PowerDNS Recursor 4.0.4
=======================
Change highlights include:
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don't parse spurious RRs in queries when we don't need them
(Security Advisory 2016-02)
- Add 'max-recursion-depth' to limit the number of internal recursion
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache forwarded zones aware
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don't go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure
zones
PowerDNS Recursor 4.0.3
=======================
Bug fixes
- Call gettag() for TCP queries
- Fix the use of an uninitialized filtering policy
- Parse query-local-address before lua-config-file
- Fix accessing an empty policyCustom, policyName from Lua
- ComboAddress: don't allow invalid ports
- Fix RPZ default policy not being applied over IXFR
- DNSSEC: Actually follow RFC 7646 §2.1
- Add boost context ldflags so freebsd builds can find the libs
- Ignore NS records in a RPZ zone received over IXFR
- Fix build with OpenSSL 1.1.0 final
- Don't validate when a Lua hook took the query
- Fix a protobuf regression (requestor/responder mix-up)
Additions and Enhancements
- Support Boost 1.61+ fcontext
- Add Lua binding for DNSRecord::d_place
PowerDNS Recursor 4.0.2
=======================
Bug fixes
- Set dq.rcode before calling postresolve
- Honor PIE flags.
- Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is
irrelevant
- Don't shuffle CNAME records. (thanks to Gert van Dijk for the
extensive bug report!)
- Fix delegation-only
Additions and enhancements
- Respect the timeout when connecting to a protobuf server
- allow newDN to take a DNSName in; document missing methods
- expose SMN toString to lua
- Anonymize the protobuf ECS value as well (thanks to Kai Storbeck of
XS4All for finding this)
- Allow Lua access to the result of the Policy Engine decision, skip
RPZ, finish RPZ implementation
- Remove unused DNSPacket::d_qlen
- RPZ: Use query-local-address(6) by default (thanks to Oli Schacher
of switch.ch for the feature request)
- Move the root DNSSEC data to a header file
PowerDNS Recursor 4.0.1
=======================
Bug fixes
- Improve DNSSEC record skipping for non dnssec queries (Kees
Monshouwer)
- Don't validate zones from the local auth store, go one level down
while validating when there is a CNAME
- Don't go bogus on islands of security
- Check all possible chains for Insecures
- Don't go Bogus on a CNAME at the apex
- RPZ: default policy should also override local data RRs
- Fix a crash when the next name in a chained query is empty and
rec_control current-queries is invoked
Improvements
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix warnings with gcc on musl-libc (James Taylor)
- Also validate on +DO
- Fail to start when the lua-dns-script does not exist
- Add more Netmask methods for Lua (Aki Tuomi)
- Validate DNSSEC for security polling
- Turn on root-nx-trust by default and log-common-errors=off
- Allow for multiple trust anchors per zone
- Fix compilation warning when building without Protobuf
PowerDNS Recursor 4.0.0
=======================
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Switched to binary storage of DNS records in all places.
- Moved ACLs to a dedicated Netmask Tree.
- Implemented a version of RCU for configuration changes
- Instrumented our use of the memory allocator, reduced number of
malloc calls substantially.
- The Lua hook infrastructure was redone using LuaWrapper; old scripts
will no longer work, but new scripts are easier to write under the
new interface.
- DNSSEC processing: if you ask for DNSSEC records, you will get them.
- DNSSEC validation: if so configured, PowerDNS performs DNSSEC
validation of your answers.
- Completely revamped Lua scripting API that is "DNSName" native and
therefore far less error prone, and likely faster for most commonly
used scenarios.
- New asynchronous per-domain, per-ip address, query engine.
- RPZ (from file, over AXFR or IXFR) support.
- All caches can now be wiped on suffixes, because of canonical
ordering.
- Many, many more relevant performance metrics, including upstream
authoritative performance measurements.
- EDNS Client Subnet support, including cache awareness of
subnet-varying answers.
pkgsrc changes:
- Remove options for cryptopp and geoip (the latter to go into a
separate package).
- Clean up a lot of patches that do not seem to be needed anymore.
