Version 1.2.9a fixes a bug in the 1.2.9 release that causes a build failure when pdnsd is configured with --enable-strict-rfc2181. Unless you use this option to compile pdnsd, there is no need to upgrade from 1.2.9 to 1.2.9a. Version 1.2.9 has support for many additional RR types, in particular those needed for DNSSEC (though no support for the DNSSEC protocol itself yet in pdnsd). Caching data structures are now more efficient when they only store the most commonly used RR types. Fine-grained configurability over which RR-types are cache-able. Pdnsd now has support for EDNS (Extension mechanisms for DNS), although its usefulness is currently limited to enabling UDP messages larger than 512 bytes. Defining local TXT records in the configuration file is now supported. A new configuration option provides a fix in case the query uptest fails due to remote servers ignoring empty queries. Several bugs have been fixed including a UDP socket descriptor leak that affected the FreeBSD platform, and an IPv6 port binding bug. Version 1.2.8 implements support for automatic discovery of root servers. There are also some improvements in the resolver and a new default setting for the neg_rrs_pol configuration option. Version 1.2.7-par fixes some security problems. It contains a fix for a "dangling pointer" bug that could cause pdnsd to crash when it received a long reply. It also addresses some of the issues raised in the CERT vulnerability note VU#800113 by making the default of query_port_start equal to 1024, thereby ensuring that source ports are randomly selected by the pdnsd resolver in the range 1024-65535. This release also fixes problems with compiling pdnsd for the ARM architecture and for the Darwin platform (Max OS X). There are a number of (minor) new features. pdnsd now supports "include" files, essentially configuration files that only contain definitions for local records. It is now possible to define interactively, using pdnsd-ctl, any local record that can be defined in a configuration file. Version 1.2.6-par has an upgraded license: GPL version 3. A bug has been fixed which which caused pdnsd to handle NXDOMAIN replies inefficiently when configured with neg_domain_pol=on. Also the code for the ping test has been fixed, which was broken for 64-bit systems. A new option randomize_servers can be used to give each server in a section of the configuration file an equal chance of being queried. The new options reject, reject_policy and reject_recursively make it possible to check for the presence of certain IP addresses in the replies of name servers and to correct some types of unwanted replies or to censor these IP addresses. The pdnsd-ctl 'add a' and 'add aaaa' commands now allow multiple IP addresses to be specified for the same name. There are some further improvements to pdnsd's recursive resolver. Version 1.2.5-par introduces a new query method: udp_tcp. With this method a UDP query is tried first and, if the UDP answer is truncated, the query is repeated using TCP, which is the behaviour that seems to be recommended by the DNS standards. There is a new configuration option use_nss, which can be turned off to prevent lengthy timeouts and stalls in certain situations. A bug has been fixed which could cause pdnsd to crash if debug output was generated before the debug output stream was properly initialized. In version 1.2.4-par a memory leak and a minor buffer-overflow problem have been fixed. There is now a fix for some situations that would previously cause pdnsd to exit prematurely (such as ACPI S3 sleep or trying to attach strace to pdnsd). Time intervals specified in the configuration file can now be expressed in minutes, hours, days and weeks as well as seconds. Support for Apple Mac OS X v10.4 Tiger has been improved. The "pdnsd-ctl status" command now also provides some information about the status of the running threads. There are some further improvements in the debugging information provided by pdnsd. TCP-query support is now compiled in by default (but can still be disabled using the configure option --disable-tcp-queries). In version 1.2.3-par the "pdnsd-ctl empty-cache" command can be provided with an include/exclude list, allowing the user to specify a selection of names to be removed, instead of emptying the cache completely. Additional improvements: pdnsd should now remain responsive while executing the "pdnsd-ctl empty-cache" command. With the query_method=tcp_udp option pdnsd will now also try a UDP query after a TCP connection times out, which should allow pdnsd to resolve the same names with query_method=tcp_udp as with query_method=udp_only, although perhaps with an occasional delay. "pdnsd-ctl config" or "pdnsd-ctl server" commands should now run without delays, even if pdnsd is performing ping or query uptests at the time. A problem with resolving certain names using root servers has been fixed. Version 1.2.2-par has a number of important portability improvements. A bug has been fixed that prevented pdnsd from compiling successfully on some 64 bit architectures. The code for determining endianness (most significant or least significant byte first) should now be more portable. This release has (experimental) support for the Darwin (Apple Mac OS X) platform. On Linux systems, the configure script will now try to detect automatically whether the system implements the Native POSIX Thread Library, but the method used may not necessarily be foolproof. In addition, the debug features have been improved and should make it easier to find out why pdnsd considers some queries or replies malformed. Version 1.2.1-par has improved support for non-Linux platforms. This release has (experimental) support for the Cygwin platform, and should also fix some compilation glitches that have been reported by FreeBSD users. Version 1.2-par is a new and improved version of pdnsd! Most of the changes effect the internal workings of pdnsd, but there are also a number of interesting new features (well, I think they are interesting). Among