Version: 4.1.8-13.1
* Mon Nov 26 2018 adam.majer@suse.de
- update to 4.1.8
https://blog.powerdns.com/2018/11/26/powerdns-recursor-4-1-8-released/
- Fixes case where a crafted query can cause a denial of service
(CVE-2018-16855, bsc#1116592)
* Fri Nov 09 2018 adam.majer@suse.de
- update to 4.1.7
https://blog.powerdns.com/2018/11/09/powerdns-recursor-4-1-7-released/
- Revert "Keep the EDNS status of a server on FormErr with EDNS"
- Refuse queries for all meta-types
* Wed Nov 07 2018 adam.majer@suse.de
- update to 4.1.6
- Revert "rec: Authority records in AA=1 CNAME answer are
authoritative"
https://github.com/PowerDNS/pdns/issues/7158
* Wed Nov 07 2018 michael@stroeder.com
- update to 4.1.5
- Improvements
* Add pdnslog to lua configuration scripts
* Fix compilation with libressl 2.7.0+
* Export outgoing ECS value and server ID in protobuf (if any)
* Switch to devtoolset 7 for el6
* Allow the signature inception to be off by number of seconds
- Bug Fixes
* Crafted answer can cause a denial of service
(bsc#1114157, CVE-2018-10851)
* Packet cache pollution via crafted query
(bsc#1114169, CVE-2018-14626)
* Crafted query for meta-types can cause a denial of service
(bsc#1114170, CVE-2018-14644)
* Delay creation of rpz threads until we dropped privileges
* Cleanup the netmask trees used for the ecs index on removals
* Make sure that the ecs scope from the auth is < to the source
* Authority records in aa=1 cname answer are authoritative
* Avoid a memory leak in catch-all exception handler
* Don't require authoritative answers for forward-recurse zones
* Release memory in case of error in openssl ecdsa constructor
* Convert a few uses to toLogString to print DNSName's that
may be empty in a safer manner
* Avoid a crash on DEC Alpha systems
* Clear all caches on (N)TA changes
* Fri Aug 31 2018 adam.majer@suse.de
- update to 4.1.4
- Improvements
* Split pdns_enable_unit_tests.
* Add a new max-udp-queries-per-round setting.
* Fix warnings reported by gcc 8.1.0.
* Tests: replace awk command by perl.
* Allow the snmp thread to retrieve statistics.
- Bug Fixes
* Don't account chained queries more than once.
* Make rec_control respect include-dir.
* Load lua scripts only in worker threads.
* Purge all auth/forward zone data including subtree.
Version: 4.1.2-5.1
* Sun Apr 01 2018 mrueckert@suse.de
- update to 4.1.2
- New Features
- #6344: Add FFI version of gettag().
- Improvements
- #6298, #6303, #6268, #6290: Add the option to set the AXFR
timeout for RPZs.
- #6172: IXFR: correct behavior of dealing with DNS Name with
multiple records and speed up IXFR transaction (Leon Xu).
- #6379: Add RPZ statistics endpoint to the API.
- Bug Fixes
- #6336, #6293, #6237: Retry loading RPZ zones from server when
they fail initially.
- #6300: Fix ECS-based cache entry refresh code.
- #6320: Fix ECS-specific NS AAAA not being returned from the
cache.
* Mon Jan 22 2018 adam.majer@suse.de
- update to version 4.1.1:
+ Fixes security vulnerability where a man-in-the-middle can send
a NXDOMAIN answer for a DNSSEC name that does exist.
(bsc#1077154, CVE-2018-1000003)
+ Don't validate signature for "glue" CNAME, since anything else
than the initial CNAME can't be considered authoritative.
Version: 4.1.12-bp151.2.3
* Fri Apr 26 2019 mvetter@suse.com
- bsc#1130588: Require shadow instead of old pwdutils
* Tue Apr 02 2019 Michael Ströder <michael@stroeder.com>
- update to 4.1.12:
* Improvements
- Provide CPU usage statistics per thread (worker & distributor).
- Use a bounded load-balancing algo to distribute queries.
- Implement a configurable ECS cache limit so responses with an
ECS scope more specific than a certain threshold and a TTL
smaller than a specific threshold are not inserted into the
records cache at all.
* Bug Fixes
- Correctly interpret an empty AXFR response to an IXFR query.
- update to 4.1.11:
* Improvements
- Add an option to export only responses over protobuf to the
Lua protobufServer() directive.
- Reduce systemcall usage in protobuf logging. (See #7428.)
