This is the second release in the 4.1 train.
This release fixes PowerDNS Security Advisory 2018-01.
The full release notes can be read on the blog.
This is a release on the stable branch, containing a fix for the abovementioned security issue and several bug fixes from the development branch.
Don’t process records for another class than IN. We don’t use records of another class than IN, but we used to store some of them in the cache, which is useless. Just skip them.
References: #6198, pull request 6085
Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where an NSEC{,3} ancestor delegation is wrongly used to prove the non-existence of an RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)
References: pull request 6215
Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always the parent of the qname, depending on the number of labels in the initial wildcard.
References: #6199, pull request 6092
Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.
References: #6200, pull request 6095
Fix to make primeHints thread-safe, otherwise there’s a small chance on startup that the root-server IPs will be incorrect.
References: #6212, pull request 6209
Don’t validate signature for “glue” CNAME, since anything other than the initial CNAME can’t be considered authoritative.
References: #6201, pull request 6137
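The ancestor delegation fix listed above (Security Advisory 2018-01), as an added example that is not PowerDNS code and not part of the original changelog: an NSEC with NS set, SOA clear and a signer above its owner can still cover names below the delegation in canonical order, so it must be refused as a denial proof for them. The `Nsec` struct, the function names and the sample names are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed, simplified NSEC view; names are absolute, written without trailing dot.
struct Nsec { std::string owner, next, signer; bool hasNS, hasSOA; };

// Lowercased labels, rightmost first, so vector '<' gives DNSSEC canonical name order.
static std::vector<std::string> labels(std::string name) {
  std::transform(name.begin(), name.end(), name.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  std::vector<std::string> out;
  for (std::size_t end = name.size(); end > 0;) {
    std::size_t dot = name.rfind('.', end - 1);
    std::size_t start = (dot == std::string::npos) ? 0 : dot + 1;
    out.push_back(name.substr(start, end - start));
    end = (start == 0) ? 0 : dot;
  }
  return out;
}

// Naive proof: qname sorts strictly between owner and next (with wrap-around at zone end).
static bool covers(const Nsec& n, const std::string& qname) {
  auto o = labels(n.owner), q = labels(qname), x = labels(n.next);
  return (o < x) ? (o < q && q < x) : (o < q || q < x);
}

// True when 'name' is equal to or below 'parent'.
static bool isPartOf(const std::string& name, const std::string& parent) {
  auto n = labels(name), p = labels(parent);
  return n.size() >= p.size() && std::equal(p.begin(), p.end(), n.begin());
}

// Ancestor delegation NSEC: NS set, SOA clear, signed by a zone strictly above the owner.
static bool isAncestorDelegation(const Nsec& n) {
  return n.hasNS && !n.hasSOA && isPartOf(n.owner, n.signer) &&
         labels(n.signer).size() < labels(n.owner).size();
}

// Hardened proof: such an NSEC says nothing about names at or below its owner.
static bool strictDenies(const Nsec& n, const std::string& qname) {
  if (isAncestorDelegation(n) && isPartOf(qname, n.owner)) return false;
  return covers(n, qname);
}

int main() {
  Nsec deleg{"child.example", "d.example", "example", true, false};  // constructed sample
  return (covers(deleg, "www.child.example") && !strictDenies(deleg, "www.child.example")) ? 0 : 1;
}
```

The same NSEC remains a valid proof for a sibling name such as `cz.example`, which sorts inside the interval but is not below the delegation.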
This is the first release in the 4.1 train.
The full release notes can be read on the blog.
This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).
Changes since 4.1.0-rc3:
Dump the validation status of negcache entries, fix DNSSEC type.
References: pull request 5972
Fix DNSSEC validation of DS denial from the negative cache.
References: pull request 5978
Store additional records as non-auth, even on AA=1 answers.
References: pull request 5997
Don’t leak when loading a public ECDSA key fails.
References: pull request 6008
When validating DNSKeys, the zone should be part of the signer.
References: pull request 6009
Cache Secure validation state when inserting negcache entries.
References: pull request 5980
The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has a lot of DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.
Add the DNSSEC validation state to the DNSQuestion Lua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).
References: #5888, pull request 5895
Add support for Botan 2.x and remove support for Botan 1.10.
References: #5797, #2250, pull request 5498
Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.
References: pull request 5876
Better support for deleting entries in NetmaskTree and NetmaskGroup.
References: pull request 5616
Prevent possible downgrade attacks in the recursor.
References: pull request 5889
Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that an NSEC will cover a more specific wildcard and we end up with what looks like an NXDOMAIN proof but is a NODATA one.
References: #5882, pull request 5885
Fix incomplete validation of cached entries.
References: pull request 5904
Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthesized from a wildcard if the corresponding NSEC3 had more iterations than we were willing to accept, while the correct result is Insecure.
References: pull request 5912
Sort NS addresses by speed and remove old ones.
References: #1066, pull request 5877
Purge nsSpeeds entries even if we get less than 2 new entries.
References: pull request 5896
Add EDNS to truncated, servfail answers.
References: #5618, pull request 5881
Use _exit() when we really really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.
References: pull request 5917
In the recursor secpoll code, we assumed the TXT record would be the first record we received. Sometimes it was the RRSIG, leading to a silent error, and no secpoll check. Fixed the assumption, added an error.
References: pull request 5930
Don’t crash when asked to run with zero threads.
References: pull request 5938
Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.
References: #5934, pull request 5939
Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.
References: #2758, pull request 5937
Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)
References: pull request 5961
The second Release Candidate contains several correctness fixes for DNSSEC, mostly in the area of verifying negative responses.
Don’t directly store NSEC3 records in the positive cache.
References: pull request 5834
Improve logging for the built-in webserver and the Carbon sender.
References: pull request 5805
New b.root IPv4 address (Kees Monshouwer).
References: #5663, pull request 5824
Add experimental metrics that track the time spent inside PowerDNS per query. These metrics ignore time spent waiting for the network.
References: pull request 5774
Add log-timestamp setting. This option can be used to disable printing timestamps to stdout, which is useful when using systemd-journald or another supervisor that timestamps output by itself.
References: pull request 5842
Check that the NSEC covers an empty non-terminal when looking for NODATA.
References: pull request 5808
Disable validation for infrastructure queries (e.g. when recursing for a name). Also validate entries from the Negative cache if they were not validated before.
References: #5827, pull request 5835
Fix DNSSEC validation for denial of wildcards in negative answers and denial of existence proofs in wildcard-expanded positive responses.
References: #5861, pull request 5868
Fix DNSSEC validation when using -flto.
References: pull request 5873
Lowercase all outgoing qnames when lowercase-outgoing is set.
References: pull request 5740
Create socket-dir from the init-script.
References: #5439, pull request 5762
Fix crashes with uncaught exceptions in MThreads.
References: pull request 5803
The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.
While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!
Improve --quiet=false output to include DNSSEC and more timing details.
References: pull request 5756
Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
References: pull request 5733
Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!)
References: pull request 5543
Add more unit tests for the NetmaskTree and ECS cache index.
References: pull request 5545
Switch the default webserver’s ACL to 127.0.0.1, ::1.
References: pull request 5588
Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)
References: #5524, pull request 5598
Add log-rpz-changes to log RPZ additions and removals.
References: pull request 5622
Log the policy type (QName, Client IP, NS IP…) over protobuf.
References: pull request 5621
Remove unused SortList compare operator for ComboAddress.
References: pull request 5637
Add support for dumping the in-memory RPZ zones to a file.
References: pull request 5620
Support for identifying devices by id such as MAC address.
References: pull request 5646
Implement dynamic cache sizing.
References: pull request 5699
Improve dnsbulktest experience in Travis for more robustness.
References: pull request 5755
Set TC=1 if we had to omit part of the AUTHORITY section.
References: pull request 5772
autoconf: set --enable-libsodium to auto.
References: pull request 5764
Don’t fetch the DNSKEY of a zone to validate the DS of the same zone.
References: pull request 5569
Improve DNSSEC debug logging.
References: pull request 5614
Add NSEC records on nx-trust cache hits.
References: #5649, pull request 5672
Handle NSEC wrap-around.
References: #5650, pull request 5671
Fix erroneous check for section 4.1 of RFC 6840.
References: #5648, #5651, pull request 5670
Handle direct NSEC queries.
References: #5705, pull request 5715
Detect zone cuts by asking for DS instead of NS.
References: #5681, pull request 5716
Do not allow direct queries for RRSIG or NSEC3.
References: #5735, pull request 5738
The target zone being insecure doesn’t mean that the denial of the DS is too, if the parent zone is Secure.
References: pull request 5771
Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
References: pull request 5530
Prevent an infinite loop if we need auth and the best match is not.
References: pull request 5549
Be more careful about the validation of negative answers.
References: pull request 5570
Fix libatomic detection on ppc64. (Sander Hoentjen)
References: #5456, pull request 5599
Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for reporting this issue!)
References: #5357, pull request 5615
Fix cache handling of ECS queries with a source length of 0.
References: pull request 5515
Handle SNMP alarms so we can reconnect to the master.
References: #5327, pull request 5328
Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
References: pull request 5662
Remove pdns.PASS and pdns.TRUNCATE.
References: pull request 5739
Fix a crash when getting a public GOST key if the private one is not set.
References: pull request 5734
Don’t negcache entries for longer than their RRSIG validity.
References: pull request 5773
Gracefully handle Socket::accept() returning a null pointer on EAGAIN.
References: pull request 5792
This is the first release of the PowerDNS Recursor in the 4.1 release train. This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.
Add support for RPZ wildcarded target names.
References: #5237, pull request 5265
Add server-side TCP Fast Open support. This adds a new option tcp-fast-open.
References: #5128, pull request 5138
Pass tcp to gettag() to allow a script to take different actions whether a query came in over TCP or UDP.
References: pull request 4569
Allow setting the requestor ID field in the DNSQuestion from all hooks.
References: pull request 4569
Implement CNAME wildcards in recursor authoritative component.
References: #2818, pull request 5063
Allow returning the DNSQuestion.data table from gettag().
References: #4981, pull request 4982
References: pull request 5404, pull request 4990
Allow access to EDNS options from the gettag() hook.
References: #5195, pull request 5198
Pass tcp to gettag(), allow setting the requestor ID from hooks.
References: pull request 4569
Allow retrieving stats from Lua via the getStat() call.
References: pull request 5293
Add ECS metrics.
References: pull request 5409
Add a cpu-map directive to set CPU affinity per thread.
References: pull request 5482
Implement “on-the-fly” DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible corner cases, adding unit tests and making the code more maintainable.
References: #4994, #4362, #4254, #4490, pull request 5223, pull request 5486, pull request 5463, pull request 5528
Use ECS when updating the validation state if needed.
References: pull request 5484
Use the RPZ zone’s TTL and add a new maxTTL setting.
References: pull request 5057
RPZ updates are done zone by zone, zones are now shared pointers.
References: #5231, #5236, pull request 5275, pull request 5307
Split SyncRes::doResolveAt, add const and static whenever possible. Possibly improving performance while making the code easier to maintain.
References: pull request 5106
Packet cache speedup and cleanup.
References: pull request 5102
Make Lua mandatory for recursor builds.
References: pull request 5146
Use one listening socket per thread when reuseport is enabled.
References: pull request 5487, pull request 5103
Stop (de)serializing DNSQuestion.data.
References: pull request 5141
Refactor the negative cache into a class.
References: pull request 5226
Only check the netmask for subnet specific cache entries.
References: pull request 5319
Refactor and split SyncRes::doResolveAt(), making it easier to understand.
Get rid of SyncRes::d_nocache, makes sure we can’t get into a root refresh loop.
Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components.
References: pull request 5236
Add an ECS index to the cache.
References: pull request 5461, pull request 5472
When dumping the cache, also dump RRSIGs.
References: pull request 5511
Don’t always override loglevel to 6.
References: pull request 5485
Make more specific Netmasks < to less specific ones.
References: pull request 5406, pull request 5530
Fix validation at the exact RRSIG inception or expiration time.
References: pull request 5525
Fix remote/local inversion in preoutquery().
References: #4969, pull request 4984
Show a useful error when an invalid lua-config-file is configured.
References: #4939, #5075, pull request 5078
Fix DNSQuestion members alterations from Lua not being taken into account.
References: pull request 4860
Ensure locks can not be copied.
References: pull request 5209
Only apply root-nx-trust if the received SOA is “.”.
References: #5246, pull request 5252
Don’t throw an exception when logging to protobuf without a question set.
References: pull request 5312
Correctly truncate EDNS Client Subnetmasks.
References: pull request 5320
Clean up auth/recursor code mismatches in the API (Christian Hofstaedtler).
References: #5398, pull request 5466
Only increase no-packet-error on the first read.
References: #5474, pull request 5474