All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
Changelog:
Released: 14th of December 2020
* Improvements:
- UUID: Use the non-cryptographic variant of the boost::uuid.
- Keep a cached, valid entry over a fresher Bogus one.
- Ensure socket-dir matches runtime directory on old systemd
- Move to several distinct Bogus states, for easier debugging.
- Do not chase CNAME during qname minimization step 4.
* Bug Fixes:
- Untangle the validation/resolving qnames and qtypes.
- APL records: fix endianness problem.
Changelog:
Released: 25th of November 2020
* Improvements:
- Allow to specify a name in getMetric() that is used for Prometheus export
only.
* Bug Fixes:
- Do not add request to a wait chain that’s already processed or being
processed.
- Avoid a CNAME loop detection issue with DNS64
- Do not send overly long NOD lookups.
- If a.b.c CNAME x.a.b.c is encountered, switch off QName Minimization.
- Fix the processing of answers generated from gettag.
Changelog for 4.4.0:
Released: 19th of October 2020
Bug Fixes
- Backport of CVE-2020-25829: Cache pollution.
Changelog for 4.4.0-rc2:
Released: 6th of October 2020
Improvements:
- Don’t parse any config with –version.
- Expose typed cache flush via Web API.
- Log when going Bogus because of a missing SOA in authority.
- Raise an exception on invalid content in unknown record.
Bug Fixes:
- When deciding if we are auth in the local auth or forwarding case, DS is
special.
- Fix wipe-cache-typed.
- Watch the descriptor again after an out-of-order read timeout.
Changelog for 4.4.0-rc1:
Released: 21st of September 2020
Bug Fixes:
- Only do QName Minimization for the names inside a forwarded domain.
- Fix the parsing of dont-throttle-netmasks in the presence of
dont-throttle-names.
Changelog for 4.4.0-beta1:
Released: 31st of August 2020
Improvements:
- Store RPZ trigger and hit in appliedPolicy and protobuf message and log
them in the trace log.
- Apply filtering policies (RPZ) on CNAME chains as well.
- Fix warning: initialized lambda captures are a C++14 extension.
- Clean some coverity reported cases of exceptions thrown but not caught.
- Export record cache lock (contention) stats via the various channels.
- Allow multiple local data records when doing RPZ IP matching.
- Replace the use of ‘1’ by QClass::IN to improve readability.
- Avoid name clashes on Solaris derived systems.
Bug Fixes:
- Allow some more depth headroom for the no-qname-minimization fallback case.
- If we have an NS in cache, use it in the forwarder case.
- Disable outgoing v4 when query-local-address has no v4 addresses.
- Resize hostname to final size in getCarbonHostname() (Aki Tuomi).
Changelog for 4.4.0-alpha2:
Released: 20th of July 2020
Improvements:
- Check that DNSKEYs have the zone flag set.
- Remove redundant toLogString() calls (Chris Hofstaedtler).
- Stop cluttering the global namespace with validation states.
- Use explicit flag for the specific version of c++ we’re targeting.
- Use new operator to print states.
- Refuse QType 0 right away, based on rfc6895 section 3.1.
- Specify a storage type for validation states.
- Common TCP write problems should only be logged if wanted.
- Dump the authority records of a negative cache entry as well.
- Alternative way to do “skip cname check” for DS and DNSKEY records
- Control stack depth when priming.
- Add version ‘statistic’ to prometheus.
- Cleanup cache cleaner pruneCollection function.
- RPZ policy should override gettag_ffi answer by default.
- Don’t copy the records when scanning for CNAME loops.
- Do not use using namespace std; .
- More sophisticated CNAME loop detection.
- Use std::string_view when available (Rosen Penev).
- Make sure we can install unsigned packages.
- Clarify docs (Josh Soref).
- Ensure runtime dirs for virtual services differ.
- Builder: improve shipped config files (Chris Hofstaedtler).
- Less negatives in error messages improves readability.
- Boost 1.73 moved boost::bind placeholders to the placeholders namespace.
- Fix useless copies in loop reported by clang++ 10.
- NetmaskTree: do not test node for null, the loop guarantees node is not
null.
- Wrap pthread objects
- Get rid of a naked pointer in the /dev/poll event multiplexer.
- Random engine.
Bug Fixes:
- Update proxy-protocol.cc (ihsinme).
- Kill an signed vs unsigned warning on OpenBSD.
- Don’t validate a NXD with a NSEC proving that the name is an ENT.
- Fix three shared cache issues.
- Limit the TTL of RRSIG records as well.
- Avoid throwing an exception in Logger::log().
Changelog for 4.4.0-alpha1:
Released: 22th of April 2020
New Features:
- Implement native DNS64 support, without Lua.
- Add custom tags to RPZ hits.
- Allow attaching a ‘routing’ tag string to a query in lua code and use that
tag in the record cache when appropriate.
- Share record cache between threads.
- Add support for Proxy Protocol between dnsdist and the recursor.
Improvements:
- Fix warnings with llvm10 and -Wrange-loop-construct (Kirill Ponomarev).
- Fix compilation without deprecated OpenSSL APIs (Rosen Penev).
- Detect {Libre,Open}SSL functions availability during configure.
- Better handling of reconnections in Remote Logger.
- Add ‘queue full’ metrics for our remote logger, log at debug only.
- Update boost.m4
- Keep a masked network in the Netmask class.
- Replace include guard ifdef/define with pragma once (Chris Hofstaedtler).
- YaHTTP: Support bracketed IPv6 addresses
- Rework NetmaskTree for better CPU and memory efficiency (Stephan Bosch).
- RPZ dumpFile/seedFile: store/get SOA refresh on dump/load.
- Add ‘IO wait’ and ‘steal’ metrics on Linux.
- DNSName: Don’t call strlen() when the length is already known.
- Fix build with gcc-10 (Sander Hoentjen).
Bug Fixes
- Fix compilation of the ports event multiplexer.
- Init zone’s d_priority field.
- QName Minimization sometimes uses 1 label too many.
Changelog for 4.3.4:
Released: 8th of September 2020
* Improvements:
- Ensure runtime dirs for virtual services differ.
* Bug Fixes:
- Allow some more depth headroom for the no-qname-minimization fallback case
- Resize hostname to final size in getCarbonHostname().
Changelog for 4.3.3:
Released: 17th of July 2020
* Bug Fixes:
- Validate cached DNSKEYs against the DSs, not the RRSIGs only.
- Ignore cache-only for DNSKEYs and DS retrieval.
- A ServFail while retrieving DS/DNSKEY records is just that.
- Refuse DS records received from child zones.
- Better exception handling in houseKeeping/handlePolicyHit.
- Take initial refresh time from loaded zone.
pkgsrc-specific changes:
- Move pdns socket directory to /var/run/pdns-recursor
to reduce diff
- Introduce SMF method script that also creates the
socket directory on platforms where /var/run is not
persistent (i.e. swap or tmpfs-mounted)
Changes since 4.3.1:
* Released:
- 1st of July 2020
* Improvements:
- Defer the NOD lookup until after the response has been sent.
- CNAME loop detection.
* Bug fixes:
- Backport of CVE-2020-14196: Enforce webserver ACL.
- Copy the negative cache entry before validating it.
- Fix compilation of the ports event multiplexer.
- Fix the handling of DS queries for the root.
- Fix RPZ removals when an update has several deltas.
- Fix compilation on systems that do not define HOST_NAME_MAX.
- Fix build with gcc-10.Â
* misc.:
- Correct depth increments.
- Limit the TTL of RRSIG records as well
4.3.0
Improvements
Only log qname parsing errors when ‘log-common-errors’ is set.
Update copyright year.
4.2.1
Improvements
Add CentOS 8 as builder target
Update boost.m4
Add deviceName field to protobuf messages
Test improvements
Builder: add raspbian-buster target
Bug Fixes
Purge map of failed auths periodically by keeping a last changed timestamp.
Prime NS records of root-servers.net parent (.net)
Issue with “zz” abbreviation for IPv6 RPZ triggers
Basic validation of $GENERATE parameters
Fix inverse handler registration logic for SNMP.
4.2.0
Improvements
Clear CMSG_SPACE(sizeof(data)) in cmsghdr to appease valgrind
Bug Fixes
Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0
Limit compression pointers to 14 bits
misc
Fix the export of only outgoing queries or incoming responses
4.1.12
Improvements
Provide CPU usage statistics per thread (worker & distributor).
Use a bounded load-balancing algo to distribute queries.
Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.
Bug Fixes
Correctly interpret an empty AXFR response to an IXFR query.
4.1.11
Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of sycalls per message.
Improvements
Add an option to export only responses over protobuf to the Lua protobufServer() directive.
Reduce systemcall usage in protobuf logging.
4.1.10
This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you’re installing it as a package from our repositories.
Bug Fixes
PowerDNS Recursor release 4.1.9 introduced a call to the Lua ipfilter() hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.
4.1.9
This release fixes Security Advisory 2019-01 and Security Advisory 2019-02 that were recently discovered, affecting PowerDNS Recursor:
CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8 ;
CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.
The issues are:
CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua ;
CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
Improvements
Try another worker before failing if the first pipe was full
Recursor 4.1.8
Crafted query can cause a denial of service (CVE-2018-16855)
Recursor 4.1.7
Revert ‘Keep the EDNS status of a server on FormErr with EDNS’
Refuse queries for all meta-types
Recursor 4.1.6
Revert “rec: Authority records in AA=1 CNAME answer are authoritative”.
Recursor 4.1.5
PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
PowerDNS Security Advisory 2018-07 (CVE-2018-14644)
Improvements
Add pdnslog to lua configuration scripts (Chris Hofstaedtler)
Fix compilation with libressl 2.7.0+
Export outgoing ECS value and server ID in protobuf (if any)
Switch to devtoolset 7 for el6
Allow the signature inception to be off by a number of seconds (Kees Monshouwer)
Bug Fixes
Crafted answer can cause a denial of service (CVE-2018-10851)
Packet cache pollution via crafted query (CVE-2018-14626)
Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
Delay the creation of rpz threads until we have dropped privileges
Cleanup the netmask trees used for the ecs index on removals
Make sure that the ecs scope from the auth is < to the source
Authority records in aa=1 cname answer are authoritative
Avoid a memory leak in catch-all exception handler
Don’t require authoritative answers for forward-recurse zones
Release memory in case of error in the openssl ecdsa constructor
Convert a few uses to toLogString to print DNSName’s that may be empty in a safer manner
Avoid a crash on DEC Alpha systems
Clear all caches on (N)TA changes
Improvements
- Split pdns_enable_unit_tests.
- Add a new max-udp-queries-per-round setting.
- Fix warnings reported by gcc 8.1.0.
- Tests: replace awk command by perl.
- Allow the snmp thread to retrieve statistics.
Bug Fixes
- Don’t account chained queries more than once.
- Make rec_control respect include-dir.
- Load lua scripts only in worker threads.
- Purge all auth/forward zone data including subtree.
Improvements
- Add a subtree option to the API cache flush endpoint.
- Use a separate, non-blocking pipe to distribute queries.
- Move carbon/webserver/control/stats handling to a separate thread.
- Add _raw versions for QName / ComboAddresses to the FFI API.
- Update copyright years to 2018
- Fix a warning on botan >= 2.5.0.
Bug Fixes
- Count a lookup into an internal auth zone as a cache miss.
- Don’t increase the DNSSEC validations counters when running with
process-no-validate.
- Respect the AXFR timeout while connecting to the RPZ server.
- Increase MTasker stacksize to avoid crash in exception unwinding
- Use the SyncRes time in our unit tests when checking cache validity
- Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT.
- Delay the loading of RPZ zones until the parsing is done, fixing a
race condition.
- Reorder includes to avoid boost L conflict.
New Features
- Add FFI version of gettag().
Improvements
- Add the option to set the AXFR timeout for RPZs.
- IXFR: correct behavior of dealing with DNS Name with multiple
records and speed up IXFR transaction.
- Add RPZ statistics endpoint to the API.
Bug Fixes
- Retry loading RPZ zones from server when they fail initially.
- Fix ECS-based cache entry refresh code.
- Fix ECS-specific NS AAAA not being returned from the cache.
Improvements
- Don't process records for another class than IN
Bug Fixes
- Correctly handle ancestor delegation NSEC{,3} for children.
(CVE-2018-1000003)
- Fix the computation of the closest encloser for positive answers.
- Pass the correct buffer size to arecvfrom().
- Fix to make primeHints threadsafe, otherwise there's a small chance
on startup that the root-server IPs will be incorrect.
- Don't validate signature for "glue" CNAME, since anything else than
the initial CNAME can't be considered authoritative.
Lua support no longer optional.
PowerDNS Recursor 4.1.0
===========================================================
- Improved DNSSEC support
- Improved documentation
- Improved RPZ support
- Improved EDNS Client Subnet support
- Support for Botan 2.x (and removal of support for Botan 1.10)
- SNMP support
- Lua engine has gained access to more parts of the recursor
- CPU affinity can now be specified
- TCP Fast Open support
- New performance metrics
Full changelog:
https://doc.powerdns.com/recursor/changelog/4.1.html
PowerDNS Recursor 4.0.7
===========================================================
- Insufficient validation of DNSSEC signatures (CVE-2017-15090)
- Cross-Site Scripting in the web interface (CVE-2017-15092)
- Configuration file injection in the API (CVE-2017-15093)
- Memory leak in DNSSEC parsing (CVE-2017-15094)
Bug fixes
- Update rec_control manpage
- Check in the detected OpenSSL/libcrypto for ECDSA
- Make more specific Netmasks < to less specific ones
- Fix validation at the exact RRSIG inception or expiration time
- Lowercase all outgoing qnames when lowercase-outgoing is set
- Fix libatomic detection on ppc64
- Edit configname definition to include the 'config-name' argument
Improvements
- Extract nested exception from Luawrapper
- Use explicit yes for default-enabled settings
- Throw an error when lua-conf-file can't be loaded
- get-remote-ring's "other" report should only have two items.
- PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet
mask
- Only increase no-packet-error on the first read
- Add support for Botan 2.x
- Add more information to recursor cache dumps
- Fix typo in two log messages
- Add help text on autodetecting systemd support
- Be more resilient with broken auths
- Remove pdns.PASS and pdns.TRUNCATE
- Improve dnsbulktest experience in travis for more robustness
- Create socket-dir from init-script
- b.root renumbering, effective 2017-10-24
- Don't retry security polling too often when it fails
Bug fixes
- Use the incoming ECS for cache lookup if use-incoming-edns-subnet is
set
- when making a netmask from a comboaddress, we neglected to zero the
port. This could lead to a proliferation of netmasks.
- Don't take the initial ECS source for a scope one if EDNS is off
- also set d_requestor without Lua: the ECS logic needs it
- Fix IXFR skipping the additions part of the last sequence
- Treat requestor's payload size lower than 512 as equal to 512
- make URI integers 16 bits, fixes ticket #5443
- unbreak quoting
Improvements
- EDNS Client Subnet becomes compatible with the packet cache, using
the existing variable answer facility.
- Remove just enough entries from the cache, not one more than asked
- Move expired cache entries to the front so they are expunged
- changed IPv6 addr of b.root-servers.net
- e.root-servers.net has IPv6 now
- hello decaf signers (ED25519 and ED448)
- don't use the libdecaf ed25519 signer when libsodium is enabled
(Kees Monshouwer)
- do not hash the message in the ed25519 signer (Kees Monshouwer)
- Disable use-incoming-edns-subnet by default
Enhancements
- Add the 2017 DNSSEC root key
- Add support for RPZ wildcarded target names.
- Speed up RPZ zone loading and add a zoneSizeHint parameter to
rpzFile and rpzMaster for faster reloads
- Make the RPZ summary consistent and log additions/removals at debug
level, not info
- Update Ed25519 algorithm number and mnemonic and hook up to the
Recursor
- Add use-incoming-edns-subnet option to process and pass along ECS
and fix some ECS bugs in the process
- Refuse to start with chroot set in a systemd env
- Handle exceptions raised by closesocket() to prevent process
termination
- Document missing top-pub-queries and top-pub-servfail-queries
commands for rec_control
- IPv6 address for g.root-servers.net added
- Log outgoing queries / incoming responses via protobuf
Bug fixes
- Correctly lowercase the TSIG algorithm name in hash computation
- Clear the RPZ NS IP table when clearing the policy, this prevents
false positives
- Fix cache-only queries against a forward-zone
- Only delegate if NSes are below apex in auth-zones
- Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor
- Make sure labelsToAdd is not empty in getZoneCuts()
- Wait until after daemonizing to start the outgoing protobuf thread,
prevents hangs when the protobuf server is not available
- Ensure (re)priming the root never fails
- Don't age the root, fixes a regression from 3.x
- Fix exception when sending a protobuf message for an empty question
- LuaWrapper: Allow embedded NULs in strings received from Lua
- Fix coredumps on illumos/SmartOS
- StateHolder: Allocate (and copy if needed) before taking the lock
- SuffixMatchNode: Fix insertion issue for an existing node
- Fix negative port detection for IPv6 addresses on 32-bit systems
PowerDNS Recursor 4.0.4
=======================
Change highlights include:
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don't parse spurious RRs in queries when we don't need them
(Security Advisory 2016-02)
- Add 'max-recursion-depth' to limit the number of internal recursion
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache forwarded zones aware
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don't go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure
zones
PowerDNS Recursor 4.0.3
=======================
Bug fixes
- Call gettag() for TCP queries
- Fix the use of an uninitialized filtering policy
- Parse query-local-address before lua-config-file
- Fix accessing an empty policyCustom, policyName from Lua
- ComboAddress: don't allow invalid ports
- Fix RPZ default policy not being applied over IXFR
- DNSSEC: Actually follow RFC 7646 §2.1
- Add boost context ldflags so freebsd builds can find the libs
- Ignore NS records in a RPZ zone received over IXFR
- Fix build with OpenSSL 1.1.0 final
- Don't validate when a Lua hook took the query
- Fix a protobuf regression (requestor/responder mix-up)
Additions and Enhancements
- Support Boost 1.61+ fcontext
- Add Lua binding for DNSRecord::d_place
PowerDNS Recursor 4.0.2
=======================
Bug fixes
- Set dq.rcode before calling postresolve
- Honor PIE flags.
- Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is
irrelevant
- Don't shuffle CNAME records. (thanks to Gert van Dijk for the
extensive bug report!)
- Fix delegation-only
Additions and enhancements
- Respect the timeout when connecting to a protobuf server
- allow newDN to take a DNSName in; document missing methods
- expose SMN toString to lua
- Anonymize the protobuf ECS value as well (thanks to Kai Storbeck of
XS4All for finding this)
- Allow Lua access to the result of the Policy Engine decision, skip
RPZ, finish RPZ implementation
- Remove unused DNSPacket::d_qlen
- RPZ: Use query-local-address(6) by default (thanks to Oli Schacher
of switch.ch for the feature request)
- Move the root DNSSEC data to a header file
PowerDNS Recursor 4.0.1
=======================
Bug fixes
- Improve DNSSEC record skipping for non dnssec queries (Kees
Monshouwer)
- Don't validate zones from the local auth store, go one level down
while validating when there is a CNAME
- Don't go bogus on islands of security
- Check all possible chains for Insecures
- Don't go Bogus on a CNAME at the apex
- RPZ: default policy should also override local data RRs
- Fix a crash when the next name in a chained query is empty and
rec_control current-queries is invoked
Improvements
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix warnings with gcc on musl-libc (James Taylor)
- Also validate on +DO
- Fail to start when the lua-dns-script does not exist
- Add more Netmask methods for Lua (Aki Tuomi)
- Validate DNSSEC for security polling
- Turn on root-nx-trust by default and log-common-errors=off
- Allow for multiple trust anchors per zone
- Fix compilation warning when building without Protobuf
PowerDNS Recursor 4.0.0
=======================
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Switched to binary storage of DNS records in all places.
- Moved ACLs to a dedicated Netmask Tree.
- Implemented a version of RCU for configuration changes
- Instrumented our use of the memory allocator, reduced number of
malloc calls substantially.
- The Lua hook infrastructure was redone using LuaWrapper; old scripts
will no longer work, but new scripts are easier to write under the
new interface.
- DNSSEC processing: if you ask for DNSSEC records, you will get them.
- DNSSEC validation: if so configured, PowerDNS perform DNSSEC
validation of your answers.
- Completely revamped Lua scripting API that is "DNSName" native and
therefore far less error prone, and likely faster for most commonly
used scenarios.
- New asynchronous per-domain, per-ip address, query engine.
- RPZ (from file, over AXFR or IXFR) support.
- All caches can now be wiped on suffixes, because of canonical
ordering.
- Many, many more relevant performance metrics, including upstream
authoritative performance measurements.
- EDNS Client Subnet support, including cache awareness of
subnet-varying answers.
Add SMF support.
Defuzz patches.
PowerDNS Recursor 3.7.3
- Limit the maximum length of a qname
- pdnssec: check for glue and delegations in parent zones
PowerDNS Recursor 3.7.2
- Fix handling of forward references in label compressed packets;
fixes CVE-2015-1868.
- Minor improvements and bugfixes.
PowerDNS Recursor 3.7.1
- New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses
from the root-servers
- getregisteredname() for Lua, which turns 'www.bbc.co.uk' into 'bbc.co.uk'
- Lua preoutquery filter
- Lua IP-based filter (ipfilter) before parsing packets
- iputils class for Lua, to quickly process IP addresses and netmasks
in their native format
- getregisteredname function for Lua, to find the registered domain
for a given name
- Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes,
top-servfail-queries
- Minor improvements and bugfixes.
PowerDNS Recursor 3.6.2
- Minor improvements and bugfixes.
PowerDNS Recursor 3.6.1
- Fix for a crash under a specific sequence of packets.
PowerDNS Recursor 3.6.0
- Implement minimum-ttl-override config setting, plus runtime configurability
via 'rec_control set-minimum-ttl'.
- Lots of work on the JSON API, which is exposed via Aki Tuomi's 'yahttp'.
- Lua modules can now use 'pdnslog(INFO..')
- Adopt any-to-tcp feature to the recursor.
- Implement built-in statistics dumper using the 'carbon' protocol, which
is also understood by metronome (our mini-graphite). Use 'carbon-server',
'carbon-ourname' and 'carbon-interval' settings.
- New setting 'udp-truncation-threshold' to configure from how many bytes
we should truncate. commit a09a8ce.
- Proper support for CHaos class for CHAOS TXT queries.
- Added support for Lua scripts to drop queries w/o further processing.
- Kevin Holly added qtype statistics to recursor and rec_control.
- Add support for include-files in configuration, also reload ACLs and zones
defined in them.
- Paulo Anes contributed server-down-max-fails which helps combat
Recursive DNS based amplification attacks.
- Implement "followCNAMERecords" feature in the Lua hooks.
- Minor improvements and bugfixes.
PowerDNS Recursor 3.5.3
- This is a bugfix and performance update to 3.5.2. It brings serious
performance improvements for dual stack users.
PowerDNS Recursor 3.5.2
- This is a stability and bugfix update to 3.5.1. It contains important
fixes that improve operation for certain domains.
PowerDNS Recursor 3.5.1
- This is a stability and bugfix update to 3.5.
PowerDNS Recursor 3.5
- The local zone server now understands wildcards.
- The Lua postresolve and nodata hooks.
- A new feature, rec_control trace-regex allows the tracing of lookups
for specific names
- A new setting, export-etc-hosts-search-suffix, adds a configurable
suffix to names imported from /etc/hosts
- Minor improvements & bugfixes
PowerDNS Recursor 3.3.1
- Small number of important fixes, adds some memory usage statistics,
but no new features
