This is a security release fixing CVE-2015-5230.
Bug fixes:
- Avoid superfluous backend recycling
- Removal of dnsdist from the authoritative server distribution
- Add EDNS unknown version handling and tests EDNS unknown version handling
Improvements:
- Update YaHTTP to v0.1.7
- Make trailing/leading spaces stand out in pdnssec check_zone
- GCC 5.2 support and sync boost.m4 macro with upstream
- Log answer packets only if log-dns-details is enabled
PowerDNS Authoritative Server 3.4.5
Bug fixes:
- Be careful reading empty lines in our config parser and prevent
integer overflow.
- prevent crash after --list-modules (Ruben Kerkhof)
- Limit the maximum length of a qname
Improvements:
- Support /etc/default for our debian/ubuntu packages (Aki Tuomi)
- Detect GCC 5.1 for boost (Ruben Kerkhof)
- Various PKCS#11 fixes and improvements (Aki Tuomi)
- Fix Coverity issues (Aki Tuomi)
- Fix building on OpenBSD (Florian Obser and Ruben Kerkhof)
- Look for mbedtls before polarssl (Ruben Kerkhof)
- Let pkg-config determine botan dependency libs (Ruben Kerkhof)
- Kill some further mallocs and add note to remind us not to add them back
- Move remotebackend-unix test socket to testsdir (Aki Tuomi)
- Defer launch of coprocess until first question (Aki Tuomi)
- pdnssec: check for glue and delegations in parent zones (Kees Monshouwer)
PowerDNS Authoritative Server 3.4.4
Bug fixes:
- Fix rectify-(all)-zones for mixed case domain names
- Fix CVE-2015-1868
- Blocking IO in busy-wait for remote backend (Wieger Opmeer)
- Fix double dot for root MX/SRV in bind slave zone files (Kees Monshouwer)
- Properly lock lmdb database, fixes ticket #1954 (Aki Tuomi)
- Fix segfault in zone2lmdb (Ruben Kerkhof)
New Features:
- pdnssec: warn for insecure wildcards in opt-out zones
- TKEY record type (Aki Tuomi)
- Many PKCS#11 improvements (Aki Tuomi)
- Introduce xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
Improvements:
- Allow "pdnssec set-nsec3 ZONE" for insecure zones; this saves on
one rectify when securing a NSEC3 zone
- Improvements to the config-file parsing (Aki Tuomi)
- Postgresql check should not touch LDFLAGS (Ruben Kerkhof)
- Log error when remote cannot do AXFR (Aki Tuomi)
- Speed improvements when AXFR is disabled (Christian Hofstaedtler)
- NSEC3 and related RRSIGS are not part of the dnstree (Kees Monshouwer)
- Change ifdef to check for __GLIBC__ instead of __linux__ to prevent
errors with other libc's (James Taylor)
- Try to raise open files before dropping privileges (Aki Tuomi)
- Add newline to carbon error message on auth (Aki Tuomi)
- Make sure we send servfail on error (Aki Tuomi)
- Ship lmdb-example.pl in tarball (Ruben Kerkhof)
- Allocate TCP buffer dynamically, decreasing stack usage
- Throw if getSOA gets non-SOA record
and zeromq options, which are disabled by default. ChangeLog:
PowerDNS Authoritative Server 3.4.3
Warning: Version 3.4.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.
Released March 2nd, 2015
Bug fixes:
commit ceb49ce: pdns_control: exit 1 on unknown command (Ruben Kerkhof)
commit 1406891: evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
commit 3ca050f: always set di.notified_serial in getAllDomains (Kees Monshouwer)
commit d9d09e1: pdns_control: don't open socket in /tmp (Ruben Kerkhof)
New features:
commit 2f67952: Limit who can send us AXFR notify queries (Ruben Kerkhof)
Improvements:
commit d7bec64: respond REFUSED instead of NOERROR for "unknown zone" situations
commit ebeb9d7: Check for Lua 5.3 (Ruben Kerkhof)
commit d09931d: Check compiler for relro support instead of linker (Ruben Kerkhof)
commit c4b0d0c: Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
commit 5a85152: PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
commit 97bd444: fix building with GCC 5
Experimental API changes (Christian Hofstaedtler):
commit ca44706: API: move shared DomainInfo reader into it's own function
commit 102602f: API: allow writing to domains.account field
commit d82f632: API: read and expose domain account field
commit 2b06977: API: be more strict when parsing record contents
commit 2f72b7c: API: Reject unknown types (TYPE0)
commit d82f632: API: read and expose domain account field
PowerDNS Authoritative Server 3.4.2
Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.
Released February 3rd, 2015
Find the downloads on our download page.
This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases.
A list of changes since 3.4.1 follows.
Improvements:
commit 73004f1: implement CORS for the HTTP API
commit 4d9c289: qtype is now case insensitive in API and database
commit 13af5d8, commit 223373a, commit 1d5a68d, commit 705a73f, commit b418d52: Allow (optional) PIE hardening
commit 2f86f20: json-api: remove priority from json
commit cefcf9f: backport remotebackend fixes
commit 920f987, commit dd8853c: Support Lua 5.3
commit 003aae5: support single-type ZSK signing
commit 1c57e1d: Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can't reproduce the bug on my local system, but this "should" help. Seriously.
commit 031ab21: update polarssl to 1.3.9
Bug fixes:
commit 60b2b7c, commit d962fbc: refuse overly long labels in names
commit a64fd6a: auth: limit long version strings to 63 characters and catch exceptions in secpoll
commit fa52e02: pdnssec: fix ttl check for RRSIG records
commit 0678b25: fix up latency reporting for sub-millisecond latencies (would clip to 0)
commit d45c1f1: make sure we don't throw an exception on "pdns_control show" of an unknown variable
commit 63c8088: fix startup race condition with carbon thread already trying to broadcast uninitialized data
commit 796321c: make qsize-q more robust
commit 407867c: mind04 discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
commit f06d069: make latency & qsize reporting 'live'. Plus fix that we only reported the qsize of the first distributor.
commit 2f3498e: fix up statbag for carbon protocol and function pointers
commit 0f2f999: get priority from table in Lua axfrfilter; fixes ticket #1857
commit 96963e2, commit bbcbbbe, commit d5c9c07: various backends: fix records pointing at root
commit e94c2c4: remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
commit 8f35ba2: api: use uncached results for getKeys()
commit c574336: read ALLOW-AXFR-FROM from the backend with the metadata
Minor changes:
commit 1e39b4c: move manpages to section 1
commit b3992d9: secpoll: Replace ~ with _
commit 9799ef5: only zones with an active ksk are secure
commit d02744f: api: show keys for zones without active ksk
New features:
commit 1b97ba0: add signatures metric to auth, so we can plot signatures/second
commit 92cef2d: pdns_control: make it posible to notify all zones at once
commit f648752: JSON API: provide flush-cache, notify, axfr-retrieve
commit 02653a7: add 'bench-db' to do very simple database backend performance benchmark
commit a83257a: enable callback based metrics to statbas, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
Performance improvements:
commit a37fe8c: better key for packetcache
commit e5217bb: don't do time(0) under signature cache lock
commit d061045, commit 135db51, commit 7d0f392: shard the packet cache, closing ticket #1910.
commit d71a712: with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.
pkgsrc changes:
- SQLite 2.x support no longer exists
- SQLite 3.x support cannot be compiled outside the main package because
of how symbols are distributed, so making it a compile time option
for net/powerdns now.
Too many changes since 2.9.22.5 (over 2 years ago), see the full changelog:
http://doc.powerdns.com/md/changelog/
Upgrade notes:
- PowerDNS 3.4 comes with a mandatory database schema upgrade coming from
any previous 3.x release.
- PowerDNS 3.1 introduces native SQLite3 support for storing key material for
DNSSEC in the bindbackend. With this change, support for bind+gsql-setups
('hybrid mode') has been dropped.
- PowerDNS 3.0 introduces full DNSSEC support which requires changes
to database schemas. By default, old non-DNSSEC schema is assumed.
Please see the docs on upgrading for particular steps that need to be taken:
http://doc.powerdns.com/md/authoritative/upgrading/
The PowerDNS nameserver is a modern, advanced and high performance
authoritative-only nameserver. It is written from scratch and conforms
to all the relevant DNS standards documents. PowerDNS is open source.
The PowerDNS nameserver utilizes a flexible backend architecture that
can access DNS information from any data source. This includes file
formats, Bind zone files, relational databases or LDAP directories.
See the net/powerdns-* packages for additional backend modules.
