PowerDNS Changelog

New in version 3.4.4 (April 25th, 2015)

  • The most important part of this update is a fix for CVE-2015-1868.

New in version 3.4.3 (March 18th, 2015)

  • Bug fixes:
      • commit ceb49ce: pdns_control: exit 1 on unknown command (Ruben Kerkhof)
      • commit 1406891: evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
      • commit 3ca050f: always set di.notified_serial in getAllDomains (Kees Monshouwer)
      • commit d9d09e1: pdns_control: don’t open socket in /tmp (Ruben Kerkhof)
  • New features:
      • commit 2f67952: Limit who can send us AXFR notify queries (Ruben Kerkhof)
  • Improvements:
      • commit d7bec64: respond REFUSED instead of NOERROR for “unknown zone” situations
      • commit ebeb9d7: Check for Lua 5.3 (Ruben Kerkhof)
      • commit d09931d: Check compiler for relro support instead of linker (Ruben Kerkhof)
      • commit c4b0d0c: Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
      • commit 5a85152: PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
      • commit 97bd444: fix building with GCC 5
  • Experimental API changes (Christian Hofstaedtler):
      • commit ca44706: API: move shared DomainInfo reader into its own function
      • commit 102602f: API: allow writing to domains.account field
      • commit d82f632: API: read and expose domain account field
      • commit 2b06977: API: be more strict when parsing record contents
      • commit 2f72b7c: API: Reject unknown types (TYPE0)

New in version 3.4.2 (February 15th, 2015)

  • Improvements:
      • commit 73004f1: implement CORS for the HTTP API
      • commit 4d9c289: qtype is now case insensitive in API and database
      • commit 13af5d8, commit 223373a, commit 1d5a68d, commit 705a73f, commit b418d52: Allow (optional) PIE hardening
      • commit 2f86f20: json-api: remove priority from json
      • commit cefcf9f: backport remotebackend fixes
      • commit 920f987, commit dd8853c: Support Lua 5.3
      • commit 003aae5: support single-type ZSK signing
      • commit 1c57e1d: Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can’t reproduce the bug on my local system, but this “should” help.
      • commit 031ab21: update polarssl to 1.3.9
  • Bug fixes:
      • commit 60b2b7c, commit d962fbc: refuse overly long labels in names
      • commit a64fd6a: auth: limit long version strings to 63 characters and catch exceptions in secpoll
      • commit fa52e02: pdnssec: fix ttl check for RRSIG records
      • commit 0678b25: fix up latency reporting for sub-millisecond latencies (would clip to 0)
      • commit d45c1f1: make sure we don’t throw an exception on “pdns_control show” of an unknown variable
      • commit 63c8088: fix startup race condition with carbon thread already trying to broadcast uninitialized data
      • commit 796321c: make qsize-q more robust
      • commit 407867c: Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
      • commit f06d069: make latency & qsize reporting ‘live’. Plus fix that we only reported the qsize of the first distributor.
      • commit 2f3498e: fix up statbag for carbon protocol and function pointers
      • commit 0f2f999: get priority from table in Lua axfrfilter; fixes ticket #1857
      • commit 96963e2, commit bbcbbbe, commit d5c9c07: various backends: fix records pointing at root
      • commit e94c2c4: remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
      • commit 8f35ba2: api: use uncached results for getKeys()
      • commit c574336: read ALLOW-AXFR-FROM from the backend with the metadata
  • Minor changes:
      • commit 1e39b4c: move manpages to section 1
      • commit b3992d9: secpoll: Replace ~ with _
      • commit 9799ef5: only zones with an active ksk are secure
      • commit d02744f: api: show keys for zones without active ksk
  • New features:
      • commit 1b97ba0: add signatures metric to auth, so we can plot signatures/second
      • commit 92cef2d: pdns_control: make it possible to notify all zones at once
      • commit f648752: JSON API: provide flush-cache, notify, axfr-receive
      • commit 02653a7: add ‘bench-db’ to do very simple database backend performance benchmark
      • commit a83257a: enable callback based metrics to statbag, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
  • Performance improvements:
      • commit a37fe8c: better key for packetcache
      • commit e5217bb: don’t do time(0) under signature cache lock
      • commit d061045, commit 135db51, commit 7d0f392: shard the packet cache, closing ticket #1910.
      • commit d71a712: with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.

New in version 3.4.1 (November 10th, 2014)

  • commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, “Security polling”.
  • commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom header (X-API-Key)
  • commit 4a95ab4: Use transaction for pdnssec increase-serial
  • commit 6e82a23: Don’t empty ordername during pdnssec increase-serial
  • commit 535f4e3: honor SOA-EDIT while considering “empty IXFR” fallback, fixes ticket 1835. This fixes slaving of signed zones to IXFR-aware slaves like NSD or BIND.

New in version 3.4 (October 16th, 2014)

  • This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

New in version 3.3.1 (January 27th, 2014)

  • direct-dnskey is no longer experimental, thanks Kees Monshouwer & co for extensive testing (commit e4b36a4).
  • Handle signals during poll (commit 5dde2c6).
  • commit 7538e56: Fix zone2{sql,json} exit codes
  • commit 7593c40: geobackend: fix possible nullptr deref
  • commit 3506cc6: gpsqlbackend: don't append empty dbname=/user= values to connect string
  • gpgsql queries were simplified through the use of casting (commit 9a6e39c).
  • commit a7aa9be: Replace hardcoded make with variable
  • commit e4fe901: make sure to run PKG_PROG_PKG_CONFIG before the first PKG_* usage
  • commit 29bf169: fix hmac-md5 TSIG key lookup
  • commit c4e348b: fix 64+ character TSIG keys
  • commit 00a7b25: Fix comparison between signed and unsigned by using uint32_t for inception on INCEPTION-EPOCH
  • commit d3f6432: fix building on os x 10.9, thanks Martijn Bakker.
  • We now allow building against Lua 5.2 (commit bef3000, commit 2bdd03b, commit 88d9e99).
  • commit fa1f845: autodetect MySQL 5.5+ connection charset
  • When misconfigured using 'right' timezones, a bug in (g)libc gmtime breaks our signatures. Fixed in commit e4faf74 by Kees Monshouwer by implementing our own gmtime_r.
  • When sending SERVFAIL due to a CNAME loop, don't uselessly include the CNAMEs (commit dfd1b82).
  • Build fixes for platforms with 'weird' types (like s390/s390x): commit c669f7c, commit 07b904e and commit 2400764.
  • Support for += syntax for options, commit 98dd325 and others.
  • commit f8f29f4: nproxy: Add missing chdir("/") after chroot()
  • commit 2e6e9ad: fix for "missing" libmysqlclient on RHEL/CentOS based systems
  • pdnssec check-zone improvements in commit 5205892, commit edb255f, commit 0dde9d0, commit 07ee700, commit 79a3091, commit 08f3452, commit bcf9daf, commit c9a3dd7, commit 6ebfd08, commit fd53bd0, commit 7eaa83a, commit e319467, ,
  • NSEC/NSEC3 fixes in commit 3191709, commit f75293f, commit cd30e94, commit 74baf86, commit 1fa8b2b
  • The webserver could crash when the ring buffers were resized, fixed in commit 3dfb45f.
  • commit 213ec4a: add constraints for name to pg schema
  • commit f104427: make domainmetadata queries case insensitive
  • commit 78fc378: no label compression for name in TSIG records
  • commit 15d6ffb: pdnssec now outputs ZSK DNSKEY records if experimental-direct-dnskey support is enabled (renamed to direct-dnskey before release!)
  • commit ad67d0e: drop cryptopp from static build as libcryptopp.a is broken on Debian 7, which is what we build on
  • commit 7632dd8: support polarssl 1.3 externally.
  • Remotebackend was fully updated in various commits.
  • commit 82def39: SOA-EDIT: fix INCEPTION-INCREMENT handling
  • commit a3a546c: add innodb-read-committed option to gmysql settings.
  • commit 9c56e16: actually notice timeout during AXFR retrieve, thanks hkraal

New in version 3.1 RC1 (March 24th, 2012)

  • This version fixes important DNSSEC issues, addresses memory use, and contains a vast amount of improvements and bugfixes.

New in version 3.0.1 (January 11th, 2012)

  • This version is identical to 3.0, except with a fix for CVE-2012-0206 aka PowerDNS Security Notification 2012-01. An upgrade is recommended.

New in version 3.0 RC3 (July 19th, 2011)

  • This release brings full support for DNSSEC, with automated signing, rollovers, and key maintenance.
  • The goal is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
  • Other new features include TSIG, a MyDNS-compat backend, also-notify, master/slave over IPv6, a bulk parallel slaving engine, MongoDB support, and Lua zone editing.

New in version 3.0 RC1 (April 8th, 2011)

  • This release brings full support for DNSSEC, with automated signing, rollovers, and key maintenance.
  • The goal is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
  • Other new features include TSIG, a MyDNS-compat backend, also-notify, master/slave over IPv6, a bulk parallel slaving engine, and Lua zone editing.

New in version 2.9.22 (January 28th, 2009)

  • This version brings a reasonable amount of new features, combined with vast performance increases for large setups.
  • In addition, significant numbers of bugs and issues have been addressed.
  • This is a much recommended upgrade.

New in version 2.9.22 RC2 (November 30th, 2008)

  • Compared to 2.9.21, this version offers a massive performance boost for installations running with high cache-TTLs or a large packet cache, in many cases of an order of magnitude.
  • Additionally, a large number of bugs were addressed, some features were added, and overall many areas saw improvements.
  • RC2 fixes important issues compared to RC1.

New in version 2.9.22 RC1 (November 19th, 2008)

  • Compared to 2.9.21, this version offers a massive performance boost for installations running with high cache-TTLs or a large packet cache, in many cases of an order of magnitude.
  • Additionally, a large number of bugs were addressed, some features were added, and overall many areas saw improvements.

New in version 2.9.21.2 (November 19th, 2008)

  • Some (rare) PowerDNS Authoritative Server configurations could be forced to restart themselves remotely.
  • For other configurations, a database reconnect can be triggered remotely.
  • These problems have been fixed.