Changelogs for 4.8.X

4.8.8

Released: 24th of April 2024

Bug Fixes

• Security advisory 2024-02: CVE-2024-25583

4.8.7

Released: 7th of March 2024

Improvements

• Update new b-root-server.net addresses in built-in hints.

  References: #13387, pull request 13796

Bug Fixes

• If serving stale, wipe CNAME records from cache when we get a NODATA negative response for them.

  References: #13353, pull request 13797

• Fix the zoneToCache regression introduced by SA 2024-01.

  References: pull request 13799

• Fix gathering of denial of existence proof for wildcard-expanded names.

  References: #13847, pull request 13854

4.8.6

Released: 13th of February 2024

Bug Fixes

• Security advisory 2024-01: CVE-2023-50387 and CVE-2023-50868

  References: pull request 13784

4.8.5

Released: 25th of August 2023

Bug Fixes

• (I)XFR: handle partial read of len prefix.

  References: #13105, pull request 13158

• YaHTTP: Prevent integer overflow on very large chunks.

  References: #12892, pull request 13078

• Stop using the now deprecated ERR_load_CRYPTO_strings() to detect OpenSSL.

  References: #12935, pull request 13077

• Work around Red Hat 8 misfeature in OpenSSL’s headers.

  References: #12961, pull request 13076

• Fix setting of policy tags for packet cache hits.

  References: #13021, pull request 13056

4.8.4

Released: 29th of March 2023

Bug Fixes

• PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable.

  References: pull request 12700

4.8.3

Released: 7th of March 2023

Improvements

• Change a few logging urgency levels

  References: #12495, pull request 12608

• Use correct name for isEntryUsable(). Existing code used the right logic but wrong name.

  References: #12347, pull request 12607

Bug Fixes

• Fix serve-stale logic to not cause intermittent high CPU load by:

  • correcting the removal of a negative cache entry,
  • correcting the serve-stale main loop with respect to exception handling and
  • correctly handle negcache entries with serve-state status.

  References: #12595, #12610, #12611, pull request 12613

• Update validation state after a missing negative indication.

  References: #12598, pull request 12609

4.8.2

Released: 31th of January 2023

Improvements

• Make cache cleaning of record an negative cache more fair when under pressure.

  References: #12374, pull request 12418

• Do not report “not decreasing socket buf size” as an error.

  References: #12333, pull request 12345

Bug Fixes

• Do not use “message” as key, it has a special meaning to systemd-journal.

  References: #12467, pull request 12475

• When using serve-stale, wrong data can be returned from negative cache and record cache (zjs604381586).

  References: #12395, pull request 12457

• Add the ‘parse packet from auth’ error message to structured logging.

  References: #12368, pull request 12456

• Refresh of negcache stale entry might use wrong qtype (zjs604381586).

  References: #12352, pull request 12455

• Do not chain ECS enabled queries, it can cause the wrong scope to be used for outgoing queries.

  References: #12407, pull request 12408

• Fix compilation on FreeBSD. Reported by HellSpawn.

  References: #12317, pull request 12346

• Properly encode json string containing binary data.

  References: #12260, pull request 12344

4.8.1

Released: 20th of January 2023

Bug Fixes

• Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.

  References: pull request 12442

4.8.0

Released: 12th of December 2022

Bug Fixes

• Refactor unsupported qtype code and make sure we ServFail on all unsupported qtypes.

  References: #12289, pull request 12293

• Infra queries should not use refresh mode.

  References: #11376, #11776, #12078, #12219, pull request 12221

4.8.0-rc1

Released: 18th of November 2022

Bug Fixes

• Also consider recursive forward in the “forwarded DS should not end up in negCache” code.

  References: #12189, #12199, pull request 12201

• Correct skip record condition in processRecords.

  References: #12198, pull request 12200

• Get DS records with QName Minimization switched on.

  References: #12175, pull request 12197

• Fix typo in structured logging key.

  References: #12194, pull request 12196

4.8.0-beta2

Released: 7th of November 2022

Improvements

• Only replace protobuf logger config objects if the reload changed them.

  References: #12063, pull request 12146

• Be more lenient replacing auth by non-auth records in cache.

  References: #12140, pull request 12150

Bug Fixes

• Fix SNMP OID numbers for rcode stats.

