Changelogs for 3.x and older
These changelogs are included for historical purposes.
Broken links may exist.
PowerDNS Authoritative Server 3.4.9
Released 17th of May 2016
This is a minor bugfix and performance release. Two contributions by
Kees Monshouwer make 3.4.9 fully compatible with the new single key
ECDSA default that is coming in version 4.0.0.
Changes since 3.4.8:
PowerDNS Authoritative Server 3.4.8
Released 3rd of February 2016
This is a small bugfix release. Additionally, the deb/RPM packages on
downloads.powerdns.com (those with -static in the name) for 3.4.8 have
been built against Botan 1.10.11 instead of Botan 1.10.3 like previous
packages. Please see the Botan Security
page for more information
on the fixes in Botan 1.10.11. As a PowerDNS user, these issues only
affect you if you ran our -static packages and allowed your users to
upload private keys to your configuration.
Changes since 3.4.7:
- commit edfa60a:
Use AC_SEARCH_LIBS (Ruben Kerkhof)
- commit 7b7a3af:
Check for inet_aton in libresolv (Ruben Kerkhof)
- commit 9322aee:
Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
- commit 23d26d8:
pdnssec: don’t check disabled records (Pieter Lexis)
- commit ce92ff1:
pdnssec: check all records (including disabled ones) only in verbose
mode (Kees Monshouwer)
- commit f745312:
trailing dot in DNAME content (Kees Monshouwer)
- commit ed02761:
Fix luabackend compilation on FreeBSD i386 (RvdE)
- commit 07ea6ac:
silence g++ 6.0 warnings and error (Kees Monshouwer)
- commit c6077b1:
add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)
PowerDNS Authoritative Server 3.4.7
Released 3rd of November 2015
This is a security release fixing Security Advisory
2015-03
Bug fixes:
Improvements:
New features:
PowerDNS Authoritative Server 3.4.6
Released 28th of August 2015
This is a security release fixing Security Advisory
2015-02
Bug fixes:
- commits c849701
and 8c91e2c:
Avoid superfluous backend recycling
- commits
463fcff,
0fc08e8,
0fbe69c,
1a6af1c and
07f69d3:
Removal of dnsdist from the authoritative server distribution (Kees
Monshouwer among others).
- commits 5cfea4c
and ef011d9:
Add EDNS unknown version handling and tests EDNS unknown version
handling (Aki Tuomi)
Improvements:
- commits 88dd8a7
and dc6c63d:
Update YaHTTP to v0.1.7 (Aki Tuomi)
- commit 0a344bc:
Make trailing/leading spaces stand out in
pdnssec check_zone
- commits 2e982ad
and 09bec1f:
GCC 5.2 support and sync boost.m4 macro with upstream (Kees
Monshouwer among others)
- commit 1ad4e44:
Log answer packets only if log-dns-details is enabled (Kees
Monshouwer)
PowerDNS Authoritative Server 3.3.3
Released 9th of June 2015
This is a security release fixing Security Advisory
2015-01
Bug fixes:
PowerDNS Authoritative Server 3.4.5
Released 9th of June 2015
This is a security release fixing Security Advisory
2015-01
Bug fixes:
- commit ffaae2b:
be careful reading empty lines in our config parser and prevent
integer overflow.
- commit 8e30209:
prevent crash after ^^list-modules (Ruben Kerkhof)
- commit 6cf71cf:
Limit the maximum length of a qname
Improvements:
PowerDNS Authoritative Server 3.3.2
Released 1st of May, 2015
Among other bug fixes and improvements (as listed below), this release
incorporates a fix for CVE-2015-1868, as detailed in PowerDNS Security
Advisory 2015-01
If you are running DNSSEC with version 3.3.1 or below, and you cannot
currently upgrade to 3.4.4, please consider upgrading to 3.3.2; it has a
lot of improvements and bug fixes and tremendously increases compliance.
We want to explicitly thank Kees Monshouwer for digging up all the
DNSSEC improvements and porting them back to this release.
When upgrading, please run pdnssec rectify-all-zones
and trigger an
AXFR for all DNSSEC zones to make sure you benefit from all the
compliance improvements present in this version.
Security fixes:
- commit 9df4944:
import CVE-2015-1868 patch (Peter van Dijk)
- commit dbedfc5:
kill some further mallocs and add note to remind us not to add them
back (bert hubert)
Improvements:
Bug fixes:
- commit 88c52fe:
make makeRelative() case-insensitive (Kees Monshouwer)
DNSSEC improvements:
- commit b3dec9c:
change default for add-superfluous-nsec3-for-old-bind config option
(Kees Monshouwer)
- commit 017a78b:
limit the number of NSEC3 iterations RFC5155 10.3 (Kees Monshouwer)
- commit d768d7f:
NSEC3 and related RRSIGS are not part of the dnstree (Kees
Monshouwer)
- commit 3a36a1c:
import bindbackend rectify code from master (Kees Monshouwer)
- commit 1ee7e22:
limit mode 0 closest provable encloser to optout (Kees Monshouwer)
- commit bbc0bc5:
fix for errata 3441 of RFC5155 (Kees Monshouwer)
- commit e8bfa7b:
allow covering NSEC3 record in NODATA response (Kees Monshouwer)
- commit f0b3b24:
return NOTIMP for direct RRSIG request (Kees Monshouwer)
- commit c79addc:
import pdnssec checkZone() from master (Kees Monshouwer)
- commit 2f1fec7:
import pdnssec rectifyZone() from master (Kees Monshouwer)
PowerDNS Authoritative Server 3.4.4
Released 23rd of April, 2015
Warning: Version 3.4.4 of the PowerDNS Authoritative Server is a
major upgrade if you are coming from 2.9.x. Additionally, if you are
coming from any 3.x version (including 3.3.1), there is a mandatory SQL
schema upgrade. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Among other bug fixes and improvements (as listed below), this release
incorporates a fix for CVE-2015-1868, as detailed in PowerDNS Security
Advisory 2015-01
Bug fixes:
New Features:
- commit 5ae212e:
pdnssec: warn for insecure wildcards in opt-out zones
- commits
cd3f21c,
8b582f6,
0b7e766,
f743af9,
dcde3c8 and
f12fcf7: TKEY
record type (Aki Tuomi)
- commits
0fda1d9,
3dd139d,
ba146ce,
25109e2,
c011a01,
0600350,
fc96b5e,
4414468,
c163d41,
f52c7f6,
8d56a31,
7821417,
ea62bd9,
c5ababd,
91c8351 and
073ac49: Many
PKCS#11 improvements (Aki Tuomi)
- commits 6f0d4f1
and 5eb33cb:
Introduce xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
Improvements:
- commit e4f48ab:
allow “pdnssec set-nsec3 ZONE” for insecure zones; this saves on one
rectify when securing a NSEC3 zone
- commits
cce95b9,
e2e9243 and
e82da97:
Improvements to the config-file parsing (Aki Tuomi)
- commit 2180e21:
postgresql check should not touch LDFLAGS (Ruben Kerkhof)
- commit 0481021:
Log error when remote cannot do AXFR (Aki Tuomi)
- commit 1ecc3a5:
Speed improvements when AXFR is disabled (Chris Hofstaedtler)
- commits 1f7334e
and b17799a:
NSEC3 and related RRSIGS are not part of the dnstree (Kees
Monshouwer)
- commits dd943dd
and 58c4834:
Change ifdef to check for
__GLIBC__
instead of __linux__
to
prevent errors with other libc’s (James Taylor)
- commit c929d50:
Try to raise open files before dropping privileges (Aki Tuomi)
- commit 69fd3dc:
Add newline to carbon error message on auth (Aki Tuomi)
- commit 3064f80:
Make sure we send servfail on error (Aki Tuomi)
- commit b004529:
Ship lmdb-example.pl in tarball (Ruben Kerkhof)
- commit 9e6b24f:
Allocate TCP buffer dynamically, decreasing stack usage
- commit 267fdde:
throw if getSOA gets non-SOA record
PowerDNS Authoritative Server 3.4.3
Warning: Version 3.4.3 of the PowerDNS Authoritative Server is a
major upgrade if you are coming from 2.9.x. Additionally, if you are
coming from any 3.x version (including 3.3.1), there is a mandatory SQL
schema upgrade. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Released March 2nd, 2015
Find the downloads on our download
page.
Bug fixes:
- commit ceb49ce:
pdns_control: exit 1 on unknown command (Ruben Kerkhof)
- commit 1406891:
evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
- commit 3ca050f:
always set di.notified_serial in getAllDomains (Kees Monshouwer)
- commit d9d09e1:
pdns_control: don’t open socket in /tmp (Ruben Kerkhof)
New features:
- commit 2f67952:
Limit who can send us AXFR notify queries (Ruben Kerkhof)
Improvements:
- commit d7bec64:
respond REFUSED instead of NOERROR for “unknown zone” situations
- commit ebeb9d7:
Check for Lua 5.3 (Ruben Kerkhof)
- commit d09931d:
Check compiler for relro support instead of linker (Ruben Kerkhof)
- commit c4b0d0c:
Replace PacketHandler with UeberBackend where possible (Christian
Hofstaedtler)
- commit 5a85152:
PacketHandler: Share UeberBackend with DNSSECKeeper (Christian
Hofstaedtler)
- commit 97bd444:
fix building with GCC 5
Experimental API changes (Chris Hofstaedtler):
PowerDNS Authoritative Server 3.4.2
Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a
major upgrade if you are coming from 2.9.x. Additionally, if you are
coming from any 3.x version (including 3.3.1), there is a mandatory SQL
schema upgrade. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Released February 3rd, 2015
Find the downloads on our download
page.
This is a performance and bugfix update to 3.4.1 and any earlier
version. For high traffic setups, including those using DNSSEC,
upgrading to 3.4.2 may show tremendous performance increases.
A list of changes since 3.4.1 follows.
Improvements:
Bug fixes:
Minor changes:
New features:
- commit 1b97ba0:
add signatures metric to auth, so we can plot signatures/second
- commit 92cef2d:
pdns_control: make it possible to notify all zones at once
- commit f648752:
JSON API: provide flush-cache, notify, axfr-retrieve
- commit 02653a7:
add ‘bench-db’ to do very simple database backend performance
benchmark
- commit a83257a:
enable callback based metrics to statbas, and add 5 such metrics:
uptime, sys-msec, user-msec, key-cache-size, meta-cache-size,
signature-cache-size
Performance improvements:
PowerDNS Authoritative Server 3.4.1
Warning: Version 3.4.1 of the PowerDNS Authoritative Server is a
major upgrade if you are coming from 2.9.x. Additionally, if you are
coming from any 3.x version (including 3.3.1), there is a mandatory SQL
schema upgrade. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Released October 30th, 2014
Find the downloads on our download
page.
This is a bugfix update to 3.4.0 and any earlier version.
A list of changes since 3.4.0 follows.
PowerDNS Authoritative Server 3.4.0
Released September 30th, 2014
This is a performance, feature, bugfix and conformity update to 3.3.1
and any earlier version. It contains a huge amount of work by various
contributors, to whom we are very grateful.
Warning: Version 3.4.0 of the PowerDNS Authoritative Server is a
major upgrade if you are coming from 2.9.x. Additionally, if you are
coming from any 3.x version (including 3.3.1), there is a mandatory SQL
schema upgrade. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Downloads
Find the downloads on our download
page.
A list of changes since 3.3.1 follows.
Changes between RC2 and 3.4.0:
Changes between RC1 and RC2:
Changes between 3.3.1 and 3.4.0-RC1 follow.
DNSSEC changes
- commit bba8413:
add option (max-signature-cache-entries) to limit the maximum number
of cached signatures.
- commit 28b66a9:
limit the number of NSEC3 iterations (see RFC5155 10.3), with the
max-nsec3-iterations option.
- commit b50efd6:
drop the ‘superfluous NSEC3’ option that old BIND validators need.
- The bindbackend ‘hybrid’ mode was reintroduced by Kees Monshouwer.
Enable it with bind-hybrid.
- Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key
management with a (Soft)HSM.
- Direct RRSIG queries now return NOTIMP.
- commit fa37777:
add secure-all-zones command to pdnssec
- Unrectified zones can now get rectified ‘on the fly’ during outgoing
AXFR. This makes it possible to run a hidden signing master without
rectification.
- commit 82fb538:
AXFR in: don’t accept zones with a mixture of Opt-Out NSEC3 RRs and
non-Opt-Out NSEC3 RRs
- Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
- commit 0c4c552:
set non-zero exit status in pdnssec if an exception was thrown, for
easier automatic usage.
- commit b8bd119:
pdnssec -v show-zone: Print all keys instead of just entry point
keys.
- commit 52e0d78:
answer direct NSEC queries without DO bit
- commit ca2eb01:
output ZSK DNSKEY records if experimental-direct-dnskey support is
enabled
- commit 83609e2:
SOA-EDIT: fix INCEPTION-INCREMENT handling
- commit ac4a2f1:
AXFR-out can handle secure and insecure NSEC3 optout delegations
- commit ff47302:
AXFR-in can handle secure and insecure NSEC3 optout delegations
New features
- DNAME support. Enable with experimental-dname-processing.
- PowerDNS can now send stats directly to Carbon servers. Enable with
carbon-server, tweak with carbon-ourname and carbon-interval.
- commit 767da1a:
Add list-zone capability to pdns_control
- commit 51f6bca:
Add delete-zone to pdnssec.
- The gsql backends now support record comments, and disabling records.
- The new reuseport config option allows setting SO_REUSEPORT, which
allows for some performance improvements.
- local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns
to start up even if some addresses fail to bind.
- ‘AXFR-SOURCE’ in domainmetadata sets the source address for an AXFR
retrieval.
- commit 451ba51:
Implement pdnssec get-meta/set-meta
- Experimental RFC2136/DNS UPDATE support from Ruben d’Arco, with
extensive testing by Kees Monshouwer.
- pdns_control bind-add-zone
- New option bind-ignore-broken-records ignores out-of-zone records
while loading zone files.
- pdnssec now has commands for TSIG key management.
- We now support other algorithms than MD5 for TSIG.
- commit ba7244a:
implement pdns_control qtypes
- Support for += syntax for options
Bugfixes
- We verify the algorithm used for TSIG queries, and use the right
algorithm in signing if there is possible confusion. Plus a few minor
TSIG-related fixes.
- commit ff99a74:
making *-threads settings empty now yields a default of one instead
of zero.
- commit 9215e60:
we had a deadly embrace in getUpdatedMasters in bindbackend
reimplementation, thanks to Winfried for detailed debugging!
- commit 9245fd9:
don’t addSuckRequest after supermaster zone creation to avoid one
cause of simultaneous AXFR for the same zone
- commit 719f902:
fix dual-stack superslave when multiple nameservers share an ip
- commit 33966bf:
avoid address truncation in doNotifications
- commit eac85b1:
prevent duplicate slave notifications caused by different ipv6
address formatting
- commit 3c8a711:
make notification queue ipv6 compatible
- commit 0c13e45:
make isMaster ip check more tolerant for different ipv6 notations
- Various fixes for possible issues reported by Coverity Scan (commit
f17c93b, )
- commit 9083987:
don’t rely on included polarssl header files when using system
polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
- Various users reported pdns_control hangs, especially when using the
guardian. We are confident that all causes of these hangs are now
gone.
- Decreasing the webserver ringbuffer size could cause crashes.
- commit 4c89cce:
nproxy: Add missing chdir(“/”) after chroot()
- commit 016a0ab:
actually notice timeout during AXFR retrieve, thanks hkraal
REST API changes
- The REST API was much improved and is nearing stability, thanks to
Chris Hofstaedtler and others.
- Mark Schouten at Tuxis contributed a zone importer.
Other changes
- Our tarballs and packages now include *.sql schema files for the SQL
backends.
- The webserver (including API) now has an ACL (webserver-allow-from).
- Webserver (including API) is now powered by YaHTTP.
- Various autotools usage improvements from Ruben Kerkhof.
- The dist tarball is now bzip2-compressed instead of gzip.
- Various remotebackend updates, including replacing curl with
(included) yahttp.
- Dynamic module loading is now allowed on Mac OS X.
- The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead
of the whole world.
- commit ba91c2f:
remove unused gpgsql-socket option and document postgres socket usage
- Improved support for Lua 5.2.
- The edns-subnet option code is now fixed at 8, and the
edns-subnet-option-numbers option has been removed.
- geobackend now has very limited edns-subnet support - it will use the
‘real’ remote if available.
- pipebackend ABI v4 adds the zone name to the AXFR command.
- We now avoid
getaddrinfo()
as much as possible.
- The packet cache now handles (forwarded) recursive answers better,
including TTL aging and respecting allow-recursion.
- commit ff5ba4f:
pdns_server ^^help no longer exits with 1.
- Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer
added experimental DNSSEC support to it. Thanks, both!
- commit 81859ba:
No longer attempt to answer questions coming in from port 0, reply
would not reach them anyhow. Thanks to Niels Bakker and sid3windr for
insight & debugging. Closes ticket
844.
- RCodes are now reported in text in various places, thanks Aki.
- Kees Monshouwer set up automatic testing for the oracle and goracle
backends, and fixed various issues in them.
- Leftovers of previous support for Windows have been removed, thanks
to Kees Monshouwer, Aki Tuomi.
- Bundled PolarSSL has been upgraded to 1.3.2
- PolarSSL replaced previously bundled implementations of AES (commit
e22d9b4) and SHA
(commit
9101035)
- bindbackend is now a module
- commit 14a2e52:
Use the inet data type for supermasters.ip on postgresql.
- We now send an empty SERVFAIL when a CNAME chain is too long, instead
of including the partial chain.
- commit 3613a51:
Show built-in features in ^^version output
- commit 4bd7d35:
make domainmetadata queries case-insensitive
- commit 088c334:
output warning message when no to be notified NS’s are found
- commit 5631b44:
gpsqlbackend: use empty defaults for dbname and user; libpq will use
the current user name for both by default
- commit d87ded3:
implement udp-truncation-threshold to override the previous 1680 byte
maximum response datagram size - no matter what EDNS0 said. Plus
document it.
- Implement udp-truncation-threshold to override the previous 1680 byte
maximum response datagram size - no matter what EDNS0 said.
- Removed settings related to fancy records, as we haven’t supported
those since version 3.0
- Based on earlier work by Mark Zealey, Kees Monshouwer increased our
packet cache performance between 200% and 500% depending on the
situation, by simplifying some code in commit
801812e and
commit 8403ade.
PowerDNS Authoritative Server version 3.3.1
Released December 17th, 2013
This is a bugfix update to 3.3.
Changes since 3.3
- direct-dnskey is no longer experimental, thanks Kees Monshouwer & co
for extensive testing (commit
e4b36a4).
- Handle signals during poll (commit
5dde2c6).
- commit 7538e56:
Fix zone2{sql,json} exit codes
- commit 7593c40:
geobackend: fix possible nullptr deref
- commit 3506cc6:
gpsqlbackend: don’t append empty dbname=/user= values to connect
string
- gpgsql queries were simplified through the use of casting (commit
9a6e39c).
- commit a7aa9be:
Replace hardcoded make with variable
- commit e4fe901:
make sure to run
PKG_PROG_PKG_CONFIG
before the first PKG_*
usage
- commit 29bf169:
fix hmac-md5 TSIG key lookup
- commit c4e348b:
fix 64+ character TSIG keys
- commit 00a7b25:
Fix comparison between signed and unsigned by using uint32_t for
inception on INCEPTION-EPOCH
- commit d3f6432:
fix building on os x 10.9, thanks Martijn Bakker.
- We now allow building against Lua 5.2 (commit
bef3000, commit
2bdd03b, commit
88d9e99).
- commit fa1f845:
autodetect MySQL 5.5+ connection charset
- When misconfigured using ‘right’ timezones, a bug in (g)libc gmtime
breaks our signatures. Fixed in commit
e4faf74 by Kees
Monshouwer by implementing our own gmtime_r.
- When sending SERVFAIL due to a CNAME loop, don’t uselessly include
the CNAMEs (commit
dfd1b82).
- Build fixes for platforms with ‘weird’ types (like s390/s390x):
commit c669f7c
(details),
commit 07b904e
and commit
2400764.
- Support for += syntax for options, commit
98dd325 and
others.
- commit f8f29f4:
nproxy: Add missing chdir(“/”) after chroot()
- commit 2e6e9ad:
fix for “missing” libmysqlclient on RHEL/CentOS based systems
- pdnssec check-zone improvements in commit
5205892, commit
edb255f, commit
0dde9d0, commit
07ee700, commit
79a3091, commit
08f3452, commit
bcf9daf, commit
c9a3dd7, commit
6ebfd08, commit
fd53bd0, commit
7eaa83a, commit
e319467, ,
- NSEC/NSEC3 fixes in commit
3191709, commit
f75293f, commit
cd30e94, commit
74baf86, commit
1fa8b2b
- The webserver could crash when the ring buffers were resized, fixed
in commit
3dfb45f.
- commit 213ec4a:
add constraints for name to pg schema
- commit f104427:
make domainmetadata queries case-insensitive
- commit 78fc378:
no label compression for name in TSIG records
- commit 15d6ffb:
pdnssec now outputs ZSK DNSKEY records if experimental-direct-dnskey
support is enabled (renamed to direct-dnskey before release!)
- commit ad67d0e:
drop cryptopp from static build as libcryptopp.a is broken on Debian
7, which is what we build on
- commit 7632dd8:
support polarssl 1.3 externally.
- Remotebackend was fully updated in various commits.
- commit 82def39:
SOA-EDIT: fix INCEPTION-INCREMENT handling
- commit a3a546c:
add innodb-read-committed option to gmysql settings.
- commit 9c56e16:
actually notice timeout during AXFR retrieve, thanks hkraal
PowerDNS Authoritative Server version 3.3
Released on July 5th 2013
This a stability, bugfix and conformity update to 3.2. It improves
interoperability with various validators, either through bugfixes or by
catering to their needs beyond the specifications.
Warning: Version 3.3 of the PowerDNS Authoritative Server is a major
upgrade if you are coming from 2.9.x. There are also some important
changes if you are coming from 3.0, 3.1 or 3.2. Please refer to the
Upgrade documentation for important
information on correct and stable operation, as well as notes on
performance and memory use.
Changes between RC2 and final
- pdnssec rectify-zone now refuses to operate on presigned zones, as
rectification already happens during incoming transfer. Patch by Kees
Monshouwer in commit
9bd211e.
- We now handle zones with a mix of NSEC3 opt-out and non-opt-out
ranges correctly during inbound and outbound AXFR. Many thanks to
Kees Monshouwer. Code in commit
5aa7003 and
commit d3e7b17.
- More remotebackend fixes (commit
32d4f44, commit
44c2ee8, commit
1fcc7b7, commit
0b1a3b2, commit
9a319b1), thanks
Aki Tuomi.
- Some compiler warnings were squashed (commit
ed554db), thanks
Morten Stevens.
- Fix broken memory access in LOC parser (commit
4eec51b, commit
bea513c), thanks
Aki Tuomi.
- DNSSEC: DS queries at the apex of a zone for which we are not hosting
the parent, would wrongly get an ‘unauth NOERROR’. Fixed by Kees
Monshouwer in commit
34479a6.
Changes between RC1 and RC2
- Added dnstcpbench tool, by popular demand.
- We always shipped a static tools RPM; we now have a similar Debian
package. All packages have been cleaned up a bit, and the binary
collections are now consistent between RPM and Deb. New: pass
^^enable-tools to configure to have the tools included in ‘make all’
and ‘make install’.
- commit 4d2e3f5:
add selinux policy files
- We would sometimes send a single NULL byte, or nothing at all,
instead of an OPT record. Fixed in commit
bf7f822, commit
063076b, commit
90d361d.
- commit 2ee9ba2:
expand any-to-tcp to direct RRSIG queries
- commit 5fff084,
commit e38ef51:
drop no-op flag strict-rfc-axfrs, thanks Jelte Jansen.
- commit f3d8902,
commit 7c0b859,
commit 5eea730:
Implement MINFO qtype for better interaction when slaving zones from
NSD (that contain MINFO). Thanks to Jelte Jansen.
- commit 8655a42,
commit bf79c6a,
commit 38c941b:
SRV record can have a ‘.’ as final field, from which we would
dutifully strip the trailing ., leaving void, confusing everything.
We now remove the trailing . in the right place, and not if we are
trying to server ‘.’. Again thanks to Jelte & SIDN for catching this.
- commit 70d5a66:
improve error message in ill formed unknown record type, thanks Jelte
Jansen for reporting.
- commit 3640473:
Built in webserver can now listen on IPv6, fixes ticket
843. Also silences
some useless messages about timeouts.
- commit 7db735c,
commit d72166c:
CHANGES BEHAVIOUR: before we launch, check if we can connect to the
controlsocket we are about to obliterate. If it works, abort. Fixes
ticket 841 and
changes standing behaviour. There might be circumstances where
PowerDNS now refuses to start, where it previously would. However,
starting and making our previous instance mute wasn’t good.
- commit 9130f9e:
correctly refuse out-of-zone data in bindbackend, closes ticket
845
- commit 3363ef7:
initialise server-id after all parsing is done, instead of half way
through. Fixes situations where server-id was emptied explicitly.
Reported by Wouter de Jong
- commit cd4f253:
bump boost requirement, thanks Wouter de Jong
- commit 58cad74:
Update pdns auth init script so it works on wheezy
- commit 8714c9c:
clang fixes by Aki Tuomi, thanks!
- commit 146601d:
stretch supermasters.ip for IPv6, thanks Dennis Krul
- commit 1a5c5f9:
various remotebackend improvements by Aki Tuomi
- commit 6ab1a11:
make sure systemd starts PowerDNS after relevant databases have been
started, thanks Morten Stevens.
- commit 606018f,
commit ee5e175,
commit c76f6f4:
check scopeMask of answer packet, not of query packet!
- commit 2b18bcf:
Added warning if trailing dot is used, thanks Aki Tuomi.
- commit 16cf913:
make superfluous ‘bind’ NSEC3 record optional
New features and important changes since 3.2 (these changes are in RC1 and up)
- commit 04576ee,
commit b0e15c8:
Implement pdnssec increase-serial, thanks Ruben d’Arco.
- commit cee857b:
PowerDNS now sets additional groups while dropping privileges.
- commit 7796a3b:
Merge support for include-dir directive, thanks Aki Tuomi!
- commit d725755:
make pdns-static Conflict with pdns-server, closes ticket
640
- commit c0d5504:
pdnssec now emits ‘INSERT INTO domain ..’ queries when running
without named.conf, thanks Ruben d’Arco.
- commit a1d6b0c:
Older versions of the BIND 9 validating recursor need a superfluous
NSEC3 record on positive wildcard responses. We now send this extra
NSEC3. Closes ticket
814.
- commit 07bf35d:
catch a lot more errors in pdnssec and report them. Fixes ticket
588.
- commit 032e390:
make pdnssec exit with 1 on some error conditions, closes ticket
677
- commit 4af49b8,
commit 4cec6ac:
add ability to create an ‘active’ or inactive key using add-zone-key
and import-zone-key, plus silenced some debugging. Fixes ticket
707.
- commit fae4167:
Compiling against Lua 5.2 (^^with-lua=lua5.2) now disables some code
used for regression testing, instead of breaking during compile. This
means that Lua 5.2 can be used in production.
- commit abc8f3f,
357f6a7:
Implement the new any-to-tcp option that, when set, always replies
with a truncated response (TC=1) to ANY queries, forcing them to use
TCP.
- commit 496073b:
Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK
and two ZSK, with one ZSK active. For most, if not almost all, users,
this inactive ZSK is never used. We now no longer generate this
useless ZSK. The resulting smaller DNSKEY RRset improves
interoperability with certain validators. Closes ticket
824.
- commit df55450:
Non-DNSSEC ANY queries no longer get sent DNSSEC records. This
improves interoperability with some old resolvers. Patch by Kees
Monshouwer.
- commit 04b4bf6:
Merge support for not using opt-out with NSEC3. Many thanks to Kees
Monshouwer.
- commit 8db49a6:
We now try not to NOTIFY ourselves. In convoluted cases involving
REUSE_PORT and binding to 0.0.0.0 and ::, it might be possible that
we guess wrong, in which case you can set prevent-self-notification
to off.
Important bug fixes
- commit 63e365d:
don’t mess up encoding when copying qname from question to answer in
packetcache. Based on reports&debugging by Jimmy Bergman (sigint),
Daniel Norman (Loopia) and the fine people at ISC. This avoids most
issues related to BIND 9 erroneously blacklisting PowerDNS for lack
of EDNS support.
- commit 3526186:
fix backslash handling in TXT parser, includes test. Thanks Jan-Piet
Mens.
- commit 830281f,
aef7330: Accept
chars >127 (‘high ASCII’) in TXT records, closing ticket
541 and
723.
- commit feef1ec:
fix missing NSEC3 for secure delegation, thanks Kees Monshouwer,
closes ticket 682
- commit b61e407:
around Thursday midnight, during signature rollovers, we would update
the SOA serial too early. Fixed by reverting commit
d90efbf, adding
7 days margin to inception. Fix by Kees Monshouwer.
- commit ff64750:
make sure mixed-case queries get a correct apex NSEC3 type bitmap
- commit 4b153d8:
always lowercase next name in NSEC to avoid interop troubles with
validators, thanks Marco Davids&Matthijs Mekking.
Other changes
- commit 49977c6:
fix bug in boost.m4 where it insists on setting -L, causing useless
RPATH in our binaries. Closes ticket
728
- commit 62ac758:
use PolarSSL for MD5 hashing instead of shipping our own copy of md5
hashing code, thanks Aki Tuomi.
- commit 775acd9:
give a better error on trying to add nsec3 parameters to a weird zone
like “1 0 1 ab” (which indicates that you forgot to specify a zone
name on the command line). Fixes ticket
800.
- commit 315dd2e:
Simplify socket listening code, and make sure we always set the
nonblocking flag correctly. Patch by Mark Zealey, closes ticket
664.
- commit b35da1b:
if_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser.
- commit 71301b6:
Replicate gsql backend feature of having separate -auth queries for
DNSSEC into oraclebackend. Also lets you disable dnssec if you are
not ready for it. Closes ticket
527, patch by Aki
Tuomi.
- commit 2125dac:
drop unused ignore-rd-bit flag
- commit 8c1a6d6:
NSECx optimizations, thanks Kees Monshouwer.
- commit 664716a:
drop unused variables in lua backend ( ticket
653)
- commit d8ec70f:
fix db2 backend includes ( ticket
653)
- commit 6477102:
add goracle schema, thanks Aki Tuomi.
- commit 9118638:
make goraclebackend “at least work”, closes ticket
729, thanks Aki
Tuomi.
- commit e0ad7bb:
add DS digest type 4 to show-zone output; add algorithm names. Based
on a patch by Aki Tuomi, closes ticket
744
- commit 61a7fac:
enable AM_SILENT_RULES, closing ticket
647
- commit 837f4b4:
do a better job at escaping TXT, fixes ticket
795
- commit 6ca3fa7:
add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler
- commit 6159c49:
Add connection info to sql-connect message
- commit 9f62e34,
commit 0fc965f,
commit 2035112:
Added EUI48 and EUI64 record types
- commit f9cf6d9:
cut the number of database queries in half for AXFR-in, thanks Kees
Monshouwer.
- commit c87f987:
add default for SOA contact e-mail
- commit bb4a573:
move random backend to modules, thanks Kees Monshouwer.
- commit 1071abd:
restyle builtin webserver page, thanks Chris Hofstaedtler.
- commit cd5e158:
correct bogus use of poll(2) related constants, improving non-Linux
portability. Thanks Wouter de Jong.
- commit 27ff60a:
make sure our NSEC(3)s for names with spaces in them are correct.
Reported by Jimmy Bergman. Includes test.
- commit 116e28a:
reduce log level of successful gpgsql/gsqlite3 connection to Info
- commit b23b90a:
Metadata update is now in the same transaction as the AXFR. This
improves slaving speed tremendously, especially for SQLite users.
Patch by Kees Monshouwer.
- commit 4620e8a:
Added zone2json, thanks Aki Tuomi.
- commit f0fa8b6:
Fix remotebackend setdomainmetadata return value handling. Fix by Aki
Tuomi, closes ticket
740.
- commit 80e82d6:
log control listener abort even more explicitly.
- commit 7c0cb15,
a718d74:
support automake 1.12
- commit 3fe22eb,
6707cb1: update
autoconf/automake preamble to non-deprecated variant, thanks Morten
Stevens
- commit 6c4e531:
disarm dead code that causes gcc crashes on ARM, thanks Morten
Stevens.
- commit 36855b5:
if we failed to make a new UDP socket, we’d report a confusing error
about it.
- commit 1b8e5e6:
autoconf support for oracle, thanks Aki Tuomi. Closes ticket
726.
- commit 8ac0c06:
allow setting of some oracle env vars. Patch by Aki Tuomi, closes
ticket 725.
- commit 45e845b:
add example.rb sample script for remotebackend, thanks Aki Tuomi.
- commit 950bddd:
add pdnssec generate-zone-key command, thanks Aki. Closes ticket
711.
- commit 2c03cde:
Replace select with waitForData in remotebackend. Patch by Aki Tuomi,
closes ticket 715.
- commit 450292c:
accept ANY responses during recursive forwarding, thanks Jan-Piet
Mens.
- commit d9dd76b:
actually clean up unix domain sockets too after use.
- commit 36758d2:
merge ticket 476 by
Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration
parameters for pdnssec.
- commit 2f2b014:
apply variant of code in ticket
714 so we can launch
pipe backend scripts with parameters, plus add experimental code that
if pipe-command is a unix domain socket, we use that.
- commit 9566683:
merge patch from ticket 712 addressing memory leak in remotebackend,
thanks Aki.
- commit fb6ed6f:
explicitly set domain id during bindbackend superslave domain create,
thanks Kees Monshouwer&Aki Tuomi.
- commit 69bae20:
use private temp dir when running under systemd, thanks Morten
Stevens&Ruben Kerkhof.
- commit b26a48a:
fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes
ticket 697.
- commit da8e6ae:
also answer questions with : in them.
- commit ef1c4bf:
also spot trailing dots on CNAME content, thanks Jan-Piet Mens and
Ruben d’Arco.
- commit fb31631:
only setCloseOnExec on valid sockets
PowerDNS Authoritative Server 3.2
Released January 17th, 2013
This is a stability and conformity update to 3.1. It mostly makes our
DNSSEC implementation more robust, and improves interoperability with
various validators. 3.2 has received very extensive testing on a lot of
edge cases, verifying output both against common validators and compared
against other authoritative servers.
Warning: Version 3.2 of the PowerDNS Authoritative Server is a major
upgrade if you are coming from 2.9.x. There are also some important
changes if you are coming from 3.0 or 3.1. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Changes between 3.2-RC4 and the final 3.2 release
- Aki Tuomi contributed a bunch of fixes to our crypto drivers. Code in
commit
3036 and
commit
3055/commit
3057.
- The ksk|zsk argument for pdnssec import-zone-key was required while
it should be optional. Fixed in commit
3051.
Changes between 3.2-RC3 and 3.2-RC4
- The experimental undocumented bindbackend superslave mode would break
the first added domain until a restart. Fixed by Kees Monshouwer in
commit
3013.
- Sander Hoentjen reported an issue with our choice of ports for
outgoing TCP connections. Investigating it turned up that we were
randomizing TCP connections on purpose while leaving UDP port choice
to the kernel, which should be the other way around. Fixed in commit
3014,
closing ticket 643
and ticket 644.
- Aki Tuomi contributed some autoconf code to use mysql_config if it
is available. Code in commit
3015 and
commit
3019,
closing ticket 458.
- The MongoDB backend was removed at the author’s request, as it does
not work with any current libmongo versions. Change in commit
3017.
- Mark Zealey discovered we were retrieving the ascii powerdns version
string for each packet, not just for version string queries. Fixed in
commit
3018,
closing ticket 651.
- Our new json code would not compile on solaris 9 and 10 due to lack
of strcasestr. Juraj Lutter contributed a portable version in commit
3020.
- Mark Zealey noted that RRs with low TTLs could lower our
query-cache-ttl persistently. Fixed in commit
3023,
closing ticket 662.
- pdnssec now honours module-dir, patch by Fredrik Danerklint in
commit
3026.
Changes between 3.2-RC2 and 3.2-RC3
- Michael Scheffler noticed that the lazy-recursion setting had no
effect at all. Setting removed in commit
3003.
- Mark Zealey found that an earlier performance improvement could cause
crashes under high load, with lots of IPs configured in local-address
and receiver-threads greater than 1. Fixed in commit
3005.
Changes between 3.2-RC1 and 3.2-RC2
- The udp-queries metric would only count on the first thread launched,
instead of on all threads. Additionally, it was initialised at MAXINT
at startup, instead of at 0. Both issues fixed by Kees Monshouwer in
commit
2999,
closing ticket 491
and ticket 582.
- Aki Tuomi contributed zone2json, a great way for programmers to
benefit from our zone file parser. Code in commit
2997,
closes ticket 509.
- Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes
the reader is! Reported by Jan-Piet Mens in ticket
541, commit
2993 fixes
our writer but not yet our parser.
- Ruben d’Arco did some improvements to the MyDNS backend, and provided
a full test suite for it, that we now run after every commit. Code in
commit
2988.
- Some exceptions from backends would lose their meaning while bubbling
up. Fixed by Aki Tuomi in commit
2985,
closing ticket 639.
- The packet-cache honours max reply length while matching cached
packets against queries, but not EDNS status. This would mean that
EDNS-enabled replies with a 512 reply len could be returned on
non-EDNS queries. Spotted while investigating a report from Winfried
Angele, patched by Ruben d’Arco in commit
2982,
closing ticket 630.
- Errors involving creating, deletion or changing permissions on the
control socket were unclear. Ruben d’Arco improved this in commit
2981.
- pipe-timeout was always documented to be in milliseconds, but it
turns out it was in seconds! commit
2971
changes them to actually be in ms, and ‘increases’ the default from
1000 seconds to 2000 milliseconds.
- Some exceptions would get dropped during inbound AXFR, yielding a log
file that says ‘transaction started’ and nothing after that, making
AXFR fail silently. commit
2976 and
commit
2977
improve this somewhat.
- We now error out on empty labels inside of names (www..example.com)
instead of generating bogus reply packets. Code in commit
2972,
reported by several users.
- Doing chmod before chown, instead of the other way around, apparently
avoids requiring a whole SELinux capability. Reported by Sander
Hoentjen, fixed in commit
2965.
- Chris Hofstaedtler fixed a bug in our Debian init.d script. Code
in commit
2963.
- Superslave errors (‘Unable to find backend willing to host ..’) now
include the NSset found at the master, to aid debugging. Code in
commit
2887.
- commit
2874 in
RC1 broke compilation without SQLite3 and made query logging
unreliable. Fixed in commit
2888,
commit
2889.
- The dnsreplay tool now processes single packet pcaps. Fix in commit
2895.
- PowerDNS always derives NSEC/NSEC3 from the actual zone content. To
accommodate this, zone2sql now drops NSEC/NSEC3 records, as those
should never be in a PowerDNS backend directly (commit
2915),
bindbackend ignores NSEC/NSEC3 while reading zonefiles (commit
2917) and
pdnssec reports NSEC/NSEC3 in the database as an error condition
(commit
2918).
- The bindbackend now ignores NSEC/NSEC3 records while reading
zonefiles. Change in commit
2917.
- An EXPERIMENTAL feature (‘direct-dnskey’) for reading ZSKs from the
records table/your BIND zonefile was added in commit
2920,
commit
2921,
commit
2922.
- While fully optional, PowerDNS supports direct RRSIG queries. Kees
Monshouwer improved on our behaviour for those queries in commit
2927.
- IPv6 glue situations require AAAA records for the receiving end of a
delegation in the ADDITIONAL section of a referral. This was
supported (‘do-ipv6-additional-processing’) but not enabled by
default. commit
2929
enables it by default.
- pdnssec check-zone now warns for CNAME-and-other data at names in
your zones. Code by Ruben d’Arco in commit
2930.
- Positive ANY-responses would include a spurious NSEC3. Corrected in
commit
2932 and
commit
2933,
cleaned up by Kees Monshouwer in commit
2935.
- The ldapbackend now allows overriding the base dn for AXFR subtree
search. Fixed in commit
2934,
closing ticket 536.
Changes below are in 3.2-RC1 and up.
DNSSEC changes in 3.2
- Kees Monshouwer did a tremendous amount of work to improve and
perfect our DNSSEC implementation, mostly in the NSEC3 area. Code in
commit
2687,
commit
2689,
commit
2691,
fixing ticket 486,
ticket 537, ticket
540. He also
implemented support for Empty Non-Terminals, code in commit
2721,
commit
2732,
commit
2745,
fixing ticket 127
and ticket 558.
- Presigned wildcard operation was improved with the help of many
parties (see commit message for commit
2676).
Presigned operation was also changed to be more consistent with
master/live-signing operation. Code and a full test suite in commit
2709,
which also improves TTL behaviour for various situations. Fixes
ticket 460, ticket
533, ticket
559.
- Depending on database & locale settings, names starting with
underscore would sometimes cause broken records. commit
2710
contains schema and code changes for the gpgsql and gmysql backends
to sort this (no pun intended) definitively, closing ticket
550. In addition, a
pdnssec test-schema command was added (experimental and incomplete).
It can be used to verify underscore sorting and a few other
parameters of the database. Code in commit
2714.
- We now always include an EDNS section in responses to queries that
also had an EDNS section. This was thought to improve BIND
interoperability, but this turned out to be false. In any case, this
change improves standards compliance. Spotted by Mats Dufberg, code
in commit
2649.
- It turns out we were storing Botan keys the wrong way. Botan did not
care but Polar did, causing interoperability problems. Fixed in
commit
2720, with
the kind help of Paul Bakker of PolarSSL. Fixes ticket
492 as reported by
Florian Obser via Debian.
- pdnssec add-zone-key now defaults to RSASHA256, like secure-zone
already did. Code in commit
2692.
- pdns_control purge now also purges DNSSEC-related caches (keys and
metadata). Code in commit
2694, by
Ruben d’Arco. Fixes ticket
530.
- The signer thread would die in specific situations, leaving you with
a non-working but very busy system. Fixed in commit
2668,
commit
2670,
closing ticket 517.
- pdnssec secure-zone now warns when you just signed a slave zone.
Suggested by Mark Scholten, code in commit
2795,
closes ticket 592.
- pdnssec check-zone now warns about out-of-zone data. Patch by Kees
Monshouwer in commit
2826,
closing ticket 604.
- pdnssec now honours ^^no-config. Patch by Kees Monshouwer in commit
2810.
- Various fixes for bindbackend presigned operation, mostly by Kees
Monshouwer. Code in commit
2815,
closing ticket 600.
- Bindbackend could get confused about domain metadata, sometimes even
causing hangs. Fixes by Kees Monshouwer in commit
2819 and
commit
2834,
closing ticket 600
and ticket 603.
- SQL queries in gsql backends that reference the domain_id column
have been made explicit about from what table they want this column.
This makes it easier to operate custom schemas without changing the
queries. Fix by Nicky Gerritsen in commit
2821.
- In various situations involving CNAMEs and wildcards, and for ANY
queries involving CNAMEs, we would sometimes return bogus results.
Fixed in commit
2825 by
Kees Monshouwer.
- rectify-zone accidentally set auth=1 on NS records of secure
delegations. Reported by George Notaras, fixed by Kees Monshouwer in
commit
2831,
closing ticket 605.
- The DNSSEC signature cache now actually gets cleaned up, avoiding
lasting spikes in memory usage every thursday. Code in commit
2836 and
commit
2843,
closing ticket 594.
- Signatures used to roll at midnight on thursday. We now roll them one
hour after midnight, with inception still set to midnight, to allow
for some variations in clock quality on resolvers. Code in commit
2857.
- Duplicate records (same name/type/content/priority) would sometimes
get broken RRSIGs during outgoing AXFR. Fixed in commit
2856.
- A root zone (name=””) with DNSSEC would cause crashes in some
situations. Reported by Luuk Hendriks. Fixed in commit
2867,
commit
2868,
closing ticket 614.
- Direct RRSIG queries for zones with auto-completed SOA records would
cause trouble. Reported by Kees Monshouwer and fixed by him in
commit
2869.
- When a name is matched only by a wildcard, but the type in the query
is not present, we would be lacking one NSEC(3) record to prove the
existence of the wildcard. Fixed by Kees Monshouwer in commit
2872 and
commit
2873.
- Luuk Hendriks spotted that our PolarSSL RSA key generation code was
using inferior entropy. This can be important on virtual machines
with badly implemented clocks. Fixed in commit
2876,
closing ticket 615.
Non-DNSSEC improvements/changes
- Bindbackend would sometimes crash on startup, due to a
sync_with_stdio call. This call has been moved to pdns_server
proper to occur before any threads are spawned, avoiding race
conditions in this call. Note that this crash has only been observed
twice in thousands of regression test runs and has never been
reported in the real world. Change in commit
2882.
- Leen Besselink submitted query logging support for the SQLite3 parts
in the bindbackend. Code in commit
2874.
- Multi-backend operation would sometimes cause garbage domain IDs to
be passed to backends. Reported by Kees Monshouwer and fixed by him
in commit
2871.
- Bindbackend would sometimes crash during reloads/rediscovers. The
changes in commit
2837 get
rid of the crash, at the cost of returning SERVFAIL during reloads.
Closes ticket 564.
- Our label decompression code was naive, causing troubles for slaving
of very specifically formatted zones. Fix in ticket
2822, closes
ticket 599.
- Bindbackend slaves would choke on unknown RR types and do silly
things with RP and SRV records. Fixed in commit
2811 and
commit
2812.
- The luabackend can now compile against Lua 5.2. Patch by Fredrik
Danerklint in commit
2794,
additional luabackend compile fixes in commit
2854.
- A new backend, the ‘Remote backend’ Remote
Backend was submitted by Aki
Tuomi. It aims to replace the pipebackend with a better protocol and
support for more connection methods, including HTTP. Code in commit
2755,
commit
2756,
commit
2757,
commit
2758,
commit
2759,
commit
2824,
closing ticket 529,
ticket 597.
- The gsqlite (SQLite 2) backend was removed. We were not aware of any
users and it was not actually working anyway. Changes in commits
2773-2777,
closing ticket 565.
- Various tinydnsbackend improvements: ignore-bogus-records option; TAI
offset updated; strip dots on names where suitable; various internal
improvements. Code in commit
2762.
- gpgsql no longer logs the database password in connection errors.
Code in commit
2609,
commit
2612,
closing ticket 459.
- You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
without getting replies from the wrong address. This much-requested
feature is implemented in commit
2763,
commit
2766,
commit
2779 and
commit
2781.
Tested on Linux, FreeBSD and Mac OS X.
- 3.2 can be reliably built with or without Lua. This and many other
configure/compile-related fixes in commit
2610,
commit
2611 /
ticket 461, commit
2666,
commit
2671,
commit
2672 /
ticket 522, commit
2673 /
ticket 522, commit
2696 /
ticket 555, commit
2697 /
ticket 457, commit
2698,
commit
2708,
commit
2742 /
ticket 462),
commit
2752 /
ticket 437, commit
2764,
commit
2809,
commit
2844,
commit
2845,
commit
2846,
commit
2881.
- Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code
in commit
2616.
- Initscripts now have exit codes, submitted by Sander Hoentjen. Code
in commit
2728.
Guardian now returns 0 instead of 1 when receiving SIGTERM, requested
by Morten Stevens of Fedora. Code in commit
2717.
- Mark Zealey submitted various performance improvement patches and
suggestions. Accepted as commit
2729 /
ticket 579, commit
2730 /
ticket 584),
commit
2731 /
ticket 583),
commit
2768 /
ticket 578). Please
see commit messages for more details.
- pdnssec check-all-zones now reuses database connections, avoiding a
socket exhaustion issue in some situations. Code in commit
2749,
closes ticket 519.
- Ruben d’Arco submitted various improvements regarding trailing dots.
Additional lookups now try harder, pdnssec errors about trailing dots
in names, pdnssec warns about trailing dots in names inside content
fields, AXFR now strips the dot from SRV hostnames. Code in commit
2748,
fixes ticket 289.
- Pre-3.0, backends would get cycled if they threw the right error. 3.2
reinstates this behaviour, as it is more robust. Change in commit
2734
(reverting commit
2100),
fixes ticket 386.
- PowerDNS auth does not use the select() kernel/library call anymore.
This means fd-numbers over 1023 (and, in general, more than 1024
sockets, including more than 1024 listening sockets) should now work
reliably. Code in commit
2739,
commit
2740,
fixes ticket 408.
- gmysql users can now specify the ‘group’ we connect as, using the
gmysql-group setting. Submitted by Kees Monshouwer, code in commit
2770,
commit
2771,
commit
2778,
commit
2780,
closing ticket 463.
- The Linux-only traceback handler is now optional (use
traceback-handler=off to disable it). Suggested by Marc Haber. Change
in commit
2798,
closes ticket 497.
- We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
behaviour between different operating systems. Change in commit
2799.
- MySQL connections are now logged at a higher loglevel, reducing log
clutter. Change in commit
2800.
- We now ship a systemd unit file in contrib/. Added in commit
2847 and
commit
2848,
submitted by Morten Stevens.
Assorted bugfixes
- If a slave domain is removed while a transfer for it is queued, we no
longer try the transfer. This also avoids a rare crash in similar
circumstances. Code in commit
2802,
closes ticket 596.
- When using pdnssec with gsql backends, sometimes an SSqlException
would pop up without any useful information. This no longer happens
and errors are now in general more meaningful. Fix in commit
2803.
- zone2sql now uses correct string syntax for PostgreSQL. This is
needed for importing with the changed default settings in PostgreSQL
9.2 and up. Code in commit
2797,
closes ticket 471.
- We no longer send v6 notifications if v6 is not available. Same for
IPv4. Code in commit
2772,
fixes ticket 515.
- We would sometimes serve stale data after an incoming AXFR. Reported
by Martin Draschl, fixed by Ruben d’Arco in commit
2699,
closing ticket 525.
- Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the
same domain name into a database twice. Fixed in commit
2703,
closing ticket 453.
- pdnssec show-zone now works on a zone that has any number of keys,
instead of requiring active keys. Reported by Jeroen Tushuizen of
myH2Oservers, code in commit
2769,
closes ticket 586.
- pdns-control notify-host now accepts v6 literals. Reported by
Christof Meerwald, fixed in commit
2704.
- The tinydnsbackend no longer chokes on questions longer than 64
bytes. Code in commit
2622.
- *-all-domains commands in pdnssec now work with Postgres (gpgsql)
too. Code in commit
2645,
closing ticket 472.
- We would sometimes leave the opcode of an outgoing packet
uninitialized. Fixed in commit
2680,
closing ticket 532.
- nproxy can now listen on a configurable port. Code in commit
2684,
fixes ticket 534.
- Improve mydnsbackend for SOA queries. Code in commit
2751,
fixes ticket 439,
by Ruben d’Arco.
- Various non-functional fixes that make Valgrind happy (note that
Valgrind was right to complain in all of these situations), in
commit
2715,
commit
2716,
commit
2718.
PowerDNS Authoritative Server 3.1
Released on the 4th of May 2012 RC3 released on the 30th of April 2012
RC2 released on the 14th of April 2012 RC1 released on the 23th of March
2012
Warning: Version 3.1 of the PowerDNS Authoritative Server is a major
upgrade if you are coming from 2.9.x. There are also some important
changes if you are coming from 3.0. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Version 3.1 of the PowerDNS Authoritative Server represents the ‘coming
of age’ of our DNSSEC implementation. In addition, 3.1 solves a lot of
‘.0’ issues typically associated with a major new release.
As usual, we are very grateful for the involvement of the PowerDNS
community. The uptake of 3.0 was rapid, and many users were very helpful
in shaking out the bugs, and willing to test the fixes we provided or,
in many cases, provided the fixes themselves.
Of specific note is the giant PowerDNS DNSSEC deployment in Sweden by
Atomia and Binero. PowerDNS 3.0 now powers over 150000 DNSSEC domains in
Sweden, around 95% of all DNSSEC domains, in a country were most
internet service providers actually validate all .SE domains.
Finally, this release has benefited a lot from Peter van Dijk joining
us, as he has merged a tremendous amount of patches, cleaned up years of
accumulated dust in the code, and massively improved our regression
testing into a full blown continuous integration setup with full DNSSEC
tests!
Additionally, we would like to thank Ruben d’Arco, Jose Arthur Benetasso
Villanova, Marc Haber, Jimmy Bergman, Aki Tuomi and everyone else who
helped us out!
Changes between RC3 and final
- pdnssec now honours the default-soa-name setting. Reported by Kees
Monshouwer, fixed in commit
2600.
Changes between RC2 and RC3
- The hidden test-algorithms command for pdnssec now has a little
brother ‘test-algorithm X’. Code in commit
2596, by
Aki Tuomi.
- PolarSSL upgraded to 1.1.2 due to weak RSA key generation (commit
2586). If
you created RSA keys with RC1 or RC2 using PolarSSL, please replace
them! This upgrade introduced a slowdown; speedup patch in commit
2593.
- It turns out we were using libmysqlclient in a thread-unsafe manner.
This issue was reported and painstakingly debugged by Marc Haber.
Presumably fixed in commit
2591.
- Updated a bunch of internal counters to be threadsafe. Code in
commit
2579.
- NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael
Braunoeder, patch by Aki Tuomi in commit
2590.
- pdnssec check-zone now reports MBOXFW and URL records (as those are
unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch
by Ruben d’Arco. Closes ticket
446.
- The odbcbackend was removed. It only runs on Windows and Windows is
unsupported since 3.0. Removal in commit
2576.
- We used to send the chunk length and the actual chunk in two separate
writes (often resulting in two separate TCP packets) during outbound
AXFR. This confused MSDNS. We now combine those writes. Code in
commit
2575.
- The bindbackend can now run without SQLite3, as previously intended.
Fix in commit
2574.
- Some high-concurrency master setups would crash under load. Fixed in
commit
2571.
Changes between RC1 and RC2
- We imported the TinyDNS backend by Ruben d’Arco. Code mostly in
commit
2559. See
TinyDNS Backend.
- Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose
Arthur Benetasso Villanova and others, fix suggested by Sten Spans.
Patch in commit
2533.
- TSIG fixes: skip embedded spaces in keys (commit
2536),
compute signatures correctly (by Ruben d’Arco in commit
2547),
- nproxy, dnsscan and dnsdemog did not compile at all. Fixes in commit
2538,
commit
2554.
- We now allow unescaped tabs in TXT records. Fix in commit
2539.
- SOA records no longer disappear during incoming transfers. Fix by
Ruben d’Arco in commit
2540.
- PowerDNS compiles on OS X (and other platforms that support our auth
server but not the recursor) again, fix in commit
2566.
- Cleanups related to warnings from gcc and valgrind in commit
2561,
commit
2562,
commit
2565.
- Solaris compatibility fixes by Ruben d’Arco, Juraj Lutter and others
in commit
2548,
commit
2552,
commit
2553,
commit
2560.
Fixes for *BSD in commit
2546.
- pdns_control help would report ‘version’ twice, reported by Gerwin,
fix in commit
2549.
Bug fixes
- Winfried Angele discovered we would open an additional backend
connection per zone in the BIND backend. This only impacted users
with multiple simultaneous backends. Fix in commit
2253,
closing ticket 383.
- All versions of max-cache-entries setting had confusing behaviour
when set to 0. Now clarified to mean that 0 truly means 0, and not
‘infinite’. Change in commit
2328.
- Wildcards in the presence of delegations were broken. Reported by a
cast of thousands. Fix & regression test in commit
2368.
Closes ticket 389.
- Internal caches used an order of magnitude more memory than expected
and some were not purged properly, which hindered real life
deployments. Spotted by Winfried Angele and others. Fixed in commit
2287 and
commit
2328.
- Christof Meerwald discovered our .tar file missed a file of the Lua
backend. Change in commit
2257.
- Paul Xek found out that the edns-subnet support did not work for
subnets tinier than a /25 or /121. Fix in commit
2258.
- edns-subnet aware PIPE scripts received bogus remote information on
AXFR requests. Fixed in commit
2284.
- Fix compilation against older versions of MySQL that do not have
MYSQL_OPT_RECONNECT. commit
2264,
closing ticket 378.
- D. Stussy of Snarked.net discovered that PowerDNS could not parse a
DNS packet with a trailing blob of unknown length. Fixed in commit
2267.
- ‘pdnssec’ did not work for records with NULL ttls. Fixed in commit
2266,
closing ticket 432.
- Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed
in commit
2260.
- We truncated the altitude in LOC records! I hope no one got lost. Fix
in commit
2268.
- Xander Soldaat discovered that even if the web server was not
configured, we’d still listen on the port. Fix in commit
2269,
closes ticket 402.
- The PIPE backend issues frequent fork()s, leading to potential fd
leaks if these are not marked as ‘close on exec’. Solved in commit
2273,
closing ticket 194.
- Robert van der Meulen found that we messed up the interaction between
wildcards and CNAMEs. Fixed in commit
2276,
which also adds a regression test to prevent this issue from
recurring.
- Fred Wittekind discovered that our notification proxy ‘nproxy’ no
longer built from source. Fixed in commit
2278.
- Grant Keller found that we were inconsistent with spaces in labels,
thus breaking DNS-SD. Fix in commit
2305.
- Winfried Angele fixed our autoconf script for Lua detection in
commit
2308.
- BIND backend would leak an fd when including a configuration file
from named.conf. Spotted by Hannu Ylitalo of Nebula Oy in commit
2359.
- GSQLite3 backend could crash on a network error at the wrong moment,
leading to a restart by the guardian. Fix in commit
2336.
- ‘./configure ^^enable-verbose-logging’ was broken, fixed in commit
2312.
- PowerDNS would serve up old SOA data immediately after sending out a
notification. Complicated bug documented perfectly in ticket
427, which also came
with not one but with two different patches to fix the problem.
Thanks to Keith Buck. Code in commit
2408.
- Flag ‘^^start-id’ in zone2sql was not functional. Removed for now in
commit
2387,
closing ticket 332.
- Our distribution tarball did not have the SQL schemas. Fixed in
commit
2459 and
commit
2460.
- “Empty” MX records would confuse one of our parsers. Fixed in commit
2468,
closing Debian bug 533023.
- The pdns.conf ‘wildcards’-setting did not do anything in 3.0, so it
was removed. Change in commit
2508,
commit
2509.
- Additional processing based on records loaded by the BIND backend
might fail because of a trailing dot mismatch. Fix in commit
2398.
New features
- Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item.
Code in commit
2274.
Also, remove some remains of our previous approach to supporting this
in commit
2326.
- New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a
‘signing slave’, contributed by Jimmy Bergman. Code and documentation
in commit
2320.
- Newlines in the ‘content’ field of backends are now allowed,
restoring some DKIM setups to working condition. Update in commit
2394,
closing ticket 395.
Improvements
- Depending on the encoding used, MySQL could take issue with our
‘tsigkeys’ table which contained very large rows. Trimmed in commit
2400,
closing ticket 410.
- Various build/configure-related fixes in commit
2319,
commit
2373,
commit
2386,
closing ticket 380,
ticket 405, ticket
420.
- We now show the SOA serial after zone transfers. Code in commit
2385,
closing ticket 416.
- Ruben d’Arco submitted a full rework of our slave-side AXFR TSIG
handling, closing ticket
393 and ticket
400 in the process.
Code in commit
2506.
Additional improvement in commit
2513.
- The records.name-column in the gpgsql schema is now constrained to
lowercase, as PowerDNS would be unable to find other entries anyway.
Fix in commit
2503,
closing ticket 426.
- The gsql-backends can now handle huge records, thanks to a patch by
Ruben d’Arco. Code in commit
2476,
closing ticket 407.
Additional changes in commit
2292,
commit
2487,
commit
2489.
Closes ticket 218,
ticket 316.
- Some of PowerDNS’ internal classes would work with uninitialized data
when repurposed outside of the PowerDNS core logic. Fix in commit
2469,
- pdnssec now has ‘check-all-zones’ and ‘rectify-all-zones’ commands.
Submitted by Ruben d’Arco, code in commit
2467.
- ‘restart’ in our init.d-script would not start pdns if it was down
before. Fixed in commit
2462.
- ‘pdnssec rectify-zone’ now honours ^^verbose and is rather quiet
without it. Code in commit
2443.
- Improved error messages for systems without IPv6. Changes in commit
2425.
- The packet- and querycache now honour TTLs from backend data. Code in
commit
2414.
- ‘pdns_control help’ now shows useful usage information. Code in
commit
2410 and
commit
2465.
- Jasper Spaans improved our init.d script for compliance with Debian
Squeeze. Patch in commit
2251.
Further improvement with ‘set -e’ to initscript contributed by Marc
Haber in commit
2301.
- Klaus Darilion discovered our configuration file template and ^^help
output explained the various cache TTLs wrongly, and he also added
documentation for some missing parameters. commit
2271 and
commit
2272.
- Add support for building against Botan 1.10 (stable) and drop support
for 1.9 (development). Changes in commit
2334. This
fixes several bugs when building against 1.9.
- Upgrade internal PolarSSL library to their version 1.1.1. Change in
commit
2389 and
beyond.
- Compilation of several backends failed for Boost in non-standard
locations. Fixes in commit
2316..
- We now do additional processing for SRV records too. Code in commit
2388,
closing ticket 423
(which also contained the patch). Regression test updates that flow
from this in commit
2390.
- Fix compilation on OSX. commit
2316.
- Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable
backend. Code in commit
2369.
- If PowerDNS was not configured to operate as a DNS master, it would
still accept ‘pdns_control notify’ commands, but then not do it.
Spotted by David Gavarret, patch by Jose Arthur Benetasso Villanova
in commit
2379.
- In various places we would only accept UPPERCASE DNS typenames. Fixed
in commit
2370,
closing ticket 390.
- We would not always drop supplemental groups correctly. Reported by
David Black of Atlassian.
- Our regression tests have been strengthened a lot, and now cover way
more features. Commits in
2280,
2281,
2282,
2317,
2348,
2349,
2350,
2351 and
beyond.
- Update to support the latest draft of DANE/TLSA. Spotted by James
Cloos (commit
2338).
Further improvements by Pieter Lexis in commit
2347,
commit
2358.
- Compilation on OpenBSD was eased by patches from Brad Smith, which
can be found in commit
2288 and
commit
2291,
closing ticket 95.
- ‘make check’ failed on the internal PolarSSL. Spotted by Daniel
Briley, fix in commit
2283.
- The default SQL schemas were expanded to contain far longer content
fields. commit
2292,
commit
2293.
- Documentation typos, Jake Spencer (commit
2304),
Jose Arthur Benetasso Villanova (commit
2337).
Code typos in commit
2324
(closes ticket
296).
- Manpage updates from Debian, provided by Matthijs Möhlmann. Content
in commit
2306.
- pdnssec rectify-zone can now accept multiple zones at the same time.
Code in commit
2383.
- As suggested in ticket
416, we now log the
SOA serial number after committing an AXFR’d zone to the backend.
Code in commit
2385.
- Pick up location of sqlite3 libraries using pkg-config. Implemented
using a variation of the patch found in the, now closed, ticket
380. Code in commit
2386.
- Documented ‘pdnssec ^^verbose’ flag is now accepted. Code in commit
2384,
closing ticket 404.
- ‘pdnssec ^^help’ now lists all supported signing algorithms.
Suggested by Jose Arthur Benetasso Villanova.
- PIPE backend example script with edns-subnet support was improved to
actually use edns-subnet field. Plus update PIPE backend
documentation. Code in commit
2285, more
documentation regarding MX and SRV in commit
2313.
- edns-subnet fields now also output in logfile when available (commit
2321).
- When running with virtualized configuration files, we now allow
dashes in the configuration name. Suggested by Marc Haber, code in
commit
2295.
Further fixes by Brielle Bruns in commit
2327.
- Compilation fixes for GNU/Hurd in commit
2307 via
Matthijs Möhlmann.
- Marc Haber improved our Debian packaging scripts for smoother
upgrades. Code in commit
2315.
- When failing to bind to an IP address, report to which one it failed.
commit
2325.
- Supermaster checks were performed synchronously, leading to the
possibilities of slowdowns. Fixed in commit
2402.
Other changes
- Removed the deprecated non-generic mysqlbackend, in commit
2488,
commit
2514,
commit
2515.
- Removed the deprecated ‘pdnsbackend’, in commit
2490,
commit
2516.
- Removed GRANT statements from the gpgsql schema, as we can’t assume
they will work for everyone. Change in commit
2493.
Tickets closed but not associated with a commit
- ticket 125:
“PowerDNS offers wild card info. when it is not queried for.”
- ticket 219: “Accept
NOTIFY from masters on non-standard port”
- ticket 247: “pdns
caching weirdness with recursion-desired flag”
- ticket 253: “bind
backend crashes on long comment line in included file”
- ticket 271:
“PowerDNS Server responding with out-of-zone authority section in
case there is a cname”
- ticket 304:
“also-notify option for pdns, also gives also-notify for
bindbackend.”
- ticket 311:
“PowerDNSSEC responding with SERVFAIL upon IN A query for a CNAME”
- ticket 325: “CNAME
working strange!”
- ticket 376: “Unable
to create long TXT records”
- ticket 412:
“^^without-lua doesn’t disable lua”
- ticket 415:
“Signing thread died during AXFR of signed domain”
- ticket 422:
“ecdsa256 keys bug”
Authoritative Server version 2.9.22.6
Warning: The 2.9.22.x series of releases is end-of-life and
unsupported. It contains many issues and potential security problems. We
urge you to upgrade to a recent version of PowerDNS!
The improvements to the master/slave engine in 2.9.22.5 contained one
serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this
crash.
Authoritative Server version 2.9.22.5
Warning: The 2.9.22.x series of releases is end-of-life and
unsupported. It contains many issues and potential security problems. We
urge you to upgrade to a recent version of PowerDNS!
2.9.22.5 is an interim release for those not yet ready to make the jump
to 3.0, but do need a more recent version of the Authoritative Server.
It also contains the patch from PowerDNS Security Advisory
2012-01.
- Improved performance of master/slave engine, especially when hosting
tens or hundreds of thousands of slave zones. Code in commits
1657,
1658,
1661
(which also brings multi-master support),
1662
(non-standard ports for masters),
1664,
1665,
1666,
1667,
1672,
1673,
2063).
- Compilation fixes for more modern compilers (commit
1660,
commit
1694)
- Don’t crash on communication error with pdns_control (commit
2015).
- Packet cache fixes for UltraSPARC (commit
1663)
- Fix crashes in the BIND backend (commit
1693,
commit
1692)
PowerDNS Authoritative Server 3.0.1
Warning: The DNSSEC implementation of PowerDNS Authoritative Server
3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and
(in)secure delegations. If you use any of these, and you use DNSSEC you
MUST upgrade to 3.1 or beyond!
3.0.1 consists of 3.0, plus the patch from PowerDNS Security Advisory
2012-01
PowerDNS Authoritative Server 3.0
Released on the 22nd of July 2011 RC1 released on the 4th of April 2011
RC2 released on the 19th of April 2011 RC3 released on the 19th of July
2011
Warning: Version 3.0 of the PowerDNS Authoritative Server is a major
upgrade if you are coming from 2.9.x. Please refer to the Upgrade
documentation for important information
on correct and stable operation, as well as notes on performance and
memory use.
Warning: The DNSSEC implementation of PowerDNS Authoritative Server
3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and
(in)secure delegations. If you use any of these, and you use DNSSEC you
MUST upgrade to 3.1 or beyond!
Version 3.0 of the PowerDNS Authoritative Server brings a number of
important features, as well as over two years of accumulated bug fixing.
The largest news in 3.0 is of course the advent of DNSSEC. Not only does
PowerDNS now (finally) support DNSSEC, we think that our support of this
important protocol is among the easiest to use available. In addition,
all important algorithms are supported.
Complete detail can be found in Serving authoritative DNSSEC
data. The goal of PowerDNS’s DNSSEC support
is to allow existing PowerDNS installations to start serving DNSSEC with
as little hassle as possible, while maintaining performance and
achieving high levels of security.
PowerDNS Authoritative Server 3.0 development has been made possible by
the financial and moral support of
This release has received exceptional levels of community support, and
we’d like to thank the following people in addition to those mentioned
explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter
Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN),
Leen Besselink, Antoin Verschuren (SIDN), Olafur Guðmundsson (IETF), Dan
Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN),
Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van
Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan
Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT),
Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de
Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT),
Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, Fredrik
Danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan Hunt, Ralf van der
Enden, Marc Laros, Serge Belyshev, Chris Hofstaedtler, Charlie
Smurthwaite, Nikolaos Milas, ..
Known issues as of RC3
- Not all new features are fully documented yet
Changes between RC3 and final
- Slight tweak to the pipebackend to ease DNSSEC operations (commit
2239,
commit
2247).
Also fix pipebackend support in pdnssec tool (commit
2244).
- Upgrade the experimental native Lua backend to the latest version
from Fredrik Danerklint (commit
2240) and
include this backend in the .deb packages (commit
2242)
- Remove IPv6 dependency, it was only possible to run master/slave
operations on a server with at least one IPv6 address. Some very old
virtualized setups turned out to have no IPv6 at all. Fix in commit
2246.
Changes between RC2 and RC3
- PowerDNS Authoritative Server could not be configured to use an IPv6
based resolving backend. Solved in commit
2191.
- LDAP backend reconfigured the timezone (TZ) setting of the daemon,
leading to confusing logfile entries. Fixed by Chris Hofstaedtler
in commit
2913,
closing ticket 313.
- Non-DNSSEC capable backends could crash on DNSSEC queries. Fixed in
commit
2194 and
commit
2196
(thanks to Charlie Smurthwaite) closing ticket
360.
- Errors looking up a UID or GID were reported confusingly (‘Success’),
fixed in commit
2195,
closing ticket 359.
- Fix compilation against older MySQL, client libraries (commit
2198,
commit
2199,
commit
2204),
especially for older RHEL/CentOS. Also addresses the failure to look
in lib64 directory for PostgreSQL.
- Sqlite3 needs write access not just to its database file, but also to
the directory it is in. If this wasn’t the case, no useful error
message was provided. Improvement in commit
2202.
- Update of MongoDB backend (commit
2203,
commit
2212).
- ‘pdnssec hash-zone-record’ emitted an inverted warning about narrow
NSEC3 hashes. Spotted by Jan-Piet Mens, fix in commit
2205.
- PowerDNS can fill out default fields for SOA records, but neglected
to do so if the SOA record was matched by an incoming ANY question.
Spotted by Marc Laros & others. Fixes ticket
357, code in commit
2206.
- PowerDNS would mistreat binary data in TXT records. Fix in commit
2207.
Again spotted by Jan-Piet Mens. Closes ticket
356.
- Add experimental Lua backend by our star contributor Fredrik
Danerklint. commit
2208.
- Christoph Meerwald discovered our RRSIG freshness checking checked
more than the intended RRSIG (on the SOA record). Fix in commit
2209.
- Christoph Meerwald discovered we got confused by TSIG signed
EDNS-adorned queries, since we expected the EDNS OPT pseudorecord to
be the very last record. Fix in commit
2214.
- Christoph Meerwald discovered that when using SOA outgoing editing we
would sign and THEN edit. This was not productive. Fixed in commit
2215.
- Add missing-but-documented pdnssec command ‘disable-dnssec’. Spotted
by Craig Whitmore. Plus fixed misleading ^^help output. Code in
commit
2216.
- By popular demand, a tweak which makes an overloaded database no
longer restart PowerDNS but to drop queries until the database is
available again. Code in commit
2217,
lightly tested. Enable by setting ‘overload-queue-length=100’ (for
example).
- By suggestion of Miek Gieben of SIDN, add SOA-EDIT mode ‘EPOCH’ which
sets the SOA serial number to the ‘UNIX time’. Implemented in commit
2218.
- Added some US export control & ECCN to documentation, needed because
of DNSSEC content. Update in commit
2219.
- Fix up various spelling mistakes and badly formatted messages
(commit
2220 and
commit
2221) by
Maik Zumstrull and ‘anonymous’.
- After a lot of thought, we now handle CNAMEs to names outside our
knowledge (‘bailiwick’) exactly as in BIND 9.8.0, even though our way
was standards compliant too. It confused things. Update in commit
2222 and
commit
2224.
- Tweak sqlite3 library location detection for newer Ubuntu versions.
Change in commit
2223.
- DNSSEC SQL schema improvements allowing for the use of constraints
and foreign keys in commit
2225, by
Gerald Gruenberg, closing ticket
371.
- Add support for EDNS option ‘edns-subnet’, based on
draft-vandergaast-edns-client-subnet (commit
2226,
commit
2228,
commit
2229,
commit
2230,
commit
2231,
commit
2233).
- Zone2sql sent out the wrong ‘COMMIT’ statement in sqlite mode. In
addition, in this mode, zone2sql would not emit statements to update
the domains table unless the ‘slave’ setting was chosen. Code in
commit
2167.
- We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME
referral, which was unnecessary. Code in commit
2170.
- Kees Monshouwer discovered that we failed to detect the location of
PostgreSQL on RHEL/CentOS. Fix in commit
2144. In
addition, commit
2162 eases
detection of MySQL on RHEL/CentOS 64 bits systems.
- Marc Laros re-reported an old bug in the internally used ‘pdns’
backend where details of the SOA record were not filled out
correctly. Resolved in commit
2145.
- Jan-Piet Mens found that our TSIG signed SOA zone freshness check was
signed incorrectly. Fixed in commit
2147.
Improved error messages that helped debug this issue in commit
2148,
commit
2149.
- Jan-Piet Mens helped debug an issue where some servers were “almost
always” unable to transfer a TSIG signed zone correctly. Turns out
that the TSIG signing code used an internal timestamp and not the
remote timestamp. Because of good NTP synchronization this quite
often was not a problem. Fix in commit
2159.
- Thor Spruyt of Telenet discovered that the PowerDNS code would try to
emit DNS answers over TCP of over 65535 bytes long, which failed. We
now truncate such answers properly. Code in commit
2150.
- The Slave engine now reuses an existing database connection, removing
the need to create a new database connection every minute (and worse,
log about it). Code in commit
2153.
- Fix a potential Year 2106 bug in the TSIG signing code. Because we
care (commit
2156).
- Added experimental support for the ‘DANE’ TLSA record which is used
to authenticate SSL certificates via DNSSEC. commit
2161.
- Added experimental support for the MongoDB ‘NoSQL’ backend,
contributed by Fredrik Danerklint in commit
2162.
Other major new features
- TSIG for authorizing and authenticating AXFR requests & incoming zone
transfers (Code in
2024,
2025,
2033,
2034).
This allows for retrieving TSIG protected content, as well as serving
it.
- Per zone also-notify.
- MyDNS compatible backend, allowing for ‘instantaneous’ migration from
this authoritative nameserver. Code in commit
1418,
contributed by Jonathan Oddy.
- PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of
updates. Already. Code in commit
2009 and
beyond.
- Lua based incoming zone editing, allowing masters or signing slaves
to add information to the zone they will (re-)serve. Implemented in
commit
2065. To
enable, use LUA-AXFR-SCRIPT zone metadata setting.
- Native Oracle backend with full DNSSEC support. Contributed by Maik
Zumstrull, then at the Steinbuch Centre for Computing at the
Karlsruhe Institute of Technology.
- “Also-notify” support, implemented by Aki Tuomi in commit
1400.
Support for Generic SQL backends and for the BIND backend. Further
code in commit
1360.
- Support for binding to thousands of IP addresses, code in commit
1443.
- Generic MySQL backend now supports stored procedures. Implemented in
commit
2084,
closing ticket 231.
- Generic ODBC backend compiles again, and is reported to work for some
users that need it. Code contributed in ticket
309, author unknown.
- Massively parallel slaving infrastructure, able to check the
freshness of thousands of remote zones per second, plus perform many
incoming zone transfers simultaneously. Sponsored by Tyler Hall, code
in 1449,
1500,
1859
- Core DNS logic replaced completely to deal with the brave new world
of DNSSEC.
Bugs fixed
- sqlite2 and sqlite3 backends used MySQL-style escaping, leading to
SQL errors in some cases. Discovered by Sten Spans. Fixed in commit
1342.
- Internal webserver no longer prints ‘1e2%’. Bug rediscovered by Jeff
Sipek. Fixed in commit
1342.
- PowerDNS would refuse to serve domain names with spaces in them, or
otherwise non-printable characters. Addressed in commit
2081.
- PowerDNS can now serve escaped labels, as described by RFC 4343. Data
should be present in backends in that escaped form. Code in commit
2089.
- In some cases, we would include duplicate CNAMEs. In addition, we
would hand out a full root-referral when not configured to in some
cases (ticket 223).
Discovered by Andreas Jakum, fixed in commit
1344.
- Shane Kerr discovered we would corrupt DNS transaction IDs from the
packet cache on big endian systems. Fix in commit
1346,
closing ticket 222.
- PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA
serial number of 1 to be regarded as older than 4400000000, when in
fact it is ‘newer’. Issue (re-)discovered by Jan-Piet Mens.
- BIND backend got confused of a zone’s file name changed after a
configuration reload. Fix in commit
1347,
closing ticket 228.
- When restarted by the Guardian, PowerDNS will perform a full
multi-threaded cache cleanup, which took a long time and could crash.
Fix in commit
1364.
- Under artificial circumstances, PowerDNS would never clean its packet
cache. Found by Marcus Goller, fix in commit
1399 and
commit
1408. This
update also retunes the cleanup frequency.
- Packetcache would cache things it should not have been caching. Fixes
in commits
1407,
1488,
1869,
1880
- When processing incoming notifications, the BIND backend was
case-sensitive, and would disregard notifications in the wrong case.
Discovered by ‘Dolphin’, fix in commit
1420.
- The init.d script did not mention the ‘reload’ command. Code in
commit
1463,
closes ticket 233.
- Generic SQL Backends would sometimes emit obscure error messages. Fix
in commit
2049.
- PowerDNS would be confused by embedded NULs in domain names, and
would also mess up the escaping of some characters. Fix in commit
1468,
commit
1469,
commit
1478,
commit
1480,
- SOA queries for the name of a delegation point were not referred. Fix
in commit
1466,
closing ticket 224.
In addition, queries for AAAA for a CNAMEd record pointing to a name
with no AAAA would deliver a direct SOA, without the CNAME in
between. Fix in commit
1542,
commit
1607.
Also, wildcard CNAMEs pointing to a record without the type requested
suffered from the same issue, fix in commit
1543.
- On processing an incoming AXFR, once an MX or SRV record had been
seen, all future fields got a ‘priority’ entry as well. This had no
operational impact, but looked messy. Fixed in commit
1437.
- Aki Tuomi discovered that the BIND zone file parser would
misrepresent ‘something IN MX 15 @’. Fix in commit
1621.
- Marco Davids discovered the BIND zone file parser would trip over
really long lines. Fix in commit
1624,
commit
1625.
- Thomas Mieslinger discovered that our webserver would only be started
after dropping privileges, which could cause problems. Fix in commit
1629.
- Zone2sql did quite often not do exactly what was required, which
users fixed by editing the SQL output. Revamped in commit
2032.
- An Ubuntu user discovered in Launchpad bug 600479 that restarting
database threads cost a lot of memory. Normally this is rare, except
in case of problems. Addressed in commit
1676.
- BIND backend could crash under (very) high load with very large
numbers of zones (hundreds of thousands). Fixed in commit
1690.
- Miek Gieben and Marco Davids spotted that PowerDNS would answer the
version.bind query in the IN class too. Bug reported via twitter! Fix
in commit
1709.
- Marcus Lauer and the OpenDNSSEC project discovered that outgoing
notifications did not carry the ‘aa’ flag. Fixed in commit
1746.
- Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed
by Anders Kaseorg in commit
1747.
- Fixed a bug that could cause crashes on launching thousands of
backend connections. Never observed to occur, but who knows. Fix in
commit
1792.
- Under some circumstances, large answers could be truncated in
mid-record. While technically legal, this upset a number of resolver
implementations (including the PowerDNS Recursor!). Fixed in commit
1830,
re-closes ticket
200.
- Jan Piet Mens and Florian Weimer discovered we had problems dealing
with escaped labels and escaped TXT fields. Fixed in commit
2000.
- After 2.2 billion queries, statistics would wrap oddly. Fix in
commit
2019,
closing ticket 327.
Improvements
- Long TXT records are now split into 255-byte components
automatically. Implemented in commit
1340,
reported by Darren Gamble in ticket
188.
- When receiving large numbers of notifications, PowerDNS would check
these synchronously, leading to a slowdown for other services. Fixed
in commit
2058,
problem diagnosed by Richard Poole of Heart Internet.
- Fixed compilation on newer compilers and newer versions of Boost.
Changes in
1345
(closes ticket
227),
1391,
1394,
1425,
1427,
1428,
1429,
1440,
1653,
thanks to Ruben Kerkhof and others.
- Moved Generic PostgreSQL backend over to the newer E’’ style escapes.
commit
2094.
- Compilation fixes for Mac OS X 10.5.7 in commit
1389,
thanks to Tobias Markmann.
- We can now bind to scoped IPv6 addresses, lack spotted by Darren
Gamble. Part of the fix is in commit
2018.
- Built-in query cache can now also cache queries which lead to
multiple answers. Code in commit
2069.
- Prodded on by Jan Piet Mens, we now support ‘unknown types’ (which
look like TYPE65534).
- Add ‘slave-renotify’ to retransmit notifies for slaved zones, which
is helpful when acting as a ‘signing slave’ for a hidden master. Code
in commit
1950.
- No longer let zone2sql and zone2ldap import BIND ‘hint’ zones.
commit
1998.
- Allow for timestamps to explicitly be specified in (s)econds. Code in
commit
1398,
closing ticket 250.
- Zones with URL and MBOXFW records can be transferred over AXFR, code
in commit
1464.
- Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our
init.d script to read /etc/default/pdns. Code in commit
1601,
commit
1602.
- Generic SQL backends now support multiple masters in the domains
table. Code in commit
1857.
Additionally, masters can also have :port numbers. Code in commit
1858.
Authoritative Server version 2.9.22
Warning: The 2.9.22.x series of releases is end-of-life and
unsupported. It contains many issues and potential security problems. We
urge you to upgrade to a recent version of PowerDNS!
Released on the 27th of January 2009.
This is a huge release, spanning almost 20 months of development.
Besides fixing a lot of bugs, of note is the addition of the so called
‘Notification Proxy’, which allows PowerDNS to function as a master
server behind a firewall, plus the huge performance improvement of the
internal caches.
This work has been made possible by UPC Broadband and Directi,
respectively.
Finally, the release candidates of this version have been tested &
improved by Jorn Ekkelenkamp, Ton van Rosmalen, Jeff Sipek, Tyler Hall,
Christof Meerwald and Stefan Schmidt.
Fixed between rc1 and rc2, but not an issue in 2.9.21.
- pdns_control ccounts again outputs proper cache statistics.
Implemented in commit
1304.
- Negative query caching was reinstated, leading to 6 times fewer
backend queries than rc1 on the Express.powerdns.com servers.
- Packetcache no longer needlessly parses outgoing packets before
sending them.
- Fancy records work again. This work has been sponsored by ISP
Services. Implemented in commit
1302 and
commit
1299.
New features
- pdns_control can now also work over TCP/IP. Sponsored by
Directi. Commits
1246,
1251,
1254,
1255.
- Implemented a notification proxy, see “Notification proxy
(nproxy)”. This work was sponsored
by UPC Broadband. Implemented in commits
1075,
1077,
1082,
1083,
1085 and
1086.
- IXFR queries are now supported in the sense that we treat them as
AXFR queries, silencing warnings in other nameservers. Suggested in
ticket 131.
- The PIPE backend has been extended by David Apgar to allow the
reporting of errors using the ‘FAIL’ command, plus support for
responses with whitespace. Implemented in commit
1114.
- PowerDNS Authoritative server now parses incoming EDNS options, like
maximum allowed packet size. Implemented in commit
1123 and
commit
1281.
- Added support for DHCID, IPSECKEY and KX records, thanks Norbert
Sendetzky for the hint. Implemented in commit
1144.
- Norbert Sendetzky has added support for all record types
supported by PowerDNS to the LDAPBackend. Furthermore, the detection
of OpenLDAP in autoconf has been improved. Finally, debian has
supplied some fixes to PowerLDAP. Implemented in commit
1152 and
commit
1153.
- Implemented EDNS NSID option for retrieving the nameserver ID out of
band. Defaults to hostname, can be specified using the server-id
setting. Code in commit
1232.
- Implemented experimental EDNS PING for enhanced forgery resilience.
Code in commit
1232.
Bugs fixed
- Tyler Hall discovered the PowerDNS configuration file parser had
problems with trailing tabs. This turned out to be a wider problem in
PowerDNS. Buggy code replaced by a library call in commit
1237 and
commit
1240.
- David Apgar of Yahoo discovered that our ‘guardian’ method of
restarting PowerDNS in case of problems was not fool proof, and
submitted a fix. A variation of this fix can be found in commit
1323. Also
reported by Directi.
- Connection reset by peer events in the TCP nameserver no longer lead
to the cycling of database connections. Code in commit
1241.
- FreeBSD compilation with Generic PostgreSQL backend was fixed.
Reported by Wouter de Jong of WideXS, fixed in commit
1305,
closes ticket 95.
- Webserver no longer prints ‘1e2%’. Finally closes ticket
26. Much friendly
nagging for over 3 years by Jeff Sipek, code in commit
1303.
- PowerDNS used to ignore certain queries it could not answer. These
queries are no longer ignored, but get a SERVFAIL response.
Implemented in commit
1239.
- Fix subtle CNAME and wildcard interactions reported by ‘zzyzz’,
implemented in commit
1147.
- The generic backends did not honour the default-ttl setting.
Spotted and implemented by Matti Hiljanen.
- Matti Hiljanen discovered that the OpenDBX backend did not fill out
the SOA ttl value properly. Matti also improved the SQL statements
for better compatibility. Implemented in commit
1181.
- Treat invalid WWW requests better. Spotted by Maikel Verheijen,
implemented in commit
1092.
- Documentation errors and typos, spotted by Marco Davids (commit
1097) and
Rejo Zengers (commit
1119)
- Properly fill out the ‘recursion available’-flag. Spotted by Augie
Schwer in ticket
167.
- Several memory leaks on bad data in the database or other errors have
been fixed. Addressed in
1078 and
1079.
- In contravention to the documentation, the domain type as specified
in the database (‘MASTER’, ‘SLAVE’ or ‘NATIVE’) was interpreted case
sensitively.
1084.
- BIND backend could crash on processing information about slave zones
to be checked. Spotted by Stefan Schmidt, fixed in
1089.
- Jelte Jansen of Stichting NLNetLabs discovered PowerDNS in BIND mode
couldn’t operate as a root-server! Fixed in
1057.
- ‘DPS’ discovered there was a rare opportunity for PowerDNS to lock up
waiting for new data. Addressed in
1076.
- Make singlethreaded mode more resilient against errors. commit
1272.
- DNSSEC records were part of 2.9.21, but were not actually hooked up.
Please note that while PowerDNS can serve most DNSSEC records, it
does not do DNSSEC processing. Implemented in
1046.
- Shawn Starr migrated all his domains to PowerDNS in one evening, from
an installation that had been used since BIND4. In doing so, he found
3 bugs in as many hours. An IN statement in the BIND
named.conf
with a zone with a trailing dot was misparsed, fixed
in commit
1233.
Secondly, the zone file parser tripped over a line consisting of
nothing but comments in the wrong place. Finally ‘$ORIGIN .’ was
misparsed. Last two issues fixed in commit
1234.
- Our statistics counters did not wrap correctly after the 2.15 billion
mark. Spotted by Stefan Schmidt, reported in ticket
179, fixed in
commit
1284.
- Bindbackend could sometimes generate very strange error messages
while processing a malformed zone file. Sometimes such error messages
could cause a crash (reported on HP-UX). Addressed by commit
1279. This
could not be triggered remotely. Closes ticket ticket
203.
- Pipe backend did not clean up killed coprocesses. Found and fixed by
Daniel Drown
- Installations with tens of thousands of slave domains would never
complete the cycle to check the freshness of all zones as each
incoming notification disrupted this cycle. Addressed in cooperation
with Tyler Hall of EditDNS.
Improvements
- Zone parser improvements mean $TTL and $INCLUDES now work a lot
better. Implemented in
1056,
1062.
- No longer report temporary recvfrom errors, which used to spam the
log on many systems. Addressed in commit
1320.
- Direct queries for ‘fancy records’ would lead to errors, such queries
now fail early. Spotted by Jorn Ekkelenkamp, implemented in
1051.
- Fix typo in geobackend, closing ticket
157, implemented in
1090.
- Initial work on TSIG support - not done yet. Spurred on by Marco
Davids.
- Embarrassingly, the ‘master’ configuration setting was not documented
in the list of all settings!
- Norbert has updated OpenDBX so that SQLite reads and writes no longer
deadlock, plus compilation fixes on Solaris, plus the addition of
autoserials to backends that support triggers. Implemented in commit
1154.
- Random generator is now based on AES, improving the security of
certain proxy operations. This is the same random generator that is
in the recursor. Implemented in commit
1256.
- Documentation for ‘supermaster’ mode was improved due to popular
demand.
- When binding to a UDP port failed, supply a more precise error
message (commit
1245)
- The zone parser error messages were vastly improved, partially
inspired by Shawn’s cowboy migration. Code in commit
1235.
- Labels are compressed more efficiently (case-insensitively), leading
to smaller packets. Implemented in commit
1156.
- Fix handling of TCP timeouts to not cause a reload of the backends.
Implemented in commit
1092.
- TCP Receiver no longer spams the log with common network errors.
Implemented in commit
1306.
- Move from select() to poll()-based multiplexing, allowing PowerDNS to
listen on more than 1024 sockets simultaneously. One big PowerDNS
user needs this. Implemented in
1072.
- Zone2sql now reads source files in performance enhancing inode order.
Additionally, zone2sql no longer dies on a missing zone file if
^^on-error-resume-next was specified. Finally, statistics of
zone2sql conversion have been improved. Implemented in
1055.
- Address issues found by more recent g++ versions. Spotted and/or
fixed by Jorn Ekkelenkamp (commit
1051),
Marcus Rueckert (commit
1094),
Norbert Sendetzky (commit
1107),
Serge Belyshev (commit
1171).
- The Intel C Compiler implements certain things differently, causing
the master/slave communicator to malfunction. Spotted by Marcus
Rueckert, implemented in
1052,
plus fallout in
1105.
- PowerDNS can now be compiled with Boost 1.37.0.
- Andre Lorbach of Adiscon discovered the Microsoft Windows 2003
nameserver adds out of zone data to zone transfers, which we need to
ignore, instead of rejecting the entire zone. Implemented in
1048.
- PowerDNS now skips remote master servers which consistently generate
timeout messages, improving the master checking cycle time
tremendously. Developed in cooperation with Tyler Hall. Implemented
in commit
1278.
- When binding to a UDP port failed, supply a more precise error
message (commit
1245)
- dnsreplay now waits for the final answers to arrive, making it
possible to process even small pcap files and get meaningful
statistics. commit
1268.
- dnsreplay has a more sane default timeout now, which can be
configured too. Suggested by Augie Schwer in ticket
163, implemented in
commit
1287.
Authoritative Server version 2.9.21.2
Released on the 18th of November 2008.
This release consists of a single patch to PowerDNS Authoritative Server
version 2.9.21.1. In some configurations, notably with configuration
option ‘distributor-threads=1’, the PowerDNS Authoritative Server
crashes easily in some error conditions.
All users are urged to upgrade. Even though PowerDNS restarts itself on
encountering such error conditions, and even though most PowerDNS
configurations do not run in single threaded mode, an upgrade is
recommended.
More detail can be found in PowerDNS Security Advisory
2008-02.
Authoritative Server version 2.9.21.1
Released on the 6th of August 2008.
This release consists of a single patch to PowerDNS Authoritative Server
version 2.9.21. Brian J. Dowling of Simplicity Communications has
discovered a security implication of the previous PowerDNS behaviour to
drop queries it considers malformed. We are grateful that Brian notified
us quickly about this problem.
This issue has been assigned CVE-2008-3337. The single patch is in
commit 1239.
More detail can be found in PowerDNS Security Advisory
2008-02.
The implication is that while the PowerDNS Authoritative server itself
does not face a security risk because of dropping these malformed
queries, other resolving nameservers run a higher risk of accepting
spoofed answers for domains being hosted by PowerDNS Authoritative
Servers before 2.9.21.1.
While the dropping of queries does not aid sophisticated spoofing
attempts, it does facilitate simpler attacks.
It may be good to know that several large sites already run with this
patch applied, as it has been in the public code base for some weeks
already.
PowerDNS Authoritative Server version 2.9.21
Released the 21st of April 2007.
This is the first release the PowerDNS Authoritative Server since the
Recursor was split off to a separate product, and also marks the
transfer of the new technology developed specifically for the recursor,
back to the authoritative server.
This move has reduced the amount of code of the Authoritative server by
over 2000 lines, while improving the quality of the program enormously.
However, since so much has been changed, care should be taken when
deploying 2.9.21.
To signify the magnitude of the underlying improvements, the next
release of the PowerDNS Authoritative Server will be called 3.0.
This release would not have been possible without large amounts of help
and support from the PowerDNS Community. We specifically want to thank
Massimo Bandinelli of Italy’s Register.it,
Dave Aaldering of Aaldering ICT, True
BV, XS4ALL, Daniel Bilik
of Neosystem,
EasyDNS, Heinrich
Ruthensteiner of Siemens, Augie
Schwer, Mark
Bergsma, Marco
Davids, Marcus Rueckert of
OpenSUSE, Andre Muraro of
Locaweb, Antony Lesuisse, Norbert
Sendetzky, Marco
Chiavacci, Christoph Haas, Ralf van der Enden
and Ruben Kerkhof.
Security issues
- The previous packet parsing and generating code contained no known
bugs, but was however very lengthy and overly complex, and might have
had security problems. The new code is ‘inherently safe’ because it
relies on bounds-checking C++ constructs. Therefore, a move to 2.9.21
is highly recommended.
- Pre-2.9.21, communication between master and server nameservers was
not checked as rigidly as possible, possibly allowing third parties
to disrupt but not modify such communications.
Warning: The ‘bind1’ legacy version of our BIND backend has been
dropped! There should be no need to rely on this old version anymore, as
the main BIND backend has been very well tested recently.
Bugs
- Multi-part TXT records weren’t supported. This has been fixed, and
regression tests have been added. Code in commits
1016,
996,
994.
- Email addresses with embedded dots in SOA records were not parsed
correctly, nor were other embedded dots. Noted by ‘Bastiaan’, fixed
in commit
1026.
- BIND backend treated the ‘m’ TTL modifier as ‘months’ and not
‘minutes’. Closes Debian bug 406462. Addressed in commit
1026.
- Our snapshots were built against a static version of PostgreSQL that
was incompatible with many Linux distributions, leading to instant
crashes on startup. Fixed in
1022 and
1023.
- CNAME referrals to child zones gave improper responses. Noted by
Augie Schwer in ticket
123, fixed in
commit
992.
- When passing a port number with the recursor setting, this would
sometimes generate errors during additional processing. Switched off
overly helpful additional processing for recursive queries to remove
this problem. Implemented in commit
1031,
spotted by Ralf van der Enden.
- NS to a nameserver with the name of the zone itself generated
problems. Spotted by Augie Schwer, fixed in commit
947.
- Multi-line records in the BIND backend were not always parsed
correctly. Fixed in commit
1014.
- The LOC-record had problems operating outside of the eastern
hemisphere of the northern part of the world! Fixed in commit
1011.
- Backends were compiled without multithreading preprocessor flags. As
far as we can determine, this would only cause problems for the BIND
backend, but we cannot rule out this caused instability in other
backends. Fixed in commit
1001.
- The BIND backend was highly unstable under reloads, and leaked memory
and file descriptors. Thanks to Mark Bergsma and Massimo Bandinelli
for respectively pointing this out to us and testing large amounts of
patches to fix the problem. The fixes have resulted in better
performance, less code, and a remarkable simplification of this
backend. Commits
1039,
1034,
1035,
1006,
999,
905 and
previous.
- BIND backend gave convincing NXDOMAINs on unloaded zones in some
cases. Spotted and fixed by Daniel Bilik in commit
984.
- SOA records in zone transfers sometimes contained the wrong SOA TTL.
Spotted by Christian Kuehn, fixed in commit
902.
- PowerDNS could get confused by very high SOA serial numbers. Spotted
and fixed by Dan Bilik, fixed in commit
626.
- Some versions of FreeBSD perform very strict checks on socket address
sizes passed to ‘connect’, which could lead to problems retrieving
zones over AXFR. Fixed in commit
891.
- Some versions of FreeBSD perform very strict checks on IPv6 socket
addresses, leading to problems. Discovered by Sten Spans, fixed in
commit 885
and commit
886.
- IXFR requests were not logged properly. Noted by Ralf van der Enden,
fixed in commit
990.
- Some NAPTR records needed an additional space character to encode
correctly. Spotted by Heinrich Ruthensteiner, fixed in commit
1029.
- Many bugs in the TCP nameserver, leading to a PowerDNS process that
did not respond to TCP queries over time. Many fixes provided by Dan
Bilik, other problems were fixed by rewriting our TCP handling code.
Commits
982 and
980,
950,
924,
889,
874,
869,
685,
684.
- Fix crashes on the ARM processor due to alignment errors. Thanks to
Sjoerd Simons. Closes Debian bug 397031.
