We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code.
The following PowerDNS Security Advisories are fixes:
- 2016-02: Crafted queries can cause abnormal CPU usage
- 2016-04: Insufficient validation of TSIG signatures
Minimal patches are available for those unable to fully upgrade (2016-02, 2016-04)
The full changelog is available, highlights include:
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
- Add `max-recursion-depth` to limit the number of internal recursion
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache forwarded zones aware
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don’t go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones
We recommend all users of the Recursor to upgrade to this version. Tarballs with sources are available (signature).
Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.