Commit graph

41 commits

Author SHA1 Message Date
fhajny
254db1e7b9 Update net/powerdns-recursor to 4.1.1.
Improvements
- Don't process records for another class than IN

Bug Fixes
- Correctly handle ancestor delegation NSEC{,3} for children.
  (CVE-2018-1000003)
- Fix the computation of the closest encloser for positive answers.
- Pass the correct buffer size to arecvfrom().
- Fix to make primeHints threadsafe, otherwise there's a small chance
  on startup that the root-server IPs will be incorrect.
- Don't validate signature for "glue" CNAME, since anything else than
  the initial CNAME can't be considered authoritative.
2018-01-22 19:21:46 +00:00
fhajny
25819805b9 Update net/powerdns-recursor to 4.1.0.
Lua support no longer optional.

PowerDNS Recursor 4.1.0
===========================================================

- Improved DNSSEC support
- Improved documentation
- Improved RPZ support
- Improved EDNS Client Subnet support
- Support for Botan 2.x (and removal of support for Botan 1.10)
- SNMP support
- Lua engine has gained access to more parts of the recursor
- CPU affinity can now be specified
- TCP Fast Open support
- New performance metrics

Full changelog:

  https://doc.powerdns.com/recursor/changelog/4.1.html


PowerDNS Recursor 4.0.7
===========================================================

- Insufficient validation of DNSSEC signatures (CVE-2017-15090)
- Cross-Site Scripting in the web interface (CVE-2017-15092)
- Configuration file injection in the API (CVE-2017-15093)
- Memory leak in DNSSEC parsing (CVE-2017-15094)

Bug fixes
- Update rec_control manpage
- Check in the detected OpenSSL/libcrypto for ECDSA
- Make more specific Netmasks < to less specific ones
- Fix validation at the exact RRSIG inception or expiration time
- Lowercase all outgoing qnames when lowercase-outgoing is set
- Fix libatomic detection on ppc64
- Edit configname definition to include the 'config-name' argument

Improvements
- Extract nested exception from Luawrapper
- Use explicit yes for default-enabled settings
- Throw an error when lua-conf-file can't be loaded
- get-remote-ring's "other" report should only have two items.
- PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet
  mask
- Only increase no-packet-error on the first read
- Add support for Botan 2.x
- Add more information to recursor cache dumps
- Fix typo in two log messages
- Add help text on autodetecting systemd support
- Be more resilient with broken auths
- Remove pdns.PASS and pdns.TRUNCATE
- Improve dnsbulktest experience in travis for more robustness
- Create socket-dir from init-script
- b.root renumbering, effective 2017-10-24
- Don't retry security polling too often when it fails
2018-01-02 12:23:55 +00:00
wiz
42426a5a45 Follow some redirects. 2017-09-03 08:53:04 +00:00
fhajny
964eeaac58 Update net/powerdns-recursor to 4.0.6
Bug fixes
- Use the incoming ECS for cache lookup if use-incoming-edns-subnet is
  set
- when making a netmask from a comboaddress, we neglected to zero the
  port. This could lead to a proliferation of netmasks.
- Don't take the initial ECS source for a scope one if EDNS is off
- also set d_requestor without Lua: the ECS logic needs it
- Fix IXFR skipping the additions part of the last sequence
- Treat requestor's payload size lower than 512 as equal to 512
- make URI integers 16 bits, fixes ticket #5443
- unbreak quoting

Improvements
- EDNS Client Subnet becomes compatible with the packet cache, using
  the existing variable answer facility.
- Remove just enough entries from the cache, not one more than asked
- Move expired cache entries to the front so they are expunged
- changed IPv6 addr of b.root-servers.net
- e.root-servers.net has IPv6 now
- hello decaf signers (ED25519 and ED448)
- don't use the libdecaf ed25519 signer when libsodium is enabled
  (Kees Monshouwer)
- do not hash the message in the ed25519 signer (Kees Monshouwer)
- Disable use-incoming-edns-subnet by default
2017-08-02 20:15:42 +00:00
joerg
7af3c88628 Make Bart write "I will not ignore autoconf warnings" a thousand times.
While here, don't include the configure arguments in the binary to avoid
the wrkdir references.
2017-07-03 13:02:38 +00:00
fhajny
7dcdce6cd7 Update net/powerdns-recursor to 4.0.5.
Enhancements
- Add the 2017 DNSSEC root key
- Add support for RPZ wildcarded target names.
- Speed up RPZ zone loading and add a zoneSizeHint parameter to
  rpzFile and rpzMaster for faster reloads
- Make the RPZ summary consistent and log additions/removals at debug
  level, not info
- Update Ed25519 algorithm number and mnemonic and hook up to the
  Recursor
- Add use-incoming-edns-subnet option to process and pass along ECS
  and fix some ECS bugs in the process
- Refuse to start with chroot set in a systemd env
- Handle exceptions raised by closesocket() to prevent process
  termination
- Document missing top-pub-queries and top-pub-servfail-queries
  commands for rec_control
- IPv6 address for g.root-servers.net added
- Log outgoing queries / incoming responses via protobuf

Bug fixes
- Correctly lowercase the TSIG algorithm name in hash computation
- Clear the RPZ NS IP table when clearing the policy, this prevents
  false positives
- Fix cache-only queries against a forward-zone
- Only delegate if NSes are below apex in auth-zones
- Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor
- Make sure labelsToAdd is not empty in getZoneCuts()
- Wait until after daemonizing to start the outgoing protobuf thread,
  prevents hangs when the protobuf server is not available
- Ensure (re)priming the root never fails
- Don't age the root, fixes a regression from 3.x
- Fix exception when sending a protobuf message for an empty question
- LuaWrapper: Allow embedded NULs in strings received from Lua
- Fix coredumps on illumos/SmartOS
- StateHolder: Allocate (and copy if needed) before taking the lock
- SuffixMatchNode: Fix insertion issue for an existing node
- Fix negative port detection for IPv6 addresses on 32-bit systems
2017-06-15 07:15:57 +00:00
joerg
c695d586df Merge patch from powerdns package to avoid ordering nullptrs. 2017-05-22 23:41:52 +00:00
jperkin
6b547497bb Convert CXXFLAGS setting C++ standard to USE_LANGUAGES. 2017-05-03 08:38:38 +00:00
fhajny
0d4b51deb7 powerdns-recursor also needs the segfault fix for SunOS. PKGREVISION++ 2017-03-31 19:41:13 +00:00
fhajny
19df27eef1 Requires pkg-config to build properly 2017-03-24 18:45:44 +00:00
fhajny
aa9e0f90c5 Update net/powerdns-recursor to 4.0.4.
PowerDNS Recursor 4.0.4
=======================

Change highlights include:

- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don't parse spurious RRs in queries when we don't need them
  (Security Advisory 2016-02)
- Add 'max-recursion-depth' to limit the number of internal recursions
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache forwarded zones aware
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don't go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure
  zones

PowerDNS Recursor 4.0.3
=======================

Bug fixes
- Call gettag() for TCP queries
- Fix the use of an uninitialized filtering policy
- Parse query-local-address before lua-config-file
- Fix accessing an empty policyCustom, policyName from Lua
- ComboAddress: don't allow invalid ports
- Fix RPZ default policy not being applied over IXFR
- DNSSEC: Actually follow RFC 7646 §2.1
- Add boost context ldflags so freebsd builds can find the libs
- Ignore NS records in a RPZ zone received over IXFR
- Fix build with OpenSSL 1.1.0 final
- Don't validate when a Lua hook took the query
- Fix a protobuf regression (requestor/responder mix-up)

Additions and Enhancements
- Support Boost 1.61+ fcontext
- Add Lua binding for DNSRecord::d_place

PowerDNS Recursor 4.0.2
=======================

Bug fixes
- Set dq.rcode before calling postresolve
- Honor PIE flags.
- Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is
  irrelevant
- Don't shuffle CNAME records. (thanks to Gert van Dijk for the
  extensive bug report!)
- Fix delegation-only

Additions and enhancements
- Respect the timeout when connecting to a protobuf server
- allow newDN to take a DNSName in; document missing methods
- expose SMN toString to lua
- Anonymize the protobuf ECS value as well (thanks to Kai Storbeck of
  XS4All for finding this)
- Allow Lua access to the result of the Policy Engine decision, skip
  RPZ, finish RPZ implementation
- Remove unused DNSPacket::d_qlen
- RPZ: Use query-local-address(6) by default (thanks to Oli Schacher
  of switch.ch for the feature request)
- Move the root DNSSEC data to a header file

PowerDNS Recursor 4.0.1
=======================

Bug fixes
- Improve DNSSEC record skipping for non dnssec queries (Kees
  Monshouwer)
- Don't validate zones from the local auth store, go one level down
  while validating when there is a CNAME
- Don't go bogus on islands of security
- Check all possible chains for Insecures
- Don't go Bogus on a CNAME at the apex
- RPZ: default policy should also override local data RRs
- Fix a crash when the next name in a chained query is empty and
  rec_control current-queries is invoked

Improvements
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix warnings with gcc on musl-libc (James Taylor)
- Also validate on +DO
- Fail to start when the lua-dns-script does not exist
- Add more Netmask methods for Lua (Aki Tuomi)
- Validate DNSSEC for security polling
- Turn on root-nx-trust by default and log-common-errors=off
- Allow for multiple trust anchors per zone
- Fix compilation warning when building without Protobuf

PowerDNS Recursor 4.0.0
=======================

- Moved to C++ 2011, a cleaner more powerful version of C++ that has
  allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
  is fully "DNS Native" and needs less escaping and unescaping.
- Switched to binary storage of DNS records in all places.
- Moved ACLs to a dedicated Netmask Tree.
- Implemented a version of RCU for configuration changes
- Instrumented our use of the memory allocator, reduced number of
  malloc calls substantially.
- The Lua hook infrastructure was redone using LuaWrapper; old scripts
  will no longer work, but new scripts are easier to write under the
  new interface.
- DNSSEC processing: if you ask for DNSSEC records, you will get them.
- DNSSEC validation: if so configured, PowerDNS performs DNSSEC
  validation of your answers.
- Completely revamped Lua scripting API that is "DNSName" native and
  therefore far less error prone, and likely faster for most commonly
  used scenarios.
- New asynchronous per-domain, per-ip address, query engine.
- RPZ (from file, over AXFR or IXFR) support.
- All caches can now be wiped on suffixes, because of canonical
  ordering.
- Many, many more relevant performance metrics, including upstream
  authoritative performance measurements.
- EDNS Client Subnet support, including cache awareness of
  subnet-varying answers.
2017-03-09 13:43:49 +00:00
jperkin
36e6903fd8 Remove the stability entity, it has no meaning outside of an official context. 2016-06-08 10:16:50 +00:00
jperkin
31ffe7cbb6 Change the service_bundle name to "export" to reduce diffs between the
original manifest.xml file and the output from "svccfg export".
2016-06-08 09:46:01 +00:00
agc
203292f73e Add SHA512 digests for distfiles for net category
Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 00:34:51 +00:00
fhajny
6ac0205415 Update net/powerdns-recursor to 3.7.3 (previous commit was 3.7.2).
PowerDNS Recursor 3.7.3
- Limit the maximum length of a qname
- pdnssec: check for glue and delegations in parent zones
2015-06-10 14:40:07 +00:00
fhajny
d9c16a82e9 Add SMF manifest. 2015-06-10 14:23:11 +00:00
fhajny
f8f547a229 Update net/powerdns-recursor to 3.7.3.
Add SMF support.
Defuzz patches.

PowerDNS Recursor 3.7.3
- Limit the maximum length of a qname
- pdnssec: check for glue and delegations in parent zones

PowerDNS Recursor 3.7.2
- Fix handling of forward references in label compressed packets;
  fixes CVE-2015-1868.
- Minor improvements and bugfixes.

PowerDNS Recursor 3.7.1
- New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses
  from the root-servers
- getregisteredname() for Lua, which turns 'www.bbc.co.uk' into 'bbc.co.uk'
- Lua preoutquery filter
- Lua IP-based filter (ipfilter) before parsing packets
- iputils class for Lua, to quickly process IP addresses and netmasks
  in their native format
- getregisteredname function for Lua, to find the registered domain
  for a given name
- Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes,
  top-servfail-queries
- Minor improvements and bugfixes.

PowerDNS Recursor 3.6.2
- Minor improvements and bugfixes.

PowerDNS Recursor 3.6.1
- Fix for a crash under a specific sequence of packets.

PowerDNS Recursor 3.6.0
- Implement minimum-ttl-override config setting, plus runtime configurability
  via 'rec_control set-minimum-ttl'.
- Lots of work on the JSON API, which is exposed via Aki Tuomi's 'yahttp'.
- Lua modules can now use 'pdnslog(INFO..')
- Adopt any-to-tcp feature to the recursor.
- Implement built-in statistics dumper using the 'carbon' protocol, which
  is also understood by metronome (our mini-graphite). Use 'carbon-server',
  'carbon-ourname' and 'carbon-interval' settings.
- New setting 'udp-truncation-threshold' to configure from how many bytes
  we should truncate. commit a09a8ce.
- Proper support for CHaos class for CHAOS TXT queries.
- Added support for Lua scripts to drop queries w/o further processing.
- Kevin Holly added qtype statistics to recursor and rec_control.
- Add support for include-files in configuration, also reload ACLs and zones
  defined in them.
- Paulo Anes contributed server-down-max-fails which helps combat
  Recursive DNS based amplification attacks.
- Implement "followCNAMERecords" feature in the Lua hooks.
- Minor improvements and bugfixes.

PowerDNS Recursor 3.5.3
- This is a bugfix and performance update to 3.5.2. It brings serious
  performance improvements for dual stack users.

PowerDNS Recursor 3.5.2
- This is a stability and bugfix update to 3.5.1. It contains important
  fixes that improve operation for certain domains.

PowerDNS Recursor 3.5.1
- This is a stability and bugfix update to 3.5.

PowerDNS Recursor 3.5
- The local zone server now understands wildcards.
- The Lua postresolve and nodata hooks.
- A new feature, rec_control trace-regex allows the tracing of lookups
  for specific names
- A new setting, export-etc-hosts-search-suffix, adds a configurable
  suffix to names imported from /etc/hosts
- Minor improvements & bugfixes

PowerDNS Recursor 3.3.1
- Small number of important fixes, adds some memory usage statistics,
  but no new features
2015-06-10 14:22:29 +00:00
roy
3594ecc9b8 Add upstream patch to fix CVE-2014-8601.
Remove myself as maintainer.
2014-12-11 20:18:17 +00:00
alnsn
bdc6025cdf Revbump after lang/lua51 update. 2014-10-19 22:27:43 +00:00
alnsn
fb7c78e46e Adapt to Lua multiversion support. 2014-05-03 13:01:24 +00:00
jperkin
45bc40abb4 Remove example rc.d scripts from PLISTs.
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
2014-03-11 14:04:57 +00:00
dholland
2d5ff4445e Bump PKGREVISION of packages whose Lua depends changed form, but whose
own PKGNAME is unchanged.
2013-10-30 06:49:53 +00:00
adam
f9cd38361f Revbump after updating lang/lua to 5.2.2. 2013-07-04 21:27:56 +00:00
wiz
27b5b9d1e1 Restore two patch checksums. hi joerg. 2013-06-27 10:56:22 +00:00
joerg
42d3567efb Fix overlap between C++11 memory and boost::shared_ptr as well
as <tuple> and boost::tuple.
2013-06-26 15:52:22 +00:00
dholland
815f48493f Patch up C++ semantic whitespace. 2013-06-14 22:13:03 +00:00
joerg
99bb24d72c Be more explicit of what version of tuple and shared_ptr is meant.
Disable warnings for narrowing with C++11.
2013-06-10 18:59:09 +00:00
joerg
e537302d4a Request C++11 when building with clang. 2013-02-19 22:35:15 +00:00
asau
e059e7e469 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 17:18:07 +00:00
marino
5e0fa5453f net/powerdns-recursor: Support DragonFly
Fix endian setting on DragonFly (Same as FreeBSD) to fix build.
2012-08-07 23:31:03 +00:00
roy
d1aeaf5312 Bump to 3.3, changes include:
* Many threading changes for greater performance
* Can now make TCP/IP queries to remote IPv6 addresses
* Domains can be forwarded to IPv6 addresses
2012-02-28 10:49:27 +00:00
roy
171ddfd02e Compile on DragonFlyBSD.
Fixes PR pkg/44772
2011-04-06 10:35:38 +00:00
roy
1ac9200af2 Punt stale file 2010-01-29 13:27:54 +00:00
roy
0d3d659d14 Update to recursor-3.1.7.2
Changes from 3.1.7 include:
* Fixed CVE-2009-4009 and CVE-2009-4010
* Improved error messages when parsing zones
* Resilience against whitespace in configuration
* Performance increase
2010-01-29 13:26:45 +00:00
ghen
e55512552a Add option for Lua scripting support in pdns_recursor,
see http://doc.powerdns.com/recursor-scripting.html

Disabled by default, so no revbump.
2009-12-23 13:00:41 +00:00
joerg
c569c6a51f Mark packages as MAKE_JOBS_SAFE=no that failed in a bulk build with
MAKE_JOBS=2 and worked without.
2009-06-30 00:07:09 +00:00
hasso
9b44bb9699 Make it build on DragonFly. 2009-06-24 20:44:21 +00:00
joerg
62d1ba2bac Remove @dirrm entries from PLISTs 2009-06-14 18:03:28 +00:00
wiz
60f460ab01 Use standard location for LICENSE line (in MAINTAINER/HOMEPAGE/COMMENT
block). Uncomment some commented out LICENSE lines while here.
2009-05-19 08:59:00 +00:00
roy
2079c98f45 Get kqueue support working 2009-04-21 22:52:37 +00:00
roy
b7c229d102 Import pdns_recursor-3.1.7
Based on the WIP version by pkgsrc@blackmouse.biz

The PowerDNS recursor is part of the source tarball of the main PowerDNS
distribution, but it is released separately. Starting from the version 3.0
pre-releases, there are zero known bugs or issues with the recursor. It is
known to power the resolving needs of over 2 million internet connections.

PowerDNS recursor can get names from /etc/hosts.
2009-04-21 14:16:47 +00:00