All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
* Released: 8th of February 2021
* Improvements:
- debian packaging update
- dockerfiles: do not claim equivs-dummy is built from the pdns source
package
- Fix missing #include for gcc-11
- lmdb: Do a mdb_readers_check to clean up stale readers on database load
* Bug Fixes:
- fix TCP answer counters
- run deleteDomain() inside a transaction
- lmdb: do not reuse backend that has seen corrupted data
- lmdb: serialise LMDBBackend construction to ensure only a single schema
upgrade is attempted
- backport some asan/ubsan fixes
- pdnsutil edit-zone: do not exit on ZoneParser exception
Full changelog:
https://doc.powerdns.com/authoritative/changelog/4.4.html#change-4.4.1
checking whether -latomic is needed for __atomic builtins... configure: error: in `/scratch/work/net/powerdns/work/pdns-4.4.0':
configure: error: libatomic needed, but linking with -latomic failed, cannot continue
Security fix:
* This release drops GSS/TSIG support, please see PowerDNS Security Advisory 2020-06
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html
Changelog:
* New features:
- the LMDB backend now supports long record content, making it production
ready for everybody
- the SVCB and HTTPS record types are supported, with limited additional
processing
- transaction handling in the 2136 handler and the HTTP API was again
improved a lot, avoiding various spurious issues users may have noticed
if they do a lot of changes
- a new setting (consistent-backends) offers a roughly 30% speedup,
subject to conditions
- we finally emit Prometheus metrics!
* Improvements:
- don’t log trusted-notification-proxy notify at error level
- Stop using incbin and use od & sed to generate constant string data.
* Bug Fixes:
- clear the LMDB set state when performing a new lookup or list to prevent
corruption cases
- SVCB: Correctly parse and print unknown params
- fix direct-dnskey in AXFR-out
Security fix:
* CVE-2020-17482:
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html
An issue has been found in PowerDNS Authoritative Server before 4.3.1
where an authorized user with the ability to insert crafted records
into a zone might be able to leak the content of uninitialized memory.
Such a user could be a customer inserting data via a control panel,
or somebody with access to the REST API. Crafted records cannot be
inserted via AXFR.
Changelog:
* New Features
- Add ubuntu focal target
* Improvements
- EL8 pkgs: Build mysql backend against mariadb-connector-c-devel
- gpgsql: Reintroduce prepared statements
- gsqlite3backend: add missing indexes
- Use real remote for supermaster createSlaveDomain()
- Optimize IXFR-to-AXFR fallback path
- Install bind SQL schema files as part of bindbackend
- Do not send out of zone lookups to the backends
* Bug Fixes:
- Raise an exception on invalid hex content in unknown records.
- Handle the extra single-row result set of MySQL stored procedures
* pkgsrc-specific:
- The default pid file patch in rc.d script has been fixed
Changes since 4.2.2:
* Released:
- 7th of April 2020
* Improvements:
- reduce the number of temporary memory allocations
- adjust NSEC TTLs to negative TTL
- Add more SQL schema files to packages and tarballs
- only log "No question section in packet" at Debug logging level
- do not update identical notified serials
- IXFR: only sign SOA in empty response for +DO queries
- Prepare the caches' buckets in advance
- Rework NetmaskTree for better CPU and memory efficiency.
- allow local-ipv6 until 4.4.0
- Add metrics about the size of our in-memory rings
- gpgsqlbackend: stop using prepared statements
- Enforce a strict maximum size for the packet and records caches
- API: optionally, do not return dnssec info in domain list
- zone file parser: Add a parameter to limit the number of "$GENERATE" steps
- api: avoid a large number of new database connections
- Emulate a buffered read in the pipe backend, ~3x faster
- LUA performance: register lua functions only once
- API: make max request/response body size configurable
- API: add edited_serial to Zone object
- Improve error when notification comes in for non-slave zone
- LUA record: rewrote the health checking system
* Bug fixes:
- avoid IXFR-in corruption when deltas come in close together (please see the
IXFR-in corruption upgrade notes)
- improve sql schema updates
- Fix NSECx for unpublished DNSKEYs properly
- emit correct NSEC/NSEC3 bitmaps in hidden key situations
- Refuse NSEC records with a bitmap length > 32
- YaHTTP: Support bracketed IPv6 addresses
- Make sure the default-publish-cds and default-publish-cdnskey options are
respected for AXFR
- make sure records from LMDB backend end up in the right packet section
- Clear the TSIG algo between iterations in the API
- HTTP API: Allow DNAME in apex with SOA and NS records
- various memory/thread correctness fixes
- LUA view: do not crash on empty IP list
- REST API: accept headers without spaces
- on luaSynth exception, drain db output
- tinydnsbackend: limit timestamp-based TTLs
- Ensure that pdns can read pdns.conf when upgrading from an older package
- Ixfrdist: handle reading of empty files gracefully
- webserver: handle exceptions instead of SIGABRTing the world
* New features:
- add full option to "pdns_control show-config"
- Add "IO wait" and "steal" metrics on Linux
- API: add includerings option to statistics endpoint
- Add an extended status report in the bind backend
- add default-publish-{cds|cdnskey} options
- remotebackend: Support alsoNotifies, setFresh, getUnfreshSlaveInfos
- Add support for managing unpublished DNSSEC keys
- gmysql backend, add an option to send the SSL capability flag
- pdnsutil: offer to increase serial after edit-zone
* Removed features:
- remove goracle, lua, mydns, opendbx, oracle backends
- deprecate SOA autocomplete in pdnsutil check-zone
* misc.:
- remove the implicit 5->7 algorithm upgrade
- Make Lua mandatory for Auth
For complete and up-to-date changelog, see:
https://doc.powerdns.com/authoritative/changelog/4.3.html
pkgsrc notes:
~~~~~~~~~~~~~
The default options have changed since 4.2.2 a bit:
- option "lua" has been removed as LUA is now mandatory
- option "luarecords" has been added with default "on". When
not present in PKG_OPTIONS, LUA records support will be disabled.
Changes since 4.2.1:
* Released:
- 9th of April 2020
* New Features:
- api: add includerings option to statistics endpoint
* Improvements:
- cache: strictly enforce maximum size, and improve cleanup routine
* Bug Fixes:
- fix records ending up in wrong packet section
- avoid IXFR-in corruption when deltas come in close together.
Please see the IXFR-in corruption upgrade notes
- fix out-of-bound access for zero length "serialized" string when
using lmdbbackend.
- bind backend: pthread_mutex_t should be inited and destroyed and not be copied
* Reference:
- https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.2.2
4.2.1
This release fixes several bugs and makes a few features more robust or intuitive. It also contains a few performance improvements for API users.
New Features
Add SLAVE-RENOTIFY zone metadata support
Add configurable timeout for inbound AXFR
Add CentOS 8 as builder target
gmysql backend, add an option to send the SSL capability flag
Improvements
API: reduce number of database connections
Register a few known RR types and remove an unknown one
bindbackend: use metadata for also-notifies as well
pdnsutil increase-serial: under SOA-EDIT=INCEPTION-EPOCH, bump as if it is EPOCH
API: optionally do not return dnssec info in domain list
Basic validation of $GENERATE parameters
Bug Fixes
LUA view: do not crash on empty IP list
API: Accept headers without spaces
Avoid database state-related SERVFAILs after a LUA error
Just before 4.2.0, some SQL-related fixes broke edit-zone and other features with the LMDB backend. This has been fixed now.
rfc2136, pdnsutil: somewhat improve duplicate record handling
4.2.0
Compared to the last release candidate, one more bug has been fixed.
The LMDB backend is incomplete in this version. Slaving zones works, loading zones with pdnsutil works, but more fine grained edits (using edit-zone, or the REST API) fail. We hope to fix this soon in a 4.2.x release.
For an overview of features new since 4.1.x, please see the 4.2.0 announcement blog post.
Bug Fixes
bind getAllDomains: ignore per-zone exceptions
4.1.8
Bug Fixes
Fix rectify for ENT records in narrow zones.
Prevent leak of file descriptor if running out of ports for incoming AXFR.
EL6: fix CXXFLAGS to build with compiler optimizations.
Fix API search failed with “Commands out of sync; you can’t run this command now”.
Fix invalid SOA record in MySQL which prevented the authoritative server from starting.
Plug mysql_thread_init memory leak.
Correctly interpret an empty AXFR response to an IXFR query.
Fix replying from ANY address for non-standard port.
Do not compress the root.
Fix dot stripping in setcontent().
4.1.7
Bug Fixes
Insufficient validation in the HTTP remote backend (CVE-2019-3871, PowerDNS Security Advisory 2019-03)
4.1.5:
This release fixes the following security advisories:
* PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
* PowerDNS Security Advisory 2018-05 (CVE-2018-14626)
Improvements
* Apply alias scopemask after chasing
* Release memory in case of error in the openssl ecdsa constructor
* Switch to devtoolset 7 for el6
Bug Fixes
* Fix compilation with libressl 2.7.0+
* Actually truncate truncated responses
* Crafted zone record can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory 2018-03)
* Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory 2018-05)
Improvements
- Fix warnings reported by gcc 8.1.0.
