Changelogs for 4.1.x

Note: 4.1.x and earlier releases are End of Life and no longer supported. See EOL Statements.


Released: 13th of October 2020

Bug Fixes


Released: 1st of July 2020

Bug Fixes


Released: 19th of May 2020


  • Only log qname parsing errors when ‘log-common-errors’ is set.

    References: pull request 8868

Bug Fixes

  • Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.

    References: pull request 9117



Released: 6th of December 2019

Bug Fixes

  • Backport 8525 to rec 4.1.x: Purge map of failed auths periodically by keeping a last changed timestamp

    References: pull request 8554

  • Backport 8470 to rec 4.1.x: prime NS records of parent (.net)

    References: pull request 8544

  • Backport 8340 to rec 4.1.x: issue with “zz” abbreviation for IPv6 RPZ triggers

    References: pull request 8543

  • Backport 7068 to 4.1.x: Do the edns data dump for all threads

    References: pull request 8542



Released: 13th of June 2019


Bug Fixes


Released: 21st of May 2019


  • Add the disable-real-memory-usage setting to skip expensive collection of detailed memory usage info.

    References: #7661, pull request 7673

Bug Fixes


Released: 2nd of April 2019


  • Provide CPU usage statistics per thread (worker & distributor).

    References: pull request 7647

  • Use a bounded load-balancing algo to distribute queries.

    References: #7507, pull request 7634

  • Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.

    References: #7572, #7631, pull request 7651

Bug Fixes


Released: 1st of February 2019

Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message.



Released: 24th of January 2019

This release fixes a bug when building PowerDNS Recursor with protobuf support disabled. It is therefore only relevant to people building PowerDNS Recursor from source, not to those installing it as a package from our repositories.

Bug Fixes

  • PowerDNS Recursor release 4.1.9 introduced a call to the Lua ipfilter() hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.

    References: pull request 7403


Released: 21st of January 2019

This release fixes Security Advisory 2019-01 and Security Advisory 2019-02 that were recently discovered, affecting PowerDNS Recursor:
  • CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8;
  • CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.
The issues are:
  • CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua;
  • CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.


Bug Fixes

  • Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory 2019-01). Validate records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory 2019-02).

    References: pull request 7397


Released: 26th of November 2018

This release fixes Security Advisory 2018-09 that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.

The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.

When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

Bug Fixes


Released: 9th of November 2018

This release updates the mitigation for Security Advisory 2018-07, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.



Released: 7th of November 2018

This release reverts #6980, which could lead to DNSSEC validation issues.

Bug Fixes


Released: 6th of November 2018

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
  • PowerDNS Security Advisory 2018-07 (CVE-2018-14644)


Bug Fixes


Released: 31st of August 2018


Bug Fixes


Released: 22nd of May 2018

This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.


Bug Fixes


Released: 29th of March 2018

This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.

New Features


Bug Fixes


Released: 22nd of January 2018

This is the second release in the 4.1 train.

This release fixes PowerDNS Security Advisory 2018-01.

The full release notes can be read on the blog.

This is a release on the stable branch, containing a fix for the above-mentioned security issue and several bug fixes from the development branch.


  • Don’t process records for a class other than IN. We don’t use records of any class other than IN, but we used to store some of them in the cache, which is useless. Just skip them.

    References: #6198, pull request 6085

Bug Fixes

  • Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where an NSEC{3} ancestor delegation is wrongly used to prove the non-existence of an RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)

    References: pull request 6215

  • Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always parent of the qname, depending on the number of labels in the initial wildcard.

    References: #6199, pull request 6092

  • Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.

    References: #6200, pull request 6095

  • Fix to make primeHints threadsafe, otherwise there’s a small chance on startup that the root-server IPs will be incorrect.

    References: #6212, pull request 6209

  • Don’t validate signature for “glue” CNAME, since anything other than the initial CNAME can’t be considered authoritative.

    References: #6201, pull request 6137


Released: 4th of December 2017

This is the first release in the 4.1 train.

The full release notes can be read on the blog.

This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine-grained scopes (as used by some ‘country sized’ service providers).

  • Improved DNSSEC support,
  • Improved documentation,
  • Improved RPZ support,
  • Improved EDNS Client Subnet support,
  • Support for Botan 2.x (and removal of support for Botan 1.10),
  • SNMP support,
  • Lua engine has gained access to more parts of the recursor,
  • CPU affinity can now be specified,
  • TCP Fast Open support,
  • New performance metrics.

Changes since 4.1.0-rc3:

Bug Fixes


Released: 17th of November 2017

The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has a lot of DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.


  • Add the DNSSEC validation state to the DNSQuestion Lua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).

    References: #5888, pull request 5895

  • Add support for Botan 2.x and remove support for Botan 1.10.

    References: #2250, #5797, pull request 5498

  • Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.

    References: pull request 5876

  • Better support for deleting entries in NetmaskTree and NetmaskGroup.

    References: pull request 5616

Bug Fixes

  • Prevent possible downgrade attacks in the recursor.

    References: pull request 5889

  • Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that an NSEC will cover a more specific wildcard and we end up with what looks like an NXDOMAIN proof but is a NODATA one.

    References: #5882, pull request 5885

  • Fix incomplete validation of cached entries.

    References: pull request 5904

  • Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthesized from a wildcard if the corresponding NSEC3 had more iterations than we were willing to accept, while the correct result is Insecure.

    References: pull request 5912

  • Sort NS addresses by speed and remove old ones.

    References: #1066, pull request 5877

  • Purge nsSpeeds entries even if we get less than 2 new entries.

    References: pull request 5896

  • Add EDNS to truncated, servfail answers.

    References: #5618, pull request 5881

  • Use _exit() when we really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.

    References: pull request 5917

  • In the recursor secpoll code, we assumed the TXT record would be the first record we received. Sometimes it was the RRSIG, leading to a silent error, and no secpoll check. Fixed the assumption, added an error.

    References: pull request 5930

  • Don’t crash when asked to run with zero threads.

    References: pull request 5938

  • Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.

    References: #5934, pull request 5939

  • Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.

    References: #2758, pull request 5937

  • Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)

    References: pull request 5961


Released: 30th of October 2017

The second Release Candidate contains several correctness fixes for DNSSEC, mostly in the area of verifying negative responses.


Bug Fixes


Released: 9th of October 2017

The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!


Bug Fixes


Released: 18th of July 2017

This is the first release of the PowerDNS Recursor in the 4.1 release train. This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.

New Features


Bug Fixes