Changelogs for 4.1.x
====================
**Note**: 4.1.x and earlier releases are End of Life and no longer supported.
See :doc:`EOL Statements <../appendices/EOL>`.

.. changelog::
  :version: 4.1.18
  :released: 13th of October 2020

  .. change::
    :tags: Bug Fixes
    :pullreq: 9601

    Backport of CVE-2020-25829: Cache pollution.

.. changelog::
  :version: 4.1.17
  :released: 1st of July 2020

  .. change::
    :tags: Bug Fixes
    :pullreq: 9283

    Backport of CVE-2020-14196: Enforce webserver ACL.

  .. change::
    :tags: Bug Fixes
    :pullreq: 9129
    :tickets: 9127, 8640

    Fix compilation on systems that do not define HOST_NAME_MAX.


.. changelog::
  :version: 4.1.16
  :released: 19th of May 2020

  .. change::
     :tags: Bug Fixes
     :pullreq: 9117

     Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and
     CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.

  .. change::
     :tags: Internals
     :pullreq: 8809

     Update python dependencies for docs generation.

  .. change::
     :tags: Improvements
     :pullreq:  8868

     Only log qname parsing errors when 'log-common-errors' is set.

  .. change::
     :tags: Internals
     :pullreq: 8753

     Update boost.m4.

.. changelog::
   :version: 4.1.15
  :released: 6th of December 2019

  .. change::
    :tags: Bug Fixes
    :pullreq: 8554

    Backport 8525 to rec 4.1.x: Purge map of failed auths periodically by keeping a last changed timestamp

  .. change::
    :tags: Bug Fixes
    :pullreq: 8544

    Backport 8470 to rec 4.1.x: prime NS records of root-servers.net parent (.net) 

  .. change::
    :tags: Bug Fixes
    :pullreq: 8543

    Backport 8340 to rec 4.1.x: issue with "zz" abbreviation for IPv6 RPZ triggers

  .. change::
    :tags: Bug Fixes
    :pullreq: 8542

    Backport 7068 to 4.1.x: Do the edns data dump for all threads

  .. change::
    :tags: Internals
    :pullreq: 8123

    Backport #7951 to 4.1.x: update boost.m4

.. changelog::
  :version: 4.1.14
  :released: 13th of June 2019

  .. change::
    :tags: Improvements
    :pullreq: 7906

    Add statistics counters for AD and CD queries.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7912

    Add missing getregisteredname Lua function

.. changelog::
  :version: 4.1.13
  :released: 21st of May 2019

  .. change::
    :tags: Improvements, Performance
    :pullreq: 7673
    :tickets: 7661

    Add the ``disable-real-memory-usage`` setting to skip expensive
    collection of detailed memory usage info.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 7816
    :tickets: 7714

    Fix DNSSEC validation of wildcards expanded onto themselves.

.. changelog::
  :version: 4.1.12
  :released: 2nd of April 2019

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 7495
    :tickets: 7494

    Correctly interpret an empty AXFR response to an IXFR query.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7647

    Provide CPU usage statistics per thread (worker & distributor).

  .. change::
    :tags: Improvements, Internals, Performance
    :pullreq: 7634
    :tickets: 7507

    Use a bounded load-balancing algo to distribute queries.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7651
    :tickets: 7631, 7572

    Implement a configurable ECS cache limit so responses with an ECS scope more specific than a certain threshold and a TTL smaller than a specific threshold are not inserted into the records cache at all.

.. changelog::
  :version: 4.1.11
  :released: 1st of February 2019

  Since Spectre/Meltdown, system calls have become more expensive.  This made exporting a very high number of protobuf messages costly, which is addressed in this release by reducing the number of syscalls per message.

  .. change::
    :tags: Improvements
    :pullreq: 7434

    Add an option to export only responses over protobuf to the Lua :func:`protobufServer` directive.

  .. change::
    :tags: Improvements
    :pullreq: 7430
    :tickets: 7428

    Reduce systemcall usage in protobuf logging.  (See #7428.)

.. changelog::
  :version: 4.1.10
  :released: 24th of January 2019

  This release fixes a bug when trying to build PowerDNS Recursor with protobuf support disabled, thus this release is only relevant to people building PowerDNS Recursor from source and not if you're installing it as a package from our repositories.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7403

    PowerDNS Recursor release 4.1.9 introduced a call to the Lua :func:`ipfilter` hook that required access to the DNS header, but the corresponding variable was only declared when protobuf support had been enabled.

