:released: 31st of August 2018
Split ``pdns_enable_unit_tests``. (Chris Hofstaedtler)
Don't account chained queries more than once.
Add a new :ref:`setting-max-udp-queries-per-round` setting.
Make :doc:`rec_control` respect :ref:`setting-include-dir`.
Fix warnings reported by gcc 8.1.0.
Tests: replace awk command by perl.
Load lua scripts only in worker threads.
Allow the snmp thread to retrieve statistics.
Purge all auth/forward zone data including subtree. (@phonedph1)
:released: 22nd of May 2018
This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.
Respect the ``AXFR`` timeout while connecting to the ``RPZ`` server.
Don't increase the ``DNSSEC`` validations counters when running with ``process-no-validate``.
Count a lookup into an internal auth zone as a cache miss.
Delay the loading of ``RPZ`` zones until the parsing is done, fixing a race condition.
Move carbon/webserver/control/stats handling to a separate thread.
Use a separate, non-blocking pipe to distribute queries.
Add a subtree option to the :doc:`API <../http-api/index>` cache flush endpoint.
:tickets: 6542, 6516, 6358, 6517
Reorder includes to avoid boost ``L`` conflict.
Update copyright years to 2018 (Matt Nordhoff).
Fix a warning on botan >= 2.5.0.
Add ``_raw`` versions for ``QName`` / ``ComboAddresses`` to the ``FFI`` API.
Use canonical ordering in the ``ECS`` index.
Add ``-rdynamic`` to ``C{,XX}FLAGS`` when we build with ``LuaJIT``.
Increase ``MTasker`` stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).
Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).
Disable only our own tcp listening socket when reuseport is enabled.
:released: 29th of March 2018
This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.
:pullreq: 6298, 6303, 6290, 6268
Add the option to set the AXFR timeout for RPZs.
:pullreq: 6336, 6237, 6293
Retry loading RPZ zones from server when they fail initially.
IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).
Fix ECS-based cache entry refresh code.
Fix ECS-specific NS AAAA not being returned from the cache.
Add :doc:`RPZ statistics endpoint <../http-api/endpoint-rpz-stats>` to the :doc:`API <../http-api/index>`.
Add FFI version of :func:`gettag`.
:released: 22nd of January 2018
This is the second release in the 4.1 train.
This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.
The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__.
This is a release on the stable branch, containing a fix for the
abovementioned security issue and several bug fixes from the
:tags: DNSSEC, Bug Fixes
Correctly handle ancestor delegation NSEC{,3} for children. Fixes
the DNSSEC validation issue found in Knot Resolver, where a NSEC{3}
ancestor delegation is wrongly used to prove the non-existence of a
RR below the delegation.
We already had the correct check for the exact owner name, but not
for RRs below the delegation.
(Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)
:tags: Internals, Bug Fixes
Fix to make ``primeHints`` threadsafe, otherwise there's a small
chance on startup that the root-server IPs will be incorrect.
:tags: Internals, Improvements
Don't process records for another class than IN. We don't use
records of another class than IN, but we used to store some of them
in the cache, which is useless. Just skip them.
:tags: DNSSEC, Bug Fixes
Fix the computation of the closest encloser for positive
answers. When the positive answer is expanded from a wildcard with
NSEC3, the closest encloser is not always the parent of the qname,
depending on the number of labels in the initial wildcard.
:tags: DNSSEC, Bug Fixes
Pass the correct buffer size to ``arecvfrom()``. The incorrect size
could possibly cause DNSSEC failures.
Don't validate signature for "glue" CNAME, since anything other than
the initial CNAME can't be considered authoritative.
:released: 4th of December 2017
This is the first release in the 4.1 train.
The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__.
This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).

- Improved DNSSEC support,
- Improved documentation,
- Improved RPZ support,
- Improved EDNS Client Subnet support,
- Support for Botan 2.x (and removal of support for Botan 1.10),
- Lua engine has gained access to more parts of the recursor,
- CPU affinity can now be specified,
- TCP Fast Open support,
- New performance metrics.

Changes since 4.1.0-rc3:
:tags: Internals, DNSSEC, Bug Fixes
Dump the validation status of negcache entries, fix DNSSEC type.
:tags: Internals, Bug Fixes
Cache Secure validation state when inserting negcache entries.
:tags: DNSSEC, Bug Fixes
Fix DNSSEC validation of DS denial from the negative cache.
:tags: DNSSEC, Bug Fixes
Store additional records as non-auth, even on AA=1 answers.
:tags: DNSSEC, Bug Fixes
Don't leak when the loading of a public ECDSA key fails.
:tags: DNSSEC, Bug Fixes
When validating DNSKeys, the zone should be part of the signer.
:released: 17th of November 2017
The third Release Candidate adds support for Botan 2.x (and removes
support for Botan 1.10!), has a lot of DNSSEC fixes, features a
cleaned up web UI and has miscellaneous minor improvements.
