Changelogs for 4.1.x

4.1.8

Released: 26th of November 2018

This release fixes Security Advisory 2018-09 that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.

The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.

When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

Bug Fixes

4.1.7

Released: 9th of November 2018

This release updates the mitigation for Security Advisory 2018-07, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.

Improvements

4.1.6

Released: 7th of November 2018

This release reverts #6980, it could lead to DNSSEC validation issues.

Bug Fixes

4.1.5

Released: 6th of November 2018

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
  • PowerDNS Security Advisory 2018-07 (CVE-2018-14644)

Improvements

Bug Fixes

4.1.4

Released: 31st of August 2018

Improvements

Bug Fixes

4.1.3

Released: 22nd of May 2018

This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.

Improvements

Bug Fixes

4.1.2

Released: 29th of March 2018

This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.

New Features

Improvements

Bug Fixes

4.1.1

Released: 22nd of January 2018

This is the second release in the 4.1 train.

This release fixes PowerDNS Security Advisory 2018-01.

The full release notes can be read on the blog.

This is a release on the stable branch, containing a fix for the abovementioned security issue and several bug fixes from the development branch.

Improvements

  • Don’t process records for another class than IN. We don’t use records of another class than IN, but we used to store some of them in the cache which is useless. Just skip them.

    References: #6198, pull request 6085

Bug Fixes

  • Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where a NSEC{3} ancestor delegation is wrongly use to prove the non-existence of a RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)

    References: pull request 6215

  • Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always parent of the qname, depending on the number of labels in the initial wildcard.

    References: #6199, pull request 6092

  • Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.

    References: #6200, pull request 6095

  • Fix to make primeHints threadsafe, otherwise there’s a small chance on startup that the root-server IPs will be incorrect.

    References: #6212, pull request 6209

  • Don’t validate signature for “glue” CNAME, since anything else than the initial CNAME can’t be considered authoritative.

    References: #6201, pull request 6137

4.1.0

Released: 4th of December 2017

This is the first release in the 4.1 train.

The full release notes can be read on the blog.

This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).

  • Improved DNSSEC support,
  • Improved documentation,
  • Improved RPZ support,
  • Improved EDNS Client Subnet support,
  • Support for Botan 2.x (and removal of support for Botan 1.10),
  • SNMP support,
  • Lua engine has gained access to more parts of the recursor,
  • CPU affinity can now be specified,
  • TCP Fast Open support,
  • New performance metrics.

Changes since 4.1.0-rc3:

Bug Fixes

4.1.0-rc3

Released: 17th of November 2017

The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has a lot of DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.

Improvements

  • Add the DNSSEC validation state to the DNSQuestion Lua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).

    References: #5888, pull request 5895

  • Add support for Botan 2.x and remove support for Botan 1.10.

    References: #5797, #2250, pull request 5498

  • Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.

    References: pull request 5876

  • Better support for deleting entries in NetmaskTree and NetmaskGroup.

    References: pull request 5616

Bug Fixes

  • Prevent possible downgrade attacks in the recursor.

    References: pull request 5889

  • Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that a NSEC will cover a more specific wildcard and we end up with what looks like a NXDOMAIN proof but is a NODATA one.

    References: #5882, pull request 5885

  • Fix incomplete validation of cached entries.

    References: pull request 5904

  • Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthetized from a wildcard if the corresponding NSEC3 had more iterations that we were willing to accept, while the correct result is Insecure.

    References: pull request 5912

  • Sort NS addresses by speed and remove old ones.

    References: #1066, pull request 5877

  • Purge nsSpeeds entries even if we get less than 2 new entries.

    References: pull request 5896

  • Add EDNS to truncated, servfail answers.

    References: #5618, pull request 5881

  • Use _exit() when we really really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.

    References: pull request 5917

  • In the recursor secpoll code, we assumed the TXT record would be the first record first record we received. Sometimes it was the RRSIG, leading to a silent error, and no secpoll check. Fixed the assumption, added an error.

    References: pull request 5930

  • Don’t crash when asked to run with zero threads.

    References: pull request 5938

  • Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.

    References: #5934, pull request 5939

  • Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.

    References: #2758, pull request 5937

  • Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)

    References: pull request 5961

4.1.0-rc2

Released: 30th of October 2017

The second Release Candidate contains several correctness fixes for DNSSEC, mostly in the area of verifying negative responses.

Improvements

Bug Fixes

4.1.0-rc1

Released: 9th of October 2017

The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

Improvements

Bug Fixes

4.1.0-alpha1

Released: 18th of July 2017

This is the first release of the PowerDNS Recursor in the 4.1 release train. This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.

New Features

Improvements

Bug Fixes