PowerDNS Recursor 4.1.1

This is the second release in the 4.1 train with a fix for the following DNSSEC security advisory:

Note that although this is a security vulnerability, the impact is limited to certain DNSSEC data wrongly being served as authentic. Specifically, attackers could cause PowerDNS to accept denials of existence for domain names that did in fact exist.

This is a release on the stable branch containing a fix for the aforementioned security issue and several bug fixes from the development branch.

The full changelog looks like this:

Improvements

  • #6085: Don’t process records for classes other than IN. We don’t use records of any class other than IN, but we used to store some of them in the cache, which is useless. Just skip them.

Bug Fixes

  • #6215: Correctly handle ancestor delegation NSEC{,3} for children. Fixes the DNSSEC validation issue found in Knot Resolver, where an NSEC{3} ancestor delegation is wrongly used to prove the non-existence of an RR below the delegation. We already had the correct check for the exact owner name, but not for RRs below the delegation. (Security Advisory 2018-01)
  • #6092: Fix the computation of the closest encloser for positive answers. When the positive answer is expanded from a wildcard with NSEC3, the closest encloser is not always the parent of the qname, depending on the number of labels in the initial wildcard.
  • #6095: Pass the correct buffer size to arecvfrom(). The incorrect size could possibly cause DNSSEC failures.
  • #6209: Fix to make primeHints thread-safe; otherwise there’s a small chance on startup that the root-server IPs will be incorrect.
  • #6137: Don’t validate the signature for “glue” CNAMEs, since anything other than the initial CNAME can’t be considered authoritative.
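
The check behind #6215, sketched as an added example that is not PowerDNS's own code: it follows the RFC 6840 section 4.1 definition of an ancestor delegation NSEC (NS bit set, SOA bit clear, signer name shorter than the owner name) and refuses to use such a record to deny anything at or below the zone cut except DS at the cut itself. The `Nsec` struct, the function names and the sample names are assumptions made for illustration; names are plain strings without escaped dots.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Simplified NSEC view (hypothetical struct, not PowerDNS's own types).
struct Nsec {
    std::string owner;             // owner name of the NSEC record
    std::string signer;            // signer name taken from the covering RRSIG
    std::set<std::string> types;   // type bitmap, as mnemonics
};

// Split a name into lowercase labels: "Www.Example." -> {"www", "example"}.
static std::vector<std::string> labels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { if (!cur.empty()) out.push_back(cur); cur.clear(); }
        else cur += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// True when `name` equals `parent` or lies below it.
static bool isPartOf(const std::string& name, const std::string& parent) {
    auto n = labels(name), p = labels(parent);
    return p.size() <= n.size() && std::equal(p.rbegin(), p.rend(), n.rbegin());
}

// RFC 6840 section 4.1: NS set, SOA clear, signer shorter than owner.
bool isAncestorDelegation(const Nsec& r) {
    return r.types.count("NS") != 0 && r.types.count("SOA") == 0 &&
           labels(r.signer).size() < labels(r.owner).size();
}

// Only the ancestor-delegation gate; the usual "NSEC covers qname" test still applies.
// Returns false when the record must not be used to deny qname/qtype.
bool allowedForDenial(const Nsec& r, const std::string& qname, const std::string& qtype) {
    if (!isAncestorDelegation(r) || !isPartOf(qname, r.owner)) return true;
    bool atCut = labels(qname).size() == labels(r.owner).size();
    return atCut && qtype == "DS";   // DS at the cut is the parent's data
}

int main() {
    Nsec deleg{"child.example.", "example.", {"NS", "RRSIG", "NSEC"}};  // constructed sample
    std::cout << allowedForDenial(deleg, "www.child.example.", "A") << "\n";
}
```

The name below the delegation is the case the changelog entry says was missing; the exact-owner-name case corresponds to the check that was already in place.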

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty and Xenial are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

 
