[Pdns-users] PowerDNS Recursor 3.1.5 released - security update inside

bert hubert bert.hubert at netherlabs.nl
Mon Mar 31 12:01:08 UTC 2008


PowerDNS Recursor 3.1.5 released
--------------------------------
We would like to thank Amit Klein of Trusteer for bringing a serious
vulnerability to our attention which would enable a smart attacker to
'spoof' previous versions of the PowerDNS Recursor into accepting possibly
mallicious data.

Details can be found on http://www.trusteer.com/docs/powerdnsrecursor.html

It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5
as soon as practicable, while we simultaneously note that busy servers are
less susceptible to the attack, but not immune.

The PowerDNS Security Advisory can be found in
http://doc.powerdns.com/powerdns-advisory-2008-01.html

PowerDNS Recursor 3.1.5 has been in production use for the past few weeks,
and has been validated by in excess of one billion test queries, the results
of which were compared to those generated by a reference implementation.

Generic GPL sources:
http://downloads.powerdns.com/releases/pdns-recursor-3.1.5.tar.bz2

32-bit Linux:
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.5-1_i386.deb
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.5-1.i386.rpm

64-bit Linux:
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.5-1.x86_64.rpm
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.5-1.x86_64.rpm

Release notes with clickable links:
http://doc.powerdns.com/changelog.html#CHANGELOG-RECURSOR-3-1-5

Much like 3.1.4, this release does not add a lot of major features.
Instead, performance has been improved significantly (estimated at around
20%), and many rare and not so rare issues were addressed. Multi-part TXT
records now work as expected - the only significant functional bug found
in 15 months. One of the oldest feature requests was fulfilled: version
3.1.5 can finally forward queries for designated domains to multiple
servers, on differing port numbers if needed. Previously only one
forwarder address was supported. This lack held back a number of
migrations to PowerDNS.

This version can properly benefit from all IPv4 and IPv6 addresses in use
at the root-servers as of early February 2008. In order to implement this,
changes were made to how the Recursor deals internally with A and AAAA
queries for nameservers, see below for more details.

Additionally, newer releases of the G++ compiler required some fixes (see
ticket 173).

This release was made possible by the help of Wichert Akkerman, Winfried
Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), Leo Baltus
(Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf
Cegetel), Peter Gervai, Marcus Goller (UPC), Matti Hiljanen
(Saunalahti/Elisa), Ruben Kerkhoff, Alex Kiernan, Amit Klein (Trusteer),
Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert
(OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt
(Freenet.de), Kai Storbeck (xs4all), Alex Trull, Andrew Turnbull (No Wires
LTD) and Aaron Thompson, and many more who filed bugs anonymously, or who
we forgot to mention.

Security related issues:

  * Amit Klein has informed us that System random generator output can be
    predicted based on its past behaviour, allowing a smart attacker to
    'spoof' our nameserver. Full details in Section 1.7.

  * The Recursor will by default no longer query private-space
    nameservers. This closes a slight security risk and simultaneously
    improves performance and stability. For more information, see
    dont-query in Section 12.1. Implemented in commit 923.

  * Applied fix for ticket 110 ('PowerDNS should change directory to '/'
    in chroot), implemented in commit 944.

Performance:

  * The DNS packet writing and parsing infrastructure performance was
    improved in several ways, see commits 925, 926, 928, 931, 1021, 1050.

  * Remove multithreading overhead from the Recursor (commit 999).

Bug fixes:

  * Built-in authoritative server now properly derives the TTL from the
    SOA record if not specified. Implemented in commit 1165. Additionally,
    even when TTL was specified for the built-in authoritative server, it
    was ignored. Reported by Stefan Schmidt, closing ticket 147.

  * Empty TXT record components can now be served. Implemented in commit
    1166, closing ticket 178. Spotted by Matti Hiljanen.

  * The Recursor would not properly override old data with new, sometimes
    serving old and new data concurrently. Fixed in commit 1137.

  * SOA records with embedded carriage-return characters are now parsed
    correctly. Implemented in commit 1167, closing ticket 162.

  * Some routing conditions could cause UDP connected sockets to generate
    an error which PowerDNS did not deal with properly, leading to a
    leaked file descriptor. As these run out over time, the recursor could
    crash. This would also happen for IPv6 queries on a host with no IPv6
    connectivity. Thanks to Kai of xs4all and Wichert Akkerman for
    reporting this issue. Fix in commit 1133.

  * Empty unknown record types can now be stored without generating a
    scary error (commit 1129)

  * Applied fix for ticket 111, ticket 112 and ticket 153 - large
    (multipart) TXT records are now retrieved and served properly. Fix in
    commit 996.

  * Solaris compilation instructions in Recursor documentation were wrong,
    leading to an instant crash on startup. Luckily nobody reads the
    documentation, except for Marcus Goller who found the error. Fixed in
    commit 1124.

  * On Solaris, finally fix the issue where queries get distributed
    strangely over CPUs, or not get distributed at all. Much debugging and
    analysing performed by Alex Kiernan, who also supplied fixes.
    Implemented in commit 1091, commit 1093.

  * Various fixes for modern G++ versions, most spotted by Marcus Rueckert
    (commits 964, 965, 1028, 1052), and Ruben Kerkhoff (commit 1136,
    closing ticket 175).

  * Recursor would not properly clean up pidfile and control socket,
    closing ticket 120, code in commit 988, commit 1098 (part of fix by
    Matti Hiljanen, spotted by Leo Baltus)

  * Recursor can now serve multi-line records from its limited
    authoritative server (commit 1014).

  * When parsing zones, the 'm' time specification stands for minutes, not
    months! Closing Debian bug 406462 (commit 1026)

  * Authoritative zone parser did not support '@' in the content of
    records. Spotted by Marco Davids, fixed in commit 1030.

  * Authoritative zone parser could be confused by trailing TABs on record
    lines (commit 1062).

  * EINTR error code could block entire server if received at the wrong
    time. Spotted by Arnoud Bakker, fix in commit 1059.

  * Fix crash on NetBSD on Alpha CPUs, might improve startup behaviour on
    empty caches on other architectures as well (commit 1061).

  * Outbound TCP queries were being performed sub-optimally because of an
    interaction with the 'Mplexer'. Fixes in commit 1115, commit 1116.

New features:

  * Implemented rec_control command get uptime, as suggested by Niels
    Bakker (commit 935). Added to default rrdtool scripts in commit 940.

  * The Recursor Authorative component, meant for having the Recursor
    serve some zones authoritatively, now supports $INCLUDE and $GENERATE.
    Implemented in commit 951 and commit 952, commit 967 (discovered by
    Thomas Rietz),

  * Implemented forward-zones-file option in order to support larger
    amounts of zones which should be forwarded to another nameserver
    (commit 963).

  * Both forward-zones and forward-zones-file can now specify multiple
    forwarders per domain, implemented in commit 1168, closing ticket 81.
    Additionally, both these settings can also specify non-standard port
    numbers, as suggested in ticket ticket 122. Patch authored by Aaron
    Thompson, with additional work by Augie Schwer.

  * Sten Spans contributed allow-from-file, implemented in commit 1150.
    This feature allows the Recursor to read access rules from a (large)
    file.

General improvements:

  * Ruben Kerkhof fixed up weird permission bits as well as our SGML
    documentation code in commit 936 and commit 937.

  * Full IPv6 parity. If configured to use IPv6 for outgoing queries
    (using query-local-address6=::0 for example), IPv6 and IPv4 addresses
    are finally treated 100% identically, instead of 'mostly'. This
    feature is implemented using 'ANY' queries to find A and AAAA
    addresses in one query, which is a new approach. Treat with caution.

  * Now perform EDNS0 root refreshing queries, so as to benefit from all
    returned addresses. Relevant since early February 2008 when the
    root-servers started to respond with IPv6 addresses, which made the
    default non-EDNS0 maximum packet length reply no longer contain all
    records. Implemented in commit 1130. Thanks to dns-operations AT
    mail.oarc.isc.org for quick suggestions on how to deal with this
    change.

  * rec_control now has a timeout in case the Recursor does not respond.
    Implemented in commit 945.

  * (Error) messages are now logged with saner priorities (commit 955).

  * Outbound query IP interface stemmed from 1997 (!) and was in dire need
    of a cleanup (commit 1117).

  * L.ROOT-SERVERS.NET moved (commit 1118).

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services


More information about the Pdns-users mailing list