Previous topic

Changelogs for 4.1.x

Next topic

Changelogs for 3.x and older

This Page

Changelogs for 4.0.x

PowerDNS Authoritative Server 4.0.9

Released 1st of August 2019

This release contains the updated PostgreSQL schema for PowerDNS Security Advisory 2019-06 (CVE-2019-10203).

Upgrading is not enough - you need to manually apply the schema change: ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;

PowerDNS Authoritative Server 4.0.8

Released 21st of June 2019

This release fixes PowerDNS Security Advisories 2019-04 and 2019-05.

PowerDNS Authoritative Server 4.0.7

Released 18th of March 2019

This release fixes PowerDNS Security Advisory 2019-03: Insufficient validation in the HTTP remote backend (CVE-2019-3871)

Bug fixes

  • #7582: Insufficient validation in the HTTP remote backend (CVE-2019-3871)

PowerDNS Authoritative Server 4.0.6

Released 6th of November 2018

This release fixes PowerDNS Security Advisory 2018-03: Crafted zone record can cause a denial of service (CVE-2018-10851)

Bug fixes

  • #7150: Crafted zone record can cause a denial of service (CVE-2018-10851)
  • #7135: Fix el6 builds


  • #6315: Prevent cname + other data with dnsupdate
  • #7119: Switch to devtoolset 7 for el6

PowerDNS Authoritative Server 4.0.5

Released 27th of November 2017

This release fixes PowerDNS Security Advisory 2017-04: Missing check on API operations (CVE-2017-15091).

Bug fixes

  • #4650: Bindbackend: do not corrupt data supplied by other backends in getAllDomains (Chris Hofstaedtler)
  • #4751: API: prevent sending nameservers list and zone-level NS in rrsets (Chris Hofstaedtler)
  • #4929: gpgsql: make statement names actually unique (Chris Hofstaedtler)
  • #4997: Fix remotebackend params (Aki Tuomi)
  • #5051: Fix godbc query logging
  • #5125: For create-slave-zone, actually add all slaves, and not only first n times
  • #5161: Fix a regression in axfr-rectify + test (Arthur Gautier)
  • #5408: When making a netmask from a comboaddress, we neglected to zero the port
  • #5599: Fix libatomic detection on ppc64
  • #5641: Catch DNSName exception in the Zoneparser
  • #5722: Publish inactive KSK/CSK as CDNSKEY/CDS
  • #5730: Handle AFSDB record separately due to record structure. Fixes #4703 (Johan Jatko)
  • #5678: Treat requestor’s payload size lower than 512 as equal to 512
  • #5766: Correctly purge entries from the caches after a transfer
  • #5777: Handle a signing pipe worker dying with work still pending
  • #5815: Ignore SOA-EDIT for PRESIGNED zones. Fixes #5814
  • #5933: Check return value for all getTSIGKey calls. Fixes #5931
  • #5996: Deny cache flush, zone retrieve and notify if the API is RO (Security Advisory


  • #4922: Fix ldap-strict autoptr feature, including a test
  • #5043: mydnsbackend: Add getAllDomains (Aki Tuomi)
  • #5112: Stubresolver: Use only recursor setting if given
  • #5147: LuaWrapper: Allow embedded NULs in strings received from Lua
  • #5277: sdig: Clarify that the ednssubnet option takes “subnet/mask”
  • #5309: Tests: Ensure all required tools are available (Arthur Gautier)
  • #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
  • #5349: LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
  • #5498: Add support for Botan 2.x
  • #5509: Ship ldapbackend schema files in tarball (Chris Hofstaedtler)
  • #5518: Collection of schema changes (Kees Monshouwer)
  • #5523: Fix typo in two log messages (Ruben Kerkhof)
  • #5598: Add help text on autodetecting systemd support
  • #5723: Use a unique pointer for bind backend’s d_of
  • #5826: Fix some of the issues found by @jpmens

PowerDNS Authoritative Server 4.0.4

Released 23rd of June 2017

This release features a fix for the ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

