Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: pdns-recursor | Distribution: openSUSE Tumbleweed |
Version: 5.1.2 | Vendor: openSUSE |
Release: 1.1 | Build date: Tue Nov 5 02:41:30 2024 |
Group: Productivity/Networking/DNS/Servers | Build host: reproducible |
Size: 10387532 | Source RPM: pdns-recursor-5.1.2-1.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://www.powerdns.com/ | |
Summary: Modern, advanced and high performance recursing/non authoritative nameserver |
PowerDNS Recursor is a non authoritative/recursing DNS server. Use this package if you need a dns cache for your network. Authors: -------- http://www.powerdns.com
GPL-2.0-or-later
* Tue Nov 05 2024 Marcus Rueckert <mrueckert@suse.de> - update to 5.1.2 (boo#1231292 CVE-2024-25590) https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1.2 - drop powerdns-5_1_1-2_fix-build-with-boost-1_86_0.patch included in update * Sun Sep 29 2024 Marcus Rueckert <mrueckert@suse.de> - update to 5.1.1 https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1.1 https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.8 - add powerdns-5_1_1-2_fix-build-with-boost-1_86_0.patch from arch linux to fix building with boost 1.86 - refreshed cargo_build_fix.patch - track series file for easier patching - no more conf.dist file. I think we should switch the default config in the package to the yaml format maybe * Sat May 25 2024 Andreas Stieger <andreas.stieger@gmx.de> - update to 5.0.5: * Do not count RRSIGs using unsupported algorithms toward RRSIGs limit * Correctly count NSEC3s considered when chasing the closest encloser. * Let NetmaskGroup parse dont-throttle-netmasks, allowing negations. * Fix types of two YAML settings (incoming.edns_padding_from, incoming.proxy_protocol_from) that should be sequences of subnets * Fix trace=fail regression and add regression test for it * Wed Apr 24 2024 Adam Majer <adam.majer@suse.de> - update to 5.0.4: * fixes a case when a crafted responses can lead to a denial of service in Recursor if recursive forwarding is configured (bsc#1223262, CVE-2024-25583) - changes in 5.0.3 * Log if a DNSSEC related limit was hit if log_bogus is set * Reduce RPZ memory usage by not keeping the initially loaded RPZs in memory * Fix the zoneToCache regression introduced by 5.0.2 security update * Tue Feb 13 2024 Adam Majer <adam.majer@suse.de> - update to 5.0.2 * fixes crafted DNSSEC records in a zone can lead to a denial of service in Recursor https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html (bsc#1219823, bsc#1219826, CVE-2023-50387, CVE-2023-50868) * Fri Feb 09 2024 Adam Majer <adam.majer@suse.de> 5.0.1 - update to 5.0.1 https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.1 For upgrade from 4.9.x, see https://doc.powerdns.com/recursor/upgrade.html#to-5-0-0-and-master - cargo_build_fix.patch: add cargo_build parameters to Makefile... * Fri Aug 25 2023 Adam Majer <adam.majer@suse.de> 4.9.1 - update to 4.9.1 * The setting of policy tags for packet cache hist has been fixed. Previously, packet cache hits would not contain policy tags set in the Lua gettags(-ffi) intercept functions. * The retrieval of RPZ zones could fail in situations where a read of the chunk length from the IXFR TCP stream would produce an incomplete result. - enable DSN-over-TLS (DoT) via OpenSSL For complete list of changes, see https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.1 For upgrades since 4.8.x and earlier, see https://doc.powerdns.com/recursor/upgrade.html * Tue Apr 04 2023 Adam Majer <adam.majer@suse.de> - update to 4.8.4 * Deterred spoofing attempts can lead to authoritative servers being marked unavailable (bsc#1209897, CVE-2023-26437) * Tue Mar 07 2023 Adam Majer <adam.majer@suse.de> 4.8.3 - update to 4.8.3 * Fix serve-stale logic to not cause intermittent high CPU load by: + correcting the removal of a negative cache entry, + correcting the serve-stale main loop regarding exception handling, + correctly handle negcache entries with serve-state status. - changes in version 4.8.2 * Make cache cleaning of record an negative cache more fair * Do not report “not decreasing socket buf size” as an error * Do not use “message” as key, it has a special meaning to systemd-journal * Add the ‘parse packet from auth’ error message to structured logging * Refresh of negcache stale entry might use wrong qtype * Do not chain ECS enabled queries * Properly encode json string containing binary data * Fri Jan 20 2023 Adam Majer <adam.majer@suse.de> - update to 4.8.1 * Avoid unbounded recursion when retrieving DS records from some misconfigured domains. (bsc#1207342, CVE-2023-22617) * Mon Dec 12 2022 Michael Ströder <michael@stroeder.com> - update to 4.8.0 with these major changes: * Structured Logging has been implemented for almost all subsystems. * Optional Serve Stale functionality has been implemented, providing resilience against connectivity problems towards authoritative servers. * Optional Record Locking has been implemented, providing an extra layer of protection against spoofing attempts at the price of reduced cache efficiency. * Internal tables used to track information about authoritative servers are now shared instead of per-thread, resulting in better performance and lower memory usage. * EDNS padding of outgoing DoT queries has been implemented, providing better privacy protection. * Metrics have been added about the protobuf and dnstap logging subsystems and the rcodes received from authoritative servers. * Fri Nov 25 2022 Michael Ströder <michael@stroeder.com> - update to 4.7.4 * Fix compilation of the event ports multiplexer. #12046, PR#12231 * Correct skip record condition in processRecords. #12198, PR#12230 * Also consider recursive forward in the “forwarded DS should not end up in negCache code.” #12189, #12199, PR#12227 * Timout handling for IXFRs as a client. #12125, PR#12190 * Detect invalid bytes in makeBytesFromHex(). #12066, PR#12173 * Log invalid RPZ content when obtained via IXFR. #12081, PR#12171 * When an expired NSEC3 entry is seen, move it to the front of the expiry queue. #12038, PR#12168 * Tue Sep 20 2022 Michael Ströder <michael@stroeder.com> - update to 4.7.3 * Improvements - For zones having many NS records, we are not interested in all so take a sample. #11904, PR#11936 - Also check qperq limit if throttling happened, as it increases counters. #11848, PR#11897 * Bug Fixes - Failure to retrieve DNSKEYs of an Insecure zone should not be fatal. #11890, PR#11940 - Fix recursor not responsive after Lua config reload. #11850, PR#11879 - Clear the caches after loading authzones. #11843, PR#11847 - Resize answer length to actual received length in udpQueryResponse. #11773, PR#11774 * Wed Aug 24 2022 Adam Majer <adam.majer@suse.de> - Bump requires to newer Boost, effectively disabling support for SLE-12 * Tue Aug 23 2022 Michael Ströder <michael@stroeder.com> - update to 4.7.2 * incomplete exception handling related to protobuf message generation. (CVE-2022-37428, bsc#1202664) * Fri Jul 08 2022 Michael Ströder <michael@stroeder.com> - update to 4.7.1 * Improvements - Allow generic format while parsing zone files for ZoneToCache. References: #11724, #11726, pull request 11750 - Force gzip compression for debian packages (Zash). #11735, PR#11740 * Bug Fixes - Run tasks from housekeeping thread in the proper way, causing queued DoT probes to run more promptly. #11692, PR#11748 * Mon May 30 2022 Michael Ströder <michael@stroeder.com> - update to 4.7.0 * A configurable way of adding Additional records to answers sent to the client, so the client does not have to ask for these records. * The step sizes for Query Minimization are now computed following to guidelines in [2]RFC 9156. * The Recursor now schedules tasks to resolve IPv6 addresses of name servers not learned by glue records. This has the consequence that, if applicable, name servers will be contacted over IPv6 more often. * An experimental implementation of unilateral [3]DoT probing. This allows the Recursor to learn if a an authoritative servers supports DoT. * Recursor has gained a way to fall back to the parent NS set if contacting servers in the child NS set does not lead to an answer. This works around some broken authoritative servers configurations. * ZONEMD validation of the zones retrieved by the [5]Zone to Cache, providing integrity guarantees for the zone retrieved. * The table recording round trip times of authoritative server IP addresses is now shared between threads to make it more effective and to reduce its memory footprint. * A Lua FFI hook for post-resolve interception: [6]postresolve_ffi, providing a very fast way to do post-resolve Lua scripting. * Mon Apr 04 2022 Michael Ströder <michael@stroeder.com> - update to 4.6.2 * Improvements - Allow disabling of processing the root hints. - References: #11283, pull request 11360 - Log an error if pdns.DROP is used as rcode in Lua callbacks. - References: #11288, pull request 11361 - A CNAME answer on DS query should abort DS retrieval. - References: #11245, pull request 11358 - Reject non-apex NSEC(3)s that have both the NS and SOA bits set. - References: #11225, pull request 11357 - Fix build with OpenSSL 3.0.0. - References: pull request 11260 - Shorter thread names. - References: #11137, pull request 11170 - Two more features to print (DoT and scrypt). - References: #11109, pull request 11169 * Bug Fixes - Be more careful using refresh mode only for the record asked. - References: #11371, pull request 11418 - Use the Lua context stored in SyncRes when calling hooks. - References: #11300, pull request 11380 - QType ADDR is supposed to be used internally only. - References: #11338, pull request 11363 - If we get NODATA on an AAAA in followCNAMERecords, try native dns64. - References: #11327, pull request 11362 - Initialize isNew before calling a exception throwing function. - References: #11257, pull request 11359 * Mon Mar 28 2022 Adam Majer <adam.majer@suse.de> - fix building against sle-12 backports with gcc-9 - remove obsolete BR on protobuf - add bundled information to the spec file - boost_context.patch: Boost.Context detection fix on SLE12 * Fri Mar 25 2022 Adam Majer <adam.majer@suse.de> - update to 4.6.1 fixes incomplete validation of incoming IXFR transfer in the Recursor. It applies to setups retrieving one or more RPZ zones from a remote server if the network path to the server is not trusted. (bsc#1197525, CVE-2022-27227) * Fri Dec 17 2021 Michael Ströder <michael@stroeder.com> - update to 4.6.0 Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes: * The ability to flush records from the caches on a incoming notify requests. * A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders. * Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way. * A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone. * An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name. * Fri Nov 05 2021 Michael Ströder <michael@stroeder.com> - update to 4.5.7: * A SHA-384 DS should not trump a SHA-256 one, only potentially ignore SHA-1 DS records. References: #10908, pull request 10912 * rec_control wipe-cache-typed should check if a qtype arg is present and valid. References: #10905, pull request 10911 * Put the correct string into appliedPolicyTrigger for Netmask matching rules. References: #10842, pull request 10863 * Mon Oct 11 2021 Michael Ströder <michael@stroeder.com> - update to 4.5.6: * Bug Fixes - fixes to the way RPZ updates are handled - fix to a case where traffic to a forwarder could be throttled while it should not. - fixed few minor DNSSEC validation issues - fix for case where the combining of equivalent queries wasn't effective were resolved * Fri Jul 30 2021 Michael Ströder <michael@stroeder.com> - update to 4.5.5: * Improvements - Work around clueless servers sending AA=0 answers. References: #10555, pull request 10564 * Bug Fixes - Ancestor NSEC3s can only deny the existence of a DS. References: #10587, pull request 10593 - Make really sure we did not miss a cut on validation failure. References: #10570, pull request 10575 - Clear the current proxy protocol values each iteration. References: #10515, pull request 10573 * Mon Jul 05 2021 Wolfgang Rosenauer <wr@rosenauer.org> - update to 4.5.4: * Make sure that we pass the SOA along the NSEC(3) proof for DS queries. * Fri Jun 25 2021 Adam Majer <adam.majer@suse.de> - no longer supports 32-bit arches -- requiers 64-bit time_t - specfile cleanup - drop initrd cases - build-require gcc7 on SLE-12 variant * Wed Jun 09 2021 Michael Ströder <michael@stroeder.com> - update to 4.5.2: * default value of nsec3-max-iterations[1] has been lowered to 150 * fixed issue affecting the "refresh almost expired" function * Tue May 11 2021 Michael Ströder <michael@stroeder.com> - update to 4.5.1: - Main changes: * Dropped support for 32-bit platforms! * Rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . * Added implementation of EDNS0 padding (RFC 7830) for answers sent to clients. * Added implementation of RFC 8198[2]: Aggressive use of DNSSEC-Validated Cache. * Added a cache of non-resolving nameservers. * Re-worked negative cache that is shared between threads. * Added support for Extended DNS Errors (RFC 8914[5]). * A "refresh almost expired records" (also called "refetch") mechanism[8] has been introduced to keep the record cache warm. - Other new features and improvements: * The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact. * We have introduced non-offensive synonyms for words used in settings. See the upgrade[9] guide. * The default minimum TTL[10] override has been changed from 0 to 1. * The spoof-nearmiss-max setting[11]'s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks. * Incoming queries over TCP now also use the packet cache, providing another performance increase. * File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name. * TCP FastOpen (RFC 7413[12]) support for outgoing TCP connections to authoritative servers and forwarders. * Wed Mar 31 2021 Adam Majer <adam.majer@suse.de> - update to 4.4.3: Improvements Use a short-lived NSEC3 hashes cache for denial validation. References: #9856, pull request 10221 Bug Fixes More fail-safe handling of Newly Discovered Domain files. Handle policy (if needed) after postresolve. Return current rcode instead of 0 if there are no CNAME records to follow. Lookup DS entries before CNAME entries. Handle failure to start the web server more gracefully. Test that we correctly cap the answer’s TTL in expanded wildcard cases. Fix the gathering of denial proof for wildcard-expanded answers. Make sure we take the right minimum for the packet cache TTL data in the SERVFAIL case. For details see, https://doc.powerdns.com/recursor/changelog/4.4.html#change-4.4.3
/etc/pdns/recursor.conf /etc/pdns/recursor.yml-dist /usr/lib/systemd/system/pdns-recursor.service /usr/lib/systemd/system/pdns-recursor@.service /usr/sbin/pdns_recursor /usr/sbin/rcpdns-recursor /usr/sbin/rec_control /usr/share/doc/packages/pdns-recursor /usr/share/doc/packages/pdns-recursor/README /usr/share/licenses/pdns-recursor /usr/share/licenses/pdns-recursor/COPYING /usr/share/man/man1/pdns_recursor.1.gz /usr/share/man/man1/rec_control.1.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Nov 13 00:41:02 2024