907.
References: pull request 12048
Fix compilation of the event ports multiplexer.
References: #12044, pull request 12046
When an expired NSEC3 entry is seen, move it to the front of the expiry queue.
References: pull request 12038
If new data is auth and existing data is not, replace even if cache locking is active.
References: #11958, pull request 12027
Remove XPF support.
References: pull request 11856
Lock record cache entries if enabled by record-cache-locked-ttl-perc.
References: pull request 11958
Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).
References: pull request 11957
Axfr-retriever: abort on chunk with TC set.
References: #11804, pull request 11953
Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).
References: pull request 11955
Recursor: Add --config[=check|=diff|=default].
References: pull request 11907
Implement optional Serve stale functionality, enabled by serve-stale-extensions.
References: pull request 11776
Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).
References: pull request 11906
Log socket directory path if there is a problem.
References: pull request 11800
Handle Lua script loading errors.
References: pull request 11823
Stop sending Server: header (Chris Hofstaedtler).
References: #4979, pull request 11813
Keep time and count metrics when maintenance is called.
References: #6981, pull request 11869
Consider dns64 processing in more cases than Rcode == NoError.
References: pull request 11849
Set rec_control_LDFLAGS, needed for macOS or any platforms where libcrypto is not in default lib path.
References: #11855, pull request 11857
Replace/remove jQuery (Chris Hofstaedtler).
References: pull request 11812
Remove unused jsrender.js (Chris Hofstaedtler).
References: pull request 11811
Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.
References: #11736, pull request 11780
Set TCP_NODELAY on in and outgoing TCP.
References: #11734, pull request 11754
Remove > 5 check on TTL of glue from the cache.
References: pull request 11744
Structured logging for various subsystems.
References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854
Make edns table a sparse table.
References: pull request 11704, pull request 11779
Shared ednsmap.
References: pull request 11601
Load IPv6 entries from etc-hosts file.
References: #2248, pull request 11682
Use systemd-journal for structured logging if it is available and set by structured-logging-backend.
References: #11705, #11706, pull request 11660, pull request 11709
Fix typos in stats log messages (Matt Nordhoff).
References: #11654, #11671, pull request 11671, pull request 11680
Shared throttle map.
References: pull request 11598
Adaptive root refresh interval, normally at 80% of max-cache-ttl.
References: pull request 11381
Libssl: Properly load ciphers and digests with OpenSSL 3.0.
References: #11853, pull request 11862
rec_control: test for --version before requiring an argument.
References: #11864, pull request 11867
Make rec zone files with trailing dot (phonedph1).
References: pull request 11672
Handle file related errors initially loading Lua script.
References: #10079, #11818, pull request 11820