-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi everybody,
version 3.5 of the PowerDNS Recursor is now available from
https://www.powerdns.com/downloads.html
Kees Monshouwer provides native RHEL5/6 packages at
http://www.monshouwer.eu/download/3rd_party/pdns-recursor/
Full release notes, with clickable links, are available from:
http://doc.powerdns.com/changelog.html#changelog-recursor-3-5
3.5 is the best version of the PowerDNS Recursor currently available, and we
recommend upgrading to it.
Here is a text-only version:
This is a stability, security and bugfix update to 3.3/3.3.1. It contains
important fixes for slightly broken domain names, which your users expect to
work anyhow.
Note: Because a semi-sanctioned 3.4-pre was distributed for a long time, and
people have come to call that 3.4, we are skipping an actual 3.4 release
to avoid confusion.
Changes between RC5 and the final 3.5 release:
* Winfried Angele reported that restarting a very busy recursor could lead to
crashes. Fixed in r3153, closing ticket 735.
Changes between RC4 and RC5:
* Bernd-René Predota of Liberty Global reported that Recursor 3.3 would treat
empty non-AA NOERROR responses as authoritative NXDATA responses. This bug
turned out to be in 3.5-RC4 too. Fixed in r3146, related to ticket 731.
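
Added example (not PowerDNS code and not part of the original announcement): a C illustration of the distinction behind the fix above, in which an empty NOERROR response counts as an authoritative no-data ("NXDATA") answer only when the AA bit is set. The enum, the function names and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts for a DNS response, judged from the RFC 1035 header alone. */
enum verdict { V_MALFORMED, V_ERROR, V_NXDOMAIN, V_ANSWER, V_NODATA, V_NONAUTH_EMPTY };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum verdict classify_response(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 12) return V_MALFORMED;   /* header is 12 bytes */
    uint16_t flags = be16(pkt + 2);
    if (!(flags & 0x8000)) return V_MALFORMED;         /* QR clear: a query */
    unsigned rcode = flags & 0x000F;
    if (rcode == 3) return V_NXDOMAIN;
    if (rcode != 0) return V_ERROR;                    /* SERVFAIL, REFUSED, ... */
    if (be16(pkt + 6) > 0) return V_ANSWER;            /* ANCOUNT */
    /* Empty NOERROR: only the AA bit makes it an authoritative "no data". */
    return (flags & 0x0400) ? V_NODATA : V_NONAUTH_EMPTY;
}

/* NXDOMAIN and AA-marked NODATA are negative answers; a non-AA empty
 * reply (referral, lame server) is not and must not be cached as one. */
int may_negative_cache(enum verdict v) { return v == V_NXDOMAIN || v == V_NODATA; }

/* Constructed sample headers: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT. */
const uint8_t SAMPLE_AUTH_NODATA[12]   = {0x12,0x34, 0x84,0x00, 0,1, 0,0, 0,1, 0,0};
const uint8_t SAMPLE_NONAUTH_EMPTY[12] = {0x12,0x35, 0x80,0x00, 0,1, 0,0, 0,0, 0,0};
const uint8_t SAMPLE_AUTH_ANSWER[12]   = {0x12,0x36, 0x84,0x00, 0,1, 0,1, 0,0, 0,0};
const uint8_t SAMPLE_NXDOMAIN[12]      = {0x12,0x37, 0x84,0x03, 0,1, 0,0, 0,1, 0,0};

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_AUTH_NODATA, SAMPLE_NONAUTH_EMPTY,
                                 SAMPLE_AUTH_ANSWER, SAMPLE_NXDOMAIN };
    for (size_t i = 0; i < 4; i++) {
        enum verdict v = classify_response(samples[i], 12);
        printf("sample %zu: verdict=%d negative-cacheable=%d\n",
               i, (int)v, may_negative_cache(v));
    }
    return 0;
}
```
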
Changes between RC3 (unreleased) and RC4:
* Winfried Angele spotted, even before release, that r3132 in RC3 broke
outgoing IPv6 queries. We are grateful for his attention to detail! Fixed
in r3141.
Changes between RC2 and RC3 (unreleased):
* Use private temp dir when running under systemd, thanks Morten Stevens and
Ruben Kerkhof. Change in r3105.
* NSD mistakenly compresses labels for RP and other types, violating a MUST
in RFC 3597. Recursor does not decompress these labels, violating a SHOULD
in RFC 3597. We now decompress these labels, and reportedly NSD will stop
compressing them. Reported by Jan-Piet Mens, fixed in r3109.
* When forwarding to another recursor, we would handle responses to ANY
queries incorrectly. Spotted by Jan-Piet Mens, fixed in r3116, closes
ticket 704.
* Our local-nets definition (used as a default for some settings) now
includes the networks from RFC 3927 and RFC 6598. Reported by Maik
Zumstrull, fixed in r3122.
* The RC1 change to stop using ANY queries to get A+AAAA for name servers in
one go had a 5% performance impact. This impact is corrected in r3132.
Thanks to Winfried Angele for measuring and reporting this. Closes ticket
710.
* New command 'rec_control dump-nsspeeds' will dump our NS speeds (latency)
cache. Code in r3131.
Changes between RC1 and RC2:
* While Recursor 3.3 was not vulnerable to the specific attack noted in
'Ghost Domain Names: Revoked Yet Still Resolvable', further investigation
showed that a variant of the attack could work. This was fixed in r3085.
This should also close the slightly bogus CVE-2012-1193. Closes ticket 668.
* The auth-can-lower-ttl flag was removed, as it did not have any effect in
most situations, and thus did not operate as advertised. We now always
comply with the related parts of RFC 2181. Change in r3092, closing ticket
88.
Changes below are in RC1 (and up).
New features:
* The local zone server now understands wildcards, code in commit 2062.
* The Lua postresolve and nodata hooks, which had been distributed as a
'3.3-hooks' snapshot earlier, have been merged. Code in commit 2309.
* A new feature, rec_control trace-regex, allows the tracing of lookups for
specific names. Code in commit 3044, commit 3073.
* A new setting, export-etc-hosts-suffix, adds a configurable suffix to names
imported from /etc/hosts. Code in commit 2544, commit 2545.
Improvements:
* We now throttle queries that don't work less aggressively, code in commit
1766.
* Various improvements in tolerance against broken auths, code in commit
1996, commit 2188, commit 3074 (thanks Winfried).
* Additional processing is now optional, and disabled by default. Presumably
this yields a performance improvement. Change in commit 2542.
* rec_control reload-lua-script now reports errors. Code in commit 2627,
closing ticket 278.
* rec_control help now lists commands. Code in commit 2628.
* rec_control wipe-cache now also wipes the recursor's packet cache. Code in
commit 2880 from ticket 333.
* Morten Stevens contributed a systemd file. Import in commit 2966, now part
of the recursor tarball.
* commit 2990 updates the address of D.root-servers.net.
* Winfried Angele implemented and documented the ipv6-questions metric. Merge
in commit 3034, closing ticket 619.
* We no longer use ANY to get A+AAAA for nameservers, because some auth
operators have decided to break ANY lookups. As a bonus, we now track v4
and v6 latency separately. Change in commit 3064.
Bugs fixed:
* Some unaligned memory accesses, which would cause problems on UltraSPARC,
were corrected. Code in commit 2060, commit 2122, commit 2123.
* Garbage encountered during reload-acls could cause crashes. Fixed in commit
2323, closing ticket 330.
* The recursor would lose its root hints in a very rare situation. Corrected
in commit 2380.
* We did not always drop supplemental groups while dropping privileges.
Reported by David Black of Atlassian, fixed in commit 2524.
* Cache aging would sometimes get confused when we had a mix of expired and
non-expired records in cache. Spotted and fixed by Winfried Angele in
commit 3068, closing ticket 438.
* rec_control reload-acl no longer ignores arguments. Fix in commit 3037,
closing ticket 490.
* Since we re-parse our commandline in rec_control we've been doubling the
commands on the commandline, causing weird output. Reported by Winfried
Angele. Fixed in commit 2992, closing ticket 618. This issue was not
present in any officially released versions.
* commit 2879 drops some spurious stderr logging from Lua scripts, and makes
sure 'place' is always valid.
* We would sometimes refuse to resolve domains with just one nameserver
living at the apex. Fixed in commit 2817.
* We would sometimes stick RRs in the wrong parts of response packets. Fixed
in commit 2625.
* The ACL parser was too liberal, sometimes causing recursors to be very
open. Fixed in commit 2629, closing ticket 331.
* rec_control now honours socket-dir from recursor.conf. Fixed in commit
2630.
* When traversing CNAME chains, sometimes we would end up with multiple SOAs
in the result. Fixed in commit 2633.
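
Added example (not PowerDNS code and not part of the original announcement): a C illustration of the privilege-drop ordering relevant to the supplemental-groups item in the list above, clearing supplementary groups before changing gid and uid and then verifying the result. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the list holds any group other than `allowed`. */
int has_extra_groups(const gid_t *groups, int n, gid_t allowed)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != allowed) return 1;
    return 0;
}

/* Drop from root to uid/gid. Order matters: supplementary groups and the
 * gid must go while we still have the privilege to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t left[64];
    if (setgroups(0, NULL) != 0) return -1;    /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify instead of trusting the return codes alone. */
    int n = getgroups(64, left);
    if (n < 0 || has_extra_groups(left, n, gid)) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* regaining root must fail */
    return 0;
}

int main(void)
{
    /* 65534 is an assumed unprivileged uid/gid (often "nobody"). */
    if (geteuid() != 0) { puts("not root: nothing to drop"); return 0; }
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    puts("privileges dropped, no supplementary groups left");
    return 0;
}
```
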
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----