CVE-2023-22617: Changelogs for 4.8.X — PowerDNS Recursor documentation
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.
4.8.1
Released: 20th of January 2023
Bug Fixes
Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.
References: pull request 12442
4.8.0-beta2
Released: 7th of November 2022
Improvements
Only replace protobuf logger config objects if the reload changed them.
References: #12063, pull request 12146
Be more lenient replacing auth by non-auth records in cache.
References: #12140, pull request 12150
Bug Fixes
Fix SNMP OID numbers for rcode stats.
References: #12155, pull request 12163
Implement output operator for QTypes, avoids numeric qtypes in trace logs.
References: #12122, pull request 12162
Handle IXFR connect and transfer timeouts.
References: #12125, pull request 12161
Log invalid RPZ content when obtained via IXFR.
References: #12081, pull request 12145
Detect invalid bytes in makeBytesFromHex().
References: #12066, pull request 12147
4.8.0-beta1
Released: 5th of October 2022
Improvements
Add support for NOD/UDR notifications using dnstap.
References: pull request 12047
Protobuf and dnstap metrics, including rec_control subcommand to show them.
References: #11841, pull request 11903, pull request 12049
Provide metrics for rcode received from authoritative servers.
References: #7164, pull request 11949
Proxymapping metrics, including rec_control subcommand to show them.
References: #11648, pull request 11866
Add querytime attribute to Lua DNSQuestion object, to see the time a query was received.
References: pull request 11909
Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).
References: #11766, pull request 11768
Improve error message when invalid values for local-address are provided in recursor config file.
References: pull request 11989
Enable SNMP support for Debian and Ubuntu builds.
References: #11999, pull request 12011
Warn if snmp-agent is set but SNMP support is not available.
References: #11998, pull request 12009
A few tweaks to structured logging calls.
References: pull request 11959
Bug Fixes
Fix --config (should be equal to --config=default), followup to #11907.
References: pull request 12048
Fix compilation of the event ports multiplexer.
References: #12044, pull request 12046
When an expired NSEC3 entry is seen move it to the front of the expiry queue.
References: pull request 12038
If new data is auth and existing data is not, replace even if cache locking is active.
References: #11958, pull request 12027
4.8.0-alpha1
Released: 23rd of September 2022
Improvements
Lock record cache entries if enabled by record-cache-locked-ttl-perc.
References: pull request 11958
Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).
References: pull request 11957
Axfr-retriever: abort on chunk with TC set.
References: #11804, pull request 11953
Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).
References: pull request 11955
Recursor: Add --config[=check|=diff|=default].
References: pull request 11907
Implement optional Serve stale functionality, enabled by serve-stale-extensions…
References: pull request 11776
Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).
References: pull request 11906
Log socket directory path if there is a problem.
References: pull request 11800
Handle Lua script loading errors.
References: pull request 11823
Stop sending Server: header (Chris Hofstaedtler).
References: #4979, pull request 11813
Keep time and count metrics when maintenance is called.
References: #6981, pull request 11869
Consider dns64 processing in more cases than Rcode == NoError.
References: pull request 11849
Set rec_control_LDFLAGS, needed for MacOS or any platforms where libcrypto is not in default lib path.
References: #11855, pull request 11857
Replace/remove jQuery (Chris Hofstaedtler).
References: pull request 11812
Remove unused jsrender.js (Chris Hofstaedtler).
References: pull request 11811
Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.
References: #11736, pull request 11780
Set TCP_NODELAY on in and outgoing TCP.
References: #11734, pull request 11754
Remove > 5 check on TTL of glue from the cache.
References: pull request 11744
Structured logging for various subsystems.
References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854
Make edns table a sparse table.
References: pull request 11704, pull request 11779
Shared ednsmap.
References: pull request 11601
Load IPv6 entries from etc-hosts file.
References: #2248, pull request 11682
Use systemd-journal for structured logging if it is available and set by structured-logging-backend.
References: #11705, #11706, pull request 11660, pull request 11709
Fix typos in stats log messages (Matt Nordhoff).
References: #11654, #11671, pull request 11671, pull request 11680
Shared throttle map.
References: pull request 11598
Adaptive root refresh interval, normally at 80% of max-cache-ttl.
References: pull request 11381
Bug Fixes
Libssl: Properly load ciphers and digests with OpenSSL 3.0.
References: #11853, pull request 11862
rec_control: test for --version before requiring an argument.
References: #11864, pull request 11867
Make rec zone files with trailing dot (phonedph1).
References: pull request 11672
Handle file related errors initially loading Lua script.
References: #10079, #11818, pull request 11820