git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/recursordist/docs/changelog/4.1.rst
Merge pull request #11431 from jroessler-ox/docs-kskzskroll-update

Changelogs for 4.1.x
====================

**Note**: 4.1.x and earlier releases are End of Life and no longer supported.
See :doc:`EOL Statements <../appendices/EOL>`.

.. changelog::
  :version: 4.1.18
  :released: 13th of October 2020

  .. change::
    :tags: Bug Fixes
    :pullreq: 9601

    Backport of CVE-2020-25829: Cache pollution.

.. changelog::
  :version: 4.1.17
  :released: 1st of July 2020

  .. change::
    :tags: Bug Fixes
    :pullreq: 9283

    Backport of CVE-2020-14196: Enforce webserver ACL.

  .. change::
    :tags: Bug Fixes
    :pullreq: 9129
    :tickets: 9127, 8640

    Fix compilation on systems that do not define HOST_NAME_MAX.

.. changelog::
  :version: 4.1.16
  :released: 19th of May 2020

  .. change::
    :tags: Bug Fixes
    :pullreq: 9117

    Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and
    CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.

  .. change::
    :tags: Internals
    :pullreq: 8809

    Update python dependencies for docs generation.

  .. change::
    :tags: Improvements
    :pullreq: 8868

    Only log qname parsing errors when 'log-common-errors' is set.

  .. change::
    :tags: Internals
    :pullreq: 8753

    Update boost.m4.

.. changelog::
  :version: 4.1.15
  :released: 6th of December 2019

  .. change::
    :tags: Bug Fixes
    :pullreq: 8554

    Backport 8525 to rec 4.1.x: Purge map of failed auths periodically by keeping a last changed timestamp.

  .. change::
    :tags: Bug Fixes
    :pullreq: 8544

    Backport 8470 to rec 4.1.x: prime NS records of root-servers.net parent (.net).

  .. change::
    :tags: Bug Fixes
    :pullreq: 8543

    Backport 8340 to rec 4.1.x: issue with "zz" abbreviation for IPv6 RPZ triggers.

  .. change::
    :tags: Bug Fixes
    :pullreq: 8542

    Backport 7068 to 4.1.x: Do the edns data dump for all threads.

  .. change::
    :tags: Internals
    :pullreq: 8123

    Backport #7951 to 4.1.x: update boost.m4.

.. changelog::
  :version: 4.1.14
  :released: 13th of June 2019

  .. change::
    :tags: Improvements
    :pullreq: 7906

    Add statistics counters for AD and CD queries.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7912

    Add missing getregisteredname Lua function.

.. changelog::
  :version: 4.1.13
  :released: 21st of May 2019

  .. change::
    :tags: Improvements, Performance
    :pullreq: 7673
    :tickets: 7661

    Add the ``disable-real-memory-usage`` setting to skip expensive
    collection of detailed memory usage info.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 7816
    :tickets: 7714

    Fix DNSSEC validation of wildcards expanded onto themselves.

.. changelog::
  :version: 4.1.12
  :released: 2nd of April 2019

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 7495
    :tickets: 7494

    Correctly interpret an empty AXFR response to an IXFR query.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7647

    Provide CPU usage statistics per thread (worker & distributor).

  .. change::
    :tags: Improvements, Internals, Performance
    :pullreq: 7634
    :tickets: 7507

    Use a bounded load-balancing algorithm to distribute queries.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7651
    :tickets: 7631, 7572

    Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.

.. changelog::
  :version: 4.1.11
  :released: 1st of February 2019

  Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message.

  .. change::
    :tags: Improvements
    :pullreq: 7434

    Add an option to export only responses over protobuf to the Lua :func:`protobufServer` directive.

  .. change::
    :tags: Improvements
    :pullreq: 7430
    :tickets: 7428

    Reduce system call usage in protobuf logging. (See #7428.)

.. changelog::
  :version: 4.1.10
  :released: 24th of January 2019

  This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you're installing it as a package from our repositories.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7403

    PowerDNS Recursor release 4.1.9 introduced a call to the Lua :func:`ipfilter` hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.

.. changelog::
  :version: 4.1.9
  :released: 21st of January 2019

  This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor:

  - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8;
  - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.

