PowerDNS Recursor 4.5.6 Released

We are proud to announce the release of PowerDNS Recursor 4.5.6.

This release contains fixes to the way RPZ updates are handled and a fix to a case where traffic to a forwarder could be throttled while it should not. Additionally a few minor DNSSEC validation issues and a case where the combining of equivalent queries wasn’t effective were resolved.

Please refer to the change log for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball and signature are available from our download server and packages for several distributions are available from our repository.

With the earlier 4.5.1 release, the 4.2.x releases is EOL and the 4.3.x and 4.4.x releases went into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS Recursor 4.4.6 Released

We are proud to announce the release of PowerDNS Recursor 4.4.6.

This release contains fixes to the way RPZ updates are handled and a fix to a case where traffic to a forwarder could be throttled while it should not.

Please refer to the change log for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball and signature are available from our download server and packages for several distributions are available from our repository.

With the earlier 4.5.1 release, the 4.2.x releases is EOL and the 4.3.x and 4.4.x releases went into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

First Alpha Release for Authoritative Server 4.6.0

Hello!

Today we released the first Alpha version for Authoritative Server version 4.6.0.

Version 4.6.0 mostly brings small improvements and fixes, but there are two notable new features:

  • support for incoming PROXY headers
  • support for EDNS cookies

Support for PROXY headers allows you to put a load balancer (such as dnsdist) in front of the Authoritative Server, while still having the Auth see the actual IPs of clients talking to it.

EDNS Cookies allow resolvers that support it to have an extra layer of authentication on their communication with the Authoritative Server.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Alpha release of PowerDNS Recursor 4.6.0

We are proud to announce the first alpha release of PowerDNS Recursor 4.6.0.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains two major sets of changes:

  • a rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders,
  • many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the final 4.6 release, the 4.3.x releases will be EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

First alpha release of dnsdist 1.7.0

Hello!

We are proud to announce the first alpha release of dnsdist 1.7.0. This release contains several new exciting features, as well as improvements and bug fixes.

In our view, the most exciting new feature is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do “cross-protocol” queries, meaning a query received over a given protocol (UDP, TCP, DoT, DoH, …) can be forwarded over a different one. Now that dnsdist is capable of contacting its backend over an encrypted channel, full end-to-end encryption is possible, offering improved confidentiality and integrity.

This release also reduces the memory footprint of dnsdist in several places, which makes it easier to use in resource-constrained environments.

We added support for generating the still experimental SVCB and HTTPS records directly from dnsdist, offering potential benefits to both performance and privacy.

Our LMDB code has gained the ability to do range-based lookups, and is now more performant even for simple lookups.

Extending the per-thread custom load-balancing policies introduced in 1.6.0, it is now possible to write blazing-fast, lock-less per-thread custom actions using the Lua foreign function interface.

Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, making it possible to reuse a TCP connection used for a zone transfer much more efficiently.

Holger Hoffstätte also improved the reporting of an unavailable backend, making sure the existing metrics are no longer reported to prevent any confusion.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster, Bullseye, and Ubuntu Bionic and Focal are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x releases will go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!

dnsdist 1.6.1 released

Hello!

We are happy to release dnsdist 1.6.1 today, a maintenance release fixing a few bugs reported since 1.6.0:

  • Adding ECS failed for queries with records in the answer or additional section (Dimitrios Mavrommatis)
  • The transport was not properly set in dnstap and protobuf messages for DoH queries
  • The outstanding queries counter was not properly reset when some TCP I/O errors occurred
  • The ability to load a new certificate on a DoH frontend was missing
  • A missing header could have caused a compilation issue on some platforms

As usual there were also other smaller enhancements and fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The release tarball (signature) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Bullseye, and Ubuntu Bionic and Focal are available from our repository.

PowerDNS Recursor 4.4.5 and 4.5.5 Released

We are proud to announce the release of PowerDNS Recursor 4.4.5. and 4.5.5.

Both releases contain an improvement to work around broken authoritative servers sending replies without the “authoritative answer” (AA) bit set.

The 4.5.5 release contains a fix to an issue where an insecure domain with signatures records could be marked as bogus due to a missed zone cut and a fix to the aggressive NSEC(3) cache handling of denials of DS records.

Please refer to the change logs for the 4.4.4 and 4.5.5 releases for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.4.5, 4.5.5) and signatures (4.4.5, 4.5.5) are available from our download server and packages for several distributions are available from our repository.

The 4.2.x release is EOL and the 4.3.x and 4.4.x releases are in critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that starting with the 4.5 release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

security advisory 2021-01 for PowerDNS Authoritative Server 4.5.0

Hello,

today we have released PowerDNS Authoritative Server 4.5.1, fixing a remotely triggered crash present in version 4.5.0. No other versions are affected.

Tarballs and signatures are available at https://downloads.powerdns.com/releases/, and a single patch is available at https://downloads.powerdns.com/patches/2021-01/. However, 4.5.1 contains no other changes.

Please find the full text of the advisory below.

PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server

  • CVE: CVE-2021-36754
  • Date: July 26th, 2021
  • Affects: PowerDNS Authoritative version 4.5.0
  • Not affected: 4.4.x and below, 4.5.1
  • Severity: High
  • Impact: Denial of service
  • Exploit: This problem can be triggered via a specific query packet
  • Risk of system compromise: None
  • Solution: Upgrade to 4.5.1, or filter queries in dnsdist

PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2 prereleases that came before it) will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.

Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).

When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

We would like to thank Reinier Schoof and Robin Geuze of TransIP for noticing crashes in production, immediately letting us know, and helping us figure out what was happening.

PowerDNS Authoritative Server 4.5.0

Hello!

PowerDNS Authoritative Server 4.5.0 was released today.

Version 4.5.0 mostly brings small improvements and fixes, but there are two notable new features:

  • The ‘zone cache’, which allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference. Users of backends with dynamically generated zones may want to disable this or at least read the upgrade notes extremely carefully. Many thanks to Chris Hofstaedtler for implementing this. This work by Chris was supported by RcodeZero DNS.

  • Priority ordering in the AXFR queue in PowerDNS running as a secondary. Some users with a lot of domains (>100k) sometimes found real changes waiting behind signature refreshes on Thursdays. With the new ordering, those real changes can ‘skip the line’ and get deployed on your secondaries faster. Many thanks to Robin Geuze of TransIP for implementing this.

Since 4.5.0-beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.5.0-RC2

Hello!

Today we released the second, and hopefully last, Release Candidate for Authoritative Server version 4.5.0. Please try it!

Version 4.5.0 mostly brings small improvements and fixes, but there are two notable new features:

  • The ‘zone cache’, which allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference. Many thanks to Chris Hofstaedtler for implementing this.
  • Priority ordering in the AXFR queue in PowerDNS running as a secondary. Some users with a lot of domains (>100k) sometimes found real changes waiting behind signature refreshes on Thursdays. With the new ordering, those real changes can ‘skip the line’ and get deployed on your secondaries faster. Many thanks to Robin Geuze for implementing this.

Since 4.5.0-beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.