PowerDNS Blog

PowerDNS Authoritative Server 5.1.1 Released

Peter van Dijk — Mon, 08 Jun 2026 12:07:58 GMT

Despite our best efforts, a severe bug escaped our testing while working on the 5.1.0 release. Users of the LMDB backend, when not using the new ``lmdb-split-domain-table'', would fail to update their last notification timestamp, and cause secondary servers to keep trying to synchronize with their primary servers, and primary servers to keep asking their secondaries to do so.

PowerDNS Authoritative Server 5.1.0 Released

Peter van Dijk — Wed, 03 Jun 2026 10:03:22 GMT

Being out of excuses to postpone this release, we are releasing PowerDNS Authoritative Server version 5.1.0 today.

A detailed list of changes can be found in the changelog.

There are too many changes and bugfixes to mention in this short announcement; among the new features, you might be interested in structured logging or, for users of the LMDB backend, the ability to add comments to their RRsets, a feature which used to be available on SQL backends only.

PowerDNS Recursor 5.2.10, 5.3.7 and 5.4.2 Released

Otto Moerbeek — Wed, 03 Jun 2026 08:19:20 GMT

Today we have released PowerDNS Recursor 5.2.10, 5.3.7 and 5.4.2.

These releases are maintenance releases that fix a few bugs and have a few improvements. The most important ones are:

PowerDNS DNSdist 2.1.0 Release Candidate 1 Released

Remi Gacogne — Tue, 02 Jun 2026 10:15:17 GMT

Today we released the first release candidate for PowerDNS DNSdist 2.1.0.

This new version brings a lot of bug fixes since the second beta, including security issues that have been recently fixed in stable branches[1][2]. We also tracked and fixed a performance regression, making the performance of this release candidate better than previous releases, especially for cache hits.

Compared to 2.0, 2.1 also brings the following new features:

PowerDNS DNSdist 2.0.6 Released

Remi Gacogne — Thu, 21 May 2026 11:41:22 GMT

Today we released DNSdist 2.0.6, fixing several issues. The notable ones are:

the feature that was introduced in 2.0.0 to limit the rate of new TCP or QUIC connections that a given client can open per second has a serious bug, coming from a confusion over the interval, which is set in minutes, and the rate, which is set in seconds, causing clients to be blocked a lot sooner than they should have been
there was a data race in the CDB Key-Value store implementation. This was fixed by preventing threads from accessing the same CDB object concurrently, which might have a performance impact for users that rely heavily on CDB. Please reach out to us if you experience such a performance impact
the BPFFilter::addRangeRule feature was not working properly
configured buffer sizes for UDP sockets were only applied to incoming sockets, not outgoing ones
AF_XDP/XSK could not be enabled from YAML
the TLS session cache for outgoing connections to backends was not properly cleaned up
the computation of the "Top N" metrics for suffix-based dynamic block counters was wrong
DownstreamState::setHealthCheckParams was sometimes overwriting the wrong value
a memory leak was found in the SNMP metrics implementation
the maximum size of a DNS over QUIC query was slightly off, which might have been a problem for very large queries

PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server

Peter van Dijk — Wed, 20 May 2026 13:02:52 GMT

Today, we are releasing two new versions of the PowerDNS Authoritative Server.

These 4.9.15 and 5.0.5 versions provide fixes for the following PowerDNS Security Advisory: PowerDNS Security Advisory 2026-06: Multiple Issues

The security issues being fixed with these releases are low or medium-severity, and most of them involve specific back-ends and/or configurations. They are:

CVE-2026-41999 (only concerns 5.0.x)
When using views, queries sent using TCP Proxy Protocol will select the view according to the address of the proxy, rather than the address of the initial query. This can lead to wrong data being returned.
CVE-2026-42000
Missing escaping of special characters (such as $ or @) in DNS names received during an AXFR operation can lead to an incorrect (non-parseable) Bind backend configuration to be written, causing this backend to fail until manual operation is performed to fix the configuration.
CVE-2026-42001
Missing sanity checks of the answer to the initial SOA query, when running in auto-secondary mode and receiving a notification for an not-yet-known domain may cause the server to crash.
CVE-2026-42002
Multiple concurrency and locking defects in the GSS-TSIG code can lead to memory corruption due to accidental data structure sharing, which can in turn lead to a program crash.
Moreover, the lack of bounds on the number of in-flight GSS-TSIG contexts can lead to unbounded memory consumption in case of an excessive number of requests at a given time. A limit of 1000 contexts is now enforced, and can be modified with the "gss-max-contexts" parameter in server configuration.
CVE-2026-42396
Missing proper escaping of double-quote characters when computing labels will cause AXFR of a catalog zone with a member whose producer group option contains such a character to fail.

Automatic authenticated DNSSEC Bootstrapping in PowerDNS Authoritative

Peter van Dijk — Tue, 12 May 2026 12:16:52 GMT

The chain of trust is better off without leaps of faith: Automatic authenticated DNSSEC Bootstrapping in PowerDNS Authoritative Server

Authors: Barbara Jantzen & Peter Thomassen (both from deSEC)

PowerDNS Authoritative Server 5.1.0-beta1 Released

Peter van Dijk — Thu, 07 May 2026 14:35:36 GMT

On this lovely day, we are releasing version 5.1.0-beta1 of the PowerDNS Authoritative Server. It contains many small new features and improvements over the previous 5.1.0-alpha1 release, as well as the unavoidable bug fixes.

You might be especially interested in structured logging or, for users of the LMDB backend, the ability to add comments to their RRsets, a feature which used to be available on SQL backends only.

Please test it and help us make the final 5.1.0 release a success!

Introducing PowerDNS Authoritative Essentials

Oliver Michler — Tue, 05 May 2026 09:49:35 GMT

We’re thrilled to announce the launch of PowerDNS Authoritative Essentials – a streamlined, enterprise-grade solution designed for organizations that require high-performance, secure, and dependable DNS for their domain portfolios.

PowerDNS DNSdist 1.9.14 and 2.0.5 Released

Remi Gacogne — Thu, 23 Apr 2026 09:45:49 GMT

Today we again released two new versions of DNSdist, 1.9.14 and 2.0.5, fixing one regression introduced in 1.9.13 and 2.0.4, and several small issues that were not included in yesterday's security releases.

The regression introduced in 1.9.13 and 2.0.4 concerns the PRSD detection mechanism enabled with DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI, and causes an exception to be raised when accessing StatNode::fullname from the Lua visitor function.

The other issues fixed in this release are:

(1.9.14 and 2.0.5) When DNSdist is compiled in "single acceptor thread" mode, which is designed for embedded systems with low memory, a TCP worker thread was not always created by default, even when DOQ and DoH3 support was enabled, leading to a crash.
(2.0.5) The buffers allocated for recvmmsg might have been too large, wasting memory
(2.0.5) When the trustForwardForHeader option is used, and the upstream proxy did include X-Forwarded-For header for at least one query in an established connection but somehow does not include it for a subsequent query, DNSdist should reset the client address to the address of the proxy instead of using the last received one
(2.0.5): Fix handling of long HTTP/2 Date headers if the administrator explictly used a non-POSIX locale
(2.0.5): Detection of some TLS functions was missing when compiling with meson: TLS_client_method and gnutls_transport_set_fastopen