Quantcast
Channel: BOT24
Viewing all articles
Browse latest Browse all 8064

Recursor 3.5 is now available!

$
0
0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

version 3.5 of the PowerDNS Recursor is now available from
https://www.powerdns.com/downloads.html

Kees Monshouwer provides native RHEL5/6 packages at
http://www.monshouwer.eu/download/3rd_party/pdns-recursor/

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/changelog.html#changelog-recursor-3-5

3.5 is the best version of the PowerDNS Recursor currently available, and we
recommend upgrading to it.

Here is a text-only version:

This is a stability, security and bugfix update to 3.3/3.3.1. It contains
important fixes for slightly broken domain names, which your users expect to
work anyhow.

[Note] Note
       Because a semi-sanctioned 3.4-pre was distributed for a long time, and
       people have come to call that 3.4, we are skipping an actual 3.4 release
       to avoid confusion.

Changes between RC5 and the final 3.5 release:

  * Winfried Angele reported that restarting a very busy recursor could lead to
    crashes. Fixed in r3153, closing ticket 735.

Changes between RC4 and RC5:

  * Bernd-René Predota of Liberty Global reported that Recursor 3.3 would treat
    empty non-AA NOERROR responses as authoritative NXDATA responses. This bug
    turned out to be in 3.5-RC4 too. Fixed in r3146, related to ticket 731.

Changes between RC3 (unreleased) and RC4:

  * Winfried Angele spotted, even before release, that r3132 in RC3 broke
    outgoing IPv6 queries. We are grateful for his attention to detail! Fixed
    in r3141.

Changes between RC2 and RC3 (unreleased):

  * Use private temp dir when running under systemd, thanks Morten Stevens and
    Ruben Kerkhof. Change in r3105.

  * NSD mistakenly compresses labels for RP and other types, violating a MUST
    in RFC 3597. Recursor does not decompress these labels, violating a SHOULD
    in RF3597. We now decompress these labels, and reportedly NSD will stop
    compressing them. Reported by Jan-Piet Mens, fixed in r3109.

  * When forwarding to another recursor, we would handle responses to ANY
    queries incorrectly. Spotted by Jan-Piet Mens, fixed in r3116, closes
    ticket 704.

  * Our local-nets definition (used as a default for some settings) now
    includes the networks from RFC 3927 and RFC 6598. Reported by Maik
    Zumstrull, fixed in r3122.

  * The RC1 change to stop using ANY queries to get A+AAAA for name servers in
    one go had a 5% performance impact. This impact is corrected in r3132.
    Thanks to Winfried Angele for measuring and reporting this. Closees ticket
    710.

  * New command 'rec_control dump-nsspeeds' will dump our NS speeds (latency)
    cache. Code in r3131.

Changes between RC1 and RC2:

  * While Recursor 3.3 was not vulnerable to the specific attack noted in
    'Ghost Domain Names: Revoked Yet Still Resolvable', further investigation
    showed that a variant of the attack could work. This was fixed in r3085.
    This should also close the slightly bogus CVE-2012-1193. Closes ticket 668.

  * The auth-can-lower-ttl flag was removed, as it did not have any effect in
    most situations, and thus did not operate as advertised. We now always
    comply with the related parts of RFC 2181. Change in r3092, closing ticket
    88.

Changes below are in RC1 (and up).

New features:

  * The local zone server now understands wilcards, code in commit 2062.

  * The Lua postresolve and nodata hooks, that had been distributed as a
    '3.3-hooks' snapshot earlier, have been merged. Code in commit 2309.

  * A new feature, rec_control trace-regex allows the tracing of lookups for
    specific names. Code in commit 3044, commit 3073.

  * A new setting, export-etc-hosts-suffix, adds a configurable suffix to names
    imported from /etc/hosts. Code in commit 2544, commit 2545.

Improvements:

  * We now throttle queries that don't work less agressively, code in commit
    1766.

  * Various improvements in tolerance against broken auths, code in commit 1996
    , commit 2188, commit 3074 (thanks Winfried).

  * Additional processing is now optional, and disabled by default. Presumably
    this yields a performance improvement. Change in commit 2542.

  * rec_control reload-lua-script now reports errors. Code in commit 2627,
    closing ticket 278.