:tags: Internals, Bug Fixes
Sort NS addresses by speed and remove old ones.
:tags: Internals, Improvements
Add support for Botan 2.x and remove support for Botan 1.10.
:tags: Internals, Bug Fixes
Purge ``nsSpeeds`` entries even if we get less than 2 new entries.
:tags: DNSSEC, Bug Fixes
Prevent possible downgrade attacks in the recursor.
Print more details of trust anchors. In addition, the
:ref:`setting-trace` output that mentions if data from authoritative
servers gets accepted now also prints the TTL and clarifies the
'place' number previously printed.
:tags: DNSSEC, Bug Fixes
Split NODATA / NXDOMAIN NSEC wildcard denial proof of
existence. Otherwise there is a very real risk that a NSEC will
cover a more specific wildcard and we end up with what looks like a
NXDOMAIN proof but is a NODATA one.
:tags: DNSSEC, Bug Fixes
Fix incomplete validation of cached entries.
:tags: DNSSEC, Bug Fixes
Fix going Insecure on NSEC3 hashes with too many iterations, since
we could have gone Bogus on a positive answer synthesized from a
wildcard if the corresponding NSEC3 had more iterations than we were
willing to accept, while the correct result is Insecure.
:tags: Internals, Bug Fixes
Add EDNS to truncated, servfail answers.
:tags: Internals, Improvements
Better support for deleting entries in ``NetmaskTree`` and
:tags: Internals, Bug Fixes
Use ``_exit()`` when we really really want to exit, for example
after a fatal error. This stops us dying while we die. A call to
``exit()`` will trigger destructors, which may paradoxically stop
the process from exiting, taking down only one thread, but harming
the rest of the process.
:tags: Lua, DNSSEC, Improvements
Add the DNSSEC validation state to the ``DNSQuestion`` Lua object
(although the ability to update the validation state from these
hooks is postponed to after 4.1.0).
In the recursor secpoll code, we assumed the TXT record would be the
first record we received. Sometimes it was the RRSIG,
leading to a silent error, and no secpoll check. Fixed the
assumption, added an error.
:tags: Internals, Bug Fixes
Don't crash when asked to run with zero threads.
:tags: Internals, Bug Fixes
Only accept types not matching the query if we asked for ANY. Even
from forward-recurse servers.
:tags: Internals, Bug Fixes
Allow the use of a 'self-resolving' NS if cached A / AAAA
exists. Before this, we could skip a perfectly valid NS for which we
had retrieved the A and / or AAAA entries, for example via a glue.
Add the config-name argument to the definition of configname. There
was a bug where the config-name parameter was not used to change the
path of the config file. This meant that some commands via
rec_control (e.g. reload-acls) would fail when run against a
recursor which had config-name defined. The correct behaviour was
present in some, but not all, definitions of configname. (@jake2184)
:released: 30th of October 2017
The second Release Candidate contains several correctness fixes for DNSSEC,
mostly in the area of verifying negative responses.
:tags: API, Improvements
Improve logging for the built-in :doc:`webserver <../../http-api/index>`
and the :ref:`Carbon <metricscarbon>` sender.
:tags: DNSSEC, Bug Fixes
Check that the NSEC covers an empty non-terminal when looking for NODATA.
:tags: Improvements, Internals
New b.root ipv4 address (Kees Monshouwer).
:tags: Bug Fixes, Internals
Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set.
:tags: DNSSEC, Improvements
Don't directly store NSEC3 records in the positive cache.
Add :ref:`experimental metrics <stat-x-our-latency>` that track the time spent inside PowerDNS per query.
These metrics ignore time spent waiting for the network.
:tags: DNSSEC, Bug Fixes
Disable validation for infrastructure queries (e.g. when recursing for a name).
Also validate entries from the Negative cache if they were not validated before.
Add :ref:`setting-log-timestamp` setting. This option can be used to disable
printing timestamps to stdout, which is useful when using ``systemd-journald``
or another supervisor that timestamps output by itself.
Create :ref:`setting-socket-dir` from the init-script.
:tags: DNSSEC, Bug Fixes
Fix DNSSEC validation for denial of wildcards in negative answers and
denial of existence proofs in wildcard-expanded positive responses.
:tags: DNSSEC, Bug Fixes
Fix DNSSEC validation when using ``-flto``.
:tags: Bug Fixes, Internals
Fix crashes with uncaught exceptions in MThreads.
:released: 9th of October 2017
The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.
While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!
Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
:tags: Internals, Improvements
Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!).
:tags: Internals, Improvements
Add more unit tests for the NetmaskTree and ECS cache index.
Prevent an infinite loop if we need auth and the best match is not.
Be more careful about the validation of negative answers.
:tags: Bug Fixes, DNSSEC
Don't fetch the DNSKEY of a zone to validate the DS of the same zone.
