Changelogs for 4.1.x
====================

.. changelog::
  :version: 4.1.1
  :released: 22nd of January 2018

  This is the second release in the 4.1 train.

  This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__.

  This is a release on the stable branch, containing a fix for the
  above-mentioned security issue and several bug fixes from the
  development branch.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6215

    Correctly handle ancestor delegation NSEC{,3} for children. Fixes
    the DNSSEC validation issue found in Knot Resolver, where an NSEC{,3}
    ancestor delegation is wrongly used to prove the non-existence of an
    RR below the delegation.
    We already had the correct check for the exact owner name, but not
    for RRs below the delegation.
    (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 6209
    :tickets: 6212

    Fix to make ``primeHints`` thread-safe, otherwise there's a small
    chance on startup that the root-server IPs will be incorrect.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 6085
    :tickets: 6198

    Don't process records of a class other than IN. We don't use
    records of any class other than IN, but we used to store some of them
    in the cache, which is useless. Just skip them.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6092
    :tickets: 6199

    Fix the computation of the closest encloser for positive
    answers. When the positive answer is expanded from a wildcard with
    NSEC3, the closest encloser is not always the parent of the qname,
    depending on the number of labels in the initial wildcard.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6095
    :tickets: 6200

    Pass the correct buffer size to ``arecvfrom()``. The incorrect size
    could possibly cause DNSSEC failures.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6137
    :tickets: 6201

    Don't validate the signature for a "glue" CNAME, since anything other than
    the initial CNAME can't be considered authoritative.

.. changelog::
  :version: 4.1.0
  :released: 4th of December 2017

  This is the first release in the 4.1 train.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__.

  This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).

  - Improved DNSSEC support,
  - Improved documentation,
  - Improved RPZ support,
  - Improved EDNS Client Subnet support,
  - Support for Botan 2.x (and removal of support for Botan 1.10),
  - SNMP support,
  - Lua engine has gained access to more parts of the recursor,
  - CPU affinity can now be specified,
  - TCP Fast Open support,
  - New performance metrics.

  Changes since 4.1.0-rc3:

  .. change::
    :tags: Internals, DNSSEC, Bug Fixes
    :pullreq: 5972

    Dump the validation status of negcache entries, fix DNSSEC type.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5980

    Cache Secure validation state when inserting negcache entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5978

    Fix DNSSEC validation of DS denial from the negative cache.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5997

    Store additional records as non-auth, even on AA=1 answers.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6008

    Don't leak when loading a public ECDSA key fails.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6009

    When validating DNSKeys, the zone should be part of the signer.

.. changelog::
  :version: 4.1.0-rc3
  :released: 17th of November 2017

  The third Release Candidate adds support for Botan 2.x (and removes
  support for Botan 1.10!), has a lot of DNSSEC fixes, features a
  cleaned up web UI and has miscellaneous minor improvements.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5877
    :tickets: 1066

    Sort NS addresses by speed and remove old ones.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5498
    :tickets: 2250, 5797

    Add support for Botan 2.x and remove support for Botan 1.10.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5896

    Purge ``nsSpeeds`` entries even if we get less than 2 new entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5889

    Prevent possible downgrade attacks in the recursor.

  .. change::
    :tags: Improvements
    :pullreq: 5876

    Print more details of trust anchors. In addition, the
    :ref:`setting-trace` output that mentions if data from authoritative
    servers gets accepted now also prints the TTL and clarifies the
    'place' number previously printed.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5885
    :tickets: 5882

    Split NODATA / NXDOMAIN NSEC wildcard denial proof of
    existence. Otherwise there is a very real risk that an NSEC will
    cover a more specific wildcard and we end up with what looks like an
    NXDOMAIN proof but is a NODATA one.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5904

    Fix incomplete validation of cached entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5912

    Fix going Insecure on NSEC3 hashes with too many iterations, since
    we could have gone Bogus on a positive answer synthesized from a
    wildcard if the corresponding NSEC3 had more iterations than we were
    willing to accept, while the correct result is Insecure.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5881
    :tickets: 5618

    Add EDNS to truncated, servfail answers.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5616

    Better support for deleting entries in ``NetmaskTree`` and
    ``NetmaskGroup``.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5917

    Use ``_exit()`` when we really really want to exit, for example
    after a fatal error. This stops us dying while we die. A call to
    ``exit()`` will trigger destructors, which may paradoxically stop
    the process from exiting, taking down only one thread, but harming
    the rest of the process.