.. changelog::
  :version: 4.1.9
  :released: 21st of January 2019

  This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor:
   - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8 ;
   - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.

  The issues are:
    - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua ;
    - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7397

    Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2019-01>`). Validates records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`).

  .. change::
    :tags: Improvements
    :pullreq: 7377
    :tickets: 7383

    Try another worker before failing if the first pipe was full

.. changelog::
  :version: 4.1.8
  :released: 26th of November 2018

  This release fixes :doc:`Security Advisory 2018-09 <../security-advisories/powerdns-advisory-2018-09>` that we recently discovered, affecting PowerDNS Recursor up to and including 4.1.7.

  The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.

  When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7221

    Crafted query can cause a denial of service (CVE-2018-16855, PowerDNS Security Advisory :doc:`2018-09 <../security-advisories/powerdns-advisory-2018-09>`)

.. changelog::
  :version: 4.1.7
  :released: 9th of November 2018

  This release updates the mitigation for :doc:`Security Advisory 2018-07 <../security-advisories/powerdns-advisory-2018-07>`, reverting the EDNS fallback strictness increase. This is necessary because there are a lot of broken name servers on the Internet.

  .. change::
    :tags: Improvements
    :pullreq: 7172

    Revert 'Keep the EDNS status of a server on FormErr with EDNS'

  .. change::
    :tags: Improvements
    :pullreq: 7174

    Refuse queries for all meta-types

.. changelog::
  :version: 4.1.6
  :released: 7th of November 2018

  This release reverts `#6980 <https://github.com/PowerDNS/pdns/pull/6980>`__, it could lead to DNSSEC validation issues.

  .. change::
    :tags: Bug Fixes
    :pullreq: 7159
    :tickets: 7158

    Revert "rec: Authority records in AA=1 CNAME answer are authoritative".

.. changelog::
  :version: 4.1.5
  :released: 6th of November 2018

  This release fixes the following security advisories:

  - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851)
  - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626)
  - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`)

  .. change::
    :tags: Bug Fixes
    :pullreq: 7151

    Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`)

  Additionally there are some other minor fixes and improvements listed below.

  .. change::
    :tags: Improvements, Lua
    :pullreq: 6919
    :tickets: 6848

    Add pdnslog to lua configuration scripts (Chris Hofstaedtler)

  .. change::
    :tags: Bug Fixes
    :pullreq: 6961
    :tickets: 6960

    Cleanup the netmask trees used for the ecs index on removals

  .. change::
    :tags: Bug Fixes
    :pullreq: 6963
    :tickets: 6605

    Make sure that the ECS scope from the auth is < to the source

  .. change::
    :tags: Bug Fixes, RPZ, Internals
    :pullreq: 6984
    :tickets: 6792

    Delay the creation of rpz threads until we have dropped privileges

  .. change::
    :tags: Bug Fixes
    :pullreq: 6980
    :tickets: 6979

    Authority records in aa=1 cname answer are authoritative

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 7073

    Avoid a memory leak in catch-all exception handler

  .. change::
    :tags: Bug Fixes
    :pullreq: 6741
    :tickets: 6340

    Don't require authoritative answers for forward-recurse zones

  .. change::
    :tags: Improvements
    :pullreq: 6948
    :tickets: 6943

    Fix compilation with libressl 2.7.0+

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6917

    Release memory in case of error in the openssl ecdsa constructor

  .. change::
    :tags: Bug Fixes
    :pullreq: 6925
    :tickets: 6924

    Convert a few uses to toLogString to print DNSName's that may be empty in a safer manner

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6945

    Avoid a crash on DEC Alpha systems

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 6951
    :tickets: 6949

    Clear all caches on (N)TA changes

  .. change::
    :tags: Improvements
    :pullreq: 7004
    :tickets: 6989, 6991

    Export outgoing ECS value and server ID in protobuf (if any)

  .. change::
    :tags: Improvements, Internals
    :pullreq: 7122
    :tickets: 7040

    Switch to devtoolset 7 for el6

  .. change::
    :tags: Improvements
    :pullreq: 7125
    :tickets: 7081

    Allow the signature inception to be off by a number of seconds. (Kees Monshouwer)

.. changelog::
  :version: 4.1.4
  :released: 31st of August 2018

  .. change::
    :tags: Improvements
    :pullreq: 6436

    Split ``pdns_enable_unit_tests``. (Chris Hofstaedtler)

  .. change::
    :tags: Bug Fixes
    :pullreq: 6465
    :tickets: 6462

    Don't account chained queries more than once.

  .. change::
    :tags: Improvements
    :pullreq: 6518

    Add a new :ref:`setting-max-udp-queries-per-round` setting.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6557
    :tickets: 6536

    Make :doc:`../../manpages/rec_control.1` respect :ref:`setting-include-dir`.

  .. change::
    :tags: Improvements
    :pullreq: 6590

    Fix warnings reported by gcc 8.1.0.

  .. change::
    :tags: Improvements
    :pullreq: 6809

    Tests: replace awk command by perl.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6812
    :tickets: 6567

    Load lua scripts only in worker threads.

  .. change::
    :tags: Improvements
    :pullreq: 6720

    Allow the snmp thread to retrieve statistics.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6873

    Purge all auth/forward zone data including subtree. (@phonedph1)

.. changelog::
  :version: 4.1.3
  :released: 22nd of May 2018

  This release improves the stability and resiliency of the RPZ implementation, prevents metrics gathering from slowing down the processing of DNS queries and fixes an issue related to the cleaning of EDNS Client Subnet entries from the cache.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6469

    Respect the ``AXFR`` timeout while connecting to the ``RPZ`` server.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6467

    Don't increase the ``DNSSEC`` validations counters when running with ``process-no-validate``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6313

    Count a lookup into an internal auth zone as a cache miss.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6588
    :tickets: 6237

    Delay the loading of ``RPZ`` zones until the parsing is done, fixing a race condition.

  .. change::
    :tags: Improvements
    :pullreq: 6567

    Move carbon/webserver/control/stats handling to a separate thread.

  .. change::
    :tags: Improvements
    :pullreq: 6566

    Use a separate, non-blocking pipe to distribute queries.

  .. change::
    :tags: Improvements
    :pullreq: 6562
    :tickets: 6550

    Add a subtree option to the :doc:`API <../http-api/index>` cache flush endpoint.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6595
    :tickets: 6542, 6516, 6358, 6517

    Reorder includes to avoid boost ``L`` conflict.

  .. change::
    :tags: Improvements
    :pullreq: 6611
    :tickets: 6130, 6610

    Update copyright years to 2018 (Matt Nordhoff).

  .. change::
    :tags: Improvements
    :pullreq: 6596, 6478
    :tickets: 6474

    Fix a warning on botan >= 2.5.0.

  .. change::
    :tags: Improvements
    :pullreq: 6583

    Add ``_raw`` versions for ``QName`` / ``ComboAddresses`` to the ``FFI`` API.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6586
    :tickets: 6505

     Use canonical ordering in the ``ECS`` index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6514, 6630

    Add ``-rdynamic`` to ``C{,XX}FLAGS`` when we build with ``LuaJIT``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6418
    :tickets: 6179

    Increase ``MTasker`` stacksize to avoid crash in exception unwinding (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6419
    :tickets: 6086

    Use the SyncRes time in our unit tests when checking cache validity (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6850
    :tickets: 6849

    Disable only our own tcp listening socket when reuseport is enabled

.. changelog::
  :version: 4.1.2
  :released: 29th of March 2018

  This release improves the stability and resiliency of the RPZ implementation and fixes several issues related to EDNS Client Subnet.

  .. change::
    :tags: Improvements
    :pullreq: 6298, 6303, 6290, 6268

    Add the option to set the AXFR timeout for RPZs.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6336, 6237, 6293
    :tickets: 6238

    Retry loading RPZ zones from server when they fail initially.

  .. change::
    :tags: Improvements
    :pullreq: 6172

    IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu).

  .. change::
    :tags: Bug Fixes
    :pullreq: 6300

    Fix ECS-based cache entry refresh code.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6320
    :tickets: 6319

    Fix ECS-specific NS AAAA not being returned from the cache.

  .. change::
    :tags: Improvements
    :pullreq: 6379
    :tickets: 6225

    Add :doc:`RPZ statistics endpoint <../http-api/endpoint-rpz-stats>` to the :doc:`API <../http-api/index>`.

  .. change::
    :tags: New Features
    :pullreq: 6344

    Add FFI version of :func:`gettag`.

.. changelog::
  :version: 4.1.1
  :released: 22nd of January 2018

  This is the second release in the 4.1 train.

