- Version 1.2.9a fixes a bug in the 1.2.9 release that causes a build failure when pdnsd is configured with --enable-strict-rfc2181. Unless you use this option to compile pdnsd, there is no need to upgrade from 1.2.9 to 1.2.9a.
- Version 1.2.9 has support for many additional RR types, in particular those needed for DNSSEC (though no support for the DNSSEC protocol itself yet in pdnsd). Caching data structures are now more efficient when they only store the most commonly used RR types. There is fine-grained configurability over which RR types are cacheable. pdnsd now has support for EDNS (Extension mechanisms for DNS), although its usefulness is currently limited to enabling UDP messages larger than 512 bytes. Defining local TXT records in the configuration file is now supported. A new configuration option provides a fix in case the query uptest fails due to remote servers ignoring empty queries. Several bugs have been fixed, including a UDP socket descriptor leak that affected the FreeBSD platform, and an IPv6 port binding bug.
- Version 1.2.8 implements support for automatic discovery of root servers. There are also some improvements in the resolver and a new default setting for the neg_rrs_pol configuration option.
- Version 1.2.7-par fixes some security problems. It contains a fix for a "dangling pointer" bug that could cause pdnsd to crash when it received a long reply. It also addresses some of the issues raised in the CERT vulnerability note VU#800113 by making the default of query_port_start equal to 1024, thereby ensuring that source ports are randomly selected by the pdnsd resolver in the range 1024-65535. This release also fixes problems with compiling pdnsd for the ARM architecture and for the Darwin platform (Mac OS X). There are a number of (minor) new features. pdnsd now supports "include" files, essentially configuration files that only contain definitions for local records. It is now possible to define interactively, using pdnsd-ctl, any local record that can be defined in a configuration file.
- Version 1.2.6-par has an upgraded license: GPL version 3. A bug has been fixed which caused pdnsd to handle NXDOMAIN replies inefficiently when configured with neg_domain_pol=on. Also the code for the ping test has been fixed, which was broken for 64-bit systems. A new option randomize_servers can be used to give each server in a section of the configuration file an equal chance of being queried. The new options reject, reject_policy and reject_recursively make it possible to check for the presence of certain IP addresses in the replies of name servers and to correct some types of unwanted replies or to censor these IP addresses. The pdnsd-ctl 'add a' and 'add aaaa' commands now allow multiple IP addresses to be specified for the same name. There are some further improvements to pdnsd's recursive resolver.
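As an added example (not a file shipped with pdnsd), the following pdnsd.conf fragment combines the options described in the 1.2.7-par and 1.2.6-par entries above: an explicit source-port range for outgoing queries, uptest=query, randomize_servers, and the reject options for filtering unwanted addresses out of replies. All IP addresses are constructed placeholders from the TEST-NET-1 range; adjust cache_dir and run_as to your installation.

```conf
global {
    perm_cache = 2048;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";          # run as an unprivileged user
    strict_setuid = on;        # on Linux, switch uid in the main thread too
    server_ip = 127.0.0.1;     # only answer clients on this host
    status_ctl = on;           # needed for pdnsd-ctl
    query_method = udp_tcp;    # UDP first, retry over TCP if truncated
    # Random source ports in 1024-65535 (the 1.2.7-par default, stated
    # explicitly here); a wide range makes reply spoofing harder.
    query_port_start = 1024;
    query_port_end = 65535;
    min_ttl = 15m;             # time units m, h, d, w are accepted
    max_ttl = 1w;
    neg_domain_pol = on;
}

server {
    label = "upstream";
    ip = 192.0.2.1, 192.0.2.2;   # constructed placeholder addresses
    randomize_servers = on;      # give each server an equal chance
    uptest = query;              # availability test: send a real query
    interval = 10m;
    timeout = 4;
    # Replies containing this address are treated as unwanted (for example
    # an upstream that redirects nonexistent names to a search page).
    # reject_policy=negate turns such a reply into a negative answer;
    # reject_policy=fail would make the query fail instead.
    reject = 192.0.2.100;        # constructed placeholder address
    reject_policy = negate;
    reject_recursively = on;     # apply the reject check recursively
}
```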
- Version 1.2.5-par introduces a new query method: udp_tcp. With this method a UDP query is tried first and, if the UDP answer is truncated, the query is repeated using TCP, which is the behaviour that seems to be recommended by the DNS standards. There is a new configuration option use_nss, which can be turned off to prevent lengthy timeouts and stalls in certain situations. A bug has been fixed which could cause pdnsd to crash if debug output was generated before the debug output stream was properly initialized.
- In version 1.2.4-par a memory leak and a minor buffer-overflow problem have been fixed. There is now a fix for some situations that would previously cause pdnsd to exit prematurely (such as ACPI S3 sleep or trying to attach strace to pdnsd). Time intervals specified in the configuration file can now be expressed in minutes, hours, days and weeks as well as seconds. Support for Apple Mac OS X v10.4 Tiger has been improved. The "pdnsd-ctl status" command now also provides some information about the status of the running threads. There are some further improvements in the debugging information provided by pdnsd. TCP-query support is now compiled in by default (but can still be disabled using the configure option --disable-tcp-queries).
- In version 1.2.3-par the "pdnsd-ctl empty-cache" command can be provided with an include/exclude list, allowing the user to specify a selection of names to be removed, instead of emptying the cache completely. Additional improvements: pdnsd should now remain responsive while executing the "pdnsd-ctl empty-cache" command. With the query_method=tcp_udp option pdnsd will now also try a UDP query after a TCP connection times out, which should allow pdnsd to resolve the same names with query_method=tcp_udp as with query_method=udp_only, although perhaps with an occasional delay. "pdnsd-ctl config" or "pdnsd-ctl server" commands should now run without delays, even if pdnsd is performing ping or query uptests at the time. A problem with resolving certain names using root servers has been fixed.
- Version 1.2.2-par has a number of important portability improvements. A bug has been fixed that prevented pdnsd from compiling successfully on some 64-bit architectures. The code for determining endianness (most significant or least significant byte first) should now be more portable. This release has (experimental) support for the Darwin (Apple Mac OS X) platform. On Linux systems, the configure script will now try to detect automatically whether the system implements the Native POSIX Thread Library, but the method used may not necessarily be foolproof. In addition, the debug features have been improved and should make it easier to find out why pdnsd considers some queries or replies malformed.
- Version 1.2.1-par has improved support for non-Linux platforms. This release has (experimental) support for the Cygwin platform, and should also fix some compilation glitches that have been reported by FreeBSD users.
- Version 1.2-par is a new and improved version of pdnsd! Most of the changes affect the internal workings of pdnsd, but there are also a number of interesting new features (well, I think they are interesting). Among the bugs fixed are two rather nasty ones which involve the handling of NXT and NAPTR records and which can cause pdnsd to crash or abort. The new features include a new server availability test which can be specified with uptest=query, support for reading the DNS configuration from resolv.conf files, a new option for optimizing the use of root servers, a new option that makes defining local records for reverse resolving easier, support for defining wildcard records, a new pdnsd-ctl command for reloading the config file without restarting pdnsd, and a new pdnsd-ctl command for dumping information about the names stored in the cache. The documentation has also been updated: there is now a pdnsd.conf man page. For a more complete list of the changes I'll have to refer you to README.par and the ChangeLog.
- Version 1.1.11a-par contains a fix for FreeBSD users that bypasses a problem with the macro ENONET, which can cause a compilation failure when it is undefined. Linux users will notice no difference between 1.1.11a-par and 1.1.11-par.
- Version 1.1.11-par has a rather large number of small changes, which are rather difficult to summarize. Among the bugs fixed are a race condition in the cache lookup code, a flaw in the code that caused a busy spin when a remote server answered with "Not Implemented", and problems with the -4 and -6 command-line options. Among the improvements are an alternative sorting algorithm which should allow pdnsd to start up faster when reading a large cache file from disk, automatic mapping of IPv4 to IPv6 addresses when running in IPv6 mode, somewhat more efficient memory use, better compression of the replies and changes in the parallel querying algorithm that should improve the chances of catching a reply from a remote server. For a more complete list of the changes I'll have to refer you to README.par and the ChangeLog.
- Version 1.1.10-par has a new parser for configuration files, completely rewritten from scratch in C. The main advantages are: (f)lex and yacc/bison are no longer needed to build pdnsd, more informative error messages instead of merely "parse error", and string literals no longer need to be enclosed in quotes in most cases. Furthermore, a bug has been fixed that caused incorrect IPv6-type PTR records to be generated when sourcing /etc/hosts-like files. There have been other small changes; more details can be found in the ChangeLog.
- Version 1.1.9-par adds some missing pieces to the documentation (the pdnsd manual and the man page for pdnsd-ctl). The changes to the code consist mostly of optimizations, removal of some size limits due to fixed-size buffers, and some cleaning up. I've also tried to make the error responses of pdnsd-ctl more helpful. More details can be found in the ChangeLog.
- Version 1.1.8b1-par8 introduces a "delegation-only" feature that may be useful for blocking Verisign's Sitefinder. The parser for the configuration file now tolerates domain names missing a dot at the end. I have provided alternative implementations for some GNU extensions that I used in an effort to make the code more portable. In particular, the code should build on FreeBSD again. More details can be found in the README.par file.
- Version 1.1.8b1-par7 fixes a number of bugs. I have also reworked some of the code for adding and removing entries in the cache in an effort to improve efficiency and stability. More details can be found in the ChangeLog.
- Version 1.1.8b1-par6 introduces some further code cleanup. In addition the documentation has been revised.
- Version 1.1.8b1-par5 fixes a troublesome allocation size error that has been discovered in Thomas Moestl's code. In practice this bug only wastes memory, but it could also potentially lead to memory corruption. Upgrading is recommended. More details can be found in the ChangeLog.
- Version 1.1.8b1-par4 has been released. Due to incompatibilities between various implementations of the pthread library on Linux systems, problems can occur with signal handling in pdnsd. The usual symptom is failure by pdnsd to save the cache to disk, and /var/cache/pdnsd/pdnsd.cache remaining empty. If you experience this kind of trouble, try reconfiguring with different values for the new --with-thread-lib option. The allowable values are described in the documentation.
- pdnsd is no longer maintained by Thomas Moestl: I have not had time to maintain pdnsd for quite a while now, and have been very slow to respond to issues, or did not respond at all. It is time that I officially announce that pdnsd is no longer actively maintained; I apologize to all those who reported bugs or asked questions without receiving any reply. However, Paul A. Rombouts has published a patch set against the last released version at http://www.phys.uu.nl/~rombouts/pdnsd.html, which cleans up a lot of code and fixes many bugs.
- Version 1.1.7a fixes a reversed assertion that would cause pdnsd to terminate if used with the ping uptest. No other changes were made.
- Version 1.1.7 fixes some problems that might be remotely exploitable to gain access as the user pdnsd runs as (an unprivileged user by default). To do this, an attacker needs to control a name server that is queried by pdnsd, and send a malicious reply to such a query. Upgrading is strongly recommended! There are also minor bug fixes and stability improvements.
- Version 1.1.6 adds the query_port_start and query_port_end options (contributed by Andreas Steinmetz), that allow confining the ports pdnsd uses for outgoing queries to a certain range. It also fixes numerous bugs, one of which could cause pdnsd to hang; update is therefore recommended.
- Version 1.1.5 contains a fix for a security bug that would allow local users that are allowed to use pdnsd-ctl on a running pdnsd server to execute arbitrary code as the user that pdnsd runs as (or on Linux, when strict_setuid is not enabled, as the user that started pdnsd). The danger of this is usually quite limited: the status socket is not enabled by default, its default permissions only allow the user pdnsd runs as to use the socket, strict_setuid is enabled by default and pdnsd runs as an unprivileged user. There is also a new configure option, --enable-underscores, that will make pdnsd allow underscores in domain names. Furthermore, the SRV record handling has been fixed to allow underscores in any case (this was not allowed previously, but is required by the RFC). SOA records are not put in the answer section any more if no answers are found (this violates the RFCs). It may be put in the authority section in a later version. There are also various bugfixes in this release. Upgrade is recommended.
- Version 1.1.4 fixes various smaller bugs, and should also improve the cache write performance, especially for larger caches. There are also two new features: servers can now be given a label (using the label server option) which can be used to identify them for the pdnsd-ctl server command (contributed by Andrew M. Bishop), and local records can be marked to make the domain record authoritative in pdnsd's cache (which means that pdnsd will assume that records that are not present in the cache for that domain are non-existent); this is on by default now, and can be controlled using the new authrec server option.
- Version 1.1.3 added contrib/ and had a lot of robustness fixes. This release addresses a security hole that affects only Linux systems. Due to a bug in glibc, pdnsd could crash during a port scan. This release contains a workaround for this, as well as a fix for a deadlock under heavy load conditions. It also fixes a possible problem that could be triggered by malicious servers, and contains numerous bug fixes. A script, contributed by Marko Stolle, makes pdnsd useful in a DHCP setup. pdnsd also preserves the case of names in the cache, and should work much better on alpha machines (thanks for the contributions by Bjoern Fischer and P.J. Bostley that made this possible). New types were added for rr sections and pdnsd-ctl. Upgrade is recommended.
- Version 1.1.2 has a fix for a bug that could cause SERVFAIL to be returned when NXDOMAIN would be appropriate. The bug surfaced only when pdnsd queried name servers with a behaviour different from BIND's in the NXDOMAIN case, e.g. pdnsd querying another pdnsd or djbdns.
- Version 1.1.1 fixes a possible race condition in status socket creation. This race might be used by a local attacker to change the access permissions of a certain file in /tmp. The risk of this is probably negligible. The default setup uses a non-privileged user, default mode 0600, and the status socket is disabled normally, so this should be relatively safe. I don't see any possibility to exploit this; it is more of a paranoia fix. There are also some other minor fixes and documentation improvements. Upgrade is recommended.
- Version 1.1.0 introduces negative caching, pdnsd-ctl enhancements and much improved FreeBSD support. The cache file format has changed from prior releases. Some configuration defaults have changed, too.
- Version 1.0.15 is mostly a bugfix release. It also has a new option: randomize_recs in the global section.
- Version 1.0.14 has a fix in icmp.c that will make it build properly on FreeBSD and older Linux systems.
- Version 1.0.13 has some code cleanup, a fix for the Debian rc install, and a security fix (contributed by Olaf Kirch): when changing user and group id, pdnsd did not drop supplementary group IDs that the original user was a member of.
- Version 1.0.12 is a bugfix release and contains some security enhancements. There are also inclusion/exclusion lists for servers (new options include=, exclude=, policy= in the server section).
- Version 1.0.11 fixes two bugs that might be used for denial-of-service attacks; upgrading is recommended.
- Versions 1.0.9 and 1.0.10 are bugfix releases.
- Version 1.0.8 introduces special Linux ppp device support contributed by Ron Yorston, and has some bugfixes.
- Version 1.0.7 introduces autoconf support, many new config file options and the new pdnsd-ctl run-time configuration program.
- Version 1.0.6 has another set of bugfixes, in addition to higher compile-time configurability and UDP query support. It also contains Debian rc scripts contributed by Markus Mohr.
- Version 1.0.5 has some bugfixes and the new "server_ip" option contributed by Wolfgang Ocker.
- Version 1.0.4 introduces the new options run_as, strict_setuid and paranoid. These new options are optional security enhancements.
- Versions 1.0.1, 1.0.2 and 1.0.3 are bugfix releases.
- Version 1.0.0 has a lot of changes compared to the 0.9.x tree, but many of them "under the hood":
  - IPv6 support (experimental; compile- and run-time configurable)
  - FreeBSD (and such hopefully *BSD) support
  - better rfc2181 compatibility
  - new options:
    - serve_aliases in source section
    - linkdown_kluge in global section
    - max_ttl in global section
  - cache-code reorganization, only one unified hash (of variable depth)
  - Optimizations & cleanups
  - Automatic deps (only interesting for developers ;-)
- Version 0.9.11 fixes a locally exploitable security hole (the cache file was world writeable by default). Please see ChangeLog.old for details.
- Version 0.9.10 fixes some bugs and improves the build on Red Hat.
- Version 0.9.9 contains the rc scripts for Red Hat Linux contributed by Torben Janssen, in addition to code cleanups and bugfixes. The meaning of the option -v has changed in this release. There is also a new config file option "lean_query" that is on by default. It is an optimization, so please look in the docs when updating to decide whether you want it switched on or not. When compiling versions after 0.9.8, you will probably get more compiler warnings than before. This is because the C compiler settings have been made stricter.
- Version 0.9.8 fixes a minor bug and some build problems with glibc 2.0 systems.
- The versions 0.9.6 and 0.9.7 are bugfix releases.
- Version 0.9.5 introduces uptest=exec, and a modified config file syntax (cache sizes are now specified in kB).
- Version 0.9.4 was the first to be released to the public. For information on changes, see ChangeLog.