Bug fixes

  • #5423: Do not hash the message in the ed25519 signer (Kees Monshouwer)
  • #5445: Make URI integers 16 bits, fixes #5443
  • #5346: Corrects syntax error in test statement on existence of libcrypto_ecdsa (shinsterneck)
  • #5440: Fix quoting issue fixes #5401
  • #4824: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5016: Check if we can link against libatomic if needed
  • #5341: Fix typo in from issue #5091 (shantikulkarni)
  • #5289: Sort NSEC record case insensitive (Kees Monshouwer)
  • #5378: Make sure NSEC ordernames are always lower case
  • #4781: API: correctly take TTL from first record even if we are at the last comment (Chris Hofstaedtler)
  • #4901: Fix AtomicCounter unit tests on 32-bit
  • #4911: Fix negative port detection for IPv6 addresses on 32-bit
  • #4508: Remove support for ‘right’ timezones, as this code turned out to be broken
  • #4961: Lowercase the TSIG algorithm name in hash computation
  • #5048: Handle exceptions raised by closesocket()
  • #5297: Don’t leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend
  • #5450: TinyCDB backend: Don’t leak a CDB object in case of bogus data


  • #5071: ODBC backend: Allow query logging
  • #5441: Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees Monshouwer)
  • #5325: YaHTTP: Sync with upstream changes
  • #5298: Send a notification to all slave servers after every dnsupdate (Kees Monshouwer)
  • #5317: Add option to set a global lua-axfr-script value (Kees Monshouwer)
  • #5130: dnsreplay: Add --source-ip and --source-port options
  • #5085: calidns: Use the correct socket family (IPv4 / IPv6)
  • #5170: Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer)
  • #4622: API: Make trailing dot handling consistent with pdnsutil (Tuxis Internet Engineering)
  • #4762: SuffixMatchNode: Fix insertion issue for an existing node
  • #4861: Do not resolve the NS-records for NOTIFY targets if the “only-notify” whitelist is empty, as a target will never match an empty whitelist.
  • #5378: Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
  • #5297: Create additional reuseport sockets before dropping privileges; remove transaction in pgpsql backend

PowerDNS Authoritative Server 4.0.3

Released January 17th 2017

This release fixes an issue when using multiple backends, where one of the backends is the BIND backend. This regression was introduced in 4.0.2.

Bug fix

  • #4905: Revert “auth: In Bind2Backend::lookup(), use the zoneId when we have it”

PowerDNS Authoritative Server 4.0.2

Released January 13th 2017

This release fixes PowerDNS Security Advisories 2016-02, 2016-03, 2016-04 and 2016-05 and includes a fix for a memory leak in the Postgresql backend.

Bug fixes

  • commit f61af48: Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • commit 592006d: Don’t exit if the webserver can’t accept a connection (Security Advisory 2016-03)
  • commit e85acc6: Check TSIG signature on IXFR (Security Advisory 2016-04)
  • commit 3b1e4a2: Correctly check unknown record content size (Security Advisory 2016-05)
  • commit 9ecbf02: ODBC backend: actually prepare statements
  • commit a4d607b: Fix incorrect length check in DNSName when extracting qtype or qclass
  • commit c816fe3: Fix a possible memory leak in the webserver
  • #4287: Better handling of invalid serial
  • #4306: Limit size of mysql cell to 128 kilobytes
  • #4314: Overload fix: make overload-queue-length work as intended again, add test for it.
  • #4317: Improve root-zone performance
  • #4319: pipe: SERVFAIL when needed
  • #4360: Make sure mariadb (mysql on centos/rhel) is started before pdns (42wim)
  • #4387: ComboAddress: don’t allow invalid ports
  • #4459: Plug memory leak in postgresql backend (Chris Hofstaedtler)
  • #4544: Fix a stack-based off-by-one write in the HTTP remote backend
  • #4755: calidns: Don’t crash if we don’t have enough ‘unknown’ queries remaining

