Subject: CVS commit: pkgsrc/net/powerdns-recursor
From: Adam Ciarcinski
Date: 2019-02-20 13:19:44
Message id: 20190220121944.A2956FB16@cvs.NetBSD.org
Log Message:
powerdns-recursor: updated to 4.1.11
4.1.11
Since Spectre/Meltdown, system calls have become more expensive. This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message.
Improvements
Add an option to export only responses over protobuf to the Lua protobufServer() directive.
Reduce systemcall usage in protobuf logging.
4.1.10
This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you’re installing it as a package from our repositories.
Bug Fixes
PowerDNS Recursor release 4.1.9 introduced a call to the Lua ipfilter() hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.
4.1.9
This release fixes Security Advisory 2019-01 and Security Advisory 2019-02 that were recently discovered, affecting PowerDNS Recursor:
CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8;
CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.
The issues are:
CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua;
CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
Improvements
Try another worker before failing if the first pipe was full
Files: