debian/0000775000000000000000000000000013037504166007175 5ustar debian/watch0000664000000000000000000000044212200467030010213 0ustar # Example watch control file for uscan # Rename this file to "watch" and then you can run the "uscan" command # to check for upstream updates and more. # Site Directory Pattern Version Script version=3 http://downloads.powerdns.com/releases/ pdns-recursor-(.*)\.tar\.bz2 debian uupdate debian/pdns-recursor.default0000664000000000000000000000013512200467030013335 0ustar # Variables for PowerDNS recursor # # Set START to yes to start the pdns-recursor START=yes debian/copyright0000664000000000000000000000164012200467030011116 0ustar This is the Debian prepackaged version of pDNS, the PowerDNS nameserver. pDNS can be downloaded from http://www.powerdns.com/ Copyright and license: Copyright 2002 PowerDNS.COM BV This program is free software; you can redistribute it and/or modify it under the terms of version 2 of the GNU General Public License as published by the Free Software Foundation. Additionally, the license of this program contains a special exception which allows to distribute the program in binary form when it is linked against OpenSSL. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL-2 debian/patches/0000775000000000000000000000000013037504525010623 5ustar debian/patches/do-not-strip-binaries0000664000000000000000000000104712200467030014667 0ustar --- a/Makefile +++ b/Makefile 
@@ -73,10 +73,10 @@ install: all -mkdir -p $(DESTDIR)/$(SBINDIR) mv pdns_recursor $(DESTDIR)/$(SBINDIR) - strip $(DESTDIR)/$(SBINDIR)/pdns_recursor + #strip $(DESTDIR)/$(SBINDIR)/pdns_recursor mkdir -p $(DESTDIR)/$(BINDIR) mv rec_control $(DESTDIR)/$(BINDIR) - strip $(DESTDIR)/$(BINDIR)/rec_control + #strip $(DESTDIR)/$(BINDIR)/rec_control -mkdir -p $(DESTDIR)/$(CONFIGDIR) $(DESTDIR)/$(SBINDIR)/pdns_recursor --config > $(DESTDIR)/$(CONFIGDIR)/recursor.conf-dist -mkdir -p $(DESTDIR)/usr/share/man/man1 debian/patches/CVE-2015-1868-2.patch0000664000000000000000000000117313037502012013400 0ustar Description: CVE-2015-1868: add length check Origin: https://sources.debian.net/patches/pdns-recursor/3.6.2-2%2Bdeb8u2~bpo70%2B1/CVE-2015-1868-2.patch/ Bug: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1656931 Forwarded: not-needed Reviewed-by: Scott Kitterman Last-Update: 2017-01-17 --- --- pdns-recursor-3.5.3.orig/dnsparser.cc 2017-01-13 13:02:29.561478097 -0500 +++ pdns-recursor-3.5.3/dnsparser.cc 2017-01-13 13:02:29.557478096 -0500 @@ -470,6 +470,8 @@ } ret.append(1,'.'); } + if (ret.length() > 1024) + throw MOADNSException("Total name too long"); } } debian/patches/qtypes.patch0000664000000000000000000000415713037504355013201 0ustar Description: Add missing qtypes * Add debian/patches/qtypes.patch so qtypes required for CVE-2016-7068.patch are available Author: Scott Kitterman Origin: upstream Last-Update: 2017-01-13 Index: pdns-recursor-3.5.3/qtype.hh =================================================================== --- pdns-recursor-3.5.3.orig/qtype.hh +++ pdns-recursor-3.5.3/qtype.hh 
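Review bot: The `1024` in the added `if (ret.length() > 1024)` check in dnsparser.cc (CVE-2015-1868-2.patch) is a bare literal, and nothing at the site says why it is larger than the 255-octet limit on an encoded DNS name. `ret` is built with `ret.append(1,'.')`, so it appears to hold the text form of the name, and the extra headroom is presumably for escaping; that is inferred, not stated. I would add a comment above the check such as `// bound the decoded text form of a name; wire names are at most 255 octets, the slack covers escaping`, or hoist the value into a named constant. The enclosing function starts and ends outside the hunk, so where the check sits relative to the label loop cannot be confirmed from here.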
@@ -77,8 +77,8 @@ public: static int chartocode(const char *p); //!< convert a character string to a code // more solaris fun #undef DS - enum typeenum {A=1,NS=2,CNAME=5,SOA=6, MR=9, PTR=12,HINFO=13,MX=15,TXT=16,RP=17,AFSDB=18,KEY=25,AAAA=28,LOC=29,SRV=33,NAPTR=35, KX=36, - CERT=37,OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51, + enum typeenum {A=1,NS=2,CNAME=5,SOA=6, MR=9, PTR=12,HINFO=13,MX=15,TXT=16,RP=17,AFSDB=18, SIG=24, KEY=25,AAAA=28,LOC=29,SRV=33,NAPTR=35, KX=36, + CERT=37, A6=38, OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51, TLSA=52, SPF=99, TSIG=250, AXFR=252, IXFR=251, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types; typedef pair namenum; static vector names; 
@@ -109,18 +109,25 @@ private: qtype_insert("AAAA",28); qtype_insert("LOC",29); qtype_insert("SRV",33); + qtype_insert("NAPTR",35); + qtype_insert("KX",36); qtype_insert("CERT", 37); qtype_insert("A6",38); - qtype_insert("NAPTR",35); + qtype_insert("OPT",41); qtype_insert("DS", 43); qtype_insert("SSHFP", 44); + qtype_insert("IPSECKEY", 45); qtype_insert("RRSIG", 46); qtype_insert("NSEC", 47); qtype_insert("DNSKEY", 48); + qtype_insert("DHCID", 49); qtype_insert("NSEC3", 50); qtype_insert("NSEC3PARAM", 51); qtype_insert("TLSA",52); qtype_insert("SPF",99); + qtype_insert("EUI48",108); + qtype_insert("EUI64",109); + qtype_insert("TSIG", 250); qtype_insert("IXFR",251); qtype_insert("AXFR",252); qtype_insert("ANY",255); debian/patches/CVE-2015-1868.patch0000664000000000000000000000253013037502522013245 0ustar Description: CVE-2015-1868: limit loop iterations during decompression to prevent DoS Origin: https://downloads.powerdns.com/patches/2015-01/others.patch Bug: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1656931 Forwarded: not-needed Author: Aki Tuomi Reviewed-by: Scott Kitterman Last-Update: 2017-01-17 --- --- pdns-recursor-3.5.3.orig/dnsparser.cc 2017-01-13 12:59:06.053472869 -0500 +++ pdns-recursor-3.5.3/dnsparser.cc 2017-01-13 12:59:06.049472869 -0500 @@ -434,9 +434,10 @@ void PacketReader::getLabelFromContent(const vector& content, uint16_t& frompos, string& ret, int recurs) { - if(recurs > 1000) // the forward reference-check below should make this test 100% obsolete + if(recurs > 100) // the forward reference-check below should make this test 100% obsolete throw MOADNSException("Loop"); + int pos = frompos; for(;;) { unsigned char labellen=content.at(frompos++); 
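Review bot: The second qtype.hh hunk registers `qtype_insert("EUI48",108)` and `qtype_insert("EUI64",109)`, but the `typeenum` line rewritten in the first hunk gains only `SIG=24` and `A6=38`, so these two names have no matching enum constant. If they are meant to be name-table-only entries, a one-line comment next to them would say so; otherwise add `EUI48=108, EUI64=109` to the enum so the two lists stay in step. The patch description says it only supplies the qtypes CVE-2016-7068.patch needs, while this hunk adds several further names (KX, OPT, IPSECKEY, DHCID, TSIG), so naming them in the description would make the backport easier to audit.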
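Review bot: In the first dnsparser.cc hunk of CVE-2015-1868.patch, the comment kept on `if(recurs > 100)` still calls the depth test "100% obsolete", which reads oddly next to a security fix that tightens it from 1000 to 100, and the new `int pos = frompos;` has no explanation at all. The second hunk compares the compression-pointer target with `if(offset >= pos)`, so the intent appears to be that a pointer must land before the start of the name currently being decoded, which makes every jump strictly backwards. I would say so at the declaration, e.g. `// start of this name: compression pointers must target an earlier offset`, and reword the depth comment to `// defence in depth; the backward-only check below should already prevent loops`. The function body continues outside both hunks.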
@@ -449,7 +450,7 @@ uint16_t offset=256*(labellen & ~0xc0) + (unsigned int)content.at(frompos++) - sizeof(dnsheader); // cout<<"This is an offset, need to go to: "<= frompos-2) + if(offset >= pos) throw MOADNSException("forward reference during label decompression"); return getLabelFromContent(content, offset, ret, ++recurs); } debian/patches/pdns-recursor-less-chatty0000664000000000000000000000435312200774304015612 0ustar --- a/pdns_recursor.cc +++ b/pdns_recursor.cc @@ -237,7 +237,7 @@ socklen_t len=sizeof(psize); if(!getsockopt(fd, SOL_SOCKET, optname, (char*)&psize, &len) && psize > size) { - L<= 0) { if(i==locals.begin()) - L< Last-Update: 2016-01-17 --- diff --git a/pdns_recursor.cc b/pdns_recursor.cc index dcadf1b..3708137 100644 --- a/pdns_recursor.cc +++ b/pdns_recursor.cc @@ -533,7 +533,14 @@ void startDoResolve(void *p) bool variableAnswer = false; // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) { - res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret); + try { + res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret); + } + catch(ImmediateServFailException &e) { + L<d_mdp.d_qname<<"' because: "<get()) { if(res == RCode::NoError) { diff --git a/syncres.cc b/syncres.cc index afadfbc..f98f116 100644 --- a/syncres.cc +++ b/syncres.cc 
@@ -915,6 +915,7 @@ int SyncRes::doResolveAt(set nameservers, string auth, } else { s_outqueries++; d_outqueries++; + if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname); TryTCP: if(doTCP) { LOG(prefix<toStringWithPort() < #include "syncres.hh" #include -#ifdef __FreeBSD__ +#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) #include #endif #include debian/patches/hurd-ftbfs-patch0000664000000000000000000000070212200467030013674 0ustar --- a/misc.cc +++ b/misc.cc @@ -25,6 +25,9 @@ #include #include #endif // WIN32 +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 255 +#endif #include "misc.hh" #include --- a/Makefile +++ b/Makefile @@ -33,6 +33,9 @@ ifeq ($(shell uname),GNU/kFreeBSD) -include sysdeps/FreeBSD.inc endif +ifeq ($(shell uname),GNU/Hurd) + -include sysdeps/Linux.inc +endif ifeq ($(LUA), 1) LUALIBS=$(LUA_LIBS_CONFIG) debian/patches/remove-pdns_hw-patch0000664000000000000000000000044512200467030014571 0ustar --- a/Makefile +++ b/Makefile @@ -93,7 +93,7 @@ -rm -f dep *~ *.gcda *.gcno optional/*.gcda optional/*.gcno binclean: - -rm -f *.o pdns_recursor rec_control optional/*.o + -rm -f *.o pdns_hw pdns_recursor rec_control optional/*.o dep: $(CXX) $(CXXFLAGS) -MM -MG *.cc *.c *.hh > $@ debian/patches/CVE-2016-7068.patch0000664000000000000000000001054613037504431013253 0ustar Description: CVE-2016-7068, fix DoS caused by specially crafted DNS queries Origin: backport, https://downloads.powerdns.com/patches/2016-02/rec-3.6.4-spuriosurrs-167732.patch Forwarded: not-needed Bug: https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1656931 Author: Florian Heinz and Martin Kluge Reviewed-by: Scott Kitterman Last-Update: 2017-01-17 --- --- pdns-recursor-3.5.3.orig/dnsparser.cc 2017-01-13 13:11:08.457491426 -0500 +++ pdns-recursor-3.5.3/dnsparser.cc 2017-01-13 13:16:16.253499333 -0500 
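Review bot: The cap in `if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);` in the syncres.cc hunk is written twice as a literal, once in the test and once in the message text, so a later change to one can silently leave the other wrong. A single named constant used for both (for example a `static const unsigned int` declared next to the counter, with the message built from it) keeps them together and gives packagers one place to find the limit. A short comment that the limit counts outgoing queries for one resolution and ends it with a ServFail would also help whoever later meets that error in the logs. `doResolveAt` starts and ends outside the hunk.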
@@ -138,7 +138,7 @@ memcpy(&packet[pos], &drh, sizeof(drh)); pos+=sizeof(drh); memcpy(&packet[pos], serialized.c_str(), serialized.size()); pos+=(uint16_t)serialized.size(); - MOADNSParser mdp((char*)&*packet.begin(), (unsigned int)packet.size()); + MOADNSParser mdp(false, (char*)&*packet.begin(), (unsigned int)packet.size()); shared_ptr ret= mdp.d_answers.begin()->first.d_content; ret->header.d_type=ret->d_qtype; ret->label=mdp.d_answers.begin()->first.d_label; @@ -195,7 +195,7 @@ return zmakermap; } -void MOADNSParser::init(const char *packet, unsigned int len) +void MOADNSParser::init(bool query, const char *packet, unsigned int len) { if(len < sizeof(dnsheader)) throw MOADNSException("Packet shorter than minimal header"); @@ -209,6 +209,9 @@ d_header.ancount=ntohs(d_header.ancount); d_header.nscount=ntohs(d_header.nscount); d_header.arcount=ntohs(d_header.arcount); + + if (query && (d_header.qdcount > 1)) + throw MOADNSException("Query with QD > 1 ("+lexical_cast(d_header.qdcount)+")"); uint16_t contentlen=len-sizeof(dnsheader); @@ -253,7 +256,13 @@ dr.d_label=label; dr.d_clen=ah.d_clen; - dr.d_content=boost::shared_ptr(DNSRecordContent::mastermake(dr, pr)); + if (query && (dr.d_place == DNSRecord::Answer || dr.d_place == DNSRecord::Nameserver || (dr.d_type != QType::OPT && dr.d_type != QType::TSIG && dr.d_type != QType::SIG) || ((dr.d_type == QType::TSIG || dr.d_type == QType::SIG) && dr.d_class != 0xff))) { + dr.d_content=boost::shared_ptr(new UnknownRecordContent(dr, pr)); + } + else { + dr.d_content=boost::shared_ptr(DNSRecordContent::mastermake(dr, pr)); + } + d_answers.push_back(make_pair(dr, pr.d_pos)); if(dr.d_type == QType::TSIG && dr.d_class == 0xff) --- pdns-recursor-3.5.3.orig/dnsparser.hh 2017-01-13 13:11:08.457491426 -0500 +++ pdns-recursor-3.5.3/dnsparser.hh 2017-01-13 13:11:08.453491426 -0500 
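Review bot: The condition added in `MOADNSParser::init` (the `@@ -253,7 +256,13 @@` hunk) that selects `UnknownRecordContent` is one long boolean with no comment, which makes the security-relevant rule hard to audit. As written, for a query only OPT records, and TSIG/SIG records whose class is `0xff`, outside the answer and nameserver sections still go through `DNSRecordContent::mastermake`; everything else is kept unparsed. I would put that sentence above the `if` as a comment and replace the bare `0xff` with the project's name for that class value if one exists (presumably the ANY class). The same literal appears in the unchanged `if(dr.d_type == QType::TSIG && dr.d_class == 0xff)` line below, and `init` continues outside the hunk.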
@@ -295,15 +295,15 @@ { public: //! Parse from a string - MOADNSParser(const string& buffer) : d_tsigPos(0) + MOADNSParser(bool query, const string& buffer) : d_tsigPos(0) { - init(buffer.c_str(), (unsigned int)buffer.size()); + init(query, buffer.c_str(), (unsigned int)buffer.size()); } //! Parse from a pointer and length - MOADNSParser(const char *packet, unsigned int len) : d_tsigPos(0) + MOADNSParser(bool query, const char *packet, unsigned int len) : d_tsigPos(0) { - init(packet, len); + init(query, packet, len); } dnsheader d_header; @@ -329,7 +329,7 @@ } private: void getDnsrecordheader(struct dnsrecordheader &ah); - void init(const char *packet, unsigned int len); + void init(bool query, const char *packet, unsigned int len); vector d_content; uint16_t d_tsigPos; }; --- pdns-recursor-3.5.3.orig/lwres.cc 2017-01-13 13:11:08.457491426 -0500 +++ pdns-recursor-3.5.3/lwres.cc 2017-01-13 13:11:08.453491426 -0500 @@ -165,7 +165,7 @@ lwr->d_result.clear(); try { lwr->d_tcbit=0; - MOADNSParser mdp((const char*)buf.get(), len); + MOADNSParser mdp(false, (const char*)buf.get(), len); lwr->d_aabit=mdp.d_header.aa; lwr->d_tcbit=mdp.d_header.tc; lwr->d_rcode=mdp.d_header.rcode; --- pdns-recursor-3.5.3.orig/pdns_recursor.cc 2017-01-13 13:11:08.457491426 -0500 +++ pdns-recursor-3.5.3/pdns_recursor.cc 2017-01-13 13:22:47.661509387 -0500 
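Review bot: The doc comments `//! Parse from a string` and `//! Parse from a pointer and length` in dnsparser.hh were left unchanged although both constructors now take a leading `bool query`, so the header does not say what the flag means. Call sites in this patch pass a bare `false` (dnsparser.cc, lwres.cc) or `true` (pdns_recursor.cc), which cannot be read without that explanation. I would extend the comments, e.g. `//! Parse from a string; query=true is for a packet parsed as an incoming query: more than one question is rejected and most records are kept unparsed`, with that wording taken from what `init` does in the dnsparser.cc hunks. The class body starts and ends outside the hunks.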
@@ -125,7 +125,7 @@ //! used to send information to a newborn mthread struct DNSComboWriter { - DNSComboWriter(const char* data, uint16_t len, const struct timeval& now) : d_mdp(data, len), d_now(now), + DNSComboWriter(const char* data, uint16_t len, const struct timeval& now) : d_mdp(true, data, len), d_now(now), d_tcp(false), d_socket(-1) {} MOADNSParser d_mdp; debian/patches/series0000664000000000000000000000031213037500115012023 0ustar do-not-strip-binaries kfreebsd-ftbfs-patch pdns-recursor-less-chatty hurd-ftbfs-patch remove-pdns_hw-patch CVE-2014-8601.patch CVE-2015-1868.patch CVE-2015-1868-2.patch CVE-2016-7068.patch qtypes.patch debian/changelog0000664000000000000000000002705413037504166011057 0ustar pdns-recursor (3.5.3-1ubuntu0.1) trusty-security; urgency=high * SECURITY UPDATE: * References * CVE-2014-8601: PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it. - Added debian/patches/CVE-2014-8601.patch * CVE-2015-1868: The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself. - Added debian/patches/CVE-2015-1868.patch * CVE-2015-5470: The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a long name that refers to itself. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1868. 
- Added debian/patches/CVE-2015-1868-2.patch * CVE-2016-7068: Florian Heinz and Martin Kluge reported that pdns-recursor parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded. - Added debian/patches/CVE-2016-7068.patch * Add debian/patches/qtypes.patch so qtypes required for CVE-2016-7068.patch are available -- Scott Kitterman Fri, 13 Jan 2017 15:20:50 -0500 pdns-recursor (3.5.3-1) unstable; urgency=low * New upstream version -- Matthijs Möhlmann Sun, 22 Sep 2013 14:45:58 +0200 pdns-recursor (3.5.2-2) unstable; urgency=low * Enable on all architectures (Closes: #579194) -- Matthijs Möhlmann Sat, 24 Aug 2013 16:13:37 +0200 pdns-recursor (3.5.2-1) unstable; urgency=low * New upstream version (Closes: #710048, #682851, #671592, #697355, #649724) - Refresh patches * Improve the patch to make pdns-recursor less chatty * Standards-Version: 3.9.4 (no changes necessary) * Remove pdns_hw on cleanup (Closes: #652833) -- Matthijs Möhlmann Tue, 06 Aug 2013 21:43:01 +0200 pdns-recursor (3.3-3) unstable; urgency=low * new maintainer team * new Vcs links * add Homepage * debhelper 9 (enable hardening) (Closes: 656859) * prepare new version * set unapply-patches * set Architecture to "all but arm{el,hf}" (Closes: 661959) * Standards-Version: 3.9.3 (no changes necessary) -- Marc Haber Mon, 18 Jun 2012 14:45:50 +0000 pdns-recursor (3.3-2) unstable; urgency=low * Fix my name in the init script and debian/control too. * Update Standards-Version to 3.9.2 * Use new build system dh instead of individual dh_* commands. -- Matthijs Möhlmann Mon, 08 Aug 2011 11:56:58 +0200 pdns-recursor (3.3-1) unstable; urgency=low * New upstream release. (Closes: #565052) * Init loop is fixed in pdns (Closes: #594805) * Now my name is spelled correctly. 
* Update Standards-Version to 3.9.1 * Update the recursor.conf and include new configuration parameters. * Add debug package (Closes: #594243) -- Matthijs Möhlmann Sat, 22 Jan 2011 16:39:02 +0100 pdns-recursor (3.2-4) unstable; urgency=high * Upgrading from a previous version fails when the pdns-recursor isn't started, this is RC bug hence urgency high. (Closes: #565415) * Fix watch file * Fix FTBFS on hurd again. -- Matthijs Mohlmann Tue, 20 Jul 2010 13:42:45 +0200 pdns-recursor (3.2-3) unstable; urgency=low * Add watch file * Switch to dpkg-source 3.0 (quilt) format * Fix FTBFS on hurd * Update logcheck rules. (Closes: #588135) * Update Standards-Version to 3.9.0 * Use dh_installinit instead of the pdns-recursor.install file. -- Matthijs Mohlmann Mon, 19 Jul 2010 14:39:02 +0200 pdns-recursor (3.2-2) unstable; urgency=low * Remove Christoph Haas from Uploaders. Thanks for the great work! * Add fix for FTBFS thanks to Petr Salinger (Closes: #575006) * Make pdns-recursor on startup less chatty (Closes: #438469) -- Matthijs Mohlmann Sat, 03 Apr 2010 13:46:23 +0200 pdns-recursor (3.2-1) unstable; urgency=low * New upstream version. * Update Standards-Version to 3.8.4 * Fix boot order, thanks to Petter Reinholdtsen (Closes: #566877) * All architectures enabled, needs testing (Closes: #489925) -- Matthijs Mohlmann Wed, 17 Mar 2010 10:59:28 +0100 pdns-recursor (3.1.7.2-1) unstable; urgency=high * New upstream version. (CVE-2009-4009 and CVE-2009-4010) (Closes: #564145) * Make lintian happy. * Now really add sh4 to the architecture list. (Closes: #551153) -- Matthijs Mohlmann Fri, 08 Jan 2010 18:14:44 +0100 pdns-recursor (3.1.7.1-4) unstable; urgency=low * Add mips, mipsel and sh4 to the supported list of architectures, only arm, armel and armeb are missing. See #369453 (Closes: #551153) -- Matthijs Mohlmann Fri, 06 Nov 2009 18:09:29 +0100 pdns-recursor (3.1.7.1-3) unstable; urgency=low * Update incorrect dependencies in the init.d script. 
(Closes: #547033) -- Matthijs Mohlmann Sun, 11 Oct 2009 18:46:58 +0200 pdns-recursor (3.1.7.1-2) unstable; urgency=low * Fixing FTBFS on several archs (Closes: #540867, #541689) * Added hppa and sparc architectures. See #489925, leaving open because of more unsupported architectures. -- Matthijs Mohlmann Sun, 16 Aug 2009 15:39:54 +0200 pdns-recursor (3.1.7.1-1) unstable; urgency=low * New upstream release (Closes: #497920) * Using new patch system quilt. * Updated Standards-Version to 3.8.2 * Enable lua scripting support (Closes: #534893) -- Matthijs Mohlmann Sun, 09 Aug 2009 12:58:06 +0200 pdns-recursor (3.1.7-5) unstable; urgency=low * Fix FTBFS bug with GCC 4.4 (closes: #506003) * Make pdns-recursor available on hppa and sparc (closes: #489925) by adding libc6-dev in a recent version to debian/control -- Christoph Haas Wed, 13 May 2009 21:36:55 +0200 pdns-recursor (3.1.7-4) unstable; urgency=low * Fix FTBFS bug (closes: #528164) -- Christoph Haas Mon, 11 May 2009 22:24:44 +0200 pdns-recursor (3.1.7-3) unstable; urgency=low * Fixed repository URL (SVN->Git) * Increased policy version to 3.8.0 (lintian warning) * Added proper description for gcc-4.2-ftbfs-fix.dpatch dpatch (lintian warning) * Fixed PIDFILE setting in init.d script (thanks to Serge Belyshev) -- Christoph Haas Sun, 14 Sep 2008 22:48:59 +0200 pdns-recursor (3.1.7-2) unstable; urgency=low * Regard return code from stopping pdns in init.d script (Closes: #478593) * Fixed init.d script's force-stop function. -- Christoph Haas Sun, 14 Sep 2008 17:36:42 +0200 pdns-recursor (3.1.7-1) unstable; urgency=low * New upstream version (Closes: #490069) (Closes: #477130) * init.d scripts gets socket-dir information from recursor.conf (Closes: #471568) * Added config file directives * Set dont-query to nothing so it won't break pre-3.1.7 configs. 
(Closes: #476841) -- Christoph Haas Mon, 31 Mar 2008 21:51:59 +0200 pdns-recursor (3.1.4-6) unstable; urgency=low * Standards-Version 3.7.3.0 * Remove pdns_hw too on cleanup. * Fix for truncating long TXT queries (Closes: #462114) * Don't ignore build errors (Closes: #462128) * Build option noopt was inoperative (Closes: #462126) * Added gcc 4.3 fixes from upstream (Closes: #455631) -- Matthijs Mohlmann Wed, 13 Feb 2008 22:49:08 +0100 pdns-recursor (3.1.4-5) unstable; urgency=low * daemon=no is now working if used in /etc/powerdns/recursor.conf (Closes: #440020) * patch added to reflect change of L root server (Closes: #449483) * Makefile patched to prevent stripping of binaries (Closes: #437765) -- Christoph Haas Fri, 09 Nov 2007 21:57:58 +0100 pdns-recursor (3.1.4-4) unstable; urgency=low * Update to debhelper 5. * Fix lintian warning: debian-rules-sets-DH_COMPAT. * Restore the changelog, it was partly removed by accident. (Closes: #421393) * Fix FTBFS with gcc-4.2 (Closes: #387113) -- Matthijs Mohlmann Sun, 03 Jun 2007 15:11:22 +0200 pdns-recursor (3.1.4-3) unstable; urgency=low * Stop/stop script does not return an error code when being called as 'stop' when the service is actually not running. (Closes: #406428) -- Debian PowerDNS Maintainers Wed, 21 Feb 2007 23:10:00 +0200 pdns-recursor (3.1.4-2) unstable; urgency=medium * Run pdns-recursor by default as non-privileged user. (Closes: #399669) * swapcontext is supported by kfreebsd (Fixes a FTBFS) (Closes: #403746) * Added lsb-base to the dependencies. (Closes: #402732) -- Matthijs Mohlmann Mon, 25 Dec 2006 14:00:10 +0100 pdns-recursor (3.1.4-1) unstable; urgency=medium * New upstream release. -- Matthijs Mohlmann Sun, 12 Nov 2006 23:52:20 +0100 pdns-recursor (3.1.3-3) unstable; urgency=low [ Matthijs Mohlmann ] * Don't build pdns-recursor for the following architectures: arm, mips, mipsel, hppa and sparc. No support for swapcontext system call. 
(Closes: #395801) * Fix a big endian problem with TCP processing large answers. * Fix a crash on any record we couldn't properly print for whatever reason. -- Matthijs Mohlmann Sun, 29 Oct 2006 17:50:34 +0100 pdns-recursor (3.1.3-2) unstable; urgency=low * Added patch to close a connectionless socket on an error. * Added patch to fix a FD leak. * Added missing lsb keyword Short-Description. -- Debian PowerDNS Maintainers Sun, 1 Oct 2006 14:52:46 +0200 pdns-recursor (3.1.3-1) unstable; urgency=low * New upstream release. * Make a lsb compliant init script, fixes a lintian warning. -- Debian PowerDNS Maintainers Thu, 14 Sep 2006 21:20:56 +0200 pdns-recursor (3.1.2-2) unstable; urgency=low * Added patch to fix crashes on 64bit platforms (Closes: #380403) * Added patch to prevent overwriting of auth data by unauth data. * Fix a small memleak. -- Debian PowerDNS Maintainers Sun, 6 Aug 2006 13:20:45 +0200 pdns-recursor (3.1.2-1) unstable; urgency=low * New upstream release. * Drop build-with-g++-4.1 patch. g++ 4.1 is default now. (Closes: #376696) * Fixed minor typo in recursor.conf (Closes: #369957) * Add logcheck rule for pdns-recursor to suppress logcheck warnings. (Closes: #367702) -- Debian PowerDNS Maintainers Tue, 4 Jul 2006 19:16:19 +0200 pdns-recursor (3.1.1-1) unstable; urgency=low * New upstream version. -- Debian PowerDNS Maintainers Wed, 24 May 2006 19:41:09 +0200 pdns-recursor (3.0.1-1) unstable; urgency=low * New upstream release (Closes: #366681) -- Debian PowerDNS Maintainers Tue, 25 Apr 2006 21:27:26 +0200 debian/pdns-recursor.init0000664000000000000000000000730412200773750012672 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: pdns-recursor # Required-Start: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # X-Start-After: slapd mysql postgresql # X-Stop-Before: slapd mysql postgresql # Short-Description: Start the recursor at boot time. 
### END INIT INFO # # Authors: Matthijs Möhlmann # Christoph Haas # # Thanks to: # Thomas Hood # # initscript for PowerDNS recursor . /lib/lsb/init-functions PATH=/sbin:/bin:/usr/sbin:/usr/bin DESC="PowerDNS recursor" NAME=pdns_recursor DAEMON=/usr/sbin/$NAME # Derive the socket-dir setting from /etc/powerdns/recursor.conf # or fall back to the default /var/run if not specified there. PIDDIR=$(awk -F= '/^socket-dir=/ {print $2}' /etc/powerdns/recursor.conf) if [ -z "$PIDDIR" ]; then PIDDIR=/var/run; fi PIDFILE=$PIDDIR/$NAME.pid # Gracefully exit if the package has been removed. test -x $DAEMON || exit 0 # Read config file if it is present. if [ -r /etc/default/pdns-recursor ]; then . /etc/default/pdns-recursor fi start() { # Return # 0 if daemon has been started / was already running # >0 if daemon could not be started start-stop-daemon --start --oknodo --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null || return 0 start-stop-daemon --start --oknodo --quiet --pidfile $PIDFILE --exec $DAEMON || return 2 } start_resolvconf() { if [ -x /sbin/resolvconf ]; then echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.pdns-recursor fi return 0 } stop() { # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occured start-stop-daemon --stop --quiet --retry=HUP/30/TERM/5/KILL/5 --pidfile $PIDFILE --name $NAME RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 rm -f $PIDFILE return "$RETVAL" } stop_resolvconf() { if [ -x /sbin/resolvconf ]; then /sbin/resolvconf -d lo.pdns-recursor fi return 0 } case "$1" in start) if [ "$START" != "yes" ]; then log_begin_msg "Not starting $DESC -- disabled." log_end_msg 0 exit 0 fi log_daemon_msg "Starting $DESC" "pdns-recursor" start case "$?" in 0) start_resolvconf break ;; 1) log_progress_msg "(already running)" break ;; *) log_progress_msg " (failed)." 
log_end_msg 1 exit 1 ;; esac log_end_msg 0 ;; stop) stop_resolvconf log_daemon_msg "Stopping $DESC" "pdns-recursor" stop case "$?" in 0) break ;; 1) log_progress_msg "(not running)" break ;; *) log_progress_msg "(failed)" log_end_msg 1 exit 1 ;; esac log_end_msg 0 ;; restart|force-reload) if [ "$START" != "yes" ]; then $0 stop exit 0 fi log_daemon_msg "Restarting $DESC" "pdns-recursor" stop case "$?" in 0|1) start case "$?" in 0) log_end_msg 0 exit 0 ;; 1) log_progress_msg "(failed -- old process still running)" log_end_msg 1 exit 1 ;; *) log_progress_msg "(failed to start)" log_end_msg 1 exit 1 ;; esac ;; *) log_progress_msg "(failed to stop)" log_end_msg 1 exit 1 ;; esac ;; force-stop) killall -v -9 pdns_recursor echo "killed" ;; *) echo "Usage: $0 {start|stop|restart|force-reload|force-stop}" >&2 exit 3 ;; esac exit 0 debian/pdns-recursor.prerm0000664000000000000000000000064612200467030013045 0ustar #!/bin/sh # # Add an error handler to catch up with a fault in the pdns-recursor script. set -e # Set the old version. MODE=$1 OLDVERSION=$2 # Init script has errors in previous versions. initscript_error() { # Versions older then 3.2-4 have a bug in the initscript. if dpkg --compare-versions "$OLDVERSION" lt-nl "3.2-4" && [ "$MODE" = "failed-upgrade" ]; then return 0 fi return $1 } #DEBHELPER# exit 0 debian/pdns-recursor.install0000664000000000000000000000017612200773724013376 0ustar debian/tmp/usr/sbin/pdns_recursor usr/sbin/ debian/tmp/usr/bin/rec_control usr/bin/ debian/config/recursor.conf etc/powerdns/ debian/pdns-recursor.postinst0000664000000000000000000000204512200467030013576 0ustar #!/bin/sh # # set -e case "$1" in configure) if [ -z "`getent group pdns`" ]; then addgroup --quiet --system pdns fi if [ -z "`getent passwd pdns`" ]; then echo -n "Creating user and group pdns..." 
adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns echo "done" fi ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # Those using dependency based boot sequencing with sysv-rc and # installing pdns-recursor version 3.1.7.1-2 or earlier would have wrong # runlevel symlinks. Recover from this. if [ "$1" = "configure" ] && dpkg --compare-versions "$2" le "3.1.7.1-2" \ && [ -f /etc/rc2.d/S[0-9][0-9]pdns-recursor ] && [ ! -f /etc/rc1.d/K[0-9][0-9]pdns-recursor ] then update-rc.d -f pdns-recursor remove fi # Init script has errors in previous versions. Postinst script should just # return the exit status of this script initscript_error() { return $1 } #DEBHELPER# exit 0 debian/source/0000775000000000000000000000000012200467030010462 5ustar debian/source/format0000664000000000000000000000001412200467030011670 0ustar 3.0 (quilt) debian/rules0000775000000000000000000000037212200467030010244 0ustar #!/usr/bin/make -f # Enable lua export LUA := 1 # Use new build system %: dh $@ --parallel override_dh_strip: dh_strip --dbg-package=pdns-recursor-dbg override_dh_installinit: dh_installinit --error-handler=initscript_error -- defaults 19 85 debian/README.source0000664000000000000000000000004712200467030011342 0ustar See /usr/share/doc/quilt/README.source debian/compat0000664000000000000000000000000212200467030010360 0ustar 9 debian/config/0000775000000000000000000000000012200467030010427 5ustar debian/config/recursor.conf0000664000000000000000000001653012200467030013147 0ustar # Autogenerated configuration file template ################################# # aaaa-additional-processing turn on to do AAAA additional processing (slow) # # aaaa-additional-processing=off ################################# # allow-from If set, only allow these comma separated netmasks to recurse # # allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 
################################# # allow-from-file If set, load allowed netmasks from this file # # allow-from-file= ################################# # auth-can-lower-ttl If we follow RFC 2181 to the letter, an authoritative server can lower the TTL of NS records # # auth-can-lower-ttl=off ################################# # auth-zones Zones for which we have authoritative data, comma separated domain=file pairs # # auth-zones= ################################# # chroot switch to chroot jail # # chroot= ################################# # client-tcp-timeout Timeout in seconds when talking to TCP clients # # client-tcp-timeout=2 ################################# # config-dir Location of configuration directory (recursor.conf) # # config-dir=/etc/powerdns/ ################################# # daemon Operate as a daemon # # daemon=yes ################################# # delegation-only Which domains we only accept delegations from # # delegation-only= ################################# # disable-edns Disable EDNS # # disable-edns= ################################# # disable-edns-ping Disable EDNSPing # # disable-edns-ping=no ################################# # disable-packetcache Disable packetcache # # disable-packetcache=no ################################# # dont-query If set, do not query these netmasks for DNS data # # dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 ################################# # entropy-source If set, read entropy from this file # # entropy-source=/dev/urandom ################################# # etc-hosts-file Path to 'hosts' file # # etc-hosts-file=/etc/hosts ################################# # export-etc-hosts If we should serve up contents from /etc/hosts # # export-etc-hosts=off ################################# # forward-zones Zones for which we forward queries, comma separated domain=ip pairs # # forward-zones= ################################# # forward-zones-file File with (+)domain=ip pairs for 
forwarding # # forward-zones-file= ################################# # forward-zones-recurse Zones for which we forward queries with recursion bit, comma separated domain=ip pairs # # forward-zones-recurse= ################################# # hint-file If set, load root hints from this file # # hint-file= ################################# # ignore-rd-bit Assume each packet requires recursion, for compatability # # ignore-rd-bit=off ################################# # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. # local-address=127.0.0.1 ################################# # local-port port to listen on # local-port=53 ################################# # log-common-errors If we should log rather common errors # # log-common-errors=yes ################################# # logging-facility Facility to log messages as. 0 corresponds to local0 # # logging-facility= ################################# # lua-dns-script Filename containing an optional 'lua' script that will be used to modify dns answers # # lua-dns-script= ################################# # max-cache-entries If set, maximum number of entries in the main cache # # max-cache-entries=1000000 ################################# # max-cache-ttl maximum number of seconds to keep a cached entry in memory # # max-cache-ttl=86400 ################################# # max-mthreads Maximum number of simultaneous Mtasker threads # # max-mthreads=2048 ################################# # max-negative-ttl maximum number of seconds to keep a negative cached entry in memory # # max-negative-ttl=3600 ################################# # max-packetcache-entries maximum number of entries to keep in the packetcache # # max-packetcache-entries=500000 ################################# # max-tcp-clients Maximum number of simultaneous TCP clients # # max-tcp-clients=128 ################################# # max-tcp-per-client If set, maximum number of TCP sessions per client (IP address) # # 
max-tcp-per-client=0 ################################# # network-timeout Wait this number of milliseconds for network i/o # # network-timeout=1500 ################################# # no-shuffle Don't change # # no-shuffle=off ################################# # packetcache-servfail-ttl maximum number of seconds to keep a cached servfail entry in packetcache # # packetcache-servfail-ttl=60 ################################# # packetcache-ttl maximum number of seconds to keep a cached entry in packetcache # # packetcache-ttl=3600 ################################# # pdns-distributes-queries If PowerDNS itself should distribute queries over threads (EXPERIMENTAL) # # pdns-distributes-queries=no ################################# # processes Launch this number of processes (EXPERIMENTAL, DO NOT CHANGE) # # processes=1 ################################# # query-local-address Source IP address for sending queries # # query-local-address=0.0.0.0 ################################# # query-local-address6 Source IPv6 address for sending queries # # query-local-address6= ################################# # quiet Suppress logging of questions and answers # quiet=yes ################################# # remotes-ringbuffer-entries maximum number of packets to store statistics for # # remotes-ringbuffer-entries=0 ################################# # serve-rfc1918 If we should be authoritative for RFC 1918 private IP space # # serve-rfc1918= ################################# # server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname # # server-id= ################################# # setgid If set, change group id to this gid for more security # setgid=pdns ################################# # setuid If set, change user id to this uid for more security # setuid=pdns ################################# # single-socket If set, only use a single socket for outgoing queries # # single-socket=off ################################# # soa-minimum-ttl Don't change # #
soa-minimum-ttl=0 ################################# # soa-serial-offset Don't change # # soa-serial-offset=0 ################################# # socket-dir Where the controlsocket will live # # socket-dir=/var/run/ ################################# # socket-group Group of socket # # socket-group= ################################# # socket-mode Permissions for socket # # socket-mode= ################################# # socket-owner Owner of socket # # socket-owner= ################################# # spoof-nearmiss-max If non-zero, assume spoofing after this many near misses # # spoof-nearmiss-max=20 ################################# # stack-size stack size per mthread # # stack-size=200000 ################################# # threads Launch this number of threads # # threads=2 ################################# # trace if we should output heaps of logging # # trace=off ################################# # version-string string reported on version.pdns or version.bind # # version-string=PowerDNS Recursor 3.3 $Id: pdns_recursor.cc 1712 2010-09-11 13:40:03Z ahu $ debian/pdns-recursor.logcheck.ignore.server0000664000000000000000000000010612200467030016255 0ustar ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns_recursor\[[0-9]+\]: stats: .* debian/pdns-recursor.dirs0000664000000000000000000000012112200773750012656 0ustar etc/powerdns etc/init.d etc/default usr/bin usr/sbin usr/share/doc/pdns-recursor debian/control0000664000000000000000000000324513037504211010573 0ustar Source: pdns-recursor Section: net Priority: extra Standards-Version: 3.9.4 Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian PowerDNS Maintainers Uploaders: Matthijs Möhlmann , Marc Haber Build-Depends: debhelper (>= 9~), quilt, dpkg-dev (>= 1.10.17), libboost-dev, libboost-serialization-dev, liblua5.1-0-dev Vcs-Git: git://git.debian.org/pkg-pdns/pdns-recursor.git Vcs-Browser: http://git.debian.org/?p=pkg-pdns/pdns-recursor.git Homepage: http://www.powerdns.com/ Package: pdns-recursor Architecture: any 
Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.0-6), adduser Replaces: pdns Recommends: pdns-doc Description: PowerDNS recursor PowerDNS is a versatile nameserver which supports a large number of different backends ranging from simple zonefiles to relational databases and load balancing/failover algorithms. PowerDNS tries to emphasize speed and security. . This is the recursive nameserver that goes out to the internet and resolves queries about other domains. Package: pdns-recursor-dbg Section: debug Architecture: any Depends: pdns-recursor (= ${binary:Version}), ${misc:Depends} Description: debugging symbols for PowerDNS recursor PowerDNS is a versatile nameserver which supports a large number of different backends ranging from simple zonefiles to relational databases and load balancing/failover algorithms. PowerDNS tries to emphasize speed and security. . This package contains debugging symbols for PowerDNS to assist in debugging, such as with gdb. It is not required for normal operation. debian/pdns-recursor.manpages0000664000000000000000000000003612200467030013504 0ustar pdns_recursor.1 rec_control.1