Additions and Enhancements

  • commit 1238e06: disable negative getSOA caching if the negcache_ttl is 0 (Kees Monshouwer)
  • commit 3a0bded, commit 8c879d4, commit 8c03126, commit 5656e12 and commit c1d283d: Improve PacketCache cleaning (Kees Monshouwer)
  • #4261: Strip trailing dot in PTR content (Kees Monshouwer)
  • #4269: contrib: simple bash completion for pdnsutil (j0ju)
  • #4272: Bind backend: update status message on reload, keep the existing zone on failure
  • #4274: report DHCID type (Kees Monshouwer)
  • #4310: Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
  • #4323: Speedup DNSName creation
  • #4335: fix TSIG for single thread distributor (Kees Monshouwer)
  • #4346: change default for any-to-tcp to yes (Kees Monshouwer)
  • #4356: Don’t look up the packet cache for TSIG-enabled queries
  • #4403: (auth) Fix build with OpenSSL 1.1.0 final (Chris Hofstaedtler)
  • #4442: geoipbackend: Fix minor naming issue (Aki Tuomi)
  • #4454: pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
  • #4541: Backport of #4542: API: search should not return ENTs (Chris Hofstaedtler)
  • #4754: In Bind2Backend::lookup(), use the zoneId when we have it

PowerDNS Authoritative Server 4.0.1

Released July 29th 2016

This release fixes two small issues and adds a setting to limit AXFR and IXFR sizes, in response to CVE-2016-6172.

Bug fixes

  • #4126 Wait for the connection to the carbon server to be established
  • #4206 Don’t try to deallocate empty PG statements
  • #4245 Send the correct response when queried for an NSEC directly (Kees Monshouwer)
  • #4252 Don’t include bind files if length <= 2 or > sizeof(filename)
  • #4255 Catch runtime_error when parsing a broken MNAME


  • #4044 Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
  • #4056 OpenSSL 1.1.0 support (Chris Hofstaedtler)
  • #4169 Fix typos in a logmessage and exception (Chris Hofstaedtler)
  • #4183 pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo)
  • #4192 dnsreplay: Only add Client Subnet stamp when asked
  • #4250 Use toLogString() for ringAccount (Kees Monshouwer)


  • #4133 Add limits to the size of received {A,I}XFR (CVE-2016-6172)
  • #4142 Add used filedescriptor statistic (Kees Monshouwer)

PowerDNS Authoritative Server 4.0.0

Released July 11th 2016

PowerDNS Authoritative Server 4.0.0 is part of the great 4.x “Spring Cleaning” of PowerDNS which lasted through the end of 2015.

As part of the general cleanup and improvements, we did the following:

  • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping.
  • All backends derived from the Generic SQL backend use prepared statements.
  • Both the server and pdns_control do the right thing when chroot’ed.

In addition to this cleanup, 4.0.0 brings the following new features:

  • A revived ODBC backend (godbc).
  • A revived LDAP backend (ldap).
  • Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
  • Support for the ALIAS record.
  • The webserver and API are no longer marked experimental.
    • The API-path has moved to /api/v1
  • DNSUpdate is no longer experimental.
  • Default ECDSA (algorithms 13 and 14) support without external dependencies.
  • Experimental support for ed25519 DNSSEC signatures (when compiled with libsodium support).
  • IXFR consumption support.
  • Many new pdnsutil commands
    • help command now produces the help
    • Warns if the configuration file cannot be read
    • Does not check disabled records with check-zone unless verbose mode is enabled
    • create-zone command creates a new zone
    • add-record command to add records
    • delete-rrset and replace-rrset commands to delete and add rrsets
    • edit-zone command that spawns $EDITOR with the zone contents in zonefile format regardless of the backend used (blogpost

The following backend have been dropped in 4.0.0:

  • LMDB.
  • Geo (use the improved GeoIP instead).

