PowerDNS Blog

PowerDNS Authoritative Server 4.0.4 released! | PowerDNS Blog

Written by Pieter Lexis | Jun 23, 2017 4:00:00 AM

Today we are releasing version 4.0.4 of the PowerDNS Authoritative Server.

This release features a fix for the ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

The full changelog is as follows:

Bug fixes

  • #5423: Do not hash the message in the ed25519 signer (Kees Monshouwer)
  • #5445: Make URI integers 16 bits, fixes #5443
  • #5346: configure.ac: Corrects syntax error in test statement on existance of libcrypto_ecdsa (shinsterneck)
  • #5440: configure.ac: Fix quoting issue fixes #5401
  • #4824: configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5016: configure.ac: Check if we can link against libatomic if needed
  • #5341: Fix typo in ldapbackend.cc from issue #5091 (shantikulkarni)
  • #5289: Sort NSEC record case insensitive (Kees Monshouwer)
  • #5378: Make sure NSEC ordernames are always lower case
  • #4781: API: correctly take TTL from first record even if we are at the last comment (Christian Hofstaedtler)
  • #4901: Fix AtomicCounter unit tests on 32-bit
  • #4911: Fix negative port detection for IPv6 addresses on 32-bit
  • #4508: Remove support for ‘right’ timezones, as this code turned out to be broken
  • #4961: Lowercase the TSIG algorithm name in hash computation
  • #5048: Handle exceptions raised by closesocket()
  • #5297: Don’t leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend
  • #5450: TinyCDB backend: Don’t leak a CDB object in case of bogus data

Improvements

  • #5071: ODBC backend: Allow query logging
  • #5441: Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees Monshouwer)
  • #5325: YaHTTP: Sync with upstream changes
  • #5298: Send a notification to all slave servers after every dnsupdate (Kees Monshouwer)
  • #5317: Add option to set a global lua-axfr-script value (Kees Monshouwer)
  • #5130: dnsreplay: Add --source-ip and --source-port options
  • #5085: calidns: Use the correct socket family (IPv4 / IPv6)
  • #5170: Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer)
  • #4622: API: Make trailing dot handling consistent with pdnsutil (Tuxis Internet Engineering)
  • #4762: SuffixMatchNode: Fix insertion issue for an existing node
  • #4861: Do not resolve the NS-records for NOTIFY targets if the “only-notify” whitelist is empty, as a target will never match an empty whitelist.
  • #5378: Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
  • #5297: Create additional reuseport sockets before dropping privileges; remove transaction in pgpsql backend

Tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.