  This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`__.

  This is a release on the stable branch, containing a fix for the
  abovementioned security issue and several bug fixes from the
  development branch.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6215

    Correctly handle ancestor delegation NSEC{,3} for children. Fixes
    the DNSSEC validation issue found in Knot Resolver, where a NSEC{3}
    ancestor delegation is wrongly use to prove the non-existence of a
    RR below the delegation.
    We already had the correct check for the exact owner name, but not
    for RRs below the delegation.
    (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 6209
    :tickets: 6212

    Fix to make ``primeHints`` threadsafe, otherwise there's a small
    chance on startup that the root-server IPs will be incorrect.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 6085
    :tickets: 6198

    Don't process records for another class than IN. We don't use
    records of another class than IN, but we used to store some of them
    in the cache which is useless. Just skip them.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6092
    :tickets: 6199

    Fix the computation of the closest encloser for positive
    answers. When the positive answer is expanded from a wildcard with
    NSEC3, the closest encloser is not always parent of the qname,
    depending on the number of labels in the initial wildcard.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6095
    :tickets: 6200

    Pass the correct buffer size to ``arecvfrom()``. The incorrect size
    could possibly cause DNSSEC failures.

  .. change::
    :tags: Bug Fixes
    :pullreq: 6137
    :tickets: 6201

    Don't validate signature for "glue" CNAME, since anything else than
    the initial CNAME can't be considered authoritative.

.. changelog::
  :version: 4.1.0
  :released: 4th of December 2017

  This is the first release in the 4.1 train.

  The full release notes can be read `on the blog <https://blog.powerdns.com/2017/12/04/powerdns-recursor-4-1/>`__.

  This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine-grained scopes (as used by some ‘country sized’ service providers).

  - Improved DNSSEC support,
  - Improved documentation,
  - Improved RPZ support,
  - Improved EDNS Client Subnet support,
  - Support for Botan 2.x (and removal of support for Botan 1.10),
  - SNMP support,
  - Lua engine has gained access to more parts of the recursor,
  - CPU affinity can now be specified,
  - TCP Fast Open support,
  - New performance metrics.

  Changes since 4.1.0-rc3:

  .. change::
    :tags: Internals, DNSSEC, Bug Fixes
    :pullreq: 5972

    Dump the validation status of negcache entries, fix DNSSEC type.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5980

    Cache Secure validation state when inserting negcache entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5978

    Fix DNSSEC validation of DS denial from the negative cache.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5997

    Store additional records as non-auth, even on AA=1 answers.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6008

    Don't leak when the loading a public ECDSA key fails.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 6009

    When validating DNSKeys, the zone should be part of the signer.

.. changelog::
  :version: 4.1.0-rc3
  :released: 17th of November 2017

  The third Release Candidate adds support for Botan 2.x (and removes
  support for Botan 1.10!), has a lot of DNSSEC fixes, features a
  cleaned up web UI and has miscellaneous minor improvements.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5877
    :tickets: 1066

    Sort NS addresses by speed and remove old ones.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5498
    :tickets: 2250, 5797

    Add support for Botan 2.x and remove support for Botan 1.10.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5896

    Purge ``nsSpeeds`` entries even if we get less than 2 new entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5889

    Prevent possible downgrade attacks in the recursor.

  .. change::
    :tags: Improvements
    :pullreq: 5876

    Print more details of trust anchors. In addition, the
    :ref:`setting-trace` output that mentions if data from authoritative
    servers gets accepted now also prints the TTL and clarifies the
    'place' number previously printed.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5885
    :tickets: 5882

    Split NODATA / NXDOMAIN NSEC wildcard denial proof of
    existence. Otherwise there is a very real risk that a NSEC will
    cover a more specific wildcard and we end up with what looks like a
    NXDOMAIN proof but is a NODATA one.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5904

    Fix incomplete validation of cached entries.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5912

    Fix going Insecure on NSEC3 hashes with too many iterations, since
    we could have gone Bogus on a positive answer synthesized from a
    wildcard if the corresponding NSEC3 had more iterations that we were
    willing to accept, while the correct result is Insecure.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5881
    :tickets: 5618

    Add EDNS to truncated, servfail answers.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5616

    Better support for deleting entries in ``NetmaskTree`` and
    ``NetmaskGroup``.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5917

    Use ``_exit()`` when we *really* want to exit, for example
    after a fatal error. This stops us dying while we die. A call to
    ``exit()`` will trigger destructors, which may paradoxically stop
    the process from exiting, taking down only one thread, but harming
    the rest of the process.

