Commit | Line | Data |
---|---|---|
223bb49e PL |
1 | Changelogs for 4.1.x |
2 | ==================== | |
3 | ||
6ef20ac4 EW |
4 | .. changelog:: |
5 | :version: 4.1.12 | |
6 | :released: 2nd of April 2019 | |
7 | ||
8 | .. change:: | |
9 | :tags: Bug Fixes, Internals | |
10 | :pullreq: 7495 | |
11 | :tickets: 7494 | |
12 | ||
13 | Correctly interpret an empty AXFR response to an IXFR query. | |
14 | ||
15 | .. change:: | |
16 | :tags: Improvements, Internals | |
17 | :pullreq: 7647 | |
18 | ||
19 | Provide CPU usage statistics per thread (worker & distributor). | |
20 | ||
21 | .. change:: | |
22 | :tags: Improvements, Internals, Performance | |
23 | :pullreq: 7634 | |
24 | :tickets: 7507 | |
25 | ||
26 | Use a bounded load-balancing algo to distribute queries. | |
27 | ||
28 | .. change:: | |
29 | :tags: Improvements, Internals | |
30 | :pullreq: 7651 | |
31 | :tickets: 7631, 7572 | |
32 | ||
33 | Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all. | |
34 | ||
f537e4a5 | 35 | .. changelog:: |
36 | :version: 4.1.11 | |
37 | :released: 1st of February 2019 | |
38 | ||
39 | Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message. | |
40 | ||
41 | .. change:: | |
42 | :tags: Improvements | |
43 | :pullreq: 7434 | |
44 | ||
45 | Add an option to export only responses over protobuf to the Lua :func:`protobufServer` directive. | |
46 | ||
47 | .. change:: | |
48 | :tags: Improvements | |
49 | :pullreq: 7430 | |
50 | :tickets: 7428 | |
51 | ||
52 | Reduce systemcall usage in protobuf logging. (See #7428.) | |
53 | ||
92c83c1d EW |
54 | .. changelog:: |
55 | :version: 4.1.10 | |
56 | :released: 24th of January 2019 | |
57 | ||
d66fab2e | 58 | This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you're installing it as a package from our repositories. |
92c83c1d EW |
59 | |
60 | .. change:: | |
61 | :tags: Bug Fixes | |
62 | :pullreq: 7403 | |
63 | ||
64 | PowerDNS Recursor release 4.1.9 introduced a call to the Lua :func:`ipfilter` hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled. | |
65 | ||
639a343d RG |
66 | .. changelog:: |
67 | :version: 4.1.9 | |
68 | :released: 21st of January 2019 | |
69 | ||
70 | This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor: | |
71 | - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8; | |
72 | - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8. | |
73 | ||
74 | The issues are: | |
75 | - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua; | |
76 | - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. | |
77 | ||
78 | .. change:: | |
79 | :tags: Bug Fixes | |
80 | :pullreq: 7397 | |
81 | ||
82 | Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2019-01 <../security-advisories/powerdns-advisory-2019-01>`). Validates records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`). | |
83 | ||
84 | .. change:: | |
85 | :tags: Improvements | |
86 | :pullreq: 7377 | |
87 | :tickets: 7383 | |
88 | ||
89 | Try another worker before failing if the first pipe was full | |
90 | ||
4b786673 | 91 | .. changelog:: |
92 | :version: 4.1.8 | |
93 | :released: 26th of November 2018 | |
94 | ||
95 | This release fixes :doc:`Security Advisory 2018-09 <../security-advisories/powerdns-advisory-2018-09>` that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7. | |
96 | ||
97 | The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash. | |
98 | ||
99 | When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service. | |
100 | ||
101 | .. change:: | |
102 | :tags: Bug Fixes | |
103 | :pullreq: 7221 | |
104 | ||
105 | Crafted query can cause a denial of service (CVE-2018-16855, PowerDNS Security Advisory :doc:`2018-09 <../security-advisories/powerdns-advisory-2018-09>`) | |
106 | ||
d5603336 PD |
107 | .. changelog:: |
108 | :version: 4.1.7 | |
109 | :released: 9th of November 2018 | |
110 | ||
111 | This release updates the mitigation for :doc:`Security Advisory 2018-07 <../security-advisories/powerdns-advisory-2018-07>`, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet. | |
112 | ||
113 | .. change:: | |
114 | :tags: Improvements | |
115 | :pullreq: 7172 | |
116 | ||
117 | Revert 'Keep the EDNS status of a server on FormErr with EDNS' | |
118 | ||
119 | .. change:: | |
120 | :tags: Improvements | |
121 | :pullreq: 7174 | |
122 | ||
123 | Refuse queries for all meta-types | |
124 | ||
49b2577f PL |
125 | .. changelog:: |
126 | :version: 4.1.6 | |
127 | :released: 7th of November 2018 | |
128 | ||
129 | This release reverts `#6980 <https://github.com/PowerDNS/pdns/pull/6980>`__, as it could lead to DNSSEC validation issues. | |
130 | ||
131 | .. change:: | |
132 | :tags: Bug Fixes | |
133 | :pullreq: 7159 | |
134 | :tickets: 7158 | |
135 | ||
136 | Revert "rec: Authority records in AA=1 CNAME answer are authoritative". | |
137 | ||
27e94792 EW |
138 | .. changelog:: |
139 | :version: 4.1.5 | |
140 | :released: 6th of November 2018 | |
141 | ||
142 | This release fixes the following security advisories: | |
143 | ||
144 | - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851) | |
145 | - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626) | |
146 | - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644) | |
147 | ||
148 | .. change:: | |
149 | :tags: Bug Fixes | |
3ad24d7d | 150 | :pullreq: 7151 |
27e94792 EW |
151 | |
152 | Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`) | |
153 | ||
154 | .. change:: | |
155 | :tags: Bug Fixes | |
3ad24d7d | 156 | :pullreq: 7151 |
27e94792 EW |
157 | |
158 | Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`) | |
159 | ||
160 | .. change:: | |
161 | :tags: Bug Fixes | |
3ad24d7d | 162 | :pullreq: 7151 |
27e94792 EW |
163 | |
164 | Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`) | |
165 | ||
166 | Additionally there are some other minor fixes and improvements listed below. | |
167 | ||
168 | .. change:: | |
169 | :tags: Improvements, Lua | |
170 | :pullreq: 6919 | |
171 | :tickets: 6848 | |
172 | ||
173 | Add pdnslog to lua configuration scripts (Chris Hofstaedtler) | |
174 | ||
175 | .. change:: | |
176 | :tags: Bug Fixes | |
177 | :pullreq: 6961 | |
178 | :tickets: 6960 | |
179 | ||
180 | Cleanup the netmask trees used for the ecs index on removals | |
181 | ||
182 | .. change:: | |
183 | :tags: Bug Fixes | |
184 | :pullreq: 6963 | |
185 | :tickets: 6605 | |
186 | ||
187 | Make sure that the ECS scope from the auth is < to the source | |
188 | ||
189 | .. change:: | |
190 | :tags: Bug Fixes, RPZ, Internals | |
191 | :pullreq: 6984 | |
192 | :tickets: 6792 | |
193 | ||
194 | Delay the creation of rpz threads until we have dropped privileges | |
195 | ||
196 | .. change:: | |
197 | :tags: Bug Fixes | |
198 | :pullreq: 6980 | |
199 | :tickets: 6979 | |
200 | ||
201 | Authority records in aa=1 cname answer are authoritative | |
202 | ||
203 | .. change:: | |
204 | :tags: Bug Fixes, Internals | |
205 | :pullreq: 7073 | |
206 | ||
207 | Avoid a memory leak in catch-all exception handler | |
208 | ||
209 | .. change:: | |
210 | :tags: Bug Fixes | |
211 | :pullreq: 6741 | |
212 | :tickets: 6340 | |
213 | ||
214 | Don't require authoritative answers for forward-recurse zones | |
215 | ||
216 | .. change:: | |
217 | :tags: Improvements | |
218 | :pullreq: 6948 | |
219 | :tickets: 6943 | |
220 | ||
221 | Fix compilation with libressl 2.7.0+ | |
222 | ||
223 | .. change:: | |
224 | :tags: Bug Fixes, Internals | |
225 | :pullreq: 6917 | |
226 | ||
227 | Release memory in case of error in the openssl ecdsa constructor | |
228 | ||
229 | .. change:: | |
230 | :tags: Bug Fixes | |
231 | :pullreq: 6925 | |
232 | :tickets: 6924 | |
233 | ||
234 | Convert a few uses to toLogString to print DNSName's that may be empty in a safer manner | |
235 | ||
236 | .. change:: | |
237 | :tags: Bug Fixes, Internals | |
238 | :pullreq: 6945 | |
239 | ||
240 | Avoid a crash on DEC Alpha systems | |
241 | ||
242 | .. change:: | |
243 | :tags: Bug Fixes, Internals | |
244 | :pullreq: 6951 | |
245 | :tickets: 6949 | |
246 | ||
247 | Clear all caches on (N)TA changes | |
248 | ||
249 | .. change:: | |
250 | :tags: Improvements | |
251 | :pullreq: 7004 | |
252 | :tickets: 6989, 6991 | |
253 | ||
254 | Export outgoing ECS value and server ID in protobuf (if any) | |
255 | ||
256 | .. change:: | |
257 | :tags: Improvements, Internals | |
258 | :pullreq: 7122 | |
259 | :tickets: 7040 | |
260 | ||
261 | Switch to devtoolset 7 for el6 | |
262 | ||
263 | .. change:: | |
264 | :tags: Improvements | |
265 | :pullreq: 7125 | |
266 | :tickets: 7081 | |
267 | ||
268 | Allow the signature inception to be off by a number of seconds. (Kees Monshouwer) | |
269 | ||
40713bf0 PL |
270 | .. changelog:: |
271 | :version: 4.1.4 | |
272 | :released: 31st of August 2018 | |
273 | ||
274 | .. change:: | |
275 | :tags: Improvements | |
276 | :pullreq: 6436 | |
277 | ||
278 | Split ``pdns_enable_unit_tests``. (Chris Hofstaedtler) | |
279 | ||
280 | .. change:: | |
281 | :tags: Bug Fixes | |
282 | :pullreq: 6465 | |
283 | :tickets: 6462 | |
284 | ||
285 | Don't account chained queries more than once. | |
286 | ||
287 | .. change:: | |
288 | :tags: Improvements | |
289 | :pullreq: 6518 | |
290 | ||
291 | Add a new :ref:`setting-max-udp-queries-per-round` setting. | |
292 | ||
293 | .. change:: | |
294 | :tags: Bug Fixes | |
295 | :pullreq: 6557 | |
296 | :tickets: 6536 | |
297 | ||
ce2fbdac | 298 | Make :doc:`../../manpages/rec_control.1` respect :ref:`setting-include-dir`. |
40713bf0 PL |
299 | |
300 | .. change:: | |
301 | :tags: Improvements | |
302 | :pullreq: 6590 | |
303 | ||
304 | Fix warnings reported by gcc 8.1.0. | |
305 | ||
306 | .. change:: | |
307 | :tags: Improvements | |
308 | :pullreq: 6809 | |
309 | ||
310 | Tests: replace awk command by perl. | |
311 | ||
312 | .. change:: | |
313 | :tags: Bug Fixes | |
314 | :pullreq: 6812 | |
315 | :tickets: 6567 | |
316 | ||
317 | Load lua scripts only in worker threads. | |
318 | ||
319 | .. change:: | |
320 | :tags: Improvements | |
321 | :pullreq: 6720 | |
322 | ||
323 | Allow the snmp thread to retrieve statistics. | |
324 | ||
325 | .. change:: | |
326 | :tags: Bug Fixes | |
327 | :pullreq: 6873 | |
328 | ||
329 | Purge all auth/forward zone data including subtree. (@phonedph1) | |
330 | ||
5c24af87 RG |
331 | .. changelog:: |
332 | :version: 4.1.3 | |
333 | :released: 22nd of May 2018 | |
334 | ||
335 | This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache. | |
336 | ||
337 | .. change:: | |
338 | :tags: Bug Fixes | |
339 | :pullreq: 6469 | |
340 | ||
341 | Respect the ``AXFR`` timeout while connecting to the ``RPZ`` server. | |
342 | ||
343 | .. change:: | |
344 | :tags: Bug Fixes | |
345 | :pullreq: 6467 | |
346 | ||
347 | Don't increase the ``DNSSEC`` validations counters when running with ``process-no-validate``. | |
348 | ||
349 | .. change:: | |
350 | :tags: Bug Fixes | |
351 | :pullreq: 6313 | |
352 | ||
353 | Count a lookup into an internal auth zone as a cache miss. | |
354 | ||
355 | .. change:: | |
356 | :tags: Bug Fixes | |
357 | :pullreq: 6588 | |
358 | :tickets: 6237 | |
359 | ||
360 | Delay the loading of ``RPZ`` zones until the parsing is done, fixing a race condition. | |
361 | ||
362 | .. change:: | |
363 | :tags: Improvements | |
364 | :pullreq: 6567 | |
365 | ||
366 | Move carbon/webserver/control/stats handling to a separate thread. | |
367 | ||
368 | .. change:: | |
369 | :tags: Improvements | |
370 | :pullreq: 6566 | |
371 | ||
372 | Use a separate, non-blocking pipe to distribute queries. | |
373 | ||
374 | .. change:: | |
375 | :tags: Improvements | |
376 | :pullreq: 6562 | |
377 | :tickets: 6550 | |
378 | ||
379 | Add a subtree option to the :doc:`API <../http-api/index>` cache flush endpoint. | |
380 | ||
381 | .. change:: | |
382 | :tags: Bug Fixes | |
383 | :pullreq: 6595 | |
384 | :tickets: 6542, 6516, 6358, 6517 | |
385 | ||
386 | Reorder includes to avoid boost ``L`` conflict. | |
387 | ||
388 | .. change:: | |
389 | :tags: Improvements | |
390 | :pullreq: 6611 | |
391 | :tickets: 6130, 6610 | |
392 | ||
4f2e66fc RG |
393 | Update copyright years to 2018 (Matt Nordhoff). |
394 | ||
395 | .. change:: | |
396 | :tags: Improvements | |
397 | :pullreq: 6596, 6478 | |
398 | :tickets: 6474 | |
399 | ||
400 | Fix a warning on botan >= 2.5.0. | |
5c24af87 RG |
401 | |
402 | .. change:: | |
403 | :tags: Improvements | |
404 | :pullreq: 6583 | |
405 | ||
406 | Add ``_raw`` versions for ``QName`` / ``ComboAddresses`` to the ``FFI`` API. | |
407 | ||
408 | .. change:: | |
409 | :tags: Bug Fixes | |
410 | :pullreq: 6586 | |
411 | :tickets: 6505 | |
412 | ||
413 | Use canonical ordering in the ``ECS`` index. | |
414 | ||
415 | .. change:: | |
416 | :tags: Bug Fixes | |
1c5d2111 | 417 | :pullreq: 6514, 6630 |
5c24af87 RG |
418 | |
419 | Add ``-rdynamic`` to ``C{,XX}FLAGS`` when we build with ``LuaJIT``. | |
420 | ||
421 | .. change:: | |
422 | :tags: Bug Fixes | |
423 | :pullreq: 6418 | |
424 | :tickets: 6179 | |
425 | ||
426 | Increase ``MTasker`` stacksize to avoid crash in exception unwinding (Chris Hofstaedtler). | |
427 | ||
428 | .. change:: | |
429 | :tags: Bug Fixes | |
430 | :pullreq: 6419 | |
431 | :tickets: 6086 | |
432 | ||
433 | Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler). | |
434 | ||
40713bf0 PL |
435 | .. change:: |
436 | :tags: Bug Fixes | |
437 | :pullreq: 6850 | |
438 | :tickets: 6849 | |
439 | ||
440 | Disable only our own tcp listening socket when reuseport is enabled | |
441 | ||
2bd1c9e7 PL |
442 | .. changelog:: |
443 | :version: 4.1.2 | |
444 | :released: 29th of March 2018 | |
445 | ||
446 | This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet. | |
447 | ||
448 | .. change:: | |
449 | :tags: Improvements | |
450 | :pullreq: 6298, 6303, 6290, 6268 | |
451 | ||
452 | Add the option to set the AXFR timeout for RPZs. | |
453 | ||
454 | .. change:: | |
455 | :tags: Bug Fixes | |
456 | :pullreq: 6336, 6237, 6293 | |
457 | :tickets: 6238 | |
458 | ||
459 | Retry loading RPZ zones from server when they fail initially. | |
460 | ||
461 | .. change:: | |
462 | :tags: Improvements | |
463 | :pullreq: 6172 | |
464 | ||
465 | IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu). | |
466 | ||
467 | .. change:: | |
468 | :tags: Bug Fixes | |
469 | :pullreq: 6300 | |
470 | ||
471 | Fix ECS-based cache entry refresh code. | |
472 | ||
473 | .. change:: | |
474 | :tags: Bug Fixes | |
475 | :pullreq: 6320 | |
476 | :tickets: 6319 | |
477 | ||
478 | Fix ECS-specific NS AAAA not being returned from the cache. | |
479 | ||
480 | .. change:: | |
481 | :tags: Improvements | |
482 | :pullreq: 6379 | |
483 | :tickets: 6225 | |
484 | ||
485 | Add :doc:`RPZ statistics endpoint <../http-api/endpoint-rpz-stats>` to the :doc:`API <../http-api/index>`. | |
486 | ||
487 | .. change:: | |
488 | :tags: New Features | |
489 | :pullreq: 6344 | |
490 | ||
491 | Add FFI version of :func:`gettag`. | |
492 | ||
f754ca9c EW |
493 | .. changelog:: |
494 | :version: 4.1.1 | |
495 | :released: 22nd of January 2018 | |
496 | ||
497 | This is the second release in the 4.1 train. | |
498 | ||
499 | This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`. | |
500 | ||
d4961689 | 501 | The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__. |
f754ca9c | 502 | |
7ff16054 | 503 | This is a release on the stable branch, containing a fix for the |
f754ca9c EW |
504 | abovementioned security issue and several bug fixes from the |
505 | development branch. | |
506 | ||
507 | .. change:: | |
508 | :tags: DNSSEC, Bug Fixes | |
509 | :pullreq: 6215 | |
510 | ||
511 | Correctly handle ancestor delegation NSEC{,3} for children. Fixes | |
512 | the DNSSEC validation issue found in Knot Resolver, where a NSEC{3} | |
