Note: 4.1.x and earlier releases are End of Life and no longer supported. See EOL Statements.
Backport of CVE-2020-25829: Cache pollution.
References: pull request 9601
Backport of CVE-2020-14196: Enforce webserver ACL.
References: pull request 9283
Fix compilation on systems that do not define HOST_NAME_MAX.
References: #8640, #9127, pull request 9129
Only log qname parsing errors when ‘log-common-errors’ is set.
References: pull request 8868
Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.
References: pull request 9117
Update python dependencies for docs generation.
References: pull request 8809
Update boost.m4.
References: pull request 8753
Backport 8525 to rec 4.1.x: Purge map of failed auths periodically by keeping a last changed timestamp.
References: pull request 8554
Backport 8470 to rec 4.1.x: prime NS records of root-servers.net parent (.net).
References: pull request 8544
Backport 8340 to rec 4.1.x: issue with “zz” abbreviation for IPv6 RPZ triggers.
References: pull request 8543
Backport 7068 to 4.1.x: Do the edns data dump for all threads.
References: pull request 8542
Backport #7951 to 4.1.x: update boost.m4.
References: pull request 8123
Add statistics counters for AD and CD queries.
References: pull request 7906
Add missing getregisteredname Lua function.
References: pull request 7912
Add the disable-real-memory-usage setting to skip expensive collection of detailed memory usage info.
References: #7661, pull request 7673
Fix DNSSEC validation of wildcards expanded onto themselves.
References: #7714, pull request 7816
Provide CPU usage statistics per thread (worker & distributor).
References: pull request 7647
Use a bounded load-balancing algo to distribute queries.
References: #7507, pull request 7634
Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.
References: #7572, #7631, pull request 7651
Correctly interpret an empty AXFR response to an IXFR query.
References: #7494, pull request 7495
Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message.
Add an option to export only responses over protobuf to the Lua protobufServer() directive.
References: pull request 7434
Reduce system call usage in protobuf logging. (See #7428.)
References: #7428, pull request 7430
This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you’re installing it as a package from our repositories.
PowerDNS Recursor release 4.1.9 introduced a call to the Lua ipfilter() hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.
References: pull request 7403
Try another worker before failing if the first pipe was full.
References: #7383, pull request 7377
Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory 2018-01). Validates records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory 2019-02).
References: pull request 7397
This release fixes Security Advisory 2018-09 that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.
The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
Crafted query can cause a denial of service (CVE-2018-16855, PowerDNS Security Advisory 2018-09).
References: pull request 7221
This release updates the mitigation for Security Advisory 2018-07, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.
Revert ‘Keep the EDNS status of a server on FormErr with EDNS’.
References: pull request 7172
Refuse queries for all meta-types.
References: pull request 7174
This release reverts #6980, as it could lead to DNSSEC validation issues.
Revert “rec: Authority records in AA=1 CNAME answer are authoritative”.
References: #7158, pull request 7159
This release fixes the following security advisories:
Add pdnslog to lua configuration scripts (Chris Hofstaedtler).
References: #6848, pull request 6919
Fix compilation with libressl 2.7.0+.
References: #6943, pull request 6948
Export outgoing ECS value and server ID in protobuf (if any).
References: #6989, #6991, pull request 7004
Switch to devtoolset 7 for el6.
References: #7040, pull request 7122
Allow the signature inception to be off by a number of seconds. (Kees Monshouwer)
References: #7081, pull request 7125
Delay the creation of rpz threads until we have dropped privileges.
References: #6792, pull request 6984
Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory 2018-04).
References: pull request 7151
Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory 2018-06).
References: pull request 7151
Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory 2018-07).
References: pull request 7151
Cleanup the netmask trees used for the ecs index on removals.
References: #6960, pull request 6961
Make sure that the ECS scope from the auth is < to the source.
References: #6605, pull request 6963
Authority records in aa=1 cname answer are authoritative.
References: #6979, pull request 6980
Avoid a memory leak in catch-all exception handler.
References: pull request 7073
Don’t require authoritative answers for forward-recurse zones.
References: #6340, pull request 6741
Release memory in case of error in the openssl ecdsa constructor.
References: pull request 6917
Convert a few uses to toLogString to print DNSNames that may be empty in a safer manner.
References: #6924, pull request 6925
Avoid a crash on DEC Alpha systems.
References: pull request 6945
Clear all caches on (N)TA changes.
References: #6949, pull request 6951
Split pdns_enable_unit_tests. (Chris Hofstaedtler)
References: pull request 6436
Add a new max-udp-queries-per-round setting.
References: pull request 6518
Fix warnings reported by gcc 8.1.0.
References: pull request 6590
Tests: replace awk command by perl.
References: pull request 6809
Allow the snmp thread to retrieve statistics.
References: pull request 6720
Don’t account chained queries more than once.
References: #6462, pull request 6465
Make rec_control respect include-dir.
References: #6536, pull request 6557
Load lua scripts only in worker threads.
References: #6567, pull request 6812
Purge all auth/forward zone data including subtree. (@phonedph1)
References: pull request 6873
This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.
Move carbon/webserver/control/stats handling to a separate thread.
References: pull request 6567
Use a separate, non-blocking pipe to distribute queries.
References: pull request 6566
Add a subtree option to the API cache flush endpoint.
References: #6550, pull request 6562
Update copyright years to 2018 (Matt Nordhoff).
References: #6130, #6610, pull request 6611
Fix a warning on botan >= 2.5.0.
References: #6474, pull request 6478, pull request 6596
Add _raw versions for QName / ComboAddresses to the FFI API.
References: pull request 6583
Respect the AXFR timeout while connecting to the RPZ server.
References: pull request 6469
Don’t increase the DNSSEC validations counters when running with process-no-validate.
References: pull request 6467
Count a lookup into an internal auth zone as a cache miss.
References: pull request 6313
Delay the loading of RPZ zones until the parsing is done, fixing a race condition.
References: #6237, pull request 6588
Reorder includes to avoid boost L conflict.
References: #6358, #6516, #6517, #6542, pull request 6595
Use canonical ordering in the ECS index.
References: #6505, pull request 6586
Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT.
References: pull request 6514, pull request 6630
Increase MTasker stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).
References: #6179, pull request 6418
Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).
References: #6086, pull request 6419
Disable only our own tcp listening socket when reuseport is enabled.
References: #6849, pull request 6850
This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.
References: pull request 6344
Add the option to set the AXFR timeout for RPZs.
References: pull request 6268, pull request 6290, pull request 6298, pull request 6303
IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).
References: pull request 6172
Add RPZ statistics endpoint to the API.
References: #6225, pull request 6379
Retry loading RPZ zones from server when they fail initially.
References: #6238, pull request 6237, pull request 6293, pull request 6336
Fix ECS-based cache entry refresh code.
References: pull request 6300
Fix ECS-specific NS AAAA not being returned from the cache.
References: #6319, pull request 6320
This is the second release in the 4.1 train.
This release fixes PowerDNS Security Advisory 2018-01.
The full release notes can be read on the blog.
This is a release on the stable branch, containing a fix for the abovementioned security issue and several bug fixes from the development branch.
Don’t process records for another class than IN. We don’t use records of another class than IN, but we used to store some of them in the cache, which is useless. Just skip them.
References: #6198, pull request 6085
Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where an NSEC{3} ancestor delegation is wrongly used to prove the non-existence of a RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)
References: pull request 6215
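The rule behind the fix above, as an added example (not PowerDNS code): an NSEC with NS set and SOA clear is an ancestor delegation NSEC (RFC 6840 section 4.1), so at its own owner name it can deny only DS, and it proves nothing about names below the zone cut even when its owner/next range covers them in canonical order. NSEC type bitmaps are modelled as sets of type mnemonics, and the names and records are constructed for the example; the covering check also handles the wrap-around of the last NSEC in a zone.

```python
# Added example (not PowerDNS code): the RFC 6840 section 4.1 rule for
# ancestor delegation NSEC records, as fixed in Security Advisory 2018-01.
# NSEC type bitmaps are modelled as sets of type mnemonics; all names and
# records used here are constructed for the example.

def labels(name: str) -> list:
    """Split a DNS name into lowercase labels; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canonical_key(name: str) -> list:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are
    compared from the root outwards and a missing label sorts first."""
    return [label.encode() for label in reversed(labels(name))]

def is_subdomain(name: str, ancestor: str) -> bool:
    """True when name equals ancestor or lies below it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def is_ancestor_delegation_nsec(types: set) -> bool:
    """An NSEC with NS but no SOA sits on the parent side of a zone cut."""
    return "NS" in types and "SOA" not in types

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when qname sorts strictly between owner and next, honouring the
    wrap-around of the last NSEC in a zone (whose next name is the apex)."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC: covers everything after owner

def nsec_proves_nxdomain(owner: str, next_name: str, types: set, qname: str) -> bool:
    """Can this NSEC prove that qname does not exist?"""
    if not nsec_covers(owner, next_name, qname):
        return False
    # The 2018-01 fix: a delegation NSEC whose owner is an ancestor of qname
    # says nothing about names in the child zone, even though it covers them.
    if is_ancestor_delegation_nsec(types) and is_subdomain(qname, owner):
        return False
    return True

def nsec_proves_nodata(owner: str, types: set, qname: str, qtype: str) -> bool:
    """Can this NSEC prove that qname exists but has no RRset of qtype?"""
    if labels(owner) != labels(qname):
        return False  # NODATA needs the NSEC at the exact owner name
    if qtype in types:
        return False  # the type is present
    # At a zone cut the parent-side NSEC lists only its own types; anything
    # other than DS may still exist in the child zone, so only DS is denied.
    if is_ancestor_delegation_nsec(types) and qtype != "DS":
        return False
    return True

if __name__ == "__main__":
    # Constructed parent-side NSEC for an unsigned delegation of sub.example.
    owner, nxt, types = "sub.example.", "sub2.example.", {"NS", "RRSIG", "NSEC"}
    print("covers www.sub.example.:", nsec_covers(owner, nxt, "www.sub.example."))
    print("proves NXDOMAIN for it:", nsec_proves_nxdomain(owner, nxt, types, "www.sub.example."))
    print("denies DS at the cut:", nsec_proves_nodata(owner, types, owner, "DS"))
    print("denies A at the cut:", nsec_proves_nodata(owner, types, owner, "A"))
```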
Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always the parent of the qname, depending on the number of labels in the initial wildcard.
References: #6199, pull request 6092
Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.
References: #6200, pull request 6095
Fix to make primeHints threadsafe, otherwise there’s a small chance on startup that the root-server IPs will be incorrect.
References: #6212, pull request 6209
Don’t validate signature for “glue” CNAME, since anything else than the initial CNAME can’t be considered authoritative.
References: #6201, pull request 6137
This is the first release in the 4.1 train.
The full release notes can be read on the blog.
This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine-grained scopes (as used by some ‘country sized’ service providers).
Changes since 4.1.0-rc3:
Dump the validation status of negcache entries, fix DNSSEC type.
References: pull request 5972
Fix DNSSEC validation of DS denial from the negative cache.
References: pull request 5978
Store additional records as non-auth, even on AA=1 answers.
References: pull request 5997
Don’t leak when the loading a public ECDSA key fails.
References: pull request 6008
When validating DNSKeys, the zone should be part of the signer.
References: pull request 6009
Cache Secure validation state when inserting negcache entries.
References: pull request 5980
The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has a lot of DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.
Add the DNSSEC validation state to the DNSQuestion Lua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).
References: #5888, pull request 5895
Add support for Botan 2.x and remove support for Botan 1.10.
References: #2250, #5797, pull request 5498
Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.
References: pull request 5876
Better support for deleting entries in NetmaskTree and NetmaskGroup.
References: pull request 5616
Prevent possible downgrade attacks in the recursor.
References: pull request 5889
Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that an NSEC will cover a more specific wildcard and we end up with what looks like an NXDOMAIN proof but is a NODATA one.
References: #5882, pull request 5885
Fix incomplete validation of cached entries.
References: pull request 5904
Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthesized from a wildcard if the corresponding NSEC3 had more iterations than we were willing to accept, while the correct result is Insecure.
References: pull request 5912
Sort NS addresses by speed and remove old ones.
References: #1066, pull request 5877
Purge nsSpeeds entries even if we get less than 2 new entries.
References: pull request 5896
Add EDNS to truncated, servfail answers.
References: #5618, pull request 5881
Use _exit() when we really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.
References: pull request 5917
In the recursor secpoll code, we assumed the TXT record would be the first record we received. Sometimes it was the RRSIG, leading to a silent error, and no secpoll check. Fixed the assumption, added an error.
References: pull request 5930
Don’t crash when asked to run with zero threads.
References: pull request 5938
Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.
References: #5934, pull request 5939
Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.
References: #2758, pull request 5937
Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)
References: pull request 5961
The second Release Candidate contains several correctness fixes for DNSSEC, mostly in the area of verifying negative responses.
Don’t directly store NSEC3 records in the positive cache.
References: pull request 5834
Improve logging for the built-in webserver and the Carbon sender.
References: pull request 5805
New b.root ipv4 address (Kees Monshouwer).
References: #5663, pull request 5824
Add experimental Metrics and Statistics x-our-latency that track the time spent inside PowerDNS per query. These metrics ignore time spent waiting for the network.
References: pull request 5774
Add log-timestamp setting. This option can be used to disable printing timestamps to stdout; this is useful when using systemd-journald or another supervisor that timestamps output by itself.
References: pull request 5842
Check that the NSEC covers an empty non-terminal when looking for NODATA.
References: pull request 5808
Disable validation for infrastructure queries (e.g. when recursing for a name). Also validate entries from the Negative cache if they were not validated before.
References: #5827, pull request 5835
Fix DNSSEC validation for denial of wildcards in negative answers and denial of existence proofs in wildcard-expanded positive responses.
References: #5861, pull request 5868
Fix DNSSEC validation when using -flto.
References: pull request 5873
Lowercase all outgoing qnames when lowercase-outgoing is set.
References: pull request 5740
Create socket-dir from the init-script.
References: #5439, pull request 5762
Fix crashes with uncaught exceptions in MThreads.
References: pull request 5803
The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.
While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!
Improve --quiet=false output to include DNSSEC and more timing details.
References: pull request 5756
Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
References: pull request 5733
Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Chris Hofstaedtler for reviewing!).
References: pull request 5543
Add more unit tests for the NetmaskTree and ECS cache index.
References: pull request 5545
Switch the default webserver’s ACL to 127.0.0.1, ::1.
References: pull request 5588
Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)
References: #5524, pull request 5598
Add log-rpz-changes to log RPZ additions and removals.
References: pull request 5622
Log the policy type (QName, Client IP, NS IP…) over protobuf.
References: pull request 5621
Remove unused SortList compare operator for ComboAddress.
References: pull request 5637
Add support for dumping the in-memory RPZ zones to a file.
References: pull request 5620
Support for identifying devices by id such as mac address.
References: pull request 5646
Implement dynamic cache sizing.
References: pull request 5699
Improve dnsbulktest experience in Travis for more robustness.
References: pull request 5755
Set TC=1 if we had to omit part of the AUTHORITY section.
References: pull request 5772
autoconf: set --with-libsodium to auto.
References: pull request 5764
Don’t fetch the DNSKEY of a zone to validate the DS of the same zone.
References: pull request 5569
Improve DNSSEC debug logging.
References: pull request 5614
Add NSEC records on nx-trust cache hits.
References: #5649, pull request 5672
Handle NSEC wrap-around.
References: #5650, pull request 5671
Fix erroneous check for section 4.1 of rfc6840.
References: #5648, #5651, pull request 5670
Handle direct NSEC queries.
References: #5705, pull request 5715
Detect zone cuts by asking for DS instead of NS.
References: #5681, pull request 5716
Do not allow direct queries for RRSIG or NSEC3.
References: #5735, pull request 5738
The target zone being insecure doesn’t mean that the denial of the DS is too, if the parent zone is Secure.
References: pull request 5771
Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
References: pull request 5530
Prevent an infinite loop if we need auth and the best match is not.
References: pull request 5549
Be more careful about the validation of negative answers.
References: pull request 5570
Fix libatomic detection on ppc64. (Sander Hoentjen)
References: #5456, pull request 5599
Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for reporting this issue!)
References: #5357, pull request 5615
Fix cache handling of ECS queries with a source length of 0.
References: pull request 5515
Handle SNMP alarms so we can reconnect to the master.
References: #5327, pull request 5328
Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
References: pull request 5662
Remove pdns.PASS and pdns.TRUNCATE.
References: pull request 5739
Fix a crash when getting a public GOST key if the private one is not set.
References: pull request 5734
Don’t negcache entries for longer than their RRSIG validity.
References: pull request 5773
Gracefully handle Socket::accept() returning a null pointer on EAGAIN.
References: pull request 5792
This is the first release of the PowerDNS Recursor in the 4.1 release train. This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.
Add support for RPZ wildcarded target names.
References: #5237, pull request 5265
Add server-side TCP Fast Open support. This adds a new option tcp-fast-open.
References: #5128, pull request 5138
Pass tcp to gettag() to allow a script to take different actions whether a query came in over TCP or UDP.
References: pull request 4569
Allow setting the requestor ID field in the DNSQuestion from all hooks.
References: pull request 4569
Implement CNAME wildcards in recursor authoritative component.
References: #2818, pull request 5063
Allow returning the DNSQuestion.data table from gettag().
References: #4981, pull request 4982
References: pull request 4990, pull request 5404
Allow access to EDNS options from the gettag() hook.
References: #5195, pull request 5198
Pass tcp to gettag(), allow setting the requestor ID from hooks.
References: pull request 4569
Allow retrieving stats from Lua via the getStat() call.
References: pull request 5293
Add ECS metrics.
References: pull request 5409
Add a cpu-map directive to set CPU affinity per thread.
References: pull request 5482
Implement “on-the-fly” DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible cornercases, adding unit tests and making the code more maintainable.
References: #4254, #4362, #4490, #4994, pull request 5223, pull request 5463, pull request 5486, pull request 5528
Use ECS when updating the validation state if needed.
References: pull request 5484
Use the RPZ zone’s TTL and add a new maxTTL setting.
References: pull request 5057
RPZ updates are done zone by zone, zones are now shared pointers.
References: #5231, #5236, pull request 5275, pull request 5307
Split SyncRes::doResolveAt, add const and static whenever possible. Possibly improving performance while making the code easier to maintain.
References: pull request 5106
Packet cache speedup and cleanup.
References: pull request 5102
Make Lua mandatory for recursor builds.
References: pull request 5146
Use one listening socket per thread when reuseport is enabled.
References: pull request 5103, pull request 5487
Stop (de)serializing DNSQuestion.data.
References: pull request 5141
Refactor the negative cache into a class.
References: pull request 5226
Only check the netmask for subnet specific cache entries.
References: pull request 5319
Refactor and split SyncRes::doResolveAt(), making it easier to understand. Get rid of SyncRes::d_nocache, makes sure we can’t get into a root refresh loop. Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components.
References: pull request 5236
Add an ECS index to the cache.
References: pull request 5461, pull request 5472
When dumping the cache, also dump RRSIGs.
References: pull request 5511
Don’t always override loglevel to 6.
References: pull request 5485
Make more specific Netmasks < to less specific ones.
References: pull request 5406, pull request 5530
Fix validation at the exact RRSIG inception or expiration time.
References: pull request 5525
Fix remote/local inversion in preoutquery().
References: #4969, pull request 4984
Show a useful error when an invalid lua-config-file is configured.
References: #4939, #5075, pull request 5078
Fix DNSQuestion members alterations from Lua not being taken into account.
References: pull request 4860
Ensure locks cannot be copied.
References: pull request 5209
Only apply root-nx-trust if the received SOA is “.”.
References: #5246, pull request 5252
Don’t throw an exception when logging to protobuf without a question set.
References: pull request 5312
Correctly truncate EDNS Client Subnetmasks.
References: pull request 5320
Clean up auth/recursor code mismatches in the API (Chris Hofstaedtler).
References: #5398, pull request 5466
Only increase no-packet-error on the first read.
References: #5474, pull request 5474