  .. change::
    :tags: Lua, DNSSEC, Improvements
    :pullreq: 5895
    :tickets: 5888

    Add the DNSSEC validation state to the ``DNSQuestion`` Lua object
    (although the ability to update the validation state from these
    hooks is postponed to after 4.1.0).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5930

    In the recursor secpoll code, we assumed the TXT record would be the
    first record we received. Sometimes it was the RRSIG,
    leading to a silent error, and no secpoll check. Fixed the
    assumption, added an error.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5938

    Don't crash when asked to run with zero threads.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5939
    :tickets: 5934

    Only accept types not matching the query if we asked for ANY. Even
    from forward-recurse servers.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5937
    :tickets: 2758

    Allow the use of a 'self-resolving' NS if cached A / AAAA
    exists. Before this, we could skip a perfectly valid NS for which we
    had retrieved the A and / or AAAA entries, for example via a glue.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5961

    Add the config-name argument to the definition of configname. There
    was a bug where the config-name parameter was not used to change the
    path of the config file. This meant that some commands via
    rec_control (e.g. reload-acls) would fail when run against a
    recursor which had config-name defined. The correct behaviour was
    present in some, but not all, definitions of configname. (@jake2184)

.. changelog::
  :version: 4.1.0-rc2
  :released: 30th of October 2017

  The second Release Candidate contains several correctness fixes for DNSSEC,
  mostly in the area of verifying negative responses.

  .. change::
    :tags: API, Improvements
    :pullreq: 5805

    Improve logging for the built-in :doc:`webserver <../../http-api/index>`
    and the :ref:`Carbon <metricscarbon>` sender.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5808

    Check that the NSEC covers an empty non-terminal when looking for NODATA.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 5824
    :tickets: 5663

    New b.root IPv4 address (Kees Monshouwer).

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5740

    Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set.

  .. change::
    :tags: DNSSEC, Improvements
    :pullreq: 5834

    Don't directly store NSEC3 records in the positive cache.

  .. change::
    :tags: Improvements
    :pullreq: 5774

    Add :ref:`experimental metrics <stat-x-our-latency>` that track the time spent inside PowerDNS per query.
    These metrics ignore time spent waiting for the network.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5835
    :tickets: 5827

    Disable validation for infrastructure queries (e.g. when recursing for a name).
    Also validate entries from the Negative cache if they were not validated before.

  .. change::
    :tags: Improvements
    :pullreq: 5842

    Add :ref:`setting-log-timestamp` setting. This option can be used to disable
    printing timestamps to stdout, which is useful when using ``systemd-journald``
    or another supervisor that timestamps output by itself.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5762
    :tickets: 5439

    Create :ref:`setting-socket-dir` from the init-script.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5868
    :tickets: 5861

    Fix DNSSEC validation for denial of wildcards in negative answers and
    denial of existence proofs in wildcard-expanded positive responses.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5873

    Fix DNSSEC validation when using ``-flto``.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5803

    Fix crashes with uncaught exceptions in MThreads.

.. changelog::
  :version: 4.1.0-rc1
  :released: 9th of October 2017

  The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

  While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

  .. change::
    :tags: Bug Fixes
    :pullreq: 5530

    Add a missing header for PRId64 in the negative cache, required on EL5/EL6.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5543

    Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!)