  .. change::
    :tags: Lua, DNSSEC, Improvements
    :pullreq: 5895
    :tickets: 5888

    Add the DNSSEC validation state to the ``DNSQuestion`` Lua object
    (although the ability to update the validation state from these
    hooks is postponed to after 4.1.0).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5930

    In the recursor secpoll code, we assumed the TXT record would be the
    first record first record we received. Sometimes it was the RRSIG,
    leading to a silent error, and no secpoll check. Fixed the
    assumption, added an error.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5938

    Don't crash when asked to run with zero threads.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5939
    :tickets: 5934

    Only accept types not matching the query if we asked for ANY. Even
    from forward-recurse servers.

  .. change::
    :tags: Internals, Bug Fixes
    :pullreq: 5937
    :tickets: 2758

    Allow the use of a 'self-resolving' NS if cached A / AAAA
    exists. Before this, we could skip a perfectly valid NS for which we
    had retrieved the A and / or AAAA entries, for example via a glue.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5961

    Add the config-name argument to the definition of configname. There
    was a bug where the config-name parameter was not used to change the
    path of the config file. This meant that some commands via
    rec_control (e.g. reload-acls) would fail when run against a
    recursor which had config-name defined. The correct behaviour was
    present in some, but not all, definitions of configname. (@jake2184)

.. changelog::
  :version: 4.1.0-rc2
  :released: 30th of October 2017

  The second Release Candidate contains several correctness fixes for DNSSEC,
  mostly in the area of verifying negative responses.

  .. change::
    :tags: API, Improvements
    :pullreq: 5805

    Improve logging for the built-in :doc:`webserver <../../http-api/index>`
    and the :ref:`Carbon <metricscarbon>` sender.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5808

    Check that the NSEC covers an empty non-terminal when looking for NODATA.

  .. change::
    :tags: Improvements, Internals
    :pullreq: 5824
    :tickets: 5663

    New b.root ipv4 address (Kees Monshouwer).

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5740

    Lowercase all outgoing qnames when :ref:`setting-lowercase-outgoing` is set.

  .. change::
    :tags: DNSSEC, Improvements
    :pullreq: 5834

    Don't directly store NSEC3 records in the positive cache.

  .. change::
    :tags: Improvements
    :pullreq: 5774

    Add experimental :doc:`../metrics` ``x-our-latency`` that track the time spent inside PowerDNS per query.
    These metrics ignore time spent waiting for the network.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5835
    :tickets: 5827

    Disable validation for infrastructure queries (e.g. when recursing for a name).
    Also validate entries from the Negative cache if they were not validated before.

  .. change::
    :tags: Improvements
    :pullreq: 5842

    Add :ref:`setting-log-timestamp` setting. This option can be used to disable
    printing timestamps to stdout, this is useful when using ``systemd-journald``
    or another supervisor that timestamps output by itself.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5762
    :tickets: 5439

    Create :ref:`setting-socket-dir` from the init-script.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5868
    :tickets: 5861

    Fix DNSSEC validation for denial of wildcards in negative answers and
    denial of existence proofs in wildcard-expanded positive responses.

  .. change::
    :tags: DNSSEC, Bug Fixes
    :pullreq: 5873

    Fix DNSSEC validation when using ``-flto``.

  .. change::
    :tags: Bug Fixes, Internals
    :pullreq: 5803

    Fix crashes with uncaught exceptions in MThreads.

.. changelog::
  :version: 4.1.0-rc1
  :released: 9th of October 2017

  The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

  While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

  .. change::
    :tags: Bug Fixes
    :pullreq: 5530

    Add a missing header for PRId64 in the negative cache, required on EL5/EL6.

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5543

    Wrap the webserver's and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Chris Hofstaedtler for reviewing!)

  .. change::
    :tags: Internals, Improvements
    :pullreq: 5545

    Add more unit tests for the NetmaskTree and ECS cache index.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5549

    Prevent an infinite loop if we need auth and the best match is not.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5570

    Be more careful about the validation of negative answers.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5569

    Don't fetch the DNSKEY of a zone to validate the DS of the same zone.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5599
    :tickets: 5456

    Fix libatomic detection on ppc64. (Sander Hoentjen)

  .. change::
    :tags: Improvements
    :pullreq: 5588

    Switch the default webserver's ACL to ``127.0.0.1, ::1``.