the bugs fixed are two rather nasty ones which involve the handling of NXT and NAPTR records and which can cause pdnsd to crash or abort. The new features include a new server availability test which can be specified with uptest=query, support for reading the DNS configuration from resolv.conf files, a new option for optimizing the use of root servers, a new option that makes defining local records for reverse resolving easier, support for defining wildcard records, a new pdnsd-ctl command for reloading the config file without restarting pdnsd, and a new pdnsd-ctl command for dumping information about the names stored in the cache. The documentation has also been updated: there is now a pdnsd.conf man page. For a more complete list of the changes I'll have to refer you to README.par and the ChangeLog. Version 1.1.11a-par contains a fix for FreeBSD users that bypasses a problem with the macro ENONET, which can cause a compilation failure when it is undefined. Linux users will notice no difference between 1.1.11a-par and 1.1.11-par. Version 1.1.11-par has a rather large number of small changes, which are rather difficult to summarize. Among the bugs fixed are a race condition in the cache lookup code, a flaw in the code that caused a busy spin when a remote server answered with "Not Implemented", and problems with the -4 and -6 command-line options. Among the improvements are an alternative sorting algorithm which should allow pdnsd to start up faster when reading a large cache file from disk, automatic mapping of IPv4 to IPv6 addresses when running in IPv6 mode, somewhat more efficient memory use, better compression of the replies and changes in the parallel querying algorithm that should improve the chances of catching a reply from a remote server. For a more complete list of the changes I'll have to refer you to README.par and the ChangeLog. Version 1.1.10-par has a new parser for configuration files, completely rewritten from scratch in C. The main advantages are: (f)lex and yacc/bison are no longer needed to build pdnsd, more informative error messages instead of merely "parse error", and string literals no longer need to be enclosed in quotes in most cases. Furthermore, a bug has been fixed that caused incorrect IPV6-type PTR records to be generated when sourcing /etc/hosts like files. There have been other small changes, more details can be found in the ChangeLog. Version 1.1.9-par adds some missing pieces to the documentation (the pdnsd manual and the man page for pdnsd-ctl). The changes to the code consist mostly of optimizations, removal of some size limits due to fixed-size buffers, and some cleaning up. I've also tried to make the error responses of pdnsd-ctl more helpful. More details can be found in the ChangeLog. Version 1.1.8b1-par8 introduces a "delegation-only" feature that may be useful for blocking Verisign's Sitefinder. The parser for the configuration file now tolerates domain names missing a dot at the end. I have provided alternative implementations for some GNU extensions that I used in an effort to make the code more portable. In particular, the code should build on FreeBSD again. More details can be found in the README.par file. Version 1.1.8b1-par7 fixing a number of bugs. I have also reworked some of the code for adding and removing entries in the cache in an effort to improve efficiency and stability. More details can be found in the ChangeLog. Version 1.1.8b1-par6 introduces some further code cleanup. In addition the documentation has been revised. Version 1.1.8b1-par5 fixes a troublesome allocation size error that has been discovered in Thomas Moestl's code. In practice this bug only wastes memory but it could also potentially lead to memory corruption. Upgrading is recommended. More details can be found in the ChangeLog. Version 1.1.8b1-par4 has been released. Due to incompatibilities between various implementations of the pthread library on Linux systems, problems can occur with signal handling in pdnsd. The usual symptom is failure by pdnsd to save the cache to disk, and /var/cache/pdnsd/pdnsd.cache remaining empty. If you experience this kind of trouble, try reconfiguring with different values for the new --with-thread-lib option. The allowable values are described in the documentation. pdnsd is no longer maintained by Thomas Moestl: I have not had time to maintain pdnsd for quite a while now, and have been very slow to respond to issues, or did not respond at all. It is time that I officially announce that pdnsd is no longer actively maintained; I apologize to all those who reported bugs or asked questions without receiving any reply. However, Paul A. Rombouts has published a patch set against the last released version at http://www.phys.uu.nl/~rombouts/pdnsd.html, which cleans up a lot of code fixes many bugs. Version 1.1.7a fixes a reversed assertion that would cause pdnsd to terminate if used with the ping uptest. No other changes were made. Version 1.1.7 fixes some problems that might be remotely exploitable to gain access as the user pdnsd runs as (an unprivileged user by default). To do this, an attacker needs to control a name server that is queried by pdnsd, and send a malicious reply to such a query. Upgrading is strongly recommended! There are also minor bug fixes and stability improvements. Version 1.1.6 adds the query_port_start and query_port_end options (contributed by Andreas Steinmetz), that allow confining the ports pdnsd uses for outgoing queries to a certain range. It also fixes numerous bugs, one of which could cause pdnsd to hang; update is therefore recommended. Version 1.1.5 contains a fix for a security bug that would allow local users that are allowed to use pdnsd-ctl on a running pdnsd server to execute arbitrary code as the user that pdnsd runs as (or on Linux, when strict_setuid is not enabled, as the user that started pdnsd). The danger of this is usually quite limited; the status socket is not enabled by default, it's default permissions do only allow the user pdnsd