[dnsdist] dnsdist 1.3.2 released
Frank Even
lists+powerdns.com at elitists.org
Fri Aug 24 01:53:14 UTC 2018
Will these updates eventually make their way into CentOS EPEL? Looks like
I'm still on 1.3.0 pulling from those repos.
On Tue, Jul 10, 2018 at 7:20 AM, Remi Gacogne <remi.gacogne at powerdns.com>
wrote:
> Hello everyone,
>
> We are very happy to announce the 1.3.2 release of dnsdist. This release
> contains a few new features, but is mostly fixing bugs and documentation
> issues reported since the release of dnsdist 1.3.0. You might be
> wondering why this release is not numbered 1.3.1: we discovered a build
> issue on some platforms right after tagging 1.3.1 and therefore decided
> to release 1.3.2 right away.
>
> Breaking changes
> ================
>
> After discussing with several users, we noticed that quite a lot of them
> were not aware that enabling dnsdist's console without a key, even
> restricted to the local host, could be a security issue and allow
> privilege escalation by allowing an unprivileged user to connect to the
> console and execute Lua code as the dnsdist user. We therefore decided
> to refuse any connection to the console until a key has been set, so
> please check that you do set a key before upgrading if you use the console.
>
> New features
> ============
>
> The DNS over TLS feature introduced in 1.3.0 was missing the ability to
> support both an RSA and an ECDSA certificate at the same time, and it
> was not possible to switch to a new certificate without restarting
> dnsdist. This has now been fixed.
>
> The packet cache has also been improved in this release, with the
> addition of a negative TTL option to be able to specify how long NODATA
> and NXDOMAIN answers should be cached, as well as a way to dump the
> content of the cache. We also made the detection of ECS collisions more
> robust, preventing two queries for the same name, type and class but a
> different ECS subnet from colliding even if they did hash to the same
> value.
>
> This version gained the ability to insert dynamic rules that do nothing,
> and do not stop the processing of subsequent rules, which is very useful
> for testing purposes. The optimized DynblockRulesGroup introduced in
> 1.3.0 also gained the ability to whitelist and blacklist ranges from
> dynamic rules, for example to prevent some clients from ever being
> blocked by a rate-limiting rule.
>
> Finally, we introduced the new SetECSAction directive to be able to
> force the ECS value sent to a downstream server for some or all queries.
>
> Bug fixes
> =========
>
> In addition to various documentation and cosmetics fixes, a few annoying
> bugs have been fixed in this release:
>
> - If the first connection attempt to a given backend failed, dnsdist
> didn't properly reconnect even when the backend became available;
> - Dynamic blocks were sometimes created with the wrong duration;
> - The ability to iterate over the results of the Lua exceed*() functions
> was broken in 1.3.0, preventing manual whitelisting from Lua;
> - Some statistics were displayed with too many decimals in the web
> interface;
> - A backend outstanding queries counter could become wrong if it dropped
> a lot of queries for a while.
>
>
> Please see the dnsdist website [1] for the more complete changelog
> [2] and the current documentation.
>
> Release tarballs are available on the downloads website [3].
>
> Several packages are also available on our repository [4].
>
>
> [1]: https://dnsdist.org
> [2]: https://dnsdist.org/changelog.html
> [3]: https://downloads.powerdns.com/releases/dnsdist-1.3.2.tar.bz2
> [4]: https://repo.powerdns.com/
>
> Best regards,
>
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
>
>
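
Added example (not part of the original thread and not dnsdist's own code): a pre-upgrade check for the console change described under "Breaking changes" in the quoted announcement, reporting whether a configuration calls controlSocket() without an active setKey(). The function names, result strings and sample configurations are constructed for illustration, and the check assumes the key is passed to setKey() as a base64 string literal.

```python
import base64
import binascii
import re

def strip_lua_comments(text):
    """Remove --[[ ]] blocks and -- line comments, leaving quoted strings intact."""
    text = re.sub(r"--\[\[.*?\]\]", "", text, flags=re.S)
    kept = []
    for line in text.splitlines():
        quote, i = None, 0
        while i < len(line):
            ch = line[i]
            if quote:
                if ch == "\\":
                    i += 1              # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif line.startswith("--", i):
                line = line[:i]         # comment starts outside a string
                break
            i += 1
        kept.append(line)
    return "\n".join(kept)

def audit_console(conf_text):
    """Classify a dnsdist configuration by how its console is protected."""
    code = strip_lua_comments(conf_text)
    if not re.search(r"\bcontrolSocket\s*\(", code):
        return "console-disabled"
    # Assumption: the key is a string literal; a key held in a variable is not seen.
    keys = re.findall(r"\bsetKey\s*\(\s*(['\"])(.*?)\1\s*\)", code)
    if not keys:
        return "console-without-key"    # 1.3.2 refuses console connections here
    try:
        raw = base64.b64decode(keys[-1][1], validate=True)
    except (binascii.Error, ValueError):
        return "key-invalid"
    return "ok" if raw else "key-invalid"

# Constructed sample configurations (address and key are placeholders, not secrets).
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
WEAK = "controlSocket('127.0.0.1:5199')\n-- setKey('" + SAMPLE_KEY + "')\n"
FIXED = "controlSocket('127.0.0.1:5199')\nsetKey('" + SAMPLE_KEY + "')\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_console(conf))
```

A commented-out setKey() line, as in the WEAK sample, is treated as no key at all.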