[Pdns-dev] PowerDNS Recursor 3.1.4 release notes

bert hubert bert.hubert at netherlabs.nl
Mon Nov 13 20:46:57 CET 2006 

Hi,

We've released version 3.1.4 earlier, but delayed the release notes until
the formal security notifications had gone out. Here are the release notes,
please upgrade as soon as possible.

Source:
 http://downloads.powerdns.com/releases/pdns-recursor-3.1.4.tar.bz2

DEBs:
 http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.4-1_amd64.deb
 http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.4-1_i386.deb

RPMs:
 http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.4-1.x86_64.rpm
 http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.4-1.i386.rpm

 Released the 13th of November 2006.
 (html, with links, http://doc.powerdns.com/changelog.html#CHANGELOG-RECURSOR-3-1-4 )

 This release contains almost no new features, but consists mostly of minor
 and major bug fixes. It also addresses two major security issues, which
 makes this release a highly recommended upgrade.

 Security issues:

   * Large TCP questions followed by garbage could cause the recursor to
     crash. This critical security issue has been assigned CVE-2006-4251,
     and is fixed in commit 915. More information can be found in Section
     1.5.

   * CNAME loops with zero second TTLs could cause crashes in some
     conditions. These loops could be constructed by malicious parties,
     making this issue a potential denial of service attack. This security
     issue has been assigned CVE-2006-4252 and is fixed by commit 919. More
     information can be found in Section 1.6. Many thanks to David Gavarret
     for helping pin down this problem.

 Bugs:

   * On certain error conditions, PowerDNS would neglect to close a socket,
     which might therefore eventually run out. Spotted by Stefan Schmidt,
     fixed in commits 892, 897, 899.

   * Some nameservers (including PowerDNS in rare circumstances) emit a SOA
     record in the authority section. The recursor mistakenly interpreted
     this as an authoritative "NXRRSET". Spotted by Bryan Seitz, fixed in
     commit 893.

   * In some circumstances, PowerDNS could end up with a useless (not
     working, or no longer working) set of nameserver records for a domain.
     This release contains logic to invalidate such broken NSSETs, without
     overloading authoritative servers. This problem had previously been
     spotted by Bryan Seitz, 'Cerb' and Darren Gamble. Invalidations of
     NSSETs can be plotted using the "nsset-invalidations" metric,
     available through rec_control get. Implemented in commit 896 and
     commit 901.

   * PowerDNS could crash while dumping the cache using rec_control
     dump-cache. Reported by Wouter of WideXS and Stefan Schmidt and many
     others, fixed in commit 900.

   * Under rare circumstances (depleted TCP buffers), PowerDNS might send
     out incomplete questions to remote servers. Additionally, on
     big-endian systems (non-Intel and non-AMD generally), sending out
     large TCP answers questions would not work at all, and possibly crash.
     Brought to our attention by David Gavarret, fixed in commit 903.

   * The recursor contained the potential for a dead-lock processing an
     invalid domain name. It is not known how this might be triggered, but
     it has been observed by 'Cerb' on #powerdns. Several dead-locks where
     PowerDNS consumed all CPU, but did not answer questions, have been
     reported in the past few months. These might be fixed by commit 904.

   * IPv6 'allow-from' matching had problems with the least significant
     bits, sometimes allowing disallowed addresses, but mostly disallowing
     allowed addresses. Spotted by Wouter from WideXS, fixed in commit 916.

 Improvements:

   * PowerDNS has support to drop answers from so called 'delegation only'
     zones. A statistic ("dlg-only-drops") is now available to plot how
     often this happens. Implemented in commit 890.

   * Hint-file parameter was mistakenly named "hints-file" in the
     documentation. Spotted by my Marco Davids, fixed in commit 898.

   * rec_control quit should be near instantaneous now, as it no longer
     meticulously cleans up memory before exiting. Problem spotted by
     Darren Gamble, fixed in commit 914, closing ticket 84.

   * init.d script no longer refers to the Recursor as the Authoritative
     Server. Spotted by Wouter of WideXS, fixed in commit 913.

   * A potentially serious warning for users of the GNU C Library version
     2.5 was fixed. Spotted by Marcus Rueckert, fixed in commit 920.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the Pdns-dev mailing list