Version 1.2.9a fixes a bug in the 1.2.9 release that causes a build failure when
pdnsd is configured with --enable-strict-rfc2181. Unless you use this option to
compile pdnsd, there is no need to upgrade from 1.2.9 to 1.2.9a.

Version 1.2.9 has support for many additional RR types, in particular those
needed for DNSSEC (though no support for the DNSSEC protocol itself yet in
pdnsd). Caching data structures are now more efficient when they only store the
most commonly used RR types. There is now fine-grained configurability over
which RR types are cacheable. Pdnsd now has support for EDNS (Extension
mechanisms for DNS), although its usefulness is currently limited to enabling
UDP messages larger than 512 bytes. Defining local TXT records in the
configuration file is now supported. A new configuration option provides a fix
in case the query uptest fails due to remote servers ignoring empty queries.
Several bugs have been fixed, including a UDP socket descriptor leak that
affected the FreeBSD platform, and an IPv6 port binding bug.

Version 1.2.8 implements support for automatic discovery of root servers.
There are also some improvements in the resolver and a new default setting for
the neg_rrs_pol configuration option.

Version 1.2.7-par fixes some security problems. It contains a fix for a
"dangling pointer" bug that could cause pdnsd to crash when it received a long
reply. It also addresses some of the issues raised in the CERT vulnerability
note VU#800113 by making the default of query_port_start equal to 1024, thereby
ensuring that source ports are randomly selected by the pdnsd resolver in the
range 1024-65535. This release also fixes problems with compiling pdnsd for the
ARM architecture and for the Darwin platform (Mac OS X). There are a number of
(minor) new features. pdnsd now supports "include" files, essentially
configuration files that only contain definitions for local records. It is now
possible to define interactively, using pdnsd-ctl, any local record that can be
defined in a configuration file.

Version 1.2.6-par has an upgraded license: GPL version 3.
A bug has been fixed which caused pdnsd to handle NXDOMAIN replies
inefficiently when configured with neg_domain_pol=on. Also the code for the
ping test has been fixed, which was broken for 64-bit systems. A new option
randomize_servers can be used to give each server in a section of the
configuration file an equal chance of being queried. The new options reject,
reject_policy and reject_recursively make it possible to check for the presence
of certain IP addresses in the replies of name servers and to correct some types
of unwanted replies or to censor these IP addresses.
The pdnsd-ctl 'add a' and 'add aaaa' commands now allow multiple IP addresses to
be specified for the same name. There are some further improvements to pdnsd's
recursive resolver.

Version 1.2.5-par introduces a new query method: udp_tcp. With this method a UDP
query is tried first and, if the UDP answer is truncated, the query is repeated
using TCP, which is the behaviour that seems to be recommended by the DNS
standards. There is a new configuration option use_nss, which can be turned off
to prevent lengthy timeouts and stalls in certain situations. A bug has been
fixed which could cause pdnsd to crash if debug output was generated before the
debug output stream was properly initialized.
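
As an added example in C (not pdnsd's own code), the decision the udp_tcp method
makes: inspect the TC bit in the 12-byte header of the UDP reply and fall back
to TCP only when it is set. The sample reply headers, the enum names and the
function names are constructed for illustration.

```c
/* Added example (not pdnsd's own code): decide whether a UDP DNS answer must
 * be retried over TCP, as the udp_tcp query method does.  A reply is
 * "truncated" when the TC bit (0x02 in the first flags byte, offset 2) of the
 * 12-byte DNS header is set; RFC 1035 then has the resolver repeat the same
 * query over TCP.  The replies below are constructed samples. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12
#define DNS_FLAG_QR    0x80   /* response bit in the first flags byte  */
#define DNS_FLAG_TC    0x02   /* truncation bit in the first flags byte */

/* Query methods as named in pdnsd's configuration; enum is constructed. */
enum query_method { QM_UDP_ONLY, QM_TCP_ONLY, QM_TCP_UDP, QM_UDP_TCP };

/* Return 1 if msg is a response with TC set, 0 if it is a complete response,
 * -1 if the buffer is too short for a header or is not a response (QR clear).
 * Only the fixed header is inspected; the question/answer sections are not
 * needed for this decision. */
int dns_reply_truncated(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < DNS_HEADER_LEN)
        return -1;
    if (!(msg[2] & DNS_FLAG_QR))
        return -1;
    return (msg[2] & DNS_FLAG_TC) ? 1 : 0;
}

/* Return 1 if, under query method m, the resolver should repeat the query
 * over TCP after receiving udp_reply.  Only udp_tcp retries on truncation
 * in this model; the other methods are left to their own logic. */
int should_retry_over_tcp(enum query_method m, const uint8_t *udp_reply, size_t len)
{
    if (m != QM_UDP_TCP)
        return 0;
    return dns_reply_truncated(udp_reply, len) == 1;
}

/* Constructed sample headers: id 0x1234, QR+RD set, RA set, 1 question, 1 answer.
 * The second header additionally has TC set (flags byte 0x83 instead of 0x81). */
static const uint8_t reply_complete[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t reply_truncated[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x83, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("complete reply  -> retry over TCP: %d\n",
           should_retry_over_tcp(QM_UDP_TCP, reply_complete, sizeof reply_complete));
    printf("truncated reply -> retry over TCP: %d\n",
           should_retry_over_tcp(QM_UDP_TCP, reply_truncated, sizeof reply_truncated));
    return 0;
}
```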

In version 1.2.4-par a memory leak and a minor buffer-overflow problem have been
fixed. There is now a fix for some situations that would previously cause pdnsd
to exit prematurely (such as ACPI S3 sleep or trying to attach strace to pdnsd).
Time intervals specified in the configuration file can now be expressed in
minutes, hours, days and weeks as well as seconds. Support for Apple Mac OS X
v10.4 Tiger has been improved. The "pdnsd-ctl status" command now also provides
some information about the status of the running threads. There are some further
improvements in the debugging information provided by pdnsd.
TCP-query support is now compiled in by default (but can still be disabled using
the configure option --disable-tcp-queries).

In version 1.2.3-par the "pdnsd-ctl empty-cache" command can be provided with an
include/exclude list, allowing the user to specify a selection of names to be
removed, instead of emptying the cache completely.
Additional improvements: pdnsd should now remain responsive while executing the
"pdnsd-ctl empty-cache" command. With the query_method=tcp_udp option pdnsd will
now also try a UDP query after a TCP connection times out, which should allow
pdnsd to resolve the same names with query_method=tcp_udp as with
query_method=udp_only, although perhaps with an occasional delay.
"pdnsd-ctl config" or "pdnsd-ctl server" commands should now run without delays,
even if pdnsd is performing ping or query uptests at the time. A problem with
resolving certain names using root servers has been fixed.

Version 1.2.2-par has a number of important portability improvements. A bug has
been fixed that prevented pdnsd from compiling successfully on some 64 bit
architectures. The code for determining endianness (most significant or least
significant byte first) should now be more portable. This release has
(experimental) support for the Darwin (Apple Mac OS X) platform. On Linux
systems, the configure script will now try to detect automatically whether the
system implements the Native POSIX Thread Library, but the method used may not
necessarily be foolproof. In addition, the debug features have been improved and
should make it easier to find out why pdnsd considers some queries or replies
malformed.

Version 1.2.1-par has improved support for non-Linux platforms. This release has
(experimental) support for the Cygwin platform, and should also fix some
compilation glitches that have been reported by FreeBSD users.

Version 1.2-par is a new and improved version of pdnsd! Most of the changes
affect the internal workings of pdnsd, but there are also a number of
interesting new features (well, I think they are interesting). Among the bugs
fixed are two rather nasty ones which involve the handling of NXT and NAPTR
records and which can cause pdnsd to crash or abort. The new features include a
new server availability test which can be specified with uptest=query, support
for reading the DNS configuration from resolv.conf files, a new option for
optimizing the use of root servers, a new option that makes defining local
records for reverse resolving easier, support for defining wildcard records, a
new pdnsd-ctl command for reloading the config file without restarting pdnsd,
and a new pdnsd-ctl command for dumping information about the names stored in
the cache.
The documentation has also been updated: there is now a pdnsd.conf man page. For
a more complete list of the changes I'll have to refer you to README.par and the
ChangeLog.

Version 1.1.11a-par contains a fix for FreeBSD users that bypasses a problem
with the macro ENONET, which can cause a compilation failure when it is
undefined. Linux users will notice no difference between 1.1.11a-par and
1.1.11-par.

Version 1.1.11-par has a rather large number of small changes, which are rather
difficult to summarize. Among the bugs fixed are a race condition in the cache
lookup code, a flaw in the code that caused a busy spin when a remote server
answered with "Not Implemented", and problems with the -4 and -6 command-line
options. Among the improvements are an alternative sorting algorithm which
should allow pdnsd to start up faster when reading a large cache file from disk,
automatic mapping of IPv4 to IPv6 addresses when running in IPv6 mode, somewhat
more efficient memory use, better compression of the replies and changes in the
parallel querying algorithm that should improve the chances of catching a reply
from a remote server. For a more complete list of the changes I'll have to
refer you to README.par and the ChangeLog.

Version 1.1.10-par has a new parser for configuration files, completely
rewritten from scratch in C. The main advantages are: (f)lex and yacc/bison are
no longer needed to build pdnsd, more informative error messages instead of
merely "parse error", and string literals no longer need to be enclosed in
quotes in most cases. Furthermore, a bug has been fixed that caused incorrect
IPv6-type PTR records to be generated when sourcing /etc/hosts-like files.
There have been other small changes; more details can be found in the ChangeLog.

Version 1.1.9-par adds some missing pieces to the documentation (the pdnsd
manual and the man page for pdnsd-ctl). The changes to the code consist mostly
of optimizations, removal of some size limits due to fixed-size buffers, and
some cleaning up. I've also tried to make the error responses of pdnsd-ctl more
helpful. More details can be found in the ChangeLog.

Version 1.1.8b1-par8 introduces a "delegation-only" feature that may be useful
for blocking Verisign's Sitefinder. The parser for the configuration file now
tolerates domain names missing a dot at the end. I have provided alternative
implementations for some GNU extensions that I used in an effort to make the
code more portable. In particular, the code should build on FreeBSD again. More
details can be found in the README.par file.

Version 1.1.8b1-par7 fixes a number of bugs. I have also reworked some of the
code for adding and removing entries in the cache in an effort to improve
efficiency and stability. More details can be found in the ChangeLog.

Version 1.1.8b1-par6 introduces some further code cleanup. In addition the
documentation has been revised.

Version 1.1.8b1-par5 fixes a troublesome allocation size error that has been
discovered in Thomas Moestl's code. In practice this bug only wastes memory but
it could also potentially lead to memory corruption. Upgrading is
recommended. More details can be found in the ChangeLog.

Version 1.1.8b1-par4 has been released. Due to incompatibilities between
various implementations of the pthread library on Linux systems, problems can
occur with signal handling in pdnsd. The usual symptom is failure by pdnsd to
save the cache to disk, and /var/cache/pdnsd/pdnsd.cache remaining empty. If you
experience this kind of trouble, try reconfiguring with different values for the
new --with-thread-lib option. The allowable values are described in the
documentation.

pdnsd is no longer maintained by Thomas Moestl: I have not had time to maintain
pdnsd for quite a while now, and have been very slow to respond to issues, or
did not respond at all. It is time that I officially announce that pdnsd is no
longer actively maintained; I apologize to all those who reported bugs or asked
questions without receiving any reply. However, Paul A. Rombouts has published a
patch set against the last released version at
http://www.phys.uu.nl/~rombouts/pdnsd.html, which cleans up a lot of code and
fixes many bugs.

Version 1.1.7a fixes a reversed assertion that would cause pdnsd to terminate
if used with the ping uptest. No other changes were made.

Version 1.1.7 fixes some problems that might be remotely exploitable to
gain access as the user pdnsd runs as (an unprivileged user by default). To do
this, an attacker needs to control a name server that is queried by pdnsd, and
send a malicious reply to such a query. Upgrading is strongly recommended!
There are also minor bug fixes and stability improvements.

Version 1.1.6 adds the query_port_start and query_port_end options (contributed
by Andreas Steinmetz), that allow confining the ports pdnsd uses for outgoing
queries to a certain range. It also fixes numerous bugs, one of which could
cause pdnsd to hang; updating is therefore recommended.

Version 1.1.5 contains a fix for a security bug that would allow local users
that are allowed to use pdnsd-ctl on a running pdnsd server to execute
arbitrary code as the user that pdnsd runs as (or on Linux, when strict_setuid
is not enabled, as the user that started pdnsd). The danger of this is usually
quite limited; the status socket is not enabled by default, its default
permissions only allow the user pdnsd runs as to use the socket,
strict_setuid is enabled by default and pdnsd runs as an unprivileged user.
There is also a new configure option, --enable-underscores, that will make
pdnsd allow underscores in domain names. Furthermore, the SRV record handling
has been fixed to allow underscores in any case (this was not allowed
previously, but is required by the RFC). SOA records are not put in the
answer section any more if no answers are found (this violates the RFCs).
They may be put in the authority section in a later version.
There are also various bugfixes in this release.
Upgrade is recommended.

Version 1.1.4 fixes various smaller bugs, and should also improve the cache
write performance especially for larger caches. There are also two new
features: servers can now be given a label (using the label server option)
which can be used to identify them for the pdnsd-ctl server command
(contributed by Andrew M. Bishop), and local records can be marked to make
the domain record authoritative in pdnsd's cache (which means that pdnsd will
assume that records that are not present in the cache for that domain are
non-existent); this is on by default now, and can be controlled using the new
authrec server option.

Version 1.1.3 added contrib/ and had a lot of robustness fixes.
This release addresses a security hole that affects only Linux systems. Due to
a bug in glibc, pdnsd could crash during a port scan. This release contains
a workaround for this, as well as a fix for a deadlock under heavy load
conditions. It also fixes a possible problem that could be triggered by
malicious servers, and contains numerous bug fixes.
A script, contributed by Marko Stolle, makes pdnsd useful in a DHCP setup.
pdnsd also preserves the case of names in the cache, and should work much
better on alpha machines (thanks for the contributions by Bjoern Fischer
and P.J. Bostley that made this possible). New types were added for rr
sections and pdnsd-ctl.
Upgrade is recommended.

Version 1.1.2 has a fix for a bug that could cause SERVFAIL to be
returned when NXDOMAIN would be appropriate. The bug surfaced only when
pdnsd queried name servers with a behaviour different from BIND's in the
NXDOMAIN case, e.g. pdnsd querying another pdnsd or djbdns.

Version 1.1.1 fixes a possible race condition in status socket creation.
This race might be used by a local attacker to change the access
permissions of a certain file in /tmp. The risk of this is probably
negligible. The default setup uses a non-privileged user, default mode
0600, and the status socket is disabled normally, so this should be
relatively safe. I don't see any possibility to exploit this; it is
more of a paranoia fix.
There are also some other minor fixes and documentation improvements.
Upgrade is recommended.

Version 1.1.0 introduces negative caching, pdnsd-ctl enhancements and
much improved FreeBSD support. The cache file format has changed from
prior releases. Some configuration defaults have changed, too.

Version 1.0.15 is mostly a bugfix release. It also has a new option:
randomize_recs in the global section.

Version 1.0.14 has a fix in icmp.c that will make it build properly
on FreeBSD and older Linux systems.

Version 1.0.13 has some code cleanup, a fix for the Debian rc install,
and a security fix (contributed by Olaf Kirch): when changing
user and group id, pdnsd did not drop supplementary group IDs that
the original user was a member of.
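
The order of calls the 1.0.13 fix implies, as an added example in C (not pdnsd's
own code): supplementary groups are cleared with setgroups() before setgid() and
setuid(), and the result is verified afterwards. The uid/gid values, the group
lists in main() and the function names are placeholders; drop_privileges() only
does anything when the process starts as root.

```c
/* Added example (not pdnsd's own code): the privilege-drop order behind the
 * 1.0.13 fix.  Supplementary groups must be cleared with setgroups() while the
 * process is still root, BEFORE setgid()/setuid(): once the uid has changed,
 * an unprivileged process can no longer call setgroups(), so any group the
 * original user belonged to (e.g. adm, disk, wheel) would stay in effect. */
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if every entry in groups[0..n) is the target gid, i.e. no
 * supplementary group of the original user survived; else 0.  An empty
 * list is clean. */
int groups_are_clean(const gid_t *groups, int n, gid_t target)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != target)
            return 0;
    return 1;
}

/* Drop to uid/gid.  Returns 0 on success, -1 if a step failed or root could
 * be regained, -2 if a stray supplementary group survived.  Must start as
 * root; the check at the end is what catches the 1.0.13-style omission. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[64];
    int n;

    if (setgroups(1, &gid) != 0)     /* 1. supplementary list := {gid} */
        return -1;
    if (setgid(gid) != 0)            /* 2. primary gid, while still root */
        return -1;
    if (setuid(uid) != 0)            /* 3. uid last: the irreversible step */
        return -1;
    if (uid != 0 && setuid(0) == 0)  /* must fail: saved uid is gone too */
        return -1;
    n = getgroups(64, groups);
    if (n < 0)
        return -1;
    return groups_are_clean(groups, n, gid) ? 0 : -2;
}

int main(void)
{
    /* Constructed group lists standing in for what getgroups() would return. */
    const gid_t before[] = { 100, 4, 27 };   /* original user: users, adm, sudo */
    const gid_t after[]  = { 100 };          /* after the drop: only the target */
    printf("before drop, list clean: %d\n", groups_are_clean(before, 3, 100));
    printf("after drop, list clean:  %d\n", groups_are_clean(after, 1, 100));
    if (geteuid() == 0) {                    /* 65534 = nobody/nogroup placeholder */
        int rc = drop_privileges(65534, 65534);
        printf("drop_privileges: %d%s%s\n", rc,
               rc == -1 ? ", " : "", rc == -1 ? strerror(errno) : "");
    }
    return 0;
}
```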

Version 1.0.12 is a bugfix release and contains some security
enhancements. There are also inclusion/exclusion lists for servers
(new options include=, exclude=, policy= in the server
section).

Version 1.0.11 fixes two bugs that might be used for denial-of-service
attacks; upgrading is recommended.

Versions 1.0.9 and 1.0.10 are bugfix releases.

Version 1.0.8 introduces special Linux ppp device support contributed
by Ron Yorston, and has some bugfixes.

Version 1.0.7 introduces autoconf support, many new config file options and
the new pdnsd-ctl run-time configuration program.

Version 1.0.6 has another set of bugfixes, in addition to higher compile-time
configurability and UDP query support. It also contains Debian rc
scripts contributed by Markus Mohr.

Version 1.0.5 has some bugfixes and the new "server_ip" option
contributed by Wolfgang Ocker.

Version 1.0.4 introduces the new options run_as, strict_setuid and
paranoid. These new options are optional security enhancements.

Versions 1.0.1, 1.0.2 and 1.0.3 are bugfix releases.

Version 1.0.0 has a lot of changes compared to the 0.9.x tree, but many of
them "under the hood":
- IPv6 support (experimental; compile- and run-time configurable)
- FreeBSD (and hopefully other *BSD) support
- better rfc2181 compatibility
- new options:
  - serve_aliases in source section
  - linkdown_kluge in global section
  - max_ttl in global section
- cache-code reorganization, only one unified hash (of variable depth)
- Optimizations & cleanups
- Automatic deps (only interesting for developers ;-)

Version 0.9.11 fixes a locally exploitable security hole (the cache file was
world writeable by default). Please see ChangeLog.old for details.

Version 0.9.10 fixes some bugs and improves the build on Red Hat.

Version 0.9.9 contains the rc scripts for Red Hat Linux contributed by Torben
Janssen, in addition to code cleanups and bugfixes.
The meaning of the option -v has changed in this release.
There is also a new config file option "lean_query" that is on by default. It
is an optimization, so please look in the docs when updating whether you want
it switched on or not.

When compiling versions after 0.9.8, you will probably get more
compiler warnings than before. This is because the C compiler settings
have been made stricter.

Version 0.9.8 fixes a minor bug and some build problems with glibc2.0 systems.

The versions 0.9.6 and 0.9.7 are bugfix releases.

Version 0.9.5 introduces uptest=exec, and a modified config file syntax (cache
sizes are now specified in kB).

Version 0.9.4 was the first to be released to the public. For information on
changes, see ChangeLog.