PowerDNS Recursor 4.0.5 Released!

Today we are releasing version 4.0.5 of the PowerDNS Recursor. The most important change is the addition of the KSK-2017, the new root key for DNSSEC, that will be used to sign the root starting October 11th 2017 (read more about the keyroll). If you do DNSSEC validation, upgrading is mandatory to continue to validate DNSSEC after October 11th 2017! Also on the DNSSEC front, Kees Monshouwer added support for validating ed25519 (algorithm 15) signatures when linked against libsodium. Packages supplied by us have this support enabled.

The RPZ module has also seen a steady stream of improvements, including support for RPZ wildcard target names and several stability and performance enhancements.

The full changelog looks like this:

Additions and Enhancements

  • commit 7705e1c: Add support for RPZ wildcarded target names. Fixes #5237
  • #5165: Speed up RPZ zone loading and add a zoneSizeHint parameter to rpzFile and rpzMaster for faster reloads
  • #4794: Make the RPZ summary consistent (Fixes #4342) and log additions/removals at debug level, not info
  • commit 1909556: Add the 2017 root key
  • commit abfe671 and commit 7abbb2c: Update Ed25519 algorithm number and mnemonic and hook up to the Recursor (Kees Monshouwer)
  • #5355: Add use-incoming-edns-subnet option to process and pass along ECS and fix some ECS bugs in the process
  • commit dff1a11: Refuse to start with chroot set in a systemd env (Fixes #4848)
  • commit 5a38a56: Handle exceptions raised by closesocket() to prevent process termination
  • #4619: Document missing top-pub-queries and top-pub-servfail-queries commands for rec_control (phonedph1)
  • commit 502a850: IPv6 address for g.root-servers.net added (Kevin Otte)
  • commit 7a2a645: Log outgoing queries / incoming responses via protobuf

Bug fixes

  • commit af76224: Correctly lowercase the TSIG algorithm name in hash computation, fixes #4942
  • commit 86c4ed0: Clear the RPZ NS IP table when clearing the policy, this prevents false positives
  • commit 5e660e9: Fix cache-only queries against a forward-zone, fixes #5211
  • commit 2875033: Only delegate if NSes are below apex in auth-zones, fixes #4771
  • commit e7c183d: Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes #4799
  • commit 5bec36e: Make sure labelsToAdd is not empty in getZoneCuts()
  • commit 0f59e05: Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available
  • commit 233e144: Ensure (re)priming the root never fails
  • commit 3642cb3: Don’t age the root, fixes a regression from 3.x
  • commit 83f9226: Fix exception when sending a protobuf message for an empty question
  • commit ffdd813: LuaWrapper: Allow embedded NULs in strings received from Lua
  • commit c5ffd90: Fix coredumps on illumos/SmartOS, fixes #4579 (Roman Dayneko)
  • commit 651c0e9: StateHolder: Allocate (and copy if needed) before taking the lock
  • commit 547d68f: SuffixMatchNode: Fix insertion issue for an existing node
  • commit 3ada4e2: Fix negative port detection for IPv6 addresses on 32-bit systems

The tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7, and Ubuntu 14.04, 16.04, 16.10 and 17.04 have been uploaded to our repositories.
