Changelogs for 4.0.x ==================== PowerDNS Authoritative Server 4.0.9 ----------------------------------- Released 1st of August 2019 This release contains the updated PostgreSQL schema for PowerDNS Security Advisory :doc:`2019-06 <../security-advisories/powerdns-advisory-2019-06>` (CVE-2019-10203). Upgrading is not enough - you need to manually apply the schema change: ``ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;`` PowerDNS Authoritative Server 4.0.8 ----------------------------------- Released 21st of June 2019 This release fixes PowerDNS Security Advisories :doc:`2019-04 <../security-advisories/powerdns-advisory-2019-04>` and :doc:`2019-05 <../security-advisories/powerdns-advisory-2019-05>`. PowerDNS Authoritative Server 4.0.7 ----------------------------------- Released 18th of March 2019 This release fixes PowerDNS Security Advisory :doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>`: Insufficient validation in the HTTP remote backend (CVE-2019-3871) Bug fixes ~~~~~~~~~ - `#7582 `__: Insufficient validation in the HTTP remote backend (CVE-2019-3871) PowerDNS Authoritative Server 4.0.6 ----------------------------------- Released 6th of November 2018 This release fixes PowerDNS Security Advisory :doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>`: Crafted zone record can cause a denial of service (CVE-2018-10851) Bug fixes ~~~~~~~~~ - `#7150 `__: Crafted zone record can cause a denial of service (CVE-2018-10851) - `#7135 `__: Fix el6 builds Improvements ~~~~~~~~~~~~ - `#6315 `__: Prevent cname + other data with dnsupdate - `#7119 `__: Switch to devtoolset 7 for el6 PowerDNS Authoritative Server 4.0.5 ----------------------------------- Released 27th of November 2017 This release fixes PowerDNS Security Advisory :doc:`2017-04 <../security-advisories/powerdns-advisory-2017-04>`: Missing check on API operations (CVE-2017-15091). Bug fixes ~~~~~~~~~ - `#4650 `__: Bindbackend: do not corrupt data supplied by other backends in getAllDomains (Chris Hofstaedtler) - `#4751 `__: API: prevent sending nameservers list and zone-level NS in rrsets (Chris Hofstaedtler) - `#4929 `__: gpgsql: make statement names actually unique (Chris Hofstaedtler) - `#4997 `__: Fix remotebackend params (Aki Tuomi) - `#5051 `__: Fix godbc query logging - `#5125 `__: For create-slave-zone, actually add all slaves, and not only first n times - `#5161 `__: Fix a regression in axfr-rectify + test (Arthur Gautier) - `#5408 `__: When making a netmask from a comboaddress, we neglected to zero the port - `#5599 `__: Fix libatomic detection on ppc64 - `#5641 `__: Catch DNSName exception in the Zoneparser - `#5722 `__: Publish inactive KSK/CSK as CDNSKEY/CDS - `#5730 `__: Handle AFSDB record separately due to record structure. Fixes #4703 (Johan Jatko) - `#5678 `__: Treat requestor's payload size lower than 512 as equal to 512 - `#5766 `__: Correctly purge entries from the caches after a transfer - `#5777 `__: Handle a signing pipe worker dying with work still pending - `#5815 `__: Ignore SOA-EDIT for PRESIGNED zones. Fixes #5814 - `#5933 `__: Check return value for all getTSIGKey calls. Fixes #5931 - `#5996 `__: Deny cache flush, zone retrieve and notify if the API is RO (Security Advisory :doc:`2017-04 <../security-advisories/powerdns-advisory-2017-04>`) Improvements ~~~~~~~~~~~~ - `#4922 `__: Fix ldap-strict autoptr feature, including a test - `#5043 `__: mydnsbackend: Add getAllDomains (Aki Tuomi) - `#5112 `__: Stubresolver: Use only ``recursor`` setting if given - `#5147 `__: LuaWrapper: Allow embedded NULs in strings received from Lua - `#5277 `__: sdig: Clarify that the ``ednssubnet`` option takes "subnet/mask" - `#5309 `__: Tests: Ensure all required tools are available (Arthur Gautier) - `#5320 `__: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask - `#5349 `__: LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace - `#5498 `__: Add support for Botan 2.x - `#5509 `__: Ship ldapbackend schema files in tarball (Chris Hofstaedtler) - `#5518 `__: Collection of schema changes (Kees Monshouwer) - `#5523 `__: Fix typo in two log messages (Ruben Kerkhof) - `#5598 `__: Add help text on autodetecting systemd support - `#5723 `__: Use a unique pointer for bind backend's ``d_of`` - `#5826 `__: Fix some of the issues found by @jpmens PowerDNS Authoritative Server 4.0.4 ----------------------------------- Released 23rd of June 2017 This release features a fix for the ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf. Bug fixes ~~~~~~~~~ - `#5423 `__: Do not hash the message in the ed25519 signer (Kees Monshouwer) - `#5445 `__: Make URI integers 16 bits, fixes `#5443 `__ - `#5346 `__: configure.ac: Corrects syntax error in test statement on existence of libcrypto\_ecdsa (shinsterneck) - `#5440 `__: configure.ac: Fix quoting issue fixes `#5401 `__ - `#4824 `__: configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA - `#5016 `__: configure.ac: Check if we can link against libatomic if needed - `#5341 `__: Fix typo in ldapbackend.cc from issue `#5091 `__ (shantikulkarni) - `#5289 `__: Sort NSEC record case insensitive (Kees Monshouwer) - `#5378 `__: Make sure NSEC ordernames are always lower case - `#4781 `__: API: correctly take TTL from first record even if we are at the last comment (Chris Hofstaedtler) - `#4901 `__: Fix AtomicCounter unit tests on 32-bit - `#4911 `__: Fix negative port detection for IPv6 addresses on 32-bit - `#4508 `__: Remove support for 'right' timezones, as this code turned out to be broken - `#4961 `__: Lowercase the TSIG algorithm name in hash computation - `#5048 `__: Handle exceptions raised by ``closesocket()`` - `#5297 `__: Don't leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend - `#5450 `__: TinyCDB backend: Don't leak a CDB object in case of bogus data Improvements ~~~~~~~~~~~~ - `#5071 `__: ODBC backend: Allow query logging - `#5441 `__: Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees Monshouwer) - `#5325 `__: YaHTTP: Sync with upstream changes - `#5298 `__: Send a notification to all slave servers after every dnsupdate (Kees Monshouwer) - `#5317 `__: Add option to set a global ``lua-axfr-script`` value (Kees Monshouwer) - `#5130 `__: dnsreplay: Add ``--source-ip`` and ``--source-port`` options - `#5085 `__: calidns: Use the correct socket family (IPv4 / IPv6) - `#5170 `__: Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer) - `#4622 `__: API: Make trailing dot handling consistent with pdnsutil (Tuxis Internet Engineering) - `#4762 `__: SuffixMatchNode: Fix insertion issue for an existing node - `#4861 `__: Do not resolve the NS-records for NOTIFY targets if the "only-notify" whitelist is empty, as a target will never match an empty whitelist. - `#5378 `__: Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone - `#5297 `__: Create additional ``reuseport`` sockets before dropping privileges; remove transaction in pgpsql backend PowerDNS Authoritative Server 4.0.3 ----------------------------------- Released January 17th 2017 This release fixes an issue when using multiple backends, where one of the backends is the BIND backend. This regression was introduced in 4.0.2. Bug fix ~~~~~~~ - `#4905 `__: Revert "auth: In ``Bind2Backend::lookup()``, use the ``zoneId`` when we have it" PowerDNS Authoritative Server 4.0.2 ----------------------------------- Released January 13th 2017 This release fixes PowerDNS Security Advisories :doc:`2016-02 <../security-advisories/powerdns-advisory-2016-02>`, :doc:`2016-03 <../security-advisories/powerdns-advisory-2016-03>`, :doc:`2016-04 <../security-advisories/powerdns-advisory-2016-04>` and :doc:`2016-05 <../security-advisories/powerdns-advisory-2016-05>` and includes a fix for a memory leak in the Postgresql backend. Bug fixes ~~~~~~~~~ - `commit f61af48 `__: Don't parse spurious RRs in queries when we don't need them (Security Advisory :doc:`2016-02 <../security-advisories/powerdns-advisory-2016-02>`) - `commit 592006d `__: Don't exit if the webserver can't accept a connection (Security Advisory :doc:`2016-03 <../security-advisories/powerdns-advisory-2016-03>`) - `commit e85acc6 `__: Check TSIG signature on IXFR (Security Advisory :doc:`2016-04 <../security-advisories/powerdns-advisory-2016-04>`) - `commit 3b1e4a2 `__: Correctly check unknown record content size (Security Advisory :doc:`2016-05 <../security-advisories/powerdns-advisory-2016-05>`) - `commit 9ecbf02 `__: ODBC backend: actually prepare statements - `commit a4d607b `__: Fix incorrect length check in ``DNSName`` when extracting qtype or qclass - `commit c816fe3 `__: Fix a possible memory leak in the webserver - `#4287 `__: Better handling of invalid serial - `#4306 `__: Limit size of mysql cell to 128 kilobytes - `#4314 `__: Overload fix: make overload-queue-length work as intended again, add test for it. - `#4317 `__: Improve root-zone performance - `#4319 `__: pipe: SERVFAIL when needed - `#4360 `__: Make sure mariadb (mysql on centos/rhel) is started before pdns (42wim) - `#4387 `__: ComboAddress: don't allow invalid ports - `#4459 `__: Plug memory leak in postgresql backend (Chris Hofstaedtler) - `#4544 `__: Fix a stack-based off-by-one write in the HTTP remote backend - `#4755 `__: calidns: Don't crash if we don't have enough 'unknown' queries remaining Additions and Enhancements ~~~~~~~~~~~~~~~~~~~~~~~~~~ - `commit 1238e06 `__: disable negative getSOA caching if the negcache\_ttl is 0 (Kees Monshouwer) - `commit 3a0bded `__, `commit 8c879d4 `__, `commit 8c03126 `__, `commit 5656e12 `__ and `commit c1d283d `__: Improve PacketCache cleaning (Kees Monshouwer) - `#4261 `__: Strip trailing dot in PTR content (Kees Monshouwer) - `#4269 `__: contrib: simple bash completion for pdnsutil (j0ju) - `#4272 `__: Bind backend: update status message on reload, keep the existing zone on failure - `#4274 `__: report DHCID type (Kees Monshouwer) - `#4310 `__: Fix build with LibreSSL, for which OPENSSL\_VERSION\_NUMBER is irrelevant - `#4323 `__: Speedup DNSName creation - `#4335 `__: fix TSIG for single thread distributor (Kees Monshouwer) - `#4346 `__: change default for any-to-tcp to yes (Kees Monshouwer) - `#4356 `__: Don't look up the packet cache for TSIG-enabled queries - `#4403 `__: (auth) Fix build with OpenSSL 1.1.0 final (Chris Hofstaedtler) - `#4442 `__: geoipbackend: Fix minor naming issue (Aki Tuomi) - `#4454 `__: pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo) - `#4541 `__: Backport of #4542: API: search should not return ENTs (Chris Hofstaedtler) - `#4754 `__: In ``Bind2Backend::lookup()``, use the ``zoneId`` when we have it PowerDNS Authoritative Server 4.0.1 ----------------------------------- Released July 29th 2016 This release fixes two small issues and adds a setting to limit AXFR and IXFR sizes, in response to `CVE-2016-6172 `__. Bug fixes ~~~~~~~~~ - `#4126 `__ Wait for the connection to the carbon server to be established - `#4206 `__ Don't try to deallocate empty PG statements - `#4245 `__ Send the correct response when queried for an NSEC directly (Kees Monshouwer) - `#4252 `__ Don't include bind files if length <= 2 or > sizeof(filename) - `#4255 `__ Catch runtime\_error when parsing a broken MNAME Improvements ~~~~~~~~~~~~ - `#4044 `__ Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi) - `#4056 `__ OpenSSL 1.1.0 support (Chris Hofstaedtler) - `#4169 `__ Fix typos in a logmessage and exception (Chris Hofstaedtler) - `#4183 `__ pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo) - `#4192 `__ dnsreplay: Only add Client Subnet stamp when asked - `#4250 `__ Use toLogString() for ringAccount (Kees Monshouwer) Additions ~~~~~~~~~ - `#4133 `__ Add limits to the size of received {A,I}XFR (CVE-2016-6172) - `#4142 `__ Add used filedescriptor statistic (Kees Monshouwer) PowerDNS Authoritative Server 4.0.0 ----------------------------------- Released July 11th 2016 PowerDNS Authoritative Server 4.0.0 is part of `the great 4.x "Spring Cleaning" `__ of PowerDNS which lasted through the end of 2015. As part of the general cleanup and improvements, we did the following: - Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to `improve the quality of implementation `__ in many places. - Implemented dedicated infrastructure for dealing with DNS names that is fully "DNS Native" and needs less escaping and unescaping. - All backends derived from the Generic SQL backend use :doc:`prepared statements <../backends/generic-sql>`. - Both the server and ``pdns_control`` do the right thing when ``chroot``'ed. In addition to this cleanup, 4.0.0 brings the following new features: - A revived ODBC backend (:doc:`godbc <../backends/generic-odbc>`). - A revived LDAP backend (:doc:`ldap <../backends/ldap>`). - Support for :doc:`CDS/CDNSKEY <../guides/kskrollcdnskey>` and :rfc:`7344` key-rollovers. - Support for the :doc:`ALIAS <../guides/alias>` record. - The webserver and API are no longer marked experimental. - The API-path has moved to ``/api/v1`` - DNSUpdate is no longer experimental. - Default ECDSA (algorithms 13 and 14) support without external dependencies. - Experimental support for ed25519 DNSSEC signatures (when compiled with libsodium support). - IXFR consumption support. - Many new ``pdnsutil`` commands - ``help`` command now produces the help - Warns if the configuration file cannot be read - Does not check disabled records with ``check-zone`` unless verbose mode is enabled - ``create-zone`` command creates a new zone - ``add-record`` command to add records - ``delete-rrset`` and ``replace-rrset`` commands to delete and add rrsets - ``edit-zone`` command that spawns ``$EDITOR`` with the zone contents in zonefile format regardless of the backend used (`blogpost `__ The following backend have been dropped in 4.0.0: - LMDB. - Geo (use the improved :doc:`GeoIP <../backends/geoip>` instead). Important changes: - ``pdnssec`` has been renamed to ``pdnsutil`` - PowerDNS Authoritative Server now listens by default on all IPv6 addresses. - The default for ``pdnsutil secure-zone`` has been changed from 1 2048 bit RSA KSK and 1 1024 bit RSA ZSK to a single 256 bit ECDSA (algorithm 13, ECDSAP256SHA256) key. - Several superfluous queries have been dropped from the SQL backend, if you use a non-standard SQL schema, please review the new defaults - ``insert-ent-query``, ``insert-empty-non-terminal-query``, ``insert-ent-order-query`` have been replaced by one query named ``insert-empty-non-terminal-order-query`` - ``insert-record-order-query`` has been dropped, ``insert-record-query`` now sets the ordername (or NULL) - ``insert-slave-query`` has been dropped, ``insert-zone-query`` now sets the type of zone - Crypto++ and mbedTLS support is dropped, these are replaced by OpenSSL - The INCEPTION and INCEPTION-WEEK SOA-EDIT metadata values are marked as deprecated and will be removed in 4.1 The final release has the following bug fixes compared to rc2: - `#4071 `__ Abort on backend failures at startup and retry while running (Kees Monshouwer) - `#4099 `__ Don't leak TCP connection descriptor if ``pthread_create()`` failed - `#4137 `__ gsqlite3: Check whether foreign keys should be turned on (Aki Tuomi) And the following improvements: - `#3051 `__ Better error message for unfound new slave domains - `#4123 `__ check-zone: warn on mismatch between algo and NSEC mode PowerDNS Authoritative Server 4.0.0-rc2 --------------------------------------- Released June 29th 2016 .. note:: rc1 was tagged in git but never officially released. Kees Monshouwer discovered an issue in the gmysql backend that would terminate the daemon on a connection error, this fixed in rc2. This Release Candidate adds IXFR consumption and fixes some issues with prepared statements: - `#3937 `__ GSQL: use lazy prepared statements (Aki Tuomi) - `#3949 `__ Implement IXFR-based slaving for Authoritative, fix duplicate AXFRs - `#4066 `__ Don't die on a mysql timeout (Kees Monshouwer) Other improvements: - `#4061 `__ Various fixes, a MySQL-query fix that improves performance and one that allows shorter best matches in getAuth() - `#3962 `__ Fix OpenBSD support - `#3972 `__ API: change PATCH/PUT on zones to return 204 No Content instead of full zone (Chris Hofstaedtler) - `#3917 `__ Remotebackend: Add getAllDomains call (Aki Tuomi) Bug fixes and changes: - `#3998 `__ remove gsql::isOurDomain for now (Kees Monshouwer) - `#3989 `__ Fix usage of std::distance() in DNSName::isPartOf() - `#4001 `__ re enable validDNSName() check (Kees Monshouwer) - `#3930 `__ Have pdns\_control bind-add-zone check for zonefile - `#3400 `__ Fix building on OpenIndiana - `#3961 `__ Allow building on CentOS 6 i386 - `#3940 `__ auth: Don't build dnsbulktest and dnstcpbench if boost is too old, fixes building on CentOS 6 - `#3931 `__ Rename ``notify`` to ``pdns_notify`` (Chris Hofstaedtler) PowerDNS Authoritative Server 4.0.0-beta1 ----------------------------------------- Released May 27th 2016 This release features several small fixes and deprecations. Improvements and Additions ~~~~~~~~~~~~~~~~~~~~~~~~~~ - `#3851 `__ Disable algorithm 13 and 14 if OpenSSL does not support ecdsa or the required curves (Kees Monshouwer) - `#3857 `__ Add simple stubquery tool for testing the stubresolver - `#3859 `__ build scripts: Stop patching config-dir in pdns.conf (Chris Hofstaedtler) - `#3872 `__ Add support for multiple carbon servers - `#3901 `__ Add support for virtual hosting with systemd Bug fixes ~~~~~~~~~ - `#3856 `__ Deal with unset name in nproxy replies PowerDNS Authoritative Server 4.0.0-alpha3 ------------------------------------------ Released May 11th 2016 Notable changes since 4.0.0-alpha2 - `#3415 `__ pdnsutil: add clear-zone command - `#3586 `__ Remove send-root-referral option - `#3578 `__ Add disable-syslog option - `#3733 `__ ALIAS improvements: DNSSEC and optional on-AXFR expansion of records - `#3764 `__ Notify support for systemd - `#3807 `__ Add TTL settings for DNSSECKeeper's caches Bug fixes ~~~~~~~~~ - `#3553 `__ pdnsutil: properly show key sizes for presigned zones in show-zone - `#3507 `__ webserver: mask out the api-key setting (Chris Hofstaedtler) - `#3580 `__ bindbackend: set domain in list() (Kees Monshouwer) - `#3595 `__ pdnsutil: add NS record without trailing dot with create-zone - `#3653 `__ Allow tabs as whitespace in zonefiles - `#3666 `__ Restore recycle backend behaviour (Kees Monshouwer) - `#3612 `__ Prevent segfault in PostgreSQL backend - `#3779 `__, `#3768 `__, `#3766 `__, `#3783 `__ and `#3789 `__ DNSName and other hardening improvements - `#3784 `__ fix SOA caching with multiple backends (Kees Monshouwer) - `#3827 `__ Force NSEC3PARAM algorithm to 1, fixes validation issues when set to not 1 Improvements ~~~~~~~~~~~~ - `#3637 `__, `#3678 `__, `#3740 `__ Correct root-zone slaving and serving (Kees Monshouwer and others) - `#3495 `__ API: Add discovery endpoint (Chris Hofstaedtler) - `#3389 `__ pdnsutil: support chroot - `#3596 `__ Remove botan-based ecdsa and rsa signers (Kees Monshouwer) - `#3478 `__, `#3603 `__, `#3628 `__ Various build system improvements (Ruben Kerkhof) - `#3621 `__ Always lowercase when inserting into the database - `#3651 `__ Rename PUBLISH\_\* to PUBLISH-\* domainmetadata - `#3656 `__ API: clean up cryptokeys resource (Chris Hofstaedtler) - `#3632 `__ pdnsutil: Fix exit statuses to constants and return 0 when success (saltsa) - `#3655 `__ API: Fix set-ptr to honor SOA-EDIT-API (Chris Hofstaedtler) - `#3720 `__ Many fixes for dnswasher (Robert Edmonds) - `#3707 `__, `#3788 `__ Make MySQL timeout configurable (Kees Monshouwer and Brynjar Eide) - `#3806 `__ Move key validity check out of ``fromISCMap()``, improves DNSSEC performance - `#3820 `__ pdnsutil load-zone: ignore double SOA PowerDNS Authoritative Server 4.0.0-alpha2 ------------------------------------------ Released February 25th 2016 Notable changes since 4.0.0-alpha1 - `#3037 `__ Remove superfluous gsql queries and stop relying on schema defaults - `#3176 `__, `#3139 `__ OpenSSL support (Chris Hofstaedtler and Kees Monshouwer) - `#3128 `__ ECDSA support to DNSSEC infra via OpenSSL (Kees Monshouwer) - `#3281 `__, `#3283 `__, `#3363 `__ Remove Crypto++ and mbedTLS support - `#3298 `__ Implement pdnsutil create-zone zone nsname, add-record, delete-rrset, replace-rrset - `#3407 `__ API: Permit wildcard manipulation (Aki Tuomi) - `#3230 `__ API: drop JSONP, add web security headers (Chris Hofstaedtler) - `#3428 `__ API: Fix zone/records design mistake (Chris Hofstaedtler) - **Note**: this is a breaking change from alpha1, please review the `API documentation <../httpapi>` Bug fixes ~~~~~~~~~ - `#3124 `__ Fix several bugs with introduced with the change to a single signing key (e.g. the SEP bit is set on these single keys) - `#3151 `__ Catch DNSName build errors in dynhandler (Chris Hofstaedtler) - `#3264 `__ GeoIP backend: Use correct id numbers for domains (Aki Tuomi) - `#3271 `__ ZoneParser: Throw PDNSException on too many SOA data elements - `#3302 `__ Fix bindbackend's feedRecord to handle being slave for the root - `#3399 `__ Report OpenSSL RSA keysize in bits (Kees Monshouwer) Improvements ~~~~~~~~~~~~ - `#3119 `__ Show DNSSEC keys for slaved zone (Aki Tuomi) - `#3255 `__ Don't log authentication errors before sending HTTP basic auth challenge (Jan Broer) - `#3338 `__ Add weight feature to GeoIP backend (Aki Tuomi) - `#3364 `__ Shrink PacketID by 10% by eliminating padding. (Andrew Nelless) - `#3443 `__ Many speedup and correctness fixes PowerDNS Authoritative Server 4.0.0-alpha1 ------------------------------------------ Released December 24th 2015