4.1.5:
This release fixes the following security advisories:
* PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
* PowerDNS Security Advisory 2018-05 (CVE-2018-14626)
Improvements
* Apply alias scopemask after chasing
* Release memory in case of error in the openssl ecdsa constructor
* Switch to devtoolset 7 for el6
Bug Fixes
* Fix compilation with libressl 2.7.0+
* Actually truncate truncated responses
* Crafted zone record can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory 2018-03)
* Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory 2018-05)
Improvements
- Fix warnings reported by gcc 8.1.0.
- Make the gmysql backend future-proof.
- Initialize some missed qtypes.
Bug Fixes
- Avoid concurrent records/comments iteration from running out of
sync.
- Fix a crash in the API when adding records.
- pdns_control notify: handle slave without renotify properly.
- Reset the TSIG state between queries.
- Remove SOA-check backoff on incoming notify and fix lock handling.
- Fix an issue where updating a record via DNS-UPDATE in a child zone
that also exists in the parent zone, we would incorrectly apply the
update to the parent zone.
- Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl
return value.
4.1.3:
Improvements
: pdnsutil: use new domain in b2bmigrate
: Update copyright years to 2018
: Lower ‘packet too short’ loglevel
Bug Fixes
: Restrict creation of OPT and TSIG RRsets
: Fix handling of user-defined axfr filters return values
: Prevent the GeoIP backend from copying NetMaskTrees around, fixes slow-downs in certain configurations
: Ensure alias answers over TCP have correct name
Improvements
- API: increase serial after dnssec related updates
- Dnsreplay: bail out on a too small outgoing buffer
- lower ‘packet too short’ loglevel
- Make check-zone error on rows that have content but shouldn’t
- avoid an isane amount of new backend connections during an axfr
- Report unparseable data in stoul invalid_argument exception
- recheck serial when axfr is done
- add tcp support for alias
Bug Fixes
- allocate new statements after reconnecting to postgresql
- bindbackend: only compare ips in ismaster() (Kees Monshouwer)
- Rather than crash, sheepishly report no file/linenum
- Document undocumented config vars
- prevent cname + other data with dnsupdate
- Backport: forbid label compression in alias wire format
- Include unistd.h for chroot(2) et al.
- Auth: fix out of bounds exception in caa processing
- Add the missing include to mplexer.hh for struct timeval
- Auth: init openssl and libsodium before chrooting in pdnsutil
- Auth: always bind the results array after executing a mysql statement
- Ldap: fix getdomaininfo() to set this as di.backend
- Ldapbackend: fix listing zones incl. axfr
- Ixfr: correct behavior of dealing with dns name with multiple records
PowerDNS Authoritative Server 4.1.0
===========================================================
- Improved performance: 400% speedup in some scenarios
- Crypto API: DNSSEC fully configurable via RESTful API
- Improved documentation
- Database related improvements
- Enhanced tooling
- Support for TCP Fast Open
- Support for non-local bind
- Support for Botan 2.x (and removal of support for Botan 1.10)
- Our packages now ship with PKCS #11 support.
- Recursor passthrough removal
Full changelog:
https://doc.powerdns.com/authoritative/changelog/4.1.html
PowerDNS Authoritative Server 4.0.5
===========================================================
Fixes
- Fix for missing check on API operations (CVE-2017-15091)
- Bindbackend: do not corrupt data supplied by other backends in
getAllDomains
- API: prevent sending nameservers list and zone-level NS in rrsets
- gpgsql: make statement names actually unique
- Fix remotebackend params
- Fix godbc query logging
- For create-slave-zone, actually add all slaves, and not only first n
times
- Fix a regression in axfr-rectify + test
- When making a netmask from a comboaddress, we neglected to zero the
port
- Fix libatomic detection on ppc64
- Catch DNSName exception in the Zoneparser
- Publish inactive KSK/CSK as CDNSKEY/CDS
- Handle AFSDB record separately due to record structure.
- Treat requestor's payload size lower than 512 as equal to 512
- Correctly purge entries from the caches after a transfer
- Handle a signing pipe worker dying with work still pending
- Ignore SOA-EDIT for PRESIGNED zones.
- Check return value for all getTSIGKey calls.
Improvements
- Fix ldap-strict autoptr feature, including a test
- mydnsbackend: Add getAllDomains
- Stubresolver: Use only recursor setting if given
- LuaWrapper: Allow embedded NULs in strings received from Lua
- sdig: Clarify that the ednssubnet option takes "subnet/mask"
- Tests: Ensure all required tools are available
- PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet
mask
- LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
- Add support for Botan 2.x
- Ship ldapbackend schema files in tarball
- Collection of schema changes
- Fix typo in two log messages
- Add help text on autodetecting systemd support
- Use a unique pointer for bind backend's d_of
- Fix some of the issues found by @jpmens
This release features a fix for the ed25519 signer. This signer hashed the
message before signing, resulting in unverifiable signatures. Also on the
Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16)
by using libdecaf.
Bug fixes
- Do not hash the message in the ed25519 signer
- Make URI integers 16 bits, fixes#5443
- configure.ac: Corrects syntax error in test statement on existance
of libcrypto_ecdsa
- configure.ac: Fix quoting issue fixes#5401
- configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
- configure.ac: Check if we can link against libatomic if needed
- Fix typo in ldapbackend.cc from issue #5091
- Sort NSEC record case insensitive
- Make sure NSEC ordernames are always lower case
- API: correctly take TTL from first record even if we are at
the last comment
- Fix AtomicCounter unit tests on 32-bit
- Fix negative port detection for IPv6 addresses on 32-bit
- Remove support for 'right' timezones, as this code turned out to be broken
- Lowercase the TSIG algorithm name in hash computation
- Handle exceptions raised by closesocket()
- Don't leak on signing errors during outgoing AXFR; signpipe stumbles over
interrupted rrsets; fix memory leak in gmysql backend
- TinyCDB backend: Don't leak a CDB object in case of bogus data
Improvements
- ODBC backend: Allow query logging
- Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer
- YaHTTP: Sync with upstream changes
- Send a notification to all slave servers after every dnsupdate
- Add option to set a global lua-axfr-script value
- dnsreplay: Add --source-ip and --source-port options
- calidns: Use the correct socket family (IPv4 / IPv6)
- Add an option to allow AXFR of zones with a different (higher/lower) serial
- API: Make trailing dot handling consistent with pdnsutil
- SuffixMatchNode: Fix insertion issue for an existing node
- Do not resolve the NS-records for NOTIFY targets if the "only-notify"
whitelist is empty, as a target will never match an empty whitelist.
- Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in
an unsigned zone
- Create additional reuseport sockets before dropping privileges; remove
transaction in pgpsql backend
pkgsrc changes:
- Remove options for cryptopp and geoip (the latter to go into a
separate package).
- Clean up a lot of patches that do not seem to be needed anymore.
PowerDNS Authoritative Server 4.0.3
===================================
- Revert "In 'Bind2Backend::lookup()', use the 'zoneId' when we have it"
PowerDNS Authoritative Server 4.0.2
Security issues fixed:
- 2016-02: Crafted queries can cause abnormal CPU usage
- 2016-03: Denial of service via the web server
- 2016-04: Insufficient validation of TSIG signatures
- 2016-05: Crafted zone record can cause a denial of service
Other highlights:
- Don't parse spurious RRs in queries when we don't need them (Security
Advisory 2016-02)
- Don't exit if the webserver can't accept a connection (Security
Advisory 2016-03)
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Correctly check unknown record content size (Security Advisory
2016-05)
- ODBC backend: actually prepare statements
- Improve root-zone performance
- Plug memory leak in postgresql backend (Christian Hofstaedtler)
- calidns: Don't crash if we don't have enough 'unknown' queries
remaining
- Improve PacketCache cleaning (Kees Monshouwer)
- Bind backend: update status message on reload, keep the existing zone
on failure
- Fix TSIG for single thread distributor (Kees Monshouwer)
- Change default for any-to-tcp to yes (Kees Monshouwer)
- Don't look up the packet cache for TSIG-enabled queries
- Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
- pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
PowerDNS Authoritative Server 4.0.1
===================================
Bug fixes
- Wait for the connection to the carbon server to be established
- Don't try to deallocate empty PG statements
- Send the correct response when queried for an NSEC directly (Kees
Monshouwer)
- Don't include bind files if length <= 2 or > sizeof(filename)
- Catch runtime_error when parsing a broken MNAME
Improvements
- Make DNSPacket return a ComboAddredd for local and remote (Aki Tuomi)
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix typos in a logmessage and exception (Christian Hofsteadtler)
- pdnsutil: Remove checking of ctime and always diff the changes (Hannu
Ylitalo)
- dnsreplay: Only add Client Subnet stamp when asked
- Use toLogString() for ringAccount (Kees Monshouwer)
Additions
- Add limits to the size of received {A,I}XFR
- Add used filedescriptor statistic (Kees Monshouwer)
PowerDNS Authoritative Server 4.0.0
===================================
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Due to this, the PowerDNS Authoritative Server can now serve
DNSSEC-enabled root-zones.