  .. change::
    :tags: Improvements
    :pullreq: 5598
    :tickets: 5524

    Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)

  .. change::
    :tags: Bug Fixes
    :pullreq: 5615
    :tickets: 5357

    Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for
    reporting this issue!)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5614

    Improve DNSSEC debug logging,

  .. change::
    :tags: Improvements
    :pullreq: 5622

    Add ``log-rpz-changes`` to log RPZ additions and removals.

  .. change::
    :tags: Improvements
    :pullreq: 5621

    Log the policy type (QName, Client IP, NS IP...) over protobuf.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5515

    Fix cache handling of ECS queries with a source length of 0.

  .. change::
    :tags: Improvements
    :pullreq: 5637

    Remove unused SortList compare operator for ComboAddress.

  .. change::
    :tags: Improvements
    :pullreq: 5620

    Add support for dumping the in-memory RPZ zones to a file.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5328
    :tickets: 5327

    Handle SNMP alarms so we can reconnect to the master.

  .. change::
    :tags: Improvements
    :pullreq: 5646

    Support for identifying devices by id such as mac address.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5662

    Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5672
    :tickets: 5649

    Add NSEC records on nx-trust cache hits.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5671
    :tickets: 5650

    Handle NSEC wrap-around.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5670
    :tickets: 5648, 5651

    Fix erroneous check for section 4.1 of rfc6840.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5715
    :tickets: 5705

    Handle direct NSEC queries.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5739

    Remove pdns.PASS and pdns.TRUNCATE.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5734

    Fix a crash when getting a public GOST key if the private one is not set.

  .. change::
    :tags: Improvements
    :pullreq: 5699

    Implement dynamic cache sizing.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5716
    :tickets: 5681

    Detect zone cuts by asking for DS instead of NS.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5738
    :tickets: 5735

    Do not allow direct queries for RRSIG or NSEC3.

  .. change::
    :tags: Improvements
    :pullreq: 5755

    Improve dnsbulktest experience in Travis for more robustness.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5756

    Improve ``--quiet=false`` output to include DNSSEC and more timing details.

  .. change::
    :tags: Improvements
    :pullreq: 5772

    Set ``TC=1`` if we had to omit part of the AUTHORITY section.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5771

    The target zone being insecure doesn't mean that the denial of the DS is too, if the parent zone is Secure..

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5733

    Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5773

    Don't negcache entries for longer than their RRSIG validity.

  .. change::
    :tags: Improvements
    :pullreq: 5764

    autoconf: set ``--with-libsodium`` to ``auto``.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5792

    Gracefully handle Socket::accept() returning a null pointer on EAGAIN.

.. changelog::
  :version: 4.1.0-alpha1
  :released: 18th of July 2017

  This is the first release of the PowerDNS Recursor in the 4.1 release train.
  This release contains several performance and correctness improvements in the EDNS Client subnet area, as well as better DNSSEC processing.

  .. change::
    :tags: New Features
    :pullreq: 5138
    :tickets: 5128

    Add server-side TCP Fast Open support.
    This adds a new option :ref:`setting-tcp-fast-open`.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag` to allow a script to take different actions whether a query came in over TCP or UDP.

  .. change::
    :tags: New Features
    :pullreq: 4569

    Allow setting the requestor ID field in the :attr:`DNSQuestion <DNSQuestion.requestorId>` from all hooks.

  .. change::
    :tags: Improvements, DNSSEC
    :pullreq: 5223, 5463, 5486, 5528
    :tickets: 4254, 4362, 4490, 4994

    Implement "on-the-fly" DNSSEC processing. This places the DNSSEC processing alongside the regular recursion, reducing possible cornercases, adding unit tests and making the code better maintainable.

  .. change::
    :tags: New Features
    :pullreq: 5063
    :tickets: 2818

    Implement CNAME wildcards in recursor authoritative component.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5078
    :tickets: 4939, 5075

    Show a useful error when an invalid :ref:`setting-lua-config-file` is configured.

  .. change::
    :tags: Bug Fixes
    :pullreq: 4860

    Fix :class:`DNSQuestion` members alterations from Lua not being taken into account.

  .. change::
    :tags: Bug Fixes, Protobuf
    :pullreq: 4984
    :tickets: 4969

    Fix ``remote``/``local`` inversion in :func:`preoutquery`.

