Software update: PowerDNS Recursor 5.0.2
PowerDNS is a DNS server with a database as its backend, which makes managing a large number of DNS entries easy. The developers earlier decided to release the two parts that make up PowerDNS, a recursor and an authoritative nameserver, separately, so that new versions can be released faster and in a more targeted way, according to the developers.
When you perform a DNS lookup, a recursor first sends the lookup question to a DNS root server. That server can refer it to other servers, which in turn can refer it to yet other servers, and so on, until a server is reached that either knows the answer or knows that the lookup is not possible. The latter is the case when the name does not exist or the servers do not respond. The process of walking through the various authoritative servers is called recursion. The developers released PowerDNS Recursor version 5.0 at the beginning of this year, and now a first update has appeared that is meant to fix a few security problems.
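The referral-following process described above, as an added example in Python (not PowerDNS code) over a constructed delegation tree; the zone names, server names, addresses and the set of non-responding servers are all assumptions:

```python
# Added example, not PowerDNS code: a toy iterative resolver that follows
# referrals from a constructed root down to an authoritative server, as the
# article describes. All zone names, server names and addresses are made up.

# Constructed authoritative servers. Each knows its own zone's records and
# its delegations (child zone -> name server), standing in for NS + glue.
SERVERS = {
    "root": {"records": {}, "delegations": {"example.": "ns.example."}},
    "ns.example.": {"records": {"www.example.": "192.0.2.10"},
                    "delegations": {"sub.example.": "ns.sub.example."}},
    "ns.sub.example.": {"records": {"host.sub.example.": "192.0.2.20"},
                        "delegations": {}},
}
# Constructed: servers that never answer, to exercise the failure path.
DOWN = {"ns.sub.example."}


def best_delegation(server, qname):
    """Most specific delegation on `server` that covers qname, or None."""
    best = None
    for zone, ns in SERVERS[server]["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ns)
    return best


def resolve(qname, max_referrals=8):
    """Start at the root and follow referrals; returns (rcode, address, trace)."""
    trace = []
    server = "root"
    for _ in range(max_referrals):
        if server in DOWN:                       # server does not respond
            trace.append(f"{server}: no response")
            return "SERVFAIL", None, trace
        data = SERVERS[server]
        if qname in data["records"]:             # this server knows the answer
            trace.append(f"{server}: answer {data['records'][qname]}")
            return "NOERROR", data["records"][qname], trace
        deleg = best_delegation(server, qname)
        if deleg is None:                        # authoritative: name does not exist
            trace.append(f"{server}: NXDOMAIN")
            return "NXDOMAIN", None, trace
        trace.append(f"{server}: referral to {deleg[1]} for {deleg[0]}")
        server = deleg[1]
    trace.append("referral limit reached")      # guards against referral loops
    return "SERVFAIL", None, trace
```

The trace list is the equivalent of a recursor's query trace: one line per server visited, ending in an answer, a name-does-not-exist result, or a failure because a server did not respond.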
Bug Fixes
- Security advisory 2024-01: CVE-2023-50387 and CVE-2023-50868. Ref: pull request 13782

Released: 10th of January 2024, with no changes compared to the second release candidate. Version 5.0.0 was never released publicly.

Improvements
- Warn that disabling structured logging is now deprecated. Ref: #13567, pull request 13645

Bug Fixes
- Fix handling of RUNTIME_DIRECTORY and NOD dirs. Ref: #13588, #13612, pull request 13646

Improvements
- Remove experimental warnings for YAML. Ref: pull request 13557
- Disallow (by answering Refused) RD=0 by default. Ref: #13386, pull request 13507
- Make syncres code clang-tidy. Ref: pull request 13434
- Introduce a setting to allow RPZ duplicates, including a dup handling fix. Ref: #12842, pull request 13501
- Update new b-root-server.net addresses in built-in hints. Ref: pull request 13387
- Change default of nsec3-max-iterations to 50. Ref: pull request 13478
- Warn if truncation occurred dumping the trace. Ref: pull request 13477

Bug Fixes
- A single NSEC3 record covering everything is a special case. Ref: #13542, pull request 13543
- Document outgoing query counts better, including a small fix. Ref: #13463, pull request 13511
- Take into account throttled queries when determining if we had a cache hit. Ref: #13483, pull request 13497
- Correctly apply outgoing.tcp_max_queries bound. Ref: #13467, pull request 13480

Improvements
- Be more memory efficient handling RPZ updates. Ref: pull request 13462
- Change default of extended-resolution-errors setting to true. Ref: pull request 13464
- Move a few settings from recursor to outgoing section. Ref: pull request 13455
- For structured logging always log addresses including port. Ref: pull request 13446
- Teach configure to check for cargo version and require >= 1.64. Ref: pull request 13438
- Tidy cache and only copy values if non-expired entry was found. Ref: #12612, pull request 13410
- Add endbr64 instructions in the right spots for OpenBSD/amd64. Ref: #13430, pull request 13430, pull request 13432
- Handle stack memory on NetBSD as on OpenBSD (Tom Ivar Helbekkmo). Ref: pull request 13408

Bug Fixes
- Fix ubsan error: using a value of 80 for bool. Ref: pull request 13468
- Handle serve stale logic in getRootNXTrust(). Ref: #13383, pull request 13409

Improvements
- Convert API managed config from old style to YAML if YAML settings are active. Ref: #12679, #13233, pull request 13362
- If we miss glue, but not for all NS records, try to resolve the missing address records. Ref: pull request 13364
- Make QName Minimization parameters from RFC 9156 settable. Ref: pull request 13296
- Conform to RFC 2181 10.3: don't allow NS records to point to aliases. Ref: pull request 13312
- Do not use Qname Minimization for infra-queries. Ref: #8646, pull request 13295
- Implement probabilistic un-throttle. Ref: pull request 13289
- Put files generated by settings/generate.py into tarball so package builds do not have to run it. Ref: pull request 13290
- Fix packetcache submit refresh task logic. Ref: #13266, pull request 13278
- Allow loglevel to be set to levels < 3. Ref: #13264, pull request 13277
- Move tcp-in processing to dedicated thread(s). Ref: #8394, pull request 13195

Bug Fixes
- If serving stale, wipe CNAME records from cache when we get a NODATA negative response for them. Ref: #12395, pull request 13353
- Fix Coverity 1522436 potential dereference of null return value. Ref: pull request 13363
- Fix log messages text and levels. Ref: pull request 13303, pull request 13311
- Fix sysconfdir handling in new settings code. Ref: #13259, pull request 13276
- Fix Coverity 1519054: Using invalid iterator. Ref: pull request 13250

Improvements
- Rewrite settings code, introducing YAML settings file, using Rust and generated code to implement YAML processing. Ref: pull request 13008
- Make aggressive cache pruning more effective and more fair. Ref: pull request 13209
- Remove make_tuple and make_pair (Rosen Penev). Ref: pull request 13208
- Rec: fix a few unused argument warnings (depending on features enabled). Ref: pull request 13190
- Change the default for building with net-snmp from auto to no. Ref: pull request 13168
- Channel: Make the blocking parameters of the object queue explicit. Ref: #13147, pull request 13155
- Do not assume the records are in a particular order when determining if an answer is NODATA. Ref: pull request 13102
- Document default for webserver-loglevel (Frank Louwers). Ref: pull request 13111
- Remove unused sysv init files. Ref: pull request 13087
- Fixes a few performance issues reported by Coverity. Ref: pull request 13092
- Highlight why regression tests failed with github annotation (Josh Soref). Ref: pull request 13074
- Switch from deprecated ::set-output (Josh Soref). Ref: pull request 13073
- Use backticks in rec_control(1) (Josh Soref). Ref: pull request 13067
- Clarify why bulktest is failing (Josh Soref). Ref: pull request 13068
- Set TTL in getFakePTRRecords. Ref: #13011, pull request 13043
- Update settings.rst: clarify edns-subnet-allow-list (Seth Arnold). Ref: pull request 13032
- Dnsheader: Switch from bitfield to uint16_t whenever possible. Ref: pull request 13026
- Clarify log message for NODATA/NXDOMAIN without AA (Håkan Lindqvist). Ref: pull request 12805
- Use arc4random only for random values. Ref: pull request 12913, pull request 12931, pull request 12999, pull request 13001, pull request 13022, pull request 13175, pull request 15197
- Update base Debian version in Docker docs (Italo Cunha). Ref: pull request 12851
- Delint pdns recursor.cc. Ref: pull request 12917
- Include qname when logging skip of step 4 of qname minimization (Doug Freed). Ref: pull request 12957
- Fix a set of move optimizations, as suggested by Coverity. Ref: pull request 12952
- Silence Coverity 1462719 Unchecked return value from library. Ref: pull request 12934
- Fix compile warnings. Ref: pull request 12930
- Dns random: add method to get full 32-bits of randomness. Ref: pull request 12913
- Reformat and delint arguments.cc and arguments.hh. Ref: pull request 12808

Bug Fixes
- Remove Before=nss-lookup.target line from unit file. Ref: pull request 13210
- TCPIOHandler: Fix a race when creating the first TLS connections. Ref: pull request 13167
- Rec: Include cstdint in mtasker_ucontext.cc, noted by @zeha. Ref: pull request 13174
Source: Tweakers.net