Category: Uncategorized

Second Release Candidate of PowerDNS Recursor 4.4.0

Hello!

We are proud to announce the second release candidate of what should become PowerDNS Recursor 4.4.0.

Compared to the first release candidate, this release contains a few enhancements and fixes a few bugs. In particular, DS records of forwarded zones are handles properly and the parsing of unknown record types has been made more strict. Note that the recursor only parses these types if read from a zone file.

Please refer to the changelog for details.

Compared to the 4.3 release of PowerDNS Recursor, this release contains these major enhancements:

  • Native DNS64 support, without the need to use Lua.
  • The ability to add custom tags to RPZ hits.
  • Names encountered while resolving CNAMEs are now subject to RPZ processing.
  • More detailed information about RPZ handling is now available while tracing, in Lua and in the protobuf logging messages.
  • To allow more efficient use, the record cache is now shared between threads.
  • A routing tag can be added in Lua code, which will be used as an additional record cache key instead of of an EDNS subnet mask, enabling for a simpler record cache structure which will enhance query processing where the EDNS subnet mask is relevant.
  • The Proxy Protocol version 2 has been implemented to allow for a structured exchange of information between a client (typically dnsdist) and the Recursor. See the documentation for details.

We are grateful to all reporters of bugs, issues, feature requests, and submitters of fixes and features. We also like to thank anybody who tested the pre-releases, and invite you to contribute to the testing of this release candidate!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Authoritative 4.4.0-alpha1

Hello!

we are very happy to announce version 4.4.0-alpha1 of the Authoritative Server.

This release drops GSS/TSIG support, please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the 2136 handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, and Chris Hofstaedtler for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative 4.3.1, 4.2.3 and 4.1.14

Today we have released PowerDNS Authoritative Server versions 4.3.1, 4.2.3 and 4.1.14, containing a fix for PowerDNS Security Advisory 2020-05.

Additionally, we are publishing PowerDNS Security Advisory 2020-06 today (‘Various issues have been found in our GSS-TSIG support, where an unauthorized attacker could cause crashes, possibly leak uninitialised memory, and possibly execute arbitrary code.’). Our GSS-TSIG support was never shipped in any packages by us or, to our knowledge, any other distributions. The GSS-TSIG code will be gone in version 4.4.0. We’ve chosen to leave the code intact for older versions, so that users that do rely on it today can keep doing so, keeping in mind the risks detailed in Advisory 2020-06.

Regarding 2020-05: an issue has been found in PowerDNS Authoritative Server where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR. This issue is resolved in the versions mentioned above. (4.1.14 changelog, 4.2.3 changelog)

Version 4.3.1 also contains various other bug fixes and improvements, please see the changelog for all details.

The 4.3.1 tarball (signature), 4.2.3 tarball (signature) and 4.1.14 tarball (signature) are available at downloads.powerdns.com and packages for various Linux distributions are available from our repository.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list or our IRC channel, or in case of a bug, via GitHub.

First Release Candidate of PowerDNS Recursor 4.4.0

Hello!

We are proud to announce the first release candidate of what should become PowerDNS Recursor 4.4.0.

Compared to the beta release, this release fixes two bugs:

• Only do QName Minimization for the names inside a forwarded domain,
• Fix the parsing of dont-throttle-netmasks in the presence of dont-throttle-names.

Please refer to the changelog for details.

We want to thank everyone that contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.4 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.4.

This release:

  • fixes an issue where certain CNAMEs could lead to resolver failure,
  • fixes an issue with the hostname reported in Carbon messages,
  • allows for multiple recursor services to run under systemd.

Please refer to the 4.3.4 changelog for details.

The 4.3.4 tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Beta Release of PowerDNS Recursor 4.4.0

Hello!,

We are proud to announce the first beta release of what should become PowerDNS Recursor 4.4.0.

Compared to the last alpha release, this release contains new features with respect to RPZ processing (in particular chasing of CNAMES from an RPZ and better logging of RPZ hit information in protobuf, Lua bindings and the trace log) and improved ability to use a local root-zone.

Please refer to the changelog for additional details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

We would like to thank all contributors (in particular Josh Soref and phonedph1) for their efforts in creating this release.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second Alpha Release of PowerDNS Recursor 4.4.0

Hello!,

We are proud to announce the second alpha release of what should become PowerDNS Recursor 4.4.0.

Compared to the first alpha release, this release mostly contains bug fixes and code cleanup. In particular, fixes already backported to the 4.3 release branch are included and a bug in the new shared cache code is fixed.

Please refer to the changelog for additional details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.3 and 4.2.4 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.3 and 4.2.4.

These releases fix an issue where the refresh time of a loaded RPZ zone was ignored. A DNSSEC issue that could lead to zones being marked Bogus wrongly and a few other DNSSEC related issues were also fixed.

Please refer to the 4.3.3 changelog and 4.2.4 changelog for details.

The 4.3.3 tarball (signature) and 4.2.4 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.2, 4.2.3 and 4.1.17 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17, containing a security fix for CVE-2020-14196: Access restriction bypass.

An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

Note that the web server is not enabled by default. Only installations using a non-default value for webserver and webserver-address are affected.

Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the webserver-address setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.

As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.
Please refer to the 4.3.2 changelog, 4.2.3 changelog and 4.1.17 changelog for details.

The 4.3.2 tarball (signature), 4.2.3 tarball (signature) and 4.1.17 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16 Released

Hello!,

Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16, containing security fixes for three CVEs:

CVE-2020-10995
CVE-2020-12244
CVE-2020-10030

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. Severity is medium. We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated. Severity is medium. We would like to thank Matt Nordhoff for finding and subsequently reporting this issue!

CVE-2020-10030: An attacker with enough privileges to change the hostname might be able to disclose uninitialized memory. This issue also affects the Authoritative Server and dnsdist; since the attack requires very high privileges and the issue does not affect Linux, we will not be releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.3.1 changelog, 4.2.2 changelog and 4.1.16 changelog for details.

The 4.3.1 tarball (signature), 4.2.2 tarball (signature) and 4.1.16 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Note that the 4.1 packages will be published later today.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.