PowerDNS Recursor 4.4.1 and 4.3.6 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.4.1 and 4.3.6.

These releases fix a bug where a reply from an authoritative server could get lost, causing timeouts or ServFail answers to clients. Additionally, an issue resolving CNAMEs of the form a.b.c CNAME x.a.b.c when QName Minimization is enabled was fixed.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.4.1 changelog and 4.3.6 changelog for details.

The 4.4.1 tarball (signature), 4.3.6 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

4.1 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Authoritative 4.4.0-beta1

Hello!

we are very happy to announce version 4.4.0-beta1 of the Authoritative Server.

This release drops GSS/TSIG support, please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the 2136 handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, Chris Hofstaedtler, and Kevin Fleming for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor and the SAD DNS attack

Short version: the PowerDNS Recursor already implements mitigations to the SAD DNS attack. However, our users will likely be vulnerable to the most complex variant of the attack, which exploits kernel behaviour. Unfortunately that is outside our control.

Long version:

Last week, a group of researchers published a new vulnerability in DNS resolvers, that they call ‘a revival of the classic DNS cache poisoning attack’. In short, they have found tricks to get around some of the mitigations that resolver software has put in place to prevent spoofing, especially after the ‘Kaminsky Attack’ in 2008. There is an excellent explanation of the attack on the Cloudflare blog. We strongly suggest reading it to understand the full scope and impact of the attack.

PowerDNS Recursor already implements mitigations against the attack described in the paper, including port and ID randomisation, the use of connected sockets, and a ‘spoof attempt detection’ that we call a ‘near miss counter’ (see the last paragraph behind this link). This means that the only remaining avenue for an attacker is the ‘ICMP rate limit side channel’, which is a kernel problem. For Linux, a kernel patch (also linked on the SAD DNS web page) is available. We suggest asking your OS vendor for a timeline for delivering a patched kernel to you. Until then, blocking outgoing ICMP Port Unreachable messages has been suggested as a mitigation. Please note that we generally recommend against such blanket filters.

Authoritative 4.4.0-alpha3

Hello!

we are very happy to announce version 4.4.0-alpha3 of the Authoritative Server.

(A painful bug in the LMDB backend was found just as we started the Alpha 2 release process, so we decided to skip right on to Alpha 3, with that bug fixed).

This release drops GSS/TSIG support, please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the 2136 handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, and Chris Hofstaedtler for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release of PowerDNS Recursor 4.4.0

Hello!

We are proud to announce the release of PowerDNS Recursor 4.4.0.

Compared to the last release candidate, this release contains a fix for the cache pollution issue described in security advisory 2020-07. Please refer to the changelog for details.

Compared to the 4.3 release of PowerDNS Recursor, this release contains these major enhancements:

  • Native DNS64 support, without the need to use Lua.
  • The ability to add custom tags to RPZ hits.
  • Names encountered while resolving CNAMEs are now subject to RPZ processing.
  • More detailed information about RPZ handling is now available while tracing, in Lua and in the protobuf logging messages.
  • To allow more efficient use, the record cache is now shared between threads.
  • A routing tag can be added in Lua code, which will be used as an additional record cache key instead of an EDNS subnet mask, enabling for a simpler record cache structure which will enhance query processing where the EDNS subnet mask is relevant.
  • The Proxy Protocol version 2 has been implemented to allow for a structured exchange of information between a client (typically dnsdist) and the Recursor. See the documentation for details.

We are grateful to all reporters of bugs, issues, feature requests, and submitters of fixes and features. We also like to thank anybody who tested the pre-releases.

Please note that with this release, the 4.1.x branch will be marked End of Life and the 4.2.x branch will go into critical security update mode only. See our release cycle document for more details. The upgrade notes contain information that helps doing upgrades from previous versions.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.5, 4.2.5 and 4.1.18 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.5, 4.2.5. and 4.1.18, containing a security fix for CVE-2020-25829:

An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process). The severity is high for these cases.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.3.5 changelog, 4.2.5 changelog and 4.1.18 changelog for details.

The 4.3.5 tarball (signature), 4.2.5 tarball (signature) and 4.1.18 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second Release Candidate of PowerDNS Recursor 4.4.0

Hello!

We are proud to announce the second release candidate of what should become PowerDNS Recursor 4.4.0.

Compared to the first release candidate, this release contains a few enhancements and fixes a few bugs. In particular, DS records of forwarded zones are handles properly and the parsing of unknown record types has been made more strict. Note that the recursor only parses these types if read from a zone file.

Please refer to the changelog for details.

Compared to the 4.3 release of PowerDNS Recursor, this release contains these major enhancements:

  • Native DNS64 support, without the need to use Lua.
  • The ability to add custom tags to RPZ hits.
  • Names encountered while resolving CNAMEs are now subject to RPZ processing.
  • More detailed information about RPZ handling is now available while tracing, in Lua and in the protobuf logging messages.
  • To allow more efficient use, the record cache is now shared between threads.
  • A routing tag can be added in Lua code, which will be used as an additional record cache key instead of of an EDNS subnet mask, enabling for a simpler record cache structure which will enhance query processing where the EDNS subnet mask is relevant.
  • The Proxy Protocol version 2 has been implemented to allow for a structured exchange of information between a client (typically dnsdist) and the Recursor. See the documentation for details.

We are grateful to all reporters of bugs, issues, feature requests, and submitters of fixes and features. We also like to thank anybody who tested the pre-releases, and invite you to contribute to the testing of this release candidate!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Authoritative 4.4.0-alpha1

Hello!

we are very happy to announce version 4.4.0-alpha1 of the Authoritative Server.

This release drops GSS/TSIG support, please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the 2136 handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, and Chris Hofstaedtler for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

DNSDist 1.5.1 released

This release fixes a few issues discovered since 1.5.0:

  • the thread handling responses sent from a backend was not stopped when that backend was removed ;
  • getEDNSOptions() would throw an exception for queries with an empty additional section but records in the answer or authority sections ;
  • SetNegativeAndSOAAction was incorrectly adding EDNS to self-generated responses when there was no EDNS in the query ;
  • building with LLVM11 would generate an error.

It also adds a new command, clearConsoleHistory(), to prevent setups issuing a very large number of console commands from consuming too much memory.

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

PowerDNS Authoritative 4.3.1, 4.2.3 and 4.1.14

Today we have released PowerDNS Authoritative Server versions 4.3.1, 4.2.3 and 4.1.14, containing a fix for PowerDNS Security Advisory 2020-05.

Additionally, we are publishing PowerDNS Security Advisory 2020-06 today (‘Various issues have been found in our GSS-TSIG support, where an unauthorized attacker could cause crashes, possibly leak uninitialised memory, and possibly execute arbitrary code.’). Our GSS-TSIG support was never shipped in any packages by us or, to our knowledge, any other distributions. The GSS-TSIG code will be gone in version 4.4.0. We’ve chosen to leave the code intact for older versions, so that users that do rely on it today can keep doing so, keeping in mind the risks detailed in Advisory 2020-06.

Regarding 2020-05: an issue has been found in PowerDNS Authoritative Server where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR. This issue is resolved in the versions mentioned above. (4.1.14 changelog, 4.2.3 changelog)

Version 4.3.1 also contains various other bug fixes and improvements, please see the changelog for all details.

The 4.3.1 tarball (signature), 4.2.3 tarball (signature) and 4.1.14 tarball (signature) are available at downloads.powerdns.com and packages for various Linux distributions are available from our repository.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list or our IRC channel, or in case of a bug, via GitHub.