Important changes:

  • pdnssec has been renamed to pdnsutil
  • PowerDNS Authoritative Server now listens by default on all IPv6 addresses.
  • The default for pdnsutil secure-zone has been changed from 1 2048 bit RSA KSK and 1 1024 bit RSA ZSK to a single 256 bit ECDSA (algorithm 13, ECDSAP256SHA256) key.
  • Several superfluous queries have been dropped from the SQL backend, if you use a non-standard SQL schema, please review the new defaults
    • insert-ent-query, insert-empty-non-terminal-query, insert-ent-order-query have been replaced by one query named insert-empty-non-terminal-order-query
    • insert-record-order-query has been dropped, insert-record-query now sets the ordername (or NULL)
    • insert-slave-query has been dropped, insert-zone-query now sets the type of zone
  • Crypto++ and mbedTLS support is dropped, these are replaced by OpenSSL
  • The INCEPTION and INCEPTION-WEEK SOA-EDIT metadata values are marked as deprecated and will be removed in 4.1

The final release has the following bug fixes compared to rc2:

  • #4071 Abort on backend failures at startup and retry while running (Kees Monshouwer)
  • #4099 Don’t leak TCP connection descriptor if pthread_create() failed
  • #4137 gsqlite3: Check whether foreign keys should be turned on (Aki Tuomi)

And the following improvements:

  • #3051 Better error message for unfound new slave domains
  • #4123 check-zone: warn on mismatch between algo and NSEC mode

PowerDNS Authoritative Server 4.0.0-rc2

Released June 29th 2016


rc1 was tagged in git but never officially released. Kees Monshouwer discovered an issue in the gmysql backend that would terminate the daemon on a connection error, this fixed in rc2.

This Release Candidate adds IXFR consumption and fixes some issues with prepared statements:

  • #3937 GSQL: use lazy prepared statements (Aki Tuomi)
  • #3949 Implement IXFR-based slaving for Authoritative, fix duplicate AXFRs
  • #4066 Don’t die on a mysql timeout (Kees Monshouwer)

Other improvements:

  • #4061 Various fixes, a MySQL-query fix that improves performance and one that allows shorter best matches in getAuth()
  • #3962 Fix OpenBSD support
  • #3972 API: change PATCH/PUT on zones to return 204 No Content instead of full zone (Chris Hofstaedtler)
  • #3917 Remotebackend: Add getAllDomains call (Aki Tuomi)

Bug fixes and changes:

  • #3998 remove gsql::isOurDomain for now (Kees Monshouwer)
  • #3989 Fix usage of std::distance() in DNSName::isPartOf()
  • #4001 re enable validDNSName() check (Kees Monshouwer)
  • #3930 Have pdns_control bind-add-zone check for zonefile
  • #3400 Fix building on OpenIndiana
  • #3961 Allow building on CentOS 6 i386
  • #3940 auth: Don’t build dnsbulktest and dnstcpbench if boost is too old, fixes building on CentOS 6
  • #3931 Rename notify to pdns_notify (Chris Hofstaedtler)

PowerDNS Authoritative Server 4.0.0-beta1

Released May 27th 2016

This release features several small fixes and deprecations.

Improvements and Additions

  • #3851 Disable algorithm 13 and 14 if OpenSSL does not support ecdsa or the required curves (Kees Monshouwer)
  • #3857 Add simple stubquery tool for testing the stubresolver
  • #3859 build scripts: Stop patching config-dir in pdns.conf (Chris Hofstaedtler)
  • #3872 Add support for multiple carbon servers
  • #3901 Add support for virtual hosting with systemd

Bug fixes

  • #3856 Deal with unset name in nproxy replies

PowerDNS Authoritative Server 4.0.0-alpha3

Released May 11th 2016

Notable changes since 4.0.0-alpha2

  • #3415 pdnsutil: add clear-zone command
  • #3586 Remove send-root-referral option
  • #3578 Add disable-syslog option
  • #3733 ALIAS improvements: DNSSEC and optional on-AXFR expansion of records
  • #3764 Notify support for systemd
  • #3807 Add TTL settings for DNSSECKeeper’s caches