Fix libatomic detection on ppc64. (Sander Hoentjen)
Switch the default webserver's ACL to ``127.0.0.1, ::1``.
Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)
Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for
reporting this issue!)
:tags: Bug Fixes, DNSSEC
Improve DNSSEC debug logging.
Add ``log-rpz-changes`` to log RPZ additions and removals.
Log the policy type (QName, Client IP, NS IP...) over protobuf.
Fix cache handling of ECS queries with a source length of 0.
Remove unused SortList compare operator for ComboAddress.
Add support for dumping the in-memory RPZ zones to a file.
Handle SNMP alarms so we can reconnect to the master.
Support for identifying devices by id such as MAC address.
Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
:tags: Bug Fixes, DNSSEC
Add NSEC records on nx-trust cache hits.
:tags: Bug Fixes, DNSSEC
Handle NSEC wrap-around.
:tags: Bug Fixes, DNSSEC
Fix erroneous check for section 4.1 of RFC 6840.
:tags: Bug Fixes, DNSSEC
Handle direct NSEC queries.
Remove pdns.PASS and pdns.TRUNCATE.
Fix a crash when getting a public GOST key if the private one is not set.
Implement dynamic cache sizing.
:tags: Bug Fixes, DNSSEC
Detect zone cuts by asking for DS instead of NS.
:tags: Bug Fixes, DNSSEC
Do not allow direct queries for RRSIG or NSEC3.
Improve dnsbulktest experience in Travis for more robustness.
:tags: Improvements, DNSSEC
Improve ``--quiet=false`` output to include DNSSEC and more timing details.
Set ``TC=1`` if we had to omit part of the AUTHORITY section.
:tags: Bug Fixes, DNSSEC
The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure.
:tags: Improvements, DNSSEC
Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
Don't negcache entries for longer than their RRSIG validity.
autoconf: set ``--with-libsodium`` to ``auto``.
Gracefully handle Socket::accept() returning a null pointer on EAGAIN.
:version: 4.1.0-alpha1
:released: 18th of July 2017
This is the first release of the PowerDNS Recursor in the 4.1 release train.
This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.
Add server-side TCP Fast Open support.
This adds a new option :ref:`setting-tcp-fast-open`.
Pass ``tcp`` to :func:`gettag` to allow a script to take different actions depending on whether a query came in over TCP or UDP.
Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.
:tags: Improvements, DNSSEC
:pullreq: 5223, 5463, 5486, 5528
:tickets: 4254, 4362, 4490, 4994
Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable.
Implement CNAME wildcards in recursor authoritative component.
Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.
Fix :class:`DNSQuestion` members alterations from Lua not being taken into account.
:tags: Bug Fixes, Protobuf
Fix ``remote``/``local`` inversion in :func:`preoutquery`.
:tags: New Features, Scripting
Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.
:tags: New Features, SNMP
Add :ref:`SNMP <snmp>` support.
Split SyncRes::doResolveAt, add const and static whenever possible. This possibly improves performance while making the code easier to maintain.
Packet cache speedup and cleanup.
Make Lua mandatory for recursor builds.
:tags: Improvements, Performance
Use one listening socket per thread when reuseport is enabled.
:tags: Improvements, RPZ
Use the RPZ zone's TTL and add a new ``maxTTL`` setting.
:tags: Improvements, Lua
Stop (de)serializing :attr:`DNSQuestion.data`.
:tags: New Features, Lua
Allow access to EDNS options from the :func:`gettag` hook.
Refactor the negative cache into a class.
Ensure locks can not be copied.
:tags: Improvements, RPZ
RPZ updates are done zone by zone, zones are now shared pointers.
Only apply :ref:`setting-root-nx-trust` if the received SOA is ".".
Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks.
Don't throw an exception when logging to protobuf without a question set.
:tags: New Features, Lua
Allow retrieving stats from Lua via the :func:`getStat` call.
:tags: New Features, RPZ
Add support for RPZ wildcarded target names.
Correctly truncate EDNS Client Subnetmasks.
Only check the netmask for subnet specific cache entries.
Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand.
Get rid of ``SyncRes::d_nocache``, which makes sure we can't get into a root refresh loop.
Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components.
:tags: Improvements, EDNS Client Subnet
:pullreq: 5461, 5472
Add an ECS index to the cache.
:tags: New Features, EDNS Client Subnet
:tags: Improvements, EDNS Client Subnet, DNSSEC
Use ECS when updating the validation state if needed.
:tags: Bug Fixes, API
Clean up auth/recursor code mismatches in the API (Christian Hofstaedtler).
Only increase ``no-packet-error`` on the first read.
When dumping the cache, also dump RRSIGs.
:tags: Bug Fixes, DNSSEC
Fix validation at the exact RRSIG inception or expiration time.
Don't always override :ref:`setting-loglevel` to 6.
:pullreq: 5406, 5530
Make more specific Netmasks < to less specific ones.
Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread.