PowerDNS Recursor 3.1.5 released - security update inside
bert.hubert at netherlabs.nl
Mon Mar 31 15:01:08 CEST 2008
PowerDNS Recursor 3.1.5 released
We would like to thank Amit Klein of Trusteer for bringing a serious
vulnerability to our attention which would enable a smart attacker to
'spoof' previous versions of the PowerDNS Recursor into accepting possibly
Details can be found on http://www.trusteer.com/docs/powerdnsrecursor.html
It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5
as soon as practicable, while we simultaneously note that busy servers are
less susceptible to the attack, but not immune.
The PowerDNS Security Advisory can be found in
PowerDNS Recursor 3.1.5 has been in production use for the past few weeks,
and has been validated by in excess of one billion test queries, the results
of which were compared to those generated by a reference implementation.
Generic GPL sources:
Release notes with clickable links:
Much like 3.1.4, this release does not add a lot of major features.
Instead, performance has been improved significantly (estimated at around
20%), and many rare and not so rare issues were addressed. Multi-part TXT
records now work as expected - the only significant functional bug found
in 15 months. One of the oldest feature requests was fulfilled: version
3.1.5 can finally forward queries for designated domains to multiple
servers, on differing port numbers if needed. Previously only one
forwarder address was supported. This lack held back a number of
migrations to PowerDNS.
This version can properly benefit from all IPv4 and IPv6 addresses in use
at the root-servers as of early February 2008. In order to implement this,
changes were made to how the Recursor deals internally with A and AAAA
queries for nameservers, see below for more details.
Additionally, newer releases of the G++ compiler required some fixes (see
This release was made possible by the help of Wichert Akkerman, Winfried
Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), Leo Baltus
(Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf
Cegetel), Peter Gervai, Marcus Goller (UPC), Matti Hiljanen
(Saunalahti/Elisa), Ruben Kerkhoff, Alex Kiernan, Amit Klein (Trusteer),
Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert
(OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt
(Freenet.de), Kai Storbeck (xs4all), Alex Trull, Andrew Turnbull (No Wires
LTD) and Aaron Thompson, and many more who filed bugs anonymously, or who
we forgot to mention.
Security related issues:
* Amit Klein has informed us that System random generator output can be
predicted based on its past behaviour, allowing a smart attacker to
'spoof' our nameserver. Full details in Section 1.7.
* The Recursor will by default no longer query private-space
nameservers. This closes a slight security risk and simultaneously
improves performance and stability. For more information, see
dont-query in Section 12.1. Implemented in commit 923.
* Applied fix for ticket 110 ('PowerDNS should change directory to '/'
in chroot'), implemented in commit 944.
* The DNS packet writing and parsing infrastructure performance was
improved in several ways, see commits 925, 926, 928, 931, 1021, 1050.
* Remove multithreading overhead from the Recursor (commit 999).
* Built-in authoritative server now properly derives the TTL from the
SOA record if not specified. Implemented in commit 1165. Additionally,
even when TTL was specified for the built-in authoritative server, it
was ignored. Reported by Stefan Schmidt, closing ticket 147.
* Empty TXT record components can now be served. Implemented in commit
1166, closing ticket 178. Spotted by Matti Hiljanen.
* The Recursor would not properly override old data with new, sometimes
serving old and new data concurrently. Fixed in commit 1137.
* SOA records with embedded carriage-return characters are now parsed
correctly. Implemented in commit 1167, closing ticket 162.
* Some routing conditions could cause UDP connected sockets to generate
an error which PowerDNS did not deal with properly, leading to a
leaked file descriptor. As these run out over time, the recursor could
crash. This would also happen for IPv6 queries on a host with no IPv6
connectivity. Thanks to Kai of xs4all and Wichert Akkerman for
reporting this issue. Fix in commit 1133.
* Empty unknown record types can now be stored without generating a
scary error (commit 1129)
* Applied fix for ticket 111, ticket 112 and ticket 153 - large
(multipart) TXT records are now retrieved and served properly. Fix in
* Solaris compilation instructions in Recursor documentation were wrong,
leading to an instant crash on startup. Luckily nobody reads the
documentation, except for Marcus Goller who found the error. Fixed in
* On Solaris, finally fix the issue where queries get distributed
strangely over CPUs, or not get distributed at all. Much debugging and
analysing performed by Alex Kiernan, who also supplied fixes.
Implemented in commit 1091, commit 1093.
* Various fixes for modern G++ versions, most spotted by Marcus Rueckert
(commits 964, 965, 1028, 1052), and Ruben Kerkhoff (commit 1136,
closing ticket 175).
* Recursor would not properly clean up pidfile and control socket,
closing ticket 120, code in commit 988, commit 1098 (part of fix by
Matti Hiljanen, spotted by Leo Baltus)
* Recursor can now serve multi-line records from its limited
authoritative server (commit 1014).
* When parsing zones, the 'm' time specification stands for minutes, not
months! Closing Debian bug 406462 (commit 1026)
* Authoritative zone parser did not support '@' in the content of
records. Spotted by Marco Davids, fixed in commit 1030.
* Authoritative zone parser could be confused by trailing TABs on record
lines (commit 1062).
* EINTR error code could block entire server if received at the wrong
time. Spotted by Arnoud Bakker, fix in commit 1059.
* Fix crash on NetBSD on Alpha CPUs, might improve startup behaviour on
empty caches on other architectures as well (commit 1061).
* Outbound TCP queries were being performed sub-optimally because of an
interaction with the 'Mplexer'. Fixes in commit 1115, commit 1116.
* Implemented rec_control command get uptime, as suggested by Niels
Bakker (commit 935). Added to default rrdtool scripts in commit 940.
* The Recursor Authoritative component, meant for having the Recursor
serve some zones authoritatively, now supports $INCLUDE and $GENERATE.
Implemented in commit 951 and commit 952, commit 967 (discovered by
* Implemented forward-zones-file option in order to support larger
amounts of zones which should be forwarded to another nameserver
* Both forward-zones and forward-zones-file can now specify multiple
forwarders per domain, implemented in commit 1168, closing ticket 81.
Additionally, both these settings can also specify non-standard port
numbers, as suggested in ticket 122. Patch authored by Aaron
Thompson, with additional work by Augie Schwer.
* Sten Spans contributed allow-from-file, implemented in commit 1150.
This feature allows the Recursor to read access rules from a (large)
* Ruben Kerkhof fixed up weird permission bits as well as our SGML
documentation code in commit 936 and commit 937.
* Full IPv6 parity. If configured to use IPv6 for outgoing queries
(using query-local-address6=::0 for example), IPv6 and IPv4 addresses
are finally treated 100% identically, instead of 'mostly'. This
feature is implemented using 'ANY' queries to find A and AAAA
addresses in one query, which is a new approach. Treat with caution.
* Now perform EDNS0 root refreshing queries, so as to benefit from all
returned addresses. Relevant since early February 2008 when the
root-servers started to respond with IPv6 addresses, which made the
default non-EDNS0 maximum packet length reply no longer contain all
records. Implemented in commit 1130. Thanks to dns-operations AT
mail.oarc.isc.org for quick suggestions on how to deal with this
* rec_control now has a timeout in case the Recursor does not respond.
Implemented in commit 945.
* (Error) messages are now logged with saner priorities (commit 955).
* Outbound query IP interface stemmed from 1997 (!) and was in dire need
of a cleanup (commit 1117).
* L.ROOT-SERVERS.NET moved (commit 1118).
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
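
Added example, not part of the original announcement and not PowerDNS code: the file descriptor leak described in the release notes (an error on a connected UDP socket, also seen for IPv6 queries on a host with no IPv6 connectivity) comes down to an error path that returns without close(). The helper names and the documentation-prefix address 2001:db8::53 are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not a PowerDNS function): open a UDP socket connected
 * to an IPv6 nameserver. Returns the descriptor, or -1 with errno set. */
int open_connected_udp6(const char *addr, unsigned short port)
{
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_port = htons(port);
    if (inet_pton(AF_INET6, addr, &sa.sin6_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;              /* nothing allocated, nothing to release */
    /* connect() on a UDP socket sends no packet, but it performs a route
     * lookup and can fail (e.g. ENETUNREACH) when the host has no IPv6 route. */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);              /* omitting this close() is the leak */
        errno = saved;
        return -1;
    }
    return fd;
}

/* Make many attempts and report whether any descriptor was left behind, by
 * comparing the lowest free descriptor number before and after the loop. */
int attempts_leak_fds(const char *addr, int attempts)
{
    int before = socket(AF_INET, SOCK_DGRAM, 0);
    if (before >= 0) close(before);
    for (int i = 0; i < attempts; i++) {
        int fd = open_connected_udp6(addr, 53);
        if (fd >= 0) close(fd); /* the caller owns a successful socket */
    }
    int after = socket(AF_INET, SOCK_DGRAM, 0);
    if (after >= 0) close(after);
    return before != after;     /* 0 means no descriptor leaked */
}

int main(void) { return attempts_leak_fds("2001:db8::53", 200); }
```

The check holds whether connect() fails or succeeds on the machine it runs on, since both paths release the descriptor.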