From bert.hubert at netherlabs.nl Wed Sep 10 08:02:23 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Wed, 10 Sep 2014 10:02:23 +0200
Subject: [Pdns-announce] PowerDNS Recursor Security Release 3.6.1
Message-ID: <20140910080223.GB3912@xs.powerdns.com>

Hi everybody,

We regret that we have to announce a PowerDNS Recursor security release:

Issue:        A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely
CVE:          CVE-2014-3614
Affected:     All deployments of PowerDNS Recursor 3.6.0
Not Affected: PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0
Workaround:   1) Only users from netmasks specified in 'allow-from' can cause the crash
              2) add automated restarting
Remediation:  Upgrade to 3.6.1 using the packages we provided, or apply our minimal patch and recompile

Distributions shipping 3.6.0 were notified last week and will be providing updates very soon.

Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin. Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.

Fixed packages and sources are available from:
https://www.powerdns.com/downloads.html

In addition, if you want to apply a minimal fix, it can be found on:
https://xs.powerdns.com/tmp/minipatch-3.6.1

Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified and will be providing updated packages soon.

As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase.
Secondly, https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf and https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service can be used to enable Upstart and Systemd to restart the PowerDNS Recursor in case of a crash.

In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:

* We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in commit c90fcbd, closing ticket 1663.
* Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens.
* Realtime telemetry can now be enabled at runtime, for example with 'rec_control carbon-server 82.94.213.34 ourname1234'. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server.

We want to thank the dedicated PowerDNS users that spent months investigating the rare crashes they observed. Without such an engaged community, we would never be able to chase down issues like these.
If you have any questions regarding this update, or need help upgrading, please contact us here or through https://www.powerdns.com/contact.html

Bert

-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372

From peter.van.dijk at netherlabs.nl Tue Sep 23 08:08:53 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Tue, 23 Sep 2014 10:08:53 +0200
Subject: [Pdns-announce] Authoritative Server 3.4.0 Release Candidate
Message-ID: <3CE4E57C-2CDE-4529-91F2-2C8EDBAB860C@netherlabs.nl>

Hi everybody,

Release Candidate 2 of the PowerDNS Authoritative Server 3.4.0 is available from:
http://powerdnssec.org/downloads/pdns-3.4.0-rc2.tar.bz2
http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.i386.rpm
http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.x86_64.rpm
http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_amd64.deb
http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_i386.deb

You are cordially invited to (carefully) test this Release Candidate for correct behaviour.

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0

Here is a text-only version:

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful. A list of changes since RC1 follows. For the complete changes since 3.3.1, see the URL above.

Changes between RC1 and RC2:

* commit bb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes ticket 1400.
* commit 4a23af7: init script: support DAEMON_ARGS; commit 7e5b3a0: init script: ensure socket dir exists
* commit dd930ed: don't import supermaster ips from other accounts
* commit ed3afdf: fall back to central bind if reuseport bind fails; improves ticket 1715
* commit 709ca59: GeoIP backend implementation. This is a new backend, still experimental!
* commit bf5a484: support EVERY future version of OS X, fixes ticket 1702
* commit 4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes ticket 1684; commit 74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal
* commit 882ca9d: revert setpgrp changes
* commit 2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort
* commit 0ffd51d: improve error reporting on malformed labels
* commit c48dec7: Fix forwarded TSIG message issue
* commit dad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes ticket 1658
* commit c7287b6: should fix ticket 1662, reloading while checking for domains that need to be notified in BIND, causing lock
* commit 3e67ea8: allow OPT pseudo record type in IXFR query
* commit a1caa8b: webserver: htmlescape VERSION and config name
* commit df9d980: Remove "log-failed-updates" leftover
* commit a1fe72a: Remove unused "soa-serial-offset" option

From peter.van.dijk at netherlabs.nl Tue Sep 30 10:41:27 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Tue, 30 Sep 2014 12:41:27 +0200
Subject: [Pdns-announce] PowerDNS Authoritative Server 3.4.0 released
Message-ID:

Hi everybody,

PowerDNS Authoritative Server 3.4.0 is now available!
3.4.0 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full release notes and all download links.

You can get PowerDNS 3.4.0 from:
http://downloads.powerdns.com/releases/pdns-3.4.0.tar.bz2
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.x86_64.rpm

These files also come with GPG signatures (append .sig).

Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS at https://www.monshouwer.eu/download/3rd_party/pdns/

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful. A list of changes since 3.3.1 follows.

Changes between RC2 and 3.4.0:

* gad189c9, g445d93c: also distribute the dnsdist manual page
* gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all backends actually work as dynamic modules
* g14b11c4: raise log level on dlerror(), fixes t1734, thanks @James-TR
* g016d810: improve postgresql detection during ./configure
* gdce1e90: DNAME: don't sign the synthesised CNAME
* g25e7af3: send empty SERVFAIL after a backend throws a DBException, instead of including useless content

Changes between RC1 and RC2:

* gbb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes t1400.
* g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init script: ensure socket dir exists
* gdd930ed: don't import supermaster ips from other accounts
* ged3afdf: fall back to central bind if reuseport bind fails; improves t1715
* g709ca59: GeoIP backend implementation. This is a new backend, still experimental!
* gbf5a484: support EVERY future version of OS X, fixes t1702
* g4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal
* g882ca9d: revert setpgrp changes
* g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort
* g0ffd51d: improve error reporting on malformed labels
* gc48dec7: Fix forwarded TSIG message issue
* gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes t1658
* gc7287b6: should fix t1662, reloading while checking for domains that need to be notified in BIND, causing lock
* g3e67ea8: allow OPT pseudo record type in IXFR query
* ga1caa8b: webserver: htmlescape VERSION and config name
* gdf9d980: Remove "log-failed-updates" leftover
* ga1fe72a: Remove unused "soa-serial-offset" option

Changes between 3.3.1 and 3.4.0-RC1 follow.

DNSSEC changes:

* gbba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
* g28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
* gb50efd6: drop the 'superfluous NSEC3' option that old BIND validators need.
* The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
* Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM.
* Direct RRSIG queries now return NOTIMP.
* gfa37777: add secure-all-zones command to pdnssec
* Unrectified zones can now get rectified 'on the fly' during outgoing AXFR.
  This makes it possible to run a hidden signing master without rectification.
* g82fb538: AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
* Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
* g0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
* gb8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys.
* g52e0d78: answer direct NSEC queries without DO bit
* gca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
* g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
* gac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations
* gff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations

New features:

* DNAME support. Enable with experimental-dname-processing.
* PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
* g767da1a: Add list-zone capability to pdns_control
* g51f6bca: Add delete-zone to pdnssec.
* The gsql backends now support record comments, and disabling records.
* The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements.
* local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
* 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR retrieval.
* g451ba51: Implement pdnssec get-meta/set-meta
* Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with extensive testing by Kees Monshouwer.
* pdns_control bind-add-zone
* New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
* pdnssec now has commands for TSIG key management.
* We now support other algorithms than MD5 for TSIG.
* gba7244a: implement pdns_control qtypes
* Support for += syntax for options

Bugfixes:

* We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
* gff99a74: making *-threads settings empty now yields a default of one instead of zero.
* g9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
* g9245fd9: don't addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
* g719f902: fix dual-stack superslave when multiple nameservers share an IP
* g33966bf: avoid address truncation in doNotifications
* geac85b1: prevent duplicate slave notifications caused by different ipv6 address formatting
* g3c8a711: make notification queue ipv6 compatible
* g0c13e45: make isMaster ip check more tolerant for different ipv6 notations
* Various fixes for possible issues reported by Coverity Scan (gf17c93b, )
* g9083987: don't rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
* Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
* Decreasing the webserver ringbuffer size could cause crashes.
* g4c89cce: nproxy: Add missing chdir("/") after chroot()
* g016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal

REST API changes:

* The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others.
* Mark Schouten at Tuxis contributed a zone importer.

Other changes:

* Our tarballs and packages now include *.sql schema files for the SQL backends.
* The webserver (including API) now has an ACL (webserver-allow-from).
* Webserver (including API) is now powered by YaHTTP.
* Various autotools usage improvements from Ruben Kerkhof.
* The dist tarball is now bzip2-compressed instead of gzip.
* Various remotebackend updates, including replacing curl with (included) yahttp.
* Dynamic module loading is now allowed on Mac OS X.
* The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
* gba91c2f: remove unused gpgsql-socket option and document postgres socket usage
* Improved support for Lua 5.2.
* The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
* geobackend now has very limited edns-subnet support - it will use the 'real' remote if available.
* pipebackend ABI v4 adds the zone name to the AXFR command.
* We now avoid getaddrinfo() as much as possible.
* The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
* gff5ba4f: pdns_server --help no longer exits with 1.
* Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
* g81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes t844.
* RCodes are now reported in text in various places, thanks Aki.
* Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
* Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
* Bundled PolarSSL has been upgraded to 1.3.2
* PolarSSL replaced previously bundled implementations of AES (ge22d9b4) and SHA (g9101035)
* bindbackend is now a module
* g14a2e52: Use the inet data type for supermasters.ip on postgresql.
* We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
* g3613a51: Show built-in features in --version output
* g4bd7d35: make domainmetadata queries case insensitive
* g088c334: output warning message when no to be notified NS's are found
* g5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
* gd87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
* Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said.
* On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
* Removed settings related to fancy records, as we haven't supported those since version 3.0
* Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in g801812e and g8403ade.
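The NSEC3 iteration limit in the 3.4.0 notes above (max-nsec3-iterations, RFC 5155 section 10.3) as an added worked example, written for this archive page and not PowerDNS code: it implements the NSEC3 owner-name hash of RFC 5155 section 5, which makes visible that every extra iteration costs a validating resolver one more SHA-1 per denial-of-existence proof, and the per-key-size cap the RFC sets. The RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations, zone "example.") are the constructed sample input; how key sizes between the RFC's listed values are treated is my assumption.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and the iteration cap of
RFC 5155 section 10.3, which a max-nsec3-iterations style option enforces.

Added example for this archive page; not PowerDNS code.
"""
import base64
import hashlib

# RFC 5155 section 10.3: the largest iteration count a validating resolver
# must accept, keyed by the size in bits of the zone's largest DNSKEY.
MAX_ITERATIONS_BY_KEY_BITS = {1024: 150, 2048: 500, 4096: 2500}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of a domain name."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"  # the root label terminates the name


def base32hex(raw: bytes) -> str:
    """RFC 4648 'Extended Hex' alphabet, lowercase, as used in NSEC3 owner names."""
    std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexa = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(raw).translate(bytes.maketrans(std, hexa)).decode().lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, k) from RFC 5155 section 5 with hash algorithm 1 (SHA-1).

    One SHA-1 over the wire name plus one per iteration: the work a resolver
    must spend on each NSEC3 proof grows linearly with 'iterations', which is
    exactly the resource the iteration cap protects.
    """
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def max_iterations_for_key(key_bits: int) -> int:
    """Cap from RFC 5155 section 10.3 for a zone whose largest DNSKEY is key_bits.

    Assumption (not stated by the RFC): a key size between the listed values
    is treated as the next larger listed size, and anything above 4096 bits
    keeps the 4096-bit cap.
    """
    for bits in sorted(MAX_ITERATIONS_BY_KEY_BITS):
        if key_bits <= bits:
            return MAX_ITERATIONS_BY_KEY_BITS[bits]
    return MAX_ITERATIONS_BY_KEY_BITS[4096]


def nsec3param_acceptable(iterations: int, key_bits: int) -> bool:
    """True if an NSEC3PARAM iteration count is within the RFC 5155 cap."""
    return iterations <= max_iterations_for_key(key_bits)


if __name__ == "__main__":
    # Constructed sample: the RFC 5155 Appendix A zone parameters.
    print(nsec3_hash("example.", "aabbccdd", 12))
    print(nsec3param_acceptable(12, 1024), nsec3param_acceptable(2500, 1024))
```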
Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From bert.hubert at netherlabs.nl Wed Sep 10 08:02:23 2014 From: bert.hubert at netherlabs.nl (bert hubert) Date: Wed, 10 Sep 2014 10:02:23 +0200 Subject: [Pdns-announce] PowerDNS Recursor Security Release 3.6.1 Message-ID: <20140910080223.GB3912@xs.powerdns.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everybody, We regret that we have to announce a PowerDNS Recursor security release: Issue: A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely CVE: CVE-2014-3614 Affected: All deployments of PowerDNS Recursor 3.6.0 Not Affected: PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0 Workaround: 1) Only users from netmasks specified in 'allow-from' can cause the crash 2) add automated restarting Remediation: Upgrade 3.6.1 using the packages we provided, or apply our minimal patch and recompile Distributions shipping 3.6.0 have been notified last week and will be providing updates very soon Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin. Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow. Fixed packages and sources are available from: https://www.powerdns.com/downloads.html In addition, if you want to apply a minimal fix, it can be found on: https://xs.powerdns.com/tmp/minipatch-3.6.1 Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified and will be providing updated packages soon. As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. 
Secondly, https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf and https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service can be used to enable Upstart and Systemd to restart the PowerDNS Recursor in case of a crash. In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature: * We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in commit c90fcbd , closing ticket 1663. * Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens. * Realtime telemetry can now be enabled at runtime, for example with 'rec_control carbon-server 82.94.213.34 ourname1234'. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server. We want to thank the dedicated PowerDNS users that spent months investigating the rare crashes they observed. Without such an engaged community, we would never be able to chase down issues like these. 
If you have any questions regarding this update, or need help upgrading, pleae contact us here or through https://www.powerdns.com/contact.html Bert - -- PowerDNS Website: http://www.powerdns.com/ Contact us by phone on +31-15-7850372 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlQQBY8ACgkQHF7pkNLnFXUeWACgqyD19AIsGG/tQVQqU/iHUQNX 3kQAoKWFsVC4ZV4+0Yl4QDy6ntUFM7Xz =wv1m -----END PGP SIGNATURE----- From peter.van.dijk at netherlabs.nl Tue Sep 23 08:08:53 2014 From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Tue, 23 Sep 2014 10:08:53 +0200 Subject: [Pdns-announce] Authoritative Server 3.4.0 Release Candidate Message-ID: <3CE4E57C-2CDE-4529-91F2-2C8EDBAB860C@netherlabs.nl> Hi everybody, Release Candidate 2 of the PowerDNS Authoritative Server 3.4.0 is available from: http://powerdnssec.org/downloads/pdns-3.4.0-rc2.tar.bz2 http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.i386.rpm http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.x86_64.rpm http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_amd64.deb http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_i386.deb You are cordially invited to (carefully) test this Release Candidate for correct behaviour. Full release notes, with clickable links, are available from: http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 Here is a text-only version: This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful. A list of changes since RC1 follows. For the complete changes since 3.3.1, see the URL above. Changes between RC1 and RC2: * commit bb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes ticket 1400. 
* commit 4a23af7: init script: support DAEMON_ARGS; commit 7e5b3a0: init script: ensure socket dir exists * commit dd930ed: don't import supermaster ips from other accounts * commit ed3afdf: fall back to central bind if reuseport bind fails; improves ticket 1715 * commit 709ca59: GeoIP backend implementation. This is a new backend, still experimental! * commit bf5a484: support EVERY future version of OS X, fixes ticket 1702 * commit 4dbaec6: Check for __FreeBSD_kernel__ as per https:// lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes ticket 1684; commit 74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal * commit 882ca9d: revert setpgrp changes * commit 2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort * commit 0ffd51d: improve error reporting on malformed labels * commit c48dec7: Fix forwarded TSIG message issue * commit dad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes ticket 1658 * commit c7287b6: should fix ticket 1662, reloading while checking for domains that need to be notified in BIND, causing lock * commit 3e67ea8: allow OPT pseudo record type in IXFR query * commit a1caa8b: webserver: htmlescape VERSION and config name * commit df9d980: Remove "log-failed-updates" leftover * commit a1fe72a: Remove unused "soa-serial-offset" option -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From peter.van.dijk at netherlabs.nl Tue Sep 30 10:41:27 2014 From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Tue, 30 Sep 2014 12:41:27 +0200 Subject: [Pdns-announce] PowerDNS Authoritative Server 3.4.0 released Message-ID: Hi everybody, PowerDNS Authoritative Server 3.4.0 is now available! 
3.4.0 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however! Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full release notes and all download links. You can get PowerDNS 3.4.0 from: http://downloads.powerdns.com/releases/pdns-3.4.0.tar.bz2 http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_i386.deb http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_amd64.deb http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.i386.rpm http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.x86_64.rpm These files also come with GPG signatures (append .sig). Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS at https://www.monshouwer.eu/download/3rd_party/pdns/ This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful. A list of changes since 3.3.1 follows. Changes between RC2 and 3.4.0: * gad189c9, g445d93c: also distribute the dnsdist manual page * gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all backends actually work as dynamic modules * g14b11c4: raise log level on dlerror(), fixes t1734, thanks @James-TR * g016d810: improve postgresql detection during ./configure * gdce1e90: DNAME: don't sign the synthesised CNAME * g25e7af3: send empty SERVFAIL after a backend throws a DBException, instead of including useless content Changes between RC1 and RC2: * gbb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes t1400. 
* g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init script: ensure socket dir exists * gdd930ed: don't import supermaster ips from other accounts * ged3afdf: fall back to central bind if reuseport bind fails; improves t1715 * g709ca59: GeoIP backend implementation. This is a new backend, still experimental! * gbf5a484: support EVERY future version of OS X, fixes t1702 * g4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal * g882ca9d: revert setpgrp changes * g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort * g0ffd51d: improve error reporting on malformed labels * gc48dec7: Fix forwarded TSIG message issue * gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes t1658 * gc7287b6: should fix t1662, reloading while checking for domains that need to be notified in BIND, causing lock * g3e67ea8: allow OPT pseudo record type in IXFR query * ga1caa8b: webserver: htmlescape VERSION and config name * gdf9d980: Remove "log-failed-updates" leftover * ga1fe72a: Remove unused "soa-serial-offset" option Changes between 3.3.1 and 3.4.0-RC1 follow. DNSSEC changes: * gbba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures. * g28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option. * gb50efd6: drop the 'superfluous NSEC3' option that old BIND validators need. * The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid. * Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM. * Direct RRSIG queries now return NOTIMP. * gfa37777: add secure-all-zones command to pdnssec * Unrectified zones can now get rectified 'on the fly' during outgoing AXFR. 
This makes it possible to run a hidden signing master without rectification. * g82fb538: AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs * Various minor bugfixes, mostly from the unstoppable Kees Monshouwer. * g0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage. * gb8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys. * g52e0d78: answer direct NSEC queries without DO bit * gca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled * g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling * gac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations * gff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations New features: * DNAME support. Enable with experimental-dname-processing. * PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval. * g767da1a: Add list-zone capability to pdns_control * g51f6bca: Add delete-zone to pdnssec. * The gsql backends now support record comments, and disabling records. * The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements. * local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind. * 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR retrieval. * g451ba51: Implement pdnssec get-meta/set-meta * Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with extensive testing by Kees Monshouwer. * pdns_control bind-add-zone * New option bind-ignore-broken-records ignores out-of-zone records while loading zone files. * pdnssec now has commands for TSIG key management. * We now support other algorithms than MD5 for TSIG. 
If you have any questions regarding this update, or need help upgrading, please contact us here or through https://www.powerdns.com/contact.html

Bert

--
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlQQBY8ACgkQHF7pkNLnFXUeWACgqyD19AIsGG/tQVQqU/iHUQNX
3kQAoKWFsVC4ZV4+0Yl4QDy6ntUFM7Xz
=wv1m
-----END PGP SIGNATURE-----


From peter.van.dijk at netherlabs.nl Tue Sep 23 08:08:53 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Tue, 23 Sep 2014 10:08:53 +0200
Subject: [Pdns-announce] Authoritative Server 3.4.0 Release Candidate
Message-ID: <3CE4E57C-2CDE-4529-91F2-2C8EDBAB860C@netherlabs.nl>

Hi everybody,

Release Candidate 2 of the PowerDNS Authoritative Server 3.4.0 is available from:

http://powerdnssec.org/downloads/pdns-3.4.0-rc2.tar.bz2
http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.i386.rpm
http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.x86_64.rpm
http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_amd64.deb
http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_i386.deb

You are cordially invited to (carefully) test this Release Candidate for correct behaviour.

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0

Here is a text-only version:

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

A list of changes since RC1 follows. For the complete changes since 3.3.1, see the URL above.

Changes between RC1 and RC2:

* commit bb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes ticket 1400.
* commit 4a23af7: init script: support DAEMON_ARGS; commit 7e5b3a0: init script: ensure socket dir exists
* commit dd930ed: don't import supermaster ips from other accounts
* commit ed3afdf: fall back to central bind if reuseport bind fails; improves ticket 1715
* commit 709ca59: GeoIP backend implementation. This is a new backend, still experimental!
* commit bf5a484: support EVERY future version of OS X, fixes ticket 1702
* commit 4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes ticket 1684; commit 74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal
* commit 882ca9d: revert setpgrp changes
* commit 2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort
* commit 0ffd51d: improve error reporting on malformed labels
* commit c48dec7: Fix forwarded TSIG message issue
* commit dad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes ticket 1658
* commit c7287b6: should fix ticket 1662, reloading while checking for domains that need to be notified in BIND, causing lock
* commit 3e67ea8: allow OPT pseudo record type in IXFR query
* commit a1caa8b: webserver: htmlescape VERSION and config name
* commit df9d980: Remove "log-failed-updates" leftover
* commit a1fe72a: Remove unused "soa-serial-offset" option


From peter.van.dijk at netherlabs.nl Tue Sep 30 10:41:27 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Tue, 30 Sep 2014 12:41:27 +0200
Subject: [Pdns-announce] PowerDNS Authoritative Server 3.4.0 released
Message-ID:

Hi everybody,

PowerDNS Authoritative Server 3.4.0 is now available!

3.4.0 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full release notes and all download links.

You can get PowerDNS 3.4.0 from:

http://downloads.powerdns.com/releases/pdns-3.4.0.tar.bz2
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.x86_64.rpm

These files also come with GPG signatures (append .sig).

Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS at https://www.monshouwer.eu/download/3rd_party/pdns/

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

A list of changes since 3.3.1 follows.

Changes between RC2 and 3.4.0:

* gad189c9, g445d93c: also distribute the dnsdist manual page
* gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all backends actually work as dynamic modules
* g14b11c4: raise log level on dlerror(), fixes t1734, thanks @James-TR
* g016d810: improve postgresql detection during ./configure
* gdce1e90: DNAME: don't sign the synthesised CNAME
* g25e7af3: send empty SERVFAIL after a backend throws a DBException, instead of including useless content

Changes between RC1 and RC2:

* gbb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes t1400.
* g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init script: ensure socket dir exists
* gdd930ed: don't import supermaster ips from other accounts
* ged3afdf: fall back to central bind if reuseport bind fails; improves t1715
* g709ca59: GeoIP backend implementation. This is a new backend, still experimental!
* gbf5a484: support EVERY future version of OS X, fixes t1702
* g4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal
* g882ca9d: revert setpgrp changes
* g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort
* g0ffd51d: improve error reporting on malformed labels
* gc48dec7: Fix forwarded TSIG message issue
* gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes t1658
* gc7287b6: should fix t1662, reloading while checking for domains that need to be notified in BIND, causing lock
* g3e67ea8: allow OPT pseudo record type in IXFR query
* ga1caa8b: webserver: htmlescape VERSION and config name
* gdf9d980: Remove "log-failed-updates" leftover
* ga1fe72a: Remove unused "soa-serial-offset" option

Changes between 3.3.1 and 3.4.0-RC1 follow.

DNSSEC changes:

* gbba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
* g28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
* gb50efd6: drop the 'superfluous NSEC3' option that old BIND validators need.
* The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
* Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM.
* Direct RRSIG queries now return NOTIMP.
* gfa37777: add secure-all-zones command to pdnssec
* Unrectified zones can now get rectified 'on the fly' during outgoing AXFR. This makes it possible to run a hidden signing master without rectification.
* g82fb538: AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
* Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
* g0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
* gb8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys.
* g52e0d78: answer direct NSEC queries without DO bit
* gca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
* g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
* gac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations
* gff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations

New features:

* DNAME support. Enable with experimental-dname-processing.
* PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
* g767da1a: Add list-zone capability to pdns_control
* g51f6bca: Add delete-zone to pdnssec.
* The gsql backends now support record comments, and disabling records.
* The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements.
* local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
* 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR retrieval.
* g451ba51: Implement pdnssec get-meta/set-meta
* Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with extensive testing by Kees Monshouwer.
* pdns_control bind-add-zone
* New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
* pdnssec now has commands for TSIG key management.
* We now support other algorithms than MD5 for TSIG.
* gba7244a: implement pdns_control qtypes
* Support for += syntax for options

Bugfixes:

* We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
* gff99a74: making *-threads settings empty now yields a default of one instead of zero.
* g9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
* g9245fd9: don't addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
* g719f902: fix dual-stack superslave when multiple nameservers share an IP
* g33966bf: avoid address truncation in doNotifications
* geac85b1: prevent duplicate slave notifications caused by different ipv6 address formatting
* g3c8a711: make notification queue ipv6 compatible
* g0c13e45: make isMaster ip check more tolerant for different ipv6 notations
* Various fixes for possible issues reported by Coverity Scan (gf17c93b, )
* g9083987: don't rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
* Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
* Decreasing the webserver ringbuffer size could cause crashes.
* g4c89cce: nproxy: Add missing chdir("/") after chroot()
* g016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal

REST API changes:

* The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others.
* Mark Schouten at Tuxis contributed a zone importer.

Other changes:

* Our tarballs and packages now include *.sql schema files for the SQL backends.
* The webserver (including API) now has an ACL (webserver-allow-from).
* Webserver (including API) is now powered by YaHTTP.
* Various autotools usage improvements from Ruben Kerkhof.
* The dist tarball is now bzip2-compressed instead of gzip.
* Various remotebackend updates, including replacing curl with (included) yahttp.
* Dynamic module loading is now allowed on Mac OS X.
* The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
* gba91c2f: remove unused gpgsql-socket option and document postgres socket usage
* Improved support for Lua 5.2.
* The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
* geobackend now has very limited edns-subnet support - it will use the 'real' remote if available.
* pipebackend ABI v4 adds the zone name to the AXFR command.
* We now avoid getaddrinfo() as much as possible.
* The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
* gff5ba4f: pdns_server --help no longer exits with 1.
* Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
* g81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes t844.
* RCodes are now reported in text in various places, thanks Aki.
* Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
* Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
* Bundled PolarSSL has been upgraded to 1.3.2
* PolarSSL replaced previously bundled implementations of AES (ge22d9b4) and SHA (g9101035)
* bindbackend is now a module
* g14a2e52: Use the inet data type for supermasters.ip on postgresql.
* We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
* g3613a51: Show built-in features in --version output
* g4bd7d35: make domainmetadata queries case insensitive
* g088c334: output warning message when no to-be-notified NS's are found
* g5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
* gd87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
* On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
* Removed settings related to fancy records, as we haven't supported those since version 3.0
* Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in g801812e and g8403ade.
Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From bert.hubert at netherlabs.nl Wed Sep 10 08:02:23 2014 From: bert.hubert at netherlabs.nl (bert hubert) Date: Wed, 10 Sep 2014 10:02:23 +0200 Subject: [Pdns-announce] PowerDNS Recursor Security Release 3.6.1 Message-ID: <20140910080223.GB3912@xs.powerdns.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everybody, We regret that we have to announce a PowerDNS Recursor security release: Issue: A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely CVE: CVE-2014-3614 Affected: All deployments of PowerDNS Recursor 3.6.0 Not Affected: PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0 Workaround: 1) Only users from netmasks specified in 'allow-from' can cause the crash 2) add automated restarting Remediation: Upgrade 3.6.1 using the packages we provided, or apply our minimal patch and recompile Distributions shipping 3.6.0 have been notified last week and will be providing updates very soon Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin. Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow. Fixed packages and sources are available from: https://www.powerdns.com/downloads.html In addition, if you want to apply a minimal fix, it can be found on: https://xs.powerdns.com/tmp/minipatch-3.6.1 Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified and will be providing updated packages soon. As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. 
Secondly, https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf and https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service can be used to enable Upstart and Systemd to restart the PowerDNS Recursor in case of a crash. In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature: * We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in commit c90fcbd , closing ticket 1663. * Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens. * Realtime telemetry can now be enabled at runtime, for example with 'rec_control carbon-server 82.94.213.34 ourname1234'. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server. We want to thank the dedicated PowerDNS users that spent months investigating the rare crashes they observed. Without such an engaged community, we would never be able to chase down issues like these. 
If you have any questions regarding this update, or need help upgrading, pleae contact us here or through https://www.powerdns.com/contact.html Bert - -- PowerDNS Website: http://www.powerdns.com/ Contact us by phone on +31-15-7850372 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlQQBY8ACgkQHF7pkNLnFXUeWACgqyD19AIsGG/tQVQqU/iHUQNX 3kQAoKWFsVC4ZV4+0Yl4QDy6ntUFM7Xz =wv1m -----END PGP SIGNATURE----- From peter.van.dijk at netherlabs.nl Tue Sep 23 08:08:53 2014 From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Tue, 23 Sep 2014 10:08:53 +0200 Subject: [Pdns-announce] Authoritative Server 3.4.0 Release Candidate Message-ID: <3CE4E57C-2CDE-4529-91F2-2C8EDBAB860C@netherlabs.nl> Hi everybody, Release Candidate 2 of the PowerDNS Authoritative Server 3.4.0 is available from: http://powerdnssec.org/downloads/pdns-3.4.0-rc2.tar.bz2 http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.i386.rpm http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc2-1.x86_64.rpm http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_amd64.deb http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc2-1_i386.deb You are cordially invited to (carefully) test this Release Candidate for correct behaviour. Full release notes, with clickable links, are available from: http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 Here is a text-only version: This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful. A list of changes since RC1 follows. For the complete changes since 3.3.1, see the URL above. Changes between RC1 and RC2: * commit bb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes ticket 1400. 
* commit 4a23af7: init script: support DAEMON_ARGS; commit 7e5b3a0: init script: ensure socket dir exists * commit dd930ed: don't import supermaster ips from other accounts * commit ed3afdf: fall back to central bind if reuseport bind fails; improves ticket 1715 * commit 709ca59: GeoIP backend implementation. This is a new backend, still experimental! * commit bf5a484: support EVERY future version of OS X, fixes ticket 1702 * commit 4dbaec6: Check for __FreeBSD_kernel__ as per https:// lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes ticket 1684; commit 74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal * commit 882ca9d: revert setpgrp changes * commit 2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort * commit 0ffd51d: improve error reporting on malformed labels * commit c48dec7: Fix forwarded TSIG message issue * commit dad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes ticket 1658 * commit c7287b6: should fix ticket 1662, reloading while checking for domains that need to be notified in BIND, causing lock * commit 3e67ea8: allow OPT pseudo record type in IXFR query * commit a1caa8b: webserver: htmlescape VERSION and config name * commit df9d980: Remove "log-failed-updates" leftover * commit a1fe72a: Remove unused "soa-serial-offset" option -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From peter.van.dijk at netherlabs.nl Tue Sep 30 10:41:27 2014 From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Tue, 30 Sep 2014 12:41:27 +0200 Subject: [Pdns-announce] PowerDNS Authoritative Server 3.4.0 released Message-ID: Hi everybody, PowerDNS Authoritative Server 3.4.0 is now available! 
3.4.0 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however! Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full release notes and all download links. You can get PowerDNS 3.4.0 from: http://downloads.powerdns.com/releases/pdns-3.4.0.tar.bz2 http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_i386.deb http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_amd64.deb http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.i386.rpm http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.x86_64.rpm These files also come with GPG signatures (append .sig). Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS at https://www.monshouwer.eu/download/3rd_party/pdns/ This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful. A list of changes since 3.3.1 follows. Changes between RC2 and 3.4.0: * gad189c9, g445d93c: also distribute the dnsdist manual page * gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all backends actually work as dynamic modules * g14b11c4: raise log level on dlerror(), fixes t1734, thanks @James-TR * g016d810: improve postgresql detection during ./configure * gdce1e90: DNAME: don't sign the synthesised CNAME * g25e7af3: send empty SERVFAIL after a backend throws a DBException, instead of including useless content Changes between RC1 and RC2: * gbb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes t1400. 
* g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init script: ensure socket dir exists * gdd930ed: don't import supermaster ips from other accounts * ged3afdf: fall back to central bind if reuseport bind fails; improves t1715 * g709ca59: GeoIP backend implementation. This is a new backend, still experimental! * gbf5a484: support EVERY future version of OS X, fixes t1702 * g4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal * g882ca9d: revert setpgrp changes * g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort * g0ffd51d: improve error reporting on malformed labels * gc48dec7: Fix forwarded TSIG message issue * gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes t1658 * gc7287b6: should fix t1662, reloading while checking for domains that need to be notified in BIND, causing lock * g3e67ea8: allow OPT pseudo record type in IXFR query * ga1caa8b: webserver: htmlescape VERSION and config name * gdf9d980: Remove "log-failed-updates" leftover * ga1fe72a: Remove unused "soa-serial-offset" option Changes between 3.3.1 and 3.4.0-RC1 follow. DNSSEC changes: * gbba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures. * g28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option. * gb50efd6: drop the 'superfluous NSEC3' option that old BIND validators need. * The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid. * Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM. * Direct RRSIG queries now return NOTIMP. * gfa37777: add secure-all-zones command to pdnssec * Unrectified zones can now get rectified 'on the fly' during outgoing AXFR. 
This makes it possible to run a hidden signing master without rectification. * g82fb538: AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs * Various minor bugfixes, mostly from the unstoppable Kees Monshouwer. * g0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage. * gb8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys. * g52e0d78: answer direct NSEC queries without DO bit * gca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled * g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling * gac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations * gff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations New features: * DNAME support. Enable with experimental-dname-processing. * PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval. * g767da1a: Add list-zone capability to pdns_control * g51f6bca: Add delete-zone to pdnssec. * The gsql backends now support record comments, and disabling records. * The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements. * local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind. * 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR retrieval. * g451ba51: Implement pdnssec get-meta/set-meta * Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with extensive testing by Kees Monshouwer. * pdns_control bind-add-zone * New option bind-ignore-broken-records ignores out-of-zone records while loading zone files. * pdnssec now has commands for TSIG key management. * We now support other algorithms than MD5 for TSIG. 
* gba7244a: implement pdns_control qtypes * Support for += syntax for options Bugfixes: * We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes. * gff99a74: making *-threads settings empty now yields a default of one instead of zero. * g9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging! * g9245fd9: don't addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone * g719f902: fix dual-stack superslave when multiple namservers share a ip * g33966bf: avoid address truncation in doNotifications * geac85b1: prevent duplicate slave notications caused by different ipv6 address formatting * g3c8a711: make notification queue ipv6 compatible * g0c13e45: make isMaster ip check more tolerant for different ipv6 notations * Various fixes for possible issues reported by Coverity Scan (gf17c93b, ) * g9083987: don't rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks! * Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone. * Decreasing the webserver ringbuffer size could cause crashes. * g4c89cce: nproxy: Add missing chdir("/") after chroot() * g016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal REST API changes: * The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others. * Mark Schouten at Tuxis contributed a zone importer. Other changes: * Our tarballs and packages now include *.sql schema files for the SQL backends. * The webserver (including API) now has an ACL (webserver-allow-from). * Webserver (including API) is now powered by YaHTTP. * Various autotools usage improvements from Ruben Kerkhof. 
* The dist tarball is now bzip2-compressed instead of gzip.
* Various remotebackend updates, including replacing curl with (included) yahttp.
* Dynamic module loading is now allowed on Mac OS X.
* The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
* gba91c2f: remove unused gpgsql-socket option and document postgres socket usage
* Improved support for Lua 5.2.
* The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
* geobackend now has very limited edns-subnet support - it will use the 'real' remote if available.
* pipebackend ABI v4 adds the zone name to the AXFR command.
* We now avoid getaddrinfo() as much as possible.
* The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
* gff5ba4f: pdns_server --help no longer exits with 1.
* Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
* g81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes t844.
* RCodes are now reported in text in various places, thanks Aki.
* Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
* Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
* Bundled PolarSSL has been upgraded to 1.3.2
* PolarSSL replaced previously bundled implementations of AES (ge22d9b4) and SHA (g9101035)
* bindbackend is now a module
* g14a2e52: Use the inet data type for supermasters.ip on postgresql.
* We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
* g3613a51: Show built-in features in --version output
* g4bd7d35: make domainmetadata queries case insensitive
* g088c334: output warning message when no to-be-notified NS's are found
* g5631b44: gpgsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
* gd87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
* Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said.
* On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
* Removed settings related to fancy records, as we haven't supported those since version 3.0
* Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in g801812e and g8403ade.
