pdns-recursor-4.6.1-bp154.1.32

- update to 4.6.1
  fixes incomplete validation of incoming IXFR transfer in
  the Recursor. It applies to setups retrieving one or more RPZ
  zones from a remote server if the network path to the server
  is not trusted. (bsc#1197525, CVE-2022-27227)

- update to 4.6.0
  Compared to the previous major (4.5) release of PowerDNS Recursor, this
  release contains several sets of changes:
  * The ability to flush records from the caches on a incoming
    notify requests.
  * A rewrite of the outgoing TCP code, adding both re-use of
    connections and support for DoT to authoritative servers or
    forwarders.
  * Many improvements in the area of metrics: more metrics are
    collected and more metrics are now exported in a Prometheus
    friendly way.
  * A new Zone to Cache function that will retrieve a zone (using
    AXFR, HTTP, HTTPS or a local file) periodically and insert the
    contents into the record cache, allowing the cache to be always hot
    for a zone. This can be used for the root or any other zone.
  * An experimental Event Tracing function, providing insight into
    the time taken by the steps in the process of resolving a name.

- update to 4.5.7:
  * A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records.
    References: #10908, pull request 10912
  * rec_control wipe-cache-typed should check if a qtype arg is present and valid.
    References: #10905, pull request 10911
  * Put the correct string into appliedPolicyTrigger for Netmask matching rules.
    References: #10842, pull request 10863

- update to 4.5.6:
  * Bug Fixes
  - fixes to the way RPZ updates are handled
  - fix to a case where traffic to a forwarder could be throttled while it should not.
  - fixed few minor DNSSEC validation issues
  - fix for case where the combining of equivalent queries wasn't
    effective were resolved

- update to 4.5.5:
  * Improvements
  - Work around clueless servers sending AA=0 answers.
    References: #10555, pull request 10564
  * Bug Fixes
  - Ancestor NSEC3s can only deny the existence of a DS.
    References: #10587, pull request 10593
  - Make really sure we did not miss a cut on validation failure.
    References: #10570, pull request 10575
  - Clear the current proxy protocol values each iteration.
    References: #10515, pull request 10573

- update to 4.5.4:
  * Make sure that we pass the SOA along the NSEC(3) proof for
    DS queries.

- no longer supports 32-bit arches -- requiers 64-bit time_t
- specfile cleanup - drop initrd cases
- build-require gcc7 on SLE-12 variant

- update to 4.5.2:
  * default value of nsec3-max-iterations[1] has been lowered to 150
  * fixed issue affecting the "refresh almost expired" function

- update to 4.5.1:
- Main changes:
  * Dropped support for 32-bit platforms!
  * Rewrite of the way zone cuts are determined, reducing the number of
    outgoing queries by up to 17% when doing DNSSEC validation while reducing
    the CPU usage more than 20% .
  * Added implementation of EDNS0 padding (RFC 7830) for answers sent to clients.
  * Added implementation of RFC 8198[2]: Aggressive use of DNSSEC-Validated Cache.
  * Added a cache of non-resolving nameservers.
  * Re-worked negative cache that is shared between threads.
  * Added support for Extended DNS Errors (RFC 8914[5]).
  * A "refresh almost expired records" (also called "refetch") mechanism[8]
    has been introduced to keep the record cache warm.
- Other new features and improvements:
  * The complete protobuf and dnstap logging code has been rewritten to
    have much smaller performance impact.
  * We have introduced non-offensive synonyms for words used in
    settings. See the upgrade[9] guide.
  * The default minimum TTL[10] override has been changed from 0 to 1.
  * The spoof-nearmiss-max setting[11]'s default has been changed to 1.
    This has the consequence that the Recursor will switch to do TCP
    queries to authoritative nameservers sooner as an effective measure
    against many spoofing attacks.
  * Incoming queries over TCP now also use the packet cache, providing
    another performance increase.
  * File written to by the rec_control command are new opened by the
    command itself. It is also possible to write the content to the
    standard output stream by using a hyphen as file name.
  * TCP FastOpen (RFC 7413[12]) support for outgoing TCP connections to
    authoritative servers and forwarders.

- update to 4.4.3:
  Improvements
    Use a short-lived NSEC3 hashes cache for denial validation.
    References: #9856, pull request 10221
  Bug Fixes
    More fail-safe handling of Newly Discovered Domain files.
    Handle policy (if needed) after postresolve.
    Return current rcode instead of 0 if there are no CNAME records to follow.
    Lookup DS entries before CNAME entries.
    Handle failure to start the web server more gracefully.
    Test that we correctly cap the answer’s TTL in expanded wildcard cases.
    Fix the gathering of denial proof for wildcard-expanded answers.
    Make sure we take the right minimum for the packet cache TTL data in the SERVFAIL case.
  For details see,
  https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.3

- update to 4.4.2:
  Improvements
  * UUID: Use the non-cryptographic variant of the boost::uuid.
  * Keep a cached, valid entry over a fresher Bogus one.
  * Ensure socket-dir matches runtime directory on old systemd
  * Move to several distinct Bogus states, for easier debugging.
  * Do not chase CNAME during qname minimization step 4.
  Bug Fixes
  * Untangle the validation/resolving qnames and qtypes.
  * APL records: fix endianness problem.
  For details see,
  https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.2

- update to 4.4.1
  * Allow specifying a name in getMetric() that is used for Prometheus
  * Avoids a CNAME loop detection issue with DNS64
  * No longer sends overly long NOD lookups.
  * If a.b.c CNAME x.a.b.c is encountered, switch off QName Minimization.
  * Fix the processing of answers generated from gettag.

- Only require 'insserv' when this package ships an initscript

- fix default config
  - turn off chroot by default as it is not supported on systemd
    enabled systems
  - set query-local-address to ::,0.0.0.0
    to make ipv6 only nameservers work out of the box

- update to 4.4.0 with these major enhancements:
  * Native DNS64 support, without the need to use Lua.
  * The ability to add custom tags to RPZ hits.
  * Names encountered while resolving CNAMEs are now subject to RPZ
    processing.
  * More detailed information about RPZ handling is now available while
    tracing, in Lua and in the protobuf logging messages.
  * To allow more efficient use, the record cache is now shared between
    threads.
  * A routing tag[3] can be added in Lua code, which will be used as an
    additional record cache key instead of an EDNS subnet mask,
    enabling for a simpler record cache structure which will enhance
    query processing where the EDNS subnet mask is relevant.
  * The Proxy Protocol version 2 has been implemented to allow for a
    structured exchange of information between a client (typically
    dnsdist) and the Recursor.
- removed obsolete back-port fix 9070.patch

- fix building against sle-12 backports with gcc-9
- remove obsolete BR on protobuf
- add bundled information to the spec file
- boost_context.patch: Boost.Context detection fix on SLE12

- update to 4.6.1
  fixes incomplete validation of incoming IXFR transfer in
  the Recursor. It applies to setups retrieving one or more RPZ
  zones from a remote server if the network path to the server
  is not trusted. (bsc#1197525, CVE-2022-27227)

- update to 4.6.0
  Compared to the previous major (4.5) release of PowerDNS Recursor, this
  release contains several sets of changes:
  * The ability to flush records from the caches on a incoming
    notify requests.
  * A rewrite of the outgoing TCP code, adding both re-use of
    connections and support for DoT to authoritative servers or
    forwarders.
  * Many improvements in the area of metrics: more metrics are
    collected and more metrics are now exported in a Prometheus
    friendly way.
  * A new Zone to Cache function that will retrieve a zone (using
    AXFR, HTTP, HTTPS or a local file) periodically and insert the
    contents into the record cache, allowing the cache to be always hot
    for a zone. This can be used for the root or any other zone.
  * An experimental Event Tracing function, providing insight into
    the time taken by the steps in the process of resolving a name.

- update to 4.5.7:
  * A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records.
    References: #10908, pull request 10912
  * rec_control wipe-cache-typed should check if a qtype arg is present and valid.
    References: #10905, pull request 10911
  * Put the correct string into appliedPolicyTrigger for Netmask matching rules.
    References: #10842, pull request 10863

- update to 4.5.6:
  * Bug Fixes
  - fixes to the way RPZ updates are handled
  - fix to a case where traffic to a forwarder could be throttled while it should not.
  - fixed few minor DNSSEC validation issues
  - fix for case where the combining of equivalent queries wasn't
    effective were resolved

- update to 4.5.5:
  * Improvements
  - Work around clueless servers sending AA=0 answers.
    References: #10555, pull request 10564
  * Bug Fixes
  - Ancestor NSEC3s can only deny the existence of a DS.
    References: #10587, pull request 10593
  - Make really sure we did not miss a cut on validation failure.
    References: #10570, pull request 10575
  - Clear the current proxy protocol values each iteration.
    References: #10515, pull request 10573

- update to 4.5.4:
  * Make sure that we pass the SOA along the NSEC(3) proof for
    DS queries.

- no longer supports 32-bit arches -- requiers 64-bit time_t
- specfile cleanup - drop initrd cases
- build-require gcc7 on SLE-12 variant

- update to 4.5.2:
  * default value of nsec3-max-iterations[1] has been lowered to 150
  * fixed issue affecting the "refresh almost expired" function

- update to 4.5.1:
- Main changes:
  * Dropped support for 32-bit platforms!
  * Rewrite of the way zone cuts are determined, reducing the number of
    outgoing queries by up to 17% when doing DNSSEC validation while reducing
    the CPU usage more than 20% .
  * Added implementation of EDNS0 padding (RFC 7830) for answers sent to clients.
  * Added implementation of RFC 8198[2]: Aggressive use of DNSSEC-Validated Cache.
  * Added a cache of non-resolving nameservers.
  * Re-worked negative cache that is shared between threads.
  * Added support for Extended DNS Errors (RFC 8914[5]).
  * A "refresh almost expired records" (also called "refetch") mechanism[8]
    has been introduced to keep the record cache warm.
- Other new features and improvements:
  * The complete protobuf and dnstap logging code has been rewritten to
    have much smaller performance impact.
  * We have introduced non-offensive synonyms for words used in
    settings. See the upgrade[9] guide.
  * The default minimum TTL[10] override has been changed from 0 to 1.
  * The spoof-nearmiss-max setting[11]'s default has been changed to 1.
    This has the consequence that the Recursor will switch to do TCP
    queries to authoritative nameservers sooner as an effective measure
    against many spoofing attacks.
  * Incoming queries over TCP now also use the packet cache, providing
    another performance increase.
  * File written to by the rec_control command are new opened by the
    command itself. It is also possible to write the content to the
    standard output stream by using a hyphen as file name.
  * TCP FastOpen (RFC 7413[12]) support for outgoing TCP connections to
    authoritative servers and forwarders.

- update to 4.4.3:
  Improvements
    Use a short-lived NSEC3 hashes cache for denial validation.
    References: #9856, pull request 10221
  Bug Fixes
    More fail-safe handling of Newly Discovered Domain files.
    Handle policy (if needed) after postresolve.
    Return current rcode instead of 0 if there are no CNAME records to follow.
    Lookup DS entries before CNAME entries.
    Handle failure to start the web server more gracefully.
    Test that we correctly cap the answer’s TTL in expanded wildcard cases.
    Fix the gathering of denial proof for wildcard-expanded answers.
    Make sure we take the right minimum for the packet cache TTL data in the SERVFAIL case.
  For details see,
  https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.3

- update to 4.4.2:
  Improvements
  * UUID: Use the non-cryptographic variant of the boost::uuid.
  * Keep a cached, valid entry over a fresher Bogus one.
  * Ensure socket-dir matches runtime directory on old systemd
  * Move to several distinct Bogus states, for easier debugging.
  * Do not chase CNAME during qname minimization step 4.
  Bug Fixes
  * Untangle the validation/resolving qnames and qtypes.
  * APL records: fix endianness problem.
  For details see,
  https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.2

- update to 4.4.1
  * Allow specifying a name in getMetric() that is used for Prometheus
  * Avoids a CNAME loop detection issue with DNS64
  * No longer sends overly long NOD lookups.
  * If a.b.c CNAME x.a.b.c is encountered, switch off QName Minimization.
  * Fix the processing of answers generated from gettag.

- Only require 'insserv' when this package ships an initscript

- fix default config
  - turn off chroot by default as it is not supported on systemd
    enabled systems
  - set query-local-address to ::,0.0.0.0
    to make ipv6 only nameservers work out of the box

- update to 4.4.0 with these major enhancements:
  * Native DNS64 support, without the need to use Lua.
  * The ability to add custom tags to RPZ hits.
  * Names encountered while resolving CNAMEs are now subject to RPZ
    processing.
  * More detailed information about RPZ handling is now available while
    tracing, in Lua and in the protobuf logging messages.
  * To allow more efficient use, the record cache is now shared between
    threads.
  * A routing tag[3] can be added in Lua code, which will be used as an
    additional record cache key instead of an EDNS subnet mask,
    enabling for a simpler record cache structure which will enhance
    query processing where the EDNS subnet mask is relevant.
  * The Proxy Protocol version 2 has been implemented to allow for a
    structured exchange of information between a client (typically
    dnsdist) and the Recursor.
- removed obsolete back-port fix 9070.patch

- 9070.patch: backport compilation fix vs. latest Boost 1.74
  based on https://github.com/PowerDNS/pdns/pull/9070

- update to 4.3.4
  * fixes an issue where certain CNAMEs could lead to resolver failure
  * fixes an issue with the hostname reported in Carbon messages
  * allows for multiple recursor services to run under systemd
- use HTTPS scheme for all URLs

- update to 4.3.3
  * Validate cached DNSKEYs against the DSs, not the RRSIGs only.
  * Ignore cache-only for DNSKEYs and DS retrieval.
  * A ServFail while retrieving DS/DNSKEY records is just that.
  * Refuse DS records received from child zones.
  * Better exception handling in houseKeeping/handlePolicyHit.
  * Take initial refresh time from loaded zone.

- pdns-recursor-4.4.7-xfr.patch: fixes incomplete validation of
  incoming IXFR transfers. It applies to setups retrieving
  one or more RPZ zones from a remote server if the network path
  to the server  is not trusted. (bsc#1197525, CVE-2022-27227)

- 9070.patch: backport compilation fix vs. latest Boost 1.74
  based on https://github.com/PowerDNS/pdns/pull/9070

- update to 4.3.4
  * fixes an issue where certain CNAMEs could lead to resolver failure
  * fixes an issue with the hostname reported in Carbon messages
  * allows for multiple recursor services to run under systemd
- use HTTPS scheme for all URLs

- update to 4.3.3
  * Validate cached DNSKEYs against the DSs, not the RRSIGs only.
  * Ignore cache-only for DNSKEYs and DS retrieval.
  * A ServFail while retrieving DS/DNSKEY records is just that.
  * Refuse DS records received from child zones.
  * Better exception handling in houseKeeping/handlePolicyHit.
  * Take initial refresh time from loaded zone.

- update to 4.3.1
  * fixes an issue where records in the answer section of
    a NXDOMAIN response lacking an SOA were not properly validated
    (CVE-2020-12244, bsc#1171553)
  * fixes an issue where invalid hostname on the server can result in
    disclosure of invalid memory (CVE-2020-10030, bsc#1171553)
  * fixes an issue in the DNS protocol has been found that allows
    malicious parties to use recursive DNS services to attack third
    party authoritative name servers (CVE-2020-10995, bsc#1171553)

- fixed configuration to make the service start
  https://docs.powerdns.com/recursor/upgrade.html#x-to-4-3-0-or-master

- update to 4.3.0:
  * A relaxed form of QName Minimization as described in rfc7816bis-01.
    This feature is enabled by default
  * Dnstap support for outgoing queries to authoritative servers and
    the corresponding replies.
  * The recursor now processes a number of requests incoming over
    a TCP connection simultaneously and will return results
    (potentially) out-of-order.
  * Newly Observed Domain (NOD) functionality
  * For details see
    https://blog.powerdns.com/2020/03/03/powerdns-recursor-4-3-0-released/

- update to 4.2.1:
  * Add deviceName field to protobuf messages
  * Purge map of failed auths periodically by keeping
    last changed timestamp.
  * Prime NS records of root-servers.net parent (.net)
  * Issue with ?zz? abbreviation for IPv6 RPZ triggers
  * Basic validation of $GENERATE parameters
  * Fix inverse handler registration logic for SNMP

- update to 4.2.0:
  * removes several workarounds for authoritative servers that
    respond badly to EDNS(0) queries
  * support for DNS X-Proxied-For (draft-bellis-dnsop-xpf-04)
  * EDNS Client Subnet Improvements
  * New and Updated Settings
  - distributor-threads
  - public-suffix-list-file
  - edns-outgoing-bufsize setting?s default has changed
    from 1680 to 1232
  * lot of small, incremental changes

- update to 4.1.13:
  * Add the disable-real-memory-usage setting to skip expensive
    collection of detailed memory usage info
  * Fix DNSSEC validation of wildcards expanded onto themselves.

- update to 4.1.8
  https://blog.powerdns.com/2018/11/26/powerdns-recursor-4-1-8-released/
  - Fixes case where a crafted query can cause a denial of service
    (CVE-2018-16855, bsc#1116592)

- update to 4.1.7
  https://blog.powerdns.com/2018/11/09/powerdns-recursor-4-1-7-released/
  - Revert ?Keep the EDNS status of a server on FormErr with EDNS?
  - Refuse queries for all meta-types

- update to 4.1.6
  - Revert "rec: Authority records in AA=1 CNAME answer are
    authoritative"
    https://github.com/PowerDNS/pdns/issues/7158

- update to 4.1.5
  - Improvements
  * Add pdnslog to lua configuration scripts
  * Fix compilation with libressl 2.7.0+
  * Export outgoing ECS value and server ID in protobuf (if any)
  * Switch to devtoolset 7 for el6
  * Allow the signature inception to be off by number of seconds
  - Bug Fixes
  * Crafted answer can cause a denial of service
    (bsc#1114157, CVE-2018-10851)
  * Packet cache pollution via crafted query
    (bsc#1114169, CVE-2018-14626)
  * Crafted query for meta-types can cause a denial of service
    (bsc#1114170, CVE-2018-14644)
  * Delay creation of rpz threads until we dropped privileges
  * Cleanup the netmask trees used for the ecs index on removals
  * Make sure that the ecs scope from the auth is < to the source
  * Authority records in aa=1 cname answer are authoritative
  * Avoid a memory leak in catch-all exception handler
  * Don?t require authoritative answers for forward-recurse zones
  * Release memory in case of error in openssl ecdsa constructor
  * Convert a few uses to toLogString to print DNSName?s that
    may be empty in a safer manner
  * Avoid a crash on DEC Alpha systems
  * Clear all caches on (N)TA changes

- update to 4.1.4
  - Improvements
  * Split pdns_enable_unit_tests.
  * Add a new max-udp-queries-per-round setting.
  * Fix warnings reported by gcc 8.1.0.
  * Tests: replace awk command by perl.
  * Allow the snmp thread to retrieve statistics.
  - Bug Fixes
  * Don?t account chained queries more than once.
  * Make rec_control respect include-dir.
  * Load lua scripts only in worker threads.
  * Purge all auth/forward zone data including subtree.

- update to 4.1.3
  - Improvements
  * Add a subtree option to the API cache flush endpoint
  * Use a separate, non-blocking pipe to distribute queries
  * Move carbon/webserver/control/stats handling to a separate
    thread
  * Add _raw versions for QName / ComboAddresses to the FFI API
  * Fix a warning on botan >= 2.5.0
  - Bug Fixes
  * Count a lookup into an internal auth zone as a cache miss
  * Don?t increase the DNSSEC validations counters when running
    with process-no-validate
  * Respect the AXFR timeout while connecting to the RPZ server
  * Increase MTasker stacksize to avoid crash in exception
    unwinding
  * Use the SyncRes time in our unit tests when checking cache
    validity
  * Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT
  * Delay the loading of RPZ zones until the parsing is done,
    fixing a race condition
  * Reorder includes to avoid boost L conflict (bsc#1089814)

- update to 4.1.9
  https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
  - Fixes case when Lua hooks are not called over TCP
    (CVE-2019-3806, bsc#1121887)
  - Fixes DNSSEC validation is not performed for AA=0 responses
    (CVE-2019-3807, bsc#1121889)

- CVE-2018-16855-rec-4.1.7.patch: fix out-of-bounds memory read
  via a crafted query (bsc#1116592, CVE-2018-16855)

- CVE-2018-10851-rec-4.1.4.patch: fixes possible DoS due to memory
  leak in crafted zone processing (bsc#1114157, CVE-2018-10851)
- CVE-2018-14626-rec-4.1.4.patch: fixes a potential DoS for DNSSEC
  domains via query for meta-types (bsc#1114170, CVE-2018-14644)
- CVE-2018-14644-rec-4.1.4.patch: fixes packet cache pollution via
  crafted query (bsc#1114169, CVE-2018-14626)

- protobuf support is available in SLE-15
- Boost.Context library is not available on s390x

- update to 4.1.2
  - New Features
  - #6344: Add FFI version of gettag().
  - Improvements
  - #6298, #6303, #6268, #6290: Add the option to set the AXFR
    timeout for RPZs.
  - #6172: IXFR: correct behavior of dealing with DNS Name with
    multiple records and speed up IXFR transaction (Leon Xu).
  - #6379: Add RPZ statistics endpoint to the API.
  - Bug Fixes
  - #6336, #6293, #6237: Retry loading RPZ zones from server when
    they fail initially.
  - #6300: Fix ECS-based cache entry refresh code.
  - #6320: Fix ECS-specific NS AAAA not being returned from the
    cache.

- update to version 4.1.1:
  + Fixes security vulnerability where man-in-the-middle to send
    a NXDOMAIN answer for a DNSSEC name that does exist.
    (bsc#1077154, CVE-2018-1000003)
  + Don't validate signature for "glue" CNAME, since anything else
    than the initial CNAME can?t be considered authoritative.

- update to 4.3.5:
  * fixes cache pollution related to DNSSEC validation.
    (CVE-2020-25829, bsc#1177383)
  * now raise an exception on invalid content in unknown records
  * fixes the parsing of dont-throttle-netmasks in the presence of
    dont-throttle-names
- 9070.patch: refreshed, looks like only partially upstreamed

- update to 4.1.17
  * fixes access restriction bypass. While API key and password
    authentication is performed, the ACL set by `webserver-allow-from`
    was not enforced. (CVE-2020-14196, bsc#1173302)

- update to 4.1.16
  * fixes an issue where records in the answer section of
    a NXDOMAIN response lacking an SOA were not properly validated
    (CVE-2020-12244, bsc#1171553)
  * fixes an issue where invalid hostname on the server can result in
    disclosure of invalid memory (CVE-2020-10030, bsc#1171553)
  * fixes an issue in the DNS protocol has been found that allows
    malicious parties to use recursive DNS services to attack third
    party authoritative name servers (CVE-2020-10995, bsc#1171553)
- old_boost.patch: fix compilation with boost version from SLE
  For details see
  https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16

- update to 4.3.5:
  * fixes cache pollution related to DNSSEC validation.
    (CVE-2020-25829, bsc#1177383)
  * now raise an exception on invalid content in unknown records
  * fixes the parsing of dont-throttle-netmasks in the presence of
    dont-throttle-names
- 9070.patch: refreshed, looks like only partially upstreamed

- update to 4.3.2
  * Fixes a access restriction bypass vulnerability where ACL applied
    to the internal web server via webserver-allow-from is
    not properly enforced, allowing a remote attacker to send
    HTTP queries to the internal web server, bypassing the restriction.
    (CVE-2020-14196, bsc#1173302)
  * improves CNAME loop detection
  * Fix the handling of DS queries for the root
  * Fix RPZ removals when an update has several deltas

- bogus-empty-nxd-4.1.15.diff: fixes an issue where records in
  the answer section of a NXDOMAIN response lacking an SOA were
  not properly validated (CVE-2020-12244, bsc#1171553)
- hostname-4.1.15.diff: fixes an issue where invalid hostname
  on the server can result in disclosure of invalid memory
  (CVE-2020-10030, bsc#1171553)
- ns-ampl-4.1.15.diff: fixes an issue in the DNS protocol has been found that
  allows malicious parties to use recursive DNS services to attack third
  party authoritative name servers (CVE-2020-10995, bsc#1171553)

- bsc#1130588: Require shadow instead of old pwdutils

- update to 4.1.12:
  * Improvements
  - Provide CPU usage statistics per thread (worker & distributor).
  - Use a bounded load-balancing algo to distribute queries.
  - Implement a configurable ECS cache limit so responses with an
    ECS scope more specific than a certain threshold and a TTL
    smaller than a specific threshold are not inserted into the
    records cache at all.
  * Bug Fixes
  - Correctly interpret an empty AXFR response to an IXFR query.
- update to 4.1.11:
  * Improvements
  - Add an option to export only responses over protobuf to the
    Lua protobufServer() directive.
  - Reduce systemcall usage in protobuf logging. (See #7428.)

- update to 4.1.10
  - #7403: Fix compilation in handleRunningTCPQuestion without
    protobuf support

- update to 4.1.5
  - Improvements
  * Add pdnslog to lua configuration scripts
  * Fix compilation with libressl 2.7.0+
  * Export outgoing ECS value and server ID in protobuf (if any)
  * Switch to devtoolset 7 for el6
  * Allow the signature inception to be off by number of seconds
  - Bug Fixes
  * Crafted answer can cause a denial of service
    (bsc#1114157, CVE-2018-10851)
  * Packet cache pollution via crafted query
    (bsc#1114169, CVE-2018-14626)
  * Crafted query for meta-types can cause a denial of service
    (bsc#1114170, CVE-2018-14644)
  * Delay creation of rpz threads until we dropped privileges
  * Cleanup the netmask trees used for the ecs index on removals
  * Make sure that the ecs scope from the auth is < to the source
  * Authority records in aa=1 cname answer are authoritative
  * Avoid a memory leak in catch-all exception handler
  * Don?t require authoritative answers for forward-recurse zones
  * Release memory in case of error in openssl ecdsa constructor
  * Convert a few uses to toLogString to print DNSName?s that
    may be empty in a safer manner
  * Avoid a crash on DEC Alpha systems
  * Clear all caches on (N)TA changes

- update to 4.1.10
  - #7403: Fix compilation in handleRunningTCPQuestion without
    protobuf support

- _constraints: we seem to need at least 8GB RAM to build on S390x
  and ppc64

- enable ed25519 support (new BR: libsodium-devel)
- enable net-snmp support (new BR: net-snmp-devel)
- simplify BR for lua: lua-devel everywhere now

- update to version 4.1.0:
  + Improved DNSSEC support
  + Improved documentation
  + Improved RPZ support
  + Improved EDNS Client Subnet support
  + SNMP support
  + Lua engine has gained access to more parts of the recursor
  + CPU affinity can now be specified
  + TCP Fast Open support
  + New performance metrics
  + For complete changes see:
    https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/

- update to version 4.0.7: (bsc#1069242)
  + fixes CVE-2017-15090: Insufficient validation of DNSSEC
    signatures
  + fixes CVE-2017-15092: Cross-Site Scripting in the web interface
  + fixes CVE-2017-15093: Configuration file injection in the API
  + fixes CVE-2017-15094: Memory leak in DNSSEC parsing
  + Fix validation at the exact RRSIG inception or expiration time
  + Extract nested exception from Luawrapper
  + Throw an error when lua-conf-file can?t be loaded
  + Lowercase all outgoing qnames when lowercase-outgoing is set

- Added pdns-recursor.keyring linked from
  https://dnsdist.org/install.html

- Don't BuildRequire Botan 1.x
  * Botan will be dropped as the 1.x branch is EOL and won't get
    OpenSSL 1.1 support backported (bsc#1055322)

- update to version 4.0.6
  + fixes ed25519 signer
  + update root-servers.net entries
  + fixes handling of expired cache entries so they expire faster

- Enable DNSSEC validation by default.

- update to version 4.0.5
  + adds ed25519 (algorithm 15) support for DNSSEC
  + adds the 2017 DNSSEC root key
  + complete changeset is available at,
  https://doc.powerdns.com/md/changelog/#powerdns-recursor-405

- move autoreconf into the build section

- use individual libboost-*-devel packages instead of boost-devel
- add signature file for upstream release

- update to version 4.0.4
  The following security advisories were fixed
  - 2016-02: Crafted queries can cause abnormal CPU usage
  (CVE-2016-7068, boo#1018326)
  - 2016-04: Insufficient validation of TSIG signatures
  (CVE-2016-2120, boo#1018329)
  complete changeset is availalbe at,
  https://doc.powerdns.com/md/changelog/#powerdns-recursor-404
- remove 4462.patch: in upstream release.

- BuildRequire pkgconfig(libsystemd) instead of
  pkgconfig(libsystemd-daemon): these libs were merged in systemd
  209 times. The build system is capable of finding either one.

- 4462.patch:
  Disable fcontext usage with Boost 1.61+ and revert back to
  slower SystemV ucontext. This fixes failure to build with
  newer Boost version. (boo#998408)

- update to 4.0.3
  A new release for the PowerDNS Recursor with version 4.0.3 is
  available. This release has many fixes and improvements in the
  Policy Engine (RPZ) and the Lua bindings to it. Therefore, we
  recommend users of RPZ to upgrade to this release. We would like
  to thank Wim (42wim on github) for testing and reporting on the
  RPZ module.
  Bug fixes
  - #4350: Call gettag() for TCP queries
  - #4376: Fix the use of an uninitialized filtering policy
  - #4381: Parse query-local-address before lua-config-file
  - #4383: Fix accessing an empty policyCustom, policyName from Lua
  - #4387: ComboAddress: don?t allow invalid ports
  - #4388: Fix RPZ default policy not being applied over IXFR
  - #4391: DNSSEC: Actually follow RFC 7646 2.1
  - #4396: Add boost context ldflags so freebsd builds can find the
    libs
  - #4402: Ignore NS records in a RPZ zone received over IXFR
  - #4403: Fix build with OpenSSL 1.1.0 final
  - #4404: Don?t validate when a Lua hook took the query
  - #4425: Fix a protobuf regression (requestor/responder mix-up)
  Additions and Enhancements
  - #4394: Support Boost 1.61+ fcontext
  - #4402: Add Lua binding for DNSRecord::d_place

- update to 4.0.2
  Bug fixes
  - #4264: Set dq.rcode before calling postresolve
  - #4294: Honor PIE flags.
  - #4310: Fix build with LibreSSL, for which
    OPENSSL_VERSION_NUMBER is irrelevant
  - #4340: Don't shuffle CNAME records. (thanks to Gert van Dijk
    for the extensive bug report!)
  - #4354: Fix delegation-only
  Additions and enhancements
  - #4288: Respect the timeout when connecting to a protobuf server
  - #4300: allow newDN to take a DNSName in; document missing
    methods
  - #4301: expose SMN toString to lua
  - #4318: Anonymize the protobuf ECS value as well (thanks to Kai
    Storbeck of XS4All for finding this)
  - #4324: Allow Lua access to the result of the Policy Engine
    decision, skip RPZ, finish RPZ implementation
  - #4349: Remove unused DNSPacket::d_qlen
  - #4351: RPZ: Use query-local-address(6) by default (thanks to
    Oli Schacher of switch.ch for the bug report)
  - #4357: Move the root DNSSEC data to a header file

- update to 4.0.1
  Bug fixes
  - #4119 Improve DNSSEC record skipping for non dnssec queries
    (Kees Monshouwer)
  - #4162 Don't validate zones from the local auth store, go one
    level down while validating when there is a CNAME
  - #4187:
  - Don't go bogus on islands of security
  - Check all possible chains for Insecures
  - Don't go Bogus on a CNAME at the apex
  - #4215 RPZ: default policy should also override local data RRs
  - #4243 Fix a crash when the next name in a chained query is
    empty and rec_control current-queries is invoked
  Improvements
  - #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
  - #4140 Fix warnings with gcc on musl-libc (James Taylor)
  - #4160 Also validate on +DO
  - #4164 Fail to start when the lua-dns-script does not exist
  - #4168 Add more Netmask methods for Lua (Aki Tuomi)
  - #4210 Validate DNSSEC for security polling
  - #4217 Turn on root-nx-trust by default and
    log-common-errors=off
  - #4207 Allow for multiple trust anchors per zone
  - #4242 Fix compilation warning when building without Protobuf
  - #4133 Add limits to the size of received {A,I}XFR
    (CVE-2016-6172)

- update to 4.0.0
  https://blog.powerdns.com/2016/07/11/powerdns-recursor-4-0-0-released/
  https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/
- packaging changes:
  - enabled protobuf based stats
  - enabled botan based code
  - use upstream systemd files

- do not use /run/pdns instead of /var/run/pdns in the init script
  for the rest we have the systemd unit file

- update to 3.7.3 will prevent short bursts of high
  resource usage with malformed qnames.