PowerDNS Recursor 4.1.0 RC1 is here!
The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements cover logging, RPZ and the Remote Logger.
While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!
The full changelog looks like this:
- #5569: Don’t fetch the DNSKEY of a zone to validate the DS of the same zone.
- #5614: Improve DNSSEC debug logging.
- #5672: Add NSEC records on nx-trust cache hits.
- #5671: Handle NSEC wrap-around.
- #5670: Fix erroneous check for section 4.1 of RFC 6840.
- #5715: Handle direct NSEC queries.
- #5716: Detect zone cuts by asking for DS instead of NS.
- #5738: Do not allow direct queries for RRSIG or NSEC3.
- #5771: The target zone being insecure doesn’t mean that the denial of the DS is too, if the parent zone is Secure.
- #5530: Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
- #5549: Prevent an infinite loop if we need auth and the best match is not.
- #5570: Be more careful about the validation of negative answers.
- #5599: Fix libatomic detection on ppc64. (Sander Hoentjen)
- #5615: Fix sortlist in the presence of CNAME. (Benoit Perroud, thanks for reporting this issue!)
- #5515: Fix cache handling of ECS queries with a source length of 0.
- #5328: Handle SNMP alarms so we can reconnect to the master.
- #5662: Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
- #5739: Remove pdns.PASS and pdns.TRUNCATE.
- #5734: Fix a crash when getting a public GOST key if the private one is not set.
- #5773: Don’t negcache entries for longer than their RRSIG validity.
- #5792: Gracefully handle Socket::accept() returning a null pointer on EAGAIN.
- #5756: Improve --quiet=false output to include DNSSEC and more timing details.
- #5733: Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
- #5543: Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers. (Also thanks to Christian Hofstaedtler for reviewing!)
- #5545: Add more unit tests for the NetmaskTree and ECS cache index.
- #5588: Switch the default webserver’s ACL to 127.0.0.1, ::1.
- #5598: Add help text on autodetecting systemd support. (Ruben Kerkhof, thanks for reporting!)
- #5622: Add log-rpz-changes to log RPZ additions and removals.
- #5621: Log the policy type (QName, Client IP, NS IP…) over protobuf.
- #5637: Remove unused SortList compare operator for ComboAddress.
- #5620: Add support for dumping the in-memory RPZ zones to a file.
- #5646: Support for identifying devices by id such as MAC address.
- #5699: Implement dynamic cache sizing.
- #5755: Improve dnsbulktest experience in Travis for more robustness.
- #5772: Set TC=1 if we had to omit part of the AUTHORITY section.
- #5764: autoconf: set --enable-libsodium to auto.
The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Yakkety, Xenial and Zesty are available from repo.powerdns.com.