[dnsdist] dnsdist 1.2.0 released

Remi Gacogne remi.gacogne at powerdns.com
Mon Aug 21 15:46:37 UTC 2017


Hi everybody,

We are very pleased to announce the availability of dnsdist 1.2.0,
bringing a lot of new features and fixes since 1.1.0.

This release also addresses two security issues of low severity,
CVE-2016-7069 and CVE-2017-7557. The first issue can lead to a denial of
service on 32-bit if a backend sends crafted answers, and the second to
an alteration of dnsdist's ACL if the API is enabled, writable and an
authenticated user is tricked into visiting a crafted website. More
information can be found in our security advisories 2017-01 [1] and
2017-02 [2].

Highlights include:

* applying rules on cache hits
* addition of runtime changeable rules that match IP addresses for a
certain time: TimedIPSetRule
* SNMP support, exporting statistics and sending traps
* preventing the packet cache from ageing responses when deployed in front
of authoritative servers
* TTL alteration capabilities
* consistent hash results over multiple deployments
* exporting CNAME records over protobuf
* tuning the size of the ringbuffers used to keep track of recent
queries and responses
* various DNSCrypt-related fixes and improvements, including automatic
key rotation

Users upgrading from a previous version should be aware that:

* the truncateTC option is now off by default, to follow the principle
of least astonishment
* the signature of the addLocal() and setLocal() functions has been
changed, to make it easier to add new parameters without breaking
existing configurations
* the packet cache does not cache answers without any TTL anymore, to
prevent them from being cached forever
* blockfilter has been removed, since it was completely redundant

This release also deprecates a number of functions, which will be
removed in 1.3.0. Those functions had the drawback of making dnsdist's
configuration less consistent by hiding the fact that each rule is
composed of a selector and an action. They are still supported in 1.2.0
but a warning is displayed whenever they are used, and a replacement
suggested.

For the many other new features, improvements and bug fixes, please see
the dnsdist website [3] for the more complete changelog [4] and
the current documentation.

Release tarballs are available on the downloads website [5].

Several packages are also available on our repository [6].

Best regards,

[1]:
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html
[2]:
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html
[3]: https://dnsdist.org/
[4]: https://dnsdist.org/changelog.html
[5]: https://downloads.powerdns.com/releases/dnsdist-1.2.0.tar.bz2
[6]: https://repo.powerdns.com/

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
