6 :released: 2nd of April 2019
9 :tags: Bug Fixes, Internals
13 Correctly interpret an empty AXFR response to an IXFR query.
16 :tags: Improvements, Internals
19 Provide CPU usage statistics per thread (worker & distributor).
22 :tags: Improvements, Internals, Performance
26 Use a bounded load-balancing algo to distribute queries.
29 :tags: Improvements, Internals
33 Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.
37 :released: 1st of February 2019
39 Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of sycalls per message.
45 Add an option to export only responses over protobuf to the Lua :func:`protobufServer` directive.
52 Reduce systemcall usage in protobuf logging. (See #7428.)
56 :released: 24th of January 2019
58 This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you're installing it as a package from our repositories.
64 PowerDNS Recursor release 4.1.9 introduced a call to the Lua :func:`ipfilter` hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.
68 :released: 21st of January 2019
70 This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor:
71 - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8 ;
72 - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.
75 - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua ;
76 - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
82 Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2019-01>`). Validates records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`).
89 Try another worker before failing if the first pipe was full
93 :released: 26th of November 2018
95 This release fixes :doc:`Security Advisory 2018-09 <../security-advisories/powerdns-advisory-2018-09>` that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.
97 The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
99 When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
105 Crafted query can cause a denial of service (CVE-2018-16855, PowerDNS Security Advisory :doc:`2018-09 <../security-advisories/powerdns-advisory-2018-09>`)
109 :released: 9th of November 2018
111 This release updates the mitigation for :doc:`Security Advisory 2018-07 <../security-advisories/powerdns-advisory-2018-07>`, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.
117 Revert 'Keep the EDNS status of a server on FormErr with EDNS'
123 Refuse queries for all meta-types
127 :released: 7th of November 2018
129 This release reverts `#6980 <https://github.com/PowerDNS/pdns/pull/6980>`__, it could lead to DNSSEC validation issues.
136 Revert "rec: Authority records in AA=1 CNAME answer are authoritative".
140 :released: 6th of November 2018
142 This release fixes the following security advisories:
144 - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851)
145 - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626)
146 - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644)
152 Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`)
158 Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`)
164 Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`)
166 Additionally there are some other minor fixes and improvements listed below.
169 :tags: Improvements, Lua
173 Add pdnslog to lua configuration scripts (Chris Hofstaedtler)
180 Cleanup the netmask trees used for the ecs index on removals
187 Make sure that the ECS scope from the auth is < to the source
190 :tags: Bug Fixes, RPZ, Internals
194 Delay the creation of rpz threads until we have dropped privileges
201 Authority records in aa=1 cname answer are authoritative
204 :tags: Bug Fixes, Internals
207 Avoid a memory leak in catch-all exception handler
214 Don't require authoritative answers for forward-recurse zones
221 Fix compilation with libressl 2.7.0+
224 :tags: Bug Fixes, Internals
227 Release memory in case of error in the openssl ecdsa constructor
234 Convert a few uses to toLogString to print DNSName's that may be empty in a safer manner
237 :tags: Bug Fixes, Internals
240 Avoid a crash on DEC Alpha systems
243 :tags: Bug Fixes, Internals
247 Clear all caches on (N)TA changes
254 Export outgoing ECS value and server ID in protobuf (if any)
257 :tags: Improvements, Internals
261 Switch to devtoolset 7 for el6
268 Allow the signature inception to be off by a number of seconds. (Kees Monshouwer)
272 :released: 31st of August 2018
278 Split ``pdns_enable_unit_tests``. (Chris Hofstaedtler)
285 Don't account chained queries more than once.
291 Add a new :ref:`setting-max-udp-queries-per-round` setting.
298 Make :doc:`../../manpages/rec_control.1` respect :ref:`setting-include-dir`.
304 Fix warnings reported by gcc 8.1.0.
310 Tests: replace awk command by perl.
317 Load lua scripts only in worker threads.
323 Allow the snmp thread to retrieve statistics.
329 Purge all auth/forward zone data including subtree. (@phonedph1)
333 :released: 22nd of May 2018
335 This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.
341 Respect the ``AXFR`` timeout while connecting to the ``RPZ`` server.
347 Don't increase the ``DNSSEC`` validations counters when running with ``process-no-validate``.
353 Count a lookup into an internal auth zone as a cache miss.
360 Delay the loading of ``RPZ`` zones until the parsing is done, fixing a race condition.
366 Move carbon/webserver/control/stats handling to a separate thread.
372 Use a separate, non-blocking pipe to distribute queries.
379 Add a subtree option to the :doc:`API <../http-api/index>` cache flush endpoint.
384 :tickets: 6542, 6516, 6358, 6517
386 Reorder includes to avoid boost ``L`` conflict.
393 Update copyright years to 2018 (Matt Nordhoff).
400 Fix a warning on botan >= 2.5.0.
406 Add ``_raw`` versions for ``QName`` / ``ComboAddresses`` to the ``FFI`` API.
413 Use canonical ordering in the ``ECS`` index.
419 Add ``-rdynamic`` to ``C{,XX}FLAGS`` when we build with ``LuaJIT``.
426 Increase ``MTasker`` stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).
433 Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).
440 Disable only our own tcp listening socket when reuseport is enabled
444 :released: 29th of March 2018
446 This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.
450 :pullreq: 6298, 6303, 6290, 6268
452 Add the option to set the AXFR timeout for RPZs.
456 :pullreq: 6336, 6237, 6293
459 Retry loading RPZ zones from server when they fail initially.
465 IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).
471 Fix ECS-based cache entry refresh code.
478 Fix ECS-specific NS AAAA not being returned from the cache.
485 Add :doc:`RPZ statistics endpoint <../http-api/endpoint-rpz-stats>` to the :doc:`API <../http-api/index>`.
491 Add FFI version of :func:`gettag`.
495 :released: 22nd of January 2018
497 This is the second release in the 4.1 train.
499 This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.
501 The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__.
503 This is a release on the stable branch, containing a fix for the
504 abovementioned security issue and several bug fixes from the
508 :tags: DNSSEC, Bug Fixes
511 Correctly handle ancestor delegation NSEC{,3} for children. Fixes
512 the DNSSEC validation issue found in Knot Resolver, where a NSEC{3}
513 ancestor delegation is wrongly use to prove the non-existence of a
514 RR below the delegation.
515 We already had the correct check for the exact owner name, but not
516 for RRs below the delegation.
517 (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)
520 :tags: Internals, Bug Fixes
524 Fix to make ``primeHints`` threadsafe, otherwise there's a small
525 chance on startup that the root-server IPs will be incorrect.
528 :tags: Internals, Improvements
532 Don't process records for another class than IN. We don't use
533 records of another class than IN, but we used to store some of them
534 in the cache which is useless. Just skip them.
537 :tags: DNSSEC, Bug Fixes
541 Fix the computation of the closest encloser for positive
542 answers. When the positive answer is expanded from a wildcard with
543 NSEC3, the closest encloser is not always parent of the qname,
544 depending on the number of labels in the initial wildcard.
547 :tags: DNSSEC, Bug Fixes
551 Pass the correct buffer size to ``arecvfrom()``. The incorrect size
552 could possibly cause DNSSEC failures.
559 Don't validate signature for "glue" CNAME, since anything else than
560 the initial CNAME can't be considered authoritative.
564 :released: 4th of December 2017
566 This is the first release in the 4.1 train.
568 The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__.
570 This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).
572 - Improved DNSSEC support,
573 - Improved documentation,
574 - Improved RPZ support,
575 - Improved EDNS Client Subnet support,
576 - Support for Botan 2.x (and removal of support for Botan 1.10),
578 - Lua engine has gained access to more parts of the recursor,
579 - CPU affinity can now be specified,
580 - TCP Fast Open support,
581 - New performance metrics.
