<div dir="ltr">Will these updates eventually make their way into CentOS EPEL? Looks like I'm still on 1.3.0 pulling from those repos.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 10, 2018 at 7:20 AM, Remi Gacogne <span dir="ltr"><<a href="mailto:remi.gacogne@powerdns.com" target="_blank">remi.gacogne@powerdns.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello everyone,<br>
<br>
We are very happy to announce the 1.3.2 release of dnsdist. This release<br>
contains a few new features, but is mostly fixing bugs and documentation<br>
issues reported since the release of dnsdist 1.3.0. You might be<br>
wondering why this release is not numbered 1.3.1, we discovered a build<br>
issue on some platforms right after tagging 1.3.1 and therefore decided<br>
to release 1.3.2 right away.<br>
<br>
Breaking changes<br>
================<br>
<br>
After discussing with several users, we noticed that quite a lot of them<br>
were not aware that enabling the dnsdist's console without a key, even<br>
restricted to the local host, could be a security issue and allow<br>
privilege escalation by allowing an unprivileged user to connect to the<br>
console and execute Lua code as the dnsdist user. We therefore decided<br>
to refuse any connection to the console until a key has been set, so<br>
please check that you do set a key before upgrading if you use the console.<br>
<br>
New features<br>
============<br>
<br>
The DNS over TLS feature introduced in 1.3.0 was missing the ability to<br>
support both an RSA and an ECDSA certificate at the same time, and it<br>
was not possible to switch to a new certificate without restarting<br>
dnsdist. This has now been fixed.<br>
<br>
The packet cache has also been improved in this release, with the<br>
addition of a negative TTL option to be able to specify how long NODATA<br>
and NXDOMAIN answers should be cache, as well as a way to dump the<br>
content of the cache. We also made the detection of ECS collisions more<br>
robust, preventing two queries for the same name, type and class but a<br>
different ECS subnet from colliding even if they did hash to the same value.<br>
<br>
This version gained the ability to insert dynamic rules that do nothing,<br>
and do not stop the processing of subsequent rules, which is very useful<br>
for testing purposes. The optimized DynblockRulesGroup introduced in<br>
1.3.0 also gained the ability to whitelist and blacklist ranges from<br>
dynamic rules, for example to prevent some clients from ever being<br>
blocked by a rate-limiting rule.<br>
<br>
Finally, we introduced the new SetECSAction directive to be able to<br>
force the ECS value sent to a downstream server for some or all queries.<br>
<br>
Bug fixes<br>
=========<br>
<br>
In addition to various documentation and cosmetics fixes, a few annoying<br>
bugs have been fixed in this release:<br>
<br>
- If the first connection attempt to a given backend failed, dnsdist<br>
didn't properly reconnect even when the backend became available ;<br>
- Dynamic blocks were sometimes created with the wrong duration ;<br>
- The ability to iterate over the results of the Lua exceed*() functions<br>
was broken in 1.3.0, preventing manual whitelisting from Lua ;<br>
- Some statistics were displayed with too many decimals in the web<br>
interface ;<br>
- A backend outstanding queries counter could become wrong if it dropped<br>
a lot of queries for a while.<br>
<br>
<br>
Please see the dnsdist website [1] for the more complete changelog<br>
[2] and the current documentation.<br>
<br>
Release tarballs are available on the downloads website [3].<br>
<br>
Several packages are also available on our repository [4].<br>
<br>
<br>
[1]: <a href="https://dnsdist.org" rel="noreferrer" target="_blank">https://dnsdist.org</a><br>
[2]: <a href="https://dnsdist.org/changelog.html" rel="noreferrer" target="_blank">https://dnsdist.org/changelog.<wbr>html</a><br>
[3]: <a href="https://downloads.powerdns.com/releases/dnsdist-1.3.2.tar.bz2" rel="noreferrer" target="_blank">https://downloads.powerdns.<wbr>com/releases/dnsdist-1.3.2.<wbr>tar.bz2</a><br>
[4]: <a href="https://repo.powerdns.com/" rel="noreferrer" target="_blank">https://repo.powerdns.com/</a><br>
<br>
Best regards,<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
Remi Gacogne<br>
PowerDNS.COM BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><br>
<br>
</font></span><br>______________________________<wbr>_________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/<wbr>mailman/listinfo/dnsdist</a><br>
<br></blockquote></div><br></div>