./net/powerdns-recursor, PowerDNS resolver/recursing nameserver

Branch: CURRENT, Version: 4.1.8, Package name: pdns-recursor-4.1.8

The PowerDNS recursor is part of the source tarball of the main PowerDNS
distribution, but it is released separately. Starting from the version 3.0
pre-releases, there are zero known bugs or issues with the recursor. It is
known to power the resolving needs of over 2 million internet connections.

PowerDNS recursor can get names from /etc/hosts.

Required to build:
[devel/boost-headers] [pkgtools/cwrappers]

   2018-11-30 13:57:42 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
powerdns-recursor: updated to 4.1.8

Recursor 4.1.8
Crafted query can cause a denial of service (CVE-2018-16855)

Recursor 4.1.7
Revert ‘Keep the EDNS status of a server on FormErr with EDNS’
Refuse queries for all meta-types

Recursor 4.1.6
Revert “rec: Authority records in AA=1 CNAME answer are authoritative”.

Recursor 4.1.5

PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
PowerDNS Security Advisory 2018-07 (CVE-2018-14644)

Add pdnslog to lua configuration scripts (Chris Hofstaedtler)
Fix compilation with libressl 2.7.0+
Export outgoing ECS value and server ID in protobuf (if any)
Switch to devtoolset 7 for el6
Allow the signature inception to be off by a number of seconds (Kees Monshouwer)

Bug Fixes
Crafted answer can cause a denial of service (CVE-2018-10851)
Packet cache pollution via crafted query (CVE-2018-14626)
Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
Delay the creation of rpz threads until we have dropped privileges
Cleanup the netmask trees used for the ecs index on removals
Make sure that the ecs scope from the auth is < to the source
Authority records in aa=1 cname answer are authoritative
Avoid a memory leak in catch-all exception handler
Don’t require authoritative answers for forward-recurse zones
Release memory in case of error in the openssl ecdsa constructor
Convert a few uses to toLogString to print DNSName’s that may be empty in a safer manner
Avoid a crash on DEC Alpha systems
Clear all caches on (N)TA changes

   2018-09-04 12:22:38 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
net/powerdns-recursor: Update to 4.1.4.


- Split pdns_enable_unit_tests.
- Add a new max-udp-queries-per-round setting.
- Fix warnings reported by gcc 8.1.0.
- Tests: replace awk command by perl.
- Allow the snmp thread to retrieve statistics.

Bug Fixes

- Don’t account chained queries more than once.
- Make rec_control respect include-dir.
- Load lua scripts only in worker threads.
- Purge all auth/forward zone data including subtree.

   2018-05-23 12:34:58 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
net/powerdns-recursor: Update to 4.1.3.

- Add a subtree option to the API cache flush endpoint.
- Use a separate, non-blocking pipe to distribute queries.
- Move carbon/webserver/control/stats handling to a separate thread.
- Add _raw versions for QName / ComboAddresses to the FFI API.
- Update copyright years to 2018
- Fix a warning on botan >= 2.5.0.

Bug Fixes
- Count a lookup into an internal auth zone as a cache miss.
- Don’t increase the DNSSEC validations counters when running with
- Respect the AXFR timeout while connecting to the RPZ server.
- Increase MTasker stacksize to avoid crash in exception unwinding
- Use the SyncRes time in our unit tests when checking cache validity
- Add -rdynamic to C{,XX}FLAGS when we build with LuaJIT.
- Delay the loading of RPZ zones until the parsing is done, fixing a
  race condition.
- Reorder includes to avoid boost L conflict.

   2018-04-05 10:15:02 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
net/powerdns-recursor: Update to 4.1.2.

New Features
- Add FFI version of gettag().

- Add the option to set the AXFR timeout for RPZs.
- IXFR: correct behavior of dealing with DNS Name with multiple
  records and speed up IXFR transaction.
- Add RPZ statistics endpoint to the API.