513 | ancestor delegation is wrongly used to prove the non-existence of a | |
514 | RR below the delegation. | |
515 | We already had the correct check for the exact owner name, but not | |
516 | for RRs below the delegation. | |
517 | (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`) | |
518 | ||
519 | .. change:: | |
520 | :tags: Internals, Bug Fixes | |
521 | :pullreq: 6209 | |
522 | :tickets: 6212 | |
523 | ||
524 | Fix to make ``primeHints`` threadsafe, otherwise there's a small | |
525 | chance on startup that the root-server IPs will be incorrect. | |
526 | ||
527 | .. change:: | |
528 | :tags: Internals, Improvements | |
529 | :pullreq: 6085 | |
530 | :tickets: 6198 | |
531 | ||
532 | Don't process records for another class than IN. We don't use | |
533 | records of another class than IN, but we used to store some of them | |
534 | in the cache which is useless. Just skip them. | |
535 | ||
536 | .. change:: | |
537 | :tags: DNSSEC, Bug Fixes | |
538 | :pullreq: 6092 | |
539 | :tickets: 6199 | |
540 | ||
541 | Fix the computation of the closest encloser for positive | |
542 | answers. When the positive answer is expanded from a wildcard with | |
543 | NSEC3, the closest encloser is not always parent of the qname, | |
544 | depending on the number of labels in the initial wildcard. | |
545 | ||
546 | .. change:: | |
547 | :tags: DNSSEC, Bug Fixes | |
548 | :pullreq: 6095 | |
549 | :tickets: 6200 | |
550 | ||
551 | Pass the correct buffer size to ``arecvfrom()``. The incorrect size | |
552 | could possibly cause DNSSEC failures. | |
553 | ||
554 | .. change:: | |
555 | :tags: Bug Fixes | |
556 | :pullreq: 6137 | |
557 | :tickets: 6201 | |
558 | ||
559 | Don't validate signature for "glue" CNAME, since anything else than | |
560 | the initial CNAME can't be considered authoritative. | |
561 | ||
b6a30c02 | 562 | .. changelog:: |
563 | :version: 4.1.0 | |
564 | :released: 4th of December 2017 | |
565 | ||
566 | This is the first release in the 4.1 train. | |
567 | ||
d4961689 | 568 | The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__. |
b6a30c02 | 569 | |
570 | This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers). | |
571 | ||
572 | - Improved DNSSEC support, | |
573 | - Improved documentation, | |
574 | - Improved RPZ support, | |
575 | - Improved EDNS Client Subnet support, | |
576 | - Support for Botan 2.x (and removal of support for Botan 1.10), | |
577 | - SNMP support, | |
578 | - Lua engine has gained access to more parts of the recursor, | |
579 | - CPU affinity can now be specified, | |
580 | - TCP Fast Open support, | |
581 | - New performance metrics. | |
582 | ||
583 | Changes since 4.1.0-rc3: | |
584 | ||
585 | .. change:: | |
586 | :tags: Internals, DNSSEC, Bug Fixes | |
587 | :pullreq: 5972 | |
588 | ||
589 | Dump the validation status of negcache entries, fix DNSSEC type. | |
590 | ||
591 | .. change:: | |
592 | :tags: Internals, Bug Fixes | |
593 | :pullreq: 5980 | |
594 | ||
595 | Cache Secure validation state when inserting negcache entries. | |
596 | ||
597 | .. change:: | |
598 | :tags: DNSSEC, Bug Fixes | |
599 | :pullreq: 5978 | |
600 | ||
601 | Fix DNSSEC validation of DS denial from the negative cache. | |
602 | ||
603 | .. change:: | |
604 | :tags: DNSSEC, Bug Fixes | |
605 | :pullreq: 5997 | |
606 | ||
607 | Store additional records as non-auth, even on AA=1 answers. | |
608 | ||
609 | .. change:: | |
610 | :tags: DNSSEC, Bug Fixes | |
611 | :pullreq: 6008 | |
612 | ||
613 | Don't leak when the loading of a public ECDSA key fails. | |
614 | ||
615 | .. change:: | |
616 | :tags: DNSSEC, Bug Fixes | |
617 | :pullreq: 6009 | |
618 | ||
619 | When validating DNSKeys, the zone should be part of the signer. | |
620 | ||
be5c4d7e | 621 | .. changelog:: |
622 | :version: 4.1.0-rc3 | |
623 | :released: 17th of November 2017 | |
624 | ||
625 | The third Release Candidate adds support for Botan 2.x (and removes | |
626 | support for Botan 1.10!), has a lot of DNSSEC fixes, features a | |
627 | cleaned up web UI and has miscellaneous minor improvements. | |
628 | ||
629 | .. change:: | |
630 | :tags: Internals, Bug Fixes | |
631 | :pullreq: 5877 | |
632 | :tickets: 1066 | |
633 | ||
634 | Sort NS addresses by speed and remove old ones. | |
635 | ||
636 | .. change:: | |
637 | :tags: Internals, Improvements | |
638 | :pullreq: 5498 | |
639 | :tickets: 2250, 5797 | |
640 | ||
641 | Add support for Botan 2.x and remove support for Botan 1.10. | |
642 | ||
643 | .. change:: | |
644 | :tags: Internals, Bug Fixes | |
645 | :pullreq: 5896 | |
646 | ||
647 | Purge ``nsSpeeds`` entries even if we get less than 2 new entries. | |
648 | ||
649 | .. change:: | |
650 | :tags: DNSSEC, Bug Fixes | |
651 | :pullreq: 5889 | |
652 | ||
653 | Prevent possible downgrade attacks in the recursor. | |
654 | ||
655 | .. change:: | |
656 | :tags: Improvements | |
657 | :pullreq: 5876 | |
658 | ||
659 | Print more details of trust anchors. In addition, the | |
660 | :ref:`setting-trace` output that mentions if data from authoritative | |
661 | servers gets accepted now also prints the TTL and clarifies the | |
662 | 'place' number previously printed. | |
663 | ||
