
pdns-recursor-4.3.5-bp153.1.17 RPM for aarch64

From OpenSuSE Leap 15.3 for aarch64

Name: pdns-recursor
Distribution: SUSE Linux Enterprise 15 SP3
Version: 4.3.5
Vendor: openSUSE
Release: bp153.1.17
Build date: Sun Mar 14 11:51:43 2021
Group: Productivity/Networking/DNS/Servers
Build host: obs-arm-7
Size: 7988232
Source RPM: pdns-recursor-4.3.5-bp153.1.17.src.rpm
Summary: Modern, advanced and high performance recursing/non authoritative nameserver

PowerDNS Recursor is a non authoritative/recursing DNS server. Use this
package if you need a dns cache for your network.







* Tue Oct 13 2020 Adam Majer <>
  - update to 4.3.5:
    * fixes cache pollution related to DNSSEC validation.
      (CVE-2020-25829, bsc#1177383)
    * now raise an exception on invalid content in unknown records
    * fixes the parsing of dont-throttle-netmasks in the presence of
  - 9070.patch: refreshed, looks like only partially upstreamed
* Wed Sep 09 2020 Adam Majer <>
  - 9070.patch: backport compilation fix vs. latest Boost 1.74
    based on
* Tue Sep 08 2020 Michael Ströder <>
  - update to 4.3.4
    * fixes an issue where certain CNAMEs could lead to resolver failure
    * fixes an issue with the hostname reported in Carbon messages
    * allows for multiple recursor services to run under systemd
  - use HTTPS scheme for all URLs
* Fri Jul 17 2020 Michael Ströder <>
  - update to 4.3.3
    * Validate cached DNSKEYs against the DSs, not the RRSIGs only.
    * Ignore cache-only for DNSKEYs and DS retrieval.
    * A ServFail while retrieving DS/DNSKEY records is just that.
    * Refuse DS records received from child zones.
    * Better exception handling in houseKeeping/handlePolicyHit.
    * Take initial refresh time from loaded zone.
* Wed Jul 01 2020 Adam Majer <>
  - update to 4.3.2
    * Fixes an access restriction bypass vulnerability where ACL applied
      to the internal web server via webserver-allow-from is
      not properly enforced, allowing a remote attacker to send
      HTTP queries to the internal web server, bypassing the restriction.
      (CVE-2020-14196, bsc#1173302)
    * improves CNAME loop detection
    * Fix the handling of DS queries for the root
    * Fix RPZ removals when an update has several deltas
* Tue May 19 2020 Adam Majer <>
  - update to 4.3.1
    * fixes an issue where records in the answer section of
      a NXDOMAIN response lacking an SOA were not properly validated
      (CVE-2020-12244, bsc#1171553)
    * fixes an issue where invalid hostname on the server can result in
      disclosure of invalid memory (CVE-2020-10030, bsc#1171553)
    * fixes an issue in the DNS protocol that allows
      malicious parties to use recursive DNS services to attack third
      party authoritative name servers (CVE-2020-10995, bsc#1171553)
* Sat Mar 07 2020 Wolfgang Rosenauer <>
  - fixed configuration to make the service start
* Tue Mar 03 2020 Adam Majer <>
  - update to 4.3.0:
    * A relaxed form of QName Minimization as described in rfc7816bis-01.
      This feature is enabled by default
    * Dnstap support for outgoing queries to authoritative servers and
      the corresponding replies.
    * The recursor now processes a number of requests incoming over
      a TCP connection simultaneously and will return results
      (potentially) out-of-order.
    * Newly Observed Domain (NOD) functionality
    * For details see
* Mon Dec 09 2019 Adam Majer <>
  - update to 4.2.1:
    * Add deviceName field to protobuf messages
    * Purge map of failed auths periodically by keeping
      last changed timestamp.
    * Prime NS records of parent (.net)
    * Issue with “zz” abbreviation for IPv6 RPZ triggers
    * Basic validation of $GENERATE parameters
    * Fix inverse handler registration logic for SNMP
* Mon Jul 15 2019 Michael Ströder <>
  - update to 4.2.0:
    * removes several workarounds for authoritative servers that
      respond badly to EDNS(0) queries
    * support for DNS X-Proxied-For (draft-bellis-dnsop-xpf-04)
    * EDNS Client Subnet Improvements
    * New and Updated Settings
    - distributor-threads
    - public-suffix-list-file
    - edns-outgoing-bufsize setting’s default has changed
      from 1680 to 1232
    * lot of small, incremental changes
* Tue May 21 2019 Adam Majer <>
  - update to 4.1.13:
    * Add the disable-real-memory-usage setting to skip expensive
      collection of detailed memory usage info
    * Fix DNSSEC validation of wildcards expanded onto themselves.
* Fri Apr 26 2019
  - bsc#1130588: Require shadow instead of old pwdutils
* Tue Apr 02 2019 Michael Ströder <>
  - update to 4.1.12:
    * Improvements
    - Provide CPU usage statistics per thread (worker & distributor).
    - Use a bounded load-balancing algo to distribute queries.
    - Implement a configurable ECS cache limit so responses with an
      ECS scope more specific than a certain threshold and a TTL
      smaller than a specific threshold are not inserted into the
      records cache at all.
    * Bug Fixes
    - Correctly interpret an empty AXFR response to an IXFR query.
  - update to 4.1.11:
    * Improvements
    - Add an option to export only responses over protobuf to the
      Lua protobufServer() directive.
    - Reduce systemcall usage in protobuf logging. (See #7428.)
* Fri Jan 25 2019 Michael Ströder <>
  - update to 4.1.10
    - #7403: Fix compilation in handleRunningTCPQuestion without
      protobuf support
* Mon Jan 21 2019
  - update to 4.1.9
    - Fixes case when Lua hooks are not called over TCP
      (CVE-2019-3806, bsc#1121887)
    - Fixes DNSSEC validation is not performed for AA=0 responses
      (CVE-2019-3807, bsc#1121889)
* Mon Nov 26 2018
  - update to 4.1.8
    - Fixes case where a crafted query can cause a denial of service
      (CVE-2018-16855, bsc#1116592)
* Fri Nov 09 2018
  - update to 4.1.7
    - Revert ‘Keep the EDNS status of a server on FormErr with EDNS’
    - Refuse queries for all meta-types
* Wed Nov 07 2018
  - update to 4.1.6
    - Revert "rec: Authority records in AA=1 CNAME answer are
* Wed Nov 07 2018 Michael Ströder <>
  - update to 4.1.5
    - Improvements
    * Add pdnslog to lua configuration scripts
    * Fix compilation with libressl 2.7.0+
    * Export outgoing ECS value and server ID in protobuf (if any)
    * Switch to devtoolset 7 for el6
    * Allow the signature inception to be off by number of seconds
    - Bug Fixes
    * Crafted answer can cause a denial of service
      (bsc#1114157, CVE-2018-10851)
    * Packet cache pollution via crafted query
      (bsc#1114169, CVE-2018-14626)
    * Crafted query for meta-types can cause a denial of service
      (bsc#1114170, CVE-2018-14644)
    * Delay creation of rpz threads until we dropped privileges
    * Cleanup the netmask trees used for the ecs index on removals
    * Make sure that the ecs scope from the auth is < to the source
    * Authority records in aa=1 cname answer are authoritative
    * Avoid a memory leak in catch-all exception handler
    * Don’t require authoritative answers for forward-recurse zones
    * Release memory in case of error in openssl ecdsa constructor
    * Convert a few uses to toLogString to print DNSName’s that
      may be empty in a safer manner
    * Avoid a crash on DEC Alpha systems
    * Clear all caches on (N)TA changes
* Fri Aug 31 2018
  - update to 4.1.4
    - Improvements
    * Split pdns_enable_unit_tests.
    * Add a new max-udp-queries-per-round setting.
    * Fix warnings reported by gcc 8.1.0.
    * Tests: replace awk command by perl.
    * Allow the snmp thread to retrieve statistics.
    - Bug Fixes
    * Don’t account chained queries more than once.
    * Make rec_control respect include-dir.
    * Load lua scripts only in worker threads.
    * Purge all auth/forward zone data including subtree.
* Tue May 22 2018
  - update to 4.1.3
    - Improvements
    * Add a subtree option to the API cache flush endpoint
    * Use a separate, non-blocking pipe to distribute queries
    * Move carbon/webserver/control/stats handling to a separate
    * Add _raw versions for QName / ComboAddresses to the FFI API
    * Fix a warning on botan >= 2.5.0
    - Bug Fixes
    * Count a lookup into an internal auth zone as a cache miss
    * Don’t increase the DNSSEC validations counters when running
      with process-no-validate
    * Respect the AXFR timeout while connecting to the RPZ server
    * Increase MTasker stacksize to avoid crash in exception
    * Use the SyncRes time in our unit tests when checking cache
    * Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT
    * Delay the loading of RPZ zones until the parsing is done,
      fixing a race condition
    * Reorder includes to avoid boost L conflict (bsc#1089814)
* Fri Apr 13 2018
  - protobuf support is available in SLE-15
  - Boost.Context library is not available on s390x
* Sun Apr 01 2018
  - update to 4.1.2
    - New Features
    - #6344: Add FFI version of gettag().
    - Improvements
    - #6298, #6303, #6268, #6290: Add the option to set the AXFR
      timeout for RPZs.
    - #6172: IXFR: correct behavior of dealing with DNS Name with
      multiple records and speed up IXFR transaction (Leon Xu).
    - #6379: Add RPZ statistics endpoint to the API.
    - Bug Fixes
    - #6336, #6293, #6237: Retry loading RPZ zones from server when
      they fail initially.
    - #6300: Fix ECS-based cache entry refresh code.
    - #6320: Fix ECS-specific NS AAAA not being returned from the
* Mon Jan 22 2018
  - update to version 4.1.1:
    + Fixes security vulnerability allowing a man-in-the-middle to send
      a NXDOMAIN answer for a DNSSEC name that does exist.
      (bsc#1077154, CVE-2018-1000003)
    + Don't validate signature for "glue" CNAME, since anything else
      than the initial CNAME can’t be considered authoritative.
* Fri Dec 29 2017
  - _constraints: we seem to need at least 8GB RAM to build on S390x
    and ppc64
* Mon Dec 04 2017
  - enable ed25519 support (new BR: libsodium-devel)
  - enable net-snmp support (new BR: net-snmp-devel)
  - simplify BR for lua: lua-devel everywhere now
* Mon Dec 04 2017
  - update to version 4.1.0:
    + Improved DNSSEC support
    + Improved documentation
    + Improved RPZ support
    + Improved EDNS Client Subnet support
    + SNMP support
    + Lua engine has gained access to more parts of the recursor
    + CPU affinity can now be specified
    + TCP Fast Open support
    + New performance metrics
    + For complete changes see:
* Mon Nov 27 2017
  - update to version 4.0.7: (bsc#1069242)
    + fixes CVE-2017-15090: Insufficient validation of DNSSEC
    + fixes CVE-2017-15092: Cross-Site Scripting in the web interface
    + fixes CVE-2017-15093: Configuration file injection in the API
    + fixes CVE-2017-15094: Memory leak in DNSSEC parsing
    + Fix validation at the exact RRSIG inception or expiration time
    + Extract nested exception from Luawrapper
    + Throw an error when lua-conf-file can’t be loaded
    + Lowercase all outgoing qnames when lowercase-outgoing is set
* Thu Oct 19 2017
  - Added pdns-recursor.keyring linked from
* Fri Sep 29 2017
  - Don't BuildRequire Botan 1.x
    * Botan will be dropped as the 1.x branch is EOL and won't get
      OpenSSL 1.1 support backported (bsc#1055322)
* Thu Jul 06 2017
  - update to version 4.0.6
    + fixes ed25519 signer
    + update entries
    + fixes handling of expired cache entries so they expire faster
* Tue Jul 04 2017
  - Enable DNSSEC validation by default.
* Tue Jun 13 2017
  - update to version 4.0.5
    + adds ed25519 (algorithm 15) support for DNSSEC
    + adds the 2017 DNSSEC root key
    + complete changeset is available at,
* Thu May 11 2017
  - move autoreconf into the build section
* Thu Feb 02 2017
  - use individual libboost-*-devel packages instead of boost-devel
  - add signature file for upstream release
* Fri Jan 13 2017
  - update to version 4.0.4
    The following security advisories were fixed
    - 2016-02: Crafted queries can cause abnormal CPU usage
    (CVE-2016-7068, boo#1018326)
    - 2016-04: Insufficient validation of TSIG signatures
    (CVE-2016-2120, boo#1018329)
    complete changeset is available at,
  - remove 4462.patch: in upstream release.
* Mon Dec 12 2016
  - BuildRequire pkgconfig(libsystemd) instead of
    pkgconfig(libsystemd-daemon): these libs were merged in systemd
    209 times. The build system is capable of finding either one.
* Tue Sep 13 2016
  - 4462.patch:
    Disable fcontext usage with Boost 1.61+ and revert back to
    slower SystemV ucontext. This fixes failure to build with
    newer Boost version. (boo#998408)
* Tue Sep 06 2016
  - update to 4.0.3
    A new release for the PowerDNS Recursor with version 4.0.3 is
    available. This release has many fixes and improvements in the
    Policy Engine (RPZ) and the Lua bindings to it. Therefore, we
    recommend users of RPZ to upgrade to this release. We would like
    to thank Wim (42wim on github) for testing and reporting on the
    RPZ module.
    Bug fixes
    - #4350: Call gettag() for TCP queries
    - #4376: Fix the use of an uninitialized filtering policy
    - #4381: Parse query-local-address before lua-config-file
    - #4383: Fix accessing an empty policyCustom, policyName from Lua
    - #4387: ComboAddress: don’t allow invalid ports
    - #4388: Fix RPZ default policy not being applied over IXFR
    - #4391: DNSSEC: Actually follow RFC 7646 §2.1
    - #4396: Add boost context ldflags so freebsd builds can find the
    - #4402: Ignore NS records in a RPZ zone received over IXFR
    - #4403: Fix build with OpenSSL 1.1.0 final
    - #4404: Don’t validate when a Lua hook took the query
    - #4425: Fix a protobuf regression (requestor/responder mix-up)
    Additions and Enhancements
    - #4394: Support Boost 1.61+ fcontext
    - #4402: Add Lua binding for DNSRecord::d_place
* Sun Sep 04 2016
  - update to 4.0.2
    Bug fixes
    - #4264: Set dq.rcode before calling postresolve
    - #4294: Honor PIE flags.
    - #4310: Fix build with LibreSSL, for which
      OPENSSL_VERSION_NUMBER is irrelevant
    - #4340: Don't shuffle CNAME records. (thanks to Gert van Dijk
      for the extensive bug report!)
    - #4354: Fix delegation-only
    Additions and enhancements
    - #4288: Respect the timeout when connecting to a protobuf server
    - #4300: allow newDN to take a DNSName in; document missing
    - #4301: expose SMN toString to lua
    - #4318: Anonymize the protobuf ECS value as well (thanks to Kai
      Storbeck of XS4All for finding this)
    - #4324: Allow Lua access to the result of the Policy Engine
      decision, skip RPZ, finish RPZ implementation
    - #4349: Remove unused DNSPacket::d_qlen
    - #4351: RPZ: Use query-local-address(6) by default (thanks to
      Oli Schacher of for the bug report)
    - #4357: Move the root DNSSEC data to a header file
* Sat Jul 30 2016
  - update to 4.0.1
    Bug fixes
    - #4119 Improve DNSSEC record skipping for non dnssec queries
      (Kees Monshouwer)
    - #4162 Don't validate zones from the local auth store, go one
      level down while validating when there is a CNAME
    - #4187:
    - Don't go bogus on islands of security
    - Check all possible chains for Insecures
    - Don't go Bogus on a CNAME at the apex
    - #4215 RPZ: default policy should also override local data RRs
    - #4243 Fix a crash when the next name in a chained query is
      empty and rec_control current-queries is invoked
    - #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
    - #4140 Fix warnings with gcc on musl-libc (James Taylor)
    - #4160 Also validate on +DO
    - #4164 Fail to start when the lua-dns-script does not exist
    - #4168 Add more Netmask methods for Lua (Aki Tuomi)
    - #4210 Validate DNSSEC for security polling
    - #4217 Turn on root-nx-trust by default and
    - #4207 Allow for multiple trust anchors per zone
    - #4242 Fix compilation warning when building without Protobuf
    - #4133 Add limits to the size of received {A,I}XFR
* Mon Jul 11 2016
  - update to 4.0.0
  - packaging changes:
    - enabled protobuf based stats
    - enabled botan based code
    - use upstream systemd files
* Tue Jul 21 2015
  - do not use /run/pdns instead of /var/run/pdns in the init script
    for the rest we have the systemd unit file
* Tue Jun 09 2015
  - update to 3.7.3 will prevent short bursts of high
    resource usage with malformed qnames.