- All backends derived from the Generic SQL backend use prepared
statements.
- Both the server and pdns_control do the right thing when chroot'ed.
- Caches are now fully canonically ordered, which means entries can be
wiped on suffix in all places
- A revived and supported ODBC backend (godbc).
- A revived and supported LDAP backend (ldap).
- Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
- Support for the ALIAS record.
- The webserver and API are no longer experimental.
- The API-path has moved to /api/v1
- DNSUpdate is no longer experimental.
- ECDSA (algorithm 13 and 14) supported without in-tree cryptographic
libraries (provided by OpenSSL).
- Experimental support for ed25519 DNSSEC signatures (when compiled with
libsodium support).
- Many new pdnsutil commands.
- GeoIP backend has gained many features, and can now e.g. run based on
explicit netmasks not present in the GeoIP databases
- Removed support for LMDB.
- Removed the Geo backened (use the improved GeoIP instead).
- pdnssec has been renamed to pdnsutil.
- Support for the PolarSSL/MbedTLS, Crypto++ and Botan cryptographic
libraries have been dropped in favor of the (faster) OpenSSL libcrypto
(except for GOST, which is still provided by Botan).
- ECDSA P256 SHA256 (algorithm 13) is now the default algorithm when
securing zones.
- The PowerDNS Authoritative Server now listens by default on all IPv6
addresses.
- Several superfluous queries have been dropped from the Generic SQL
backends.
- The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are
marked as deprecated and will be removed in 4.1.0
PowerDNS Authoritative Server 3.4.9
===================================
This is a minor bugfix and performance release. Two contributions
by Kees Monshouwer make 3.4.9 fully compatible with the new single
key ECDSA default that is coming in version 4.0.0.
Changes since 3.4.8:
- use OpenSSL for ECDSA signing where available (Kees Monshouwer)
- allow common signing key (Kees Monshouwer)
- Add a disable-syslog setting
- fix SOA caching with multiple backends (Kees Monshouwer)
- whitespace-related zone parsing fixes ticket #3568
- bindbackend: fix, set domain in list() (Kees Monshouwer)
PowerDNS Authoritative Server 3.4.8
===================================
This is a small bugfix release. Additionally, the deb/RPM packages
on downloads.powerdns.com (those with -static in the name) for
3.4.8 have been built against Botan 1.10.11 instead of Botan
1.10.3 like previous packages. Please see the Botan Security page
for more information on the fixes in Botan 1.10.11. As a PowerDNS
user, these issues only affect you if you ran our -static packages
and allowed your users to upload private keys to your
configuration.
Changes since 3.4.7:
- Use AC_SEARCH_LIBS (Ruben Kerkhof)
- Check for inet_aton in libresolv (Ruben Kerkhof)
- Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
- pdnssec: don't check disabled records (Pieter Lexis)
- pdnssec: check all records (including disabled ones) only in
verbose mode (Kees Monshouwer)
- traling dot in DNAME content (Kees Monshouwer)
- Fix luabackend compilation on FreeBSD i386 (RvdE)
- silence g++ 6.0 warnings and error (Kees Monshouwer)
- add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)
PowerDNS Authoritative Server 3.4.7
===================================
This is a security release fixing Security Advisory 2015-03
Bug fixes:
- Ignore invalid/empty TKEY and TSIG records (Christian
Hofstaedtler)
- Don't reply to truncated queries (Christian Hofstaedtler)
- don't log out-of-zone ents during AXFR in (Kees Monshouwer)
- Prevent XSS by escaping user input. Thanks to Pierre Jaury and
Damien Cauquil at Sysdream for pointing this out.