583 Changes since 4.1.0-rc3:
586 :tags: Internals, DNSSEC, Bug Fixes
589 Dump the validation status of negcache entries, fix DNSSEC type.
592 :tags: Internals, Bug Fixes
595 Cache Secure validation state when inserting negcache entries.
598 :tags: DNSSEC, Bug Fixes
601 Fix DNSSEC validation of DS denial from the negative cache.
604 :tags: DNSSEC, Bug Fixes
607 Store additional records as non-auth, even on AA=1 answers.
610 :tags: DNSSEC, Bug Fixes
613 Don't leak when the loading a public ECDSA key fails.
616 :tags: DNSSEC, Bug Fixes
619 When validating DNSKeys, the zone should be part of the signer.
623 :released: 17th of November 2017
625 The third Release Candidate adds support for Botan 2.x (and removes
626 support for Botan 1.10!), has a lot of DNSSEC fixes, features a
627 cleaned up web UI and has miscellaneous minor improvements.
630 :tags: Internals, Bug Fixes
634 Sort NS addresses by speed and remove old ones.
637 :tags: Internals, Improvements
641 Add support for Botan 2.x and remove support for Botan 1.10.
644 :tags: Internals, Bug Fixes
647 Purge ``nsSpeeds`` entries even if we get less than 2 new entries.
650 :tags: DNSSEC, Bug Fixes
653 Prevent possible downgrade attacks in the recursor.
659 Print more details of trust anchors. In addition, the
660 :ref:`setting-trace` output that mentions if data from authoritative
661 servers gets accepted now also prints the TTL and clarifies the
662 'place' number previously printed.
665 :tags: DNSSEC, Bug Fixes
669 Split NODATA / NXDOMAIN NSEC wildcard denial proof of
670 existence. Otherwise there is a very real risk that a NSEC will
671 cover a more specific wildcard and we end up with what looks like a
672 NXDOMAIN proof but is a NODATA one.
675 :tags: DNSSEC, Bug Fixes
678 Fix incomplete validation of cached entries.
681 :tags: DNSSEC, Bug Fixes
684 Fix going Insecure on NSEC3 hashes with too many iterations, since
685 we could have gone Bogus on a positive answer synthetized from a
686 wildcard if the corresponding NSEC3 had more iterations that we were
687 willing to accept, while the correct result is Insecure.
690 :tags: Internals, Bug Fixes
694 Add EDNS to truncated, servfail answers.
697 :tags: Internals, Improvements
700 Better support for deleting entries in ``NetmaskTree`` and
704 :tags: Internals, Bug Fixes
707 Use ``_exit()`` when we really really want to exit, for example
708 after a fatal error. This stops us dying while we die. A call to
709 ``exit()`` will trigger destructors, which may paradoxically stop
710 the process from exiting, taking down only one thread, but harming
711 the rest of the process.
714 :tags: Lua, DNSSEC, Improvements
718 Add the DNSSEC validation state to the ``DNSQuestion`` Lua object
719 (although the ability to update the validation state from these
720 hooks is postponed to after 4.1.0).
726 In the recursor secpoll code, we assumed the TXT record would be the
727 first record first record we received. Sometimes it was the RRSIG,
728 leading to a silent error, and no secpoll check. Fixed the
729 assumption, added an error.
732 :tags: Internals, Bug Fixes
735 Don't crash when asked to run with zero threads.
738 :tags: Internals, Bug Fixes
742 Only accept types not matching the query if we asked for ANY. Even
743 from forward-recurse servers.
746 :tags: Internals, Bug Fixes
750 Allow the use of a 'self-resolving' NS if cached A / AAAA
751 exists. Before this, we could skip a perfectly valid NS for which we
752 had retrieved the A and / or AAAA entries, for example via a glue.
758 Add the config-name argument to the definition of configname. There
759 was a bug where the config-name parameter was not used to change the
760 path of the config file. This meant that some commands via
761 rec_control (e.g. reload-acls) would fail when run against a
762 recursor which had config-name defined. The correct behaviour was
763 present in some, but not all, definitions of configname. (@jake2184)
767 :released: 30th of October 2017
769 The second Release Candidate contains several correctness fixes for DNSSEC,
770 mostly in the area of verifying negative responses.