* Fri Jan 25 2019 Michael Ströder <michael@stroeder.com>
- update to 4.1.10
- #7403: Fix compilation in handleRunningTCPQuestion without
protobuf support
* Wed Nov 07 2018 Michael Ströder <michael@stroeder.com>
- update to 4.1.5
- Improvements
* Add pdnslog to lua configuration scripts
* Fix compilation with libressl 2.7.0+
* Export outgoing ECS value and server ID in protobuf (if any)
* Switch to devtoolset 7 for el6
* Allow the signature inception to be off by number of seconds
- Bug Fixes
* Crafted answer can cause a denial of service
(bsc#1114157, CVE-2018-10851)
* Packet cache pollution via crafted query
(bsc#1114169, CVE-2018-14626)
* Crafted query for meta-types can cause a denial of service
(bsc#1114170, CVE-2018-14644)
* Delay creation of rpz threads until we dropped privileges
* Cleanup the netmask trees used for the ecs index on removals
* Make sure that the ecs scope from the auth is < to the source
* Authority records in aa=1 cname answer are authoritative
* Avoid a memory leak in catch-all exception handler
* Don't require authoritative answers for forward-recurse zones
* Release memory in case of error in openssl ecdsa constructor
* Convert a few uses to toLogString to print DNSName's that
may be empty in a safer manner
* Avoid a crash on DEC Alpha systems
* Clear all caches on (N)TA changes
Version: 4.1.0-2.1
* Fri Dec 29 2017 adam.majer@suse.de
- _constraints: we seem to need at least 8GB RAM to build on S390x
and ppc64
* Mon Dec 04 2017 mrueckert@suse.de
- enable ed25519 support (new BR: libsodium-devel)
- enable net-snmp support (new BR: net-snmp-devel)
- simplify BR for lua: lua-devel everywhere now
* Mon Dec 04 2017 adam.majer@suse.de
- update to version 4.1.0:
+ Improved DNSSEC support
+ Improved documentation
+ Improved RPZ support
+ Improved EDNS Client Subnet support
+ SNMP support
+ Lua engine has gained access to more parts of the recursor
+ CPU affinity can now be specified
+ TCP Fast Open support
+ New performance metrics
+ For complete changes see:
https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/
* Mon Nov 27 2017 adam.majer@suse.de
- update to version 4.0.7: (bsc#1069242)
+ fixes CVE-2017-15090: Insufficient validation of DNSSEC
signatures
+ fixes CVE-2017-15092: Cross-Site Scripting in the web interface
+ fixes CVE-2017-15093: Configuration file injection in the API
+ fixes CVE-2017-15094: Memory leak in DNSSEC parsing
+ Fix validation at the exact RRSIG inception or expiration time
+ Extract nested exception from Luawrapper
+ Throw an error when lua-conf-file can't be loaded
+ Lowercase all outgoing qnames when lowercase-outgoing is set
* Thu Oct 19 2017 adam.majer@suse.de
- Added pdns-recursor.keyring linked from
https://dnsdist.org/install.html
* Fri Sep 29 2017 vcizek@suse.com
- Don't BuildRequire Botan 1.x
* Botan will be dropped as the 1.x branch is EOL and won't get
OpenSSL 1.1 support backported (bsc#1055322)
* Thu Jul 06 2017 adam.majer@suse.de
- update to version 4.0.6
+ fixes ed25519 signer
+ update root-servers.net entries
+ fixes handling of expired cache entries so they expire faster
* Tue Jul 04 2017 adam.majer@suse.de
- Enable DNSSEC validation by default.
* Tue Jun 13 2017 adam.majer@suse.de
- update to version 4.0.5
+ adds ed25519 (algorithm 15) support for DNSSEC
+ adds the 2017 DNSSEC root key
+ complete changeset is available at,
https://doc.powerdns.com/md/changelog/#powerdns-recursor-405
* Thu May 11 2017 mrueckert@suse.de
- move autoreconf into the build section
* Thu Feb 02 2017 adam.majer@suse.de
- use individual libboost-*-devel packages instead of boost-devel
- add signature file for upstream release
* Fri Jan 13 2017 adam.majer@suse.de
- update to version 4.0.4
The following security advisories were fixed
- 2016-02: Crafted queries can cause abnormal CPU usage
(CVE-2016-7068, boo#1018326)
- 2016-04: Insufficient validation of TSIG signatures
(CVE-2016-2120, boo#1018329)
complete changeset is available at,
https://doc.powerdns.com/md/changelog/#powerdns-recursor-404
- remove 4462.patch: in upstream release.
* Mon Dec 12 2016 dimstar@opensuse.org
- BuildRequire pkgconfig(libsystemd) instead of
pkgconfig(libsystemd-daemon): these libs were merged in systemd
209 times. The build system is capable of finding either one.
* Tue Sep 13 2016 adam.majer@suse.de
- 4462.patch:
Disable fcontext usage with Boost 1.61+ and revert back to
slower SystemV ucontext. This fixes failure to build with
newer Boost version. (boo#998408)
* Tue Sep 06 2016 mrueckert@suse.de
- update to 4.0.3
A new release for the PowerDNS Recursor with version 4.0.3 is
available. This release has many fixes and improvements in the
Policy Engine (RPZ) and the Lua bindings to it. Therefore, we
recommend users of RPZ to upgrade to this release. We would like
to thank Wim (42wim on github) for testing and reporting on the
RPZ module.
Bug fixes
- #4350: Call gettag() for TCP queries
- #4376: Fix the use of an uninitialized filtering policy
- #4381: Parse query-local-address before lua-config-file
- #4383: Fix accessing an empty policyCustom, policyName from Lua
- #4387: ComboAddress: don't allow invalid ports
- #4388: Fix RPZ default policy not being applied over IXFR
- #4391: DNSSEC: Actually follow RFC 7646 2.1
- #4396: Add boost context ldflags so freebsd builds can find the
libs
- #4402: Ignore NS records in a RPZ zone received over IXFR
- #4403: Fix build with OpenSSL 1.1.0 final
- #4404: Don't validate when a Lua hook took the query
- #4425: Fix a protobuf regression (requestor/responder mix-up)
Additions and Enhancements
- #4394: Support Boost 1.61+ fcontext
- #4402: Add Lua binding for DNSRecord::d_place
* Sun Sep 04 2016 michael@stroeder.com
- update to 4.0.2
Bug fixes
- #4264: Set dq.rcode before calling postresolve
- #4294: Honor PIE flags.
- #4310: Fix build with LibreSSL, for which
OPENSSL_VERSION_NUMBER is irrelevant
- #4340: Don't shuffle CNAME records. (thanks to Gert van Dijk
for the extensive bug report!)
- #4354: Fix delegation-only
Additions and enhancements
- #4288: Respect the timeout when connecting to a protobuf server
- #4300: allow newDN to take a DNSName in; document missing
methods
- #4301: expose SMN toString to lua
- #4318: Anonymize the protobuf ECS value as well (thanks to Kai
Storbeck of XS4All for finding this)
- #4324: Allow Lua access to the result of the Policy Engine
decision, skip RPZ, finish RPZ implementation
- #4349: Remove unused DNSPacket::d_qlen
- #4351: RPZ: Use query-local-address(6) by default (thanks to
Oli Schacher of switch.ch for the bug report)
- #4357: Move the root DNSSEC data to a header file
* Sat Jul 30 2016 michael@stroeder.com
- update to 4.0.1
Bug fixes
- #4119 Improve DNSSEC record skipping for non dnssec queries
(Kees Monshouwer)
- #4162 Don't validate zones from the local auth store, go one
level down while validating when there is a CNAME
- #4187:
- Don't go bogus on islands of security
- Check all possible chains for Insecures
- Don't go Bogus on a CNAME at the apex
- #4215 RPZ: default policy should also override local data RRs
- #4243 Fix a crash when the next name in a chained query is
empty and rec_control current-queries is invoked
Improvements
- #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
- #4140 Fix warnings with gcc on musl-libc (James Taylor)
- #4160 Also validate on +DO
- #4164 Fail to start when the lua-dns-script does not exist
- #4168 Add more Netmask methods for Lua (Aki Tuomi)
- #4210 Validate DNSSEC for security polling
- #4217 Turn on root-nx-trust by default and
log-common-errors=off
- #4207 Allow for multiple trust anchors per zone
- #4242 Fix compilation warning when building without Protobuf
- #4133 Add limits to the size of received {A,I}XFR
(CVE-2016-6172)
* Mon Jul 11 2016 mrueckert@suse.de
- update to 4.0.0
https://blog.powerdns.com/2016/07/11/powerdns-recursor-4-0-0-released/
https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/
- packaging changes:
- enabled protobuf based stats
- enabled botan based code
- use upstream systemd files
* Tue Jul 21 2015 mrueckert@suse.de
- do not use /run/pdns instead of /var/run/pdns in the init script
for the rest we have the systemd unit file
* Tue Jun 09 2015 michael@stroeder.com
- update to 3.7.3 will prevent short bursts of high
resource usage with malformed qnames.