  References: #12155, pull request 12163

• Implement output operator for QTypes, avoids numeric qtypes in trace logs.

  References: #12122, pull request 12162

• Handle IXFR connect and transfer timeouts.

  References: #12125, pull request 12161

• Log invalid RPZ content when obtained via IXFR.

  References: #12081, pull request 12145

• Detect invalid bytes in makeBytesFromHex().

  References: #12066, pull request 12147

4.8.0-beta1

Released: 5th of October 2022

Improvements

• Add support for NOD/UDR notifications using dnstap.

  References: pull request 12047

• Protobuf and dnstap metrics, including rec_control subcommand to show them.

  References: #11841, pull request 11903, pull request 12049

• Provide metrics for rcode received from authoritative servers.

  References: #7164, pull request 11949

• Proxymapping metrics, including rec_control subcommand to show them.

  References: #11648, pull request 11866

• Add querytime attribute to Lua DNSQuestion object, to see the time a query was received.

  References: pull request 11909

• Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).

  References: #11766, pull request 11768

• Improve error message when invalid values for local-address are provided in recursor config file.

  References: pull request 11989

• Enable SNMP support for debian and ubuntu builds.

  References: #11999, pull request 12011

• Warn if snmp-agent is set but SNMP support is not available.

  References: #11998, pull request 12009

• A few tweaks to structured logging calls.

  References: pull request 11959

Bug Fixes

• Fix –config (should be equal to –config=default), followup to #11907.

  References: pull request 12048

• Fix compilation of the event ports multiplexer.

  References: #12044, pull request 12046

• When an expired NSEC3 entry is seen move it to the front of the expiry queue.

  References: pull request 12038

• If new data is auth and existing data is not, replace even if cache locking is active.

  References: #11958, pull request 12027

Removals

• Remove XPF support.

  References: pull request 11856

4.8.0-alpha1

Released: 23rd of September 2022

Improvements

• Lock record cache entries if enabled by record-cache-locked-ttl-perc.

  References: pull request 11958

• Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).

  References: pull request 11957

• Axfr-retriever: abort on chunk with TC set.

  References: #11804, pull request 11953

• Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).

  References: pull request 11955

• Recursor: Add --config[=check|=diff|=default].

  References: pull request 11907

• Implement optional Serve stale functionality, enabled by serve-stale-extensions..

  References: pull request 11776

• Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).

  References: pull request 11906

• Log socket directory path if there is a problem.

  References: pull request 11800

• Handle Lua script loading errors.

  References: pull request 11823

• Stop sending Server: header (Chris Hofstaedtler).

  References: #4979, pull request 11813

• Keep time and count metrics when maintenance is called.

  References: #6981, pull request 11869

• Consider dns64 processing in more cases than Rcode == NoError.

  References: pull request 11849

• Set rec_control_LDFLAGS, needed for macOS or any platforms where libcrypto is not in default lib path.

  References: #11855, pull request 11857

• Replace/remove jQuery (Chris Hofstaedtler)

  References: pull request 11812

• Remove unused jsrender.js (Chris Hofstaedtler).

  References: pull request 11811

• Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.

  References: #11736, pull request 11780

• Set TCP_NODELAY on in and outgoing TCP.

  References: #11734, pull request 11754

• Remove > 5 check on TTL of glue from the cache.

  References: pull request 11744

• Structured logging for various subsystems.

  References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854

• Make edns table a sparse table.

  References: pull request 11704, pull request 11779

• Shared ednsmap.

  References: pull request 11601

• Load IPv6 entries from etc-hosts file.

  References: #2248, pull request 11682

• Use systemd-journal for structured logging if it is available and set by structured-logging-backend.

  References: #11705, #11706, pull request 11660, pull request 11709

• Fix typos in stats log messages (Matt Nordhoff).

  References: #11654, #11671, pull request 11671, pull request 11680

• Shared throttle map.

  References: pull request 11598

• Adaptive root refresh interval, normally at 80% of max-cache-ttl.

  References: pull request 11381

Bug Fixes

• Libssl: Properly load ciphers and digests with OpenSSL 3.0.

  References: #11853, pull request 11862

• rec_control: test for --version before requiring an argument.

  References: #11864, pull request 11867

• Make rec zone files with trailing dot (phonedph1).

  References: pull request 11672

• Handle file related errors initially loading Lua script.

  References: #10079, #11818, pull request 11820