[Pdns-dev] PowerDNS Recursor 3.5-RC2 released!
Peter van Dijk
peter.van.dijk at netherlabs.nl
Mon Feb 11 15:07:04 CET 2013
-----BEGIN PGP SIGNED MESSAGE-----
Release Candidate 2 of the PowerDNS Recursor 3.5 is available from:
semistatic packages: http://powerdnssec.org/downloads/packages/
RHEL5/6 native: http://www.monshouwer.eu/download/3rd_party/pdns-recursor/rc2/
You are cordially invited to (carefully) test this Release Candidate for
Full release notes, with clickable links, are available from:
Here is a text-only version:
This is a stability and bugfix update to 3.3/3.3.1. It contains important fixes
for slightly broken domain names, which your users expect to work anyhow.
Because a semi-sanctioned 3.4-pre was distributed for a long time, and
people have come to call that 3.4, we are skipping an actual 3.4 release
to avoid confusion.
Changes between RC1 and RC2:
* While Recursor 3.3 was not vulnerable to the specific attack noted in
'Ghost Domain Names: Revoked Yet Still Resolvable', further investigation
showed that a variant of the attack could work. This was fixed in r3085.
* The auth-can-lower-ttl flag was removed, as it did not have any effect in
most situations, and thus did not operate as advertised. We now always
comply with the related parts of RFC 2181. Change in r3092, closing ticket
Changes below are in RC1 (and up).
* The local zone server now understands wilcards, code in commit 2062.
* The Lua postresolve and nodata hooks, that had been distributed as a
'3.3-hooks' snapshot earlier, have been merged. Code in commit 2309.
* A new feature, rec_control trace-regex allows the tracing of lookups for
specific names. Code in commit 3044, commit 3073.
* A new setting, export-etc-hosts-suffix, adds a configurable suffix to names
imported from /etc/hosts. Code in commit 2544, commit 2545.
* We now throttle queries that don't work less agressively, code in commit
* Various improvements in tolerance against broken auths, code in commit 1996
, commit 2188, commit 3074 (thanks Winfried).
* Additional processing is now optional, and disabled by default. Presumably
this yields a performance improvement. Change in commit 2542.
* rec_control reload-lua-script now reports errors. Code in commit 2627,
closing ticket 278.
* rec_control help now lists commands. Code in commit 2628.
* rec_control wipe-cache now also wipes the recursor's packet cache. Code in
commit 2880 from ticket 333.
* Morten Stevens contributed a systemd file. Import in commit 2966, now part
of the recursor tarball.
* commit 2990 updates the address of D.root-servers.net.
* Winfried Angele implemented and documented the ipv6-questions metric. Merge
in commit 3034, closing ticket 619.
* We no longer use ANY to get A+AAAA for nameservers, because some auth
operators have decided to break ANY lookups. As a bonus, we now track v4
and v6 latency separately. Change in commit 3064.
* Some unaligned memory access was corrected, code in commit 2060, commit
2122, commit 2123, which would cause problems on UltraSPARC.
* Garbage encountered during reload-acls could cause crashes. Fixed in commit
2323, closing ticket 330.
* The recursor would lose its root hints in a very rare situation. Corrected
in commit 2380.
* We did not always drop supplemental groups while dropping privileges.
Reported by David Black of Atlassian, fixed in commit 2524.
* Cache aging would sometimes get confused when we had a mix of expired and
non-expired records in cache. Spotted and fixed by Winfried Angele in
commit 3068, closing ticket 438.
* rec_control reload-acl no longer ignores arguments. Fix in commit 3037,
closing ticket 490.
* Since we re-parse our commandline in rec_control we've been doubling the
commands on the commandline, causing weird output. Reported by Winfried
Angele. Fixed in commit 2992, closing ticket 618. This issue was not
present in any officially released versions.
* commit 2879 drops some spurious stderr logging from Lua scripts, and makes
sure 'place' is always valid.
* We would sometimes refuse to resolve domains with just one nameserver
living at the apex. Fixed in commit 2817.
* We would sometimes stick RRs in the wrong parts of response packets. Fixed
in commit 2625.
* The ACL parser was too liberal, sometimes causing recursors to be very
open. Fixed in commit 2629, closing ticket 331.
* rec_control now honours config-dir from recursor.conf. Fixed in commit 2630
* When traversing CNAME chains, sometimes we would end up with multiple SOAs
in the result. Fixed in commit 2633.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
More information about the Pdns-dev