------------------------------------------------------------------- Sun Apr 1 23:56:33 UTC 2018 - mrueckert@suse.de - enable dns over tls support: new BR for gnutls - enable dnstap support: new BR for libfstrm ------------------------------------------------------------------- Sun Apr 1 23:40:36 UTC 2018 - mrueckert@suse.de - update to 1.3.0 https://blog.powerdns.com/2018/03/30/dnsdist-1-3-0-released/ - New Features - Add an optional status parameter to Server:setAuto(). References: pull request 5625 - Add inClientStartup() function. References: pull request 6072 - Add tag-based routing of queries. References: pull request 6037 - Add experimental DNS-over-TLS support. References: pull request 6176, pull request 6177, pull request 6117, pull request 6175, pull request 6189 - Add simple dnstap support (Justin Valentini, Chris Hofstaedtler). References: pull request 5201, pull request 6170 - Add experimental XPF support based on draft-bellis-dnsop-xpf-04. References: #5654, #5079, pull request 6220, pull request 5594 - Add ERCodeRule() to match on extended RCodes (Chris Hofstaedtler). References: pull request 6147 - Add TempFailureCacheTTLAction() (Chris Hofstaedtler). References: pull request 6003 - Add DynBlockRulesGroup to improve processing speed of the maintenance() function by reducing memory usage and not walking the ringbuffers multiple times. References: pull request 6391 - Add console ACL functions. References: #4654, pull request 6399 - Allow adding EDNS Client Subnet information to a query before looking in the cache. This allows serving ECS enabled answers from the cache when all servers in a pool are down. References: #6098, pull request 6400 - Improvements - Add cache sharding, recvmmsg and CPU pinning support. With these, the scalability of dnsdist is drastically improved. References: #5202, #5859, pull request 5576, pull request 5860 - Add burst option to MaxQPSIPRule() (42wim). References: pull request 5970 - Add Pools, cacheHitResponseRules to the API. References: pull request 6022 - Add a class option to health checks. References: #5748, pull request 5929 - Add UUIDs to rules, this allows tracking rules through modifications and moving them around. References: pull request 6030 - Apply ResponseRules to locally generated answers (Chris Hofstaedtler). References: #6182, pull request 6185 - Report LuaAction() and LuaResponseAction() failures in the log and send SERVFAIL instead of not answering the query (Chris Hofstaedtler). References: pull request 6283 - Unify global statistics accounting (Chris Hofstaedtler). References: pull request 6289 - Speed up the processing of large ring buffers. This change will make dnsdist more scalable with a large number of different clients. References: pull request 6366, pull request 6350 - Make custom addLuaAction() and addLuaResponseAction() callback’s second return value optional. References: #6346, pull request 6363 - Add “server-up” metric count to Carbon Reporting (Lowell Mower). References: pull request 6327 - Add xchacha20 support for DNSCrypt. References: pull request 6045, pull request 6382 - Scalability improvement: Add an option to use several source ports towards a backend. References: pull request 6317 - Add ‘?’ and ‘help’ for providing help() output on dnsdist -c (Kirill Ponomarev, Chris Hofstaedtler). References: #4845, pull request 5866, pull request 6375 - Replace the Lua mutex with a rw lock to limit contention. This improves the processing speed and parallelism of the policies. References: pull request 6190, pull request 6381 - Ensure dnsdist compiles on NetBSD (Tom Ivar Helbekkmo). References: pull request 6146 - Also log eBPF dynamic blocks, as regular dynamic block already are. References: #5845, pull request 5845 - Ensure large numbers are shown correctly in the API. References: #6211, pull request 6401 - Add option to showRules() to truncate the output length. References: #5763, pull request 6402 - Fix several warnings reported by clang’s analyzer and cppcheck, should lead to small performance increases. References: pull request 6407 - Bug Fixes - Handle SNMP alarms so we can reconnect to the master. References: #5327, pull request 5328 - Fix signed/unsigned comparison warnings on ARM. References: #5489, pull request 5597 - Keep trying if the first connection to the remote logger failed References: pull request 5770 - Fix escaping unusual DNS label octets in DNSName is off by one (Kees Monshouwer). References: pull request 6018 - Avoid assertion errors in NewServer() (Chris Hofstaedtler). References: pull request 6403 - Removals - Remove the --daemon option from dnsdist. References: #6329, pull request 6394 ------------------------------------------------------------------- Fri Feb 16 10:30:23 UTC 2018 - adam.majer@suse.de - fix user creation code - update to 1.2.1 * Make dnsdist dynamic truncate do right thing on TCP/IP. * Add missing QPSAction. * Don't create a Remote Logger in client mode. * Keep the TCP connection open on cache hit, generated answers. * Add the missing include to mplexer.hh for struct timeval. * Sort the servers based on their 'order' after it has been set. * Fix the outstanding counter when an exception is raised. * Do not connect the snmpAgent from a dnsdist client. ------------------------------------------------------------------- Mon Aug 21 16:29:41 UTC 2017 - mrueckert@suse.de - enable snmp support (new BR: net-snmp-devel) ------------------------------------------------------------------- Mon Aug 21 16:15:43 UTC 2017 - mrueckert@suse.de - update to 1.2.0 (boo#1054799, boo#1054802) This release also addresses two security issues of low severity, CVE-2016-7069 and CVE-2017-7557. The first issue can lead to a denial of service on 32-bit if a backend sends crafted answers, and the second to an alteration of dnsdist’s ACL if the API is enabled, writable and an authenticated user is tricked into visiting a crafted website. More information can be found in our security advisories 2017-01 and 2017-02. - applying rules on cache hits - addition of runtime changeable rules that matches IP address for a - certain time: TimedIPSetRule - SNMP support, exporting statistics and sending traps - preventing the packet cache from ageing responses when deployed in - front of authoritative servers - TTL alteration capabilities - consistent hash results over multiple deployments - exporting CNAME records over protobuf - tuning the size of the ringbuffers used to keep track of recent - queries and responses - various DNSCrypt-related fixes and improvements, including - automatic key rotation Users upgrading from a previous version should be aware that: - the truncateTC option is now off by default, to follow the principle of least astonishment - the signature of the addLocal() and setLocal() functions has been changed, to make it easier to add new parameters without breaking existing configurations - the packet cache does not cache answers without any TTL anymore, to prevent them from being cached forever - blockfilter has been removed, since it was completely redundant This release also deprecates a number of functions, which will be removed in 1.3.0. Those functions had the drawback of making dnsdist’s configuration less consistent by hiding the fact that each rule is composed of a selector and an action. They are still supported in 1.2.0 but a warning is displayed whenever they are used, and a replacement suggested. https://dnsdist.org/changelog.html ------------------------------------------------------------------- Sun Feb 19 18:39:54 UTC 2017 - mrueckert@suse.de - fix build on TW: - no longer look for libsystemd-daemon - enable re2 ------------------------------------------------------------------- Fri Dec 30 01:43:23 UTC 2016 - mrueckert@suse.de - update to 1.1.0 dnsdist 1.1.0 has seen a significant amount of development, mostly based on feedback from they many 1.0 deployments. The majority of the new features have already been taken into production by pre-release and beta users. Highlights include: - TeeAction: send responses to a second nameserver, but ignore responses. Used to test new installations on existing traffic. Also used by the Yeti rootserver project. - Response rules which act on received responses - AXFR/IXFR support, including filtering options - Linux kernel based query type and query name filtering (eBPF), for very high speed packet rejection. Includes counters and statistics - Query counting infrastructure (contributed by TransIP’s Reinier Schoof) For the many other new features, improvements and bug fixes, please see the dnsdist website for the more complete changelog and the current documentation. http://dnsdist.org/changelog/#dnsdist-110 http://dnsdist.org/README/ - refresh dnsdist_bindir.patch to apply cleanly again ------------------------------------------------------------------- Mon Jul 11 15:32:09 UTC 2016 - mrueckert@suse.de - initial package (1.0.0)