  The issues are:

  - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua;
  - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7397

    Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2019-01 <../security-advisories/powerdns-advisory-2019-01>`). Validate records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`).

  .. change::
    :tags: Improvements
    :pullreq: 7377
    :tickets: 7383

    Try another worker before failing if the first pipe was full.

.. changelog::
  :version: 4.1.8
  :released: 26th of November 2018

  This release fixes :doc:`Security Advisory 2018-09 <../security-advisories/powerdns-advisory-2018-09>` that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.

  The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.

  When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7221

    Crafted query can cause a denial of service (CVE-2018-16855, PowerDNS Security Advisory :doc:`2018-09 <../security-advisories/powerdns-advisory-2018-09>`).

.. changelog::
  :version: 4.1.7
  :released: 9th of November 2018

  This release updates the mitigation for :doc:`Security Advisory 2018-07 <../security-advisories/powerdns-advisory-2018-07>`, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.

  .. change::
    :tags: Improvements
    :pullreq: 7172

    Revert 'Keep the EDNS status of a server on FormErr with EDNS'.

  .. change::
    :tags: Improvements
    :pullreq: 7174

    Refuse queries for all meta-types.

.. changelog::
  :version: 4.1.6
  :released: 7th of November 2018

  This release reverts `#6980 <https://github.com/PowerDNS/pdns/pull/6980>`__, which could lead to DNSSEC validation issues.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7159
    :tickets: 7158

    Revert "rec: Authority records in AA=1 CNAME answer are authoritative".

.. changelog::
  :version: 4.1.5
  :released: 6th of November 2018

  This release fixes the following security advisories:

  - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851)
  - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626)
  - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`).

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`).

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`).

  Additionally there are some other minor fixes and improvements listed below.

  .. change::
    :tags: Improvements, Lua
    :pullreq: 6919
    :tickets: 6848

    Add pdnslog to lua configuration scripts (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6961
    :tickets: 6960

    Cleanup the netmask trees used for the ecs index on removals.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6963
    :tickets: 6605

    Make sure that the ECS scope from the auth is < the source.

  .. change::
    :tags: Bug Fixes, RPZ, Internals
    :pullreq: 6984
    :tickets: 6792

    Delay the creation of rpz threads until we have dropped privileges.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6980
    :tickets: 6979

    Authority records in aa=1 cname answer are authoritative.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 7073

    Avoid a memory leak in catch-all exception handler.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6741
    :tickets: 6340

    Don't require authoritative answers for forward-recurse zones.

  .. change::
    :tags: Improvements
    :pullreq: 6948
    :tickets: 6943

    Fix compilation with libressl 2.7.0+.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6917

    Release memory in case of error in the openssl ecdsa constructor.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6925
    :tickets: 6924

    Convert a few uses to toLogString to print DNSName's that may be empty in a safer manner.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6945

    Avoid a crash on DEC Alpha systems.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6951
    :tickets: 6949

    Clear all caches on (N)TA changes.

  .. change::
    :tags: Improvements
    :pullreq: 7004
    :tickets: 6989, 6991

    Export outgoing ECS value and server ID in protobuf (if any).

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7122
    :tickets: 7040

    Switch to devtoolset 7 for el6.

  .. change::
    :tags: Improvements
    :pullreq: 7125
    :tickets: 7081

    Allow the signature inception to be off by a number of seconds. (Kees Monshouwer)

.. changelog::
  :version: 4.1.4
  :released: 31st of August 2018

  .. change::
    :tags: Improvements
    :pullreq: 6436

    Split ``pdns_enable_unit_tests``. (Chris Hofstaedtler)

  .. change::
    :tags: Bug Fixes
    :pullreq: 6465
    :tickets: 6462

    Don't account chained queries more than once.

  .. change::
    :tags: Improvements
    :pullreq: 6518

    Add a new :ref:`setting-max-udp-queries-per-round` setting.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6557
    :tickets: 6536

    Make :doc:`../../manpages/rec_control.1` respect :ref:`setting-include-dir`.

  .. change::
    :tags: Improvements
    :pullreq: 6590

    Fix warnings reported by gcc 8.1.0.

  .. change::
    :tags: Improvements
    :pullreq: 6809

    Tests: replace awk command by perl.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6812
    :tickets: 6567

    Load lua scripts only in worker threads.

  .. change::
    :tags: Improvements
    :pullreq: 6720

    Allow the snmp thread to retrieve statistics.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6873

    Purge all auth/forward zone data including subtree. (@phonedph1)

.. changelog::
  :version: 4.1.3
  :released: 22nd of May 2018

  This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6469

    Respect the ``AXFR`` timeout while connecting to the ``RPZ`` server.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6467

    Don't increase the ``DNSSEC`` validations counters when running with ``process-no-validate``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6313

    Count a lookup into an internal auth zone as a cache miss.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6588
    :tickets: 6237

    Delay the loading of ``RPZ`` zones until the parsing is done, fixing a race condition.

  .. change::
    :tags: Improvements
    :pullreq: 6567

    Move carbon/webserver/control/stats handling to a separate thread.

  .. change::
    :tags: Improvements
    :pullreq: 6566

    Use a separate, non-blocking pipe to distribute queries.

  .. change::
    :tags: Improvements
    :pullreq: 6562
    :tickets: 6550

    Add a subtree option to the :doc:`API <../http-api/index>` cache flush endpoint.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6595
    :tickets: 6542, 6516, 6358, 6517

    Reorder includes to avoid boost ``L`` conflict.

  .. change::
    :tags: Improvements
    :pullreq: 6611
    :tickets: 6130, 6610

    Update copyright years to 2018 (Matt Nordhoff).

  .. change::
    :tags: Improvements
    :pullreq: 6596, 6478
    :tickets: 6474

    Fix a warning on botan >= 2.5.0.

  .. change::
    :tags: Improvements
    :pullreq: 6583

    Add ``_raw`` versions for ``QName`` / ``ComboAddresses`` to the ``FFI`` API.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6586
    :tickets: 6505

    Use canonical ordering in the ``ECS`` index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6514, 6630

    Add ``-rdynamic`` to ``C{,XX}FLAGS`` when we build with ``LuaJIT``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6418
    :tickets: 6179

    Increase ``MTasker`` stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6419
    :tickets: 6086

    Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6850
    :tickets: 6849

    Disable only our own tcp listening socket when reuseport is enabled.

.. changelog::
  :version: 4.1.2
  :released: 29th of March 2018

  This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.

  .. change::
    :tags: Improvements
    :pullreq: 6298, 6303, 6290, 6268

    Add the option to set the AXFR timeout for RPZs.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6336, 6237, 6293
    :tickets: 6238

    Retry loading RPZ zones from server when they fail initially.

  .. change::
    :tags: Improvements
    :pullreq: 6172

    IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6300

    Fix ECS-based cache entry refresh code.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6320
    :tickets: 6319

    Fix ECS-specific NS AAAA not being returned from the cache.

  .. change::
    :tags: Improvements
    :pullreq: 6379
    :tickets: 6225

    Add :doc:`RPZ statistics endpoint <../http-api/endpoint-rpz-stats>` to the :doc:`API <../http-api/index>`.

  .. change::
    :tags: New Features
    :pullreq: 6344

    Add FFI version of :func:`gettag`.

.. changelog::
  :version: 4.1.1
  :released: 22nd of January 2018

  This is the second release in the 4.1 train.

  This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__.

  This is a release on the stable branch, containing a fix for the
  above-mentioned security issue and several bug fixes from the
  development branch.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6215

    Correctly handle ancestor delegation NSEC{,3} for children. Fixes
    the DNSSEC validation issue found in Knot Resolver, where a NSEC{3}
    ancestor delegation is wrongly used to prove the non-existence of a
    RR below the delegation.
    We already had the correct check for the exact owner name, but not
    for RRs below the delegation.
    (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 6209
    :tickets: 6212

    Fix to make ``primeHints`` threadsafe, otherwise there's a small
    chance on startup that the root-server IPs will be incorrect.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 6085
    :tickets: 6198

    Don't process records for another class than IN. We don't use
    records of another class than IN, but we used to store some of them
    in the cache, which is useless. Just skip them.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6092
    :tickets: 6199

    Fix the computation of the closest encloser for positive
    answers. When the positive answer is expanded from a wildcard with
    NSEC3, the closest encloser is not always the parent of the qname,
    depending on the number of labels in the initial wildcard.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6095
    :tickets: 6200

    Pass the correct buffer size to ``arecvfrom()``. The incorrect size
    could possibly cause DNSSEC failures.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6137
    :tickets: 6201

    Don't validate signature for "glue" CNAME, since anything else than
    the initial CNAME can't be considered authoritative.

.. changelog::
  :version: 4.1.0
  :released: 4th of December 2017

  This is the first release in the 4.1 train.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__.

  This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine-grained scopes (as used by some ‘country sized’ service providers).

  - Improved DNSSEC support,
  - Improved documentation,
  - Improved RPZ support,
  - Improved EDNS Client Subnet support,
  - Support for Botan 2.x (and removal of support for Botan 1.10),
  - SNMP support,
  - Lua engine has gained access to more parts of the recursor,
  - CPU affinity can now be specified,
  - TCP Fast Open support,
  - New performance metrics.

  Changes since 4.1.0-rc3:

  .. change::
    :tags: Internals, DNSSEC, Bug Fixes
    :pullreq: 5972

    Dump the validation status of negcache entries, fix DNSSEC type.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5980

    Cache Secure validation state when inserting negcache entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5978

    Fix DNSSEC validation of DS denial from the negative cache.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5997

    Store additional records as non-auth, even on AA=1 answers.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6008

    Don't leak when loading a public ECDSA key fails.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6009

    When validating DNSKeys, the zone should be part of the signer.

.. changelog::
  :version: 4.1.0-rc3
  :released: 17th of November 2017

  The third Release Candidate adds support for Botan 2.x (and removes
  support for Botan 1.10!), has a lot of DNSSEC fixes, features a
  cleaned up web UI and has miscellaneous minor improvements.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5877
    :tickets: 1066

    Sort NS addresses by speed and remove old ones.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5498
    :tickets: 2250, 5797

    Add support for Botan 2.x and remove support for Botan 1.10.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5896

    Purge ``nsSpeeds`` entries even if we get less than 2 new entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5889

    Prevent possible downgrade attacks in the recursor.

  .. change::
    :tags: Improvements
    :pullreq: 5876

    Print more details of trust anchors. In addition, the
    :ref:`setting-trace` output that mentions if data from authoritative
    servers gets accepted now also prints the TTL and clarifies the
    'place' number previously printed.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5885
    :tickets: 5882

    Split NODATA / NXDOMAIN NSEC wildcard denial proof of
    existence. Otherwise there is a very real risk that a NSEC will
    cover a more specific wildcard and we end up with what looks like a
    NXDOMAIN proof but is a NODATA one.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5904

    Fix incomplete validation of cached entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5912

    Fix going Insecure on NSEC3 hashes with too many iterations, since
    we could have gone Bogus on a positive answer synthesized from a
    wildcard if the corresponding NSEC3 had more iterations than we were
    willing to accept, while the correct result is Insecure.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5881
    :tickets: 5618

    Add EDNS to truncated, servfail answers.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5616

    Better support for deleting entries in ``NetmaskTree`` and
    ``NetmaskGroup``.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5917

    Use ``_exit()`` when we *really* want to exit, for example
    after a fatal error. This stops us dying while we die. A call to
    ``exit()`` will trigger destructors, which may paradoxically stop
    the process from exiting, taking down only one thread, but harming
    the rest of the process.

  .. change::
    :tags: Lua, DNSSEC, Improvements
    :pullreq: 5895
    :tickets: 5888

    Add the DNSSEC validation state to the ``DNSQuestion`` Lua object
    (although the ability to update the validation state from these
    hooks is postponed to after 4.1.0).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5930

    In the recursor secpoll code, we assumed the TXT record would be the
    first record we received. Sometimes it was the RRSIG,
    leading to a silent error, and no secpoll check. Fixed the
    assumption, added an error.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5938

    Don't crash when asked to run with zero threads.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5939
    :tickets: 5934

    Only accept types not matching the query if we asked for ANY, even
    from forward-recurse servers.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5937
    :tickets: 2758

    Allow the use of a 'self-resolving' NS if cached A / AAAA
    exists. Before this, we could skip a perfectly valid NS for which we
    had retrieved the A and / or AAAA entries, for example via a glue.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5961

    Add the config-name argument to the definition of configname. There
    was a bug where the config-name parameter was not used to change the
    path of the config file. This meant that some commands via
    rec_control (e.g. reload-acls) would fail when run against a
    recursor which had config-name defined. The correct behaviour was
    present in some, but not all, definitions of configname. (@jake2184)

.. changelog::
  :version: 4.1.0-rc2
  :released: 30th of October 2017

  The second Release Candidate contains several correctness fixes for DNSSEC,
  mostly in the area of verifying negative responses.

  .. change::
    :tags: API, Improvements
    :pullreq: 5805

    Improve logging for the built-in :doc:`webserver <../../http-api/index>`
    and the :ref:`Carbon <metricscarbon>` sender.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5808

    Check that the NSEC covers an empty non-terminal when looking for NODATA.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 5824
    :tickets: 5663

    New b.root ipv4 address (Kees Monshouwer).

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5740

    Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set.

  .. change::
    :tags: DNSSEC, Improvements
    :pullreq: 5834

    Don't directly store NSEC3 records in the positive cache.

  .. change::
    :tags: Improvements
    :pullreq: 5774

    Add :ref:`experimental metrics <stat-x-our-latency>` that track the time spent inside PowerDNS per query.
    These metrics ignore time spent waiting for the network.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5835
    :tickets: 5827

    Disable validation for infrastructure queries (e.g. when recursing for a name).
    Also validate entries from the Negative cache if they were not validated before.

  .. change::
    :tags: Improvements
    :pullreq: 5842

    Add :ref:`setting-log-timestamp` setting. This option can be used to disable
    printing timestamps to stdout; this is useful when using ``systemd-journald``
    or another supervisor that timestamps output by itself.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5762
    :tickets: 5439

    Create :ref:`setting-socket-dir` from the init-script.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5868
    :tickets: 5861

    Fix DNSSEC validation for denial of wildcards in negative answers and
    denial of existence proofs in wildcard-expanded positive responses.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5873

    Fix DNSSEC validation when using ``-flto``.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5803

    Fix crashes with uncaught exceptions in MThreads.

.. changelog::
  :version: 4.1.0-rc1
  :released: 9th of October 2017

  The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

  While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

  .. change::
    :tags: Bug Fixes
    :pullreq: 5530

    Add a missing header for PRId64 in the negative cache, required on EL5/EL6.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5543

    Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Chris Hofstaedtler for reviewing!)

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5545

    Add more unit tests for the NetmaskTree and ECS cache index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5549

    Prevent an infinite loop if we need auth and the best match is not.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5570

    Be more careful about the validation of negative answers.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5569

    Don't fetch the DNSKEY of a zone to validate the DS of the same zone.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5599
    :tickets: 5456

    Fix libatomic detection on ppc64. (Sander Hoentjen)

  .. change::
    :tags: Improvements
    :pullreq: 5588

    Switch the default webserver's ACL to ``127.0.0.1, ::1``.

  .. change::
    :tags: Improvements
    :pullreq: 5598
    :tickets: 5524

    Add help text on autodetecting systemd support. (Ruben Kerkhof, thanks for reporting!)

  .. change::
    :tags: Bug Fixes
    :pullreq: 5615
    :tickets: 5357

    Fix sortlist in the presence of CNAME. (Benoit Perroud, thanks for
    reporting this issue!)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5614

    Improve DNSSEC debug logging.

  .. change::
    :tags: Improvements
    :pullreq: 5622

    Add ``log-rpz-changes`` to log RPZ additions and removals.

  .. change::
    :tags: Improvements
    :pullreq: 5621

    Log the policy type (QName, Client IP, NS IP...) over protobuf.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5515

    Fix cache handling of ECS queries with a source length of 0.

  .. change::
    :tags: Improvements
    :pullreq: 5637

    Remove unused SortList compare operator for ComboAddress.

  .. change::
    :tags: Improvements
    :pullreq: 5620

    Add support for dumping the in-memory RPZ zones to a file.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5328
    :tickets: 5327

    Handle SNMP alarms so we can reconnect to the master.

  .. change::
    :tags: Improvements
    :pullreq: 5646

    Support for identifying devices by id such as mac address.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5662

    Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5672
    :tickets: 5649

    Add NSEC records on nx-trust cache hits.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5671
    :tickets: 5650

    Handle NSEC wrap-around.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5670
    :tickets: 5648, 5651

    Fix erroneous check for section 4.1 of RFC 6840.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5715
    :tickets: 5705

    Handle direct NSEC queries.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5739

    Remove pdns.PASS and pdns.TRUNCATE.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5734

    Fix a crash when getting a public GOST key if the private one is not set.

  .. change::
    :tags: Improvements
    :pullreq: 5699

    Implement dynamic cache sizing.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5716
    :tickets: 5681

    Detect zone cuts by asking for DS instead of NS.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5738
    :tickets: 5735

    Do not allow direct queries for RRSIG or NSEC3.

  .. change::
    :tags: Improvements
    :pullreq: 5755

    Improve dnsbulktest experience in Travis for more robustness.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5756

    Improve ``--quiet=false`` output to include DNSSEC and more timing details.

  .. change::
    :tags: Improvements
    :pullreq: 5772

    Set ``TC=1`` if we had to omit part of the AUTHORITY section.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5771

    The target zone being Insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5733

    Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
1130 .. change::
1131 :tags: Bug Fixes, DNSSEC
1132 :pullreq: 5715
1133 :tickets: 5705
1134
1135 Handle direct NSEC queries.
1136
1137 .. change::
1138 :tags: Bug Fixes
1139 :pullreq: 5739
1140
1141 Remove pdns.PASS and pdns.TRUNCATE.
1142
1143 .. change::
1144 :tags: Bug Fixes
1145 :pullreq: 5734
1146
1147 Fix a crash when getting a public GOST key if the private one is not set.
1148
1149 .. change::
1150 :tags: Improvements
1151 :pullreq: 5699
1152
ef2ea4bf 1153 Implement dynamic cache sizing.
ef75af13
EW
1154
1155 .. change::
1156 :tags: Bug Fixes, DNSSEC
1157 :pullreq: 5716
1158 :tickets: 5681
1159
1160 Detect zone cuts by asking for DS instead of NS.
1161
1162 .. change::
1163 :tags: Bug Fixes, DNSSEC
1164 :pullreq: 5738
1165 :tickets: 5735
1166
1167 Do not allow direct queries for RRSIG or NSEC3.
1168
1169 .. change::
1170 :tags: Improvements
1171 :pullreq: 5755
1172
1173 Improve dnsbulktest experience in Travis for more robustness.
1174
1175 .. change::
1176 :tags: Improvements, DNSSEC
1177 :pullreq: 5756
1178
1179 Improve ``--quiet=false`` output to include DNSSEC and more timing details.
1180
1181 .. change::
1182 :tags: Improvements
1183 :pullreq: 5772
1184
1185 Set ``TC=1`` if we had to omit part of the AUTHORITY section.
1186
1187 .. change::
1188 :tags: Bug Fixes, DNSSEC
1189 :pullreq: 5771
1190
1191 The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure..
1192
1193 .. change::
1194 :tags: Improvements, DNSSEC
1195 :pullreq: 5733
1196
1197 Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
1198
1199 .. change::
1200 :tags: Bug Fixes
1201 :pullreq: 5773
1202
1203 Don't negcache entries for longer than their RRSIG validity.
1204
1205 .. change::
1206 :tags: Improvements
1207 :pullreq: 5764
1208
cb264691 1209 autoconf: set ``--with-libsodium`` to ``auto``.
ef75af13
EW
1210
1211 .. change::
1212 :tags: Bug Fixes
1213 :pullreq: 5792
1214
1215 Gracefully handle Socket::accept() returning a null pointer on EAGAIN.
4eed8fc6 1216
.. changelog::
  :version: 4.1.0-alpha1
  :released: 18th of July 2017

  This is the first release of the PowerDNS Recursor in the 4.1 release train.
  This release contains several performance and correctness improvements in the EDNS Client Subnet area, as well as better DNSSEC processing.

  .. change::
    :tags: New Features
    :pullreq: 5138
    :tickets: 5128

    Add server-side TCP Fast Open support.
    This adds a new option :ref:`setting-tcp-fast-open`.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag` to allow a script to take different actions depending on whether a query came in over TCP or UDP.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5223, 5463, 5486, 5528
    :tickets: 4254, 4362, 4490, 4994

    Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable.

  .. change::
    :tags: New Features
    :pullreq: 5063
    :tickets: 2818

    Implement CNAME wildcards in the recursor authoritative component.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5078
    :tickets: 4939, 5075

    Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.

  .. change::
    :tags: Bug Fixes
    :pullreq: 4860

    Fix :class:`DNSQuestion` member alterations from Lua not being taken into account.

  .. change::
    :tags: Bug Fixes, Protobuf
    :pullreq: 4984
    :tickets: 4969

    Fix ``remote``/``local`` inversion in :func:`preoutquery`.

  .. change::
    :tags: New Features, Scripting
    :pullreq: 4982
    :tickets: 4981

    Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.

  .. change::
    :tags: New Features, SNMP
    :pullreq: 4990, 5404

    Add :ref:`SNMP <snmp>` support.

  .. change::
    :tags: Improvements
    :pullreq: 5106

    Split ``SyncRes::doResolveAt``, adding ``const`` and ``static`` wherever possible, which possibly improves performance while making the code easier to maintain.

  .. change::
    :tags: Improvements
    :pullreq: 5102

    Packet cache speedup and cleanup.

  .. change::
    :tags: Improvements
    :pullreq: 5146

    Make Lua mandatory for recursor builds.

  .. change::
    :tags: Improvements, Performance
    :pullreq: 5103, 5487

    Use one listening socket per thread when reuseport is enabled.

  .. change::
    :tags: Improvements, RPZ
    :pullreq: 5057

    Use the RPZ zone's TTL and add a new ``maxTTL`` setting.

  .. change::
    :tags: Improvements, Lua
    :pullreq: 5141

    Stop (de)serializing :attr:`DNSQuestion.data`.

  .. change::
    :tags: New Features, Lua
    :pullreq: 5198
    :tickets: 5195

    Allow access to EDNS options from the :func:`gettag` hook.

  .. change::
    :tags: Improvements
    :pullreq: 5226

    Refactor the negative cache into a class.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5209

    Ensure locks cannot be copied.

  .. change::
    :tags: Improvements, RPZ
    :pullreq: 5275, 5307
    :tickets: 5231, 5236

    RPZ updates are done zone by zone; zones are now shared pointers.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5252
    :tickets: 5246

    Only apply :ref:`setting-root-nx-trust` if the received SOA is ".".

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5312

    Don't throw an exception when logging to protobuf without a question set.

  .. change::
    :tags: New Features, Lua
    :pullreq: 5293

    Allow retrieving stats from Lua via the :func:`getStat` call.

  .. change::
    :tags: New Features, RPZ
    :pullreq: 5265
    :tickets: 5237

    Add support for RPZ wildcarded target names.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5320

    Correctly truncate EDNS Client Subnet masks.

  .. change::
    :tags: Improvements
    :pullreq: 5319

    Only check the netmask for subnet-specific cache entries.

  .. change::
    :tags: Improvements
    :pullreq: 5236

    Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand.
    Get rid of ``SyncRes::d_nocache``, making sure we can't get into a root refresh loop.
    Limit the use of global variables in ``SyncRes``, to make it easier to understand the interaction between components.

  .. change::
    :tags: Improvements, EDNS Client Subnet
    :pullreq: 5461, 5472

    Add an ECS index to the cache.

  .. change::
    :tags: New Features, EDNS Client Subnet
    :pullreq: 5409

    Add ECS metrics.

  .. change::
    :tags: Improvements, EDNS Client Subnet, DNSSEC
    :pullreq: 5484

    Use ECS when updating the validation state if needed.

  .. change::
    :tags: Bug Fixes, API
    :pullreq: 5466
    :tickets: 5398

    Clean up auth/recursor code mismatches in the API (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5474
    :tickets: 5474

    Only increase ``no-packet-error`` on the first read.

  .. change::
    :tags: Improvements
    :pullreq: 5511

    When dumping the cache, also dump RRSIGs.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5525

    Fix validation at the exact RRSIG inception or expiration time.

  .. change::
    :tags: Improvements
    :pullreq: 5485

    Don't always override :ref:`setting-loglevel` to 6.

  .. change::
    :tags: Improvements
    :pullreq: 5406, 5530

    Make more specific Netmasks compare as ``<`` (less than) less specific ones.

  .. change::
    :tags: New Features
    :pullreq: 5482

    Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread.