PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable.
References: pull request 12702
Correct skip record condition in processRecords.
References: #12198, pull request 12229
Also consider recursive forward in the “forwarded DS should not end up in negCache” code.
References: #12189, #12199, pull request 12226
Timeout handling for IXFRs as a client.
References: #12125, pull request 12191
Detect invalid bytes in makeBytesFromHex().
References: #12066, pull request 12172
Log invalid RPZ content when obtained via IXFR.
References: #12081, pull request 12170
When an expired NSEC3 entry is seen, move it to the front of the expiry queue.
References: #12038, pull request 12167
For zones having many NS records, we are not interested in all of them, so take a sample.
References: #11904, pull request 11937
Also check qperq limit if throttling happened, as it increases counters.
References: #11848, pull request 11898
Failure to retrieve DNSKEYs of an Insecure zone should not be fatal.
References: #11890, pull request 11941
Resize answer length to actual received length in udpQueryResponse.
References: #11773, pull request 11775
PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.
References: pull request 11874, pull request 11876
Fix API issue when asking config values for allow-from or allow-notify-from.
References: pull request 11609, pull request 11633
Allow disabling of processing the root hints.
References: #11283, pull request 11360
Log an error if pdns.DROP is used as rcode in Lua callbacks.
References: #11288, pull request 11361
A CNAME answer on DS query should abort DS retrieval.
References: #11245, pull request 11358
Reject non-apex NSEC(3)s that have both the NS and SOA bits set.
References: #11225, pull request 11357
Fix build with OpenSSL 3.0.0.
References: pull request 11260
Shorter thread names.
References: #11137, pull request 11170
Two more features to print (DoT and scrypt).
References: #11109, pull request 11169
Be more careful using refresh mode only for the record asked.
References: #11371, pull request 11418
Use the Lua context stored in SyncRes when calling hooks.
References: #11300, pull request 11380
QType ADDR is supposed to be used internally only.
References: #11338, pull request 11363
If we get NODATA on an AAAA in followCNAMERecords, try native dns64.
References: #11327, pull request 11362
Initialize isNew before calling an exception-throwing function.
References: #11257, pull request 11359
This is a security fix release for PowerDNS Security Advisory 2022-01. Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
Fix validation of incremental zone transfers (IXFRs).
References: pull request 11458
Do not generate event trace records for Lua hooks if no Lua hook is defined.
References: pull request 11091
Remove capability requirements from Docker images.
References: pull request 11092
Condition to HAVE_SYSTEMD_WITH_RUNTIME_DIR_ENV is reversed. During build, the runtime directory in the service files for virtual-hosting is now correctly generated.
References: #10982, pull request 11055
Do cache negative answers, even when the response was ECS-scoped.
References: #10994, #11010, pull request 11025
Fix logic botch in TCP code introduced by notify handling in 4.6.0-beta2.
References: #11018, pull request 11022
Include sys/time.h; needed on musl.
References: #11005, pull request 11016
Add support for NOTIFY queries to wipe cache entries (Kevin P. Fleming).
References: #7014, pull request 10751
Return the proper extended error code on specific validation failures.
References: #10936, pull request 10980
We need a libcurl dev lib for the zone-to-cache function.
References: pull request 10971
Return documented reply on /api/v1 access.
References: pull request 10865
Add more UDP error metrics (checksum, IPv6).
References: #10852, pull request 10919
Move to a stream based socket for the control channel.
References: pull request 10930, pull request 10965
ZoneParserTNG: Stricter checks when loading a zone file.
References: pull request 10901
Implement fd-usage metric for OpenBSD.
References: pull request 10891
Credentials: EVP_PKEY_CTX_set1_scrypt_salt() takes an unsigned char*.
References: #10938, pull request 10943
Fix regression of carbon-ourname.
References: pull request 10926
Move to modern C++ constructs (Rosen Penev).
References: pull request 10646, pull request 10868, pull request 10870
NOD - use structured logging API.
References: pull request 10843
Sync dnsmessage.proto.
References: pull request 10847
Introduce experimental Event Trace function to get a more detailed view of the work done by the Recursor.
References: #7420, #7558, pull request 10567
Use packetcache-servfail-ttl for all packet cache entries considered an error reply.
References: #9135, pull request 10797
Add a periodic zones-to-cache function.
References: pull request 10505, pull request 10794, pull request 10799
Correct appliedPolicyTrigger value for IP matches.
References: pull request 10842
Use the correct RPZ policy name when loading via XFR.
References: pull request 10768
Don’t create file with wide permissions.
References: pull request 10760
Update the stats (serial, number of records, timestamp) for RPZ files.
References: pull request 10757
TCP/DoT outgoing connection pooling.
References: pull request 10669
Be more strict when validating DS with respect to parent/child NSEC(3)s.
References: pull request 10599
Keep a count of per RPZ (or filter) hits.
References: #10554, pull request 10605
Modify per-thread cpu usage stats to be Prometheus-friendly.
References: #10735, pull request 10554, pull request 10738
Refactor almost-expired code and add more detailed stats.
References: pull request 10598
Add dns64 metrics.
References: pull request 10546
Move macOS to kqueue event handler and assorted compile fixes.
References: #10631, pull request 10634
Cumulative and Prometheus friendly histograms.
References: #10122, #9077, pull request 10122, pull request 10663
Rewrite of outgoing TCP code and implement DoT to auth or forwarders.
References: pull request 10428, pull request 10533, pull request 10659
Switch OpenBSD to kqueue event handler.
References: pull request 10467
Take into account g_quiet when determining loglevel and change a few loglevels.
References: #10395, pull request 10396
Move to tcpiohandler for outgoing TCP, sharing much more code with dnsdist.
References: pull request 10349, pull request 10623
Deprecate offensive setting names.
References: pull request 10288
Implement structured logging API.
References: pull request 10160
Disable PMTU for IPv6.
References: pull request 10264
Move to hashed passwords for the web interface.
References: pull request 10157
Rec: Add bindings to set arbitrary key-value metadata in logged messages.
References: pull request 10491
Only the DNAME records are authoritative in DNAME answers.
References: #10713, pull request 10718
Pass the Lua context to follow up queries (follow CNAME, dns64).
References: #10632, pull request 10633
Detect a loop when the denial of the DS comes from the child zone.
References: #10621, pull request 10622
Process policy and potential Drop action after Lua hooks.
References: pull request 10602
Do not use DNSKEYs found below an apex for validation.
References: pull request 10565