- Handle NULL and boolean properly in gPGSql (Aki Tuomi)
- Improve negative caching (Kees Monshouwer)
- Do not divide timeout twice (Aki Tuomi)
- Correctly sort records with a priority.
Improvements:
- Direct query answers and correct zone-rectification in the GeoIP
backend (Aki Tuomi)
- Use token names to identify PKCS#11 keys (Aki Tuomi)
- Fix typo in an error message (Arjen Zonneveld)
- limit NSEC3 iterations in bindbackend (Kees Monshouwer)
- Initialize minbody (Aki Tuomi)
New features:
- OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
- add global soa-edit settings (Kees Monshouwer)
This is a security release fixing CVE-2015-5230.
Bug fixes:
- Avoid superfluous backend recycling
- Removal of dnsdist from the authoritative server distribution
- Add EDNS unknown version handling and tests EDNS unknown version handling
Improvements:
- Update YaHTTP to v0.1.7
- Make trailing/leading spaces stand out in pdnssec check_zone
- GCC 5.2 support and sync boost.m4 macro with upstream
- Log answer packets only if log-dns-details is enabled
PowerDNS Authoritative Server 3.4.5
Bug fixes:
- Be careful reading empty lines in our config parser and prevent
integer overflow.
- prevent crash after --list-modules (Ruben Kerkhof)
- Limit the maximum length of a qname
Improvements:
- Support /etc/default for our debian/ubuntu packages (Aki Tuomi)
- Detect GCC 5.1 for boost (Ruben Kerkhof)
- Various PKCS#11 fixes and improvements (Aki Tuomi)
- Fix Coverity issues (Aki Tuomi)
- Fix building on OpenBSD (Florian Obser and Ruben Kerkhof)
- Look for mbedtls before polarssl (Ruben Kerkhof)
- Let pkg-config determine botan dependency libs (Ruben Kerkhof)
- Kill some further mallocs and add note to remind us not to add them back
- Move remotebackend-unix test socket to testsdir (Aki Tuomi)
- Defer launch of coprocess until first question (Aki Tuomi)
- pdnssec: check for glue and delegations in parent zones (Kees Monshouwer)
PowerDNS Authoritative Server 3.4.4
Bug fixes:
- Fix rectify-(all)-zones for mixed case domain names
- Fix CVE-2015-1868
- Blocking IO in busy-wait for remote backend (Wieger Opmeer)
- Fix double dot for root MX/SRV in bind slave zone files (Kees Monshouwer)
- Properly lock lmdb database, fixes ticket #1954 (Aki Tuomi)
- Fix segfault in zone2lmdb (Ruben Kerkhof)
New Features:
- pdnssec: warn for insecure wildcards in opt-out zones
- TKEY record type (Aki Tuomi)
- Many PKCS#11 improvements (Aki Tuomi)
- Introduce xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
Improvements:
- Allow "pdnssec set-nsec3 ZONE" for insecure zones; this saves on
one rectify when securing a NSEC3 zone
- Improvements to the config-file parsing (Aki Tuomi)
- Postgresql check should not touch LDFLAGS (Ruben Kerkhof)
- Log error when remote cannot do AXFR (Aki Tuomi)
- Speed improvements when AXFR is disabled (Christian Hofstaedtler)
- NSEC3 and related RRSIGS are not part of the dnstree (Kees Monshouwer)
- Change ifdef to check for __GLIBC__ instead of __linux__ to prevent
errors with other libc's (James Taylor)
- Try to raise open files before dropping privileges (Aki Tuomi)
- Add newline to carbon error message on auth (Aki Tuomi)
- Make sure we send servfail on error (Aki Tuomi)
- Ship lmdb-example.pl in tarball (Ruben Kerkhof)
- Allocate TCP buffer dynamically, decreasing stack usage
- Throw if getSOA gets non-SOA record
and zeromq options, which are disabled by default. ChangeLog:
PowerDNS Authoritative Server 3.4.3
Warning: Version 3.4.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.
Released March 2nd, 2015
Bug fixes:
commit ceb49ce: pdns_control: exit 1 on unknown command (Ruben Kerkhof)
commit 1406891: evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
commit 3ca050f: always set di.notified_serial in getAllDomains (Kees Monshouwer)
commit d9d09e1: pdns_control: don't open socket in /tmp (Ruben Kerkhof)
New features:
commit 2f67952: Limit who can send us AXFR notify queries (Ruben Kerkhof)
Improvements:
commit d7bec64: respond REFUSED instead of NOERROR for "unknown zone" situations
commit ebeb9d7: Check for Lua 5.3 (Ruben Kerkhof)
commit d09931d: Check compiler for relro support instead of linker (Ruben Kerkhof)
commit c4b0d0c: Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
commit 5a85152: PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
commit 97bd444: fix building with GCC 5
Experimental API changes (Christian Hofstaedtler):
commit ca44706: API: move shared DomainInfo reader into it's own function
commit 102602f: API: allow writing to domains.account field
commit d82f632: API: read and expose domain account field
commit 2b06977: API: be more strict when parsing record contents
commit 2f72b7c: API: Reject unknown types (TYPE0)
commit d82f632: API: read and expose domain account field
PowerDNS Authoritative Server 3.4.2
Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.
Released February 3rd, 2015
Find the downloads on our download page.
This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases.
A list of changes since 3.4.1 follows.
Improvements:
commit 73004f1: implement CORS for the HTTP API
commit 4d9c289: qtype is now case insensitive in API and database
commit 13af5d8, commit 223373a, commit 1d5a68d, commit 705a73f, commit b418d52: Allow (optional) PIE hardening
commit 2f86f20: json-api: remove priority from json
commit cefcf9f: backport remotebackend fixes
commit 920f987, commit dd8853c: Support Lua 5.3
commit 003aae5: support single-type ZSK signing
commit 1c57e1d: Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can't reproduce the bug on my local system, but this "should" help. Seriously.
commit 031ab21: update polarssl to 1.3.9
Bug fixes:
commit 60b2b7c, commit d962fbc: refuse overly long labels in names
commit a64fd6a: auth: limit long version strings to 63 characters and catch exceptions in secpoll
commit fa52e02: pdnssec: fix ttl check for RRSIG records
commit 0678b25: fix up latency reporting for sub-millisecond latencies (would clip to 0)
commit d45c1f1: make sure we don't throw an exception on "pdns_control show" of an unknown variable
commit 63c8088: fix startup race condition with carbon thread already trying to broadcast uninitialized data
commit 796321c: make qsize-q more robust
commit 407867c: mind04 discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
commit f06d069: make latency & qsize reporting 'live'. Plus fix that we only reported the qsize of the first distributor.
commit 2f3498e: fix up statbag for carbon protocol and function pointers
commit 0f2f999: get priority from table in Lua axfrfilter; fixes ticket #1857
commit 96963e2, commit bbcbbbe, commit d5c9c07: various backends: fix records pointing at root
commit e94c2c4: remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
commit 8f35ba2: api: use uncached results for getKeys()
commit c574336: read ALLOW-AXFR-FROM from the backend with the metadata
Minor changes:
commit 1e39b4c: move manpages to section 1
commit b3992d9: secpoll: Replace ~ with _
commit 9799ef5: only zones with an active ksk are secure
commit d02744f: api: show keys for zones without active ksk
New features:
commit 1b97ba0: add signatures metric to auth, so we can plot signatures/second
commit 92cef2d: pdns_control: make it posible to notify all zones at once
commit f648752: JSON API: provide flush-cache, notify, axfr-retrieve
commit 02653a7: add 'bench-db' to do very simple database backend performance benchmark
commit a83257a: enable callback based metrics to statbas, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
Performance improvements:
commit a37fe8c: better key for packetcache
commit e5217bb: don't do time(0) under signature cache lock
commit d061045, commit 135db51, commit 7d0f392: shard the packet cache, closing ticket #1910.
commit d71a712: with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.
