PowerDNS is a DNS server with a database as its backend, which makes it easy to manage a large number of DNS entries. The developers previously decided to release the two parts that make up PowerDNS, a recursor and an authoritative nameserver, separately, so that a new version can be released faster and in a more targeted way, according to the developers.
When you perform a DNS lookup, a recursor starts by putting the lookup query to a DNS root server. That server can then refer to other servers, which in turn can refer to yet other servers, and so on, until a server is finally reached that knows the answer or knows that the lookup is not possible. The latter can be the case if the name does not exist or the servers do not respond. The process of walking through the various authoritative servers is called recursion. The developers released PowerDNS Recursor version 5.0 at the beginning of this year, and now a first update has appeared that is meant to fix some security issues.
PowerDNS Recursor 5.0.2
Bug Fixes
- Security advisory 2024-01: CVE-2023-50387 and CVE-2023-50868. Ref: pull request 13782
PowerDNS Recursor 5.0.1
Released: 10th of January 2024, with no changes compared to the second release candidate. Version 5.0.0 was never released publicly.
PowerDNS Recursor 5.0.0-rc2
Improvements and Bug Fixes
- Warn that disabling structured logging is now deprecated. Ref: #13567, pull request 13645
- Fix handling of RUNTIME_DIRECTORY and NOD dirs. Ref: #13588, #13612, pull request 13646
PowerDNS Recursor 5.0.0-rc1
Improvements and Bug Fixes
- Remove experimental warnings for YAML. Ref: pull request 13557
- Disallow (by answering Refused) RD=0 by default. Ref: #13386, pull request 13507
- Make syncres code clang-tidy. Ref: pull request 13434
- Introduce a setting to allow RPZ duplicates, including a dup handling fix. Ref: #12842, pull request 13501
- Update new b-root-server.net addresses in built-in hints. Ref: pull request 13387
- Change default of nsec3-max-iterations to 50. Ref: pull request 13478
- Warn if truncation occurred dumping the trace. Ref: pull request 13477
- A single NSEC3 record covering everything is a special case. Ref: #13542, pull request 13543
- Document outgoing query counts better, including a small fix. Ref: #13463, pull request 13511
- Take into account throttled queries when determining if we had a cache hit. Ref: #13483, pull request 13497
- Correctly apply outgoing.tcp_max_queries bound. Ref: #13467, pull request 13480
PowerDNS Recursor 5.0.0-beta1
Improvements and Bug Fixes
- Be more memory efficient handling RPZ updates. Ref: pull request 13462
- Change default of extended-resolution-errors setting to true. Ref: pull request 13464
- Move a few settings from recursor to outgoing section. Ref: pull request 13455
- For structured logging always log addresses including port. Ref: pull request 13446
- Teach configure to check for cargo version and require >= 1.64. Ref: pull request 13438
- Tidy cache and only copy values if non-expired entry was found. Ref: #12612, pull request 13410
- Add endbr64 instructions in the right spots for OpenBSD/amd64. Ref: #13430, pull request 13430, pull request 13432
- Handle stack memory on NetBSD as on OpenBSD (Tom Ivar Helbekkmo). Ref: pull request 13408
- Fix ubsan error: using a value of 80 for bool. Ref: pull request 13468
- Handle serve stale logic in getRootNXTrust(). Ref: #13383, pull request 13409
PowerDNS Recursor 5.0.0-alpha2
Improvements and Bug Fixes
- Convert API managed config from old style to YAML if YAML settings are active. Ref: #12679, #13233, pull request 13362
- If we miss glue–but not for all NS records–try to resolve the missing address records. Ref: pull request 13364
- Make QName Minimization parameters from RFC 9156 settable. Ref: pull request 13296
- Conform to RFC 2181 10.3: don’t allow NS records to point to aliases. Ref: pull request 13312
- Do not use Qname Minimization for infra-queries. Ref: #8646, pull request 13295
- Implement probabilistic un-throttle. Ref: pull request 13289
- Put files generated by settings/generate.py into tarball so package builds do not have to run it. Ref: pull request 13290
- Fix packetcache submit refresh task logic. Ref: #13266, pull request 13278
- Allow loglevel to be set to levels < 3. Ref: #13264, pull request 13277
- Move tcp-in processing to dedicated thread(s). Ref: #8394, pull request 13195
- If serving stale, wipe CNAME records from cache when we get a NODATA negative response for them. Ref: #12395, pull request 13353
- Fix Coverity 1522436 potential dereference of null return value. Ref: pull request 13363
- Fix log messages text and levels. Ref: pull request 13303, pull request 13311
- Fix sysconfdir handling in new settings code. Ref: #13259, pull request 13276
- Fix Coverity 1519054: Using invalid iterator. Ref: pull request 13250
PowerDNS Recursor 5.0.0-alpha1
Improvements and Bug Fixes
- Rewrite settings code, introducing YAML settings file, using Rust and generated code to implement YAML processing. Ref: pull request 13008
- Make aggressive cache pruning more effective and more fair. Ref: pull request 13209
- Remove make_tuple and make_pair (Rosen Penev). Ref: pull request 13208
- Rec: fix a few unused argument warnings (depending on features enabled). Ref: pull request 13190
- Change the default for building with net-snmp from auto to no. Ref: pull request 13168
- Channel: Make the blocking parameters of the object queue explicit. Ref: #13147, pull request 13155
- Do not assume the records are in a particular order when determining if an answer is NODATA. Ref: pull request 13102
- Document default for webserver-loglevel (Frank Louwers). Ref: pull request 13111
- Remove unused sysv init files. Ref: pull request 13087
- Fixes a few performance issues reported by Coverity. Ref: pull request 13092
- Highlight why regression tests failed with github annotation (Josh Soref). Ref: pull request 13074
- Switch from deprecated ::set-output (Josh Soref). Ref: pull request 13073
- Use backticks in rec_control(1) (Josh Soref). Ref: pull request 13067
- Clarify why bulktest is failing (Josh Soref). Ref: pull request 13068
- Set TTL in getFakePTRRecords. Ref: #13011, pull request 13043
- Update settings.rst – clarify edns-subnet-allow-list (Seth Arnold). Ref: pull request 13032
- Dnsheader: Switch from bitfield to uint16_t whenever possible. Ref: pull request 13026
- Clarify log message for NODATA/NXDOMAIN without AA (Håkan Lindqvist). Ref: pull request 12805
- Use arc4random only for random values. Ref: pull request 12913, pull request 12931, pull request 12999, pull request 13001, pull request 13022, pull request 13175, pull request 15197
- Update base Debian version in Docker docs (Italo Cunha). Ref: pull request 12851
- Delint pdns_recursor.cc. Ref: pull request 12917
- Include qname when logging skip of step 4 of qname minimization (Doug Freed). Ref: pull request 12957
- Fix a set of move optimizations, as suggested by Coverity. Ref: pull request 12952
- Silence Coverity 1462719 Unchecked return value from library. Ref: pull request 12934
- Fix compile warnings. Ref: pull request 12930
- Dns random: add method to get full 32-bits of randomness. Ref: pull request 12913
- Reformat and delint arguments.cc and arguments.hh. Ref: pull request 12808
- Remove Before=nss-lookup.target line from unit file. Ref: pull request 13210
- TCPIOHandler: Fix a race when creating the first TLS connections. Ref: pull request 13167
- Rec: Include cstdint in mtasker_ucontext.cc, noted by @zeha. Ref: pull request 13174