Update Info


Security update for pdns-recursor

Type: security
Severity: moderate
Issued: 2022-04-07

pdns-recursor was updated to 4.6.1:

- fixes incomplete validation of incoming IXFR transfer in
  the Recursor. It applies to setups retrieving one or more RPZ
  zones from a remote server if the network path to the server
  is not trusted. (bsc#1197525, CVE-2022-27227)

update to 4.6.0

- Compared to the previous major (4.5) release of PowerDNS Recursor, this
  release contains several sets of changes:

    * The ability to flush records from the caches on incoming
      notify requests.
    * A rewrite of the outgoing TCP code, adding both re-use of
      connections and support for DoT to authoritative servers or
    * Many improvements in the area of metrics: more metrics are
      collected and more metrics are now exported in a Prometheus
      friendly way.
    * A new Zone to Cache function that will retrieve a zone (using
      AXFR, HTTP, HTTPS or a local file) periodically and insert the
      contents into the record cache, allowing the cache to be always hot
      for a zone. This can be used for the root or any other zone.
    * An experimental Event Tracing function, providing insight into
      the time taken by the steps in the process of resolving a name.

update to 4.5.7:

  * A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records.
    References: #10908, pull request 10912
  * rec_control wipe-cache-typed should check if a qtype arg is present and valid.
    References: #10905, pull request 10911
  * Put the correct string into appliedPolicyTrigger for Netmask matching rules.
    References: #10842, pull request 10863

update to 4.5.6:

  * Bug Fixes

    - fixes to the way RPZ updates are handled
    - fix to a case where traffic to a forwarder could be throttled while it should not.
    - fixed a few minor DNSSEC validation issues
    - fixed a case where the combining of equivalent queries was not
      effective

update to 4.5.5:

  * Improvements

    - Work around clueless servers sending AA=0 answers.
      References: #10555, pull request 10564

  * Bug Fixes

    - Ancestor NSEC3s can only deny the existence of a DS.
      References: #10587, pull request 10593
    - Make really sure we did not miss a cut on validation failure.
      References: #10570, pull request 10575
    - Clear the current proxy protocol values each iteration.
      References: #10515, pull request 10573

update to 4.5.4:

  * Make sure that we pass the SOA along the NSEC(3) proof for
    DS queries.

update to 4.5.2:

  * default value of nsec3-max-iterations[1] has been lowered to 150
  * fixed issue affecting the "refresh almost expired" function

update to 4.5.1:

- Main changes:

  * Dropped support for 32-bit platforms!
  * Rewrite of the way zone cuts are determined, reducing the number of
    outgoing queries by up to 17% when doing DNSSEC validation while reducing
    CPU usage by more than 20%.
  * Added implementation of EDNS0 padding (RFC 7830) for answers sent to clients.
  * Added implementation of RFC 8198[2]: Aggressive use of DNSSEC-Validated Cache.
  * Added a cache of non-resolving nameservers.
  * Re-worked negative cache that is shared between threads.
  * Added support for Extended DNS Errors (RFC 8914[5]).
  * A "refresh almost expired records" (also called "refetch") mechanism[8]
    has been introduced to keep the record cache warm.

- Other new features and improvements:

  * The complete protobuf and dnstap logging code has been rewritten to
    have much smaller performance impact.
  * We have introduced non-offensive synonyms for words used in
    settings. See the upgrade[9] guide.
  * The default minimum TTL[10] override has been changed from 0 to 1.
  * The spoof-nearmiss-max setting[11]'s default has been changed to 1.
    This has the consequence that the Recursor will switch to do TCP
    queries to authoritative nameservers sooner as an effective measure
    against many spoofing attacks.
  * Incoming queries over TCP now also use the packet cache, providing
    another performance increase.
  * Files written to by the rec_control command are now opened by the
    command itself. It is also possible to write the content to the
    standard output stream by using a hyphen as the file name.
  * TCP FastOpen (RFC 7413[12]) support for outgoing TCP connections to
    authoritative servers and forwarders.

update to 4.4.3:

  * Use a short-lived NSEC3 hashes cache for denial validation.
    References: #9856, pull request 10221

  Bug Fixes

  * More fail-safe handling of Newly Discovered Domain files.
  * Handle policy (if needed) after postresolve.
  * Return current rcode instead of 0 if there are no CNAME records to follow.
  * Lookup DS entries before CNAME entries.
  * Handle failure to start the web server more gracefully.
  * Test that we correctly cap the answer’s TTL in expanded wildcard cases.
  * Fix the gathering of denial proof for wildcard-expanded answers.
  * Make sure we take the right minimum for the packet cache TTL data in the SERVFAIL case.

For details see https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.3

update to 4.4.2:

  * UUID: Use the non-cryptographic variant of the boost::uuid.
  * Keep a cached, valid entry over a fresher Bogus one.
  * Ensure socket-dir matches runtime directory on old systemd
  * Move to several distinct Bogus states, for easier debugging.
  * Do not chase CNAME during qname minimization step 4.

  Bug Fixes

  * Untangle the validation/resolving qnames and qtypes.
  * APL records: fix endianness problem.

For details see https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.2

update to 4.4.1

  * Allow specifying a name in getMetric() that is used for Prometheus
  * Avoids a CNAME loop detection issue with DNS64
  * No longer sends overly long NOD lookups.
  * If a.b.c CNAME x.a.b.c is encountered, switch off QName Minimization.
  * Fix the processing of answers generated from gettag.

fix default config

  - turn off chroot by default as it is not supported on systemd-enabled
    systems
  - set query-local-address to ::, to make IPv6-only nameservers work
    out of the box

update to 4.4.0 with these major enhancements:

  * Native DNS64 support, without the need to use Lua.
  * The ability to add custom tags to RPZ hits.
  * Names encountered while resolving CNAMEs are now subject to RPZ
  * More detailed information about RPZ handling is now available while
    tracing, in Lua and in the protobuf logging messages.
  * To allow more efficient use, the record cache is now shared between
  * A routing tag[3] can be added in Lua code, which will be used as an
    additional record cache key instead of an EDNS subnet mask,
    enabling for a simpler record cache structure which will enhance
    query processing where the EDNS subnet mask is relevant.
  * The Proxy Protocol version 2 has been implemented to allow for a
    structured exchange of information between a client (typically
    dnsdist) and the Recursor.

update to 4.3.5:

  * fixes cache pollution related to DNSSEC validation.
    (CVE-2020-25829, bsc#1177383)
  * now raise an exception on invalid content in unknown records
  * fixes the parsing of dont-throttle-netmasks in the presence of

update to 4.3.4

  * fixes an issue where certain CNAMEs could lead to resolver failure
  * fixes an issue with the hostname reported in Carbon messages
  * allows for multiple recursor services to run under systemd

update to 4.3.3

  * Validate cached DNSKEYs against the DSs, not the RRSIGs only.
  * Ignore cache-only for DNSKEYs and DS retrieval.
  * A ServFail while retrieving DS/DNSKEY records is just that.
  * Refuse DS records received from child zones.
  * Better exception handling in houseKeeping/handlePolicyHit.
  * Take initial refresh time from loaded zone.

update to 4.3.2

  * Fixes an access restriction bypass vulnerability where the ACL applied
    to the internal web server via webserver-allow-from is
    not properly enforced, allowing a remote attacker to send
    HTTP queries to the internal web server, bypassing the restriction.
    (CVE-2020-14196, bsc#1173302)
  * improves CNAME loop detection
  * Fix the handling of DS queries for the root
  * Fix RPZ removals when an update has several deltas

update to 4.3.0:

  * A relaxed form of QName Minimization as described in rfc7816bis-01.
    This feature is enabled by default
  * Dnstap support for outgoing queries to authoritative servers and
    the corresponding replies.
  * The recursor now processes a number of requests incoming over
    a TCP connection simultaneously and will return results
    (potentially) out-of-order.
  * Newly Observed Domain (NOD) functionality
  * For details see

update to 4.2.1:

  * Add deviceName field to protobuf messages
  * Purge map of failed auths periodically by keeping
    last changed timestamp.
  * Prime NS records of root-servers.net parent (.net)
  * Issue with “zz” abbreviation for IPv6 RPZ triggers
  * Basic validation of $GENERATE parameters
  * Fix inverse handler registration logic for SNMP

update to 4.2.0:

  * removes several workarounds for authoritative servers that
    respond badly to EDNS(0) queries
  * support for DNS X-Proxied-For (draft-bellis-dnsop-xpf-04)
  * EDNS Client Subnet Improvements
  * New and Updated Settings
    - distributor-threads
    - public-suffix-list-file
    - edns-outgoing-bufsize setting’s default has changed
      from 1680 to 1232
  * lots of small, incremental changes

update to 4.1.13:

  * Add the disable-real-memory-usage setting to skip expensive
    collection of detailed memory usage info
  * Fix DNSSEC validation of wildcards expanded onto themselves.

- bsc#1130588: Require shadow instead of old pwdutils

update to 4.1.12:

  * Improvements

    - Provide CPU usage statistics per thread (worker & distributor).
    - Use a bounded load-balancing algorithm to distribute queries.
    - Implement a configurable ECS cache limit so responses with an
      ECS scope more specific than a certain threshold and a TTL
      smaller than a specific threshold are not inserted into the
      records cache at all.

  * Bug Fixes

    - Correctly interpret an empty AXFR response to an IXFR query.

update to 4.1.11:

  * Improvements

    - Add an option to export only responses over protobuf to the
      Lua protobufServer() directive.
    - Reduce systemcall usage in protobuf logging. (See #7428.)
  • pdns-recursor-4.6.1-2.1