PowerDNS Recursor Changelog

What's new in PowerDNS Recursor 4.2.1

Jan 8, 2020
  • Improvements:
  • pull request 8427: Add CentOS 8 as builder target
  • pull request 8124: Update boost.m4
  • #8101, pull request 8187: Add deviceName field to protobuf messages
  • #8008, #8047, pull request 8121: Test improvements (Chris Hofstaedtler)
  • pull request 8086: Builder: add raspbian-buster target
  • Bug Fixes:
  • pull request 8552: Purge map of failed auths periodically by keeping a last changed timestamp.
  • pull request 8528: Prime NS records of root-servers.net parent (.net)
  • pull request 8493: Issue with “zz” abbreviation for IPv6 RPZ triggers
  • pull request 8452: Basic validation of $GENERATE parameters
  • pull request 8230: Fix inverse handler registration logic for SNMP.
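The “zz” fix above concerns how RPZ encodes IP-address triggers. An RPZ IP trigger owner name is the prefix length followed by the address labels in reverse order and a suffix such as rpz-client-ip, rpz-ip or rpz-nsip (the names used by the RPZ specification draft); for IPv6 the address is written as hexadecimal words and the “::” run of zero words becomes the single label zz. The encoder and decoder below are an added illustration written for this page, not PowerDNS Recursor code; the function names are mine, the encoder assumes the RFC 5952 compressed text form of the address, and the policy entries are constructed sample data.

```python
"""RPZ IP-trigger encoding with the "zz" abbreviation.

Added illustration, not PowerDNS Recursor code. Owner names are relative
to the policy zone: <prefix-length>.<reversed address labels>.<suffix>.
"""
import ipaddress

TRIGGER_SUFFIXES = {"rpz-client-ip", "rpz-ip", "rpz-nsip"}


def rpz_ip_trigger(cidr, suffix="rpz-client-ip"):
    """Encode a CIDR prefix as an RPZ IP trigger owner name."""
    if suffix not in TRIGGER_SUFFIXES:
        raise ValueError("unknown trigger suffix: " + suffix)
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        # .compressed is the RFC 5952 text form: leading zeros dropped and
        # "::" marking the longest run of zero words (never a single word).
        text = net.network_address.compressed
        if "::" in text:
            head, tail = text.split("::")
            labels = ([w for w in head.split(":") if w] + ["zz"]
                      + [w for w in tail.split(":") if w])
        else:
            labels = text.split(":")
    return "%d.%s.%s" % (net.prefixlen, ".".join(reversed(labels)), suffix)


def rpz_trigger_to_network(name):
    """Decode an RPZ IP trigger owner name back into an ip_network.

    "zz" stands for however many zero words are needed to reach eight, so
    it is expanded only after the labels are back in address order.
    """
    labels = name.rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] not in TRIGGER_SUFFIXES:
        raise ValueError("not an RPZ IP trigger: " + name)
    prefixlen = int(labels[0])
    body = labels[1:-1]
    if "zz" in body or len(body) == 8:
        words = list(reversed(body))
        if "zz" in words:
            i = words.index("zz")
            words[i:i + 1] = ["0"] * (8 - (len(words) - 1))
        if len(words) != 8:
            raise ValueError("bad IPv6 trigger: " + name)
        address = ":".join(words)
    elif len(body) == 4:
        address = ".".join(reversed(body))
    else:
        raise ValueError("bad IP trigger: " + name)
    return ipaddress.ip_network("%s/%d" % (address, prefixlen), strict=False)


def match_client_ip(client, triggers):
    """Longest-prefix match of a client address against IP triggers;
    returns the winning trigger owner name, or None if nothing matches."""
    ip = ipaddress.ip_address(client)
    best = None
    for trig in triggers:
        net = rpz_trigger_to_network(trig)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (trig, net)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed sample policy: a /32, one host inside it, and an IPv4 /24.
    policy = [rpz_ip_trigger("2001:db8::/32"),
              rpz_ip_trigger("2001:db8::1/128"),
              rpz_ip_trigger("192.0.2.0/24")]
    for trig in policy:
        print(trig, "->", rpz_trigger_to_network(trig))
    print("2001:db8::1 matches", match_client_ip("2001:db8::1", policy))
```

Round-tripping every trigger through both functions is the cheap check that a zz-handling bug of the kind fixed in this release would catch: a decoder that miscounts the zero words behind zz yields a different prefix than the one the policy author wrote.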

New in PowerDNS Recursor 4.1.14 (Jun 21, 2019)

  • #7906: Add statistics counters for AD and CD queries.
  • #7912: Add missing getRegisteredName Lua function.

New in PowerDNS Recursor 4.1.13 (May 23, 2019)

  • #7673: Add the disable-real-memory-usage setting to skip expensive collection of detailed memory usage info.
  • #7816: Fix DNSSEC validation of wildcards expanded onto themselves.

New in PowerDNS Recursor 4.1.11 (Feb 10, 2019)

  • #7434: Add an option to export only responses over protobuf
  • #7430: Reduce systemcall usage in protobuf logging

New in PowerDNS Recursor 4.1.9 (Jan 22, 2019)

  • #7397: Load the Lua script in the distributor thread, check signature for AA=0 answers (CVE-2019-3806, CVE-2019-3807)
  • #7377: Try another worker before failing if the first pipe was full

New in PowerDNS Recursor 4.1.8 (Nov 27, 2018)

  • #7221: Crafted query can cause a denial of service (CVE-2018-16855)

New in PowerDNS Recursor 4.1.7 (Nov 14, 2018)

  • #7172: Revert ‘Keep the EDNS status of a server on FormErr with EDNS’
  • #7174: Refuse queries for all meta-types

New in PowerDNS Recursor 4.1.3 (May 24, 2018)

  • Improvements:
  • #6550, #6562: Add a subtree option to the API cache flush endpoint.
  • #6566: Use a separate, non-blocking pipe to distribute queries.
  • #6567: Move carbon/webserver/control/stats handling to a separate thread.
  • #6583: Add _raw versions for QName / ComboAddresses to the FFI API.
  • #6611, #6130: Update copyright years to 2018 (Matt Nordhoff).
  • #6474, #6596, #6478: Fix a warning on botan >= 2.5.0.
  • Bug Fixes:
  • #6313: Count a lookup into an internal auth zone as a cache miss.
  • #6467: Don’t increase the DNSSEC validations counters when running with process-no-validate.
  • #6469: Respect the AXFR timeout while connecting to the RPZ server.
  • #6418, #6179: Increase MTasker stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).
  • #6419, #6086: Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).
  • #6514, #6630: Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT.
  • #6588, #6237: Delay the loading of RPZ zones until the parsing is done, fixing a race condition.
  • #6595, #6542, #6516, #6358, #6517: Reorder includes to avoid boost L conflict.

New in PowerDNS Recursor 4.1.2 (May 15, 2018)

  • New Features:
  • #6344: Add FFI version of gettag().
  • Improvements:
  • #6298, #6303, #6268, #6290: Add the option to set the AXFR timeout for RPZs.
  • #6172: IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).
  • #6379: Add RPZ statistics endpoint to the API.
  • Bug Fixes:
  • #6336, #6293, #6237: Retry loading RPZ zones from server when they fail initially.
  • #6300: Fix ECS-based cache entry refresh code.
  • #6320: Fix ECS-specific NS AAAA not being returned from the cache.

New in PowerDNS Recursor 4.1.1 (Jan 23, 2018)

  • Improvements:
  • Don’t process records for another class than IN. We don’t use records of another class than IN, but we used to store some of them in the cache which is useless. Just skip them.
  • Bug Fixes:
  • Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where an NSEC{,3} ancestor delegation is wrongly used to prove the non-existence of an RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)
  • Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always the parent of the qname, depending on the number of labels in the initial wildcard.
  • Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.
  • Fix to make primeHints threadsafe, otherwise there’s a small chance on startup that the root-server IPs will be incorrect.
  • Don’t validate signature for “glue” CNAME, since anything else than the initial CNAME can’t be considered authoritative.
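The ancestor delegation fix in 4.1.1 is the rule from RFC 6840 section 4.1: an NSEC (or NSEC3) record whose type bitmap has NS set but SOA clear, at a name other than the zone apex, sits at a zone cut and may only prove that no DS exists at that name; it must never be used to prove nonexistence of anything else at or below the cut, because the child zone is authoritative there. The code below is an added illustration written for this page, not Recursor's validator: it implements RFC 4034 canonical ordering, the covering check, and the ancestor-delegation guard for NSEC only (NSEC3 applies the same rule to the original owner name). Names, type bitmaps and the zone layout are constructed sample data.

```python
"""Ancestor-delegation NSEC check (RFC 6840 section 4.1).

Added illustration, not PowerDNS Recursor code. Names are absolute dotted
strings; an NSEC type bitmap is a set of type mnemonics.
"""


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering key: labels reversed and
    lowercased. Tuple comparison then yields the canonical order, with a
    parent sorting before every name beneath it."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_below(qname, owner):
    """True if qname is strictly underneath owner."""
    q, o = canonical_key(qname), canonical_key(owner)
    return len(q) > len(o) and q[:len(o)] == o


def nsec_covers(qname, owner, next_name):
    """Does the open interval (owner, next_name) contain qname? The last
    NSEC of a zone wraps around to the apex, so next_name may sort before
    owner."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_name)
    if o < n:
        return o < q < n
    return q > o or q < n


def is_ancestor_delegation(owner, types, zone_apex):
    """NS set, SOA clear, owner not the apex: an NSEC at a zone cut."""
    return ("NS" in types and "SOA" not in types
            and canonical_key(owner) != canonical_key(zone_apex))


def nsec_proves_nonexistence(qname, qtype, owner, next_name, types, zone_apex):
    """True only if this NSEC legitimately proves that qname/qtype does
    not exist. An ancestor delegation NSEC may prove only the absence of
    DS at its own name; everything else at or below the cut belongs to
    the child zone and must be proven with the child's own records."""
    ancestor = is_ancestor_delegation(owner, types, zone_apex)
    if canonical_key(qname) == canonical_key(owner):
        if qtype in types:
            return False          # the type exists at this name
        if ancestor and qtype != "DS":
            return False          # exact-owner case, already handled before 4.1.1
        return True
    if not nsec_covers(qname, owner, next_name):
        return False
    if ancestor and is_below(qname, owner):
        return False              # the case fixed by Security Advisory 2018-01
    return True


if __name__ == "__main__":
    # Constructed zone: example. delegates sub.example. (no DS, insecure child).
    owner, nxt, types, apex = "sub.example.", "t.example.", {"NS", "RRSIG", "NSEC"}, "example."
    for q, t in [("www.sub.example.", "A"), ("sub.example.", "A"),
                 ("sub.example.", "DS"), ("sub2.example.", "A")]:
        print("%-18s %-2s covered=%-5s usable=%s" % (
            q, t, nsec_covers(q, owner, nxt),
            nsec_proves_nonexistence(q, t, owner, nxt, types, apex)))
```

The first row of the demo is the vulnerable case: the NSEC for sub.example. does cover www.sub.example. in canonical order, so a validator that stops at the covering check would accept it as a proof of NXDOMAIN for a name the parent zone is not authoritative for.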

New in PowerDNS Recursor 4.0.8 (Dec 27, 2017)

  • Bug fixes:
  • #5930: Don’t assume TXT record is first record for secpoll
  • #6082: Don’t add non-IN records to the cache

New in PowerDNS Recursor 4.0.6 (Jul 10, 2017)

  • Bug fixes:
  • Use the incoming ECS for cache lookup if use-incoming-edns-subnet is set
  • When making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.
  • Don’t take the initial ECS source for a scope one if EDNS is off
  • Also set d_requestor without Lua: the ECS logic needs it
  • Fix IXFR skipping the additions part of the last sequence
  • Treat requestor’s payload size lower than 512 as equal to 512
  • Make URI integers 16 bits, fixes ticket #5443
  • Unbreak quoting; fixes ticket #5401
  • Improvements:
  • With this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
  • Remove just enough entries from the cache, not one more than asked
  • Move expired cache entries to the front so they are expunged
  • Changed IPv6 addr of b.root-servers.net
  • e.root-servers.net has IPv6 now
  • Hello decaf signers (ED25519 and ED448). Testing algorithm 15: ‘Decaf ED25519’ -> ‘Decaf ED25519’ -> ‘Decaf ED25519’, signature & verify ok, signature 68usec, verify 93usec. Testing algorithm 16: ‘Decaf ED448’ -> ‘Decaf ED448’ -> ‘Decaf ED448’, signature & verify ok, signature 163usec, verify 252usec.
  • Don’t use the libdecaf ed25519 signer when libsodium is enabled
  • Do not hash the message in the ed25519 signer
  • Disable use-incoming-edns-subnet by default

New in PowerDNS Recursor 4.0.5 (Jun 21, 2017)

  • Bug fixes:
  • Correctly lowercase the TSIG algorithm name in hash computation, fixes #4942
  • Clear the RPZ NS IP table when clearing the policy, this prevents false positives
  • Fix cache-only queries against a forward-zone, fixes #5211
  • Only delegate if NSes are below apex in auth-zones, fixes #4771
  • Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes #4799
  • Make sure labelsToAdd is not empty in getZoneCuts()
  • Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available
  • Ensure (re)priming the root never fails
  • Don't age the root, fixes a regression from 3.x
  • Fix exception when sending a protobuf message for an empty question
  • LuaWrapper: Allow embedded NULs in strings received from Lua
  • Fix coredumps on illumos/SmartOS, fixes #4579
  • StateHolder: Allocate (and copy if needed) before taking the lock
  • SuffixMatchNode: Fix insertion issue for an existing node
  • Fix negative port detection for IPv6 addresses on 32-bit systems
  • Additions and Enhancements:
  • Add support for RPZ wildcarded target names. Fixes #5237
  • Speed up RPZ zone loading and add a zoneSizeHint parameter to rpzFile and rpzMaster for faster reloads
  • Make the RPZ summary consistent (Fixes #4342) and log additions/removals at debug level, not info
  • Add the 2017 root key
  • Update Ed25519 algorithm number and mnemonic and hook up to the Recursor
  • Add use-incoming-edns-subnet option to process and pass along ECS and fix some ECS bugs in the process
  • Refuse to start with chroot set in a systemd env (Fixes #4848)
  • Handle exceptions raised by closesocket() to prevent process termination
  • Document missing top-pub-queries and top-pub-servfail-queries commands for rec_control
  • IPv6 address for g.root-servers.net added
  • Log outgoing queries / incoming responses via protobuf

New in PowerDNS Recursor 4.0.4 (Jan 19, 2017)

  • Bug fixes:
  • commit 658d9e4: Check TSIG signature on IXFR (Security Advisory 2016-04)
  • commit 91acd82: Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02)
  • commit 400e28d: Fix incorrect length check in DNSName when extracting qtype or qclass
  • commit 2168188: rec: Wait until after daemonizing to start the RPZ and protobuf threads
  • commit 3beb3b2: On (re-)priming, fetch the root NS records
  • commit cfeb109: rec: Fix src/dest inversion in the protobuf message for TCP queries
  • commit 46a6666: NSEC3 optout and Bogus insecure forward fixes
  • commit bb437d4: On RPZ customPolicy, follow the resulting CNAME
  • commit 6b5a8f3: DNSSEC: don't go bogus on zero configured DSs
  • commit 1fa6e1b: Don't crash on an empty query ring
  • commit bfb7e5d: Set the result to NoError before calling preresolve
  • Additions and Enhancements:
  • commit 7c3398a: Add max-recursion-depth to limit the number of internal recursion
  • commit 3d59c6f: Fix building with ECDSA support disabled in libcrypto
  • commit 0170a3b: Add requestorId and some comments to the protobuf definition file
  • commit d8cd67b: Make the negcache forwarded zones aware
  • commit 46ccbd6: Cache records for zones that were delegated to from a forwarded zone
  • commit 5aa64e6, commit 5f4242e and commit 0f707cd: DNSSEC: Implement keysearch based on zone-cuts
  • commit ddf6fa5: rec: Add support for boost::context >= 1.61
  • commit bb6bd6e: Add getRecursorThreadId() to Lua, identifying the current thread
  • commit d8baf17: Handle CNAMEs at the apex of secure zones to other secure zones

New in PowerDNS Recursor 4.0.0 (Jul 12, 2016)

  • We changed many things internally to the nameserver:
  • Moved to C++ 2011, a cleaner, more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping.
  • Switched to binary storage of DNS records in all places.
  • Moved ACLs to a dedicated Netmask Tree.
  • Implemented a version of RCU for configuration changes
  • Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
  • The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface.
  • Due to these changes, PowerDNS Recursor 4.0.0 is almost an order of magnitude faster than the 3.7 branch.
  • DNSSEC processing: if you ask for DNSSEC records, you will get them.
  • DNSSEC validation: if so configured, PowerDNS performs DNSSEC validation of your answers.
  • Completely revamped Lua scripting API that is “DNSName” native and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds.
  • New asynchronous per-domain, per-ip address, query engine. This allows PowerDNS to consult an external service in realtime to determine client or domain status. This could for example mean looking up actual customer identity from a DHCP server based on IP address (option 82 for example).
  • RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
  • All caches can now be wiped on suffixes, because of canonical ordering.
  • Many, many more relevant performance metrics, including upstream authoritative performance measurements (‘is it me or the network that is slow’).
  • EDNS Client Subnet support, including cache awareness of subnet-varying answers.
  • DNSSEC:
  • As stated in the features section above, the PowerDNS Recursor now has DNSSEC processing and experimental DNSSEC validation support. DNSSEC processing means the nameserver will return RRSIG records when requested to do so by the client (by means of the DO-bit) and will always retrieve the RRSIGs even if the client does not ask for them. It will perform validation and set the AD-bit in the response if the client requests validation. In full-blown DNSSEC mode, the PowerDNS Recursor will validate the answers, set the AD-bit in validated answers if the client requests it, and SERVFAIL on bogus answers to all clients.
  • The DNSSEC support is marked experimental but is functional at the moment; it has two limitations:
  • Negative answers are validated, but the NSEC proof is not fully checked.
  • Zones that have a CNAME at the apex (which is ‘wrong’ anyway) validate as Bogus.
  • If you run with DNSSEC enabled and notice broken domains, do file an issue.

New in PowerDNS Recursor 3.7.2 (Apr 25, 2015)

  • The most important part of this update is a fix for CVE-2015-1868.

New in PowerDNS Recursor 3.6.2 (Nov 10, 2014)

  • commit ab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries)
  • commit 42025be: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, “Security polling”.
  • commit 5027429: We did not transmit the right ‘local’ socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to lookup a filedescriptor that wasn’t there in an unlocked map which could conceivably lead to crashes. Closes ticket 1828, thanks Winfried for reporting
  • commit 752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
  • commit 6fdd40d: add missing #include to rec-channel.hh (this fixes building on OS X).

New in PowerDNS Recursor 3.5.3 (Jan 28, 2014)

  • 3.5 replaced our ANY query with A+AAAA for users with IPv6 enabled. Extensive measurements by Darren Gamble showed that this change had a non-trivial performance impact. We now do the ANY query like before, but fall back to the individual A+AAAA queries when necessary. Change in commit 1147a8b.
  • The IPv6 address for d.root-servers.net was added in commit 66cf384, thanks Ralf van der Enden.
  • We now drop packets with a non-zero opcode (i.e. special packets like DNS UPDATE) earlier on. If the experimental pdns-distributes-queries flag is enabled, this fix avoids a crash. Normal setups were never susceptible to this crash. Code in commit 35bc40d, closes ticket 945.
  • TXT handling was somewhat improved in commit 4b57460, closing ticket 795.

New in PowerDNS Recursor 3.3 (Sep 23, 2010)

  • This release fixes a number of small but persistent issues, rounds off the IPv6 support, and adds an important feature for many users of the Lua scripts.
  • In addition, scalability on Solaris 10 has been improved.
  • This release is identical to RC3.

New in PowerDNS Recursor 3.3 RC3 (Sep 21, 2010)

  • This version fixes a number of small but persistent issues, rounds off the IPv6 support, and adds an important feature for many users of the Lua scripts.
  • In addition, scalability on Solaris 10 has been improved.
  • Since RC2, a harmless but scary message about an expired root has been removed.

New in PowerDNS Recursor 3.3 RC2 (Sep 13, 2010)

  • This release fixes a number of small but persistent issues, rounds off the IPv6 support, and adds an important feature for many users of the Lua scripts.
  • In addition, scalability on Solaris 10 has been improved.
  • Since RC1, compilation on RHEL5 has been fixed.