Today we are releasing the first release candidate of version 4.0.5 of the PowerDNS Recursor. The most import change is the addition of the KSK-2017, the new root key for DNSSEC, that will be used to sign the root starting October 11th 2017 (read more about the keyroll). If you do DNSSEC validation, upgrading is mandatory to continue to validate DNSSEC after October 11th 2017! Also on the DNSSEC front, Kees Monshouwer added support for validating ed25519 (algorithm 15) signatures when linked against libsodium. Packages supplied by us have this support enabled.
The RPZ module has also seen a steady number of improvements, one is support for RPZ wildcard target names and several stability and performance improvements.
The full changelog looks like this:
Bug fixes
- commit bdaa8ad: Only check the netmask for subnet specific cache entries
- commit 233e144: Fix a race condition when (re)priming the root
- commit 3642cb3: Don’t age the root
- commit 83f9226: Fix exception when sending a protobuf message for an empty question
- commit 86c4ed0: Clear the RPZ NS IP table when clearing the policy
- commit ffdd813: LuaWrapper: Allow embedded NULs in strings received from Lua
- commit 5e660e9: Fix cache-only queries against a forward-zone
- commit c5ffd90: Fix coredumps on illumos/SmartOS (Roman Dayneko)
- commit 651c0e9: StateHolder: Allocate (and copy if needed) before taking the lock
- commit 5bec36e: Make sure
labelsToAddis not empty ingetZoneCuts() - commit 547d68f: SuffixMatchNode: Fix insertion issue for an existing node
- commit 2875033: rec: only delegate if NS’s are below apex in auth-zones
- commit e7c183d: remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, to address ticket #4799
- commit af76224: Lowercase the TSIG algorithm name in hash computation
- commit 3ada4e2: Fix negative port detection for IPv6 addresses on 32-bit
- commit 0f59e05: Wait until after daemonizing to start the outgoing protobuf thread
Additions and Enhancements
- commit 7705e1c: Add support for RPZ wildcarded target names
- commit 1909556: Add the 2017 root key
- commit dff1a11: Refuse to start with chroot set in a systemd env
- commit abfe671 and commit 7abbb2c: Update Ed25519 algorithm number and mnemonic and hook up to the Recursor (Kees Monshouwer)
- commit a052d53: Store the RPZ policies in an unordered_map instead of a map
- commit 5a38a56: Handle exceptions raised by
closesocket() - commit 064444d and commit ef43662: Update the rec_control(1) manpage (phonedph1)
- commit 94e6e8a: RPZ: log additions/removals at debug, not info
- commit b627731: Unconfuse the RPZ summary
- commit 502a850: g.root-servers.net added IPv6 (Kevin Otte)
- commit 7a2a645: Log outgoing queries / incoming responses via protobuf
Tarballs (sig) and packages for different operating systems can be downloaded from the downloads website. The packages are versioned so that users of the 4.0.x repositories can download and install them (using dpkg -i or rpm -U) and when the final release of 4.0.5 is added to the repositories, the package will be upgraded to the version in the repository.
Please test these packages and provide feedback.
