From otto.moerbeek at open-xchange.com Mon Jul 15 13:57:11 2019 From: otto.moerbeek at open-xchange.com (Otto Moerbeek) Date: Mon, 15 Jul 2019 15:57:11 +0200 (CEST) Subject: [Pdns-announce] PowerDNS Recursor 4.2.0 Released Message-ID: <311317872.432.1563199031881@appsuite-guard.open-xchange.com> (via: https://blog.powerdns.com/2019/07/15/powerdns-recursor-4-2-0-released/) July 15, 2019 PowerDNS Recursor 4.2.0 Released We’re proud to announce version 4.2.0 for the PowerDNS Recursor 4.2 release train. The 4.2.0 release of the PowerDNS Recursor brings a lot of small, incremental changes over the 4.1.x releases. We expect little operational impact when upgrading from 4.1.x. However, several new features have been implemented and some features have changed. This release was made possible by contributions from: Gibheer, cclauss, Aki Tuomi, Ruben, Doug Freed, Richard Gibson, Peter Gervai, Oli, Josh Soref, Rens Houben, Kirill Ponomarev, Kees Monshouwer, Matt Nordhoff, OSSO B.V., phonedph1, Rafael Buchbinder, Ruben Kerkhof, spirillen, Tom Ivar Helbekkmo and Chris Hofstaedtler. Thanks! DNS Flag Day The 4.2.0 release of the PowerDNS Recursor removes several workarounds for authoritative servers that respond badly to EDNS(0) queries. This is part of a multi-vendor effort known as DNS flag day to move the DNS ecosystem forward by being less lenient on non-conforming implementations. XPF Support This release adds support for DNS X-Proxied-For (draft-bellis-dnsop-xpf-04). This technique is roughly equivalent to HTTP’s X-Forwarded-For header, it can communicate the IP address and port of the original requestor from a loadbalancer/frontend (like dnsdist) to the backend server. This can allow the backend server to make decisions regarding that specific client. XPF is disabled by default and can be enabled by setting the xpf-allow-from setting to the source IP address of the front-end proxy and setting xpf-rr-code to the code of the resource record used by the frontend. EDNS Client Subnet Improvements More granularity has been added for the users of EDNS Client Subnet. The new ecs-add-for setting can be set to a list of netmasks for which the requestor’s IP address should be used as the EDNS Client Subnet for outgoing queries. For IP addresses not on this list, the PowerDNS Recursor will use the ecs-scope-zero-address instead, which matches the behavior of 4.1.x. Valid incoming ECS values from use-incoming-edns-subnet are not replaced. New and Updated Settings Sites that process large numbers of queries per second (100k+), may benefit from the new distributor-threads setting. This can be used in combination with pdns-distributes-queries=yes to spawn multiple threads that will pick up incoming queries and distribute them over the worker threads. For several statistics, the PowerDNS Recursor uses a public suffix list to group queries. Before, this list was built into the binary and only updated for every release. This release adds the public-suffix-list-file setting that allows operators to supply their own public suffix list. This option is unset by default, which means the built-in list is used. Over the last years it has become clear that many networks on the internet lose large UDP packets, leading to authoritative servers being seen as dead from the recursor’s perspective. To ensure return packets from authoritative servers have a better chance of reaching the recursor, the edns-outgoing-bufsize setting’s default has changed from 1680 to 1232. 1232 was chosen because it is the largest DNS response that can be carried on an IPv6 link with the IPv6 minimal MTU (1280). In tandem with this change, the udp-truncation-threshold that decides when to truncate responses to clients has also been changed from 1680 to 1232. Changes since release candidate 2 There have been some minor changes since release candidate 2: #8074: Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0 #8052: Limit compression pointers to 14 bits #8009: Fix the export of only outgoing queries or incoming responses #8005: Clear CMSG_SPACE(sizeof(data)) in cmsghdr to appease valgrind Please see the changelog[1] for details. Release cycles Starting with this release, we intend to move to 6 month release cycles. This means the next release of PowerDNS recursor (4.3) is scheduled for January 2020. We will support a release for two cycles (one year). After that, a release will only get security fixes for one more cycle and then move to end of life status. Starting with the upcoming releases, our other two open source products dnsdist and the authoritative server will also move to a 6 month cycle with the same support periods. Specific information can be found in the end of life statement. Availability The tarball[2] (signature[3]) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com. We no longer build Debian Jessie and Trusty packages. We would like the PowerDNS community for continued support, feedback, bug fixes and submitted features. Please send us all feedback and issues you might have via the mailing list[4], or in case of a bug, via GitHub[5]. [1] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.0 [2] https://downloads.powerdns.com/releases/pdns-recursor-4.2.0.tar.bz2 [3] https://downloads.powerdns.com/releases/pdns-recursor-4.2.0.tar.bz2.sig [4] https://mailman.powerdns.com/mailman/listinfo/pdns-users [5] https://github.com/PowerDNS/pdns/issues/new -- kind regards, Otto Moerbeek PowerDNS -- https://www.powerdns.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 475 bytes Desc: not available URL: From peter.van.dijk at powerdns.com Tue Jul 30 11:35:07 2019 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Tue, 30 Jul 2019 13:35:07 +0200 Subject: [Pdns-announce] PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records Message-ID: <7c879960e94cc3629bf71b4207b3961ff74db275.camel@powerdns.com> Hello, please find below the text of PowerDNS Security Advisory 2019-06. Updated packages (that only contain a Postgres schema change) will be released later. Just upgrading at that time will not fix the vulnerability - applying the schema change is mandatory. > PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records > ============================================================================== > > - CVE: CVE-2019-10203 > - Date: July 30th, 2019 > - Affects: PowerDNS Authoritative 4.0.0 and up, when using the gpgsql (PostgreSQL) backend > - Not affected: 4.2.0, 4.1.11, 4.0.9 > - Severity: Low > - Impact: Denial of Service > - Exploit: This problem can be triggered via crafted records > - Risk of system compromise: No > - Solution: Update the database schema > - Workaround: run the process inside the guardian or inside a supervisor > > An issue has been found in PowerDNS Authoritative Server allowing an > authorized user to cause the server to exit by inserting a crafted record in a > MASTER type zone under their control. The issue is due to the fact that the > Authoritative Server will exit when it tries to store the notified serial in > the PostgreSQL database, if this serial cannot be represented in 31 bits. > > This issue has been assigned CVE-2019-10203. > > PowerDNS Authoritative up to and including 4.1.10 is affected. Please note > that at the time of writing, PowerDNS Authoritative 3.4 and below are no > longer supported, as described in > https://doc.powerdns.com/authoritative/appendices/EOL.html. > > To fix the issue, run the following command against your PostgreSQL pdns > database: `ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE > WHEN notified_serial >= 0 THEN notified_serial::bigint END;`. No software > changes are required. > > We would like to thank Klaus Darilion for finding and subsequently reporting > this issue! Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 914 bytes Desc: This is a digitally signed message part URL: