From otto.moerbeek at powerdns.com Mon Feb 9 13:50:37 2026
From: otto.moerbeek at powerdns.com (Otto Moerbeek)
Date: Mon, 9 Feb 2026 14:50:37 +0100 (CET)
Subject: [Pdns-users] PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor
Message-ID: <1261927304.90.1770645037118@appsuite.open-xchange.com>

Today we have released PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5. These releases fix a PowerDNS Security Advisory:

* 2026-01: Crafted zones can lead to increased resource usage in Recursor

There are two CVEs associated with this advisory, both of severity Medium.

__________________________________________________________________

* CVE: CVE-2026-24027
* Date: 9th February 2026
* Affects: PowerDNS Recursor up to and including 5.1.9, 5.2.7 and 5.3.4
* Not affected: PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5
* Severity: Medium
* Impact: Denial of Service
* Exploit: This problem can be triggered by publishing and querying a crafted zone that causes increased incoming network traffic.
* Risk of system compromise: None
* Solution: Upgrade to patched version

CVSS Score: 5.3, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1[1]

The remedy is: upgrade to a patched version.

We would like to thank Shuhan Zhang from Tsinghua University for bringing this issue to our attention.

* CVE: CVE-2026-0398
* Date: 9th February 2026
* Affects: PowerDNS Recursor up to and including 5.1.9, 5.2.7 and 5.3.4
* Not affected: PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5
* Severity: Medium
* Impact: Denial of Service
* Exploit: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.
* Risk of system compromise: None
* Solution: Upgrade to patched version

CVSS Score: 5.3, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1[2]

The remedy is: upgrade to a patched version.
We would like to thank Yufan You from Tsinghua University for bringing this issue to our attention.

We would also like to thank TaoFei Guo from Peking University and Yang Luo, JianJun Chen from Tsinghua University for bringing an issue of caching irrelevant records related to CNAME chains to our attention.

__________________________________________________________________

Please refer to the changelogs (5.1.10[3], 5.2.8[4] and 5.3.5[5]) for additional details.

Please send us all feedback and issues you might have via the mailing list[6], or in case of a bug, via GitHub[7].

The tarballs (5.1.10[8], 5.2.8[9], 5.3.5[10]) (with signature files 5.1.10[11], 5.2.8[12], 5.3.5[13]) are available from our download server[14] and packages for several distributions are available from our repository[15].

At the moment of writing, the patches[16] are not incorporated yet in the public github repository. There has been a delay in the process to transfer them from our private repository (where they were developed) to the public repository.

Recently we made changes to our Open Source End of Life policy. Older release trains are now supported for one year after the following major release. Consult the EOL policy[17] for more details.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

References

1. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
2. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
3. https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1.10
4. https://doc.powerdns.com/recursor/changelog/5.2.html#change-5.2.8
5. https://doc.powerdns.com/recursor/changelog/5.3.html#change-5.3.5
6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
7. https://github.com/PowerDNS/pdns/issues/new/choose
8. https://downloads.powerdns.com/releases/pdns-recursor-5.1.10.tar.bz2
9. https://downloads.powerdns.com/releases/pdns-recursor-5.2.8.tar.bz2
10. https://downloads.powerdns.com/releases/pdns-recursor-5.3.5.tar.xz
11. https://downloads.powerdns.com/releases/pdns-recursor-5.1.10.tar.bz2.sig
12. https://downloads.powerdns.com/releases/pdns-recursor-5.2.8.tar.bz2.sig
13. https://downloads.powerdns.com/releases/pdns-recursor-5.3.5.tar.xz.sig
14. https://downloads.powerdns.com/releases/
15. https://repo.powerdns.com/
16. https://downloads.powerdns.com/patches/2026-01/
17. https://docs.powerdns.com/recursor/appendices/EOL.html

From listy at localities.work Wed Feb 11 18:17:23 2026
From: listy at localities.work (listy)
Date: Wed, 11 Feb 2026 19:17:23 +0100
Subject: [Pdns-users] forward zone VS rpz with recursor?
Message-ID: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work>

Hi guys.

I forward-zones & use RPZ at the same time - resolvers cannot get to forwarded domains - could it be that RPZ takes precedence over forwarding and if so can this be tweaked so it does not?

many thanks, L.

From b.candler at pobox.com Wed Feb 11 18:23:07 2026
From: b.candler at pobox.com (Brian Candler)
Date: Wed, 11 Feb 2026 18:23:07 +0000
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work>
References: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work>
Message-ID:

On 11/02/2026 18:17, listy via Pdns-users wrote:
> I forward-zones & use RPZ at the same time - resolvers cannot get to
> forwarded domains - could it be that RPZ takes precedence over
> forwarding and if so can this be tweaked so it does not?

What version of pdns-recursor?
Can you give an example of the behaviour:

* configuration of forwarded domains
* configuration of RPZ
* whether RPZ data overlaps with the forwarded domains
* what the client queries and what response it gets

Could it be that the issue is really with DNSSEC and you need a Negative Trust Anchor?

From listy at localities.work Wed Feb 11 19:08:56 2026
From: listy at localities.work (listy)
Date: Wed, 11 Feb 2026 20:08:56 +0100
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To:
References: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work>
Message-ID:

Seems that I rushed a bit - forwarding a zone can only be done to NS(es) of that zone? If yes, then my issue was that I forwarded to public generic DNSes. Now, with forwarding to authoritative servers & with RPZ, forwarded domains work. (without TAs)

I'm on 5.2.7

thanks, L.

From b.candler at pobox.com Wed Feb 11 19:23:24 2026
From: b.candler at pobox.com (Brian Candler)
Date: Wed, 11 Feb 2026 19:23:24 +0000
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To:
References: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work>
Message-ID: <2639acfe-74ea-4b17-986e-0a83de1adfc2@pobox.com>

On 11/02/2026 19:08, listy via Pdns-users wrote:
> Seems that I rushed a bit - forwarding a zone can only be done to
> NS(es) of that zone?

No, not at all. In the most extreme case, you can forward "." to a random public recursor.

recursor:
  forward_zones_file: /etc/powerdns/forward.zones.yml

# /etc/powerdns/forward.zones.yml
- zone: .
  forwarders:
    - 2620:fe::fe
    - 9.9.9.9
  recurse: true

From listy at localities.work Thu Feb 12 06:19:07 2026
From: listy at localities.work (listy)
Date: Thu, 12 Feb 2026 07:19:07 +0100
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To: <2639acfe-74ea-4b17-986e-0a83de1adfc2@pobox.com>
References: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work> <2639acfe-74ea-4b17-986e-0a83de1adfc2@pobox.com>
Message-ID: <9e7dac31-1b32-4682-a382-dfbac8cebef4@localities.work>

Seems that in my 'traditional' forward zones config file I was missing the '+'

+forwarded.zone=9.9.9.9,8.8.4.4

then yes, public recursors work - otherwise NS for those domains are needed (as a side-note to a beginner like myself)

thanks, L.

From b.candler at pobox.com Thu Feb 12 08:08:27 2026
From: b.candler at pobox.com (Brian Candler)
Date: Thu, 12 Feb 2026 08:08:27 +0000
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To: <9e7dac31-1b32-4682-a382-dfbac8cebef4@localities.work>
References: <75aef5a7-8deb-43bd-a4ef-67d946bcd1ad@localities.work> <2639acfe-74ea-4b17-986e-0a83de1adfc2@pobox.com> <9e7dac31-1b32-4682-a382-dfbac8cebef4@localities.work>
Message-ID:

On 12/02/2026 06:19, listy via Pdns-users wrote:
> Seems that in my 'traditional' forward zones config file I was missing
> the '+'
>
> +forwarded.zone=9.9.9.9,8.8.4.4
>
> then yes, public recursors work - otherwise NS for those domains are
> needed (as a side-note to a beginner like myself)

The issue is that you need to set the "Recursion Desired" (RD) bit on requests which are going to recursive servers. It must not be set on requests which are sent to authoritative servers.

It's not really a case of NS records being required. An authoritative server will typically have NS records pointing at it (so that it can be found), but it's not necessary to function. You could, for example, set up a standalone authoritative server for a hidden zone, and forward requests to it from the recursor. If the zone above is DNSSEC signed, but the hidden zone is not, that's when a Negative Trust Anchor (NTA) is also required.
From sthaug at nethelp.no Thu Feb 12 08:51:16 2026
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 12 Feb 2026 09:51:16 +0100 (CET)
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To:
References: <2639acfe-74ea-4b17-986e-0a83de1adfc2@pobox.com> <9e7dac31-1b32-4682-a382-dfbac8cebef4@localities.work>
Message-ID: <20260212.095116.1958882649474707618.sthaug@nethelp.no>

> The issue is that you need to set the "Recursion Desired" (RD) bit on
> requests which are going to recursive servers. It must not be set on
> requests which are sent to authoritative servers.

On one of the .no ccTLD servers, around 1% of the queries have RD set. I have no idea if this is typical - but clearly, "must not" does not completely reflect actual query traffic.

Steinar Haug, AS2116

From b.candler at pobox.com Thu Feb 12 09:07:46 2026
From: b.candler at pobox.com (Brian Candler)
Date: Thu, 12 Feb 2026 09:07:46 +0000
Subject: [Pdns-users] forward zone VS rpz with recursor?
In-Reply-To: <20260212.095116.1958882649474707618.sthaug@nethelp.no>
References: <2639acfe-74ea-4b17-986e-0a83de1adfc2@pobox.com> <9e7dac31-1b32-4682-a382-dfbac8cebef4@localities.work> <20260212.095116.1958882649474707618.sthaug@nethelp.no>
Message-ID: <3e7fc1ef-d88b-45da-ab83-78acddb70819@pobox.com>

On 12/02/2026 08:51, sthaug at nethelp.no wrote:
> On one of the .no ccTLD servers, around 1% of the queries have RD
> set. I have no idea if this is typical - but clearly, "must not"
> does not completely reflect actual query traffic.

Interesting, thanks for sharing. TBH, I didn't check against the RFCs. What I was trying to say is that pdns-recursor is behaving correctly by not setting RD on outgoing requests by default. It gives a degree of protection against Bad Things™ happening in certain misconfigurations, like when there's a lame delegation to a recursive server.
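As an added example that is not code from this thread or from PowerDNS: the RD-bit rule from Brian Candler's reply applied to the '+'-prefixed forward-zones line listy posted, plus the RD-ratio check behind Steinar Haug's ccTLD observation. It assumes the old-style 'zone=ip,ip' line syntax where a leading '+' means "forward with recursion" and the RFC 1035 header layout; the hidden.example zone and 192.0.2.53 address are constructed, and nothing here talks to a server.

```python
import struct

RD_FLAG = 0x0100  # Recursion Desired bit in the DNS header flags word


def parse_forward_line(line: str) -> tuple:
    """Parse an old-style forward-zones-file line such as '+forwarded.zone=9.9.9.9,8.8.4.4'.

    A leading '+' means the targets are recursors (forward with recursion); without it
    they are treated as authoritative. Returns (zone, forwarders, recurse)."""
    line = line.strip()
    recurse = line.startswith("+")
    zone, _, targets = line.lstrip("+").partition("=")
    forwarders = [t.strip() for t in targets.split(",") if t.strip()]
    if not zone or not forwarders:
        raise ValueError(f"malformed forward-zones line: {line!r}")
    return zone.rstrip("."), forwarders, recurse


def build_query(qname: str, qtype: int, recurse: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query; RD is set only when the target is a recursor."""
    flags = RD_FLAG if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".") if label)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # qtype, class IN


def rd_set(packet: bytes) -> bool:
    """Read the RD bit from a wire-format DNS message (query or response)."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return bool(flags & RD_FLAG)


def rd_ratio(packets) -> float:
    """Share of messages with RD set: the measurement behind the ~1% seen on a ccTLD
    server, where RD is not expected on queries to an authoritative server."""
    packets = list(packets)
    return sum(rd_set(p) for p in packets) / len(packets) if packets else 0.0


# Constructed sample lines: the thread's '+' recursor line and a hypothetical
# hidden authoritative zone forwarded without '+'.
SAMPLE_LINES = ["+forwarded.zone=9.9.9.9,8.8.4.4", "hidden.example=192.0.2.53"]


def queries_for(lines):
    """Map each forward line to (zone, forwarders, RD bit of the query that would be sent)."""
    out = []
    for line in lines:
        zone, fwd, recurse = parse_forward_line(line)
        out.append((zone, fwd, rd_set(build_query("www." + zone, 1, recurse))))
    return out


if __name__ == "__main__":
    for zone, fwd, rd in queries_for(SAMPLE_LINES):
        print(f"{zone}: forwarders={fwd} RD={'set' if rd else 'clear'}")
```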
From otto.moerbeek at powerdns.com Tue Feb 17 13:04:53 2026
From: otto.moerbeek at powerdns.com (Otto Moerbeek)
Date: Tue, 17 Feb 2026 14:04:53 +0100 (CET)
Subject: [Pdns-users] First Release Candidate of PowerDNS Recursor 5.4.0
Message-ID: <1195186617.1604.1771333494006@appsuite.open-xchange.com>

We are proud to announce the first release candidate of PowerDNS Recursor 5.4.0!

Compared to the latest 5.3 release, this pre-release includes the following changes:

* DNS cookies[1] are supported for outgoing connections to authoritative servers. This greatly reduces the effectiveness of (spoofing) attacks. This feature currently is disabled by default, but will be enabled by default in a future release.
* The server certificate associated with an outgoing DoT connection can optionally be validated[2].
* The emitting of OpenTelemetry trace data is now controlled by conditions[3] based on properties of the incoming query. The trace data itself is also more elaborate, enabling more insight into the workings of the resolving process.
* Queries using query type ANY from clients[4] and to authoritative[5] servers are now forced to use TCP by default.

As always, there are also many smaller bug fixes and improvements; please refer to the changelog[6] for additional details. When upgrading do not forget to check the upgrade guide[7].

Starting with the previous release the preferred build system is meson. We encourage third party package maintainers to switch to meson, as the autotools build system will be phased out.

Please send us all feedback and issues you might have via the mailing list[8], or in case of a bug, via GitHub[9]. In particular we would like to see feedback regarding the new DNS cookie support feature.

The tarball[10] (signature[11]) is available from our download server[12] and packages for several distributions are available from our repository[13].

Older release trains are supported for one year after the following major release.
Consult the EOL policy[14] for more details.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

References

1. https://docs.powerdns.com/recursor/yamlsettings.html#setting-yaml-outgoing-cookies
2. https://docs.powerdns.com/recursor/yamlsettings.html#setting-yaml-outgoing-tls-configurations
3. https://docs.powerdns.com/recursor/yamlsettings.html#opentelemetrytracecondition
4. https://docs.powerdns.com/recursor/yamlsettings.html#recursor-any-to-tcp
5. https://docs.powerdns.com/recursor/yamlsettings.html#outgoing-any-to-tcp
6. https://doc.powerdns.com/recursor/changelog/5.4.html#change-5.4.0-rc1
7. https://docs.powerdns.com/recursor/upgrade.html
8. https://mailman.powerdns.com/mailman/listinfo/pdns-users
9. https://github.com/PowerDNS/pdns/issues/new/choose
10. https://downloads.powerdns.com/releases/pdns-recursor-5.4.0-rc1.tar.xz
11. https://downloads.powerdns.com/releases/pdns-recursor-5.4.0-rc1.tar.xz.sig
12. https://downloads.powerdns.com/releases/
13. https://repo.powerdns.com/
14. https://docs.powerdns.com/recursor/appendices/EOL.html

From adrian.minta at gmail.com Thu Feb 19 13:57:24 2026
From: adrian.minta at gmail.com (Adrian M)
Date: Thu, 19 Feb 2026 15:57:24 +0200
Subject: [Pdns-users] Hidden supermaster
Message-ID:

Hi guys.

What is the trick to have a hidden supermaster? Right now the superslaves with sqlite3 backends don't want to create new zones if the supermaster is not present in the NS list of the zone.

The error I get is:

pdns_server[27028]: Unable to find backend willing to host 07-test.test.ro for potential autoprimary 10.10.10.10.
Remote nameservers:
pdns_server[8289]: ns2.srv.ro
pdns_server[8289]: ns1.srv.ro
pdns_server[8289]: ns3.srv.ro

From miod.vallat at powerdns.com Fri Feb 20 09:20:15 2026
From: miod.vallat at powerdns.com (Miod Vallat)
Date: Fri, 20 Feb 2026 10:20:15 +0100
Subject: [Pdns-users] PowerDNS Authoritative Server 4.9.13 and 5.0.3 released
Message-ID: <6abc986b-438f-403f-b05c-7a1d6750fb26@powerdns.com>

Today, we are releasing two new versions of the PowerDNS Authoritative Server. These 4.9.13 and 5.0.3 versions only contain bugfixes.

A detailed list of changes can be found in the changelog ([1]4.9.13, [2]5.0.3).

Please make sure to read the [3]Upgrade Notes before upgrading.

The tarballs ([4]4.9.13, [5]5.0.3) and their signatures ([6]4.9.13, [7]5.0.3) are available at [8]downloads.powerdns.com. Packages for various distributions are available from [9]repo.powerdns.com.

Please send us all feedback and issues you might have via the [10]mailing list, or in case of a bug, via [11]GitHub.

References

1. https://doc.powerdns.com/authoritative/changelog/4.9.html#change-4.9.13
2. https://doc.powerdns.com/authoritative/changelog/5.0.html#change-5.0.3
3. https://doc.powerdns.com/authoritative/upgrading.html
4. https://downloads.powerdns.com/releases/pdns-4.9.13.tar.bz2
5. https://downloads.powerdns.com/releases/pdns-5.0.3.tar.bz2
6. https://downloads.powerdns.com/releases/pdns-4.9.13.tar.bz2.sig
7. https://downloads.powerdns.com/releases/pdns-5.0.3.tar.bz2.sig
8. https://downloads.powerdns.com/releases/
9. https://repo.powerdns.com/
10. https://mailman.powerdns.com/mailman/listinfo/pdns-users
11. https://github.com/PowerDNS/pdns/issues/new/choose

From remi.gacogne at powerdns.com Mon Feb 23 09:14:45 2026
From: remi.gacogne at powerdns.com (Remi Gacogne)
Date: Mon, 23 Feb 2026 10:14:45 +0100
Subject: [Pdns-users] First beta release of PowerDNS DNSdist 2.1.0
Message-ID: <36af41ca-305f-4272-8353-bc5595348a53@powerdns.com>

Today we released the first beta version of what will become PowerDNS DNSdist 2.1.0.

This new version brings new features and improvements since the first alpha:

- Opentelemetry: add flags field in TRACEPARENT EDNS option
- Add prepend and append methods to Lua DNSName
- Export DNS flags via ProtoBuf
- Add actions, methods and FFI functions to unset a tag
- Implement "allowed rcodes/total" ratio dynamic rule
- Subnets excluded from dynamic rules should not count towards thresholds
- Add a Lua callback to validate health-check responses

It also fixes several issues reported against the first alpha:

- Do not create dnsdist.yml in RPM system configuration directory
- Only install dnsdist.yml-dist if yaml support was enabled (Holger Hoffstätte)
- Work around Quiche not dealing well with removed congestion algorithms
- Better handling of invalid ``Base64`` content
- Fix build issues with ipcrypt2
- Correctly set Span ID to downstreams
- Fix invalid substr() use in the DNS overlay parser
- Don't start the NetworkListener thread in config check mode
- Meson: Add missing checks for TLS_client_method, gnutls_transport_set_fastopen

Compared to 2.0, 2.1 also brings the following new features:

- OpenTelemetry tracing support has been added
- Structured logging has been added
- A and AAAA records can now be shuffled in the packet cache (Karel Bilek)
- Lua parsers are now available for A, AAAA and CNAME records (Ensar Sarajčić)
- a Lua hook can now be invoked on server state changes (@pacnal)

Please be aware that DNSdist now looks by default for a configuration file named "dnsdist.yml" in the systemd configuration directory, instead of "dnsdist.conf".
It will however fall back to a "dnsdist.conf" file if there is no "dnsdist.yml" file, so existing configurations should still work as expected.

Other notable changes are the removal of DNS over HTTPS support via the h2o library, meaning DNS over HTTPS is now only available via the nghttp2 library.

As this release introduces major changes, we invite everyone to test it as soon as possible to make sure that all existing use cases are still working properly, and that there is no performance degradation.

Please see the DNSdist website [1] for the more complete changelog [2] and the current documentation. The upgrade guide is also available there [3].

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the downloads website, and packages for several distributions are available from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-2.1.0-beta1
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-2.1.0-beta1.tar.xz
[6]: https://downloads.powerdns.com/releases/dnsdist-2.1.0-beta1.tar.xz.sig
[7]: https://repo.powerdns.com

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/