Category: Uncategorized

First Beta Release of PowerDNS Recursor 4.4.0

Hello!,

We are proud to announce the first beta release of what should become PowerDNS Recursor 4.4.0.

Compared to the last alpha release, this release contains new features with respect to RPZ processing (in particular chasing of CNAMES from an RPZ and better logging of RPZ hit information in protobuf, Lua bindings and the trace log) and improved ability to use a local root-zone.

Please refer to the changelog for additional details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

We would like to thank all contributors (in particular Josh Soref and phonedph1) for their efforts in creating this release.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second Alpha Release of PowerDNS Recursor 4.4.0

Hello!,

We are proud to announce the second alpha release of what should become PowerDNS Recursor 4.4.0.

Compared to the first alpha release, this release mostly contains bug fixes and code cleanup. In particular, fixes already backported to the 4.3 release branch are included and a bug in the new shared cache code is fixed.

Please refer to the changelog for additional details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.3 and 4.2.4 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.3 and 4.2.4.

These releases fix an issue where the refresh time of a loaded RPZ zone was ignored. A DNSSEC issue that could lead to zones being marked Bogus wrongly and a few other DNSSEC related issues were also fixed.

Please refer to the 4.3.3 changelog and 4.2.4 changelog for details.

The 4.3.3 tarball (signature) and 4.2.4 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.2, 4.2.3 and 4.1.17 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17, containing a security fix for CVE-2020-14196: Access restriction bypass.

An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

Note that the web server is not enabled by default. Only installations using a non-default value for webserver and webserver-address are affected.

Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the webserver-address setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.

As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.
Please refer to the 4.3.2 changelog, 4.2.3 changelog and 4.1.17 changelog for details.

The 4.3.2 tarball (signature), 4.2.3 tarball (signature) and 4.1.17 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16, containing security fixes for three CVEs:

CVE-2020-10995
CVE-2020-12244
CVE-2020-10030

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. Severity is medium. We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated. Severity is medium. We would like to thank Matt Nordhoff for finding and subsequently reporting this issue!

CVE-2020-10030: An attacker with enough privileges to change the hostname might be able to disclose uninitialized memory. This issue also affects the Authoritative Server and dnsdist; since the attack requires very high privileges and the issue does not affect Linux, we will not be releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.3.1 changelog, 4.2.2 changelog and 4.1.16 changelog for details.

The 4.3.1 tarball (signature), 4.2.2 tarball (signature) and 4.1.16 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Note that the 4.1 packages will be published later today.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Alpha Release of PowerDNS Recursor 4.4.0

Hello!,

We are proud to announce the first alpha release of what should become PowerDNS Recursor 4.4.0.

This release contains various bug fixes, improvements and new features. The most important new features are

  • Native DNS64 support, without the need to use Lua.
  • The ability to add custom tags to RPZ hits.
  • To allow more efficient use, the record cache is now shared between threads.
  • A routing tag can be added in Lua code, which will be used as an additional record cache key instead of of an EDNS subnet mask, enabling for a more simple record cache structure which will enhance query processing where the EDNS subnet mask is relevant.
  • The Proxy Protocol version 2 has been implemented to allow for a structured exchange of information between a client (typically dnsdist) and the Recursor. See the documentation for details.

Please refer to the changelog for additional details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.2.2 Released

This release fixes issues in the IXFR receive code, improves cache management, and corrects a few other small things. If you use IXFR, please read the upgrade notes carefully.

Please see the changelog for more details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative 4.3.0

Hello!

We are proud to announce the release of PowerDNS Authoritative Server 4.3.0. A lot of internals have been reworked, with some visible changes for users. If you read the upgrade notes for a beta or RC, please read them again!

A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes it possible to do algorithm rollovers. This feature was contributed by Robin Geuze of TransIP, thanks! Another interesting new feature is support for automatically publishing CDS/CDNSKEY records with a single pdns.conf setting.

Please note that 4.3.0 comes with a mandatory database schema upgrade.

Please see the changelog for an almost complete list of changes since the last 4.2.x release.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this release!

The tarball (signature) is available at downloads.powerdns.com; packages for CentOS 6, 7 and 8, Debian Stretch and Buster, and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative 4.3.0 first release candidate

Hello!

We are proud to announce the first, and hopefully last, release candidate of what should become PowerDNS Authoritative 4.3.0. So far this is mostly a maintenance release, but there are a few interesting changes. A lot of internals have been reworked, with some visible changes for users.

Due to a bug found in 4.3.0-beta2 right -after- we tagged RC1, this first release candidate, confusingly, is called RC2 in package versions.

If you read the upgrading notes for beta1, please see them again for an important change in NSEC(3) TTLs handling in beta2.

A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes it possible to do algorithm rollovers. This feature was contributed by Robin Geuze of TransIP, thanks! Another interesting new feature is support for automatically publishing CDS/CDNSKEY records with a single pdns.conf setting.

Please note that 4.3.0 comes with a mandatory database schema upgrade.

Please see the changelog for an almost complete list of changes since the last 4.2.x release.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this beta release!

The tarball (signature) is available at downloads.powerdns.com; packages for CentOS 6, 7 and 8, Debian Stretch and Buster, and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.0 Released

Hello!,

We are proud to announce the release of PowerDNS Recursor 4.3.0.

Compared to the last release candidate, only two very minor issues were fixed.

Compared to the 4.2 release of PowerDNS Recursor, the most important features that were added are:

  • A relaxed form of QName Minimization as described in rfc7816bis-01. This feature is enabled by default. See the documentation for more details.
  • Dnstap support for outgoing queries to authoritative servers and the corresponding replies. See the documentation for more details.
  • The recursor now processes a number of requests incoming over a TCP connection simultaneously and will return results (potentially) out-of-order. See the documentation for more details on how to tune this feature.
  • Newly Observed Domain (NOD) functionality. See the documentation for information on how to make use of this feature.
  • When the recursor is started by systemd, the recursor will no longer run as the root user. Instead, it will start as the pdns-recursor user. Make sure directories and files needed by your specific recursor setup are readable by this user. For non-systemd and non-chroot cases, the default directory for the control socket and pid file has changed to /var/run/pdns-recursor. The upgrade guide contains more information.

As usual, there were also many other smaller enhancements and bugfixes. Please refer to the changelog for details.

We want to thank everyone that contributed to the testing of the release candidates.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

With this release, PowerDNS Recursor 4.0 will be become End-of-Life and PowerDNS Recursor 4.1 will only receive critical security updates. For details, see the our EOL statement.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.