pdns-recursor-5.0.5-1.1 RPM for x86_64

From openSUSE Tumbleweed for x86_64

Name: pdns-recursor
Distribution: openSUSE Tumbleweed
Version: 5.0.5
Vendor: openSUSE
Release: 1.1
Build date: Sat May 25 11:17:04 2024
Group: Productivity/Networking/DNS/Servers
Build host: reproducible
Size: 10783289
Source RPM: pdns-recursor-5.0.5-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://www.powerdns.com/
Summary: Modern, advanced and high performance recursing/non authoritative nameserver

PowerDNS Recursor is a non authoritative/recursing DNS server. Use this
package if you need a DNS cache for your network.


Authors:
--------
    http://www.powerdns.com

Provides

Requires

License

GPL-2.0-or-later

Changelog

* Sat May 25 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 5.0.5:
    * Do not count RRSIGs using unsupported algorithms toward RRSIGs
      limit
    * Correctly count NSEC3s considered when chasing the closest
      encloser.
    * Let NetmaskGroup parse dont-throttle-netmasks, allowing
      negations.
    * Fix types of two YAML settings (incoming.edns_padding_from,
      incoming.proxy_protocol_from) that should be sequences of
      subnets
    * Fix trace=fail regression and add regression test for it
* Wed Apr 24 2024 Adam Majer <adam.majer@suse.de>
  - update to 5.0.4:
    * fixes a case when crafted responses can lead to a denial of
      service in Recursor if recursive forwarding is configured
      (bsc#1223262, CVE-2024-25583)
  - changes in 5.0.3
    * Log if a DNSSEC related limit was hit if log_bogus is set
    * Reduce RPZ memory usage by not keeping the initially loaded
      RPZs in memory
    * Fix the zoneToCache regression introduced by 5.0.2 security
      update
* Tue Feb 13 2024 Adam Majer <adam.majer@suse.de>
  - update to 5.0.2
    * fixes crafted DNSSEC records in a zone can lead to a denial
      of service in Recursor
    https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
    (bsc#1219823, bsc#1219826, CVE-2023-50387, CVE-2023-50868)
* Fri Feb 09 2024 Adam Majer <adam.majer@suse.de> 5.0.1
  - update to 5.0.1
    https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.1
    For upgrade from 4.9.x, see
    https://doc.powerdns.com/recursor/upgrade.html#to-5-0-0-and-master
  - cargo_build_fix.patch: add cargo_build parameters to Makefile...
* Fri Aug 25 2023 Adam Majer <adam.majer@suse.de> 4.9.1
  - update to 4.9.1
    * The setting of policy tags for packet cache hits has been fixed.
      Previously, packet cache hits would not contain policy tags set in
      the Lua gettags(-ffi) intercept functions.
    * The retrieval of RPZ zones could fail in situations where a read of
      the chunk length from the IXFR TCP stream would produce an
      incomplete result.
  - enable DNS-over-TLS (DoT) via OpenSSL
    For complete list of changes, see
    https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.1
    For upgrades since 4.8.x and earlier, see
    https://doc.powerdns.com/recursor/upgrade.html
* Tue Apr 04 2023 Adam Majer <adam.majer@suse.de>
  - update to 4.8.4
    * Deterred spoofing attempts can lead to authoritative servers
      being marked unavailable (bsc#1209897, CVE-2023-26437)
* Tue Mar 07 2023 Adam Majer <adam.majer@suse.de> 4.8.3
  - update to 4.8.3
    * Fix serve-stale logic to not cause intermittent high CPU load by:
      + correcting the removal of a negative cache entry,
      + correcting the serve-stale main loop regarding exception handling,
      + correctly handle negcache entries with serve-stale status.
  - changes in version 4.8.2
    * Make cache cleaning of record and negative cache more fair
    * Do not report “not decreasing socket buf size” as an error
    * Do not use “message” as key, it has a special meaning to systemd-journal
    * Add the ‘parse packet from auth’ error message to structured logging
    * Refresh of negcache stale entry might use wrong qtype
    * Do not chain ECS enabled queries
    * Properly encode json string containing binary data
* Fri Jan 20 2023 Adam Majer <adam.majer@suse.de>
  - update to 4.8.1
    * Avoid unbounded recursion when retrieving DS records from some
      misconfigured domains. (bsc#1207342, CVE-2023-22617)
* Mon Dec 12 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.8.0 with these major changes:
    * Structured Logging has been implemented for almost all
      subsystems.
    * Optional Serve Stale functionality has been implemented,
      providing resilience against connectivity problems towards
      authoritative servers.
    * Optional Record Locking has been implemented, providing an extra
      layer of protection against spoofing attempts at the price of
      reduced cache efficiency.
    * Internal tables used to track information about authoritative
      servers are now shared instead of per-thread, resulting in
      better performance and lower memory usage.
    * EDNS padding of outgoing DoT queries has been implemented,
      providing better privacy protection.
    * Metrics have been added about the protobuf and dnstap logging
      subsystems and the rcodes received from authoritative
      servers.
* Fri Nov 25 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.7.4
    * Fix compilation of the event ports multiplexer. #12046, PR#12231
    * Correct skip record condition in processRecords. #12198, PR#12230
    * Also consider recursive forward in the “forwarded DS should not end up in negCache code.” #12189, #12199, PR#12227
    * Timeout handling for IXFRs as a client. #12125, PR#12190
    * Detect invalid bytes in makeBytesFromHex(). #12066, PR#12173
    * Log invalid RPZ content when obtained via IXFR. #12081, PR#12171
    * When an expired NSEC3 entry is seen, move it to the front of the expiry queue. #12038, PR#12168
* Tue Sep 20 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.7.3
    * Improvements
    - For zones having many NS records, we are not interested in all so take a sample. #11904, PR#11936
    - Also check qperq limit if throttling happened, as it increases counters. #11848, PR#11897
    * Bug Fixes
    - Failure to retrieve DNSKEYs of an Insecure zone should not be fatal. #11890, PR#11940
    - Fix recursor not responsive after Lua config reload. #11850, PR#11879
    - Clear the caches after loading authzones. #11843, PR#11847
    - Resize answer length to actual received length in udpQueryResponse. #11773, PR#11774
* Wed Aug 24 2022 Adam Majer <adam.majer@suse.de>
  - Bump requires to newer Boost, effectively disabling support for SLE-12
* Tue Aug 23 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.7.2
    * incomplete exception handling related to protobuf message generation.
      (CVE-2022-37428, bsc#1202664)
* Fri Jul 08 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.7.1
    * Improvements
    - Allow generic format while parsing zone files for ZoneToCache.
      References: #11724, #11726, pull request 11750
    - Force gzip compression for debian packages (Zash). #11735, PR#11740
    * Bug Fixes
    - Run tasks from housekeeping thread in the proper way, causing queued
      DoT probes to run more promptly. #11692, PR#11748
* Mon May 30 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.7.0
    * A configurable way of adding Additional records to answers sent
      to the client, so the client does not have to ask for these
      records.
    * The step sizes for Query Minimization are now computed following the
      guidelines in RFC 9156.
    * The Recursor now schedules tasks to resolve IPv6 addresses of name
      servers not learned by glue records. This has the consequence that,
      if applicable, name servers will be contacted over IPv6 more often.
    * An experimental implementation of unilateral DoT probing. This
      allows the Recursor to learn if an authoritative server supports
      DoT.
    * Recursor has gained a way to fall back to the parent NS set if
      contacting servers in the child NS set does not lead to an answer.
      This works around some broken authoritative servers configurations.
    * ZONEMD validation of the zones retrieved by the Zone to Cache,
      providing integrity guarantees for the zone retrieved.
    * The table recording round trip times of authoritative server IP
      addresses is now shared between threads to make it more effective
      and to reduce its memory footprint.
    * A Lua FFI hook for post-resolve interception: postresolve_ffi,
      providing a very fast way to do post-resolve Lua scripting.
* Mon Apr 04 2022 Michael Ströder <michael@stroeder.com>
  - update to 4.6.2
    * Improvements
    - Allow disabling of processing the root hints.
    - References: #11283, pull request 11360
    - Log an error if pdns.DROP is used as rcode in Lua callbacks.
    - References: #11288, pull request 11361
    - A CNAME answer on DS query should abort DS retrieval.
    - References: #11245, pull request 11358
    - Reject non-apex NSEC(3)s that have both the NS and SOA bits set.
    - References: #11225, pull request 11357
    - Fix build with OpenSSL 3.0.0.
    - References: pull request 11260
    - Shorter thread names.
    - References: #11137, pull request 11170
    - Two more features to print (DoT and scrypt).
    - References: #11109, pull request 11169
    * Bug Fixes
    - Be more careful using refresh mode only for the record asked.
    - References: #11371, pull request 11418
    - Use the Lua context stored in SyncRes when calling hooks.
    - References: #11300, pull request 11380
    - QType ADDR is supposed to be used internally only.
    - References: #11338, pull request 11363
    - If we get NODATA on an AAAA in followCNAMERecords, try native dns64.
    - References: #11327, pull request 11362
    - Initialize isNew before calling an exception-throwing function.
    - References: #11257, pull request 11359
* Mon Mar 28 2022 Adam Majer <adam.majer@suse.de>
  - fix building against sle-12 backports with gcc-9
  - remove obsolete BR on protobuf
  - add bundled information to the spec file
  - boost_context.patch: Boost.Context detection fix on SLE12
* Fri Mar 25 2022 Adam Majer <adam.majer@suse.de>
  - update to 4.6.1
    fixes incomplete validation of incoming IXFR transfer in
    the Recursor. It applies to setups retrieving one or more RPZ
    zones from a remote server if the network path to the server
    is not trusted. (bsc#1197525, CVE-2022-27227)
* Fri Dec 17 2021 Michael Ströder <michael@stroeder.com>
  - update to 4.6.0
    Compared to the previous major (4.5) release of PowerDNS Recursor, this
    release contains several sets of changes:
    * The ability to flush records from the caches on incoming
      notify requests.
    * A rewrite of the outgoing TCP code, adding both re-use of
      connections and support for DoT to authoritative servers or
      forwarders.
    * Many improvements in the area of metrics: more metrics are
      collected and more metrics are now exported in a Prometheus
      friendly way.
    * A new Zone to Cache function that will retrieve a zone (using
      AXFR, HTTP, HTTPS or a local file) periodically and insert the
      contents into the record cache, allowing the cache to be always hot
      for a zone. This can be used for the root or any other zone.
    * An experimental Event Tracing function, providing insight into
      the time taken by the steps in the process of resolving a name.
* Fri Nov 05 2021 Michael Ströder <michael@stroeder.com>
  - update to 4.5.7:
    * A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records.
      References: #10908, pull request 10912
    * rec_control wipe-cache-typed should check if a qtype arg is present and valid.
      References: #10905, pull request 10911
    * Put the correct string into appliedPolicyTrigger for Netmask matching rules.
      References: #10842, pull request 10863
* Mon Oct 11 2021 Michael Ströder <michael@stroeder.com>
  - update to 4.5.6:
    * Bug Fixes
    - fixes to the way RPZ updates are handled
    - fix to a case where traffic to a forwarder could be throttled while it should not.
    - fixed few minor DNSSEC validation issues
    - fix for case where the combining of equivalent queries wasn't
      effective
* Fri Jul 30 2021 Michael Ströder <michael@stroeder.com>
  - update to 4.5.5:
    * Improvements
    - Work around clueless servers sending AA=0 answers.
      References: #10555, pull request 10564
    * Bug Fixes
    - Ancestor NSEC3s can only deny the existence of a DS.
      References: #10587, pull request 10593
    - Make really sure we did not miss a cut on validation failure.
      References: #10570, pull request 10575
    - Clear the current proxy protocol values each iteration.
      References: #10515, pull request 10573
* Mon Jul 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - update to 4.5.4:
    * Make sure that we pass the SOA along the NSEC(3) proof for
      DS queries.
* Fri Jun 25 2021 Adam Majer <adam.majer@suse.de>
  - no longer supports 32-bit arches -- requires 64-bit time_t
  - specfile cleanup - drop initrd cases
  - build-require gcc7 on SLE-12 variant
* Wed Jun 09 2021 Michael Ströder <michael@stroeder.com>
  - update to 4.5.2:
    * default value of nsec3-max-iterations has been lowered to 150
    * fixed issue affecting the "refresh almost expired" function
* Tue May 11 2021 Michael Ströder <michael@stroeder.com>
  - update to 4.5.1:
  - Main changes:
    * Dropped support for 32-bit platforms!
    * Rewrite of the way zone cuts are determined, reducing the number of
      outgoing queries by up to 17% when doing DNSSEC validation while reducing
      the CPU usage more than 20%.
    * Added implementation of EDNS0 padding (RFC 7830) for answers sent to clients.
    * Added implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache.
    * Added a cache of non-resolving nameservers.
    * Re-worked negative cache that is shared between threads.
    * Added support for Extended DNS Errors (RFC 8914).
    * A "refresh almost expired records" (also called "refetch") mechanism
      has been introduced to keep the record cache warm.
  - Other new features and improvements:
    * The complete protobuf and dnstap logging code has been rewritten to
      have much smaller performance impact.
    * We have introduced non-offensive synonyms for words used in
      settings. See the upgrade guide.
    * The default minimum TTL override has been changed from 0 to 1.
    * The spoof-nearmiss-max setting's default has been changed to 1.
      This has the consequence that the Recursor will switch to do TCP
      queries to authoritative nameservers sooner as an effective measure
      against many spoofing attacks.
    * Incoming queries over TCP now also use the packet cache, providing
      another performance increase.
    * Files written to by the rec_control command are now opened by the
      command itself. It is also possible to write the content to the
      standard output stream by using a hyphen as file name.
    * TCP FastOpen (RFC 7413) support for outgoing TCP connections to
      authoritative servers and forwarders.
* Wed Mar 31 2021 Adam Majer <adam.majer@suse.de>
  - update to 4.4.3:
    Improvements
      Use a short-lived NSEC3 hashes cache for denial validation.
      References: #9856, pull request 10221
    Bug Fixes
      More fail-safe handling of Newly Discovered Domain files.
      Handle policy (if needed) after postresolve.
      Return current rcode instead of 0 if there are no CNAME records to follow.
      Lookup DS entries before CNAME entries.
      Handle failure to start the web server more gracefully.
      Test that we correctly cap the answer’s TTL in expanded wildcard cases.
      Fix the gathering of denial proof for wildcard-expanded answers.
      Make sure we take the right minimum for the packet cache TTL data in the SERVFAIL case.
    For details see,
    https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.3

Files

/etc/pdns/recursor.conf
/etc/pdns/recursor.conf-dist
/etc/pdns/recursor.yml-dist
/usr/lib/systemd/system/pdns-recursor.service
/usr/lib/systemd/system/pdns-recursor@.service
/usr/sbin/pdns_recursor
/usr/sbin/rcpdns-recursor
/usr/sbin/rec_control
/usr/share/doc/packages/pdns-recursor
/usr/share/doc/packages/pdns-recursor/README
/usr/share/licenses/pdns-recursor
/usr/share/licenses/pdns-recursor/COPYING
/usr/share/man/man1/pdns_recursor.1.gz
/usr/share/man/man1/rec_control.1.gz


Generated by rpm2html 1.8.1

Fabrice Bellet, Wed Oct 2 00:42:51 2024