Bug fixes

  • #3553 pdnsutil: properly show key sizes for presigned zones in show-zone
  • #3507 webserver: mask out the api-key setting (Chris Hofstaedtler)
  • #3580 bindbackend: set domain in list() (Kees Monshouwer)
  • #3595 pdnsutil: add NS record without trailing dot with create-zone
  • #3653 Allow tabs as whitespace in zonefiles
  • #3666 Restore recycle backend behaviour (Kees Monshouwer)
  • #3612 Prevent segfault in PostgreSQL backend
  • #3779, #3768, #3766, #3783 and #3789 DNSName and other hardening improvements
  • #3784 fix SOA caching with multiple backends (Kees Monshouwer)
  • #3827 Force NSEC3PARAM algorithm to 1, fixes validation issues when set to not 1


  • #3637, #3678, #3740 Correct root-zone slaving and serving (Kees Monshouwer and others)
  • #3495 API: Add discovery endpoint (Chris Hofstaedtler)
  • #3389 pdnsutil: support chroot
  • #3596 Remove botan-based ecdsa and rsa signers (Kees Monshouwer)
  • #3478, #3603, #3628 Various build system improvements (Ruben Kerkhof)
  • #3621 Always lowercase when inserting into the database
  • #3651 Rename PUBLISH_* to PUBLISH-* domainmetadata
  • #3656 API: clean up cryptokeys resource (Chris Hofstaedtler)
  • #3632 pdnsutil: Fix exit statuses to constants and return 0 when success (saltsa)
  • #3655 API: Fix set-ptr to honor SOA-EDIT-API (Chris Hofstaedtler)
  • #3720 Many fixes for dnswasher (Robert Edmonds)
  • #3707, #3788 Make MySQL timeout configurable (Kees Monshouwer and Brynjar Eide)
  • #3806 Move key validity check out of fromISCMap(), improves DNSSEC performance
  • #3820 pdnsutil load-zone: ignore double SOA

PowerDNS Authoritative Server 4.0.0-alpha2

Released February 25th 2016

Notable changes since 4.0.0-alpha1

  • #3037 Remove superfluous gsql queries and stop relying on schema defaults
  • #3176, #3139 OpenSSL support (Chris Hofstaedtler and Kees Monshouwer)
  • #3128 ECDSA support to DNSSEC infra via OpenSSL (Kees Monshouwer)
  • #3281, #3283, #3363 Remove Crypto++ and mbedTLS support
  • #3298 Implement pdnsutil create-zone zone nsname, add-record, delete-rrset, replace-rrset
  • #3407 API: Permit wildcard manipulation (Aki Tuomi)
  • #3230 API: drop JSONP, add web security headers (Chris Hofstaedtler)
  • #3428 API: Fix zone/records design mistake (Chris Hofstaedtler)
    • Note: this is a breaking change from alpha1, please review the API documentation <../httpapi>

Bug fixes

  • #3124 Fix several bugs with introduced with the change to a single signing key (e.g. the SEP bit is set on these single keys)
  • #3151 Catch DNSName build errors in dynhandler (Chris Hofstaedtler)
  • #3264 GeoIP backend: Use correct id numbers for domains (Aki Tuomi)
  • #3271 ZoneParser: Throw PDNSException on too many SOA data elements
  • #3302 Fix bindbackend’s feedRecord to handle being slave for the root
  • #3399 Report OpenSSL RSA keysize in bits (Kees Monshouwer)


  • #3119 Show DNSSEC keys for slaved zone (Aki Tuomi)
  • #3255 Don’t log authentication errors before sending HTTP basic auth challenge (Jan Broer)
  • #3338 Add weight feature to GeoIP backend (Aki Tuomi)
  • #3364 Shrink PacketID by 10% by eliminating padding. (Andrew Nelless)
  • #3443 Many speedup and correctness fixes

PowerDNS Authoritative Server 4.0.0-alpha1

Released December 24th 2015