PowerDNS Recursor 4.1.0 RC3 is here!
We’d like to thank everyone that has helped us test the previous Recursor release candidates.
The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has some important DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.
Also thanks to Jan-Piet Mens for help on the documentation!
The full changelog looks like this:
- #5895: Add the DNSSEC validation state to the
DNSQuestionLua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).
- #5498: Add support for Botan 2.x and remove support for Botan 1.10.
- #5876: Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.
- #5616: Better support for deleting entries in
- #5889: Prevent possible downgrade attacks in the recursor.
- #5885: Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that a NSEC will cover a more specific wildcard and we end up with what looks like a NXDOMAIN proof but is a NODATA one.
- #5904: Fix incomplete validation of cached entries.
- #5912: Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthetized from a wildcard if the corresponding NSEC3 had more iterations that we were willing to accept, while the correct result is Insecure.
- #5877: Sort NS addresses by speed and remove old ones.
- #5896: Purge
nsSpeedsentries even if we get less than 2 new entries.
- #5881: Add EDNS to truncated, servfail answers.
- #5917: Use
_exit()when we really really want to exit, for example after a fatal error. This stops us dying while we die. A call to
exit()will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.
- #5930: In the recursor secpoll code, we assumed the TXT record would be the first record first record we received. Sometimes it was the RRSIG, leading to a silent error, and no secpoll check. Fixed the assumption, added an error.
- #5938: Don’t crash when asked to run with zero threads.
- #5939: Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.
- #5937: Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.
- #5961: Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)
The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com. (The Raspberry Pi packages will follow Monday morning.)