- Missing data in generic SQL backends would sometimes lead to faked
SOA serial data. Spotted by Leander Lakkas from True. Fix in commit
866.
- When receiving two quick notifications in succession, the packet
cache would sometimes “process” the second one, leading PowerDNS to
ignore it. Spotted by Dan Bilik, fixed in commit
686.
- Geobackend (by Mark Bergsma) did not properly override the getSOA
method, breaking non-overlay operation of this fine backend. The
geobackend now also skips ‘.hidden’ configuration files, and now
properly disregards empty configuration files. Additionally, the
overlapping abilities were improved. Details available in commit
876, by
Mark.
Features
- Thanks to EasyDNS, PowerDNS now supports
multiple masters per domain. For configuration details, see Slave
operation.
Implemented in commit
1018,
commit
1017.
- Thanks to EasyDNS, PowerDNS now supports
the KEY record type, as well the SPF record. In commit
976.
- Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG record types,
as part of the move to the new DNS parsing/generating code.
- Support for the AFSDB record type, as requested by ‘Bastian’.
Implemented in commit
978,
closing ticket 129.
- Support for the MR record type. Implemented in commit
941 and
commit
1019.
- Gsqlite3 backend was added by Antony Lesuisse in commit
942;
- Added the ability to send out light-weight root-referrals that save
bandwidth yet still placate mediocre resolver implementations.
Implemented in commit
912, enable
with ‘root-referral=lean’.
Improvements
- Miscellaneous OpenDBX and LDAP backend improvements by Norbert
Sendetzky. Applied in commit
977 and
commit
1040.
- SGML source of the documentation was cleaned up by Ruben Kerkhof in
commit
936.
- Speedups in core DNS label processing code. Implemented in commit
928,
commit
654,
commit
1020.
- When communicating with master servers and encountering errors, more
useful details are logged. Reported by Stefan Arentz in ticket
137, closed by
commit
1015.
- Database errors are now logged with more details. Addressed in
commit
1004.
- pdns_control problems are now logged more verbosely. Change in
commit
910.
- Erroneous address configuration was logged unclearly. Spotted by
River Tarnell, fixed in commit
888.
- Example configuration shipped with PowerDNS was very old. Noted by
Leen Besselink, fixed in commit
946.
- PowerDNS neglected to chdir to the root when chrooted. This closes
ticket 110, fixed
in commit
944.
- Microsoft resolver had problems with responses we generated for
CNAMEs pointing out of our bailiwick. Fixed in commit
983 and
expedited by Locaweb.com.br.
- Built-in webserver logs errors more verbosely. Closes ticket
82, fixed in commit
991.
- Queries containing ‘@’ no longer flood the logs. Addressed in commit
1014.
- The build process now looks for PostgreSQL in more places.
Implemented in commit
998, closes
ticket 90.
- Speedups in the BIND backend now mean large installations enjoy
startup times up to 30 times faster than with the original BIND
nameserver. Many thanks to Massimo Bandinelli.
- BIND backend now offers full support for query logging, implemented
in commit
1026,
commit
1029.
- BIND backend named.conf parsing is now fully case-insensitive for
domain names. This closes Debian bug 406461, fixed in commit
1027.
- IPv6 and IPv4 address parsing routines have been replaced, which
should result in prettier output in some cases. commit
962,
commit
1012 and
others.
- 5 new regression tests have been added to insure old bugs do not
return.
- Fix small issues with very modern compilers and BOOST snapshots.
Noted by Marcus Rueckert, addressed in commit
954,
commit 964
commit
965,
commit
1003.
Version 2.9.20
Released the 15th of March 2006
Besides adding OpenDBX, this release is mostly about fixing problems and
speeding up the recursor. This release has been made possible by
XS4ALL and True. Thanks!
Furthermore, we are very grateful for the help of Andrew Pinski, who
hacks on gcc, and of Joaquín M López Muñoz, the author of
boost::multi_index_container.
Without their near-realtime help this release would’ve been delayed a
lot. Thanks!
Bugs fixed in the recursor
- Possible stability issues in the recursor on encountering errors
(commit
532,
commit
533)
- Memory leaks in recursor fixed (commit
534,
commit
572). In a
test 800 million real life DNS packets have been sent to the
recursor, representing several days of traffic from a major ISP,
memory use was high (500MB), but stable.
- Prune all data in PowerDNS - previously per-nameserver and per-query
performance statistics were kept around forever (commit
535)
- IPv6 additional processing was broken. Reported by Lionel Elie
Mamane, who also provided a fix. The problem was fixed differently in
the end. commit
562.
- pdns_recursor did not shuffle answers since 2.9.19, leading to
problems sending mail to the Hotmail servers. Reported in ticket
54, fixed in commit
567.
- If a single nameserver had multiple IP addresses listed, PowerDNS
would only use one of them. Noted by Mark Martin, fixed in commit
570, who
depends on a domain with 4 nameserver IP addresses of which 2 are
broken.
Improvements to the recursor
- Commits
535,
540,
541,
542,
543,
544,
545,
547 and
548,
574 all
speed up the recursor by a large factor, without altering the DNS
algorithm.
- Move recursor to the incredible boost::multi_index_container
(commit
580). This
brings a huge improvement in cache pruning times.
- commit 549
and commit
550 work
around gcc bug
24704 if
requested, which speeds up the recursor a lot, but involves a dirty
hack. Enable with ./configure ^^enable-gcc-skip-locking. No
guarantees!
Bugs fixed in the authoritative nameserver
- PowerDNS would no longer allow a ‘/’ in domain names, fixed by
commit
537,
reported in ticket
48.
- Parameters to pdns_control notify-host were not checked, leading
to possible crashes. Reported in ticket
24, fixed in commit
565.
- On some compilers, processing of NAPTR records could cause the server
to crash. Reported by Bernd Froemel in ticket
29, fixed in commit
538.
- Backend errors could make the whole nameserver exit under some
circumstances, notably using the LDAP backend. Fixed in commit
583,
reported in ticket
62.
- Referrals were subtly broken by recent CNAME/Wildcard improvements,
fixed in commit
539. Fix
and other improvements sponsored by True.
- PowerDNS would try to insert records it has no knowledge about in
slave zones, which did not work. Reported in ticket
60, fixed in commit
566. A
superior fix would be to implement the relevant unknown record
standard.
Improvements to the authoritative nameserver
- Pipebackend did not properly propagate the ABI version to its
children, fixed in commit
546,
reported by kickdaddy@gmail.com in ticket
45.
- OpenDBX backend
added (commit
559,
commit
560,
commit
561) by
Norbert Sendetzky. From the website: “ The OpenDBX backend enables it
to fetch DNS information from every DBMS supported by the OpenDBX
library and combines the power of one of the best DNS server
implementations with the flexibility of the OpenDBX library. ”
OpenDBX adds some other features like database failover. Thanks
Norbert!
- LDAP fixes as reported in ticket
37, fixed in commit
558, which
make pdns_control notify work.
- Arjo Hooimeijer added support for soa-refresh-default,
soa-retry-default, soa-expire-default, which were previously
hardcoded. commit
563 and
fallout in commit
573 (thanks
to Wolfram Schlich).
Miscellaneous
- Fixes for g++ 4.1. Compiling with 4.1 realizes notable speedups.
commit
568,
commit
569.
- PowerDNS now reports if it is running in 32 or 64 bit mode, useful
for bi-arch users that need to know if they are benefiting from
AMD’s great processor. commit
571.
- dnsscope compiles again, commit
551,
commit 564
(FreeBSD 64-bit time_t).
- dnsreplay_mindex compiles again, fixed by commit
572. Its
performance, and the performance of the recursor was improved by
commit
559.
- Build scripts were added, mostly for internal use but we know some
PowerDNS users build their own packages too. commit
553,
commit
554,
commit
555,
commit
556,
commit
557.
bootstrap
script was not included in release. Thanks to Stefan
Arentz for noticing. Fixed in commit
574.
Version 2.9.19
Released 29th of October 2005.
As with other recent releases, the usage of PowerDNS appears to have
skyrocketed. Informal, though strict, measurements show that PowerDNS
now powers around 50% of all German domains, and somewhere in the order
of 10-15% of the rest of the world. Furthermore, DNS is set to take a
central role in connecting Voice over IP providers, with PowerDNS
offering a very good feature set for these ENUM deployments. PowerDNS is
already powering the E164.info ENUM zone and also acts as the backend
for a major VoIP provisioning platform.
Included in this release is the now complete packet parsing/generating,
record parsing/generating infrastructure. Furthermore, this framework is
used by the recursor, hopefully making it very fast, memory efficient
and robust. Many records are now processed using a single line of code.
This has made the recursor a lot stricter in packet parsing, you will
see some error messages which did not appear before. Rest assured
however that these only happen for queries which have no valid answer in
any case.
Furthermore, support for DNSSEC records is available in the new
infrastructure, although is should be emphasised that there is more to
DNSSEC than parsing records. There is no real support for DNSSEC (yet).
Additionally, the BIND Backend has been replaced by what was up to now
known as the ‘Bind2Backend’. Initial benchmarking appears to show that
this backend is faster, uses less memory and has shorter startup times.
The code is also shorter.
This release fixes a number of embarrassing bugs and is a recommended
upgrade.
Thanks are due to XS4ALL who are supporting
continuing development of PowerDNS, the fruits of which can be found in
this release already. Furthermore, a remarkable number of people have
helped report bugs, validate solutions or have submitted entire patches.
Many thanks!
Improvements
- dnsreplay now has a help message and has received further massive
updates, making the code substantially faster. It turns out that
dnsreplay is often ‘heavier’ than the PowerDNS process being
benchmarked.
- PowerDNS recursor no longer prints out its queries by default as most
recursor deployments have too much traffic for this to be useful.
- PowerDNS recursor is now able to read its root-hints from disk, which
is useful to operate with alternate roots, like the Open Root Server
Network. See PowerDNS
Recursor.
- PowerDNS can now send out old-fashioned root-referrals when queried
for domains for which it is not authoritative. Wastes some bandwidth
but may solve incoming query floods if domains are delegated to you
for which you are not authoritative, but which are queried by broken
recursors.
- PowerDNS now prints out a warning when running with legacy
LinuxThreads implementation instead of the high performance NPTL
library. commit
455.
- A lot of superfluous calls to gettimeofday() have been removed,
making PowerDNS and especially the recursor faster. Suggested by Kai.
- SPF records are now supported natively. commit
472,
closing ticket 22.
- Improved IPv6 ‘bound to’ messages. Thanks to Niels Bakker, Wichert
Akkerman and Gerty de Wolf for suggestions.
- Separate graphs can now be made of IPv6 queries and answers. commit
485.
- Out of zone additional processing is now on by default to better
comply with standards. commit
487.
- Regression tests have been expanded to deal with more record types
(SRV, NAPTR, TXT, duplicate SRV).
- Improved query-logging in Bindbackend, which can be used for
debugging purposes.
- Dropped libpcap dependency, making compilation easier
- pdns_control now has a help message.
- Add RRSIG, DNSKEY, DS and NSEC records for DNSSEC-bis to new parser
infrastructure.
- Recursor now honours EDNS0 allowing it to send out larger answers.
Bugs fixed
- Domain name validation has been made a lot stricter - it turns out
PostgreSQL was interpreting some (corrupt) domain names as unicode.
Tested and suggested by Register.com (commit
451).
- LDAP backend did not compile (commits
452,
453) due
to partially applied patch (Norbert Sendetzky)
- Incoming zone transfers work reliably again. Fixed in commit
460 and
beyond. And commit
523 -
closing Debian bug 330184.
- Recent g++ versions exposed a mistake in the PowerDNS recursor cache
pruning code, causing random crashes. Fixed in commit
465.
Reported by several Red Hat users.
- PowerDNS recursor, and MTasker in general, did not work on Solaris.
Patch by Juergen Ilse, commit
471. Also
moved most of PowerDNS over to uint32_t style typedefs, which eases
compilation problems on Solaris, commit
477.
- Bindbackend2 did not properly search its include path for $INCLUDE
statements. Noted by Mark Bergsma, commit
474.
- Bindbackend did not notice changed zones, this problem has been fixed
by the move to Bind2.
- Pipebackend did not clean up, leading to an additional pipe backend
per AXFR or pdns_control reload. Discovered by Marc Jauvin, fixed by
commit
525.
- Bindbackend (both old and current versions) did not honour ‘include’
statements in
named.conf
on pdns_control rediscover. Noted
by Marc Jauvin, fixed by commit
526.
- Zone transfers were sometimes shuffled, which wastes useless time,
commit
478.
- CNAMEs and Wildcards now work as in Bind, fixing many complaints,
commit
487.
- NAPTR records were compressed, which would work, but was in violation
of the RFC, commit 493.
- NAPTR records were not always parsed correctly from BIND zone files,
fixed, commit 494.
- Geobackend needed additional include statement to compile on more
recent Linux distributions, commit 496.
Version 2.9.18
Released on the 16th of July 2005.
The ‘8 million domains’ release, which also marks the battle readiness
of the PowerDNS Recursor. The latest improvements have been made
possible by financial support and contributions by
Register.com and
XS4ALL. Thanks!
This release brings a number of new features (vastly improved recursor,
Generic Oracle Support, DNS analysis and replay tools, and more) but
also has a new build dependency, the Boost
library (version 1.31 or higher).
Currently several big ISPs are evaluating the PowerDNS recursor for
their resolving needs, some of them have switched already. In the course
of testing, over 350 million actual queries have been recorded and
replayed, the answers turn out to be satisfactorily.
This testing has verified that the pdns recursor, as shipped in this
release, can stand up to heavy duty ISP loads (over 20000
queries/second) and in fact does so better than major other nameservers,
giving more complete answers and being faster to boot.
We invite ISPs who note recursor problems to record their problematic
traffic and replay it using the tools described in Tools to analyse DNS
traffic to discover if PowerDNS does a better
job, and to let us know the results.
Additionally, the bind2backend is almost ready to replace the stock bind
backend. If you run with Bind zones, you are cordially invited to
substitute launch=bind2
for launch=bind
. This will happen
automatically in 2.9.19!
In other news, the entire Wikipedia constellation now runs on PowerDNS
using the Geo Backend! Thanks to Mark Bergsma for keeping us updated.
There are two bugs with security implications, which only apply to
installations running with the LDAP backend, or installations providing
recursion to a limited range of IP addresses. If any of these apply to
you, an upgrade is highly advised
- The LDAP backend did not properly escape all queries, allowing it to
fail and not answer questions. We have not investigated further risks
involved, but we advise LDAP users to update as quickly as possible
(Norbert Sendetzky, Jan de Groot)
- Questions from clients denied recursion could blank out answers to
clients who are allowed recursion services, temporarily. Reported by
Wilco Baan. This would’ve made it possible for outsiders to blank out
a domain temporarily to your users. Luckily PowerDNS would send out
SERVFAIL or Refused, and not a denial of a domain’s existence.
General bugs fixed
- TCP authoritative server would not relaunch a backend after failure
(reported by Norbert Sendetzky)
- Fix backend restarting logic (reported, and fix suggested by Norbert
Sendetzky)
- Launching identical backends multiple times, with different settings,
did not work. Reported by Mario Manno.
- Master/slave queries did not honour the query-local-address
setting. Spotted by David Levy of Register.com. The fix also
randomises the local port used, slightly improving security.
Compilation fixes
- Fix compile on Solaris, they define ‘PC’ for some reason. Reported by
Eric Yiu.
- PowerDNS recursor would not compile on FreeBSD due to Linux specific
defines, as reported in cvstrac ticket 26 (Ralf van der Enden)
- Several 64 bits issues have been fixed, especially in the Logging
subsystem.
- SSQLite would fail to compile on recent Debian systems (Matthijs
Möhlmann)
- Generic MySQL would not compile on 64-bit platforms.
Improvements
- PowerDNS now reports stray command line arguments, like when running
‘^^local-port 5300’ instead of ‘^^local-port=5300’. Reported by
Christian Welzel.
- We now warn against erroneous logging-facility specification, ie
specifying an unknown facility.
- ^^version now outputs gcc version used, so we can tell people
2.95 is no longer supported.
- Extended regression tests, moved them to the new ‘sdig’ tool (see
below).
- Bind2backend is now blazingly fast, and highly memory efficient to
boot. As a special bonus it can read gzipped zones directly. The
‘.NET’ zone is hosted using 401MB of memory, the same size as the
zone on disk.
- The Pipe Backend has been improved such that it can send out
different answers based on the IP address the question was received
ON. See PipeBackend
protocol for
how this changed the Pipe Backend protocol. Note that you need to set
pipebackend-abi-version to benefit from this change, existing
clients are not affected. Change and documentation contributed by
Marc Jauvin of Register4Less.
- LDAP backend has been updated (Norbert Sendetzky).
Recursor improvements and fixes.
See Recursion for details. The changes
below mean that all of the caveats listed for the recursor have now been
addressed.
- After half an hour of uptime, the entire cache would be pruned for
each packet, which is a tad slow. It now appears the pdns recursor is
among the fastest around.
- Under high loads, or when unlucky, some query mthreads would get
‘stuck’, and show up in the statistics as eternally running queries.
- Lots of redundant gettimeofday() and time() calls were removed, which
has resulted in a measurable speedup.
- pdns_recursor can now listen on several addresses simultaneously.
- Now supports setuid and setgid operation to allow running as a less
privileged user (Bram Vandoren).
- Return code of pdns_recursor binary did not make sense (Matthijs
Möhlmann and Thomas Hood)
- Timeouts and errors are now split out in statistics.
- Many people reported broken statistics, it turned out that no
statistics were being reported if there had been no questions to base
them on. We now log a message to that effect.
- Add query-local-address support, which allows the recursor to
send questions from a specific IP address. Useful for anycast setups.
- Add outgoing TCP query support and proper truncated answer support.
Needed for Worldnic Denial of Service protection, which sends out
truncated packets to force clients to connect over TCP, which
prevents spoofing.
- Properly truncate our own answers.
- Improve our TCP answers by using writev, which is slightly friendlier
to the network.
- On FreeBSD, TCP errors could cause the recursor to exit suddenly due
to a SIGPIPE signal.
- Maximum number of simultaneous client TCP connections can now be
limited with the max-tcp-clients setting.
- Add aggressive timeouts for TCP clients to make sure resources are
not wasted. Defaults to two seconds, can be configured with the
client-tcp-timeout setting.
Backend fixes
- SQLite backend would not slave properly (Darron Broad)
- Generic MySQL would not compile on 64-bit platforms.
New technology
- Added the new DNS parser logic, called MOADNSParser. Completely
modular, every memory access checked.
- ‘sdig’, a simple dig work-alike with ‘canonical’ output, which is
used for the regression tests. Based on the new DNS parser logic.
- dnswasher, dnsreplay and dnsscope, all DNS analysis
tools. See Tools to analyse DNS traffic for
more details.
- Generic Oracle Backend, sponsored by Register.COM. See Oracle
specifics.
Version 2.9.17
See the new timeline for
progress reports.
The ‘million domains’ release - PowerDNS has now firmly established
itself as a major player with the unofficial count (ie, guesswork) now
at over two million PowerDNS domains! Also, the GeoBackend has been
tested by a big website and may soon see wider deployment. Thanks to
Mark Bergsma for spreading the word!
It is also a release with lots of changes and fixes. Take care when
deploying!
Security issues
- PowerDNS could be temporarily DoSed using a random stream of bytes.
Reported cause of this has been fixed.
Enhancements
- Reported version can be changed, or removed - see the
“version-string” setting.
- Duplicate MX records are now no longer considered duplicate if their
priorities differ. Some people need this feature for spam filtering.
Bug fixes
- NAPTR records can now be slaved, patch by Lorens Kockum.
