PowerDNS Recursor 4.1.0 Release Candidate 1 Available

PowerDNS Recursor 4.1.0 RC1 is here!

The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

The full changelog looks like this:

Bug Fixes

  • #5569: Don’t fetch the DNSKEY of a zone to validate the DS of the same zone.
  • #5614: Improve DNSSEC debug logging,
  • #5672: Add NSEC records on nx-trust cache hits.
  • #5671: Handle NSEC wrap-around.
  • #5670: Fix erroneous check for section 4.1 of rfc6840.
  • #5715: Handle direct NSEC queries.
  • #5716: Detect zone cuts by asking for DS instead of NS.
  • #5738: Do not allow direct queries for RRSIG or NSEC3.
  • #5771: The target zone being insecure doesn’t mean that the denial of the DS is too, if the parent zone is Secure.
  • #5530: Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
  • #5549: Prevent an infinite loop if we need auth and the best match is not.
  • #5570: Be more careful about the validation of negative answers.
  • #5599: Fix libatomic detection on ppc64. (Sander Hoentjen)
  • #5615: Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for reporting this issue!)
  • #5515: Fix cache handling of ECS queries with a source length of 0.
  • #5328: Handle SNMP alarms so we can reconnect to the master.
  • #5662: Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
  • #5739: Remove pdns.PASS and pdns.TRUNCATE.
  • #5734: Fix a crash when getting a public GOST key if the private one is not set.
  • #5773: Don’t negcache entries for longer than their RRSIG validity.
  • #5792: Gracefully handle Socket::accept() returning a null pointer on EAGAIN.


  • #5756: Improve –quiet=false output to include DNSSEC and more timing details.
  • #5733: Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
  • #5543: Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!)
  • #5545: Add more unit tests for the NetmaskTree and ECS cache index.
  • #5588: Switch the default webserver’s ACL to, ::1.
  • #5598: Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)
  • #5622: Add log-rpz-changes to log RPZ additions and removals.
  • #5621: Log the policy type (QName, Client IP, NS IP…) over protobuf.
  • #5637: Remove unused SortList compare operator for ComboAddress.
  • #5620: Add support for dumping the in-memory RPZ zones to a file.
  • #5646: Support for identifying devices by id such as mac address.
  • #5699: Implement dynamic cache sizeing.
  • #5755: Improve dnsbulktest experience in Travis for more robustness.
  • #5772: Set TC=1 if we had to omit part of the AUTHORITY section.
  • #5764: autoconf: set –enable-libsodium to auto.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Yakkety, Xenial and Zesty are available from repo.powerdns.com.

We invite you to test this release candidate and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s