PowerDNS Authoritative Server 4.0.3
===================================
- Revert "In 'Bind2Backend::lookup()', use the 'zoneId' when we have it"
PowerDNS Authoritative Server 4.0.2
===================================
Security issues fixed:
- 2016-02: Crafted queries can cause abnormal CPU usage
- 2016-03: Denial of service via the web server
- 2016-04: Insufficient validation of TSIG signatures
- 2016-05: Crafted zone record can cause a denial of service
Other highlights:
- Don't parse spurious RRs in queries when we don't need them (Security
Advisory 2016-02)
- Don't exit if the webserver can't accept a connection (Security
Advisory 2016-03)
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Correctly check unknown record content size (Security Advisory
2016-05)
- ODBC backend: actually prepare statements
- Improve root-zone performance
- Plug memory leak in postgresql backend (Christian Hofstaedtler)
- calidns: Don't crash if we don't have enough 'unknown' queries
remaining
- Improve PacketCache cleaning (Kees Monshouwer)
- Bind backend: update status message on reload, keep the existing zone
on failure
- Fix TSIG for single thread distributor (Kees Monshouwer)
- Change default for any-to-tcp to yes (Kees Monshouwer)
- Don't look up the packet cache for TSIG-enabled queries
- Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
- pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
PowerDNS Authoritative Server 4.0.1
===================================
Bug fixes
- Wait for the connection to the carbon server to be established
- Don't try to deallocate empty PG statements
- Send the correct response when queried for an NSEC directly (Kees
Monshouwer)
- Don't include bind files if length <= 2 or > sizeof(filename)
- Catch runtime_error when parsing a broken MNAME
Improvements
- Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix typos in a logmessage and exception (Christian Hofstaedtler)
- pdnsutil: Remove checking of ctime and always diff the changes (Hannu
Ylitalo)
- dnsreplay: Only add Client Subnet stamp when asked
- Use toLogString() for ringAccount (Kees Monshouwer)
Additions
- Add limits to the size of received {A,I}XFR
- Add used filedescriptor statistic (Kees Monshouwer)
PowerDNS Authoritative Server 4.0.0
===================================
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Due to this, the PowerDNS Authoritative Server can now serve
DNSSEC-enabled root-zones.
- All backends derived from the Generic SQL backend use prepared
statements.
- Both the server and pdns_control do the right thing when chroot'ed.
- Caches are now fully canonically ordered, which means entries can be
wiped on suffix in all places
- A revived and supported ODBC backend (godbc).
- A revived and supported LDAP backend (ldap).
- Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
- Support for the ALIAS record.
- The webserver and API are no longer experimental.
- The API-path has moved to /api/v1
- DNSUpdate is no longer experimental.
- ECDSA (algorithm 13 and 14) supported without in-tree cryptographic
libraries (provided by OpenSSL).
- Experimental support for ed25519 DNSSEC signatures (when compiled with
libsodium support).
- Many new pdnsutil commands.
- GeoIP backend has gained many features, and can now e.g. run based on
explicit netmasks not present in the GeoIP databases
- Removed support for LMDB.
- Removed the Geo backend (use the improved GeoIP instead).
- pdnssec has been renamed to pdnsutil.
- Support for the PolarSSL/MbedTLS, Crypto++ and Botan cryptographic
libraries has been dropped in favor of the (faster) OpenSSL libcrypto
(except for GOST, which is still provided by Botan).
- ECDSA P256 SHA256 (algorithm 13) is now the default algorithm when
securing zones.
- The PowerDNS Authoritative Server now listens by default on all IPv6
addresses.
- Several superfluous queries have been dropped from the Generic SQL
backends.
- The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are
marked as deprecated and will be removed in 4.1.0
This is a regularly scheduled stable release.
Resolved issues since v0.12.23:
#3884: lib/sync: Fix a race in unlocker logging
#3976: Links and log messages refer to https instead of http where possible
Also:
As of this release, symlinks are no longer supported on Windows.
The default number of parallel file processing routines per
folder is now two (previously one), and the number of simultaneously
outstanding network requests has been increased.
