This is a stability, bugfix and conformity update to 3.2. It improves interoperability with various validators, either through bugfixes or by catering to their needs beyond the specifications.
New features and important changes since 3.2:
- commit 04576ee, commit b0e15c8: Implement pdnssec increase-serial, thanks Ruben d’Arco.
- commit cee857b: PowerDNS now sets additional groups while dropping privileges.
- commit 7796a3b: Merge support for include-dir directive, thanks Aki Tuomi!
- commit d725755: make pdns-static Conflict with pdns-server, closes ticket 640
- commit c0d5504: pdnssec now emits ‘INSERT INTO domain ..’ queries when running without named.conf
- commit a1d6b0c: Older versions of the BIND 9 validating recursor need a superfluous NSEC3 record on positive wildcard responses. We now send this extra NSEC3. Closes ticket 814.
- commit 07bf35d: catch a lot more errors in pdnssec and report them. Fixes ticket 588.
- commit 032e390: make pdnssec exit with 1 on some error conditions, closes ticket 677
- commit 4af49b8, commit 4cec6ac: add ability to create an ‘active’ or inactive key using add-zone-key and import-zone-key, plus silenced some debugging. Fixes ticket 707.
- commit fae4167: Compiling against Lua 5.2 (--with-lua=lua5.2) now disables some code used for regression testing, instead of breaking during compile. This means that Lua 5.2 can be used in production.
- commit abc8f3f, 357f6a7: Implement the new any-to-tcp option that, when set, always replies with a truncated response (TC=1) to ANY queries, forcing them to use TCP.
- commit 496073b: Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. Closes ticket 824.
- commit df55450: Non-DNSSEC ANY queries no longer get sent DNSSEC records. This improves interoperability with some old resolvers. Patch by Kees Monshouwer.
- commit 04b4bf6: Merge support for not using opt-out with NSEC3. Many thanks to Kees Monshouwer.
- commit 8db49a6: We now try not to NOTIFY ourselves. In convoluted cases involving REUSE_PORT and binding to 0.0.0.0 and ::, it might be possible that we guess wrong, in which case you can set prevent-self-notification to off.
Important bug fixes:
- commit 63e365d: don’t mess up encoding when copying qname from question to answer in packetcache. Based on reports & debugging by Jimmy Bergman (sigint), Daniel Norman (Loopia) and the fine people at ISC. This avoids most issues related to BIND 9 erroneously blacklisting PowerDNS for lack of EDNS support.
- commit 3526186: fix backslash handling in TXT parser, includes test. Thanks Jan-Piet Mens.
- commit 830281f, aef7330: Accept chars >127 (‘high ASCII’) in TXT records, closing ticket 541 and 723.
- commit feef1ec: fix missing NSEC3 for secure delegation, thanks Kees Monshouwer, closes ticket 682
- commit b61e407: around Thursday midnight, during signature rollovers, we would update the SOA serial too early. Fixed by reverting commit d90efbf, adding 7 days margin to inception. Fix by Kees Monshouwer.
- commit ff64750: make sure mixed-case queries get a correct apex NSEC3 type bitmap
- commit 4b153d8: always lowercase next name in NSEC to avoid interop troubles with validators, thanks Marco Davids & Matthijs Mekking.
Other changes:
- commit 49977c6: fix bug in boost.m4 where it insists on setting -L, causing useless RPATH in our binaries. Closes ticket 728
- commit 62ac758: use PolarSSL for MD5 hashing instead of shipping our own copy of md5 hashing code.
- commit 775acd9: give a better error on trying to add nsec3 parameters to a weird zone like “1 0 1 ab” (which indicates that you forgot to specify a zone name on the command line). Fixes ticket 800.
- commit 315dd2e: Simplify socket listening code, and make sure we always set the nonblocking flag correctly. Patch by Mark Zealey, closes ticket 664.
- commit b35da1b: if_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser.
- commit 71301b6: Replicate gsql backend feature of having separate -auth queries for DNSSEC into oraclebackend. Also lets you disable dnssec if you are not ready for it. Closes ticket 527.
- commit 2125dac: drop unused ignore-rd-bit flag
- commit 8c1a6d6: NSECx optimizations, thanks Kees Monshouwer.
- commit 664716a: drop unused variables in lua backend (ticket 653)
- commit d8ec70f: fix db2 backend includes (ticket 653)
- commit 6477102: add goracle schema
- commit 9118638: make goraclebackend “at least work”, closes ticket 729
- commit e0ad7bb: add DS digest type 4 to show-zone output; add algorithm names. Based on a patch by Aki Tuomi, closes ticket 744
- commit 61a7fac: enable AM_SILENT_RULES, closing ticket 647
- commit cc6bf4c: Merge branch ‘nodnssecany’ of github.com:mind04/pdns into mind04-nodnssecany
- commit 837f4b4: do a better job at escaping TXT, fixes ticket 795
- commit 6ca3fa7: add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler
- commit 6159c49: Add connection info to sql-connect message
- commit 9f62e34, commit 0fc965f, commit 2035112: Added EUI48 and EUI64 record types
- commit f9cf6d9: cut the number of database queries in half for AXFR-in
- commit c87f987: add default for SOA contact e-mail
- commit bb4a573: move random backend to modules
- commit 1071abd: restyle builtin webserver page
- commit cd5e158: correct bogus use of poll(2) related constants, improving non-Linux portability. Thanks Wouter de Jong
- commit 27ff60a: make sure our NSEC(3)s for names with spaces in them are correct. Reported by Jimmy Bergman. Includes test.
- commit 116e28a: reduce log level of successful gpgsql/gsqlite3 connection to Info
- commit b23b90a: Metadata update is now in the same transaction as the AXFR. This improves slaving speed tremendously, especially for SQLite users.
- commit 4620e8a: Added zone2json
- commit f0fa8b6: Fix remotebackend setdomainmetadata return value handling. Fix by Aki Tuomi, closes ticket 740
- commit 80e82d6: log control listener abort even more explicitly
- commit 7c0cb15, a718d74: support automake 1.12
- commit 3fe22eb, 6707cb1: update autoconf/automake preamble to non-deprecated variant, thanks Morten Stevens
- commit 6c4e531: disarm dead code that causes gcc crashes on ARM, thanks Morten Stevens
- commit 36855b5: if we failed to make a new UDP socket, we’d report a confusing error about it
- commit 1b8e5e6: autoconf support for oracle, thanks Aki Tuomi. Closes ticket 726
- commit 8ac0c06: allow setting of some oracle env vars. Patch by Aki Tuomi, closes ticket 725
- commit 45e845b: add example.rb sample script for remotebackend, thanks Aki
- commit 950bddd: add pdnssec generate-zone-key command, thanks Aki. Closes ticket 711
- commit 2c03cde: Replace select with waitForData in remotebackend. Patch by Aki Tuomi, closes ticket 715
- commit 450292c: accept ANY responses during recursive forwarding, thanks Jan-Piet Mens
- commit d9dd76b: actually clean up unix domain sockets too after use
- commit 36758d2: merge ticket 476 by Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration parameters for pdnssec.
- commit 2f2b014: apply variant of code in ticket 714 so we can launch pipe backend scripts with parameters, plus add experimental code that if pipe-command is a unix domain socket, we use that.
- commit 9566683: merge patch from ticket 712 addressing memory leak in remotebackend (thanks Aki for the fix!)
- commit fb6ed6f: explicitly set domain id during bindbackend superslave domain create, thanks Kees Monshouwer & Aki Tuomi
- commit 69bae20: use private temp dir when running under systemd, thanks Morten Stevens & Ruben Kerkhof
- commit b26a48a: fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes ticket 697
- commit da8e6ae: also answer questions with : in them
- commit ef1c4bf: also spot trailing dots on CNAME content, thanks Jan-Piet Mens and Ruben d’Arco
- commit fb31631: only setCloseOnExec on valid sockets