* Wed Apr 29 2015
  - call systemd-tmpfiles during installation
* Thu Apr 23 2015
  - update to 3.7.2 with a fix for CVE-2015-1868 (boo# 927569)
    Bug fixes:
    - commit adb10be commit 3ec3e0f commit dc02ebf Fix handling of
      forward references in label compressed packets; fixes
    - commit a7be3f1: make sure we never call sendmsg with
      msg_control!=NULL && msg_controllen>0. Fixes ticket #2227
    - commit 9d835ed: Improve robustness of root-nx-trust.
    - commit 99c595b: Silence warnings that always occur on FreeBSD
      (Ruben Kerkhof)
* Thu Feb 12 2015
  - update to 3.7.1
    This version contains a mix of speedups and improvements, the combined effect
    of which is vastly improved resilience against traffic spikes and malicious
    query overloads.
    Minor changes:
    - Removal of dead code here and there
    - Per-qtype response counters are now 64 bit
      297bb6acf7902068693a4aae1443c424d0e8dd52 on 64 bit systems
    - Add IPv6 addresses for b and hints
    - Add IP address to logging about terminated queries
    - Improve qtype name logging
      fab3ed3453e15ae88e29a0e4071b214eb19caad9 (Aki Tuomi)
    - Redefine 'BAD_NETS' for dont-query based on newer IANA guidance
      12cd44ee0fcde5893f85dccc499bfc35152c5fff (lochiiconnectivity)
    - Add documentation links to systemd unit
      eb154adfdffa5c78624e2ea98e938d7b5787119e (Ruben Kerkhof)
    - Upgrade embedded PolarSSL to 1.3.9:
    - yahttp upgrade c290975778942ed1082ca66918695a5bd2d6bac4
      c65a57e888ee48eaa948e590c90c51420bffa847 (Aki Tuomi)
    - Replace . in hostnames by - for Carbon so as not to confuse
      Metronome 46541751ed1c3bc051d78217543d5fc76733e212
    - Manpages got a lot of love and are now built from Markdown
      (Pieter Lexis)
    - Move to PolarSSL base64
      488360551009784ab35c43ee4580e773a2a8a227 (Kees Monshouwer)
    - The quiet=no query logging is now more informative
    - We can finally bind to and :: and guarantee answers
      from the correct source
    - We use per-packet timestamps to drop ancient traffic in case of
      overload b71b60ee73ef3c86f80a2179981eda2e61c4363f, non-Linux
      portability in d63f0d83631c41eff203d30b0b7c475a88f1db59
    - Builtin webserver can be queried with the API key in the URL
      again c89f8cd022c4a9409b95d22ffa3b03e4e98dc400
    - Ringbuffers are now available via API
    - Lua 5.3 compatibility 59c6fc3e3931ca87d484337daee512e716bc4cf4
      (Kees Monshouwer)
    - No longer leave a stale UNIX domain socket around from
      rec_control if the recursor was down
      524e4f4d81f4ed9eb218715cbc8a59f0b9868234, ticket #2061
    - Running with 'quiet=no' would strangely actually prevent debug
      messages from being logged
    - Webserver now implements CORS for the API
      ea89a97e864c43c1cb03f2959ad04c4ebe7580ad, fixing ticket #1984
    - Housekeeping thread would sometimes run multiple times
      simultaneously, which worked, but was odd
    New features:
    - New `root-nx-trust` flag makes PowerDNS generalize NXDOMAIN
      responses from the root-servers
    - `getregisteredname()` for Lua, which turns '' into
      '' 8cd4851beb78bc6ab320926fb5cb6a09282016b1
    - Lua preoutquery filter 3457a2a0ec41d3b3aff7640f30008788e1228a6e
    - Lua IP-based filter (ipfilter) before parsing packets
    - `iputils` class for Lua, to quickly process IP addresses and
      netmasks in their native format
    - `getregisteredname` function for Lua, to find the registered
      domain for a given name
    - Various new ringbuffers: top-servfail-remotes,
      top-largeanswer-remotes, top-servfail-queries
    - Remove unneeded malloc traffic
    - Our nameserver-loop detection carried around a lot of baggage
      for complex domain names, plus did not differentiate IPv4 and
      IPv6 well enough 891fbf888ccac074e3edc38864641ca774f2f03c
    - Prioritize new queries over nameserver responses, improving
      latency under query bursts
    - Remove escaping in case there was nothing to escape
    - Our logging infrastructure had a lot of locking
    - Reduce logging level of certain common messages, which locked
      up synchronously logging systems
    - Add limit on total wall-clock time spent on a query
    - Packet cache is now case-insensitive, which increases hitrate
    Security relevant:
    - Check for PIE, RELRO and stack protector during configure
      8d0354b189c12e1e14f5309d3b49935c17f9eeb0 (Aki Tuomi)
    - Testing for support of PIE etc was improved in
      b2053c28ccb9609e2ce7bcb6beda83f98a062aa3 and beyond, fixes
      [#2125] (Ruben Kerkhof)
    - Max query-per-query limit (max-qperq) is now configurable
    Bugs fixed:
    - IPv6 outgoing queries had a disproportionate effect on our
      query load. Fixed in 76f190f2a0877cd79ede2994124c1a58dc69ae49
      and beyond.
    - rec_control gave incorrect output on a timeout
    - When using the webserver AND having an error in the Lua script,
      recursor could crash during startup
    - Hugely long version strings would trip up security polling
      18b7333828a1275ae5f5574a9c8330290d8557ff (Kees Monshouwer)
    - The 'remotes' ringbuffer was sized incorrectly
    - Cache sizes had an off-by-one scaling problem, with the wrong
      number of entries allocated per thread
    - Our automatic file descriptor limit raising was attempted
      *after* setuid, which made it a lot less effective. Found and
      fixed by Aki Tuomi a6414fdce9b0ec32c340d1f2eea2254f3fedc1c1
    - Timestamps used for dropping packets were occasionally wrong
      183eb8774e4bc2569f06d5894fec65740f4b70b6 and
      4c4765c104bacc146533217bcc843efb244a8086 (RC2) with thanks to
      Winfried for debugging.
    - In RC1, our new DoS protection measures would crash the
      Recursor if too many root servers were unreachable.
      6a6fb05ad81c519b4002ed1db00f3ed9b7bce6b4. Debugging and testing
      by Fusl.
  - remove pdns-rec-lua52.patch:
    no longer needed
* Sun Nov 09 2014
  - Fixed broken _localstatedir
* Thu Oct 30 2014
  - update to upstream release 3.6.2 (boo# 906583) CVE-2014-8601
    This is a bugfix update to 3.6.1.
    A list of changes since 3.6.1 follows.
    * gab14b4f: expedite servfail generation for ezdns-like
      failures (fully abort query resolving if we hit more than
      50 outqueries)
    * g42025be: PowerDNS now polls the security status of a
      release at startup and periodically. More detail on this
      feature, and how to turn it off, can be found in Section 2,
      "Security polling".
    * g5027429: We did not transmit the right 'local' socket
      address to Lua for TCP/IP queries in the recursor. In
      addition, we would attempt to lookup a filedescriptor that
      wasn't there in an unlocked map which could conceivably
      lead to crashes. Closes t1828, thanks Winfried for
    * g752756c: Sync embedded yahttp copy. API: Replace HTTP
      Basic auth with static key in custom header
    * g6fdd40d: add missing #include <pthread.h> to
      rec-channel.hh (this fixes building on OS X).
* Tue Oct 28 2014
  - sync permissions/ownership of home and config dir with the pdns



Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Nov 9 18:27:03 2021