[Pdns-dev] PowerDNS Recursor 4.0.4 released

Pieter Lexis pieter.lexis at powerdns.com
Fri Jan 13 12:05:08 UTC 2017

Hello everyone,

We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code.

The following PowerDNS Security Advisories are fixed:

 * 2016-02: Crafted queries can cause abnormal CPU usage[1]
 * 2016-04: Insufficient validation of TSIG signatures[2]

Minimal patches are available for those unable to fully upgrade[3,4]

The full changelog is available online[5] and reproduced here:

 * Check TSIG signature on IXFR (Security Advisory 2016-04)
 * Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02)
 * Fix incorrect length check in `DNSName` when extracting qtype or qclass
 * Wait until after daemonizing to start the RPZ and protobuf threads
 * On (re-)priming, fetch the root NS records
 * Fix src/dest inversion in the protobuf message for TCP queries
 * On RPZ customPolicy, follow the resulting CNAME
 * Add requestorId and some comments to the protobuf definition file
 * Make the negcache forwarded zones aware
 * Cache records for zones that were delegated to from a forwarded zone
 * Add `getRecursorThreadId()` to Lua, identifying the current thread
 * Add support for boost::context >= 1.61
 * DNSSEC: Implement keysearch based on zone-cuts
 * DNSSEC: don't go bogus on zero configured DSs
 * DNSSEC: NSEC3 optout and Bogus insecure forward fixes
 * DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones

We urge all users of the Recursor to upgrade to this version.
Tarballs with sources are available (with signatures)[6,7].
Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories[8].

1 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
2 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
3 - https://downloads.powerdns.com/patches/2016-02
4 - https://downloads.powerdns.com/patches/2016-04
5 - https://doc.powerdns.com/md/changelog/#powerdns-recursor-404
6 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.4.tar.bz2
7 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.4.tar.bz2.sig
8 - https://repo.powerdns.com/

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20170113/96f83c83/attachment.sig>

More information about the Pdns-dev mailing list