From bert.hubert at netherlabs.nl Wed Oct 22 19:38:38 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Wed, 22 Oct 2014 21:38:38 +0200
Subject: [Pdns-announce] New: PowerDNS Security Status Polling
Message-ID: <20141022193837.GA24649@xs.powerdns.com>

Hi everybody,

PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, our recent security releases have taught us that not everybody actually finds out about important security updates via our mailing lists, Facebook and Twitter.

To solve this, the development versions of PowerDNS software have been updated to poll for security notifications over DNS, and log these periodically. Secondly, the security status of the software is available for monitoring using the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.

In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.

This feature can easily be disabled, and operators can also point the queries at their own status service.

In this post, we want to inform you that the most recent snapshots of PowerDNS now include security polling, and we want to solicit your rapid feedback before this feature becomes part of the next PowerDNS releases.

Implementation

PowerDNS software periodically tries to resolve ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the security-poll-suffix setting is left at the default of secpoll.powerdns.com). No other data is included in the request.
The data returned is in one of the following forms:

* NXDOMAIN or resolution failure
* “1 Ok” -> security-status=1
* “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> security-status=2
* “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> security-status=3

In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The metric security-status is set to 2 or 3 respectively. The security status could be lowered however if we discover the issue is less urgent than we thought.

If resolution fails, and the previous security-status was 1, the new security-status becomes 0 (‘no data’). If the security-status was higher than 1, it will remain that way, and not get set to 0. In this way, security-status of 0 really means ‘no data’, and can not mask a known problem.

Distributions

Distributions frequently backport security fixes to the PowerDNS versions they ship. This might lead to a version number that is known to us to be insecure to be secure in reality. To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from:

‘auth-x.y.z.security-status.secpoll.powerdns.com’

to

‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com’

Note two things: one, there is a separate namespace for debian, and secondly, we use the package version of this release. This allows us to know that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.

Details and how to disable

The configuration setting ‘security-poll-suffix’ is by default set to ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to ‘secpoll.yourorganization.com’. Our up to date secpoll zonefile is available on github for this purpose.

If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.
Delegation

If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.

From peter.van.dijk at netherlabs.nl Thu Oct 30 13:26:33 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Thu, 30 Oct 2014 14:26:33 +0100
Subject: [Pdns-announce] PowerDNS Authoritative Server 3.4.1 released
Message-ID: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl>

Hi everybody,

PowerDNS Authoritative Server 3.4.1 is now available!

3.4.1 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!

Please see http://doc.powerdns.com/html/changelog.html#changelog-auth-3.4.1 for full release notes and all download links.

You can get PowerDNS 3.4.1 from:

http://downloads.powerdns.com/releases/pdns-3.4.1.tar.bz2
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.1-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.1-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.1-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.1-1.x86_64.rpm

These files also come with GPG signatures (append .sig or .asc).

Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS 5 and 6 at
http://www.monshouwer.eu/download/3rd_party/pdns-server/

This is a bugfix update to 3.4.0 and any earlier version.

Changes since 3.4.0:

* commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, “Security polling”.
* commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom header (X-API-Key)
* commit 4a95ab4: Use transaction for pdnssec increase-serial
* commit 6e82a23: Don't empty ordername during pdnssec increase-serial
* commit 535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback, fixes ticket 1835. This fixes slaving of signed zones to IXFR-aware slaves like NSD or BIND.

From peter.van.dijk at netherlabs.nl Thu Oct 30 13:27:50 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Thu, 30 Oct 2014 14:27:50 +0100
Subject: [Pdns-announce] PowerDNS Recursor 3.6.2 released
Message-ID: <59F9179E-AD76-45A8-965E-087575387924@netherlabs.nl>

Hi everybody,

version 3.6.2 of the PowerDNS Recursor is now available from
https://www.powerdns.com/downloads.html

Kees Monshouwer provides native RHEL5/6 packages at
http://www.monshouwer.eu/download/3rd_party/pdns-recursor/

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.6.2

3.6.2 is the best version of the PowerDNS Recursor currently available, and we recommend upgrading to it.

This is a bugfix update to 3.6.1. A list of changes since 3.6.1 follows.

* gab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries)
* g42025be: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, "Security polling".
* g5027429: We did not transmit the right 'local' socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to lookup a filedescriptor that wasn't there in an unlocked map which could conceivably lead to crashes.
  Closes t1828, thanks Winfried for reporting
* g752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
* g6fdd40d: add missing #include to rec-channel.hh (this fixes building on OS X).
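
The polling exchange and the security-status transitions described in the "Security Status Polling" announcement above, modelled in Python as an added example; this is not PowerDNS code and is not from the original messages. The function names, the starting status of 0, and treating a malformed TXT record as a failed lookup are assumptions.

```python
"""Model of the security-status polling described in the announcement.
Added example; not PowerDNS source code."""
import re
from typing import List, Optional, Tuple

DEFAULT_SUFFIX = "secpoll.powerdns.com"  # default of security-poll-suffix per the post


def poll_name(product: str, version: str, suffix: str = DEFAULT_SUFFIX) -> Optional[str]:
    """Build the TXT owner name that is polled, or None when polling is off.

    `version` is the plain release ("3.4.1") or the PACKAGEVERSION compiled
    in by a distribution ("3.1.6-abcde.debian").
    """
    if product not in ("auth", "recursor"):
        raise ValueError("product must be 'auth' or 'recursor'")
    suffix = suffix.strip().strip(".")
    if not suffix:  # empty security-poll-suffix: nothing is polled
        return None
    return f"{product}-{version}.security-status.{suffix}"


_TXT_RE = re.compile(r"^([123]) (.+)$")


def parse_txt(txt: Optional[str]) -> Optional[Tuple[int, str]]:
    """Split '<status> <message>' into (status, message).

    None stands for NXDOMAIN or a resolution failure. Assumption: a record
    that does not start with 1, 2 or 3 and a space is treated the same way.
    """
    if txt is None:
        return None
    match = _TXT_RE.match(txt.strip().strip('"'))
    if match is None:
        return None
    return int(match.group(1)), match.group(2)


def next_status(previous: int, answer: Optional[Tuple[int, str]]) -> int:
    """Apply one poll result to the security-status metric."""
    if answer is not None:
        return answer[0]  # a fresh answer may raise or lower the status
    # Failed lookup: 1 drops to 0 ("no data"), but a known 2 or 3 is kept,
    # so an outage or a blocked query cannot mask a known problem.
    return previous if previous > 1 else 0


def replay(answers: List[Optional[str]], start: int = 0) -> List[Tuple[int, bool]]:
    """Return (security-status, logs at syslog level Error) after each poll.

    Assumption: the metric starts at 0 before the first poll.
    """
    status, trail = start, []
    for txt in answers:
        status = next_status(status, parse_txt(txt))
        trail.append((status, status >= 2))
    return trail


# Constructed sequence of poll results (None = NXDOMAIN or resolution failure).
SAMPLE_ANSWERS: List[Optional[str]] = [
    "1 Ok",
    None,
    "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
    None,
    "not a status record",
    "2 Upgrade recommended for security reasons, see http://powerdns.com/..",
    "1 Ok",
    None,
]

if __name__ == "__main__":
    print(poll_name("auth", "3.4.1"))
    print(poll_name("auth", "3.1.6-abcde.debian", "secpoll.yourorganization.com"))
    for txt, (status, logs) in zip(SAMPLE_ANSWERS, replay(SAMPLE_ANSWERS)):
        print(f"{txt!r:80} -> security-status={status} error-log={logs}")
```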