runs as to use the socket, strict_setuid is enabled by default and pdnsd runs as an unprivileged user. There is also a new configure option, --enable-underscores, that will make pdnsd allow underscores in domain names. Furthermore, the SRV record handling has been fixed to allow underscores in any case (this was not allowed previously, but is required by the RFC). SOA records are not put in the answer section any more if no answers are found (this violates the RFC's). It may be put in the authority section in a later version. There are also various bugfixes in this release. Upgrade is recommended. Version 1.1.4 fixes various smaller bugs, and should also improve the cache write performance especially for larger caches. There are also two new features: servers can now be given a label (using the label server option) which can be used to identify them for the pdnsd-ctl server command (contributed by Andrew M. Bishop), and local records can be marked to make the domain record authoritative in pdnsd's cache (which means that pdnsd will assume that records that are not present in the cache for that domain are non-existent); this is on by default now, and can be controlled using the new authrec server option). Version 1.1.3 added contrib/ and had a lot of robustness fixes. This release addresses a security hole that affects only Linux systems. Due to a bug in glibc, pdnsd could crash during a port scan. This release contains a workaround for this, as well as a fix for a deadlock under heavy load conditions. It also fixes a possible problem that could be triggered by malicious servers, and contains numerous bug fixes. A script, contributed by Marko Stolle, makes pdnsd useful in a DHCP setup. pdnsd also preservers the case of names in the cache, and should work much better on alpha machines (thanks for the contributions by Bjoern Fischer and P.J. Bostley that made this possible). New types were dded for rr sections and pdnsd-ctl. Upgrade is recommended. Version 1.1.2 has a fix for a bug that could cause SERVFAIL to be returned when NXDOMAIN would be appropriate. The bug surfaced only when pdnsd queried name servers with a behaviour different from BIND's in the NXDOMAIN case, e.g. pdnsd querying another pdnsd or e.g. djbdns. Version 1.1.1 fixes a possible race condition in status socket creation. This race might be used by a local attacker to change the access permissions of a certain file in /tmp. The risk of this is probably negligible. The default setup uses a non-privileged user, default mode 0600, and the status socket is disabled normally, so this should be relatively safe. I don't see any possibility to exploit this, it is more of a paranoia fix. There are also some other minor fixes and documentation improvements. Upgrade is recommended. Version 1.1.0 introduces negative cacheing, pdnsd-ctl enhancements and a much improved FreeBSD support. The cache file format has changed from prior releases. Some configuration defaults have changed, too. Version 1.0.15 is mostly a bugfix release. It also has a new option: randomize_recs in the global section. Version 1.0.14 has a fix in icmp.c that will make it build properly on FreeBSD and older Linux systems. Version 1.0.13 has some code cleanup, a fix for the Debian rc install, and a security fix (contributed by Olaf Kirch): when changing user and group id, pdnsd did not drop supplementary group IDs that the original user was member of. Version 1.0.12 is a bugfix release and contains some security enhancements. There are also inclusion/exclusion lists for servers (new options include=, exclude=, policy= in the server section). Version 1.0.11 fixes two bugs that might be used for denial-of-service attacks, upgrading is recommended. Versions 1.0.9 and 1.0.10 are bugfix releases. Version 1.0.8 introduces special linux ppp device support contributed by Ron Yorston, and has some bugfixes. Version 1.0.7 introduces autoconf support, many new config file options and the new pdnsd-ctl run-time configuration program. Version 1.0.6 has another set of bugfixes, in addition to higher compile- time configurability and UDP query support. It also contains Debian rc scripts contributed by Markus Mohr. Version 1.0.5 has some bugfixes and the new "server_ip" option contributed by Wolfgang Ocker. Version 1.0.4 introduces the new options run_as, strict_setuid and paranoid. These new options are optional security enhancements. Versions 1.0.1, 1.0.2 and 1.0.3 are bugfix releases. Version 1.0.0 has a lot of changes compared to the 0.9.x tree, but much of them "under the hood": - IPv6 support (experimental; compile- and run-time configurable) - FreeBSD (and such hopefully *BSD) support - better rfc2181 compatability - new options: - serve_aliases in source section - linkdown_kluge in global section - max_ttl in global section - cache-code reorganization, only one unified hash (of variable depth) - Optimizations & cleanups - Automatic deps (only interesting for developers ;-) Version 0.9.11 fixes a locally exploitable security hole (the cache file was world writeable by default). Please see ChangeLog.old for details. Version 0.9.10 fixes some bugs and improves build on Red Hat. Version 0.9.9 contains the rc scripts for Red Hat Linux contributed by Torben Janssen, in addition to code cleanups and bugfixes. The meaning of the option -v has changed in this release. There is also a new config file option "lean_query" that is on by default. It is an optimization, so please look in the docs when updating whether you want it switched on or not. When compiling versions after 0.9.8, you will probably get more compiler warningsthan before. This is because the C compiler settings have been made stricter. Version 0.9.8 fixes a minor bug some build problems with glibc2.0 systems. The versions 0.9.6 and 0.9.7 are bugfix releases. Version 0.9.5 introduces uptest=exec, and a modified config file syntax (cache sizes are now specified in kB). Version 0.9.4 was the first to be released to the public. For information on changes, see ChangeLog.