Prep for 20260209 Recursor security release 16835/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Thu, 5 Feb 2026 12:02:24 +0000 (13:02 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 9 Feb 2026 12:19:34 +0000 (13:19 +0100)
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
.github/actions/spell-check/expect.txt
docs/secpoll.zone
pdns/recursordist/docs/changelog/5.1.rst
pdns/recursordist/docs/changelog/5.2.rst
pdns/recursordist/docs/changelog/5.3.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst [new file with mode: 0644]
pdns/recursordist/docs/upgrade.rst

index 33ebb16ec34341b764a22745f63f5cfe39fe2feb..8cf187b457cf5422e5a23d643ee120d454ee6842 100644 (file)
@@ -156,6 +156,7 @@ bulc
 bulletinc
 burstable
 byteslimit
+bytesperq
 bzero
 caa
 cachekey
@@ -534,6 +535,7 @@ gss
 gssapi
 gtld
 guilabel
+Guo
 gutenberg
 Gyselinck
 Haixin
@@ -632,6 +634,7 @@ Jelte
 Jermar
 Jeroen
 jessie
+Jian
 joaotavora
 jonathaneen
 Jong
@@ -1264,6 +1267,7 @@ shinsterneck
 shnya
 showdetails
 showflags
+Shuhan
 Shukla
 sidebarbgcolor
 sidebarbtncolor
@@ -1600,6 +1604,7 @@ yourdomain
 yourorganization
 yoursecret
 yubikey
+Yufan
 Yunyi
 Yuxiao
 YYYYMMD
index c1d8dd157b4b40f454122fb7c6ea8c00997e8e4c..543448bd97e54512aedfc25148af01d23c3ef370 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026012901 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026020901 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -423,7 +423,8 @@ recursor-5.1.5.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.1.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.1.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.1.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
-recursor-5.1.9.security-status                          60 IN TXT "1 OK"
+recursor-5.1.9.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.1.10.security-status                         60 IN TXT "1 OK"
 
 recursor-5.2.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -435,7 +436,8 @@ recursor-5.2.3.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.2.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.2.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.2.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
-recursor-5.2.7.security-status                          60 IN TXT "1 OK"
+recursor-5.2.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.2.8.security-status                          60 IN TXT "1 OK"
 
 recursor-5.3.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.3.0-alpha2.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -444,10 +446,11 @@ recursor-5.3.0-rc1.security-status                      60 IN TXT "3 Superseded
 recursor-5.3.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.3.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"
 recursor-5.3.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
-recursor-5.3.3.security-status                          60 IN TXT "1 OK"
-recursor-5.3.4.security-status                          60 IN TXT "1 OK"
-recursor-5.4.0-alpha1.security-status                   60 IN TXT "2 Superseded pre-release"
-recursor-5.4.0-beta1.security-status                    60 IN TXT "1 Unsupported pre-release"
+recursor-5.3.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.3.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.3.5.security-status                          60 IN TXT "1 OK"
+recursor-5.4.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.4.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html"
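Review bot: The new `recursor-5.4.0-beta1` text reports known vulnerabilities but, unlike the 5.3.3 and 5.3.4 lines added just above it, carries no advisory URL, so an operator reading the secpoll answer has nothing to follow up on. The hunk also adds no 5.4.0 pre-release with status 1 or 2, which leaves the 5.4 line without a version to move to; if a fixed pre-release exists, it is not visible here. I would point the beta at the advisory, `recursor-5.4.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"`, and add the fixed pre-release entry once it is tagged. The advisory's Affects line in this commit names only 5.1.9, 5.2.7 and 5.3.4, so it is worth confirming there whether the 5.4.0 pre-releases are covered.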
index bcea796f8d4a57892be151a23f51db4073a9728d..129186d688ebedbbca38b3e32fcd67df027c6028 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.1.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.1.10
+  :released: 9th of February 2026
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: TBD
+
+    Fix PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor.
+
 .. changelog::
   :version: 5.1.9
   :released: 8th of December 2025
index 8e82c6ff5384e36d6a2109201e0205b87f6b2ea5..a492256bde99f46c51f28c3fd20ed5cdb3977372 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.2.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.2.8
+  :released: 9th of February 2026
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: TBD
+
+    Fix PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor.
+
 .. changelog::
   :version: 5.2.7
   :released: 8th of December 2025
index 29f3d0c8bf600e7701a45251299fb0a2177d117b..01920f906f127d831cfbe75e26ca208bc1473900 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.3.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.3.5
+  :released: 9th of February 2026
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: TBD
+
+    Fix PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor.
+
 .. changelog::
   :version: 5.3.4
   :released: 14th of January 2026
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst
new file mode 100644 (file)
index 0000000..ac68210
--- /dev/null
@@ -0,0 +1,40 @@
+PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor
+==================================================================================================
+
+- CVE: CVE-2026-24027
+- Date: 9th February 2026
+- Affects: PowerDNS Recursor up and including to 5.1.9, 5.2.7 and 5.3.4
+- Not affected: PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5
+- Severity: Medium
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by publishing and querying a crafted zone that causes increased incoming network traffic.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS Score: 5.3, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Shuhan Zhang from Tsinghua University for bringing this issue to our attention.
+
+- CVE: CVE-2026-0398
+- Date: 9th February 2026
+- Affects: PowerDNS Recursor up and including to 5.1.9, 5.2.7 and 5.3.4
+- Not affected: PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5
+- Severity: Medium
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS Score: 5.3, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Yufan You from Tsinghua University for bringing this issue to our attention.
+
+We would also like to thank TaoFei Guo from Peking University and Yang Luo, JianJun Chen from
+Tsinghua University for bringing an issue of caching irrelevant records related to CNAME chains to
+our attention.
index 081e2a799bb5ab66557d3d9431778a41ee3da763..39e52172615ca1d62b9aeb14d24f8822a74ac944 100644 (file)
@@ -4,6 +4,15 @@ Upgrade Guide
 Before upgrading, it is advised to read the :doc:`changelog/index`.
 When upgrading several versions, please read **all** notes applying to the upgrade.
 
+5.1.10, 5.2.8 and 5.3.5
+-----------------------
+
+New settings
+^^^^^^^^^^^^
+- The :ref:`setting-yaml-outgoing.max_bytesperq` setting has been introduced to limit the amount of incoming bytes per client query.
+- The :ref:`setting-yaml-recordcache.max_entry_size` setting has been introduced to limit the maximum size of a stored record set.
+- The :ref:`setting-yaml-packetcache.max_entry_size` setting has been introduced to limit the maximum size of a packet cache entry.
+
 5.3.0 to master
 ---------------