664 | .. change:: | |
665 | :tags: DNSSEC, Bug Fixes | |
666 | :pullreq: 5885 | |
667 | :tickets: 5882 | |
668 | ||
669 | Split NODATA / NXDOMAIN NSEC wildcard denial proof of | |
670 | existence. Otherwise there is a very real risk that a NSEC will | |
671 | cover a more specific wildcard and we end up with what looks like a | |
672 | NXDOMAIN proof but is a NODATA one. | |
673 | ||
674 | .. change:: | |
675 | :tags: DNSSEC, Bug Fixes | |
676 | :pullreq: 5904 | |
677 | ||
678 | Fix incomplete validation of cached entries. | |
679 | ||
680 | .. change:: | |
681 | :tags: DNSSEC, Bug Fixes | |
682 | :pullreq: 5912 | |
683 | ||
684 | Fix going Insecure on NSEC3 hashes with too many iterations, since | |
685 | we could have gone Bogus on a positive answer synthesized from a | |
686 | wildcard if the corresponding NSEC3 had more iterations than we were | |
687 | willing to accept, while the correct result is Insecure. | |
688 | ||
689 | .. change:: | |
690 | :tags: Internals, Bug Fixes | |
691 | :pullreq: 5881 | |
692 | :tickets: 5618 | |
693 | ||
694 | Add EDNS to truncated, servfail answers. | |
695 | ||
696 | .. change:: | |
697 | :tags: Internals, Improvements | |
698 | :pullreq: 5616 | |
699 | ||
700 | Better support for deleting entries in ``NetmaskTree`` and | |
701 | ``NetmaskGroup``. | |
702 | ||
703 | .. change:: | |
704 | :tags: Internals, Bug Fixes | |
705 | :pullreq: 5917 | |
706 | ||
707 | Use ``_exit()`` when we really really want to exit, for example | |
708 | after a fatal error. This stops us dying while we die. A call to | |
709 | ``exit()`` will trigger destructors, which may paradoxically stop | |
710 | the process from exiting, taking down only one thread, but harming | |
711 | the rest of the process. | |
712 | ||
713 | .. change:: | |
714 | :tags: Lua, DNSSEC, Improvements | |
715 | :pullreq: 5895 | |
716 | :tickets: 5888 | |
717 | ||
718 | Add the DNSSEC validation state to the ``DNSQuestion`` Lua object | |
719 | (although the ability to update the validation state from these | |
720 | hooks is postponed to after 4.1.0). | |
721 | ||
722 | .. change:: | |
723 | :tags: Bug Fixes | |
724 | :pullreq: 5930 | |
725 | ||
726 | In the recursor secpoll code, we assumed the TXT record would be the | |
727 | first record we received. Sometimes it was the RRSIG, | |
728 | leading to a silent error, and no secpoll check. Fixed the | |
729 | assumption, added an error. | |
730 | ||
731 | .. change:: | |
732 | :tags: Internals, Bug Fixes | |
733 | :pullreq: 5938 | |
734 | ||
735 | Don't crash when asked to run with zero threads. | |
736 | ||
737 | .. change:: | |
738 | :tags: Internals, Bug Fixes | |
739 | :pullreq: 5939 | |
740 | :tickets: 5934 | |
741 | ||
742 | Only accept types not matching the query if we asked for ANY. Even | |
743 | from forward-recurse servers. | |
744 | ||
745 | .. change:: | |
746 | :tags: Internals, Bug Fixes | |
747 | :pullreq: 5937 | |
748 | :tickets: 2758 | |
749 | ||
750 | Allow the use of a 'self-resolving' NS if cached A / AAAA | |
751 | exists. Before this, we could skip a perfectly valid NS for which we | |
752 | had retrieved the A and / or AAAA entries, for example via a glue. | |
753 | ||
754 | .. change:: | |
755 | :tags: Bug Fixes | |
756 | :pullreq: 5961 | |
757 | ||
758 | Add the config-name argument to the definition of configname. There | |
759 | was a bug where the config-name parameter was not used to change the | |
760 | path of the config file. This meant that some commands via | |
761 | rec_control (e.g. reload-acls) would fail when run against a | |
762 | recursor which had config-name defined. The correct behaviour was | |
763 | present in some, but not all, definitions of configname. (@jake2184) | |
764 | ||
6425370d | 765 | .. changelog:: |
766 | :version: 4.1.0-rc2 | |
ab33dca8 | 767 | :released: 30th of October 2017 |
6425370d | 768 | |
769 | The second Release Candidate contains several correctness fixes for DNSSEC, | |
770 | mostly in the area of verifying negative responses. | |
771 | ||
6425370d | 772 | .. change:: |
773 | :tags: API, Improvements | |
774 | :pullreq: 5805 | |
775 | ||
776 | Improve logging for the built-in :doc:`webserver <../../http-api/index>` | |
777 | and the :ref:`Carbon <metricscarbon>` sender. | |
778 | ||
779 | .. change:: | |
780 | :tags: DNSSEC, Bug Fixes | |
781 | :pullreq: 5808 | |
782 | ||
783 | Check that the NSEC covers an empty non-terminal when looking for NODATA. | |
784 | ||
785 | .. change:: | |
786 | :tags: Improvements, Internals | |
787 | :pullreq: 5824 | |
788 | :tickets: 5663 | |
789 | ||
790 | New b.root ipv4 address (Kees Monshouwer). | |
791 | ||
792 | .. change:: | |
793 | :tags: Bug Fixes, Internals | |
794 | :pullreq: 5740 | |
795 | ||
796 | Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set. | |
797 | ||
798 | .. change:: | |
799 | :tags: DNSSEC, Improvements | |
800 | :pullreq: 5834 | |
801 | ||
802 | Don't directly store NSEC3 records in the positive cache. | |
803 | ||
804 | .. change:: | |
805 | :tags: Improvements | |
806 | :pullreq: 5774 | |
807 | ||
808 | Add :ref:`experimental metrics <stat-x-our-latency>` that track the time spent inside PowerDNS per query. | |
809 | These metrics ignore time spent waiting for the network. | |
810 | ||
811 | .. change:: | |
812 | :tags: DNSSEC, Bug Fixes | |
813 | :pullreq: 5835 | |
814 | :tickets: 5827 | |
815 | ||
816 | Disable validation for infrastructure queries (e.g. when recursing for a name). | |
817 | Also validate entries from the Negative cache if they were not validated before. | |
818 | ||
819 | .. change:: | |
820 | :tags: Improvements | |
821 | :pullreq: 5842 | |
822 | ||
823 | Add :ref:`setting-log-timestamp` setting. This option can be used to disable | |
824 | printing timestamps to stdout; this is useful when using ``systemd-journald`` | |
825 | or another supervisor that timestamps output by itself. | |
826 | ||
827 | .. change:: | |
828 | :tags: Bug Fixes | |
829 | :pullreq: 5762 | |
830 | :tickets: 5439 | |
831 | ||
832 | Create :ref:`setting-socket-dir` from the init-script. | |
833 | ||
834 | .. change:: | |
835 | :tags: DNSSEC, Bug Fixes | |
836 | :pullreq: 5868 | |
837 | :tickets: 5861 | |
838 | ||
839 | Fix DNSSEC validation for denial of wildcards in negative answers and | |
840 | denial of existence proofs in wildcard-expanded positive responses. | |
841 | ||
842 | .. change:: | |
843 | :tags: DNSSEC, Bug Fixes | |
844 | :pullreq: 5873 | |
845 | ||
846 | Fix DNSSEC validation when using ``-flto``. | |
847 | ||
848 | .. change:: | |
849 | :tags: Bug Fixes, Internals | |
850 | :pullreq: 5803 | |
851 | ||
852 | Fix crashes with uncaught exceptions in MThreads. | |
853 | ||
4eed8fc6 | 854 | .. changelog:: |
ef75af13 EW |
855 | :version: 4.1.0-rc1 |
856 | :released: 9th of October 2017 | |
857 | ||
858 | The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger. | |
859 | ||
860 | While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention! | |
861 | ||
862 | .. change:: | |
863 | :tags: Bug Fixes | |
864 | :pullreq: 5530 | |
865 | ||
866 | Add a missing header for PRId64 in the negative cache, required on EL5/EL6. | |
867 | ||
868 | .. change:: | |
869 | :tags: Internals, Improvements | |
870 | :pullreq: 5543 | |
871 | ||
872 | Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!) | |
873 | ||
874 | .. change:: | |
875 | :tags: Internals, Improvements | |
876 | :pullreq: 5545 | |
877 | ||
878 | Add more unit tests for the NetmaskTree and ECS cache index. | |
879 | ||
880 | .. change:: | |
881 | :tags: Bug Fixes | |
882 | :pullreq: 5549 | |
883 | ||
884 | Prevent an infinite loop if we need auth and the best match is not. | |
885 | ||
886 | .. change:: | |
887 | :tags: Bug Fixes | |
888 | :pullreq: 5570 | |
889 | ||
890 | Be more careful about the validation of negative answers. | |
891 | ||
892 | .. change:: | |
893 | :tags: Bug Fixes, DNSSEC | |
894 | :pullreq: 5569 | |
895 | ||
896 | Don't fetch the DNSKEY of a zone to validate the DS of the same zone. | |
897 | ||
898 | .. change:: | |
899 | :tags: Bug Fixes | |
900 | :pullreq: 5599 | |
901 | :tickets: 5456 | |
902 | ||
903 | Fix libatomic detection on ppc64. (Sander Hoentjen) | |
904 | ||
905 | .. change:: | |
906 | :tags: Improvements | |
907 | :pullreq: 5588 | |
908 | ||
909 | Switch the default webserver's ACL to ``127.0.0.1, ::1``. | |
910 | ||
911 | .. change:: | |
912 | :tags: Improvements | |
913 | :pullreq: 5598 | |
914 | :tickets: 5524 | |
915 | ||
916 | Add help text on autodetecting systemd support. (Thanks to Ruben Kerkhof for reporting!) | |
917 | ||
918 | .. change:: | |
919 | :tags: Bug Fixes | |
920 | :pullreq: 5615 | |
921 | :tickets: 5357 | |
922 | ||
923 | Fix sortlist in the presence of CNAME. (Thanks to Benoit Perroud for | |
924 | reporting this issue!) | |
925 | ||
926 | .. change:: | |
927 | :tags: Bug Fixes, DNSSEC | |
928 | :pullreq: 5614 | |
929 | ||
930 | Improve DNSSEC debug logging. | |
931 | ||
932 | .. change:: | |
933 | :tags: Improvements | |
934 | :pullreq: 5622 | |
935 | ||
936 | Add ``log-rpz-changes`` to log RPZ additions and removals. | |
937 | ||
938 | .. change:: | |
939 | :tags: Improvements | |
940 | :pullreq: 5621 | |
941 | ||
942 | Log the policy type (QName, Client IP, NS IP...) over protobuf. | |
943 | ||
944 | .. change:: | |
945 | :tags: Bug Fixes | |
946 | :pullreq: 5515 | |
947 | ||
948 | Fix cache handling of ECS queries with a source length of 0. | |
949 | ||
950 | .. change:: | |
951 | :tags: Improvements | |
952 | :pullreq: 5637 | |
953 | ||
954 | Remove unused SortList compare operator for ComboAddress. | |
955 | ||
956 | .. change:: | |
957 | :tags: Improvements | |
958 | :pullreq: 5620 | |
959 | ||
960 | Add support for dumping the in-memory RPZ zones to a file. | |
961 | ||
962 | .. change:: | |
963 | :tags: Bug Fixes | |
964 | :pullreq: 5328 | |
965 | :tickets: 5327 | |
966 | ||
967 | Handle SNMP alarms so we can reconnect to the master. | |
968 | ||
969 | .. change:: | |
970 | :tags: Improvements | |
971 | :pullreq: 5646 | |
972 | ||
973 | Support for identifying devices by ID, such as MAC address. | |
974 | ||
975 | .. change:: | |
976 | :tags: Bug Fixes | |
977 | :pullreq: 5662 | |
978 | ||
979 | Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE) | |
980 | ||
981 | .. change:: | |
982 | :tags: Bug Fixes, DNSSEC | |
983 | :pullreq: 5672 | |
984 | :tickets: 5649 | |
985 | ||
986 | Add NSEC records on nx-trust cache hits. | |
987 | ||
988 | .. change:: | |
989 | :tags: Bug Fixes, DNSSEC | |
990 | :pullreq: 5671 | |
991 | :tickets: 5650 | |
992 | ||
993 | Handle NSEC wrap-around. | |
994 | ||
995 | .. change:: | |
996 | :tags: Bug Fixes, DNSSEC | |
997 | :pullreq: 5670 | |
998 | :tickets: 5648, 5651 | |
999 | ||
1000 | Fix erroneous check for section 4.1 of RFC 6840. | |
1001 | ||
1002 | .. change:: | |
1003 | :tags: Bug Fixes, DNSSEC | |
1004 | :pullreq: 5715 | |
1005 | :tickets: 5705 | |
1006 | ||
1007 | Handle direct NSEC queries. | |
1008 | ||
1009 | .. change:: | |
1010 | :tags: Bug Fixes | |
1011 | :pullreq: 5739 | |
1012 | ||
1013 | Remove pdns.PASS and pdns.TRUNCATE. | |
1014 | ||
1015 | .. change:: | |
1016 | :tags: Bug Fixes | |
1017 | :pullreq: 5734 | |
1018 | ||
1019 | Fix a crash when getting a public GOST key if the private one is not set. | |
1020 | ||
1021 | .. change:: | |
1022 | :tags: Improvements | |
1023 | :pullreq: 5699 | |
1024 | ||
1025 | Implement dynamic cache sizing. | |
1026 | ||
1027 | .. change:: | |
1028 | :tags: Bug Fixes, DNSSEC | |
1029 | :pullreq: 5716 | |
1030 | :tickets: 5681 | |
1031 | ||
1032 | Detect zone cuts by asking for DS instead of NS. | |
1033 | ||
1034 | .. change:: | |
1035 | :tags: Bug Fixes, DNSSEC | |
1036 | :pullreq: 5738 | |
1037 | :tickets: 5735 | |
1038 | ||
1039 | Do not allow direct queries for RRSIG or NSEC3. | |
1040 | ||
1041 | .. change:: | |
1042 | :tags: Improvements | |
1043 | :pullreq: 5755 | |
1044 | ||
1045 | Improve dnsbulktest experience in Travis for more robustness. | |
1046 | ||
1047 | .. change:: | |
1048 | :tags: Improvements, DNSSEC | |
1049 | :pullreq: 5756 | |
1050 | ||
1051 | Improve ``--quiet=false`` output to include DNSSEC and more timing details. | |
1052 | ||
1053 | .. change:: | |
1054 | :tags: Improvements | |
1055 | :pullreq: 5772 | |
1056 | ||
1057 | Set ``TC=1`` if we had to omit part of the AUTHORITY section. | |
1058 | ||
1059 | .. change:: | |
1060 | :tags: Bug Fixes, DNSSEC | |
1061 | :pullreq: 5771 | |
1062 | ||
1063 | The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure. | |
1064 | ||
1065 | .. change:: | |
1066 | :tags: Improvements, DNSSEC | |
1067 | :pullreq: 5733 | |
1068 | ||
1069 | Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST. | |
1070 | ||
1071 | .. change:: | |
1072 | :tags: Bug Fixes | |
1073 | :pullreq: 5773 | |
1074 | ||
1075 | Don't negcache entries for longer than their RRSIG validity. | |
1076 | ||
1077 | .. change:: | |
1078 | :tags: Improvements | |
1079 | :pullreq: 5764 | |
1080 | ||
cb264691 | 1081 | autoconf: set ``--with-libsodium`` to ``auto``. |
ef75af13 EW |
1082 | |
1083 | .. change:: | |
1084 | :tags: Bug Fixes | |
1085 | :pullreq: 5792 | |
1086 | ||
1087 | Gracefully handle Socket::accept() returning a null pointer on EAGAIN. | |
4eed8fc6 | 1088 | |
223bb49e | 1089 | .. changelog:: |
7731aeee | 1090 | :version: 4.1.0-alpha1 |
4eed8fc6 | 1091 | :released: 18th of July 2017 |
223bb49e PL |
1092 | |
1093 | This is the first release of the PowerDNS Recursor in the 4.1 release train. | |
1094 | This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing. | |
1095 | ||
1096 | .. change:: | |
1097 | :tags: New Features | |
1098 | :pullreq: 5138 | |
1099 | :tickets: 5128 | |
1100 | ||
1101 | Add server-side TCP Fast Open support. | |
1102 | This adds a new option :ref:`setting-tcp-fast-open`. | |
1103 | ||
1104 | .. change:: | |
1105 | :tags: New Features | |
1106 | :pullreq: 4569 | |
1107 | ||
1108 | Pass ``tcp`` to :func:`gettag` to allow a script to take different actions whether a query came in over TCP or UDP. | |
1109 | ||
1110 | .. change:: | |
1111 | :tags: New Features | |
1112 | :pullreq: 4569 | |
1113 | ||
1114 | Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks. | |
1115 | ||
1116 | .. change:: | |
1117 | :tags: Improvements, DNSSEC | |
7731aeee PL |
1118 | :pullreq: 5223, 5463, 5486, 5528 |
1119 | :tickets: 4254, 4362, 4490, 4994 | |
223bb49e | 1120 | |
4368d62f | 1121 | Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable. |
223bb49e PL |
1122 | |
1123 | .. change:: | |
4368d62f | 1124 | :tags: New Features |
223bb49e PL |
1125 | :pullreq: 5063 |
1126 | :tickets: 2818 | |
1127 | ||
1128 | Implement CNAME wildcards in recursor authoritative component. | |
1129 | ||
1130 | .. change:: | |
1131 | :tags: Bug Fixes | |
1132 | :pullreq: 5078 | |
1133 | :tickets: 4939, 5075 | |
1134 | ||
1135 | Show a useful error when an invalid :ref:`setting-lua-config-file` is configured. | |
1136 | ||
4368d62f PL |
1137 | .. change:: |
1138 | :tags: Bug Fixes | |
1139 | :pullreq: 4860 | |
1140 | ||
1141 | Fix :class:`DNSQuestion` members alterations from Lua not being taken into account. | |
1142 | ||
1143 | .. change:: | |
1144 | :tags: Bug Fixes, Protobuf | |
1145 | :pullreq: 4984 | |
1146 | :tickets: 4969 | |
1147 | ||
1148 | Fix ``remote``/``local`` inversion in :func:`preoutquery`. | |
1149 | ||
1150 | .. change:: | |
1151 | :tags: New Features, Scripting | |
1152 | :pullreq: 4982 | |
1153 | :tickets: 4981 | |
1154 | ||
1155 | Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`. | |
1156 | ||
1157 | .. change:: | |
1158 | :tags: New Features, SNMP | |
1159 | :pullreq: 4990, 5404 | |
1160 | ||
1161 | Add :ref:`SNMP <snmp>` support. | |
1162 | ||
1163 | .. change:: | |
1164 | :tags: Improvements | |
1165 | :pullreq: 5106 | |
1166 | ||
1167 | Split SyncRes::doResolveAt and add const and static whenever possible, possibly improving performance while making the code easier to maintain. | |
1168 | ||
1169 | .. change:: | |
1170 | :tags: Improvements | |
1171 | :pullreq: 5102 | |
1172 | ||
1173 | Packet cache speedup and cleanup. | |
1174 | ||
1175 | .. change:: | |
1176 | :tags: Improvements | |
1177 | :pullreq: 5146 | |
1178 | ||
1179 | Make Lua mandatory for recursor builds. | |
1180 | ||
1181 | .. change:: | |
1182 | :tags: Improvements, Performance | |
1183 | :pullreq: 5103, 5487 | |
1184 | ||
1185 | Use one listening socket per thread when reuseport is enabled. | |
1186 | ||
1187 | .. change:: | |
1188 | :tags: Improvements, RPZ | |
1189 | :pullreq: 5057 | |
1190 | ||
1191 | Use the RPZ zone's TTL and add a new ``maxTTL`` setting. | |
1192 | ||
1193 | .. change:: | |
1194 | :tags: Improvements, Lua | |
1195 | :pullreq: 5141 | |
1196 | ||
1197 | Stop (de)serializing :attr:`DNSQuestion.data`. | |
1198 | ||
1199 | .. change:: | |
1200 | :tags: New Features, Lua | |
1201 | :pullreq: 5198 | |
1202 | :tickets: 5195 | |
1203 | ||
1204 | Allow access to EDNS options from the :func:`gettag` hook. | |
1205 | ||
1206 | .. change:: | |
1207 | :tags: Improvements | |
1208 | :pullreq: 5226 | |
1209 | ||
1210 | Refactor the negative cache into a class. | |
1211 | ||
1212 | .. change:: | |
1213 | :tags: Bug Fixes | |
1214 | :pullreq: 5209 | |
1215 | ||
1216 | Ensure locks can not be copied. | |
1217 | ||
1218 | .. change:: | |
1219 | :tags: Improvements, RPZ | |
1220 | :pullreq: 5275, 5307 | |
1221 | :tickets: 5231, 5236 | |
1222 | ||
1223 | RPZ updates are done zone by zone, zones are now shared pointers. | |
1224 | ||
1225 | .. change:: | |
1226 | :tags: Bug Fixes | |
1227 | :pullreq: 5252 | |
1228 | :tickets: 5246 | |
1229 | ||
1230 | Only apply :ref:`setting-root-nx-trust` if the received SOA is ".". | |
1231 | ||
1232 | .. change:: | |
1233 | :tags: New Features | |
1234 | :pullreq: 4569 | |
1235 | ||
1236 | Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks. | |
1237 | ||
1238 | .. change:: | |
1239 | :tags: Bug Fixes | |
1240 | :pullreq: 5312 | |
1241 | ||
1242 | Don't throw an exception when logging to protobuf without a question set. | |
1243 | ||
1244 | .. change:: | |
1245 | :tags: New Features, Lua | |
1246 | :pullreq: 5293 | |
1247 | ||
1248 | Allow retrieving stats from Lua via the :func:`getStat` call. | |
1249 | ||
1250 | .. change:: | |
1251 | :tags: New Features, RPZ | |
1252 | :pullreq: 5265 | |
1253 | :tickets: 5237 | |
1254 | ||
1255 | Add support for RPZ wildcarded target names. | |
1256 | ||
1257 | .. change:: | |
1258 | :tags: Bug Fixes | |
1259 | :pullreq: 5320 | |
1260 | ||
1261 | Correctly truncate EDNS Client Subnetmasks. | |
1262 | ||
1263 | .. change:: | |
1264 | :tags: Improvements | |
1265 | :pullreq: 5319 | |
1266 | ||
1267 | Only check the netmask for subnet specific cache entries. | |
1268 | ||
1269 | .. change:: | |
1270 | :tags: Improvements | |
1271 | :pullreq: 5236 | |
1272 | ||
1273 | Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand. | |
1274 | Get rid of ``SyncRes::d_nocache``, make sure we can't get into a root refresh loop. | |
1275 | Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components. | |
1276 | ||
1277 | .. change:: | |
1278 | :tags: Improvements, EDNS Client Subnet | |
1279 | :pullreq: 5461, 5472 | |
1280 | ||
1281 | Add an ECS index to the cache. | |
1282 | ||
1283 | .. change:: | |
1284 | :tags: New Features, EDNS Client Subnet | |
1285 | :pullreq: 5409 | |
1286 | ||
1287 | Add ECS metrics. | |
1288 | ||
1289 | .. change:: | |
1290 | :tags: Improvements, EDNS Client Subnet, DNSSEC | |
1291 | :pullreq: 5484 | |
1292 | ||
1293 | Use ECS when updating the validation state if needed. | |
1294 | ||
1295 | .. change:: | |
1296 | :tags: Bug Fixes, API | |
1297 | :pullreq: 5466 | |
1298 | :tickets: 5398 | |
1299 | ||
1300 | Clean up auth/recursor code mismatches in the API (Christian Hofstaedtler). | |
1301 | ||
1302 | .. change:: | |
1303 | :tags: Bug Fixes | |
1304 | :pullreq: 5474 | |
1305 | :tickets: 5474 | |
1306 | ||
1307 | Only increase ``no-packet-error`` on the first read. | |
1308 | ||
1309 | .. change:: | |
1310 | :tags: Improvements | |
1311 | :pullreq: 5511 | |
1312 | ||
1313 | When dumping the cache, also dump RRSIGs. | |
7731aeee PL |
1314 | |
1315 | .. change:: | |
1316 | :tags: Bug Fixes, DNSSEC | |
1317 | :pullreq: 5525 | |
1318 | ||
1319 | Fix validation at the exact RRSIG inception or expiration time. | |
1320 | ||
1321 | .. change:: | |
1322 | :tags: Improvements | |
1323 | :pullreq: 5485 | |
1324 | ||
1325 | Don't always override :ref:`setting-loglevel` to 6. | |
1326 | ||
1327 | .. change:: | |
1328 | :tags: Improvements | |
1329 | :pullreq: 5406, 5530 | |
1330 | ||
1331 | Make more specific Netmasks compare less than (``<``) less specific ones. | |
1332 | ||
1333 | .. change:: | |
1334 | :tags: New Features | |
1335 | :pullreq: 5482 | |
1336 | ||
1337 | Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread. |