Changes since 4.2.2:
* Released:
- 7th of April 2020
* Improvements:
- reduce the number of temporary memory allocations
- adjust NSEC TTLs to negative TTL
- Add more SQL schema files to packages and tarballs
- only log "No question section in packet" at Debug logging level
- do not update identical notified serials
- IXFR: only sign SOA in empty response for +DO queries
- Prepare the caches' buckets in advance
- Rework NetmaskTree for better CPU and memory efficiency.
- allow local-ipv6 until 4.4.0
- Add metrics about the size of our in-memory rings
- gpgsqlbackend: stop using prepared statements
- Enforce a strict maximum size for the packet and records caches
- API: optionally, do not return dnssec info in domain list
- zone file parser: Add a parameter to limit the number of "$GENERATE" steps
- api: avoid a large number of new database connections
- Emulate a buffered read in the pipe backend, ~3x faster
- LUA performance: register lua functions only once
- API: make max request/response body size configurable
- API: add edited_serial to Zone object
- Improve error when notification comes in for non-slave zone
- LUA record: rewrote the health checking system
* Bug fixes:
- avoid IXFR-in corruption when deltas come in close together (please see the
IXFR-in corruption upgrade notes)
- improve sql schema updates
- Fix NSECx for unpublished DNSKEYs properly
- emit correct NSEC/NSEC3 bitmaps in hidden key situations
- Refuse NSEC records with a bitmap length > 32
- YaHTTP: Support bracketed IPv6 addresses
- Make sure the default-publish-cds and default-publish-cdnskey options are
respected for AXFR
- make sure records from LMDB backend end up in the right packet section
- Clear the TSIG algo between iterations in the API
- HTTP API: Allow DNAME in apex with SOA and NS records
- various memory/thread correctness fixes
- LUA view: do not crash on empty IP list
- REST API: accept headers without spaces
- on luaSynth exception, drain db output
- tinydnsbackend: limit timestamp-based TTLs
- Ensure that pdns can read pdns.conf when upgrading from an older package
- Ixfrdist: handle reading of empty files gracefully
- webserver: handle exceptions instead of SIGABRTing the world
* New features:
- add full option to "pdns_control show-config"
- Add "IO wait" and "steal" metrics on Linux
- API: add includerings option to statistics endpoint
- Add an extended status report in the bind backend
- add default-publish-{cds|cdnskey} options
- remotebackend: Support alsoNotifies, setFresh, getUnfreshSlaveInfos
- Add support for managing unpublished DNSSEC keys
- gmysql backend, add an option to send the SSL capability flag
- pdnsutil: offer to increase serial after edit-zone
* Removed features:
- remove goracle, lua, mydns, opendbx, oracle backends
- deprecate SOA autocomplete in pdnsutil check-zone
* misc.:
- remove the implicit 5->7 algorithm upgrade
- Make Lua mandatory for Auth
For complete and up-to-date changelog, see:
https://doc.powerdns.com/authoritative/changelog/4.3.html
pkgsrc notes:
~~~~~~~~~~~~~
The default options have changed a bit since 4.2.2:
- option "lua" has been removed as LUA is now mandatory
- option "luarecords" has been added with default "on". When
not present in PKG_OPTIONS, LUA records support will be disabled.
Changes since 4.2.1:
* Released:
- 9th of April 2020
* New Features:
- api: add includerings option to statistics endpoint
* Improvements:
- cache: strictly enforce maximum size, and improve cleanup routine
* Bug Fixes:
- fix records ending up in wrong packet section
- avoid IXFR-in corruption when deltas come in close together.
Please see the IXFR-in corruption upgrade notes
- fix out-of-bound access for zero length "serialized" string when
using lmdbbackend.
- bind backend: pthread_mutex_t should be inited and destroyed and not be copied
* Reference:
- https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.2.2
4.2.1
This release fixes several bugs and makes a few features more robust or intuitive. It also contains a few performance improvements for API users.
New Features
- Add SLAVE-RENOTIFY zone metadata support
- Add configurable timeout for inbound AXFR
- Add CentOS 8 as builder target
- gmysql backend, add an option to send the SSL capability flag
Improvements
- API: reduce number of database connections
- Register a few known RR types and remove an unknown one
- bindbackend: use metadata for also-notifies as well
- pdnsutil increase-serial: under SOA-EDIT=INCEPTION-EPOCH, bump as if it is EPOCH
- API: optionally do not return dnssec info in domain list
- Basic validation of $GENERATE parameters
Bug Fixes
- LUA view: do not crash on empty IP list
- API: Accept headers without spaces
- Avoid database state-related SERVFAILs after a LUA error
- Just before 4.2.0, some SQL-related fixes broke edit-zone and other features with the LMDB backend. This has been fixed now.
- rfc2136, pdnsutil: somewhat improve duplicate record handling
4.2.0
Compared to the last release candidate, one more bug has been fixed.
The LMDB backend is incomplete in this version. Slaving zones works, loading zones with pdnsutil works, but more fine grained edits (using edit-zone, or the REST API) fail. We hope to fix this soon in a 4.2.x release.
For an overview of features new since 4.1.x, please see the 4.2.0 announcement blog post.
Bug Fixes
- bind getAllDomains: ignore per-zone exceptions
4.1.8
Bug Fixes
- Fix rectify for ENT records in narrow zones.
- Prevent leak of file descriptor if running out of ports for incoming AXFR.
- EL6: fix CXXFLAGS to build with compiler optimizations.
- Fix API search failing with "Commands out of sync; you can't run this command now".
- Fix invalid SOA record in MySQL which prevented the authoritative server from starting.
- Plug mysql_thread_init memory leak.
- Correctly interpret an empty AXFR response to an IXFR query.
- Fix replying from ANY address for non-standard port.
- Do not compress the root.
- Fix dot stripping in setcontent().
4.1.7
Bug Fixes
- Insufficient validation in the HTTP remote backend (CVE-2019-3871, PowerDNS Security Advisory 2019-03)
4.1.5:
This release fixes the following security advisories:
* PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
* PowerDNS Security Advisory 2018-05 (CVE-2018-14626)
Improvements
* Apply alias scopemask after chasing
* Release memory in case of error in the openssl ecdsa constructor
* Switch to devtoolset 7 for el6
Bug Fixes
* Fix compilation with libressl 2.7.0+
* Actually truncate truncated responses
* Crafted zone record can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory 2018-03)
* Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory 2018-05)
Improvements
- Fix warnings reported by gcc 8.1.0.
- Make the gmysql backend future-proof.
- Initialize some missed qtypes.
Bug Fixes
- Avoid concurrent records/comments iteration from running out of
sync.
- Fix a crash in the API when adding records.
- pdns_control notify: handle slave without renotify properly.
- Reset the TSIG state between queries.
- Remove SOA-check backoff on incoming notify and fix lock handling.
- Fix an issue where, when updating a record via DNS-UPDATE in a child zone
that also exists in the parent zone, we would incorrectly apply the
update to the parent zone.
- Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl
return value.
4.1.3:
Improvements
- pdnsutil: use new domain in b2bmigrate
- Update copyright years to 2018
- Lower ‘packet too short’ loglevel
Bug Fixes
- Restrict creation of OPT and TSIG RRsets
- Fix handling of user-defined axfr filters return values
- Prevent the GeoIP backend from copying NetMaskTrees around, fixes slow-downs in certain configurations
- Ensure alias answers over TCP have correct name
Improvements
- API: increase serial after dnssec related updates
- Dnsreplay: bail out on a too small outgoing buffer
- lower ‘packet too short’ loglevel
- Make check-zone error on rows that have content but shouldn’t
- avoid an insane amount of new backend connections during an axfr
- Report unparseable data in stoul invalid_argument exception
- recheck serial when axfr is done
- add tcp support for alias
Bug Fixes
- allocate new statements after reconnecting to postgresql
- bindbackend: only compare ips in ismaster() (Kees Monshouwer)
- Rather than crash, sheepishly report no file/linenum
- Document undocumented config vars
- prevent cname + other data with dnsupdate
- Backport: forbid label compression in alias wire format
- Include unistd.h for chroot(2) et al.
- Auth: fix out of bounds exception in caa processing
- Add the missing include to mplexer.hh for struct timeval
- Auth: init openssl and libsodium before chrooting in pdnsutil
- Auth: always bind the results array after executing a mysql statement
- Ldap: fix getdomaininfo() to set this as di.backend
- Ldapbackend: fix listing zones incl. axfr
- Ixfr: correct behavior of dealing with dns name with multiple records
PowerDNS Authoritative Server 4.1.0
===========================================================
- Improved performance: 400% speedup in some scenarios
- Crypto API: DNSSEC fully configurable via RESTful API
- Improved documentation
- Database related improvements
- Enhanced tooling
- Support for TCP Fast Open
- Support for non-local bind
- Support for Botan 2.x (and removal of support for Botan 1.10)
- Our packages now ship with PKCS #11 support.
- Recursor passthrough removal
Full changelog:
https://doc.powerdns.com/authoritative/changelog/4.1.html
PowerDNS Authoritative Server 4.0.5
===========================================================
Fixes
- Fix for missing check on API operations (CVE-2017-15091)
- Bindbackend: do not corrupt data supplied by other backends in
getAllDomains
- API: prevent sending nameservers list and zone-level NS in rrsets
- gpgsql: make statement names actually unique
- Fix remotebackend params
- Fix godbc query logging
- For create-slave-zone, actually add all slaves, and not only first n
times
- Fix a regression in axfr-rectify + test
- When making a netmask from a comboaddress, we neglected to zero the
port
- Fix libatomic detection on ppc64
- Catch DNSName exception in the Zoneparser
- Publish inactive KSK/CSK as CDNSKEY/CDS
- Handle AFSDB record separately due to record structure.
- Treat requestor's payload size lower than 512 as equal to 512
- Correctly purge entries from the caches after a transfer
- Handle a signing pipe worker dying with work still pending
- Ignore SOA-EDIT for PRESIGNED zones.
- Check return value for all getTSIGKey calls.
Improvements
- Fix ldap-strict autoptr feature, including a test
- mydnsbackend: Add getAllDomains
- Stubresolver: Use only recursor setting if given
- LuaWrapper: Allow embedded NULs in strings received from Lua
- sdig: Clarify that the ednssubnet option takes "subnet/mask"
- Tests: Ensure all required tools are available
- PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet
mask
- LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
- Add support for Botan 2.x
- Ship ldapbackend schema files in tarball
- Collection of schema changes
- Fix typo in two log messages
- Add help text on autodetecting systemd support
- Use a unique pointer for bind backend's d_of
- Fix some of the issues found by @jpmens
This release features a fix for the ed25519 signer. This signer hashed the
message before signing, resulting in unverifiable signatures. Also on the
Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16)
by using libdecaf.
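As an added illustration of the defect described above (not code from PowerDNS), the Go program below signs a constructed RRset signing input once correctly and once with the pre-hash mistake, then checks both the way a DNSSEC validator does, with plain RFC 8032 Ed25519 over the original message (RFC 8080 specifies the pure, non-prehashed variant for algorithm 15). The seed and the signing input are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// Constructed stand-in for the RRSIG signing input (RRSIG RDATA followed by
// the canonical RRset); the exact wire format does not matter for the point.
var rrsetSigningInput = []byte("example. 3600 IN A 192.0.2.1 (constructed signing input)")

// demoKeyPair derives a fixed key pair from a constructed seed so that the
// example is deterministic. It is not a real zone key.
func demoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signPure signs the message the way RFC 8032 (and RFC 8080 for DNSSEC
// algorithm 15) require: the signer hashes internally, and the verifier is
// handed the original message.
func signPure(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// signPrehashed reproduces the defect the changelog describes: the message is
// hashed before it reaches the Ed25519 signer. The output is a well-formed
// Ed25519 signature, but over the SHA-512 digest rather than over the RRset.
func signPrehashed(priv ed25519.PrivateKey, msg []byte) []byte {
	digest := sha512.Sum512(msg)
	return ed25519.Sign(priv, digest[:])
}

// validatorVerify is what a DNSSEC validator does: it holds only the public
// key from the DNSKEY RR and the RRset it received, and runs plain Ed25519.
func validatorVerify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv := demoKeyPair()
	good := signPure(priv, rrsetSigningInput)
	bad := signPrehashed(priv, rrsetSigningInput)
	fmt.Println("pure signer, validator verifies:      ", validatorVerify(pub, rrsetSigningInput, good)) // true
	fmt.Println("pre-hashed signer, validator verifies:", validatorVerify(pub, rrsetSigningInput, bad))  // false
	// The bad signature only checks out if the verifier pre-hashes as well,
	// so it does not interoperate with standard validators.
	digest := sha512.Sum512(rrsetSigningInput)
	fmt.Println("pre-hashed signer, digest verifies:   ", validatorVerify(pub, digest[:], bad)) // true
}
```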
Bug fixes
- Do not hash the message in the ed25519 signer
- Make URI integers 16 bits, fixes #5443
- configure.ac: Corrects syntax error in test statement on existence
of libcrypto_ecdsa
- configure.ac: Fix quoting issue, fixes #5401
- configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
- configure.ac: Check if we can link against libatomic if needed
- Fix typo in ldapbackend.cc from issue #5091
- Sort NSEC record case insensitive
- Make sure NSEC ordernames are always lower case
- API: correctly take TTL from first record even if we are at
the last comment
- Fix AtomicCounter unit tests on 32-bit
- Fix negative port detection for IPv6 addresses on 32-bit
- Remove support for 'right' timezones, as this code turned out to be broken
- Lowercase the TSIG algorithm name in hash computation
- Handle exceptions raised by closesocket()
- Don't leak on signing errors during outgoing AXFR; signpipe stumbles over
interrupted rrsets; fix memory leak in gmysql backend
- TinyCDB backend: Don't leak a CDB object in case of bogus data
Improvements
- ODBC backend: Allow query logging
- Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer
- YaHTTP: Sync with upstream changes
- Send a notification to all slave servers after every dnsupdate
- Add option to set a global lua-axfr-script value
- dnsreplay: Add --source-ip and --source-port options
- calidns: Use the correct socket family (IPv4 / IPv6)
- Add an option to allow AXFR of zones with a different (higher/lower) serial
- API: Make trailing dot handling consistent with pdnsutil
- SuffixMatchNode: Fix insertion issue for an existing node
- Do not resolve the NS-records for NOTIFY targets if the "only-notify"
whitelist is empty, as a target will never match an empty whitelist.
- Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in
an unsigned zone
- Create additional reuseport sockets before dropping privileges; remove
transaction in pgpsql backend
pkgsrc changes:
- Remove options for cryptopp and geoip (the latter to go into a
separate package).
- Clean up a lot of patches that do not seem to be needed anymore.
PowerDNS Authoritative Server 4.0.3
===================================
- Revert "In 'Bind2Backend::lookup()', use the 'zoneId' when we have it"
PowerDNS Authoritative Server 4.0.2
===================================
Security issues fixed:
- 2016-02: Crafted queries can cause abnormal CPU usage
- 2016-03: Denial of service via the web server
- 2016-04: Insufficient validation of TSIG signatures
- 2016-05: Crafted zone record can cause a denial of service
Other highlights:
- Don't parse spurious RRs in queries when we don't need them (Security
Advisory 2016-02)
- Don't exit if the webserver can't accept a connection (Security
Advisory 2016-03)
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Correctly check unknown record content size (Security Advisory
2016-05)
- ODBC backend: actually prepare statements
- Improve root-zone performance
- Plug memory leak in postgresql backend (Christian Hofstaedtler)
- calidns: Don't crash if we don't have enough 'unknown' queries
remaining
- Improve PacketCache cleaning (Kees Monshouwer)
- Bind backend: update status message on reload, keep the existing zone
on failure
- Fix TSIG for single thread distributor (Kees Monshouwer)
- Change default for any-to-tcp to yes (Kees Monshouwer)
- Don't look up the packet cache for TSIG-enabled queries
- Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
- pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
PowerDNS Authoritative Server 4.0.1
===================================
Bug fixes
- Wait for the connection to the carbon server to be established
- Don't try to deallocate empty PG statements
- Send the correct response when queried for an NSEC directly (Kees
Monshouwer)
- Don't include bind files if length <= 2 or > sizeof(filename)
- Catch runtime_error when parsing a broken MNAME
Improvements
- Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix typos in a log message and exception (Christian Hofstaedtler)
- pdnsutil: Remove checking of ctime and always diff the changes (Hannu
Ylitalo)
- dnsreplay: Only add Client Subnet stamp when asked
- Use toLogString() for ringAccount (Kees Monshouwer)
Additions
- Add limits to the size of received {A,I}XFR
- Add used filedescriptor statistic (Kees Monshouwer)
PowerDNS Authoritative Server 4.0.0
===================================
- Moved to C++ 2011, a cleaner, more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Due to this, the PowerDNS Authoritative Server can now serve
DNSSEC-enabled root-zones.
- All backends derived from the Generic SQL backend use prepared
statements.
- Both the server and pdns_control do the right thing when chroot'ed.
- Caches are now fully canonically ordered, which means entries can be
wiped on suffix in all places
- A revived and supported ODBC backend (godbc).
- A revived and supported LDAP backend (ldap).
- Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
- Support for the ALIAS record.
- The webserver and API are no longer experimental.
- The API-path has moved to /api/v1
- DNSUpdate is no longer experimental.
- ECDSA (algorithm 13 and 14) supported without in-tree cryptographic
libraries (provided by OpenSSL).
- Experimental support for ed25519 DNSSEC signatures (when compiled with
libsodium support).
- Many new pdnsutil commands.
- GeoIP backend has gained many features, and can now e.g. run based on
explicit netmasks not present in the GeoIP databases
- Removed support for LMDB.
- Removed the Geo backend (use the improved GeoIP instead).
- pdnssec has been renamed to pdnsutil.
- Support for the PolarSSL/MbedTLS, Crypto++ and Botan cryptographic
libraries has been dropped in favor of the (faster) OpenSSL libcrypto
(except for GOST, which is still provided by Botan).
- ECDSA P256 SHA256 (algorithm 13) is now the default algorithm when
securing zones.
- The PowerDNS Authoritative Server now listens by default on all IPv6
addresses.
- Several superfluous queries have been dropped from the Generic SQL
backends.
- The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are
marked as deprecated and will be removed in 4.1.0