Hello everybody,

Today we are releasing the first release candidate of version 4.0.5 of the 
PowerDNS Recursor. The most important change is the addition of the KSK-2017, the 
new root key for DNSSEC, that will be used to sign the root starting October 
11th 2017 (read more about the keyroll[1]). If you do DNSSEC validation, 
upgrading is **mandatory** to continue to validate DNSSEC after October 11th 
2017! Also on the DNSSEC front, Kees Monshouwer added support for validating 
ed25519 (algorithm 15) signatures when linked against libsodium. Packages 
supplied by us have this support enabled.

The RPZ module has also seen a steady number of improvements, including support 
for RPZ wildcard target names and several stability and performance 
improvements.

A changelog with clickable links is available[2]; the changelog looks like this:

Bug fixes
 * commit bdaa8ad: Only check the netmask for subnet specific cache entries
 * commit 233e144: Fix a race condition when (re)priming the root
 * commit 3642cb3: Don't age the root
 * commit 83f9226: Fix exception when sending a protobuf message for an empty question
 * commit 86c4ed0: Clear the RPZ NS IP table when clearing the policy
 * commit ffdd813: LuaWrapper: Allow embedded NULs in strings received from Lua
 * commit 5e660e9: Fix cache-only queries against a forward-zone
 * commit c5ffd90: Fix coredumps on illumos/SmartOS (Roman Dayneko)
 * commit 651c0e9: StateHolder: Allocate (and copy if needed) before taking the lock
 * commit 5bec36e: Make sure labelsToAdd is not empty in getZoneCuts()
 * commit 547d68f: SuffixMatchNode: Fix insertion issue for an existing node
 * commit 2875033: rec: only delegate if NS's are below apex in auth-zones
 * commit e7c183d: remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, to address ticket #4799
 * commit af76224: Lowercase the TSIG algorithm name in hash computation
 * commit 3ada4e2: Fix negative port detection for IPv6 addresses on 32-bit
 * commit 0f59e05: Wait until after daemonizing to start the outgoing protobuf thread

Additions and Enhancements
 * commit 7705e1c: Add support for RPZ wildcarded target names
 * commit 1909556: Add the 2017 root key
 * commit dff1a11: Refuse to start with chroot set in a systemd env
 * commit abfe671 and commit 7abbb2c: Update Ed25519 algorithm number and mnemonic and hook up to the Recursor (Kees Monshouwer)
 * commit a052d53: Store the RPZ policies in an unordered_map instead of a map
 * commit 5a38a56: Handle exceptions raised by closesocket()
 * commit 064444d and commit ef43662: Update the rec_control(1) manpage (phonedph1)
 * commit 94e6e8a: RPZ: log additions/removals at debug, not info
 * commit b627731: Unconfuse the RPZ summary
 * commit 502a850: g.root-servers.net added IPv6 (Kevin Otte)
 * commit 7a2a645: Log outgoing queries / incoming responses via protobuf

Tarballs[3] (sig[4]) and packages[5] for different operating systems can be 
downloaded from the downloads website. The packages are versioned so that users 
of the 4.0.x repositories can download and install them (using dpkg -i or rpm 
-U) and when the final release of 4.0.5 is added to the repositories, the 
package will be upgraded to the version in the repository.

Please test these packages and provide feedback.

Best regards,

Pieter and the PowerDNS team

1 - https://www.icann.org/resources/pages/ksk-rollover/#timeline
2 - https://doc.powerdns.com/md/changelog/#powerdns-recursor-405
3 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.5-rc1.tar.bz2
4 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.5-rc1.tar.bz2.sig
5 - https://downloads.powerdns.com/releases/packages/pdns-recursor-4.0.5-rc1/

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