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5545

    Add more unit tests for the NetmaskTree and ECS cache index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5549

    Prevent an infinite loop if we need auth and the best match is not.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5570

    Be more careful about the validation of negative answers.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5569

    Don't fetch the DNSKEY of a zone to validate the DS of the same zone.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5599
    :tickets: 5456

    Fix libatomic detection on ppc64. (Sander Hoentjen)

  .. change::
    :tags: Improvements
    :pullreq: 5588

    Switch the default webserver's ACL to ``127.0.0.1, ::1``.

  .. change::
    :tags: Improvements
    :pullreq: 5598
    :tickets: 5524

    Add help text on autodetecting systemd support. (Thanks to Ruben Kerkhof for reporting!)

  .. change::
    :tags: Bug Fixes
    :pullreq: 5615
    :tickets: 5357

    Fix sortlist in the presence of CNAME. (Thanks to Benoit Perroud for
    reporting this issue!)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5614

    Improve DNSSEC debug logging.

  .. change::
    :tags: Improvements
    :pullreq: 5622

    Add ``log-rpz-changes`` to log RPZ additions and removals.

  .. change::
    :tags: Improvements
    :pullreq: 5621

    Log the policy type (QName, Client IP, NS IP...) over protobuf.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5515

    Fix cache handling of ECS queries with a source length of 0.

  .. change::
    :tags: Improvements
    :pullreq: 5637

    Remove unused SortList compare operator for ComboAddress.

  .. change::
    :tags: Improvements
    :pullreq: 5620

    Add support for dumping the in-memory RPZ zones to a file.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5328
    :tickets: 5327

    Handle SNMP alarms so we can reconnect to the master.

  .. change::
    :tags: Improvements
    :pullreq: 5646

    Support for identifying devices by ID, such as MAC address.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5662

    Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5672
    :tickets: 5649

    Add NSEC records on nx-trust cache hits.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5671
    :tickets: 5650

    Handle NSEC wrap-around.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5670
    :tickets: 5648, 5651

    Fix erroneous check for section 4.1 of RFC 6840.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5715
    :tickets: 5705

    Handle direct NSEC queries.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5739

    Remove pdns.PASS and pdns.TRUNCATE.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5734

    Fix a crash when getting a public GOST key if the private one is not set.

  .. change::
    :tags: Improvements
    :pullreq: 5699

    Implement dynamic cache sizing.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5716
    :tickets: 5681

    Detect zone cuts by asking for DS instead of NS.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5738
    :tickets: 5735

    Do not allow direct queries for RRSIG or NSEC3.

  .. change::
    :tags: Improvements
    :pullreq: 5755

    Improve dnsbulktest experience in Travis for more robustness.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5756

    Improve ``--quiet=false`` output to include DNSSEC and more timing details.

  .. change::
    :tags: Improvements
    :pullreq: 5772

    Set ``TC=1`` if we had to omit part of the AUTHORITY section.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5771

    The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5733

    Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5773

    Don't negcache entries for longer than their RRSIG validity.

  .. change::
    :tags: Improvements
    :pullreq: 5764

    autoconf: set ``--enable-libsodium`` to ``auto``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5792

    Gracefully handle Socket::accept() returning a null pointer on EAGAIN.

.. changelog::
  :version: 4.1.0-alpha1
  :released: 18th of July 2017

  This is the first release of the PowerDNS Recursor in the 4.1 release train.
  This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.

  .. change::
    :tags: New Features
    :pullreq: 5138
    :tickets: 5128

    Add server-side TCP Fast Open support.
    This adds a new option :ref:`setting-tcp-fast-open`.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag` to allow a script to take different actions depending on whether a query came in over TCP or UDP.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5223, 5463, 5486, 5528
    :tickets: 4254, 4362, 4490, 4994

    Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable.

  .. change::
    :tags: New Features
    :pullreq: 5063
    :tickets: 2818

    Implement CNAME wildcards in recursor authoritative component.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5078
    :tickets: 4939, 5075

    Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.

  .. change::
    :tags: Bug Fixes
    :pullreq: 4860

    Fix :class:`DNSQuestion` member alterations from Lua not being taken into account.

  .. change::
    :tags: Bug Fixes, Protobuf
    :pullreq: 4984
    :tickets: 4969

    Fix ``remote``/``local`` inversion in :func:`preoutquery`.

  .. change::
    :tags: New Features, Scripting
    :pullreq: 4982
    :tickets: 4981

    Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.

  .. change::
    :tags: New Features, SNMP
    :pullreq: 4990, 5404

    Add :ref:`SNMP <snmp>` support.

  .. change::
    :tags: Improvements
    :pullreq: 5106

    Split SyncRes::doResolveAt, add const and static whenever possible, possibly improving performance while making the code easier to maintain.

  .. change::
    :tags: Improvements
    :pullreq: 5102

    Packet cache speedup and cleanup.

  .. change::
    :tags: Improvements
    :pullreq: 5146

    Make Lua mandatory for recursor builds.

  .. change::
    :tags: Improvements, Performance
    :pullreq: 5103, 5487

    Use one listening socket per thread when reuseport is enabled.

  .. change::
    :tags: Improvements, RPZ
    :pullreq: 5057

    Use the RPZ zone's TTL and add a new ``maxTTL`` setting.

  .. change::
    :tags: Improvements, Lua
    :pullreq: 5141

    Stop (de)serializing :attr:`DNSQuestion.data`.

  .. change::
    :tags: New Features, Lua
    :pullreq: 5198
    :tickets: 5195

    Allow access to EDNS options from the :func:`gettag` hook.

  .. change::
    :tags: Improvements
    :pullreq: 5226

    Refactor the negative cache into a class.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5209

    Ensure locks can not be copied.

  .. change::
    :tags: Improvements, RPZ
    :pullreq: 5275, 5307
    :tickets: 5231, 5236

    RPZ updates are done zone by zone, zones are now shared pointers.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5252
    :tickets: 5246

    Only apply :ref:`setting-root-nx-trust` if the received SOA is ".".

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5312

    Don't throw an exception when logging to protobuf without a question set.

  .. change::
    :tags: New Features, Lua
    :pullreq: 5293

    Allow retrieving stats from Lua via the :func:`getStat` call.

  .. change::
    :tags: New Features, RPZ
    :pullreq: 5265
    :tickets: 5237

    Add support for RPZ wildcarded target names.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5320

    Correctly truncate EDNS Client Subnetmasks.

  .. change::
    :tags: Improvements
    :pullreq: 5319

    Only check the netmask for subnet specific cache entries.

  .. change::
    :tags: Improvements
    :pullreq: 5236

    Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand.
    Get rid of ``SyncRes::d_nocache``, making sure we can't get into a root refresh loop.
    Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components.

  .. change::
    :tags: Improvements, EDNS Client Subnet
    :pullreq: 5461, 5472

    Add an ECS index to the cache.

  .. change::
    :tags: New Features, EDNS Client Subnet
    :pullreq: 5409

    Add ECS metrics.

  .. change::
    :tags: Improvements, EDNS Client Subnet, DNSSEC
    :pullreq: 5484

    Use ECS when updating the validation state if needed.

  .. change::
    :tags: Bug Fixes, API
    :pullreq: 5466
    :tickets: 5398

    Clean up auth/recursor code mismatches in the API (Christian Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5474
    :tickets: 5474

    Only increase ``no-packet-error`` on the first read.

  .. change::
    :tags: Improvements
    :pullreq: 5511

    When dumping the cache, also dump RRSIGs.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5525

    Fix validation at the exact RRSIG inception or expiration time.

  .. change::
    :tags: Improvements
    :pullreq: 5485

    Don't always override :ref:`setting-loglevel` to 6.

  .. change::
    :tags: Improvements
    :pullreq: 5406, 5530

    Make more specific Netmasks compare as less than (<) less specific ones.

  .. change::
    :tags: New Features
    :pullreq: 5482

    Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread.
