PowerDNS is a DNS server with a database backend, which makes it easy to manage a large number of DNS entries. At the end of April 2006 the developers decided to release the two parts that make up PowerDNS, a recursor and an authoritative nameserver, separately. According to the developers, this lets them bring out new versions more quickly. The developers have just released version 3.1.5 of PowerDNS Recursor with the following announcement:
PowerDNS Recursor 3.1.5 released
We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to 'spoof' previous versions of the PowerDNS Recursor into accepting possibly malicious data. Details can be found here.
It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune. The PowerDNS Security Advisory can be found here.
PowerDNS Recursor 3.1.5 has been in production use for the past few weeks, and has been validated by in excess of one billion test queries, the results of which were compared to those generated by a reference implementation.
Much like 3.1.4, this release does not add a lot of major features. Instead, performance has been improved significantly (estimated at around 20%), and many rare and not so rare issues were addressed. Multi-part TXT records now work as expected - the only significant functional bug found in 15 months. One of the oldest feature requests was fulfilled: version 3.1.5 can finally forward queries for designated domains to multiple servers, on differing port numbers if needed. Previously only one forwarder address was supported. This lack held back a number of migrations to PowerDNS.
This version can properly benefit from all IPv4 and IPv6 addresses in use at the root-servers as of early February 2008. In order to implement this, changes were made to how the Recursor deals internally with A and AAAA queries for nameservers, see below for more details.
Additionally, newer releases of the G++ compiler required some fixes (see ticket 173).
This release was made possible by the help of Wichert Akkerman, Winfried Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), Leo Baltus (Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf Cegetel), Peter Gervai, Marcus Goller (UPC), Matti Hiljanen (Saunalahti/Elisa), Ruben Kerkhoff, Alex Kiernan, Amit Klein (Trusteer), Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert (OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt (Freenet.de), Kai Storbeck (xs4all), Alex Trull, Andrew Turnbull (No Wires LTD) and Aaron Thompson, and many more who filed bugs anonymously, or who we forgot to mention.
Security related issues:
- Amit Klein has informed us that System random generator output can be predicted based on its past behaviour, allowing a smart attacker to 'spoof' our nameserver.
- The Recursor will by default no longer query private-space nameservers. This closes a slight security risk and simultaneously improves performance and stability.
- Applied fix for ticket 110 ('PowerDNS should change directory to '/' in chroot'), implemented in commit 944.
- The DNS packet writing and parsing infrastructure performance was improved in several ways, see commits 925, 926, 928, 931, 1021, 1050.
- Remove multithreading overhead from the Recursor (commit 999).
- Built-in authoritative server now properly derives the TTL from the SOA record if not specified. Implemented in commit 1165. Additionally, even when TTL was specified for the built-in authoritative server, it was ignored. Reported by Stefan Schmidt, closing ticket 147.
- Empty TXT record components can now be served. Implemented in commit 1166, closing ticket 178. Spotted by Matti Hiljanen.
- The Recursor would not properly override old data with new, sometimes serving old and new data concurrently. Fixed in commit 1137.
- SOA records with embedded carriage-return characters are now parsed correctly. Implemented in commit 1167, closing ticket 162.
- Some routing conditions could cause UDP connected sockets to generate an error which PowerDNS did not deal with properly, leading to a leaked file descriptor. As these run out over time, the recursor could crash. This would also happen for IPv6 queries on a host with no IPv6 connectivity. Thanks to Kai of xs4all and Wichert Akkerman for reporting this issue. Fix in commit 1133.
- Empty unknown record types can now be stored without generating a scary error (commit 1129)
- Applied fix for ticket 111, ticket 112 and ticket 153 - large (multipart) TXT records are now retrieved and served properly. Fix in commit 996.
- Solaris compilation instructions in Recursor documentation were wrong, leading to an instant crash on startup. Luckily nobody reads the documentation, except for Marcus Goller who found the error. Fixed in commit 1124.
- On Solaris, finally fix the issue where queries get distributed strangely over CPUs, or not get distributed at all. Much debugging and analysing performed by Alex Kiernan, who also supplied fixes. Implemented in commit 1091, commit 1093.
- Various fixes for modern G++ versions, most spotted by Marcus Rueckert (commits 964, 965, 1028, 1052), and Ruben Kerkhoff (commit 1136, closing ticket 175).
- Recursor would not properly clean up pidfile and control socket, closing ticket 120, code in commit 988, commit 1098 (part of fix by Matti Hiljanen, spotted by Leo Baltus)
- Recursor can now serve multi-line records from its limited authoritative server (commit 1014).
- When parsing zones, the 'm' time specification stands for minutes, not months! Closing Debian bug 406462 (commit 1026)
- Authoritative zone parser did not support '@' in the content of records. Spotted by Marco Davids, fixed in commit 1030.
- Authoritative zone parser could be confused by trailing TABs on record lines (commit 1062).
- EINTR error code could block entire server if received at the wrong time. Spotted by Arnoud Bakker, fix in commit 1059.
- Fix crash on NetBSD on Alpha CPUs, might improve startup behaviour on empty caches on other architectures as well (commit 1061).
- Outbound TCP queries were being performed sub-optimally because of an interaction with the 'Mplexer'. Fixes in commit 1115, commit 1116.
- Implemented rec_control command get uptime, as suggested by Niels Bakker (commit 935). Added to default rrdtool scripts in commit 940.
- The Recursor Authoritative component, meant for having the Recursor serve some zones authoritatively, now supports $INCLUDE and $GENERATE. Implemented in commit 951 and commit 952, commit 967 (discovered by Thomas Rietz).
- Implemented forward-zones-file option in order to support larger amounts of zones which should be forwarded to another nameserver (commit 963).
- Both forward-zones and forward-zones-file can now specify multiple forwarders per domain, implemented in commit 1168, closing ticket 81. Additionally, both these settings can also specify non-standard port numbers, as suggested in ticket 122. Patch authored by Aaron Thompson, with additional work by Augie Schwer.
- Sten Spans contributed allow-from-file, implemented in commit 1150. This feature allows the Recursor to read access rules from a (large) file.
- Ruben Kerkhof fixed up weird permission bits as well as our SGML documentation code in commit 936 and commit 937.
- Full IPv6 parity. If configured to use IPv6 for outgoing queries (using query-local-address6=::0 for example), IPv6 and IPv4 addresses are finally treated 100% identically, instead of 'mostly'. This feature is implemented using 'ANY' queries to find A and AAAA addresses in one query, which is a new approach. Treat with caution.
- Now perform EDNS0 root refreshing queries, so as to benefit from all returned addresses. Relevant since early February 2008 when the root-servers started to respond with IPv6 addresses, which made the default non-EDNS0 maximum packet length reply no longer contain all records. Implemented in commit 1130. Thanks to dns-operations AT mail.oarc.isc.org for quick suggestions on how to deal with this change.
- rec_control now has a timeout in case the Recursor does not respond. Implemented in commit 945.
- (Error) messages are now logged with saner priorities (commit 955).
- Outbound query IP interface stemmed from 1997 (!) and was in dire need of a cleanup (commit 1117).
- L.ROOT-SERVERS.NET moved (commit 1118).
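The forward-zones change in the announcement above (several forwarders per domain, each optionally on its own port) can be audited with a small parser such as the following, which is an added example and not PowerDNS code. It assumes the value syntax from the PowerDNS documentation (comma-separated `zone=addr[:port];addr[:port]` entries, with IPv6 addresses bracketed when a port is given); the function names and the sample value are hypothetical.

```python
import ipaddress

DEFAULT_PORT = 53  # DNS default when an entry gives no port

def parse_forwarder(text):
    """Parse 'addr', 'v4addr:port' or '[v6addr]:port' into (address, port)."""
    text = text.strip()
    port = DEFAULT_PORT
    if text.startswith("["):                      # bracketed IPv6, optional port
        host, sep, rest = text[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {text!r}")
        if rest:
            port = int(rest[1:])
    elif text.count(":") == 1:                    # IPv4 with port
        host, _, port_text = text.partition(":")
        port = int(port_text)
    else:                                         # bare IPv4 or bare IPv6
        host = text
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {text!r}")
    return ipaddress.ip_address(host), port

def parse_forward_zones(value):
    """Return {zone: [(address, port), ...]} for a forward-zones style value."""
    zones = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        zone, sep, servers = entry.partition("=")
        zone = zone.strip().lower()
        if not sep or not zone:
            raise ValueError(f"expected zone=forwarders: {entry!r}")
        forwarders = [parse_forwarder(s) for s in servers.split(";") if s.strip()]
        if not forwarders:
            raise ValueError(f"no forwarders given for zone {zone!r}")
        if zone in zones:
            raise ValueError(f"zone listed twice: {zone!r}")
        zones[zone] = forwarders
    return zones

# Constructed sample value using documentation address ranges.
SAMPLE = ("example.org=203.0.113.210:5300;127.0.0.1, "
          "example.net=[2001:db8::1:3]:5300;198.51.100.10")

if __name__ == "__main__":
    for zone, forwarders in parse_forward_zones(SAMPLE).items():
        print(zone, [f"{addr} port {port}" for addr, port in forwarders])
```

Running the parser over a configuration before deployment shows exactly which addresses and ports will receive queries for each forwarded zone, and rejects malformed or duplicate entries.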