To update from one version of Deadwood to the next one, be sure to stop
and disable the old Deadwood service, and be sure the service is using
the latest Deadwood version.

Do this with a cmd shell running as the administrator:

net stop deadwood
Deadwood.exe --remove

That removes the old version of Deadwood. Then, to install the new version:

Deadwood.exe --install
net start Deadwood

Use the services manager (called services in Windows 10) to ensure 
Deadwood is automatically started up.

--

The notes below note changes done between versions of Deadwood;
please go over these notes if updating from an older version
of Deadwood.  If a given version number doesn't have notes,
that indicates the version in question didn't change the
configuration syntax.

--

Deadwood 3.5.0007 now prefers to use ip_blocklist instead of 
ip_blacklist.  The older ip_blacklist name still works as before.

--

Deadwood 3.5.0004 no longer needs to have maximum_cache_elements
increased to store upstream_servers, root_servers, ip4, ip6, or
blocklist entries.

---

Deadwood 3.5.0002 no longer needs to use mkSecretTxt.exe nor a file
named secret.txt to get entropy.  Instead, it uses CryptAcquireContext()
to get random numbers.

---

Deadwood 3.4.01 and Deadwood 3.4.02 do not change any Deadwood code 
relative to Deadwood 3.3.03.

---

Deadwood 3.3.03 is updated to use the https://quad9.net upstream DNS
servers as the default.  If the old behavior of using the ICANN name
servers as root servers is desired, add the following lines to one's
dwood3rc.txt file:

root_servers = {}
root_servers["."]="198.41.0.4, 199.9.14.201, 192.33.4.12, 199.7.91.13,"
root_servers["."]+="192.203.230.10, 192.5.5.241, 192.112.36.4, "
root_servers["."]+="198.97.190.53, 192.36.148.17, 192.58.128.30, "
root_servers["."]+="193.0.14.129, 199.7.83.42, 202.12.27.33"

PLEASE NOTE: The above list of IPs is current as of 2019-04-07, and
was last changed in October of 2017.

Please go to https://root-servers.org to get an up-to-date list of root
servers.

NOTE ALSO: root_servers will still work, but it’s better these days to
use upstream_servers. While root_servers works most of the time with most
domains, there’s enough corner cases out there on the Internet I’m
not going to recommend doing things that way. It’s a 99/1 situation;
Deadwood can resolve 99% of the domains out there, but to get it to
resolve the other 1% would require months to years of work, so it’s
only good enough to have a mostly usable Internet.

---

Deadwood 3.3.02 introduces a new parameter: ip6
No changes to configuration files need to be made for this release.

---

Deadwood 3.3.01 introduces a new parameter: ip4
No changes to configuration files need to be made for this release.

---

Deadwood 3.2.14 is a bugfix update. No changes to configuration files
need to be made for this release.

---

Deadwood 3.2.12 is a security update.  No changes to configuration files
need to be made for this release.

A couple of minor changes that affect configuration since 3.2.02:

* Deadwood now exits with a fatal error when there are over 20,000
  upstream/root server entries in dwood3rc (older Deadwood releases would
  silently not work)

* Default file name for entropy in Windows is now "secret.txt"

* Default maxprocs increased to 1024; maximum maxprocs increased to 
  8,388,608 

---

Deadwood 3.2.02 is a stable release.  This release has a new parameter:
max_ttl, which limits how long an entry can stay in the cache; the default
TTL cap is one day (86400 seconds).  

---

Deadwood 3.2.01 is a stable release.  The default timeout has been decreased
from 2 to 1 second.  This will make resolution faster for the majority of
users; for users on slow connections with problems resolving domains,
add the following line to a dwood3rc file:

timeout_seconds = 3

num_retries now has a default value of 5 instead of 2.  To restore the
old value, add this to the dwood3rc file:

num_retries = 2

---

Deadwood 3.0.04, in addition to fixing a number of bugs, has added some
features.  In particular:

  * I consider it a bug if any valid dwood3rc file does not parse in Python 2.
    That in mind, I have updated the dwood3rc parser to not allow parameters to
    have any leading whitespace (since whitespace is significant in Python).

    This is OK:

recursive_acl = "127.0.0.1/16, 192.168.1.1/24"

    But this will raise an error:

  recursive_acl = "127.0.0.1/16, 192.168.1.1/24"

    (Observe the extra space in the left of the second example)

  * It is no longer allowed to set both root_servers or upstream_servers for a
    given name. In other words, a configuration like this will now raise an
    error:

upstream_servers = {}
upstream_servers["example.com."] = "127.0.0.1"
root_servers = {}
root_servers["example.com."] = "192.168.1.1"

  * Deadwood now raises a warning when the same name is set more than once.
    This will now trigger a warning:

upstream_servers = {}
upstream_servers["example.net."] = "10.1.2.3"
upstream_servers["example.net."] = "192.168.1.1"

    I was tempted to make this fatal, but decided not to because making this
    fatal would make it more difficult to manage large anti-phish/malware
    blocklists.

  * It is no longer permitted to initialize root_servers or upstream_servers
    more than once. This will now raise an error:

upstream_servers = {}
upstream_servers["example.net."] = "10.1.2.3"
upstream_servers = {}
upstream_servers["example.com."] = "192.168.1.1"

  * Deadwood will now raise an error for invalid lists of root or upstream
    servers. This is now fatal:

root_servers = {}
root_servers["."] = "foo"

  * Deadwood now requires that any bind_address is in the recursive ACL.  
    This is now fatal:

bind_address = "127.0.0.1, 192.168.1.42"
recursive_acl = "127.0.0.1/16"

    It can be fixed thusly:

bind_address = "127.0.0.1, 192.168.1.42"
recursive_acl = "127.0.0.1/16, 192.168.1.1/24"


---

Deadwood 3.0.03 is a bugfix-only upgrade of Deadwood 3.0.02.  No changes made
will impact users.

---

Deadwood 3.0.02 is a bugfix-only upgrade of Deadwood 3.0.01.  

The one update that will noticably impact users is the fact that
filter_rfc1918 now filters more DNS replies.  In particular, DNS
answers with the following IP ranges are now filtered by default:

     * 192.168.x.x
     * 172.[16-31].x.x
     * 10.x.x.x
     * 127.x.x.x
     * 169.254.x.x
     * 224.x.x.x
     * 0.0.x.x

If one of the above IPs is detected in a DNS reply, and filter_rfc1918
has a value of 1, Deadwood will return a synthetic "this host does not
reply" response (a SOA record in the NS section) instead of the A record.

The reason for this is to provide a "dnswall" that protects users for
some kinds of attacks, as described at http://crypto.stanford.edu/dns/

If it is desired to have DNS answers with these IPs, add the following
line to dwood3rc.txt:

filter_rfc1918 = 0

