PowerDNS Recursor 4.0.6 released!

Jul 6, 2017

This release features a fix for the ed25519 verifier. This verifier hashed the message before verifying, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes. Note that this release changes use-incoming-edns-subnet to disabled by default.

The full changelog looks like this:

Bug fixes

  • commit c24288b87: Use the incoming ECS for cache lookup if use-incoming-edns-subnet is set
  • commit b91dc6e92: when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.
  • commit 261591b6f: Don’t take the initial ECS source for a scope one if EDNS is off
  • commit 66f894b7a: also set d_requestor without Lua: the ECS logic needs it
  • commit c2086f265: Fix IXFR skipping the additions part of the last sequence
  • commit a5c9534d0: Treat requestor’s payload size lower than 512 as equal to 512
  • commit 61b1ea2f4: make URI integers 16 bits, fixes ticket #5443
  • commit 27f9da3c2: unbreak quoting; fixes ticket #5401


  • commit 2325010e6: with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
  • commit 2ec8d8148: Remove just enough entries from the cache, not one more than asked
  • commit 71df15677: Move expired cache entries to the front so they are expunged
  • commit d84834c4c: changed IPv6 addr of b.root-servers.net (Arsen Stasic)
  • commit bcce047bc: e.root-servers.net has IPv6 now (phonedph1)
  • commit cef8ec7c2: hello decaf signers (ED25519 and ED448) Testing algorithm 15: ‘Decaf ED25519′ ->’Decaf ED25519’ -> ‘Decaf ED25519’ Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: ‘Decaf ED448′ ->’Decaf ED448’ -> ‘Decaf ED448’ Signature & verify ok, signature 163usec, verify 252usec (Kees Monshouwer)
  • commit 68490a4b5: don’t use the libdecaf ed25519 signer when libsodium is enabled (Kees Monshouwer)
  • commit 5a88a8ed5: do not hash the message in the ed25519 signer (Kees Monshouwer)
  • commit 0e7893bf4: Disable use-incoming-edns-subnet by default

Tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.

About the author

Peter van Dijk

Peter van Dijk

Senior Developer at PowerDNS


Related Articles

PowerDNS Recursor 5.1.0-alpha1 Released

We are proud to announce the first alpha release of PowerDNS Recursor 5.1.0!

Otto Moerbeek May 15, 2024

PowerDNS Recursor 4.8.9, 4.9.6 and 5.0.5 Released

Today we have released PowerDNS Recursor 4.8.9, 4.9.6 and 5.0.5. These releases are maintenance releases that fix a few...

Otto Moerbeek May 14, 2024

PowerDNS Recursor Security Advisory 2024-02

Today we have released PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4. These releases fix PowerDNS Security Advisory 2024-02: if...

Otto Moerbeek Apr 24, 2024

PowerDNS Authoritative Server 4.9.0

This is release 4.9.0 of the Authoritative Server. It brings a few new features, and a collection of small improvements and...

Peter van Dijk Mar 15, 2024