From: Otto Date: Fri, 24 Sep 2021 08:49:34 +0000 (+0200) Subject: Upgrade guide and changelog for rec-4.6.0 X-Git-Tag: auth-4.6.0-alpha1~14^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=883c75bdb580848997f1460416a75e8128493cc1;p=thirdparty%2Fpdns.git Upgrade guide and changelog for rec-4.6.0 --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 90a63b6293..dd3fec6950 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021092302 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021092900 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. @@ -272,6 +272,7 @@ recursor-4.5.2.security-status 60 IN TXT "1 OK" recursor-4.5.3.security-status 60 IN TXT "2 Unsupported pre-release" recursor-4.5.4.security-status 60 IN TXT "1 OK" recursor-4.5.5.security-status 60 IN TXT "1 OK" +recursor-4.6.0-alpha1.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/pdns/recursordist/docs/changelog/4.6.rst b/pdns/recursordist/docs/changelog/4.6.rst new file mode 100644 index 0000000000..ce65af4a45 --- /dev/null +++ b/pdns/recursordist/docs/changelog/4.6.rst 
@@ -0,0 +1,135 @@ +Changelogs for 4.6.X +==================== + +.. changelog:: + :version: 4.6.0-alpha1 + :released: 29th of September 2021 + + .. change:: + :tags: Improvements + :pullreq: 10669 + + TCP/DoT outgoing connection pooling. + + .. change:: + :tags: Bug Fixes + :pullreq: 10718 + :tickets: 10713 + + Only the DNAME records are authoritative in DNAME answers. + + .. change:: + :tags: Improvements + :pullreq: 10599 + + Be more strict when validating DS with respect to parent/child NSEC(3)s. + + .. change:: + :tags: Bug Fixes + :pullreq: 10633 + :tickets: 10632 + + Pass the Lua context to follow up queries (follow CNAME, dns64). + + .. change:: + :tags: Improvements + :pullreq: 10605 + :tickets: 10554 + + Keep a count of per RPZ (or filter) hits. + + .. change:: + :tags: Bug Fixes + :pullreq: 10622 + :tickets: 10621 + + Detect a loop when the denial of the DS comes from the child zone. + + .. change:: + :tags: Improvements + :pullreq: 10554,10738 + :tickets: 10735 + + Modify per-thread cpu usage stats to be Prometheus-friendly. + + .. change:: + :tags: Improvements + :pullreq: 10598 + + Refactor almost-expired code and add more detailed stats. + + .. change:: + :tags: Improvements + :pullreq: 10546 + + Add dns64 metrics. + + .. change:: + :tags: Bug Fixes + :pullreq: 10602 + + Process policy and potential Drop action after Lua hooks. + + .. change:: + :tags: Improvements + :pullreq: 10634 + :tickets: 10631 + + Move MacOS to kqueue event handler and assorted compile fixes. + + .. change:: + :tags: Bug Fixes + :pullreq: 10565 + + Do not use DNSKEYs found below an apex for validation. + + .. change:: + :tags: Improvements + :pullreq: 10122,10663 + :tickets: 9077,10122 + + Cumulative and Prometheus friendly histograms. + + .. change:: + :tags: Improvements + :pullreq: 10428,10659,10533 + + Rewrite of outgoing TCP code and implement DoT to auth or forwarders. + + .. change:: + :tags: Improvements + :pullreq: 10467 + + Switch OpenBSD to kqueue event handler. 
+ + .. change:: + :tags: Improvements + :pullreq: 10396 + :tickets: 10395 + + Take into account g_quiet when determining loglevel and change a few loglevels. + + .. change:: + :tags: Improvements + :pullreq: 10349,10623 + + Move to tcpiohandler for outgoing TCP, sharing much more code with dnsdist. + + .. change:: + :tags: Improvements + :pullreq: 10288 + + Deprecate offensive setting names. + + .. change:: + :tags: Improvements + :pullreq: 10160 + + Implement structured logging API. + + .. change:: + :tags: Improvements + :pullreq: 10264 + + Disable PMTU for IPv6. + diff --git a/pdns/recursordist/docs/changelog/index.rst b/pdns/recursordist/docs/changelog/index.rst index ea5fa30658..77d7f42c07 100644 --- a/pdns/recursordist/docs/changelog/index.rst +++ b/pdns/recursordist/docs/changelog/index.rst @@ -6,6 +6,7 @@ The changelogs for the recursor are split between release trains. .. toctree:: :maxdepth: 2 + 4.6 4.5 4.4 4.3 diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 2343e6cc44..eab06acac5 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -388,7 +388,7 @@ If `pdns-distributes-queries`_ is set, spawn this number of distributor threads handle incoming queries and distribute them to other threads based on a hash of the query, to maximize the cache hit ratio. -.. _settings-dot-to-auth-names: +.. _setting-dot-to-auth-names: ``dot-to-auth-names`` --------------------- @@ -400,7 +400,7 @@ ratio. Force DoT to the listed authoritative nameservers. For this to work, DoT support has to be compiled in. Currently, the certificate is not checked for validity in any way. -.. _settings-dot-to-port-853: +.. _setting-dot-to-port-853: ``dot-to-port-853`` ------------------- 
@@ -1898,7 +1898,7 @@ Enable TCP Fast Open Connect support, if available, on the outgoing connections Time outgoing TCP/DoT connections are left idle in milliseconds or 0 if no limit. After having been idle for this time, the connection is eligible for closing. -.. _setting-tcp-out-max-per-auth: +.. _setting-tcp-out-max-idle-per-auth: ``tcp-out-max-idle-per-auth`` ----------------------------- diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst index 64f0a6064e..7e73ef0c67 100644 --- a/pdns/recursordist/docs/upgrade.rst +++ b/pdns/recursordist/docs/upgrade.rst 
@@ -7,6 +7,20 @@ When upgrading several versions, please read **all** notes applying to the upgra 4.5.x to 4.6.0 or master ------------------------ +Offensive language +^^^^^^^^^^^^^^^^^^ +Using the settings mentioned in :ref:`upgrade-offensive` now generates a warning. Please start using the new names, as the old names will be unsupported in the future. + +Deprecated and changed settings +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +- The :ref:`setting-api-key` and :ref:`setting-webserver-password` settings now accept a hashed and salted version (if the support is available in the openssl library used). +- The :ref:`setting-dot-to-auth-names` setting to list nameservers that should be contacted over DoT has been introduced. +- The :ref:`setting-dot-to-port-853` setting to specify that nameservers or forwarders using port 853 should be contacted over DoT has been introduced. +- The :ref:`setting-ignore-unknown-settings` setting has been introduced to make it easier to switch between recursor versions supporting different settings. +- The :ref:`setting-webserver-hash-plaintext-credentials` has been introduced to avoid keeping cleartext sensitive information in memory. +- The :ref:`setting-tcp-out-max-idle-ms`, :ref:`setting-tcp-out-max-idle-per-auth`, :ref:`setting-tcp-out-max-queries` and :ref:`setting-tcp-out-max-idle-per-thread` settings have been introduced to control the new TCP/DoT outgoing connections pooling. This mechanism keeps connections to authoritative servers or forwarders open for later re-use. + + 4.5.1 to 4.5.2 -------------- @@ -17,6 +31,8 @@ Deprecated and changed settings 4.4.x to 4.5.1 -------------- +.. _upgrade-offensive: + Offensive language ^^^^^^^^^^^^^^^^^^ Synonyms for various settings names containing ``master``, ``slave``,
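Review bot: The new recursor-4.6.0-alpha1.security-status record in docs/secpoll.zone is published as "1 OK", while the neighbouring recursor-4.5.3 entry shows the "2 Unsupported pre-release" status this zone uses for builds that should no longer be run; make sure the alpha's entry is scheduled to be moved to that status once it is superseded, because deployed recursors poll these records to decide whether to warn their operators. The SOA serial bump to 2021092900 matches the 29th of September release date given in the new changelog, so the updated zone will propagate.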
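Review bot: Several cross references in the new pdns/recursordist/docs/changelog/4.6.rst look inconsistent: 10554 appears under :tickets: on the "Keep a count of per RPZ (or filter) hits" entry and under :pullreq: on the "Modify per-thread cpu usage stats" entry, and 10122 is listed under both :pullreq: and :tickets: of the "Cumulative and Prometheus friendly histograms" entry; since issues and pull requests share one number sequence on GitHub, one number in each pair is probably wrong, so please verify them against the repository before the release. Also consider stating in the "Rewrite of outgoing TCP code and implement DoT to auth or forwarders" entry that the peer certificate is not yet validated, as the settings.rst text for ``dot-to-auth-names`` in this same commit says, so that readers of the changelog do not take DoT to authoritatives as authenticating the upstream.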
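Review bot: The label renames in pdns/recursordist/docs/settings.rst (``settings-dot-to-auth-names`` to ``setting-dot-to-auth-names``, ``settings-dot-to-port-853`` to ``setting-dot-to-port-853``, and ``setting-tcp-out-max-per-auth`` to ``setting-tcp-out-max-idle-per-auth``) bring the labels in line with the ``setting-`` prefix that the new upgrade.rst entries reference, but the diff does not show whether anything else in the docs still points at the old labels; a Sphinx build with warnings treated as errors would catch any leftover :ref: to the removed names.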
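Review bot: The new upgrade note for :ref:`setting-dot-to-auth-names` and :ref:`setting-dot-to-port-853` says the listed nameservers "should be contacted over DoT" but omits the limitation that settings.rst in this same commit states for ``dot-to-auth-names``, "Currently, the certificate is not checked for validity in any way"; add that sentence here, since operators reading only the upgrade guide may otherwise treat DoT to authoritatives or forwarders as providing upstream authentication rather than transport encryption alone. Likewise the :ref:`setting-api-key` and :ref:`setting-webserver-password` bullet could say how the hashed and salted form is produced, or point to the section that does, so the new capability is usable from the upgrade guide.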