Software Update: PowerDNS Recursor 4.0.4 / 3.7.4


PowerDNS is a DNS server with a database as back end, which makes it easy to manage a large number of DNS entries. The developers previously decided to release the two parts that make up PowerDNS, a recursor and an authoritative name server, separately. According to the developers, this allows new versions to be released faster and in a more targeted way.

When you do a DNS lookup, a recursor starts by putting the question to a DNS root server. That server can refer it to other servers, which can in turn refer it to further servers, and so on, until a server is reached that knows the answer or knows that the lookup is not possible. The latter can be the case if the name does not exist or the servers do not respond. This process of working through different authoritative servers is called recursion. The developers have released PowerDNS Recursor 4.0.4 and 3.7.4. The changes in these releases are as follows:

PowerDNS Recursor 4.0.4

The 4.0.4 version of the PowerDNS Recursor fixes PowerDNS Security Advisories 2016-02 and 2016-04.

Bug fixes

  • commit 658d9e4: Check TSIG signature on IXFR (Security Advisory 2016-04)
  • commit 91acd82: Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • commit 400e28d: Fix incorrect length check in DNSName when extracting qtype or qclass
  • commit 2168188: rec: Wait until after daemonizing to start the RPZ and protobuf threads
  • commit 3beb3b2: On (re-)priming, fetch the root NS records
  • commit cfeb109: rec: Fix src/dest inversion in the protobuf message for TCP queries
  • commit 46a6666: NSEC3 optout and Bogus insecure forward fixes
  • commit bb437d4: On RPZ customPolicy, follow the resulting CNAME
  • commit 6b5a8f3: DNSSEC: don’t go bogus on zero configured DSs
  • commit 1fa6e1b: Don’t crash on an empty query ring
  • commit bfb7e5d: Set the result to NoError before calling preresolve

Additions and Enhancements

  • commit 7c3398a: Add max-recursion-depth to limit the number of internal recursion
  • commit 3d59c6f: Fix building with ECDSA support disabled in libcrypto
  • commit 0170a3b: Add requestorId and some comments to the protobuf definition file
  • commit d8cd67b: Make the negcache forwarded zones aware
  • commit 46ccbd6: Cache records for zones that were delegated to from a forwarded zone
  • commit 5aa64e6, commit 5f4242e and commit 0f707cd: DNSSEC: Implement keysearch based on zone-cuts
  • commit ddf6fa5: rec: Add support for boost::context >= 1.61
  • commit bb6bd6e: Add getRecursorThreadId() to Lua, identifying the current thread
  • commit d8baf17: Handle CNAMEs at the apex of secure zones to other secure zones
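The referral-following process described in the introduction, sketched as an added example that is not PowerDNS code. The server names, the delegation data and the `max_depth` parameter are constructed for illustration; `max_depth` counts referral steps in this toy model and only mirrors the idea behind the max-recursion-depth entry above, not how the Recursor implements it.

```python
# Constructed delegation tree (not real DNS data). Each entry is one
# authoritative server: the records it holds and the zones it delegates.
def srv(records=None, delegations=None, up=True):
    return {"records": records or {}, "delegations": delegations or {}, "up": up}

SERVERS = {
    "root":    srv(delegations={"test.": ["tld-ns"]}),
    "tld-ns":  srv(delegations={"corp.test.": ["corp-ns"],
                                "dead.test.": ["dead-ns"],
                                "loop.test.": ["loop-ns"]}),
    "corp-ns": srv(records={"www.corp.test.": "192.0.2.10"}),
    "dead-ns": srv(up=False),                                 # never responds
    "loop-ns": srv(delegations={"loop.test.": ["loop-ns"]}),  # refers to itself
}

def query(server, name):
    """One question to one authoritative server."""
    s = SERVERS[server]
    if not s["up"]:
        return "timeout", None
    if name in s["records"]:
        return "answer", s["records"][name]
    # Longest matching delegated zone wins.
    cuts = [z for z in s["delegations"] if name == z or name.endswith("." + z)]
    if cuts:
        return "referral", s["delegations"][max(cuts, key=len)]
    return "nxdomain", None

def resolve(name, max_depth=8):
    """Follow referrals from the root; returns (outcome, servers_asked)."""
    servers, path = ["root"], []
    for _ in range(max_depth):          # hypothetical bound on referral steps
        for server in servers:
            kind, data = query(server, name)
            if kind != "timeout":
                break
        else:                           # every candidate server timed out
            return "SERVFAIL: no server responded", path
        path.append(server)
        if kind == "answer":
            return data, path
        if kind == "nxdomain":
            return "NXDOMAIN", path
        servers = data                  # referral: descend one level
    return "SERVFAIL: depth limit reached", path
```

Without the bound, the self-referring `loop-ns` delegation would keep the resolver working on a single query indefinitely.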

PowerDNS Recursor 3.7.4

This release fixes PowerDNS Security Advisory 2016-02.

Changes since 3.7.3:

  • commit 8c82b5d: Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • commit 85243e0: Add some sanity checking to rec_control wipe-cache
  • commit 3d11d9f: recursor: Require = in forward zones (Aki Tuomi)
  • commit 2b94bb4: recursor: when replacing an expired entry, move it to the back
  • commit 0cca616: add lowercase-outgoing flag
  • commit 24ef6ea: devpollmplexer is leaky (Josef ‘Jeff’ Sipek)
  • commit d2d4926: EMFILE (out of file descriptors, too many open files) was reported as an error that could be blamed on the remote nameserver instead of on the OS, causing throttle actions.
  • commit fd4871c: Improve file descriptor requesting code
  • commit 9a39e6d: devpollmplexer doesn’t compile due to missing sigset_t (Josef ‘Jeff’ Sipek)
  • commit 3b05796: Update root hints for h.root-servers.net
  • commit ef49a7c: Port the 0x20 hashing to 3.7.3
  • commit 7486add and commit d4a96ba: Update YaHTTP (Aki Tuomi)

Version number: 4.0.4 / 3.7.4
Release status: Final
Operating systems: Linux, BSD, macOS, Solaris, UNIX
Website: PowerDNS
License type: GPL