[Pdns-dev] PowerDNS Recursor 3.1.4 release notes
bert.hubert at netherlabs.nl
Mon Nov 13 20:46:57 CET 2006
We've released version 3.1.4 earlier, but delayed the release notes until
the formal security notifications had gone out. Here are the release notes,
please upgrade as soon as possible.
Released the 13th of November 2006.
(html, with links, http://doc.powerdns.com/changelog.html#CHANGELOG-RECURSOR-3-1-4 )
This release contains almost no new features, but consists mostly of minor
and major bug fixes. It also addresses two major security issues, which
makes this release a highly recommended upgrade.
* Large TCP questions followed by garbage could cause the recursor to
crash. This critical security issue has been assigned CVE-2006-4251,
and is fixed in commit 915. More information can be found in Section
* CNAME loops with zero second TTLs could cause crashes in some
conditions. These loops could be constructed by malicious parties,
making this issue a potential denial of service attack. This security
issue has been assigned CVE-2006-4252 and is fixed by commit 919. More
information can be found in Section 1.6. Many thanks to David Gavarret
for helping pin down this problem.
* On certain error conditions, PowerDNS would neglect to close a socket,
which might therefore eventually run out. Spotted by Stefan Schmidt,
fixed in commits 892, 897, 899.
* Some nameservers (including PowerDNS in rare circumstances) emit a SOA
record in the authority section. The recursor mistakenly interpreted
this as an authoritative "NXRRSET". Spotted by Bryan Seitz, fixed in
* In some circumstances, PowerDNS could end up with a useless (not
working, or no longer working) set of nameserver records for a domain.
This release contains logic to invalidate such broken NSSETs, without
overloading authoritative servers. This problem had previously been
spotted by Bryan Seitz, 'Cerb' and Darren Gamble. Invalidations of
NSSETs can be plotted using the "nsset-invalidations" metric,
available through rec_control get. Implemented in commit 896 and
* PowerDNS could crash while dumping the cache using rec_control
dump-cache. Reported by Wouter of WideXS and Stefan Schmidt and many
others, fixed in commit 900.
* Under rare circumstances (depleted TCP buffers), PowerDNS might send
out incomplete questions to remote servers. Additionally, on
big-endian systems (non-Intel and non-AMD generally), sending out
large TCP answers questions would not work at all, and possibly crash.
Brought to our attention by David Gavarret, fixed in commit 903.
* The recursor contained the potential for a dead-lock processing an
invalid domain name. It is not known how this might be triggered, but
it has been observed by 'Cerb' on #powerdns. Several dead-locks where
PowerDNS consumed all CPU, but did not answer questions, have been
reported in the past few months. These might be fixed by commit 904.
* IPv6 'allow-from' matching had problems with the least significant
bits, sometimes allowing disallowed addresses, but mostly disallowing
allowed addresses. Spotted by Wouter from WideXS, fixed in commit 916.
* PowerDNS has support to drop answers from so called 'delegation only'
zones. A statistic ("dlg-only-drops") is now available to plot how
often this happens. Implemented in commit 890.
* Hint-file parameter was mistakenly named "hints-file" in the
documentation. Spotted by my Marco Davids, fixed in commit 898.
* rec_control quit should be near instantaneous now, as it no longer
meticulously cleans up memory before exiting. Problem spotted by
Darren Gamble, fixed in commit 914, closing ticket 84.
* init.d script no longer refers to the Recursor as the Authoritative
Server. Spotted by Wouter of WideXS, fixed in commit 913.
* A potentially serious warning for users of the GNU C Library version
2.5 was fixed. Spotted by Marcus Rueckert, fixed in commit 920.
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
More information about the Pdns-dev