Bug Fixes
- Retry loading RPZ zones from server when they fail initially.
- Fix ECS-based cache entry refresh code.
- Fix ECS-specific NS AAAA not being returned from the cache.

   2018-01-22 20:21:46 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update net/powerdns-recursor to 4.1.1.

- Don't process records for another class than IN

Bug Fixes
- Correctly handle ancestor delegation NSEC{,3} for children.
- Fix the computation of the closest encloser for positive answers.
- Pass the correct buffer size to arecvfrom().
- Fix to make primeHints threadsafe, otherwise there's a small chance
  on startup that the root-server IPs will be incorrect.
- Don't validate signature for "glue" CNAME, since anything else than
  the initial CNAME can't be considered authoritative.

   2018-01-02 13:23:55 by Filip Hajny | Files touched by this commit (7) | Package updated
Log message:
Update net/powerdns-recursor to 4.1.0.
Lua support no longer optional.

PowerDNS Recursor 4.1.0

- Improved DNSSEC support
- Improved documentation
- Improved RPZ support
- Improved EDNS Client Subnet support
- Support for Botan 2.x (and removal of support for Botan 1.10)
- SNMP support
- Lua engine has gained access to more parts of the recursor
- CPU affinity can now be specified
- TCP Fast Open support
- New performance metrics

Full changelog:


PowerDNS Recursor 4.0.7

- Insufficient validation of DNSSEC signatures (CVE-2017-15090)
- Cross-Site Scripting in the web interface (CVE-2017-15092)
- Configuration file injection in the API (CVE-2017-15093)
- Memory leak in DNSSEC parsing (CVE-2017-15094)

Bug fixes
- Update rec_control manpage
- Check in the detected OpenSSL/libcrypto for ECDSA
- Make more specific Netmasks < to less specific ones
- Fix validation at the exact RRSIG inception or expiration time
- Lowercase all outgoing qnames when lowercase-outgoing is set
- Fix libatomic detection on ppc64
- Edit configname definition to include the 'config-name' argument

- Extract nested exception from Luawrapper
- Use explicit yes for default-enabled settings
- Throw an error when lua-conf-file can't be loaded
- get-remote-ring's "other" report should only have two items.
- PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet
- Only increase no-packet-error on the first read
- Add support for Botan 2.x
- Add more information to recursor cache dumps
- Fix typo in two log messages
- Add help text on autodetecting systemd support
- Be more resilient with broken auths
- Remove pdns.PASS and pdns.TRUNCATE
- Improve dnsbulktest experience in travis for more robustness
- Create socket-dir from init-script
- b.root renumbering, effective 2017-10-24
- Don't retry security polling too often when it fails

   2017-09-03 10:53:18 by Thomas Klausner | Files touched by this commit (165)
Log message:
Follow some redirects.

   2017-08-02 22:15:42 by Filip Hajny | Files touched by this commit (4) | Package updated
Log message:
Update net/powerdns-recursor to 4.0.6

Bug fixes
- Use the incoming ECS for cache lookup if use-incoming-edns-subnet is
- when making a netmask from a comboaddress, we neglected to zero the
  port. This could lead to a proliferation of netmasks.
- Don't take the initial ECS source for a scope one if EDNS is off
- also set d_requestor without Lua: the ECS logic needs it
- Fix IXFR skipping the additions part of the last sequence
- Treat requestor's payload size lower than 512 as equal to 512
- make URI integers 16 bits, fixes ticket #5443
- unbreak quoting

- EDNS Client Subnet becomes compatible with the packet cache, using
  the existing variable answer facility.
- Remove just enough entries from the cache, not one more than asked
- Move expired cache entries to the front so they are expunged
- changed IPv6 addr of b.root-servers.net
- e.root-servers.net has IPv6 now
- hello decaf signers (ED25519 and ED448)
- don't use the libdecaf ed25519 signer when libsodium is enabled
  (Kees Monshouwer)
- do not hash the message in the ed25519 signer (Kees Monshouwer)
- Disable use-incoming-edns-subnet by default