PowerDNS Recursor 4.1.1

This is the second release in the 4.1 train with a fix for the following DNSSEC security advisory:

• PowerDNS Security Advisory 2018-01: Correctly handle ancestor delegation NSEC{,3} for children (CVE-2018-1000003)

Note that although this is a security vulnerability, the impact is limited to certain DNSSEC data wrongly being served as authentic. Specifically, attackers could cause PowerDNS to accept denials of existence for domain names that did in fact exist.

This is a release on the stable branch containing a fix for the aforementioned security issue and several bug fixes from the development branch.

The full changelog looks like this:

Improvements

• #6085: Don’t process records for another class than IN. We don’t use records of another class than IN, but we used to store some of them in the cache which is useless. Just skip them.

Bug Fixes

• #6215: Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where a NSEC{3} ancestor delegation is wrongly use to prove the non-existence of a RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)
• #6092: Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always parent of the qname, depending on the number of labels in the initial wildcard.
• #6095: Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.
• #6209: Fix to make primeHints threadsafe, otherwise there’s a small chance on startup that the root-server IPs will be incorrect.
• #6137: Don’t validate signature for “glue” CNAME, since anything else than the initial CNAME can’t be considered authoritative.