git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/recursordist/docs/changelog/4.1.rst
Merge pull request #7837 from aerique/feature/changelog-and-secpoll-for-rec-4.1.13
Changelogs for 4.1.x
====================

.. changelog::
  :version: 4.1.13
  :released: 21st of May 2019

  .. change::
    :tags: Improvements, Performance
    :pullreq: 7673
    :tickets: 7661

    Add the ``disable-real-memory-usage`` setting to skip expensive
    collection of detailed memory usage info.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 7816
    :tickets: 7714

    Fix DNSSEC validation of wildcards expanded onto themselves.

.. changelog::
  :version: 4.1.12
  :released: 2nd of April 2019

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 7495
    :tickets: 7494

    Correctly interpret an empty AXFR response to an IXFR query.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7647

    Provide CPU usage statistics per thread (worker & distributor).

  .. change::
    :tags: Improvements, Internals, Performance
    :pullreq: 7634
    :tickets: 7507

    Use a bounded load-balancing algorithm to distribute queries.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7651
    :tickets: 7631, 7572

    Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.

.. changelog::
  :version: 4.1.11
  :released: 1st of February 2019

  Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message.

  .. change::
    :tags: Improvements
    :pullreq: 7434

    Add an option to export only responses over protobuf to the Lua :func:`protobufServer` directive.

  .. change::
    :tags: Improvements
    :pullreq: 7430
    :tickets: 7428

    Reduce system call usage in protobuf logging. (See #7428.)

.. changelog::
  :version: 4.1.10
  :released: 24th of January 2019

  This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, so it is only relevant to people building PowerDNS Recursor from source, not to those installing it as a package from our repositories.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7403

    PowerDNS Recursor release 4.1.9 introduced a call to the Lua :func:`ipfilter` hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.

.. changelog::
  :version: 4.1.9
  :released: 21st of January 2019

  This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor:

  - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8;
  - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.

  The issues are:

  - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua;
  - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7397

    Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2019-01 <../security-advisories/powerdns-advisory-2019-01>`). Validate records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`).

  .. change::
    :tags: Improvements
    :pullreq: 7377
    :tickets: 7383

    Try another worker before failing if the first pipe was full

.. changelog::
  :version: 4.1.8
  :released: 26th of November 2018

  This release fixes :doc:`Security Advisory 2018-09 <../security-advisories/powerdns-advisory-2018-09>` that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.

  The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.

  When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7221

    Crafted query can cause a denial of service (CVE-2018-16855, PowerDNS Security Advisory :doc:`2018-09 <../security-advisories/powerdns-advisory-2018-09>`)

.. changelog::
  :version: 4.1.7
  :released: 9th of November 2018

  This release updates the mitigation for :doc:`Security Advisory 2018-07 <../security-advisories/powerdns-advisory-2018-07>`, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.

  .. change::
    :tags: Improvements
    :pullreq: 7172

    Revert 'Keep the EDNS status of a server on FormErr with EDNS'

  .. change::
    :tags: Improvements
    :pullreq: 7174

    Refuse queries for all meta-types

.. changelog::
  :version: 4.1.6
  :released: 7th of November 2018

  This release reverts `#6980 <https://github.com/PowerDNS/pdns/pull/6980>`__, which could lead to DNSSEC validation issues.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7159
    :tickets: 7158

    Revert "rec: Authority records in AA=1 CNAME answer are authoritative".

.. changelog::
  :version: 4.1.5
  :released: 6th of November 2018

  This release fixes the following security advisories:

  - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851)
  - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626)
  - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`)

  Additionally there are some other minor fixes and improvements listed below.

  .. change::
    :tags: Improvements, Lua
    :pullreq: 6919
    :tickets: 6848

    Add pdnslog to Lua configuration scripts (Chris Hofstaedtler)

  .. change::
    :tags: Bug Fixes
    :pullreq: 6961
    :tickets: 6960

    Cleanup the netmask trees used for the ecs index on removals

  .. change::
    :tags: Bug Fixes
    :pullreq: 6963
    :tickets: 6605

    Make sure that the ECS scope from the auth is < to the source

  .. change::
    :tags: Bug Fixes, RPZ, Internals
    :pullreq: 6984
    :tickets: 6792

    Delay the creation of RPZ threads until we have dropped privileges

  .. change::
    :tags: Bug Fixes
    :pullreq: 6980
    :tickets: 6979

    Authority records in aa=1 cname answer are authoritative

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 7073

    Avoid a memory leak in catch-all exception handler

  .. change::
    :tags: Bug Fixes
    :pullreq: 6741
    :tickets: 6340

    Don't require authoritative answers for forward-recurse zones

  .. change::
    :tags: Improvements
    :pullreq: 6948
    :tickets: 6943

    Fix compilation with LibreSSL 2.7.0+

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6917

    Release memory in case of error in the OpenSSL ECDSA constructor

  .. change::
    :tags: Bug Fixes
    :pullreq: 6925
    :tickets: 6924

    Convert a few uses to toLogString to print DNSNames that may be empty in a safer manner

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6945

    Avoid a crash on DEC Alpha systems

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6951
    :tickets: 6949

    Clear all caches on (N)TA changes

  .. change::
    :tags: Improvements
    :pullreq: 7004
    :tickets: 6989, 6991

    Export outgoing ECS value and server ID in protobuf (if any)

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7122
    :tickets: 7040

    Switch to devtoolset 7 for el6

  .. change::
    :tags: Improvements
    :pullreq: 7125
    :tickets: 7081

    Allow the signature inception to be off by a number of seconds. (Kees Monshouwer)

.. changelog::
  :version: 4.1.4
  :released: 31st of August 2018

  .. change::
    :tags: Improvements
    :pullreq: 6436

    Split ``pdns_enable_unit_tests``. (Chris Hofstaedtler)

  .. change::
    :tags: Bug Fixes
    :pullreq: 6465
    :tickets: 6462

    Don't account chained queries more than once.

  .. change::
    :tags: Improvements
    :pullreq: 6518

    Add a new :ref:`setting-max-udp-queries-per-round` setting.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6557
    :tickets: 6536

    Make :doc:`../../manpages/rec_control.1` respect :ref:`setting-include-dir`.

  .. change::
    :tags: Improvements
    :pullreq: 6590

    Fix warnings reported by gcc 8.1.0.

  .. change::
    :tags: Improvements
    :pullreq: 6809

    Tests: replace awk command by perl.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6812
    :tickets: 6567

    Load Lua scripts only in worker threads.

  .. change::
    :tags: Improvements
    :pullreq: 6720

    Allow the SNMP thread to retrieve statistics.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6873

    Purge all auth/forward zone data including subtree. (@phonedph1)

.. changelog::
  :version: 4.1.3
  :released: 22nd of May 2018

  This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6469

    Respect the ``AXFR`` timeout while connecting to the ``RPZ`` server.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6467

    Don't increase the ``DNSSEC`` validations counters when running with ``process-no-validate``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6313

    Count a lookup into an internal auth zone as a cache miss.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6588
    :tickets: 6237

    Delay the loading of ``RPZ`` zones until the parsing is done, fixing a race condition.

  .. change::
    :tags: Improvements
    :pullreq: 6567

    Move carbon/webserver/control/stats handling to a separate thread.

  .. change::
    :tags: Improvements
    :pullreq: 6566

    Use a separate, non-blocking pipe to distribute queries.

  .. change::
    :tags: Improvements
    :pullreq: 6562
    :tickets: 6550

    Add a subtree option to the :doc:`API <../http-api/index>` cache flush endpoint.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6595
    :tickets: 6542, 6516, 6358, 6517

    Reorder includes to avoid boost ``L`` conflict.

  .. change::
    :tags: Improvements
    :pullreq: 6611
    :tickets: 6130, 6610

    Update copyright years to 2018 (Matt Nordhoff).

  .. change::
    :tags: Improvements
    :pullreq: 6596, 6478
    :tickets: 6474

    Fix a warning on botan >= 2.5.0.

  .. change::
    :tags: Improvements
    :pullreq: 6583

    Add ``_raw`` versions for ``QName`` / ``ComboAddresses`` to the ``FFI`` API.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6586
    :tickets: 6505

    Use canonical ordering in the ``ECS`` index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6514, 6630

    Add ``-rdynamic`` to ``C{,XX}FLAGS`` when we build with ``LuaJIT``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6418
    :tickets: 6179

    Increase ``MTasker`` stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6419
    :tickets: 6086

    Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6850
    :tickets: 6849

    Disable only our own TCP listening socket when reuseport is enabled

.. changelog::
  :version: 4.1.2
  :released: 29th of March 2018

  This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.

  .. change::
    :tags: Improvements
    :pullreq: 6298, 6303, 6290, 6268

    Add the option to set the AXFR timeout for RPZs.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6336, 6237, 6293
    :tickets: 6238

    Retry loading RPZ zones from server when they fail initially.

  .. change::
    :tags: Improvements
    :pullreq: 6172

    IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6300

    Fix ECS-based cache entry refresh code.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6320
    :tickets: 6319

    Fix ECS-specific NS AAAA not being returned from the cache.

  .. change::
    :tags: Improvements
    :pullreq: 6379
    :tickets: 6225

    Add :doc:`RPZ statistics endpoint <../http-api/endpoint-rpz-stats>` to the :doc:`API <../http-api/index>`.

  .. change::
    :tags: New Features
    :pullreq: 6344

    Add FFI version of :func:`gettag`.

.. changelog::
  :version: 4.1.1
  :released: 22nd of January 2018

  This is the second release in the 4.1 train.

  This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__.

  This is a release on the stable branch, containing a fix for the
  above-mentioned security issue and several bug fixes from the
  development branch.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6215

    Correctly handle ancestor delegation NSEC{,3} for children. Fixes
    the DNSSEC validation issue found in Knot Resolver, where a NSEC{3}
    ancestor delegation is wrongly used to prove the non-existence of a
    RR below the delegation.
    We already had the correct check for the exact owner name, but not
    for RRs below the delegation.
    (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 6209
    :tickets: 6212

    Fix to make ``primeHints`` threadsafe, otherwise there's a small
    chance on startup that the root-server IPs will be incorrect.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 6085
    :tickets: 6198

    Don't process records for another class than IN. We don't use
    records of another class than IN, but we used to store some of them
    in the cache which is useless. Just skip them.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6092
    :tickets: 6199

    Fix the computation of the closest encloser for positive
    answers. When the positive answer is expanded from a wildcard with
    NSEC3, the closest encloser is not always parent of the qname,
    depending on the number of labels in the initial wildcard.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6095
    :tickets: 6200

    Pass the correct buffer size to ``arecvfrom()``. The incorrect size
    could possibly cause DNSSEC failures.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6137
    :tickets: 6201

    Don't validate signature for "glue" CNAME, since anything else than
    the initial CNAME can't be considered authoritative.

.. changelog::
  :version: 4.1.0
  :released: 4th of December 2017

  This is the first release in the 4.1 train.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__.

  This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).

  - Improved DNSSEC support,
  - Improved documentation,
  - Improved RPZ support,
  - Improved EDNS Client Subnet support,
  - Support for Botan 2.x (and removal of support for Botan 1.10),
  - SNMP support,
  - Lua engine has gained access to more parts of the recursor,
  - CPU affinity can now be specified,
  - TCP Fast Open support,
  - New performance metrics.

  Changes since 4.1.0-rc3:

  .. change::
    :tags: Internals, DNSSEC, Bug Fixes
    :pullreq: 5972

    Dump the validation status of negcache entries, fix DNSSEC type.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5980

    Cache Secure validation state when inserting negcache entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5978

    Fix DNSSEC validation of DS denial from the negative cache.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5997

    Store additional records as non-auth, even on AA=1 answers.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6008

    Don't leak when the loading of a public ECDSA key fails.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6009

    When validating DNSKeys, the zone should be part of the signer.

.. changelog::
  :version: 4.1.0-rc3
  :released: 17th of November 2017

  The third Release Candidate adds support for Botan 2.x (and removes
  support for Botan 1.10!), has a lot of DNSSEC fixes, features a
  cleaned up web UI and has miscellaneous minor improvements.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5877
    :tickets: 1066

    Sort NS addresses by speed and remove old ones.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5498
    :tickets: 2250, 5797

    Add support for Botan 2.x and remove support for Botan 1.10.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5896

    Purge ``nsSpeeds`` entries even if we get less than 2 new entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5889

    Prevent possible downgrade attacks in the recursor.

  .. change::
    :tags: Improvements
    :pullreq: 5876

    Print more details of trust anchors. In addition, the
    :ref:`setting-trace` output that mentions if data from authoritative
    servers gets accepted now also prints the TTL and clarifies the
    'place' number previously printed.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5885
    :tickets: 5882

    Split NODATA / NXDOMAIN NSEC wildcard denial proof of
    existence. Otherwise there is a very real risk that a NSEC will
    cover a more specific wildcard and we end up with what looks like a
    NXDOMAIN proof but is a NODATA one.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5904

    Fix incomplete validation of cached entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5912

    Fix going Insecure on NSEC3 hashes with too many iterations, since
    we could have gone Bogus on a positive answer synthesized from a
    wildcard if the corresponding NSEC3 had more iterations than we were
    willing to accept, while the correct result is Insecure.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5881
    :tickets: 5618

    Add EDNS to truncated, servfail answers.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5616

    Better support for deleting entries in ``NetmaskTree`` and
    ``NetmaskGroup``.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5917

    Use ``_exit()`` when we really really want to exit, for example
    after a fatal error. This stops us dying while we die. A call to
    ``exit()`` will trigger destructors, which may paradoxically stop
    the process from exiting, taking down only one thread, but harming
    the rest of the process.

  .. change::
    :tags: Lua, DNSSEC, Improvements
    :pullreq: 5895
    :tickets: 5888

    Add the DNSSEC validation state to the ``DNSQuestion`` Lua object
    (although the ability to update the validation state from these
    hooks is postponed to after 4.1.0).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5930

    In the recursor secpoll code, we assumed the TXT record would be the
    first record we received. Sometimes it was the RRSIG,
    leading to a silent error, and no secpoll check. Fixed the
    assumption, added an error.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5938

    Don't crash when asked to run with zero threads.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5939
    :tickets: 5934

    Only accept types not matching the query if we asked for ANY. Even
    from forward-recurse servers.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5937
    :tickets: 2758

    Allow the use of a 'self-resolving' NS if cached A / AAAA
    exists. Before this, we could skip a perfectly valid NS for which we
    had retrieved the A and / or AAAA entries, for example via a glue.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5961

    Add the config-name argument to the definition of configname. There
    was a bug where the config-name parameter was not used to change the
    path of the config file. This meant that some commands via
    rec_control (e.g. reload-acls) would fail when run against a
    recursor which had config-name defined. The correct behaviour was
    present in some, but not all, definitions of configname. (@jake2184)

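The ``_exit()`` entry in the 4.1.0-rc3 list above, demonstrated as an added example (not PowerDNS code): a forked child whose global destructor never returns terminates only when it calls ``_exit()``. ``StuckResource``, ``terminateChild`` and the 500 ms grace period are assumptions made for the demonstration.

```cpp
// Added example, not PowerDNS code: exit() runs static destructors,
// _exit() terminates the process without running them.
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <cstdio>
#include <cstdlib>

// Write end of the marker pipe; only set (>= 0) inside the forked child.
static int g_markerFd = -1;

// Hypothetical stand-in for a global whose destructor waits on something
// that never finishes, e.g. a worker thread that is itself wedged.
struct StuckResource {
  ~StuckResource() {
    if (g_markerFd < 0) {
      return;  // parent process: behave like an ordinary destructor
    }
    const char marker = 'D';
    ssize_t n = write(g_markerFd, &marker, 1);  // tell the parent we got here
    (void)n;
    for (;;) {
      pause();  // simulate the wait that never completes
    }
  }
};
static StuckResource g_stuck;

struct Outcome {
  bool destructorRan;   // did the child enter ~StuckResource()?
  bool exitedOnItsOwn;  // did the child terminate without being killed?
};

// Fork a child that "handles a fatal error" by calling exit() or _exit(),
// then report what happened to it within graceMs milliseconds.
Outcome terminateChild(bool useUnderscoreExit, int graceMs = 500) {
  int fds[2];
  if (pipe(fds) != 0) {
    std::perror("pipe");
    std::abort();
  }
  std::fflush(nullptr);  // avoid duplicating buffered stdio in the child
  pid_t pid = fork();
  if (pid < 0) {
    std::perror("fork");
    std::abort();
  }
  if (pid == 0) {
    close(fds[0]);
    g_markerFd = fds[1];
    if (useUnderscoreExit) {
      _exit(EXIT_FAILURE);  // no atexit handlers, no static destructors
    }
    exit(EXIT_FAILURE);  // runs ~StuckResource(), which never returns
  }

  close(fds[1]);
  Outcome out{false, false};
  const struct timespec step = {0, 10 * 1000 * 1000};  // 10 ms
  for (int waited = 0; waited < graceMs; waited += 10) {
    if (waitpid(pid, nullptr, WNOHANG) == pid) {
      out.exitedOnItsOwn = true;
      break;
    }
    nanosleep(&step, nullptr);
  }
  if (!out.exitedOnItsOwn) {
    kill(pid, SIGKILL);  // what a supervisor would eventually have to do
    waitpid(pid, nullptr, 0);
  }
  // The child is gone, so this read returns the marker byte or EOF at once.
  char marker = 0;
  out.destructorRan = (read(fds[0], &marker, 1) == 1 && marker == 'D');
  close(fds[0]);
  return out;
}

int main() {
  Outcome viaExit = terminateChild(false);
  Outcome viaUnderscoreExit = terminateChild(true);
  std::printf("exit():  destructor ran=%d, exited on its own=%d\n",
              viaExit.destructorRan, viaExit.exitedOnItsOwn);
  std::printf("_exit(): destructor ran=%d, exited on its own=%d\n",
              viaUnderscoreExit.destructorRan, viaUnderscoreExit.exitedOnItsOwn);
  return 0;
}
```
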
.. changelog::
  :version: 4.1.0-rc2
  :released: 30th of October 2017

  The second Release Candidate contains several correctness fixes for DNSSEC,
  mostly in the area of verifying negative responses.

  .. change::
    :tags: API, Improvements
    :pullreq: 5805

    Improve logging for the built-in :doc:`webserver <../../http-api/index>`
    and the :ref:`Carbon <metricscarbon>` sender.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5808

    Check that the NSEC covers an empty non-terminal when looking for NODATA.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 5824
    :tickets: 5663

    New b.root IPv4 address (Kees Monshouwer).

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5740

    Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set.

  .. change::
    :tags: DNSSEC, Improvements
    :pullreq: 5834

    Don't directly store NSEC3 records in the positive cache.

  .. change::
    :tags: Improvements
    :pullreq: 5774

    Add :ref:`experimental metrics <stat-x-our-latency>` that track the time spent inside PowerDNS per query.
    These metrics ignore time spent waiting for the network.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5835
    :tickets: 5827

    Disable validation for infrastructure queries (e.g. when recursing for a name).
    Also validate entries from the Negative cache if they were not validated before.

  .. change::
    :tags: Improvements
    :pullreq: 5842

    Add :ref:`setting-log-timestamp` setting. This option can be used to disable
    printing timestamps to stdout; this is useful when using ``systemd-journald``
    or another supervisor that timestamps output by itself.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5762
    :tickets: 5439

    Create :ref:`setting-socket-dir` from the init-script.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5868
    :tickets: 5861

    Fix DNSSEC validation for denial of wildcards in negative answers and
    denial of existence proofs in wildcard-expanded positive responses.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5873

    Fix DNSSEC validation when using ``-flto``.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5803

    Fix crashes with uncaught exceptions in MThreads.

.. changelog::
  :version: 4.1.0-rc1
  :released: 9th of October 2017

  The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

  While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

  .. change::
    :tags: Bug Fixes
    :pullreq: 5530

    Add a missing header for PRId64 in the negative cache, required on EL5/EL6.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5543

    Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!)

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5545

    Add more unit tests for the NetmaskTree and ECS cache index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5549

    Prevent an infinite loop if we need auth and the best match is not.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5570

    Be more careful about the validation of negative answers.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5569

    Don't fetch the DNSKEY of a zone to validate the DS of the same zone.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5599
    :tickets: 5456

    Fix libatomic detection on ppc64. (Sander Hoentjen)

  .. change::
    :tags: Improvements
    :pullreq: 5588

    Switch the default webserver's ACL to ``127.0.0.1, ::1``.

  .. change::
    :tags: Improvements
    :pullreq: 5598
    :tickets: 5524

    Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)

  .. change::
    :tags: Bug Fixes
    :pullreq: 5615
    :tickets: 5357

    Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for
    reporting this issue!)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5614

    Improve DNSSEC debug logging.

  .. change::
    :tags: Improvements
    :pullreq: 5622

    Add ``log-rpz-changes`` to log RPZ additions and removals.

  .. change::
    :tags: Improvements
    :pullreq: 5621

    Log the policy type (QName, Client IP, NS IP...) over protobuf.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5515

    Fix cache handling of ECS queries with a source length of 0.

  .. change::
    :tags: Improvements
    :pullreq: 5637

    Remove unused SortList compare operator for ComboAddress.

  .. change::
    :tags: Improvements
    :pullreq: 5620

    Add support for dumping the in-memory RPZ zones to a file.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5328
    :tickets: 5327

    Handle SNMP alarms so we can reconnect to the master.

  .. change::
    :tags: Improvements
    :pullreq: 5646

    Support for identifying devices by id such as MAC address.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5662

    Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5672
    :tickets: 5649

    Add NSEC records on nx-trust cache hits.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5671
    :tickets: 5650

    Handle NSEC wrap-around.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5670
    :tickets: 5648, 5651

    Fix erroneous check for section 4.1 of RFC 6840.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5715
    :tickets: 5705

    Handle direct NSEC queries.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5739

    Remove pdns.PASS and pdns.TRUNCATE.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5734

    Fix a crash when getting a public GOST key if the private one is not set.

  .. change::
    :tags: Improvements
    :pullreq: 5699

    Implement dynamic cache sizing.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5716
    :tickets: 5681

    Detect zone cuts by asking for DS instead of NS.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5738
    :tickets: 5735

    Do not allow direct queries for RRSIG or NSEC3.

  .. change::
    :tags: Improvements
    :pullreq: 5755

    Improve dnsbulktest experience in Travis for more robustness.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5756

    Improve ``--quiet=false`` output to include DNSSEC and more timing details.

  .. change::
    :tags: Improvements
    :pullreq: 5772

    Set ``TC=1`` if we had to omit part of the AUTHORITY section.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5771

    The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5733

    Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5773

    Don't negcache entries for longer than their RRSIG validity.

  .. change::
    :tags: Improvements
    :pullreq: 5764

    autoconf: set ``--with-libsodium`` to ``auto``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5792

    Gracefully handle Socket::accept() returning a null pointer on EAGAIN.

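.. changelog::
  :version: 4.1.0-alpha1
  :released: 18th of July 2017

  This is the first release of the PowerDNS Recursor in the 4.1 release train.
  This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.

  .. change::
    :tags: New Features
    :pullreq: 5138
    :tickets: 5128

    Add server-side TCP Fast Open support.
    This adds a new option :ref:`setting-tcp-fast-open`.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag` to allow a script to take different actions whether a query came in over TCP or UDP.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5223, 5463, 5486, 5528
    :tickets: 4254, 4362, 4490, 4994

    Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable.

  .. change::
    :tags: New Features
    :pullreq: 5063
    :tickets: 2818

    Implement CNAME wildcards in recursor authoritative component.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5078
    :tickets: 4939, 5075

    Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.

  .. change::
    :tags: Bug Fixes
    :pullreq: 4860

    Fix :class:`DNSQuestion` members alterations from Lua not being taken into account.

  .. change::
    :tags: Bug Fixes, Protobuf
    :pullreq: 4984
    :tickets: 4969

    Fix ``remote``/``local`` inversion in :func:`preoutquery`.

  .. change::
    :tags: New Features, Scripting
    :pullreq: 4982
    :tickets: 4981

    Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.

  .. change::
    :tags: New Features, SNMP
    :pullreq: 4990, 5404

    Add :ref:`SNMP <snmp>` support.

  .. change::
    :tags: Improvements
    :pullreq: 5106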
1133 Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.
1134
1135 .. change::
1136 :tags: Improvements, DNSSEC
7731aeee
PL
1137 :pullreq: 5223, 5463, 5486, 5528
1138 :tickets: 4254, 4362, 4490, 4994
223bb49e 1139
4368d62f 1140 Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable.
223bb49e
PL
1141
1142 .. change::
4368d62f 1143 :tags: New Features
223bb49e
PL
1144 :pullreq: 5063
1145 :tickets: 2818
1146
1147 Implement CNAME wildcards in recursor authoritative component.
1148
1149 .. change::
1150 :tags: Bug Fixes
1151 :pullreq: 5078
1152 :tickets: 4939, 5075
1153
1154 Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.
1155
4368d62f
PL
1156 .. change::
1157 :tags: Bug Fixes
1158 :pullreq: 4860
1159
1160 Fix :class:`DNSQuestion` members alterations from Lua not being taken into account.
1161
1162 .. change::
1163 :tags: Bug Fixes, Protobuf
1164 :pullreq: 4984
1165 :tickets: 4969
1166
1167 Fix ``remote``/``local`` inversion in :func:`preoutquery`.
1168
1169 .. change::
1170 :tags: New Features, Scripting
1171 :pullreq: 4982
1172 :tickets: 4981
1173
1174 Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.
1175
1176 .. change::
1177 :tags: New Features, SNMP
1178 :pullreq: 4990, 5404
1179
1180 Add :ref:`SNMP <snmp>` support.
1181
1182 .. change::
1183 :tags: Improvements
1184 :pullreq: 5106
1185
1186 Split SyncRes::doResolveAt, add const and static whenever possible, possibly improving performance while making the code easier to maintain.
1187
1188 .. change::
1189 :tags: Improvements
1190 :pullreq: 5102
1191
1192 Packet cache speedup and cleanup.
1193
1194 .. change::
1195 :tags: Improvements
1196 :pullreq: 5146
1197
1198 Make Lua mandatory for recursor builds.
1199
1200 .. change::
1201 :tags: Improvements, Performance
1202 :pullreq: 5103, 5487
1203
1204 Use one listening socket per thread when reuseport is enabled.
1205
1206 .. change::
1207 :tags: Improvements, RPZ
1208 :pullreq: 5057
1209
1210 Use the RPZ zone's TTL and add a new ``maxTTL`` setting.
1211
1212 .. change::
1213 :tags: Improvements, Lua
1214 :pullreq: 5141
1215
1216 Stop (de)serializing :attr:`DNSQuestion.data`.
1217
1218 .. change::
1219 :tags: New Features, Lua
1220 :pullreq: 5198
1221 :tickets: 5195
1222
1223 Allow access to EDNS options from the :func:`gettag` hook.
1224
1225 .. change::
1226 :tags: Improvements
1227 :pullreq: 5226
1228
1229 Refactor the negative cache into a class.
1230
1231 .. change::
1232 :tags: Bug Fixes
1233 :pullreq: 5209
1234
1235 Ensure locks can not be copied.
1236
1237 .. change::
1238 :tags: Improvements, RPZ
1239 :pullreq: 5275, 5307
1240 :tickets: 5231, 5236
1241
1242 RPZ updates are done zone by zone, zones are now shared pointers.
1243
1244 .. change::
1245 :tags: Bug Fixes
1246 :pullreq: 5252
1247 :tickets: 5246
1248
1249 Only apply :ref:`setting-root-nx-trust` if the received SOA is ".".
1250
1251 .. change::
1252 :tags: New Features
1253 :pullreq: 4569
1254
1255 Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks.
1256
1257 .. change::
1258 :tags: Bug Fixes
1259 :pullreq: 5312
1260
1261 Don't throw an exception when logging to protobuf without a question set.
1262
1263 .. change::
1264 :tags: New Features, Lua
1265 :pullreq: 5293
1266
1267 Allow retrieving stats from Lua via the :func:`getStat` call.
1268
1269 .. change::
1270 :tags: New Features, RPZ
1271 :pullreq: 5265
1272 :tickets: 5237
1273
1274 Add support for RPZ wildcarded target names.
1275
1276 .. change::
1277 :tags: Bug Fixes
1278 :pullreq: 5320
1279
1280 Correctly truncate EDNS Client Subnet masks.
1281
1282 .. change::
1283 :tags: Improvements
1284 :pullreq: 5319
1285
1286 Only check the netmask for subnet specific cache entries.
1287
1288 .. change::
1289 :tags: Improvements
1290 :pullreq: 5236
1291
1292 Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand.
1293 Get rid of ``SyncRes::d_nocache``, make sure we can't get into a root refresh loop.
1294 Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components.
1295
1296 .. change::
1297 :tags: Improvements, EDNS Client Subnet
1298 :pullreq: 5461, 5472
1299
1300 Add an ECS index to the cache.
1301
1302 .. change::
1303 :tags: New Features, EDNS Client Subnet
1304 :pullreq: 5409
1305
1306 Add ECS metrics.
1307
1308 .. change::
1309 :tags: Improvements, EDNS Client Subnet, DNSSEC
1310 :pullreq: 5484
1311
1312 Use ECS when updating the validation state if needed.
1313
1314 .. change::
1315 :tags: Bug Fixes, API
1316 :pullreq: 5466
1317 :tickets: 5398
1318
1319 Clean up auth/recursor code mismatches in the API (Christian Hofstaedtler).
1320
1321 .. change::
1322 :tags: Bug Fixes
1323 :pullreq: 5474
1324 :tickets: 5474
1325
1326 Only increase ``no-packet-error`` on the first read.
1327
1328 .. change::
1329 :tags: Improvements
1330 :pullreq: 5511
1331
1332 When dumping the cache, also dump RRSIGs.
7731aeee
PL
1333
1334 .. change::
1335 :tags: Bug Fixes, DNSSEC
1336 :pullreq: 5525
1337
1338 Fix validation at the exact RRSIG inception or expiration time.
1339
1340 .. change::
1341 :tags: Improvements
1342 :pullreq: 5485
1343
1344 Don't always override :ref:`setting-loglevel` to 6.
1345
1346 .. change::
1347 :tags: Improvements
1348 :pullreq: 5406, 5530
1349
1350 Make more specific Netmasks compare as less than (``<``) less specific ones.
1351
1352 .. change::
1353 :tags: New Features
1354 :pullreq: 5482
1355
1356 Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread.