[Pdns-announce] dnsdist 1.3.2 released

[Remi Gacogne]

Hello everyone,

We are very happy to announce the 1.3.2 release of dnsdist. This release
contains a few new features, but is mostly fixing bugs and documentation
issues reported since the release of dnsdist 1.3.0. You might be
wondering why this release is not numbered 1.3.1, we discovered a build
issue on some platforms right after tagging 1.3.1 and therefore decided
to release 1.3.2 right away.

Breaking changes
================

After discussing with several users, we noticed that quite a lot of them
were not aware that enabling the dnsdist's console without a key, even
restricted to the local host, could be a security issue and allow
privilege escalation by allowing an unprivileged user to connect to the
console and execute Lua code as the dnsdist user. We therefore decided
to refuse any connection to the console until a key has been set, so
please check that you do set a key before upgrading if you use the console.

New features
============

The DNS over TLS feature introduced in 1.3.0 was missing the ability to
support both an RSA and an ECDSA certificate at the same time, and it
was not possible to switch to a new certificate without restarting
dnsdist. This has now been fixed.

The packet cache has also been improved in this release, with the
addition of a negative TTL option to be able to specify how long NODATA
and NXDOMAIN answers should be cache, as well as a way to dump the
content of the cache. We also made the detection of ECS collisions more
robust, preventing two queries for the same name, type and class but a
different ECS subnet from colliding even if they did hash to the same value.

This version gained the ability to insert dynamic rules that do nothing,
and do not stop the processing of subsequent rules, which is very useful
for testing purposes. The optimized DynblockRulesGroup introduced in
1.3.0 also gained the ability to whitelist and blacklist ranges from
dynamic rules, for example to prevent some clients from ever being
blocked by a rate-limiting rule.

Finally, we introduced the new SetECSAction directive to be able to
force the ECS value sent to a downstream server for some or all queries.

Bug fixes
=========

In addition to various documentation and cosmetics fixes, a few annoying
bugs have been fixed in this release:

- If the first connection attempt to a given backend failed, dnsdist
didn't properly reconnect even when the backend became available ;
- Dynamic blocks were sometimes created with the wrong duration ;
- The ability to iterate over the results of the Lua exceed*() functions
was broken in 1.3.0, preventing manual whitelisting from Lua ;
- Some statistics were displayed with too many decimals in the web
interface ;
- A backend outstanding queries counter could become wrong if it dropped
a lot of queries for a while.


Please see the dnsdist website [1] for the more complete changelog
[2] and the current documentation.

Release tarballs are available on the downloads website [3].

Several packages are also available on our repository [4].


[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html
[3]: https://downloads.powerdns.com/releases/dnsdist-1.3.2.tar.bz2
[4]: https://repo.powerdns.com/

Best regards,

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20180710/ec3dc95f/attachment.sig>