We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code.
The following PowerDNS Security Advisories are fixed:
- 2016-02: Crafted queries can cause abnormal CPU usage
- 2016-04: Insufficient validation of TSIG signatures
The full changelog is available; highlights include:
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
- Add `max-recursion-depth` to limit the number of internal recursions
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache aware of forwarded zones
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don’t go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones
Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily, and CentOS 6 and 7 are available from our repositories.