- Make the gmysql backend future-proof.
- Initialize some missed qtypes.
Bug Fixes
- Avoid concurrent records/comments iteration from running out of
sync.
- Fix a crash in the API when adding records.
- pdns_control notify: handle slave without renotify properly.
- Reset the TSIG state between queries.
- Remove SOA-check backoff on incoming notify and fix lock handling.
- Fix an issue where updating a record via DNS-UPDATE in a child zone
that also exists in the parent zone, we would incorrectly apply the
update to the parent zone.
- Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl
return value.
4.1.3:
Improvements
- pdnsutil: use new domain in b2bmigrate
- Update copyright years to 2018
- Lower ‘packet too short’ loglevel
Bug Fixes
- Restrict creation of OPT and TSIG RRsets
- Fix handling of user-defined axfr filters return values
- Prevent the GeoIP backend from copying NetMaskTrees around, fixes slow-downs in certain configurations
- Ensure alias answers over TCP have correct name
Improvements
- API: increase serial after dnssec related updates
- Dnsreplay: bail out on a too small outgoing buffer
- lower ‘packet too short’ loglevel
- Make check-zone error on rows that have content but shouldn’t
- avoid an insane amount of new backend connections during an axfr
- Report unparseable data in stoul invalid_argument exception
- recheck serial when axfr is done
- add tcp support for alias
Bug Fixes
- allocate new statements after reconnecting to postgresql
- bindbackend: only compare ips in ismaster() (Kees Monshouwer)
- Rather than crash, sheepishly report no file/linenum
- Document undocumented config vars
- prevent cname + other data with dnsupdate
- Backport: forbid label compression in alias wire format
- Include unistd.h for chroot(2) et al.
- Auth: fix out of bounds exception in caa processing
- Add the missing include to mplexer.hh for struct timeval
- Auth: init openssl and libsodium before chrooting in pdnsutil
- Auth: always bind the results array after executing a mysql statement
- Ldap: fix getdomaininfo() to set this as di.backend
- Ldapbackend: fix listing zones incl. axfr
- Ixfr: correct behavior of dealing with dns name with multiple records
PowerDNS Authoritative Server 4.1.0
===========================================================
- Improved performance: 400% speedup in some scenarios
- Crypto API: DNSSEC fully configurable via RESTful API
- Improved documentation
- Database related improvements
- Enhanced tooling
- Support for TCP Fast Open
- Support for non-local bind
- Support for Botan 2.x (and removal of support for Botan 1.10)
- Our packages now ship with PKCS #11 support.
- Recursor passthrough removal
Full changelog:
https://doc.powerdns.com/authoritative/changelog/4.1.html
PowerDNS Authoritative Server 4.0.5
===========================================================
Fixes
- Fix for missing check on API operations (CVE-2017-15091)
- Bindbackend: do not corrupt data supplied by other backends in
getAllDomains
- API: prevent sending nameservers list and zone-level NS in rrsets
- gpgsql: make statement names actually unique
- Fix remotebackend params
- Fix godbc query logging
- For create-slave-zone, actually add all slaves, and not only first n
times
- Fix a regression in axfr-rectify + test
- When making a netmask from a comboaddress, we neglected to zero the
port
- Fix libatomic detection on ppc64
- Catch DNSName exception in the Zoneparser
- Publish inactive KSK/CSK as CDNSKEY/CDS
- Handle AFSDB record separately due to record structure.
- Treat requestor's payload size lower than 512 as equal to 512
- Correctly purge entries from the caches after a transfer
- Handle a signing pipe worker dying with work still pending
- Ignore SOA-EDIT for PRESIGNED zones.
- Check return value for all getTSIGKey calls.
Improvements
- Fix ldap-strict autoptr feature, including a test
- mydnsbackend: Add getAllDomains
- Stubresolver: Use only recursor setting if given
- LuaWrapper: Allow embedded NULs in strings received from Lua
- sdig: Clarify that the ednssubnet option takes "subnet/mask"
- Tests: Ensure all required tools are available
- PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet
mask
- LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
- Add support for Botan 2.x
- Ship ldapbackend schema files in tarball
- Collection of schema changes
- Fix typo in two log messages
- Add help text on autodetecting systemd support
- Use a unique pointer for bind backend's d_of
- Fix some of the issues found by @jpmens