We’re happy to announce the release of the PowerDNS Recursor version 4.0.1.
This release has several improvements with regards to DNSSEC validation and it improves interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set.
- #4119 Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer)
- #4162 Don’t validate zones from the local auth store, go one level down while validating when there is a CNAME
- Don’t go bogus on islands of security
- Check all possible chains for Insecures
- Don’t go Bogus on a CNAME at the apex
- #4215 RPZ: default policy should also override local data RRs
- #4243 Fix a crash when the next name in a chained query is empty and
rec_control current-queriesis invoked
- #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
- #4140 Fix warnings with gcc on musl-libc (James Taylor)
- #4160 Also validate on +DO
- #4164 Fail to start when the lua-dns-script does not exist
- #4168 Add more Netmask methods for Lua (Aki Tuomi)
- #4210 Validate DNSSEC for security polling
- #4217 Turn on root-nx-trust by default and log-common-errors=off
- #4207 Allow for multiple trust anchors per zone
- #4242 Fix compilation warning when building without Protobuf
The sources are on the downloads site(sig). Packages for several distributions are available from our repositories.