NEWS

Version 1.2.9a fixes a bug in the 1.2.9 release that causes a build failure when
pdnsd is configured with --enable-strict-rfc2181. Unless you use this option to
compile pdnsd, there is no need to upgrade from 1.2.9 to 1.2.9a.

Version 1.2.9 has support for many additional RR types, in particular those
needed for DNSSEC (though there is no support for the DNSSEC protocol itself in
pdnsd yet). The caching data structures are now more efficient when they only
store the most commonly used RR types, and there is fine-grained control over
which RR types are cacheable. pdnsd now has support for EDNS (Extension
Mechanisms for DNS), although its usefulness is currently limited to enabling
UDP messages larger than 512 bytes. Defining local TXT records in the
configuration file is now supported. A new configuration option provides a fix
in case the query uptest fails because remote servers ignore empty queries.
Several bugs have been fixed, including a UDP socket descriptor leak that
affected the FreeBSD platform and an IPv6 port binding bug.

Version 1.2.8 implements support for automatic discovery of root servers.
There are also some improvements in the resolver and a new default setting for
the neg_rrs_pol configuration option.

Version 1.2.7-par fixes some security problems. It contains a fix for a
"dangling pointer" bug that could cause pdnsd to crash when it received a long
reply. It also addresses some of the issues raised in CERT vulnerability note
VU#800113 (DNS cache poisoning made practical by predictable query source
ports) by making the default of query_port_start equal to 1024, thereby
ensuring that the pdnsd resolver selects source ports at random from the range
1024-65535 instead of relying on the 16-bit transaction ID alone. This release
also fixes problems with compiling pdnsd for the ARM architecture and for the
Darwin platform (Mac OS X). There are a number of (minor) new features. pdnsd
now supports "include" files, essentially configuration files that only contain
definitions for local records. It is now possible to define interactively,
using pdnsd-ctl, any local record that can be defined in a configuration file.

Version 1.2.6-par has an upgraded license: GPL version 3.
A bug has been fixed which caused pdnsd to handle NXDOMAIN replies
inefficiently when configured with neg_domain_pol=on. Also the code for the
ping test has been fixed, which was broken on 64-bit systems. A new option,
randomize_servers, can be used to give each server in a section of the
configuration file an equal chance of being queried. The new options reject,
reject_policy and reject_recursively make it possible to check for the presence
of certain IP addresses in the replies of name servers and to correct some types
of unwanted replies or to censor these IP addresses.
The pdnsd-ctl 'add a' and 'add aaaa' commands now allow multiple IP addresses to
be specified for the same name. There are some further improvements to pdnsd's
recursive resolver.

Version 1.2.5-par introduces a new query method: udp_tcp. With this method a UDP
query is tried first and, if the UDP answer is truncated (TC bit set), the query
is repeated using TCP, which is the behaviour recommended by the DNS standards.
There is a new configuration option, use_nss, which can be turned off to prevent
lengthy timeouts and stalls in certain situations. A bug has been fixed which
could cause pdnsd to crash if debug output was generated before the debug output
stream was properly initialized.

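The three resolver-side mechanisms mentioned in the 1.2.9, 1.2.6-par and
1.2.5-par entries above (an EDNS OPT record advertising a UDP payload larger
than 512 bytes, a reject list applied to the addresses in a reply, and the
udp_tcp method of retrying a truncated UDP reply over TCP) fit together in one
small pipeline. The Python below is an added example written for this page; it
is not pdnsd code and does not reproduce pdnsd's internals. The wire layouts
(DNS header, TC bit, OPT pseudo-RR, 2-byte TCP length prefix) follow the RFCs;
the transports are fakes, the server-side response builder is constructed for
the demo, and the fail/negate handling in apply_reject is a simplified reading
of reject_policy, not the documented semantics (see pdnsd.conf(5) for those).

```python
# Added example, not pdnsd code: a small client-side DNS pipeline built only
# from the standard library. All wire data is constructed in-process.
import secrets
import struct
from ipaddress import ip_address, ip_network

TYPE_A, TYPE_OPT, FLAG_TC = 1, 41, 0x0200

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(name, txid, edns_udp_size=None):
    """A-record query with RD set. With edns_udp_size, append an OPT pseudo-RR
    (RFC 6891): root owner, TYPE 41, CLASS = largest UDP payload we accept,
    TTL = extended RCODE/version/flags (zero), empty RDATA. Advertising more
    than 512 bytes is what pdnsd 1.2.9 uses EDNS for."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    opt = b""
    if edns_udp_size:
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Header fields plus the A records of the answer section."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):
        off = decode_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            answers.append((name, str(ip_address(msg[off:off + rdlen]))))
        off += rdlen
    return {"id": txid, "tc": bool(flags & FLAG_TC), "answers": answers}

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035)."""
    return struct.pack("!H", len(msg)) + msg

def resolve_udp_tcp(name, udp_send, tcp_send):
    """The udp_tcp query method: UDP first; if the reply has TC set, repeat
    the identical query over TCP. udp_send/tcp_send are transport callables
    (here fakes) taking the raw or TCP-framed query and returning the reply."""
    txid = secrets.randbelow(1 << 16)  # unpredictable, like the source port
    query = build_query(name, txid, edns_udp_size=4096)
    reply = parse_response(udp_send(query))
    if reply["id"] != txid:
        raise ValueError("transaction ID mismatch: reply discarded")
    if reply["tc"]:
        framed = tcp_send(tcp_frame(query))
        length = struct.unpack("!H", framed[:2])[0]
        reply = parse_response(framed[2:2 + length])
    return reply

def apply_reject(reply, reject_nets, policy="fail"):
    """Simplified model of reject/reject_policy (assumed semantics; see
    pdnsd.conf(5) for the real rules): if any answer lies in a rejected
    network, 'fail' refuses the whole reply, 'negate' drops just those RRs."""
    nets = [ip_network(n) for n in reject_nets]
    bad = [a for a in reply["answers"] if any(ip_address(a[1]) in n for n in nets)]
    if bad and policy == "fail":
        return {"status": "SERVFAIL", "answers": []}
    return {"status": "NOERROR", "answers": [a for a in reply["answers"] if a not in bad]}

def build_response(query, addresses, tc=False):
    """Constructed server for the demo: echo the question, set QR/RD/RA (and
    TC on request), answer with A records via a 0xC00C pointer to the name."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = decode_name(query, 12)[1] + 4
    flags = 0x8180 | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4)
                   + ip_address(ip).packed for ip in addresses)
    return header + query[12:qend] + rrs

def demo():
    """Constructed scenario: UDP returns a truncated, answerless reply; TCP
    returns two addresses, one of them inside a rejected network."""
    fake_udp = lambda q: build_response(q, [], tc=True)
    fake_tcp = lambda f: tcp_frame(
        build_response(f[2:], ["192.0.2.10", "198.51.100.7"]))
    reply = resolve_udp_tcp("www.example.", fake_udp, fake_tcp)
    return apply_reject(reply, ["198.51.100.0/24"], policy="negate")
```

Calling demo() shows the truncated UDP reply triggering the TCP retry and the
198.51.100.7 answer being censored, leaving only 192.0.2.10. The transaction-ID
check in resolve_udp_tcp is the client-side counterpart of the source-port
randomization introduced in 1.2.7-par: a forged reply has to match both values,
so both must be unpredictable.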
In version 1.2.4-par a memory leak and a minor buffer-overflow problem have been
fixed. There is now a fix for some situations that would previously cause pdnsd
to exit prematurely (such as ACPI S3 sleep or trying to attach strace to pdnsd).
Time intervals specified in the configuration file can now be expressed in
minutes, hours, days and weeks as well as seconds. Support for Apple Mac OS X
v10.4 Tiger has been improved. The "pdnsd-ctl status" command now also provides
some information about the status of the running threads. There are some further
improvements in the debugging information provided by pdnsd.
TCP-query support is now compiled in by default (but can still be disabled using
the configure option --disable-tcp-queries).

In version 1.2.3-par the "pdnsd-ctl empty-cache" command can be provided with an
include/exclude list, allowing the user to specify a selection of names to be
removed instead of emptying the cache completely.
Additional improvements: pdnsd should now remain responsive while executing the
"pdnsd-ctl empty-cache" command. With the query_method=tcp_udp option pdnsd will
now also try a UDP query after a TCP connection times out, which should allow
pdnsd to resolve the same names with query_method=tcp_udp as with
query_method=udp_only, although perhaps with an occasional delay.
The "pdnsd-ctl config" and "pdnsd-ctl server" commands should now run without
delays, even if pdnsd is performing ping or query uptests at the time. A problem
with resolving certain names using root servers has been fixed.

Version 1.2.2-par has a number of important portability improvements. A bug has
been fixed that prevented pdnsd from compiling successfully on some 64-bit
architectures. The code for determining endianness (most significant or least
significant byte first) should now be more portable. This release has
(experimental) support for the Darwin (Apple Mac OS X) platform. On Linux
systems, the configure script will now try to detect automatically whether the
system implements the Native POSIX Thread Library, but the method used may not
be foolproof. In addition, the debug features have been improved and should make
it easier to find out why pdnsd considers some queries or replies malformed.

Version 1.2.1-par has improved support for non-Linux platforms. This release has
(experimental) support for the Cygwin platform, and should also fix some
compilation glitches that have been reported by FreeBSD users.

Version 1.2-par is a new and improved version of pdnsd. Most of the changes
affect the internal workings of pdnsd, but there are also a number of
interesting new features. Among the bugs fixed are two rather nasty ones which
involve the handling of NXT and NAPTR records and which can cause pdnsd to
crash or abort. The new features include a new server availability test which
can be specified with uptest=query, support for reading the DNS configuration
from resolv.conf files, a new option for optimizing the use of root servers, a
new option that makes defining local records for reverse resolving easier,
support for defining wildcard records, a new pdnsd-ctl command for reloading the
config file without restarting pdnsd, and a new pdnsd-ctl command for dumping
information about the names stored in the cache.
The documentation has also been updated: there is now a pdnsd.conf man page. For
a more complete list of the changes, see README.par and the ChangeLog.

Version 1.1.11a-par contains a fix for FreeBSD users that bypasses a problem
with the macro ENONET, which can cause a compilation failure when it is
undefined. Linux users will notice no difference between 1.1.11a-par and
1.1.11-par.

Version 1.1.11-par has a rather large number of small changes, which are
difficult to summarize. Among the bugs fixed are a race condition in the cache
lookup code, a flaw that caused a busy spin when a remote server answered with
"Not Implemented", and problems with the -4 and -6 command-line options. Among
the improvements are an alternative sorting algorithm which should allow pdnsd
to start up faster when reading a large cache file from disk, automatic mapping
of IPv4 to IPv6 addresses when running in IPv6 mode, somewhat more efficient
memory use, better compression of the replies, and changes in the parallel
querying algorithm that should improve the chances of catching a reply from a
remote server. For a more complete list of the changes, see README.par and the
ChangeLog.

Version 1.1.10-par has a new parser for configuration files, completely
rewritten from scratch in C. The main advantages are: (f)lex and yacc/bison are
no longer needed to build pdnsd, error messages are more informative than merely
"parse error", and string literals no longer need to be enclosed in quotes in
most cases. Furthermore, a bug has been fixed that caused incorrect IPv6-type
PTR records to be generated when sourcing /etc/hosts-like files. There have
been other small changes; more details can be found in the ChangeLog.

Version 1.1.9-par adds some missing pieces to the documentation (the pdnsd
manual and the man page for pdnsd-ctl). The changes to the code consist mostly
of optimizations, removal of some size limits due to fixed-size buffers, and
some cleaning up. I've also tried to make the error responses of pdnsd-ctl more
helpful. More details can be found in the ChangeLog.

Version 1.1.8b1-par8 introduces a "delegation-only" feature that may be useful
for blocking Verisign's Sitefinder (the wildcard records Verisign added to the
.com and .net zones). The parser for the configuration file now tolerates domain
names missing a dot at the end. I have provided alternative implementations for
some GNU extensions that I used, in an effort to make the code more portable. In
particular, the code should build on FreeBSD again. More details can be found in
the README.par file.

Version 1.1.8b1-par7 fixes a number of bugs. I have also reworked some of the
code for adding and removing entries in the cache in an effort to improve
efficiency and stability. More details can be found in the ChangeLog.

Version 1.1.8b1-par6 introduces some further code cleanup. In addition the
documentation has been revised.

Version 1.1.8b1-par5 fixes a troublesome allocation size error that was
discovered in Thomas Moestl's code. In practice this bug only wastes memory, but
it could also potentially lead to memory corruption. Upgrading is recommended.
More details can be found in the ChangeLog.

Version 1.1.8b1-par4 has been released. Due to incompatibilities between
various implementations of the pthread library on Linux systems, problems can
occur with signal handling in pdnsd. The usual symptom is failure by pdnsd to
save the cache to disk, with /var/cache/pdnsd/pdnsd.cache remaining empty. If
you experience this kind of trouble, try reconfiguring with different values for
the new --with-thread-lib option. The allowable values are described in the
documentation.

pdnsd is no longer maintained by Thomas Moestl: I have not had time to maintain
pdnsd for quite a while now, and have been very slow to respond to issues, or
did not respond at all. It is time that I officially announce that pdnsd is no
longer actively maintained; I apologize to all those who reported bugs or asked
questions without receiving any reply. However, Paul A. Rombouts has published a
patch set against the last released version at
http://www.phys.uu.nl/~rombouts/pdnsd.html, which cleans up a lot of code and
fixes many bugs.

Version 1.1.7a fixes a reversed assertion that would cause pdnsd to terminate
if used with the ping uptest. No other changes were made.

Version 1.1.7 fixes some problems that might be remotely exploitable to
gain access as the user pdnsd runs as (an unprivileged user by default). To do
this, an attacker needs to control a name server that is queried by pdnsd and
send a malicious reply to such a query. Upgrading is strongly recommended!
There are also minor bug fixes and stability improvements.

Version 1.1.6 adds the query_port_start and query_port_end options (contributed
by Andreas Steinmetz), which allow confining the ports pdnsd uses for outgoing
queries to a certain range. It also fixes numerous bugs, one of which could
cause pdnsd to hang; updating is therefore recommended.

Version 1.1.5 contains a fix for a security bug that would allow local users
who are allowed to use pdnsd-ctl on a running pdnsd server to execute
arbitrary code as the user that pdnsd runs as (or on Linux, when strict_setuid
is not enabled, as the user that started pdnsd). The danger of this is usually
quite limited: the status socket is not enabled by default, its default
permissions only allow the user pdnsd runs as to use the socket, strict_setuid
is enabled by default, and pdnsd runs as an unprivileged user.
There is also a new configure option, --enable-underscores, that will make
pdnsd allow underscores in domain names. Furthermore, the SRV record handling
has been fixed to allow underscores in any case (this was not allowed
previously, but is required by the RFC). SOA records are no longer put in the
answer section if no answers are found (this violated the RFCs). They may be
put in the authority section in a later version.
There are also various bugfixes in this release.
Upgrade is recommended.

Version 1.1.4 fixes various smaller bugs, and should also improve the cache
write performance, especially for larger caches. There are also two new
features: servers can now be given a label (using the label server option)
which can be used to identify them for the pdnsd-ctl server command
(contributed by Andrew M. Bishop), and local records can be marked to make
the domain record authoritative in pdnsd's cache (which means that pdnsd will
assume that records that are not present in the cache for that domain are
non-existent); this is on by default now, and can be controlled using the new
authrec server option.

Version 1.1.3 added contrib/ and had a lot of robustness fixes.
This release addresses a security hole that affects only Linux systems. Due to
a bug in glibc, pdnsd could crash during a port scan. This release contains
a workaround for this, as well as a fix for a deadlock under heavy load
conditions. It also fixes a possible problem that could be triggered by
malicious servers, and contains numerous bug fixes.
A script, contributed by Marko Stolle, makes pdnsd useful in a DHCP setup.
pdnsd also preserves the case of names in the cache, and should work much
better on Alpha machines (thanks to the contributions by Bjoern Fischer
and P.J. Bostley that made this possible). New types were added for rr
sections and pdnsd-ctl.
Upgrade is recommended.

Version 1.1.2 has a fix for a bug that could cause SERVFAIL to be
returned when NXDOMAIN would be appropriate. The bug surfaced only when
pdnsd queried name servers with a behaviour different from BIND's in the
NXDOMAIN case, e.g. pdnsd querying another pdnsd or djbdns.

Version 1.1.1 fixes a possible race condition in status socket creation.
This race might be used by a local attacker to change the access
permissions of a certain file in /tmp. The risk of this is probably
negligible. The default setup uses a non-privileged user, default mode
0600, and the status socket is disabled normally, so this should be
relatively safe. I don't see any possibility to exploit this; it is
more of a paranoia fix.
There are also some other minor fixes and documentation improvements.
Upgrade is recommended.

Version 1.1.0 introduces negative caching, pdnsd-ctl enhancements and
much improved FreeBSD support. The cache file format has changed from
prior releases. Some configuration defaults have changed, too.

Version 1.0.15 is mostly a bugfix release. It also has a new option:
randomize_recs in the global section.

Version 1.0.14 has a fix in icmp.c that will make it build properly
on FreeBSD and older Linux systems.

Version 1.0.13 has some code cleanup, a fix for the Debian rc install,
and a security fix (contributed by Olaf Kirch): when changing
user and group id, pdnsd did not drop the supplementary group IDs that
the original user was a member of, so the process kept the group
privileges of the invoking user (typically root) after switching to the
run_as user.

Version 1.0.12 is a bugfix release and contains some security
enhancements. There are also inclusion/exclusion lists for servers
(new options include=, exclude=, policy= in the server
section).

Version 1.0.11 fixes two bugs that might be used for denial-of-service
attacks; upgrading is recommended.

Versions 1.0.9 and 1.0.10 are bugfix releases.

Version 1.0.8 introduces special Linux ppp device support contributed
by Ron Yorston, and has some bugfixes.

Version 1.0.7 introduces autoconf support, many new config file options and
the new pdnsd-ctl run-time configuration program.

Version 1.0.6 has another set of bugfixes, in addition to higher compile-time
configurability and UDP query support. It also contains Debian rc
scripts contributed by Markus Mohr.

Version 1.0.5 has some bugfixes and the new "server_ip" option
contributed by Wolfgang Ocker.

Version 1.0.4 introduces the new options run_as, strict_setuid and
paranoid. These new options are optional security enhancements.

Versions 1.0.1, 1.0.2 and 1.0.3 are bugfix releases.

Version 1.0.0 has a lot of changes compared to the 0.9.x tree, but many of
them are "under the hood":
- IPv6 support (experimental; compile- and run-time configurable)
- FreeBSD (and thus hopefully *BSD) support
- better RFC 2181 compatibility
- new options:
  - serve_aliases in source section
  - linkdown_kluge in global section
  - max_ttl in global section
- cache-code reorganization, only one unified hash (of variable depth)
- optimizations & cleanups
- automatic deps (only interesting for developers ;-)

Version 0.9.11 fixes a locally exploitable security hole (the cache file was
world-writable by default). Please see ChangeLog.old for details.

Version 0.9.10 fixes some bugs and improves the build on Red Hat.

Version 0.9.9 contains the rc scripts for Red Hat Linux contributed by Torben
Janssen, in addition to code cleanups and bugfixes.
The meaning of the option -v has changed in this release.
There is also a new config file option "lean_query" that is on by default. It
is an optimization, so please check in the docs when updating whether you want
it switched on or not.
When compiling versions after 0.9.8, you will probably get more
compiler warnings than before. This is because the C compiler settings
have been made stricter.

Version 0.9.8 fixes a minor bug and some build problems on glibc 2.0 systems.

Versions 0.9.6 and 0.9.7 are bugfix releases.

Version 0.9.5 introduces uptest=exec and a modified config file syntax (cache
sizes are now specified in kB).

Version 0.9.4 was the first to be released to the public. For information on
changes, see ChangeLog.
  273. changes, see ChangeLog.