  .. change::
    :tags: New Features, Scripting
    :pullreq: 4982
    :tickets: 4981

    Allow returning the :attr:`DNSQuestion.data` table from :func:`gettag`.

  .. change::
    :tags: New Features, SNMP
    :pullreq: 4990, 5404

    Add :ref:`SNMP <snmp>` support.

  .. change::
    :tags: Improvements
    :pullreq: 5106

    Split SyncRes::doResolveAt, add const and static whenever possible. Possibly improving performance while making the code easier to maintain.

  .. change::
    :tags: Improvements
    :pullreq: 5102

    Packet cache speedup and cleanup.

  .. change::
    :tags: Improvements
    :pullreq: 5146

    Make Lua mandatory for recursor builds.

  .. change::
    :tags: Improvements, Performance
    :pullreq: 5103, 5487

    Use one listening socket per thread when reuseport is enabled.

  .. change::
    :tags: Improvements, RPZ
    :pullreq: 5057

    Use the RPZ zone's TTL and add a new `maxTTL` setting.

  .. change::
    :tags: Improvements, Lua
    :pullreq: 5141

    Stop (de)serializing :attr:`DNSQuestion.data`.

  .. change::
    :tags: New Features, Lua
    :pullreq: 5198
    :tickets: 5195

    Allow access to EDNS options from the :func:`gettag` hook.

  .. change::
    :tags: Improvements
    :pullreq: 5226

    Refactor the negative cache into a class.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5209

    Ensure locks cannot be copied.

  .. change::
    :tags: Improvements, RPZ
    :pullreq: 5275, 5307
    :tickets: 5231, 5236

    RPZ updates are done zone by zone, zones are now shared pointers.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5252
    :tickets: 5246

    Only apply :ref:`setting-root-nx-trust` if the received SOA is ".".

  .. change::
    :tags: New Features
    :pullreq: 4569

    Pass ``tcp`` to :func:`gettag`, allow setting the requestor ID from hooks.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5312

    Don't throw an exception when logging to protobuf without a question set.

  .. change::
    :tags: New Features, Lua
    :pullreq: 5293

    Allow retrieving stats from Lua via the :func:`getStat` call.

  .. change::
    :tags: New Features, RPZ
    :pullreq: 5265
    :tickets: 5237

    Add support for RPZ wildcarded target names.

  .. change::
    :tags: Bug Fixes
    :pullreq: 5320

    Correctly truncate EDNS Client Subnetmasks.

  .. change::
    :tags: Improvements
    :pullreq: 5319

    Only check the netmask for subnet specific cache entries.

  .. change::
    :tags: Improvements
    :pullreq: 5236

    Refactor and split ``SyncRes::doResolveAt()``, making it easier to understand.
    Get rid of ``SyncRes::d_nocache``, makes sure we can't get into a root refresh loop.
    Limit the use of global variables in SyncRes, to make it easier to understand the interaction between components

  .. change::
    :tags: Improvements, EDNS Client Subnet
    :pullreq: 5461, 5472

    Add an ECS index to the cache

  .. change::
    :tags: New Features, EDNS Client Subnet
    :pullreq: 5409

    Add ECS metrics.

  .. change::
    :tags: Improvements, EDNS Client Subnet, DNSSEC
    :pullreq: 5484

    Use ECS when updating the validation state if needed.

  .. change::
    :tags: Bug Fixes, API
    :pullreq: 5466
    :tickets: 5398

    Clean up auth/recursor code mismatches in the API (Chris Hofstaedtler).

  .. change::
    :tags: Bug Fixes
    :pullreq: 5474
    :tickets: 5474

    Only increase ``no-packet-error`` on the first read.

  .. change::
    :tags: Improvements
    :pullreq: 5511

    When dumping the cache, also dump RRSIGs.

  .. change::
    :tags: Bug Fixes, DNSSEC
    :pullreq: 5525

    Fix validation at the exact RRSIG inception or expiration time.

  .. change::
    :tags: Improvements
    :pullreq: 5485

    Don't always override :ref:`setting-loglevel` to 6.

  .. change::
    :tags: Improvements
    :pullreq: 5406, 5530

    Make more specific Netmasks < to less specific ones.

  .. change::
    :tags: New Features
    :pullreq: 5482

    Add a :ref:`setting-cpu-map` directive to set CPU affinity per thread.