773 :tags: API, Improvements
776 Improve logging for the built-in :doc:`webserver <../../http-api/index>`
777 and the :ref:`Carbon <metricscarbon>` sender.
780 :tags: DNSSEC, Bug Fixes
783 Check that the NSEC covers an empty non-terminal when looking for NODATA.
786 :tags: Improvements, Internals
790 New b.root ipv4 address (Kees Monshouwer).
793 :tags: Bug Fixes, Internals
796 Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set.
799 :tags: DNSSEC, Improvements
802 Don't directly store NSEC3 records in the positive cache.
808 Add :ref:`experimental metrics <stat-x-our-latency>` that track the time spent inside PowerDNS per query.
809 These metrics ignore time spent waiting for the network.
812 :tags: DNSSEC, Bug Fixes
816 Disable validation for infrastructure queries (e.g. when recursing for a name).
817 Also validate entries from the Negative cache if they were not validated before.
823 Add :ref:`setting-log-timestamp` setting. This option can be used to disable
824 printing timestamps to stdout, this is useful when using ``systemd-journald``
825 or another supervisor that timestamps output by itself.
832 Create :ref:`setting-socket-dir` from the init-script.
835 :tags: DNSSEC, Bug Fixes
839 Fix DNSSEC validation for denial of wildcards in negative answers and
840 denial of existence proofs in wildcard-expanded positive responses.
843 :tags: DNSSEC, Bug Fixes
846 Fix DNSSEC validation when using ``-flto``.
849 :tags: Bug Fixes, Internals
852 Fix crashes with uncaught exceptions in MThreads.
856 :released: 9th of October 2017
858 The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.
860 While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!
866 Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
869 :tags: Internals, Improvements
872 Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!)
875 :tags: Internals, Improvements
878 Add more unit tests for the NetmaskTree and ECS cache index.
884 Prevent an infinite loop if we need auth and the best match is not.
890 Be more careful about the validation of negative answers.
893 :tags: Bug Fixes, DNSSEC
896 Don't fetch the DNSKEY of a zone to validate the DS of the same zone.
903 Fix libatomic detection on ppc64. (Sander Hoentjen)
909 Switch the default webserver's ACL to ``127.0.0.1, ::1``.
916 Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)
923 Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for
924 reporting this issue!)
927 :tags: Bug Fixes, DNSSEC
930 Improve DNSSEC debug logging,
936 Add ``log-rpz-changes`` to log RPZ additions and removals.
942 Log the policy type (QName, Client IP, NS IP...) over protobuf.
948 Fix cache handling of ECS queries with a source length of 0.
954 Remove unused SortList compare operator for ComboAddress.
960 Add support for dumping the in-memory RPZ zones to a file.
967 Handle SNMP alarms so we can reconnect to the master.
973 Support for identifying devices by id such as mac address.
979 Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
982 :tags: Bug Fixes, DNSSEC
986 Add NSEC records on nx-trust cache hits.
989 :tags: Bug Fixes, DNSSEC
993 Handle NSEC wrap-around.
996 :tags: Bug Fixes, DNSSEC
1000 Fix erroneous check for section 4.1 of rfc6840.
1003 :tags: Bug Fixes, DNSSEC
1007 Handle direct NSEC queries.
1013 Remove pdns.PASS and pdns.TRUNCATE.
1019 Fix a crash when getting a public GOST key if the private one is not set.
1025 Implement dynamic cache sizeing.
1028 :tags: Bug Fixes, DNSSEC
1032 Detect zone cuts by asking for DS instead of NS.
1035 :tags: Bug Fixes, DNSSEC
1039 Do not allow direct queries for RRSIG or NSEC3.
1045 Improve dnsbulktest experience in Travis for more robustness.
1048 :tags: Improvements, DNSSEC
1051 Improve ``--quiet=false`` output to include DNSSEC and more timing details.
1057 Set ``TC=1`` if we had to omit part of the AUTHORITY section.
1060 :tags: Bug Fixes, DNSSEC
1063 The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure..
1066 :tags: Improvements, DNSSEC
1069 Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
1075 Don't negcache entries for longer than their RRSIG validity.
1081 autoconf: set ``--with-libsodium`` to ``auto``.