  * rec_control help now lists commands. Code in commit 2628.

  * rec_control wipe-cache now also wipes the recursor's packet cache. Code in
    commit 2880 from ticket 333.

  * Morten Stevens contributed a systemd file. Import in commit 2966, now part
    of the recursor tarball.

  * commit 2990 updates the address of D.root-servers.net.

  * Winfried Angele implemented and documented the ipv6-questions metric. Merge
    in commit 3034, closing ticket 619.

  * We no longer use ANY to get A+AAAA for nameservers, because some auth
    operators have decided to break ANY lookups. As a bonus, we now track v4
    and v6 latency separately. Change in commit 3064.

Bugs fixed:

  * Some unaligned memory access was corrected, code in commit 2060, commit
    2122, commit 2123, which would cause problems on UltraSPARC.

  * Garbage encountered during reload-acls could cause crashes. Fixed in commit
    2323, closing ticket 330.

  * The recursor would lose its root hints in a very rare situation. Corrected
    in commit 2380.

  * We did not always drop supplemental groups while dropping privileges.
    Reported by David Black of Atlassian, fixed in commit 2524.

  * Cache aging would sometimes get confused when we had a mix of expired and
    non-expired records in cache. Spotted and fixed by Winfried Angele in
    commit 3068, closing ticket 438.

  * rec_control reload-acl no longer ignores arguments. Fix in commit 3037,
    closing ticket 490.

  * Since we re-parse our commandline in rec_control we've been doubling the
    commands on the commandline, causing weird output. Reported by Winfried
    Angele. Fixed in commit 2992, closing ticket 618. This issue was not
    present in any officially released versions.

  * commit 2879 drops some spurious stderr logging from Lua scripts, and makes
    sure 'place' is always valid.

  * We would sometimes refuse to resolve domains with just one nameserver
    living at the apex. Fixed in commit 2817.

  * We would sometimes stick RRs in the wrong parts of response packets. Fixed
    in commit 2625.

  * The ACL parser was too liberal, sometimes causing recursors to be very
    open. Fixed in commit 2629, closing ticket 331.

  * rec_control now honours socket-dir from recursor.conf. Fixed in commit 2630
    .

  * When traversing CNAME chains, sometimes we would end up with multiple SOAs
    in the result. Fixed in commit 2633.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJRa8ibAAoJENz1E/p+7Rnz1GgQAK/47oeP3XtMyb0zJN4eqk/5
XcWjM0129kltmDqtJy3GTXAAGZCwmHMNaT4E7TFuaFqr+b7Iqj/QJzY17augOvIH
/I6AsXOSrnYofKdwnwM9SDlorJ4xnfc6AMF6KMLUlxndDWoupcHNDKIMH4SV7AdW
DHxc888bBqyC326VR+7Jh3d083W5+TUvctPKeZrSayuXVhdu6ZTNJSlBJ/H5hasV
H73AzRdogQvSALjCY/SKuvBcX6WPZhoJcSSf/gkLaxF6BxTibtQVyYzFfP3E7RZ4
XnWVKZeFs3+yyvLbCJnxe9sIhVSNEA2JNxKZK4crBfVM8eArlSHxMqG6JzBpVu+B
AIDgrJy+qRLCeD+ekTUrcA/ePNuotKkWD77NZE1fPZt1uYEiwzpxdgBYcHBXEno9
9VBrSoU7AePD7zgcHLCvpwEjL9xvLZFciPqHzi4yxKPp746rj12OhPS5wvHlNzTR
WGg+oGuxfB79SeuY1BJ46DQTPlXJSEGTctN2SNVvwpjmLukwcPHQbTUqisBANnMW
QpiLYzEvLbnsQQNp3spkw+cQ/hhdh9C20uaOna8qIlXE0AVy5TD9wY/xBzgWvHKa
3dK/YJ02M2xKgXzA5eP4eW0cR2/UhJ2hruIhooghQslycKhMu+OxMEb4k5uiKiZS
4Gj7OH5hABOEaa8gjSs/
=S/r3
-----END PGP SIGNATURE-----

Viewing all articles
Browse latest Browse all 8064

Trending Articles