The GUI now contains buttons to pause or resume all folders
with a single action.
lowdown is just another Markdown translator. It can output traditional
HTML or a document for your troff type-setter of choice, such as
groff(1), Heirloom troff, or even mandoc(1). lowdown doesn't require
XSLT, Python, or even Perl - it's just clean, secure, open source
C code with no dependencies.
This project provides Python bindings for interfacing with the
Zstandard compression library. A C extension and CFFI interface are
provided.
The primary goal of the project is to provide a rich interface to
the underlying C API through a Pythonic interface while not sacrificing
performance. This means exposing most of the features and flexibility
of the C API while not sacrificing usability or safety that Python
provides.
December 21, 2016
- Remove usage of ast_common.h
December 20, 2016
- Release 2.40.0
- network-simplex fixes and optimization (Stephen North)
- built-in tred tool now available in the various swig generated
language bindings (John Ellson)
- number rounding added to SVG renderer (same as PS and TK rounding)
to aid regression testing. (John Ellson)
- additional regression test framework, used in Travis CI builds. (Erwin Janssen)
- PHP7 support (requires swig-3.0.11 or later). (John Ellson)
- Allow user to specify clustering algorithm in gvmap. (Emden Gansner)
- Add Sierpinski graph generator to gvgen. (Emden Gansner)
- Extensive code cleanup (Erwin Janssen)
- Removal of libgd source - use vanilla libgd from separate install
- Windows builds (Erwin Janssen)
- Appveyor CI for automated Windows build testing (Erwin Janssen)
- Travis CI for Fedora/Centos builds (Erwin Janssen)
- Added JSON output format, -Tjson (Emden Gansner)
- New curved arrowhead, cylinder node shape.
- Resolves bugs: 2599, 1172
June 18, 2016
- Experimenting with Travis CI
February 13, 2016
- Add cylinder shape for databases.
- Free installed plugins
- Update makefile for dot so that the using libpanco_C in the static build include PANGOFT2
as well as PANGOCAIRO_LIBS (needed for some versions of Ubuntu)
February 1, 2016
- Add json output format
April 26, 2015
- output class value in svg files
September 9, 2014
- Add plain shape for use with HTML-like labels.
August 12, 2014
- Add icurve arrowhead.
July 28, 2014
- Revert to old, translate to origin semantics in neato, etc. Add flag notranslate if that is
what the user desires.
1.14 2017-03-05
- Codes with just a language and script code were not parsed correctly,
leading to bugs in their data, so that they did not report a script_code,
nor did their name reflect the script. So for example "bs-Latn" was just
"Bosnian" instead of "Bosnian Latin".
1.13 2017-03-05
- Fixed a regression bug where providing a locale's English name or native
name to DateTime::Locale->load no longer worked. Fixed by Sergey. GH #13.
2.003001 - 2017-03-06
- fix +attributes replacing builder subs if parent attribute was defined with
builder => $subref
- fix trigger with a default value and init_arg of undef
6.23 2017-03-06
- Fix bug where Protocol::NNTP called undef on a variable before being done
using it. (GH PR #121)
- Ran perltidy on LWP::Protocol::NNTP
- Re-organized current documentation set.
Finally figured out how to use the X.Org automatic submission
script after realizing that I had to change the script in order for
OpenChrome DDX to build in the first place.
OpenChrome DDX Version 0.6 has added the following new features.
- First official support for CX700, VX700, and VX800 chipsets
integrated TMDS transmitter (i.e., DVI support)
- Initial support for Silicon Image SiI 164 TMDS transmitter
OpenChrome DDX Version 0.6 has the following improvements.
- Improved FP reinitialization when resuming from standby
(HP 2133 Mini-Note, FIC CE260 / CE261 based netbooks like
Everex CloudBook and Sylvania g netbook)
- Improved automatic detection of display resources
- Improved X Server stability in dual monitor mode
- Automatic active steering of the display controller channel to the
correct display output device
OpenChrome DDX Version 0.6 fixes the following bugs.
- Fix for the disruption of the VT (Virtual Terminal) screen bug
introduced in Version 0.5
- Fix for HP 2133 Mini-Note's PCIe WLAN getting turned off
inadvertently bug introduced in Version 0.5