Changelogs for 4.1.x


Released: 4th of December 2017

This is the first release in the 4.1 train.

The full release notes can be read on the blog.

This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).

  • Improved DNSSEC support,
  • Improved documentation,
  • Improved RPZ support,
  • Improved EDNS Client Subnet support,
  • Support for Botan 2.x (and removal of support for Botan 1.10),
  • SNMP support,
  • Lua engine has gained access to more parts of the recursor,
  • CPU affinity can now be specified,
  • TCP Fast Open support,
  • New performance metrics.

Changes since 4.1.0-rc3:

Bug Fixes


Released: 17th of November 2017

The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has a lot of DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.


  • Add the DNSSEC validation state to the DNSQuestion Lua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).

    References: #5888, pull request 5895

  • Add support for Botan 2.x and remove support for Botan 1.10.

    References: #5797, #2250, pull request 5498

  • Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.

    References: pull request 5876

  • Better support for deleting entries in NetmaskTree and NetmaskGroup.

    References: pull request 5616

Bug Fixes

  • Prevent possible downgrade attacks in the recursor.

    References: pull request 5889

  • Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that a NSEC will cover a more specific wildcard and we end up with what looks like a NXDOMAIN proof but is a NODATA one.

    References: #5882, pull request 5885

  • Fix incomplete validation of cached entries.

    References: pull request 5904

  • Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthetized from a wildcard if the corresponding NSEC3 had more iterations that we were willing to accept, while the correct result is Insecure.

    References: pull request 5912

  • Sort NS addresses by speed and remove old ones.

    References: #1066, pull request 5877

  • Purge nsSpeeds entries even if we get less than 2 new entries.

    References: pull request 5896

  • Add EDNS to truncated, servfail answers.

    References: #5618, pull request 5881

  • Use _exit() when we really really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.

    References: pull request 5917

  • In the recursor secpoll code, we assumed the TXT record would be the first record first record we received. Sometimes it was the RRSIG, leading to a silent error, and no secpoll check. Fixed the assumption, added an error.

    References: pull request 5930

  • Don’t crash when asked to run with zero threads.

    References: pull request 5938

  • Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.

    References: #5934, pull request 5939

  • Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.

    References: #2758, pull request 5937

  • Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)

    References: pull request 5961


Released: 30th of October 2017

The second Release Candidate contains several correctness fixes for DNSSEC, mostly in the area of verifying negative responses.


Bug Fixes


Released: 9th of October 2017

The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!


Bug Fixes


Released: 18th of July 2017

This is the first release of the PowerDNS Recursor in the 4.1 release train. This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.

New Features


Bug Fixes