Software Update: PowerDNS Recursor 4.0.6


PowerDNS is a DNS server that uses a database as its backend, which makes it easy to manage a large number of DNS entries. The developers previously decided to release the two parts that make up PowerDNS, a recursor and an authoritative name server, separately, which they say allows faster and more targeted releases.

When you do a DNS lookup, a recursor starts by putting the question to a DNS root server. That server can refer it to other servers, which can in turn refer it to still others, until it reaches a server that either knows the answer or knows that the lookup cannot succeed. The latter can be the case if the name does not exist or the servers do not respond. This process of working through different authoritative servers is called recursion. The developers have released PowerDNS Recursor 4.0.6. The changes in this release are as follows:

PowerDNS Recursor 4.0.6 released!

This release features a fix for the ed25519 verifier. This verifier hashed the message before verifying, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes. Note that this release changes use-incoming-edns-subnet to disabled by default.

The full changelog looks like this:

Bug fixes

  • Use the incoming ECS for cache lookup if use-incoming-edns-subnet is set
  • when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.
  • Don’t take the initial ECS source for a scope one if EDNS is off
  • also set d_requestor without Lua: the ECS logic needs it
  • Fix IXFR skipping the additions part of the last sequence
  • Treat requestor’s payload size lower than 512 as equal to 512
  • make URI integers 16 bits, fixes ticket #5443
  • unbreak quote; fixes ticket #5401

Improvements

  • with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
  • Remove just enough entries from the cache, not one more than asked
  • Move expired cache entries to the front so they are expunged
  • changed IPv6 addr of b.root-servers.net
  • e.root-servers.net has IPv6 now
  • hello decaf signers (ED25519 and ED448)
      Testing algorithm 15: 'Decaf ED25519' ->'Decaf ED25519' -> 'Decaf ED25519' Signature & verify ok, signature 68usec, verify 93usec
      Testing algorithm 16: 'Decaf ED448' ->'Decaf ED448' -> 'Decaf ED448' Signature & verify ok, signature 163usec, verify 252usec
  • don’t use the libdecaf ed25519 signer when libsodium is enabled
  • do not hash the message in the ed25519 signer
  • Disable use-incoming-edns-subnet by default
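
The ed25519 verifier fix described in the release notes and the "do not hash the message in the ed25519 signer" entry above concern the same class of defect. The following is an added example, not PowerDNS code: it uses Go's standard crypto/ed25519 to show that a signer and a verifier that both pre-hash agree with each other while failing against compliant implementations. The seed, the message, the function names and the choice of SHA-512 as the pre-hash are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// Constructed sample input: a fixed seed and a stand-in for the data an
// RRSIG covers. Neither value comes from the PowerDNS code base.
var (
	seed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	msg  = []byte("constructed signed data: RRSIG RDATA | RRset")
)

// prehash models the defect: the message is digested before it reaches
// Ed25519. SHA-512 is an assumption; the page does not name the hash.
func prehash(m []byte) []byte {
	h := sha512.Sum512(m)
	return h[:]
}

// Pure Ed25519 (RFC 8032): the raw message is passed in unchanged.
func signPure(k ed25519.PrivateKey, m []byte) []byte   { return ed25519.Sign(k, m) }
func verifyPure(p ed25519.PublicKey, m, s []byte) bool { return ed25519.Verify(p, m, s) }

// Defective variants (hypothetical names) that hash the message first.
func signHashed(k ed25519.PrivateKey, m []byte) []byte   { return ed25519.Sign(k, prehash(m)) }
func verifyHashed(p ed25519.PublicKey, m, s []byte) bool { return ed25519.Verify(p, prehash(m), s) }

// Matrix returns the verification result for each signer/verifier pairing,
// in the order pure/pure, pure/hashed, hashed/pure, hashed/hashed.
func Matrix() [4]bool {
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	good, bad := signPure(priv, msg), signHashed(priv, msg)
	return [4]bool{
		verifyPure(pub, msg, good),   // interoperable case
		verifyHashed(pub, msg, good), // valid signature rejected by the defective verifier
		verifyPure(pub, msg, bad),    // defective signer's output rejected by everyone else
		verifyHashed(pub, msg, bad),  // both wrong in the same way: round trip passes
	}
}

func main() {
	fmt.Printf("pure/pure, pure/hashed, hashed/pure, hashed/hashed: %v\n", Matrix())
}
```

The last pairing is why a sign-then-verify self-test inside one code base cannot catch this defect; a known-answer test against published Ed25519 vectors or signatures from an independent implementation can.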

Tarball is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.

Version number: 4.0.6
Release status: Final
Operating systems: Linux, BSD, macOS, Solaris, UNIX
Website: PowerDNS
License type: GPL