-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021092302 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021092900 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
recursor-4.5.3.security-status 60 IN TXT "2 Unsupported pre-release"
recursor-4.5.4.security-status 60 IN TXT "1 OK"
recursor-4.5.5.security-status 60 IN TXT "1 OK"
+recursor-4.6.0-alpha1.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
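Review bot: the added `recursor-4.6.0-alpha1.security-status` record publishes "1 OK" for a pre-release, and nothing in this hunk records when that status should change. The neighbouring `recursor-4.5.3` record shows that status 2 ("Unsupported pre-release") is in use in this zone, so a zone-file comment or release-checklist item to downgrade the alpha entry once a later pre-release or 4.6.0 ships would keep installs that stay on the alpha from polling "1 OK" indefinitely. The SOA serial bump to 2021092900 is consistent with the 29th of September release date given in the changelog.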
--- /dev/null
+Changelogs for 4.6.X
+====================
+
+.. changelog::
+ :version: 4.6.0-alpha1
+ :released: 29th of September 2021
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10669
+
+ TCP/DoT outgoing connection pooling.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 10718
+ :tickets: 10713
+
+ Only the DNAME records are authoritative in DNAME answers.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10599
+
+ Be more strict when validating DS with respect to parent/child NSEC(3)s.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 10633
+ :tickets: 10632
+
+ Pass the Lua context to follow up queries (follow CNAME, dns64).
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10605
+ :tickets: 10554
+
+ Keep a count of per RPZ (or filter) hits.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 10622
+ :tickets: 10621
+
+ Detect a loop when the denial of the DS comes from the child zone.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10554,10738
+ :tickets: 10735
+
+ Modify per-thread cpu usage stats to be Prometheus-friendly.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10598
+
+ Refactor almost-expired code and add more detailed stats.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10546
+
+ Add dns64 metrics.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 10602
+
+ Process policy and potential Drop action after Lua hooks.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10634
+ :tickets: 10631
+
+ Move MacOS to kqueue event handler and assorted compile fixes.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 10565
+
+ Do not use DNSKEYs found below an apex for validation.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10122,10663
+ :tickets: 9077,10122
+
+ Cumulative and Prometheus friendly histograms.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10428,10659,10533
+
+ Rewrite of outgoing TCP code and implement DoT to auth or forwarders.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10467
+
+ Switch OpenBSD to kqueue event handler.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10396
+ :tickets: 10395
+
+ Take into account g_quiet when determining loglevel and change a few loglevels.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10349,10623
+
+ Move to tcpiohandler for outgoing TCP, sharing much more code with dnsdist.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10288
+
+ Deprecate offensive setting names.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10160
+
+ Implement structured logging API.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 10264
+
+ Disable PMTU for IPv6.
+
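Review bot: two entries have colliding cross-reference numbers. `10554` is listed as `:tickets:` for "Keep a count of per RPZ (or filter) hits" and as `:pullreq:` for "Modify per-thread cpu usage stats to be Prometheus-friendly", and `10122` appears as both `:pullreq:` and `:tickets:` in "Cumulative and Prometheus friendly histograms". GitHub issues and pull requests share one number sequence, so a ticket link with a PR's number just resolves to that PR; please check which issue each entry was meant to reference. Separately, the DNSSEC validation entries (stricter DS validation, DNSKEYs below an apex, DS denial loop) are single lines with no statement of observable impact; one sentence each on what changes for a validating resolver would help operators judge how much testing the alpha needs.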
.. toctree::
:maxdepth: 2
+ 4.6
4.5
4.4
4.3
handle incoming queries and distribute them to other threads based on a hash of the query, to maximize the cache hit
ratio.
-.. _settings-dot-to-auth-names:
+.. _setting-dot-to-auth-names:
``dot-to-auth-names``
---------------------
Force DoT to the listed authoritative nameservers. For this to work, DoT support has to be compiled in.
Currently, the certificate is not checked for validity in any way.
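Review bot: the context line "Currently, the certificate is not checked for validity in any way" under ``dot-to-auth-names`` states the gap but not its consequence. Without certificate validation the connection is encrypted but the server is unauthenticated, so it protects against passive observation only and not against an on-path party terminating the TLS session. Since this hunk already touches the section, consider adding that sentence here and checking whether the same caveat is stated under ``dot-to-port-853``, so that "Force DoT" is not read as authenticated transport.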
-.. _settings-dot-to-port-853:
+.. _setting-dot-to-port-853:
``dot-to-port-853``
-------------------
Time outgoing TCP/DoT connections are left idle in milliseconds or 0 if no limit. After having been idle for this time, the connection is eligible for closing.
-.. _setting-tcp-out-max-per-auth:
+.. _setting-tcp-out-max-idle-per-auth:
``tcp-out-max-idle-per-auth``
-----------------------------
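Review bot: the label above ``tcp-out-max-idle-per-auth`` changes from `setting-tcp-out-max-per-auth` to `setting-tcp-out-max-idle-per-auth`, and the two DoT labels earlier in this file lose the stray `s` in `settings-`; any `:ref:` elsewhere in the docs that still uses an old target will silently stop resolving. The upgrade guide in this same patch references the new names, which is good, but please grep the docs tree for the three old labels and build with `sphinx-build -W` so that an unresolved reference fails the build rather than shipping as a dead link.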
4.5.x to 4.6.0 or master
------------------------
+Offensive language
+^^^^^^^^^^^^^^^^^^
+Using the settings mentioned in :ref:`upgrade-offensive` now generates a warning. Please start using the new names, as the old names will be unsupported in the future.
+
+Deprecated and changed settings
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- The :ref:`setting-api-key` and :ref:`setting-webserver-password` settings now accept a hashed and salted version (if the support is available in the openssl library used).
+- The :ref:`setting-dot-to-auth-names` setting to list nameservers that should be contacted over DoT has been introduced.
+- The :ref:`setting-dot-to-port-853` setting to specify that nameservers or forwarders using port 853 should be contacted over DoT has been introduced.
+- The :ref:`setting-ignore-unknown-settings` setting has been introduced to make it easier to switch between recursor versions supporting different settings.
+- The :ref:`setting-webserver-hash-plaintext-credentials` has been introduced to avoid keeping cleartext sensitive information in memory.
+- The :ref:`setting-tcp-out-max-idle-ms`, :ref:`setting-tcp-out-max-idle-per-auth`, :ref:`setting-tcp-out-max-queries` and :ref:`setting-tcp-out-max-idle-per-thread` settings have been introduced to control the new TCP/DoT outgoing connections pooling. This mechanism keeps connections to authoritative servers or forwarders open for later re-use.
+
+
4.5.1 to 4.5.2
--------------
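Review bot: the first bullet under "Deprecated and changed settings" says hashed and salted values are accepted "if the support is available in the openssl library used" but does not say what the recursor does with a hashed value when that support is missing, nor how the hashed value is produced. For credentials this matters: please state the failure behaviour explicitly and link to the section that explains how to generate the hash. Two smaller points: the remaining bullets all introduce new settings, so a "New settings" heading would describe them better than "Deprecated and changed settings", and the ``webserver-hash-plaintext-credentials`` bullet is missing the word "setting" after the reference. The two DoT bullets should also carry, or link to, the caveat from the settings page that the certificate is not validated.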
4.4.x to 4.5.1
--------------
+.. _upgrade-offensive:
+
Offensive language
^^^^^^^^^^^^^^^^^^
Synonyms for various settings names containing ``master``, ``slave``,