Changelogs for 4.5.X ==================== .. changelog:: :version: 4.5.12 :released: 25th of November 2022 .. change:: :tags: Bug Fixes :pullreq: 12228 :tickets: 12198 Correct skip record condition in processRecords. .. change:: :tags: Bug Fixes :pullreq: 12225 :tickets: 12189, 12199 Also consider recursive forward in the "forwarded DS should not end up in negCache code." .. change:: :tags: Bug Fixes :pullreq: 12192 :tickets: 12125 Timeout handling for IXFRs as a client. .. change:: :tags: Bug Fixes :pullreq: 12169 :tickets: 12081 Log invalid RPZ content when obtained via IXFR. .. change:: :tags: Bug Fixes :pullreq: 12166 :tickets: 12038 When an expired NSEC3 entry is seen, move it to the front of the expiry queue. .. change:: :tags: Bug Fixes :pullreq: 12165 :tickets: 11337, 11338 QType ADDR is supposed to be used internally only. .. changelog:: :version: 4.5.11 :released: 20th of September 2022 .. change:: :tags: Improvements :pullreq: 11939 :tickets: 11904 For zones having many NS records, we are not interested in all so take a sample. .. change:: :tags: Bug Fixes :pullreq: 11942 :tickets: 11890 Failure to retrieve DNSKEYs of an Insecure zone should not be fatal. .. change:: :tags: Improvements :pullreq: 11899 :tickets: 11848 Also check qperq limit if throttling happened, as it increases counters. .. changelog:: :version: 4.5.10 :released: 23rd of August 2022 .. change:: :tags: Bug Fixes :pullreq: 11875,11874 PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation. .. change:: :tags: Bug Fixes :pullreq: 11634,11609 Fix API issue when asking config values for allow-from or allow-notify-from. .. changelog:: :version: 4.5.9 :released: 4th of April 2022 .. change:: :tags: Bug Fixes :pullreq: 11419 :tickets: 11371 Be more careful using refresh mode only for the record asked. .. change:: :tags: Bug Fixes :pullreq: 11384 :tickets: 11300 Use the Lua context stored in SyncRes when calling hooks. .. change:: :tags: Improvements :pullreq: 11024 :tickets: 10994, 11010 Do cache negative results, even when wasVariable() is true. .. changelog:: :version: 4.5.8 :released: 25th of March 2022 This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. .. change:: :tags: Bug Fixes :pullreq: 11457 Fix validation of incremental zone transfers (IXFRs). .. changelog:: :version: 4.5.7 :released: 5th of November 2021 .. change:: :tags: Bug Fixes :pullreq: 10912 :tickets: 10908 A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records. .. change:: :tags: Bug Fixes :pullreq: 10911 :tickets: 10905 rec_control wipe-cache-typed should check if a qtype arg is present and valid. .. change:: :tags: Bug Fixes :pullreq: 10863 :tickets: 10842 Put the correct string into appliedPolicyTrigger for Netmask matching rules. .. changelog:: :version: 4.5.6 :released: 11th of October 2021 .. change:: :tags: Bug Fixes :pullreq: 10806 :tickets: 10565 Do not use DNSKEYs found below an apex for validation. .. change:: :tags: Bug Fixes :pullreq: 10807 :tickets: 10622 Detect a loop when the denial of the DS comes from the child zone. .. change:: :tags: Bug Fixes :pullreq: 10809 :tickets: 10632 Match ordering of PacketID using the Birthday vs non-Birthday comparator. .. change:: :tags: Bug Fixes :pullreq: 10811 :tickets: 10633 Pass the Lua context to follow up queries (follow CNAME, dns64). .. change:: :tags: Bug Fixes :pullreq: 10813 :tickets: 10718 Only the DNAME records are authoritative in DNAME answers. .. change:: :tags: Bug Fixes :pullreq: 10803 :tickets: 10768 Use the correct RPZ policy name for statistics when loading via XFR. .. change:: :tags: Bug Fixes :pullreq: 10717 :tickets: 10701 Fix the aggressive cache returning duplicated NSEC3 records. .. change:: :tags: Bug Fixes :pullreq: 10655 :tickets: 10643 NS from the cache could be a forwarder, take that into account for throttling decision. .. change:: :tags: Bug Fixes :pullreq: 10629 :tickets: 10627 Check in more places if the policy has been updated before using or modifying it. .. changelog:: :version: 4.5.5 :released: 30th of July 2021 .. change:: :tags: Bug Fixes :pullreq: 10593 :tickets: 10587 Ancestor NSEC3s can only deny the existence of a DS. .. change:: :tags: Bug Fixes :pullreq: 10575 :tickets: 10570 Make really sure we did not miss a cut on validation failure. .. change:: :tags: Improvements :pullreq: 10564 :tickets: 10555 Work around clueless servers sending AA=0 answers. .. change:: :tags: Bug Fixes :pullreq: 10573 :tickets: 10515 Clear the current proxy protocol values each iteration. .. changelog:: :version: 4.5.4 :released: 2nd of July 2021, 4.5.3 was never released publicly. .. change:: :tags: Bug Fixes :pullreq: 10519 Make sure that we pass the SOA along the NSEC(3) proof for DS queries. .. changelog:: :version: 4.5.2 :released: 9th of June 2021 .. change:: :tags: Improvements :pullreq: 10477 :tickets: 10440 Change nsec3-max-iterations default to 150. .. change:: :tags: Bug Fixes :pullreq: 10476 :tickets: 10460 Don't follow referral from the parent to the child for DS queries. .. change:: :tags: Bug Fixes :pullreq: 10475 :tickets: 10426 When refreshing, do not consider root almost expired. .. change:: :tags: Bug Fixes :pullreq: 10474 :tickets: 10396 Take into account q_quiet when determining loglevel and change a few loglevels. .. change:: :tags: Bug Fixes :pullreq: 10473 :tickets: 10350 Only add the NSEC and RRSIG records once in wildcard NODATA answers. .. change:: :tags: Improvements :pullreq: 10422 :tickets: 10420 For the NOD lookup case, we don't want QName Minimization. .. changelog:: :version: 4.5.1 :released: 11th of May 2021 .. change:: :tags: Bug Fixes :pullreq: 10377 Prevent a race in the aggressive NSEC cache. .. changelog:: :version: 4.5.0 :released: Never released publicly. .. change:: :tags: Bug Fixes :pullreq: 10353 Apply dns64 on RPZ hits generated after a gettag_ffi hit. .. changelog:: :version: 4.5.0-rc1 :released: 28th of April 2021 .. change:: :tags: Improvements :pullreq: 10335 :tickets: 10329 Boost 1.76 containers: use standard exceptions. .. change:: :tags: Improvements :pullreq: 10334 :tickets: 10318 Fix wording in edns-padding-tag help. .. change:: :tags: Improvements :pullreq: 10333 :tickets: 10312 Improve packet cache size computation now that TCP answers are also cached. .. change:: :tags: Bug Fixes :pullreq: 10320 :tickets: 10317 Do not put results of DS query for auth or forward domains in negcache. .. change:: :tags: Bug Fixes :pullreq: 10319 :tickets: 10303 Use the correct ECS address when proxy-protocol is enabled. .. change:: :tags: Improvements :pullreq: 10307 :tickets: 10298 Print the covering NSEC in tracing log. .. change:: :tags: Bug Fixes :pullreq: 10306 :tickets: 10291 Exception loading the RPZ seed file is not fatal. .. change:: :tags: Bug Fixes :pullreq: 10305 :tickets: 10286 RPZ dumper: stop generating double zz labels on networks that start with zeroes. .. changelog:: :version: 4.5.0-beta2 :released: 14th of April 2021 .. change:: :tags: Improvements :pullreq: 10280 :tickets: 10268 Log local IP in dnstap messages. .. change:: :tags: Improvements :pullreq: 10279 :tickets: 10264 Also disable PMTU for IPv6. .. change:: :tags: Bug Fixes :pullreq: 10278 :tickets: 10232 Clear "from" in record cache if we don't know where the update came from. .. change:: :tags: Bug Fixes :pullreq: 10277 :tickets: 10223 Better handling of stranded DNSKeys. .. changelog:: :version: 4.5.0-beta1 :released: 26th of March 2021 .. change:: :tags: Improvements :pullreq: 9995 :tickets: 7982 Support TCP FastOpen connect on outgoing connections. .. change:: :tags: Improvements :pullreq: 8918 Implement EDNS0 padding (rfc7830) for outgoing responses. .. change:: :tags: Improvements :pullreq: 10057 Get rid of early zone cut computation when doing DNSSEC validation. .. change:: :tags: Improvements :pullreq: 10182 :tickets: 10177 Insert hints as non-auth into cache. .. change:: :tags: Bug Fixes :pullreq: 10185 Make sure we take the right minimum for the packet cache TTL data. .. change:: :tags: Improvements :pullreq: 10178 :tickets: 10125 Don't pick up random root NS records from AUTHORITY sections. .. change:: :tags: Improvements :pullreq: 10161 :tickets: 7591 Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant. .. changelog:: :version: 4.5.0-alpha3 :released: 9th of March 2021 .. change:: :tags: Improvements :pullreq: 10010 Check sizeof(time_t) to be at least 8. .. change:: :tags: Improvements :pullreq: 10118 Change dnssec default to `process`. .. change:: :tags: Improvements :pullreq: 10047 Implement rfc 8198 - Aggressive Use of DNSSEC-Validated Cache. .. change:: :tags: Improvements :pullreq: 10112 Be less verbose telling we are looking up CNAMEs or DNAMEs while tracing. .. change:: :tags: Bug Fixes :pullreq: 10111 :tickets: 10080 Handle policy (if needed) after postresolve and document the hooks better. .. change:: :tags: Improvements :pullreq: 10113 :tickets: 8587 Add validation state to protobuf message. .. change:: :tags: Improvements :pullreq: 10109 :tickets: 9654, 9653 Add Policy Kind / RPZ action to Protobuf messages. .. change:: :tags: Improvements :pullreq: 10089 :tickets: 10058 Count DNSSEC stats for given names in a different set of counters. .. change:: :tags: Improvements :pullreq: 10096 Remember non-resolving nameservers. .. change:: :tags: Improvements :pullreq: 9468 Pass an fd to dump to from rec_control to the recursor. .. change:: :tags: Improvements :pullreq: 10075 Introduce settings to never cache EDNS Client (v4/v6) Subnet carrying replies. .. change:: :tags: Improvements :pullreq: 10077 :tickets: 9845 Change spoof-nearmiss-max default to 1. .. change:: :tags: Improvements :pullreq: 10022 :tickets: 10021 Add missing entries to Prometheus metrics. .. change:: :tags: Bug Fixes :pullreq: 10064 :tickets: 9547 Return current rcode instead of 0 if there are no CNAME records to follow. .. change:: :tags: Improvements :pullreq: 9990 Also use packetcache for tcp queries. .. change:: :tags: Improvements :pullreq: 10020 :tickets: 10009 Document taskqueue metrics and add them to SNMP MIB. .. change:: :tags: Improvements :pullreq: 9996 Treat the .localhost domain as special. .. changelog:: :version: 4.5.0-alpha2 :released: This release was never made public. .. changelog:: :version: 4.5.0-alpha1 :released: 15th of January 2021 .. change:: :tags: Improvements :pullreq: 9699 :tickets: 440 Introduce "Refresh almost expired" a mechanism to keep the record cache warm. .. change:: :tags: Improvements :pullreq: 9630, 9843 :tickets: 9780, 9781 Use protozero for Protocol Buffer operations in dnsdist, and dnstap/outgoing for the recursor. .. change:: :tags: Bug Fixes :pullreq: 9883 :tickets: 9621 Lookup DS entries before CNAME entries. .. change:: :tags: Improvements :pullreq: 9856 Use a short-lived NSEC3 hashes cache for denial validation. .. change:: :tags: Improvements :pullreq: 9670 Introduce synonyms for offensive language in settings and docs. .. change:: :tags: Improvements :pullreq: 9812 :tickets: 9808 Handle failure to start the web server more gracefully. .. change:: :tags: Improvements :pullreq: 9720 Switch default TTL override to 1. .. change:: :tags: Improvements :pullreq: 9806 9828 Log the exact Bogus state when 'dnssec-log-bogus' is enabled. .. change:: :tags: Bug Fixes :pullreq: 9793 Fix the gathering of denial proof for wildcard-expanded answers. .. change:: :tags: Bug Fixes :pullreq: 9789 Actually discard invalid RRSIGs with too high labels count. .. change:: :tags: Improvements :pullreq: 9744 Switch to TCP in case of spoofing (near-miss) attempts. .. change:: :tags: Improvements :pullreq: 9673 Add support for rfc8914: Extended DNS Errors. .. change:: :tags: Improvements :pullreq: 9633 Two OpenBSD improvements for UDP sockets: port randomization and EAGAIN errors. .. change:: :tags: Bug Fixes :pullreq: 9686 :tickets: 9638 x-our-latency is a gauge. .. change:: :tags: Improvements :pullreq: 9594 Cleanup of RPZ refresh handling. .. change:: :tags: Improvements :pullreq: 9629 Refactor the percentage computation and use rounding. .. change:: :tags: Improvements :pullreq: 9571 Throttle servers sending invalid data and rcodes. .. change:: :tags: Improvements :pullreq: 9572 Terminate TCP connections instead of 'ignoring' errors. .. change:: :tags: Bug Fixes :pullreq: 9432 :tickets: 7743 Make parse ip:port a bit smarter. .. change:: :tags: Improvements :pullreq: 9569 Don't parse any config with `--version`. .. change:: :tags: Improvements :pullreq: 9562 Expose typed cache flush via Web API. .. change:: :tags: Improvements :pullreq: 9554 Remove query-local-address6. .. change:: :tags: Bug Fixes :pullreq: 9515 Fix wipe-cache-typed. .. change:: :tags: Improvements :pullreq: 8942 Lua: add backtraces to errors. .. change:: :tags: Improvements :pullreq: 9493 Log the line received from rec_control. .. change:: :tags: Bug Fixes :pullreq: 9492 Detach snmp thread to avoid trouble when trying to quit nicely. .. change:: :tags: Improvements :pullreq: 9475 Shared and sharded neg cache.