1087 Gracefully handle Socket::accept() returning a null pointer on EAGAIN.
1090 :version: 4.1.0-alpha1
1091 :released: 18th of July 2017
1093 This is the first release of the PowerDNS Recursor in the 4.1 release train.
1094 This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.
1101 Add server-side TCP Fast Open support.
1102 This adds a new option :ref:`setting-tcp-fast-open`.
1108 Pass ``tcp`` to :func:`gettag` to allow a script to take different actions whether a query came in over TCP or UDP.
1114 Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.
1117 :tags: Improvements, DNSSEC
1118 :pullreq: 5223, 5463, 5486, 5528
1119 :tickets: 4254, 4362, 4490, 4994
1121 Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible cornercases, adding unit tests and making the code better maintainable.
1128 Implement CNAME wildcards in recursor authoritative component.
1133 :tickets: 4939, 5075
1135 Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.
1141 Fix :class:`DNSQuestion` members alterations from Lua not being taken into account.
1144 :tags: Bug Fixes, Protobuf
1148 Fix ``remote``/``local`` inversion in :func:`preoutquery`.
1151 :tags: New Features, Scripting
1155 Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.
1158 :tags: New Features, SNMP
1159 :pullreq: 4990, 5404
1161 Add :ref:`SNMP <snmp>` support.
1167 Split SyncRes::doResolveAt, add const and static whenever possible. Possibly improving performance while making the code easier to maintain.
1173 Packet cache speedup and cleanup.
1179 Make Lua mandatory for recursor builds.
1182 :tags: Improvements, Performance
1183 :pullreq: 5103, 5487
1185 Use one listening socket per thread when reuseport is enabled.
1188 :tags: Improvements, RPZ
1191 Use the RPZ zone's TTL and add a new `maxTTL` setting.
1194 :tags: Improvements, Lua
1197 Stop (de)serializing :attr:`DNSQuestion.data`.
1200 :tags: New Features, Lua
1204 Allow access to EDNS options from the :func:`gettag` hook.
1210 Refactor the negative cache into a class.
1216 Ensure locks can not be copied.
1219 :tags: Improvements, RPZ
1220 :pullreq: 5275, 5307
1221 :tickets: 5231, 5236
1223 RPZ updates are done zone by zone, zones are now shared pointers.
1230 Only apply :ref:`setting-root-nx-trust` if the received SOA is ".".
1236 Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks.
1242 Don't throw an exception when logging to protobuf without a question set.
1245 :tags: New Features, Lua
1248 Allow retrieving stats from Lua via the :func:`getStat` call.
1251 :tags: New Features, RPZ
1255 Add support for RPZ wildcarded target names.
1261 Correctly truncate EDNS Client Subnetmasks.
1267 Only check the netmask for subnet specific cache entries.
1273 Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand.
1274 Get rid of ``SyncRes::d_nocache``, makes sure we can't get into a root refresh loop.
1275 Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components
1278 :tags: Improvements, EDNS Client Subnet
1279 :pullreq: 5461, 5472
1281 Add an ECS index to the cache
1284 :tags: New Features, EDNS Client Subnet
1290 :tags: Improvements, EDNS Client Subnet, DNSSEC
1293 Use ECS when updating the validation state if needed.
1296 :tags: Bug Fixes, API
1300 Clean up auth/recursor code mismatches in the API (Christian Hofstaedtler).
1307 Only increase ``no-packet-error`` on the first read.
1313 When dumping the cache, also dump RRSIGs.
1316 :tags: Bug Fixes, DNSSEC
1319 Fix validation at the exact RRSIG inception or expiration time.
1325 Don't always override :ref:`setting-loglevel` to 6.
1329 :pullreq: 5406, 5530
1331 Make more specific Netmasks < to less specific ones.
1337 Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread.