Het programma PowerDNS is een DNS server met een database als back-end waardoor het beheer van een groot aantal DNS entries op een gemakkelijke manier kan plaats vinden. De ontwikkelaars hebben eind april van dit jaar besloten om de twee delen waaruit PowerDNS bestaat, namelijk een recursor en een authoritative nameserver, apart uit te geven. Hierdoor kan men sneller een nieuwe versie uitbrengen, aldus de ontwikkelaars. Inmiddels is versie 3.1.4 van de PowerDNS recursor beschikbaar met de volgende aanpassingen:
This release contains almost no new features, but consists mostly of minor and major bug fixes. It also addresses two major security issues, which makes this release a highly recommended upgrade.
- Large TCP questions followed by garbage could cause the recursor to crash. This critical security issue has been assigned CVE-2006-4251, and is fixed in commit 915. More information can be found in Section 1.5.
- CNAME loops with zero second TTLs could cause crashes in some conditions. These loops could be constructed by malicious parties, making this issue a potential denial of service attack. This security issue has been assigned CVE-2006-4252 and is fixed by commit 919. More information can be found in Section 1.6. Many thanks to David Gavarret for helping pin down this problem.
- On certain error conditions, PowerDNS would neglect to close a socket, which might therefore eventually run out. Spotted by Stefan Schmidt, fixed in commits 892, 897, 899.
- Some nameservers (including PowerDNS in rare circumstances) emit a SOA record in the authority section. The recursor mistakenly interpreted this as an authoritative "NXRRSET". Spotted by Bryan Seitz, fixed in commit 893.
- In some circumstances, PowerDNS could end up with a useless (not working, or no longer working) set of nameserver records for a domain. This release contains logic to invalidate such broken NSSETs, without overloading authoritative servers. This problem had previously been spotted by Bryan Seitz, 'Cerb' and Darren Gamble. Invalidations of NSSETs can be plotted using the "nsset-invalidations" metric, available through rec_control get. Implemented in commit 896 and commit 901.
- PowerDNS could crash while dumping the cache using rec_control dump-cache. Reported by Wouter of WideXS and Stefan Schmidt and many others, fixed in commit 900.
- Under rare circumstances (depleted TCP buffers), PowerDNS might send out incomplete questions to remote servers. Additionally, on big-endian systems (non-Intel and non-AMD generally), sending out large TCP answers questions would not work at all, and possibly crash. Brought to our attention by David Gavarret, fixed in commit 903.
- The recursor contained the potential for a dead-lock processing an invalid domain name. It is not known how this might be triggered, but it has been observed by 'Cerb' on #powerdns. Several dead-locks where PowerDNS consumed all CPU, but did not answer questions, have been reported in the past few months. These might be fixed by commit 904.
- IPv6 'allow-from' matching had problems with the least significant bits, sometimes allowing disallowed addresses, but mostly disallowing allowed addresses. Spotted by Wouter from WideXS, fixed in commit 916.
[break]PowerDNS recursor 3.1.4 is in de volgende smaken binnen te halen:
- PowerDNS has support to drop answers from so called 'delegation only' zones. A statistic ("dlg-only-drops") is now available to plot how often this happens. Implemented in commit 890.
- Hint-file parameter was mistakenly named "hints-file" in the documentation. Spotted by my Marco Davids, fixed in commit 898.
- rec_control quit should be near instantaneous now, as it no longer meticulously cleans up memory before exiting. Problem spotted by Darren Gamble, fixed in commit 914, closing ticket 84.
- init.d script no longer refers to the Recursor as the Authoritative Server. Spotted by Wouter of WideXS, fixed in commit 913.
- A potentially serious warning for users of the GNU C Library version 2.5 was fixed. Spotted by Marcus Rueckert, fixed in commit 920.