- GMySQL now works on Solaris
- PowerDNS could be confused by questions with a %-sign in them -
fixing cvstrac ticket #16 (reported by dilinger at voxel.net)
- An authentication bug in the webserver was possibly fixed, please
report if you were suffering from this. Being unable to authenticate
to the webserver was what you would’ve noticed.
- Fix for cvstrac ticket #2, PowerDNS could lose sync when sending out
a very large number of notifications. Excellent bug report by Martin
Hoffman, who also improved our original bugfix.
- Fix the oldest PowerDNS bug in existence - under some circumstances,
PowerDNS would log to syslog one character at a time. This was
cvstrac ticket #4
- HINFO records can now be slaved, fixing cvstrac ticket #8.
- pdns_recursor could block under some circumstances, especially in
case of corrupt UDP packets. Reported by Wichert Akkerman. Fix by
Christopher Meer. This was cvstrac ticket #13.
- Large SOA serial numbers would sometimes be logged as a signed
integer, leading to negative numbers in the log.
- PowerDNS now fully supports 32 bit SOA serial numbers (thanks to Mark
Bergsma), closing cvstrac ticket #5.
- pdns_recursor ^^local-address help text was wrong.
- Very devious bug - PowerDNS did not clear its cache before sending
out update notifications, leading slaves to conclude there was no
update to AXFR. Excellent debugging by mkuchar at wproduction.cz.
- Probably fixed cvstrac ticket #26, which caused pdns_recursor to
fail on recent FreeBSD 5.3 systems. Please check, I have no such
system to test on.
- Geobackend did not get built for Debian.
Version 2.9.16
The ‘it must still be Friday somewhere’ release. Massive number of
fixes, portability improvements and the new Geobackend by Mark Bergsma &
friends.
New
- The Geobackend which makes it possible to send different answers to
different IP ranges. Initial documentation can be found in
pdns/modules/geobackend/README.
- qgen query generation tool. Nearly completely undocumented and hard
to build too, it requires Boost. But very spiffy. Use cd pdns; make
qgen to build it.
Bugfixes
- The most reported bug ever was fixed. Zone2sql required the inclusion
of unistd.h, except on Debian unstable.
- PowerDNS tried to listen on its control “pipe” which does not work.
Probably harmless, but might have caused some oddities.
- The Packet Cache did not always set its TTL immediately, causing some
packets to be inserted, even when running with the cache disabled
(Mark Bergsma).
- Valgrind found some uninitialized reads, causing bogus values in the
priority field when it was not needed.
- Valgrind found a bug in MTasker where we used delete instead of
delete[].
- SOA serials and other parameters are unsigned. This means that very
large SOA serial numbers would be messed up (Michel Stol, Stefano
Straus)
- PowerDNS left its controlsocket around after exit and reported
confusing errors if a socket was already in use.
- The recursor proxy did not work on big endian systems like SPARC and
some MIPS processors (Remco Post)
- We no longer dump core on processing LOC records on UltraSPARC
(Andrew Mulholland supplied a testing machine)
Improvements
- MySQL can now connect to a specified port again (Chris Anderton).
- When running chroot()ed and with master or slave support active,
PowerDNS needs to resolve domain names to find slaves. This in turn
may require access to certain libraries. Previously, these needed to
be available in the chroot directory but by forcing an initial
lookup, these libraries are now loaded before the chrooting.
- pdns_recursor was very slow after having done a larger number of
queries because of the checks to see if a query should be throttled.
This is now done using a set which is a lot faster than the previous
full sequential scan.
- The throttling code may not have throttled as much as was configured.
- Yet another big LDAP update. The LDAP backend now load balances
connections over several hosts (Norbert Sendetzky)
- Updated b.root-servers.net address in the recursor
Version 2.9.15
This release fixes up some of the shortcomings in 2.9.14, and adds some
new features too.
Bugfixes
- allow-recursion-override was on by default, it was meant to be
off.
- Logging was still off in daemon mode, fixed.
- debian/rules forgot to build an sqlite package
- Recursor accidentally linked in MySQL - this was the result of an
experiment with a persistent recursor cache.
- The PowerDNS recursor had stability problems. It now sorts
nameservers (roughly) by responsiveness. The ‘roughly’ part upset the
sorting algorithm used, the speeds being sorted on changed during
sorting.
- The recursor now outputs the nameserver average response times in
trace mode
- LDAP compiles again.
Improvements
- zone2sql can now accept
-
as a file name which causes it to read
stdin. This allows the following to work: dig axfr example.org |
zone2sql ^^gmysql ^^zone=- | mysql pdns, which is a nice way to
import a zone.
- zone2sql now ignores duplicate SOA records which are identical -
which also makes the above possible.
- Remove libpqpp dependencies - since we now use the native C API for
PostgreSQL
Version 2.9.14
Big release with the fix for the all important 2^30 seconds problem and
a lot of other news. - errno problems would cause compilation problems
when using LDAP (Norbert Sendetzky) - The Generic SQL backend could
cause crashes on PostgreSQL when using pdns_control notify (Georg
Bauer) - Debian compatible init.d script (Wichert Akkerman) - If using
the master or slave features, pdns had the notion of eternity ending in
2038, except that due to a thinko, eternity ended out to be the 10th of
January 2004. This caused a loop to timeout immediately. Many thanks to
Jasper Spaans for spotting the bug within five minutes. - Parts of the
SOA field were not canonicalized. - The loglevel could in fact cause
nothing to be logged (Norbert Sendetzky)
Improvements
- The recursor now chooses the fastest nameserver, which causes a big
speedup!
- LDAP now has different lookup models
- Cleanups, better load distribution, better exception handling,
zone2ldap improvements
- The recursor was somewhat chatty about TCP connections
- PostgreSQL now only depends on the C API and not on the deprecated
C++ one
- PowerDNS can now fully overrule external zones when doing recursion.
See Recursion.
Version 2.9.13
Big news! Windows is back! Our great friend Michel Stol found the time
to update the PowerDNS code so it works again under windows.
Furthermore, big thanks go out to Dell who quickly repaired my trusty
laptop.
His changes - Generic SQLite support added - Removed the ODBC backend,
replaced it by the Generic ODBC Backend, which has all the cool
configurability of the Generic MySQL and PostgreSQL backends. - The
PowerDNS Recursor now runs as a Service. It defaults to running on port
5300, PowerDNS itself is configured to expect the Recursor on port 5300
now. - The PowerDNS Service is now known as ‘PowerDNS’ to Windows. - The
Installer was redone, this time with NSIS2. -
General updates and fixes.
Other news
Note: There appears to be a problem with PowerDNS on Red Hat 7.3
with GCC 2.96 and self-compiled binaries. The symptoms are that PowerDNS
works on the foreground but fails as a daemon. We’re working on it.
If you do note problems, let the list know, if you don’t, please do so
as well. Tell us if you use the RPM or compiled yourself.
It is known that not compiling in MySQL support helps solve the problem,
but then you don’t have MySQL.
There have been a number of reports on MySQL connections being dropped
on FreeBSD 4.x, which sometimes causes PowerDNS to give up and reload
itself. To combat this, MySQL error messages have been improved in some
places in hopes of figuring out what is up. The initial indication is
that MySQL itself sometimes terminates the connection and, amazingly,
that switching to a Unix domain socket instead of TCP solves the
problem.
Bug fixes
- allow-axfr-ips did not work for individual IP addresses (bug &
fix by Norbert Sendetzky)
Improvements
Opteron support! Thanks to Jeff Davey for providing a shell on an
Opteron. The fixes should also help PowerDNS on other platforms with
a 64 bit userspace.
Btw, the PowerDNS team has a strong desire for an Opteron :-)
pdns_recursor jumbles answers now. This means that you can do poor
man’s round robin by supplying multiple A, MX or AAAA records for a
service, and get a random one on top each time. Interestingly, this
feature appeared out of nowhere, this change was made to the
authoritative code but due to the wonders of code-reuse had an effect
on pdns_recursor too.
Big LDAP cleanup. Support for TLS was added. Zone2LDAP also gained
the ability to generate ldif files containing a tree or a list of
entries. (Norbert Sendetzky)
Zone2sql is now somewhat clearer when reporting malformed line errors
- it did not always include the name of the file causing a problem,
especially for big installations. Problem noted by Thom May.
pdns_recursor now survives the expiration of all its root records,
most often caused by prolonged disconnection from the net.
Version 2.9.12
Release rich in features. Work on Verisign oddities, addition of SQLite
backend, pdns_recursor maturity.
New features
- ^^version command (requested by Mike Benoit)
- delegation-only, a Verisign special.
- Generic SQLite support, by Michel ‘Who da
man?’ Stol. See Generic SQLite
backend.
- init.d script for pdns_recursor
- Recursor now actually purges its cache, saving memory.
- Slave configuration now no longer falls over when presented with a
NULL master
- Bindbackend2 now has supermaster support (Mark Bergsma, untested)
- Answers are now shuffled! It turns out a few recursors don’t do
shuffling (pdns_recursor, djbdns), so we do it now. Requested by
Jorn Ekkelenkamp of ISP-Services. This means that if you have
multiple IP addresses for one host, they will be returned in
differing order every once in a while.
Bugs
- 0.0.0.0/0 didn’t use to work (Norbert Sendetzky)
- pdns_recursor would try to resolve IP address which to bind to,
potentially causing chicken/egg problem
- gpgsql no longer reports as gmysql (Sherwin Daganoto)
- SRV would not be parsed right from disk (Christof Meerwald)
- An AXFR from a zone hosted on the LDAP backend no longer transmits
all the reverse entries too (Norbert Sendetzky)
- PostgreSQL backend now does error checking. It would be a bit too
trusting before.
Improvements, cleanups
- PowerDNS now reports the numerical IP addresses it binds to instead
of the, possibly, alphanumeric names the operator passed.
- Removed only-soa hackery (noticed by Norbert Sendetzky)
- Debian packaging fixes (Wichert Akkerman)
- Some parameter descriptions were improved.
- Cleanups by Norbert: getAuth moved to chopOff, arguments::contains
massive cleanup, more.
Version 2.9.11
Yet another iteration, hopefully this will be the last silly release.
Warning: There has been a change in behaviour whereby
disable-axfr does what it means now! From now on, setting
allow-axfr-ips automatically disables AXFR from unmentioned subnets.
This release enables AXFR again, disable-axfr did the opposite of
what it claimed. Furthermore, the pdns_recursor now cleans its cache,
which should save some memory in the long run. Norbert contributed some
small LDAP work which should come in useful in the future.
Version 2.9.10
Small bugfixes, LDAP update. Released 3rd of July 2003. Apologies for
the long delay, real life keeps interfering.
Warning: Do not use or try to use 2.9.9, it was a botched release!
Warning: There has been a change in behaviour whereby
disable-axfr does what it means now! From now on, setting
allow-axfr-ips automatically disables AXFR from unmentioned subnets.
- 2.9.8 was prone to crash on adding additional records. Thanks to
excellent debugging by PowerDNS users worldwide, the bug was found
quickly and is in fact present in all earlier PowerDNS releases, but
for some reason doesn’t cause crashes there.
- Notifications now jump in front of the queue of domains that need to
be checked for changes, giving much greater perceived performance.
This is needed if you have tens of thousands of slave domains and
your master server is on a high latency link. Thanks to Mark Jeftovic
of EasyDNS for suggesting this change and testing it on their
platform.
- Dean Mills reported that PowerDNS does confusing logging about
changing GIDs and UIDs, fixed. Cosmetic only.
- pdns_recursor may have logged empty lines for some users, fixed.
Solution suggested by Norbert Sendetzky.
- LDAP: DNS TTLs were random values (Norbert Sendetzky, Stefan
Pfetzing). New ldap-default-ttl option.
- LDAP: Now works with OpenLDAP 2.1 (Norbert Sendetzky)
- LDAP: error handling for invalid MX records implemented (Norbert
Sendetzky)
- LDAP: better exception handling (Norbert Sendetzky)
- LDAP: code cleanup of lookup() (Norbert Sendetzky)
- LDAP: added support for scoped searches (Norbert Sendetzky)
Version 2.9.8
Queen’s day release! 30th of April 2003.
Added support for AIX, fixed negative SOA caching. Some other cleanups.
Not a major release but enough reasons to upgrade.
Bugs fixed
- Recursor had problems expiring negatively cached entries, which
wasted memory and also led to the continued non-existence of hosts
that since had come into existence.
- The Generic SQL backends did not lowercase the names of records,
which led to new records not being found by case-sensitive databases
(notably PostgreSQL). Found by Volker Goetz.
- NS queries for zones for which we did not carry authority, but only
had delegation information, had their NS records in the wrong
section. Minor detail, but a standards violation nonetheless. Spotted
by Stephane Bortzmeyer.
Improvements
- Removed crypt.h dependency from powerldap.hh, which was a problem on
some platforms (Richard Arends)
- PowerDNS can’t parse so called binary labels which we now detect and
ignore, after printing a warning.
- Specifying allow-axfr-ips now automatically disables AXFR for all
non-mentioned addresses.
- A Solaris ready init.d script is now part of the tar.gz (contributed,
but I lost by whom).
- Added some fixes to PowerDNS can work on AIX (spotted by Markus
Heimhilcher).
- Norbert Sendetzky contributed
zone2ldap
.
- Everybody’s favorite compiler warning from
zone2sql.cc
was
removed!
- Recursor now listens on TCP!
Version 2.9.7
Released on 2003-03-20.
This is a sweeping release in the sense of cleanup. There are some new
features but mostly a lot of cleanup going on. Hiding inside is the
bind2backend
, the next generation of the bind backend. A work in
progress. Those of you with overlapping zones, as mentioned in the
changelog of 2.9.6, are invited to check it out by replacing
launch=bind by launch=bind2 and renaming all bind-
parameters to bind2-. Be aware that if you run with many small
zones, this backend is faster, but if you run with a few large ones, it
is slower. This will improve.
Features
- Mark Bergsma contributed query-local-address which allows the
operator to select which source address to use. This is useful on
servers with multiple source addresses and the operating system
selecting an unintended one, leading to remotes denying access.
- PowerDNS can now perform AAAA additional processing optionally,
turned on by setting do-ipv6-additional-processing. Thanks to
Stephane Bortzmeyer for pointing out the need.
- Bind2backend, which is almost in compliance with the new IETF
AXFR-clarify (some would say ‘redefinition’) draft. This backend is
not ready for primetime but you may want to try it if you currently
have overlapping zones and note problems. An overlapping zone would
be having “ipv6.powerdns.com” and “powerdns.com” zones on one server.
Improvements
- Zone2sql would happily try to read from a directory and not give a
useful error about this.
- PowerDNS now reports the case where it can’t figure out any IP
address of slave nameservers for a zone
- Removed receiver-threads setting which was experimental and in
fact only made things worse.
- LDAP backend updates from its author Norbert Sendetzky. Reverse
lookups should work now too.
- An error message about unparsable packets did not include the
originating IP address (fixed by Mark Bergsma)
- PowerDNS can now be started via path resolution while running with a
guardian. Suggested by Maurice Nonnekes.
pdns_recursor
moved to sbin
(reported by Norbert Sendetzky)
- Retuned some logger errorlevels, a lot of master/slave chatter was
logged as ‘Error’. Reported by Willem de Groot.
Bugs fixed
zone2sql
did not remove trailing dots in SOA records.
- ldapbackend did not include
utility.hh
which caused compilation
problems on Solaris (reported by Remco Post)
pdns_control
could leave behind remnants in case PowerDNS was not
running (reported by dG)
- Incoming AXFR did not work on Solaris and other big-endian systems
(Willem de Groot helped debugging this long-standing problem).
- Recursor could crash on convoluted CNAME loops. Thanks to Dan Faerch
for delivering core dumps.
- Silly ‘wuh’ debugging output in zone2sql and bindbackend removed
(spotted by Ivo van der Wijk).
- Recursor neglected to differentiate between negative cache of
NXDOMAIN and NOERROR, leading to problems with IPv6 enabled Windows
clients. Thanks to Stuart Walsh for reporting this and testing the
fix.
- PowerDNS set the ‘aa’ bit on serving NS records in a zone for which
it was authoritative. Most implementations drop the ‘aa’ bit in this
case and Stephane Bortzmeyer informed us of this. PowerDNS now also
drops the ‘aa’ bit in this case.
- The webserver tended to fail after prolonged operation on FreeBSD,
this was due to an uninitialised timeout, other platforms were lucky.
Thanks to G.P. de Boer for helping debug this.
- getAnswers() in dnspacket.cc could be forced to read bytes beyond the
end of the packet, leading to crashes in the PowerDNS recursor. This
is an ongoing project that needs more work. Reported by Dan Faerch,
with a core dump proving the problem.
Version 2.9.6
Two new backends - Generic ODBC (windows only) and LDAP. Furthermore, a
few important bugs have been fixed which may have hampered sites seeing
a lot of outgoing zone transfers. Additionally, the pdns recursor now
has ‘query throttling’ which is pretty cool. In short this makes sure
that PowerDNS does not send out heaps of queries if a nameserver is
unable to provide an answer. Many operators of authoritative setups are
all too aware of recursing nameservers that hammer them for zones they
don’t have, PowerDNS won’t do that anymore now, no matter what clients
request of it.
Warning: There is an unresolved issue with the BIND backend and
‘overlapping’ slave zones. So if you have ‘example.com’ and also have a
separate slave zone called ‘external.example.com’, things may go wrong
badly. Thanks to Christian Laursen for working with us a lot in finding
this issue. We hope to resolve it soon.
- BIND Backend now honours notifies, code to support this was
accidentally left out. Thanks to Christian Laursen for noticing this.
- Massive speedup for those of you using the slightly deprecated MBOXFW
records. Thanks to Jorn of ISP
Services for helping and testing this
improvement.
- $GENERATE had an off-by-one bug where it would omit the last record
to be generated (Christian Laursen)
- Simultaneous AXFRs may have been problematic on some backends. Thanks
to Jorn of ISP-Services again for helping us resolve this issue.
- Added LDAP backend by Norbert Sendetzky, see LDAP
Backend.
- Added Generic ODBC backend for Windows by Michel Stol.
- Simplified ‘out of zone data’ detection in incoming AXFR support,
hopefully removing a case sensitivity bug there. Thanks again to
Christian Laursen for reporting this issue.
- $include in-zonefile was broken under some circumstances, losing the
last character of a file name. Thanks to Joris Vandalon for noticing
this.
- The zone parser was more case-sensitive than BIND, refusing to accept
‘in’ as well as ‘IN’. Thanks to Joris Vandalon for noticing this.
Version 2.9.5
Released on 2002-02-03.
This version is almost entirely about recursion with major changes to
both the pdns recursor, which is renamed to ‘pdns_recursor
’ and to
the main PowerDNS binary to make it interact better with the recursing
component.
Sadly, due to technical
reasons,
compiling the pdns recursor and pdns authoritative nameserver into one
binary is not immediately possible. During the release of 2.9.4 we
stated that the recursing nameserver would be integrated in the next
release - this won’t happen now.
However, this turns out to not be that bad at all. The recursor can now
be restarted without having to restart the rest of the nameserver, for
example. Cooperation between the both halves of PowerDNS is also almost
seamless. As a result, ‘non-lazy recursion’ has been dropped. See
Recursion for more details.
Furthermore, the recursor only works on Linux, Windows and Solaris (not
entirely). FreeBSD does not support the required functions. If you know
any important FreeBSD people, plea with them to support
set/get/swapcontext! Alternatively, FreeBSD coders could read the
solution presented here in figure
5.
The ‘Contributor of the Month’ award goes to Mark Bergsma who has
responded to our plea for help with the label compressor and contributed
a wonderfully simple and right fix that allows PowerDNS to compress just
as well as other nameservers out there. An honorary mention goes to Ueli
Heuer who, despite having no C++ experience, submitted an excellent SRV
record implementation.
Excellent work was also performed by Michel Stol, the Windows guy, in
fixing all our non-portable stuff again. Christof Meerwald has also done
wonderful work in porting MTasker to Windows, which was then used by
Michel to get the recursor functioning on Windows.
Other changes
- dnspacket.cc was cleaned up by factoring out common operations
- Heaps of work on the recursing nameserver. Has now achieved days of
uptime!
- Recursor renamed from syncres to
pdns_recursor
- PowerDNS can now serve records it does not know about. To benefit
from this slightly undocumented feature, add 1024 to the numerical
type of a record and include the record in binary form in your
database. Used internally by the recursing nameserver but you can use
it too.
- PowerDNS now knows about SIG and KEY records names. It does not
support them yet but can at least report so now.
- HINFO records can now be transferred from a master to PowerDNS
(thanks to Ueli Heuer for noticing it didn’t work).
- Yet more UltraSPARC alignment issues fixed (Chris Andrews).
- Dropped non-lazy recursion, nobody was using it. Lazy recursion
became even more lazy after Dan Bernstein pointed out that additional
processing is not vital, so PowerDNS does its best to do additional
processing on recursive queries, but does not scream murder if it
does not succeed. Due to caching, the next identical query will be
successfully additionally processed.
- Label compression was improved so we can now fit all . records in 436
bytes, this used to be 460! (Code & formal proof of correctness by
Mark Bergsma).
- SRV support (incoming and outgoing), submitted by Ueli Heuer.
- Generic backends do not support SOA serial autocalculation, it
appears. Could lead to random SOA serials in case of a serial of 0 in
the database. Fixed so that 0 stays zero in that case. Don’t set the
SOA serial to 0 when using Generic MySQL or Generic PostgreSQL!
- J root-server address was updated to its new location.
- SIGUSR1 now forces the recursor to print out statistics to the log.
- Meaning of recursor logging was changed a bit - a cache hit is now a
question that was answered with 0 outgoing packets needed. Used to be
a weighted average of internal cache hits.
- MySQL compilation did not include -lz which causes problems on some
platforms. Thanks to James H. Cloos Jr for reporting this.
- After a suggestion by Daniel Meyer and Florus Both, the built in
webserver now reports the configuration name when multiple PowerDNS
instances are active.
- Brad Knowles noticed that zone2sql had problems with the root.zone,
fixed. This also closes some other zone2sql annoyances with
converting single zones.
Version 2.9.4
Yet another grand release. Big news is the addition of a recursing
nameserver which has sprung into existence over the past week. It is in
use on several computers already but it is not ready for prime time.
Complete integration with PowerDNS is expected around 2.9.5, for now the
recursor is a separate program.
In preliminary tests, the recursor appears to be four times faster than
BIND 9 on a naive benchmark starting from a cold cache. BIND 9 managed
to get through to some slower nameservers however, which were given up
on by PowerDNS. We will continue to tune the recursor. See PowerDNS
Recursor for further details.
The BIND Backend has also been tested (see the bind-domain-status
item below) rather heavily by several parties. After some discussion
online, one of the BIND authors ventured that the newsgroup
comp.protocols.dns.bind may now in fact be an appropriate venue for
discussing PowerDNS. Since this discussion, traffic to the PowerDNS
pages has increased sixfold and shows no signs of slowing down.
From this, it is apparent that far more people are interested in
PowerDNS than yet know about it. So spread the word!
In other news, we now have a security page at
Security. Furthermore, Maurice Nonnekes
contributed an OpenBSD port! See his
page for more details!
New features and improvements
- All SQL queries in the generic backends are now available for
configuration. (Martin Klebermass, Bert Hubert). See Generic SQL
backends.
- A recursing nameserver! See PowerDNS
Recursor.
- An incoming AXFR now only starts a backend zone replacement
transaction after the first record arrived successfully, thus making
sure no work is done when a remote nameserver is unable/unwilling to
AXFR a zone to us.
- Zone parser error messages were improved slightly (thanks to Stef van
Dessel for spotting this shortcoming)
- XS4ALL’s Erik Bos checked how PowerDNS reacted to a BIND installation
with almost 60.000 domains, some of which with >100.000 records, and
he discovered the pdns_control bind-domain-status command became
very slow with larger numbers of domains. Fixed, 60.000 domains are
now listed in under one second.
- If a remote nameserver disconnects during an incoming AXFR, the
update is now rolled back, unless the AXFR was properly terminated.
- The migration chapter mentioned the use of deprecated backends.
A tremendous number of bugs were discovered and fixed
- Zone parser would only accept $include and not $INCLUDE
- Zone parser had problems with $lines with comments on the end
- Wildcard ANY queries were broken (thanks Colemarcus for spotting
this)
- A connection failure with the Generic backends would lead to a
powerdns reload (cast of many)
- Generic backends had some semantic problems with slave support.
Symptoms were oft-repeated notifications and transfers (thanks to
Mark Bergsma for helping resolve this).
- Solaris version compiles again. Thanks to Mohamed Lrhazi for
reporting that it didn’t.
- Some UltraSPARC alignment fixes. Thanks to Mohamed Lrhazi for being
helpful in spotting these. One problem is still outstanding, Mohamed
sent a core dump that tells us where the problem is. Expect the fix
to be in 2.9.5. Volunteers can grep the source for ‘UltraSPARC’ to
find where the problem is.
- Our support of IPv6 on FreeBSD had phase of moon dependent bugs,
fixed by Peter van Dijk.
- Some crashes of and by pdns_control were fixed, thanks to Mark
Bergsma for helping resolve these.
- Outgoing AXFR in pdns installations with multiple loaded backends was
broken (thanks to Stuart Walsh for reporting this).
- A failed BIND Backend incoming AXFR would block the zone until it
succeeded again.
- Generic PostgreSQL backend wouldn’t compile with newer libpq++, fixed
by Julien Lemoine/SpeedBlue.
- Potential bug (not observed) when listening on multiple interfaces
fixed.
- Some typos in manpages fixed (reported by Marco Davids).
Version 2.9.3a
Note: 2.9.3a is identical to 2.9.3 except that zone2sql does work
Broad range of huge improvements. We now have an all-static .rpm and
.deb for Linux users and a link to an OpenBSD port. Major news is that
work on the Bind backend has progressed to the point that we’ve just
retired our last Bind server and replaced it with PowerDNS in Bind mode!
This server is operating a number of master and slave setups so it
should stress the Bind backend somewhat.
This version is rapidly approaching the point where it is a
better-Bind-than-Bind and nearly a drop-in replacement for authoritative
setups. PowerDNS is now equipped with a powerful master/slave apparatus
that offers a lot of insight and control to the user, even when
operating from Bind zone files and a Bind configuration. Observe.
After the SOA of example.org was raised
pdns[17495]: All slave domains are fresh
pdns[17495]: 1 domain for which we are master needs notifications
pdns[17495]: Queued notification of domain 'example.org' to 195.193.163.3
pdns[17495]: Queued notification of domain 'example.org' to 213.156.2.1
pdns[17520]: AXFR of domain 'example.org' initiated by 195.193.163.3
pdns[17520]: AXFR of domain 'example.org' to 195.193.163.3 finished
pdns[17521]: AXFR of domain 'example.org' initiated by 213.156.2.1
pdns[17521]: AXFR of domain 'example.org' to 213.156.2.1 finished
pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
pdns[17495]: No master domains need notifications
If however our slaves would ignore us, as some are prone to do, we can
send some additional notifications
$ sudo pdns_control notify example.org
Added to queue
pdns[17492]: Notification request for domain 'example.org' received
pdns[17492]: Queued notification of domain 'example.org' to 195.193.163.3
pdns[17492]: Queued notification of domain 'example.org' to 213.156.2.1
pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
Conversely, if PowerDNS needs to be reminded to retrieve a zone from a
master, a command is provided
$ sudo pdns_control retrieve forfun.net
Added retrieval request for 'forfun.net' from master 212.187.98.67
pdns[17495]: AXFR started for 'forfun.net', transaction started
pdns[17495]: Zone 'forfun.net' (/var/cache/bind/forfun.net) reloaded
pdns[17495]: AXFR done for 'forfun.net', zone committed
Also, you can force PowerDNS to reload a zone from disk immediately with
pdns_control bind-reload-now. All this happens ‘live’, per your
instructions. Without instructions, the right things also happen, but
the operator is in charge.
For more about all this coolness, see
“pdns_control” and
“pdns_control
commands”.
Warning: Again some changes in compilation instructions. The hybrid
pgmysql backend has been split up into ‘gmysql’ and ‘gpgsql’, sharing a
common base within the PowerDNS server itself. This means that you can
no longer compile ^^with-modules=”pgmysql” ^^enable-mysql
^^enable-pgsql but that you should now use: ^^with-modules=”gmysql
gpgsql”. The old launch-names remain available.
If you launch the Generic PostgreSQL backend as gpgsql2, all parameters
will have gpgsql2 as a prefix, for example gpgsql2-dbname. If
launched as gpgsql, the regular names are in effect.
Warning: The pdns_control protocol was changed which means that
older pdns_controls cannot talk to 2.9.3. The other way around is
broken too. This may lead to problems with automatic upgrade scripts, so
pay attention if your daemon is truly restarted.
Also make sure no old pdns_control command is around to confuse things.
Improvements
- Bind backend can now deal with missing files and try to find them
later.
- Bind backend is now explicitly master capable and triggers the
sending of notifications.
- General robustness improvements in Bind backend - many errors are now
non-fatal.
- Accessibility, Serviceability. New pdns_server commands like
bind-list-rejects (lists zones that could not be loaded, and the
reason why), bind-reload-now (reload a zone from disk NOW),
rediscover (reread named.conf NOW). More is coming up.
- Added support for retrieving RP (Responsible Person) records from
remote masters. Serving them was already possible.
- Added support for LOC records, which encode the geographical location
of a host, both serving and retrieving (thanks to Marco Davids using
them on our last Bind server, forcing us to implement this silly
record).
- Configuration file parser now strips leading spaces too, allowing
“chroot= /tmp” to work, as well as “chroot=/tmp” (Thanks to Hub
Dohmen for reporting this for months on end).
- Added bind-domain-status command that shows the status of all
domains (when/if they were parsed, any errors encountered while
parsing them).
- Added bind-reload-now command that tries to reload a zone from
disk NOW, and reports back errors to the operator immediately.
- Added retrieve command that queues a request to retrieve a zone
from its master.
- Zones retrieved from masters are now stored way smaller on disk
because the domain is stripped from records, which is derived from
the configuration file. Retrieved zones are now prefixed with some
information on where they came from.
Changes
- gpgsql and gmysql backends split out of the hybrid pgmysqlbackend.
This again changed compilation instructions!
- pdns_control now uses the rarely seen SOCK_STREAM Unix Domain
socket variety so it can transport large amounts of text, which is
needed for the bind-domain-status command, for which see
Pdns_control
commands.
This breaks compatibility with older pdns_control and pdns_server
binaries!
- Bind backend now ignores ‘hint’ and ‘forward’ and other unsupported
zone types.
- AXFRs are now logged more heavily by default. An AXFR is a heavy
operation anyhow, some more logging does not further increase the
load materially. Does help in clearing up what slaves are doing.
- A lot of master/slave chatter has been silenced, making output more
relevant. No more repetitive ‘No master domains need notifications’
etc, only changes are reported now.
Bugfixes
- Windows version did not compile without minor changes.
- Confusing error reporting on Windows 98 (which does not support
PowerDNS) fixed
- Potential crashes with shortened packets addressed. An upgrade is
advised!
- notify (which was already there, just badly documented) no longer
prints out debugging garbage.
- pgmysql backend had problems launching when not compiled in but
available as a module. Workaround for 2.9.2 is
‘load-modules=pgmysql’, but even then gpgsql would not work! gmysql
would then, however. These modules are now split out, removing such
issues.
Version 2.9.2
Bugfixes galore. Solaris porting created some issues on all platforms.
Great news is that PowerDNS is now in Debian ‘sid’ (unstable). The 2.9.1
packages in there currently aren’t very good but the 2.9.2 ones will be.
Many thanks to Wichert Akkerman, our ‘downstream’ for making this
possible.
Warning: The Generic MySQL backend, part of the Generic MySQL &
PostgreSQL backend, is now the DEFAULT! The previous default, the
‘mysql’ backend (note the lack of ‘g’) is now DEPRECATED. This was the
source of much confusion. The ‘mysql’ backend does not support MASTER or
SLAVE operation. The Generic backends do.
To get back the mysql backend, add ^^with-modules=”mysql” or
^^with-dynmodules=”mysql” if you prefer to load your modules at runtime.
Bugs fixed
- Silly debugging output removed from the webserver (found by Paul
Wouters)
- SEVERE: due to Solaris portability fixes, qtypes<127 were broken.
These include NAPTR, ANY and AXFR. The upshot is that powerdns wasn’t
performing outgoing AXFRs nor ANY queries. These were the ‘question
for type -1’ warnings in the log
- incoming AXFR could theoretically miss some trailing records (not
observed, but could happen)
- incoming AXFR did not support TXT records (spotted by Paul Wouters)
- with some remotes, an incoming AXFR would not terminate until a
timeout occurred (observed by Paul Wouters)
- Documentation bug, pgmysql != mypgsql
Features
- pdns init.d script is now +x by default
- OpenBSD is on its way of becoming a supported platform! As of 2.9.2,
PowerDNS compiles on OpenBSD but swiftly crashes. Help is welcome.
- ODBC backend (for Windows only) was missing from the distribution,
now added.
- xdb backend added - see XDB
Backend.
Designed for use by root-server operators.
- Dynamic modules are back which is good news for distributors who want
to make a pdns packages that does not depend one every database under
the sun.
Version 2.9.1
Thanks to the great enthusiasm from around the world, powerdns is now
available for Solaris and FreeBSD users again! Furthermore, the Windows
build is back. We are very grateful for the help of
- Michel Stol
- Wichert Akkerman
- Edvard Tuinder
- Koos van den Hout
- Niels Bakker
- Erik Bos
- Alex Bleker
- Steven Stillaway
- Roel van der Made
- Steven Van Steen
We are happy to have been able to work with the open source community to
improve PowerDNS!
Changes
- The monitor command set no longer allows the changing of
nonexistent variables.
- IBM Universal Database DB2 backend now included in source
distribution (untested!)
- Oracle backend now included in source distribution (slightly tested!)
- configure script now searches for postgresql and mysql includes
- Bind parser now no longer dies on records with a ‘ in them (Erik Bos)
- The pipebackend was accidentally left out of 2.9
- FreeBSD fixes (with help from Erik Bos, Alex Bleeker, Niels Bakker)
- Heap of Solaris work (with help from Edvard Tuinder, Stefan Van
Steen, Koos van den Hout, Roel van der Made and especially Mark
Bakker). Now compiles in 2.7 and 2.8, haven’t tried 2.9. May be a bit
dysfunctional on 2.7 though - it won’t do IPv6 and it won’t serve
AAAA. Patches welcome!
- Windows 32 build is back! Michel Stol updated his earlier work to the
current version.
- S/Linux (Linux on Sparc) build works now (with help from Steven
Stillaway).
- Silly debugging message (‘sd.ttl from cache’) removed
- .deb files are back, hopefully in ‘sid’ soon! (Wichert Akkerman)
- Removal of bzero and other less portable constructs. Discovered that
recent Linux glibc’s need -D_GNU_SOURCE (Wichert Akkerman).
Version 2.9
Open source release. Do not deploy unless you know what you are doing.
Stability is expected to return with 2.9.1, as are the binary builds.
- License changed to the GNU General Public License version 2.
- Cleanups by Erik Bos @ xs4all.
- Build improvements by Wichert Akkerman
- Lots of work on the build system, entirely revamped. By PowerDNS.
Version 2.8
From this release onwards, we’ll concentrate on stabilising for the 3.0
release. So if you have any must-have features, let us know soonest. The
2.8 release fixes a bunch of small stability issues and add two new
features. In the spirit of the move to stability, this release has
already been running 24 hours on our servers before release.
- pipe backend gains the ability to restricts its invocation to a
limited number of requests. This allows a very busy nameserver to
still serve packets from a slow perl backend.
- pipe backend now honors query-logging, which also documents which
queries were blocked by the regex.
- pipe backend now has its own backend chapter.
- An incoming AXFR timeout at the wrong moment had the ability to crash
the binary, forcing a reload. Thanks to our bug spotting champions
Mike Benoit and Simon Kirby of NetNation for reporting this.
Version 2.7 and 2.7.1
This version fixes some very long-standing issues and adds a few new
features. If you are still running 2.6, upgrade yesterday. If you were
running 2.6.1, an upgrade is still strongly advised.
Features
- The controlsocket is now readable and writable by the ‘setgid’ user.
This allows for non-root access to PowerDNS which is nice for mrtg or
cricket graphs.
- MySQL backend (the non-generic one) gains the ability to read from a
different table using the mysql-table setting.
- pipe backend now has a configurable timeout using the
pipe-timeout setting. Thanks to Steve Bromwich for pointing out
the need for this.
- Experimental backtraces. If PowerDNS crashes, it will log a lot of
numbers and sometimes more to the syslog. If you see these, please
report them to us. Only available under Linux.
Bugs
- 2.7 briefly broke the mysql backend, so don’t use it if you use that.
2.7.1 fixes this.
- SOA records could sometimes have the wrong TTL. Thanks to Jonas
Daugaard for reporting this.
- An ANY query might lead to duplicate SOA records being returned under
exceptional circumstances. Thanks to Jonas Daugaard for reporting
this.
- Underlying the above bug, packet compression could sometimes suddenly
be turned off, leading to overly large responses and non-removal of
duplicate records.
- The allow-axfr-ips setting did not accept IP ranges
(192.0.2.0/24) which the documentation claimed it did (thanks to
Florus Both of Ascio technologies for being sufficiently persistent
in reporting this).
- Killed backends were not being respawned, leading to suboptimal
behaviour on intermittent database errors. Thanks to Steve Bromwich
for reporting this.
- Corrupt packets during an incoming AXFR when acting as a slave would
cause a PowerDNS reload instead of just failing that AXFR. Thanks to
Mike Benoit and Simon Kirby of NetNation for reporting this.
- Label compression in incoming AXFR had problems with large offsets,
causing the above mentioned errors. Thanks to Mike Benoit and Simon
Kirby of NetNation for reporting this.
Version 2.6.1
Quick fix release for a big cache problem.
Version 2.6
Performance release. A lot of work has been done to raise PowerDNS
performance to staggering levels in order to take part in benchmarketing
efforts. Together with our as yet unnamed partner, PowerDNS has been
benchmarked at 60.000 mostly cached queries/second on off the shelf PC
hardware. Uncached performance was 17.000 uncached DNS queries/second on
the .ORG domain.
Performance has been increased by both making PowerDNS itself quicker
but also by lowering the number of backend queries typically needed.
Operators will typically see PowerDNS taking less CPU and the backend
seeing less load.
Furthermore, some real bugs were fixed. A couple of undocumented
performance switches may appear in ^^help output but you are advised to
stay away from these.
Developers: this version needs the pdns-2.5.1 development kit, available
on http://downloads.powerdns.com/releases/dev. See also Backend
writers’ guide.
Performance
- A big error in latency calculations - cached packets were weighed 50
times less, leading to inflated latency reporting. Latency
calculations are now correct and way lower - often in the
microseconds range.
- It is now possible to run with 0 second cache TTLs. This used to
cause very frequent cache cleanups, leading to performance
degradation.
- Many tiny performance improvements, removing duplicate cache key
calculations, etc. The cache itself has also been reworked to be more
efficient.
- First ‘CNAME’ backend query replaced by an ‘ANY’ query, which most of
the time returns the actual record, preventing the need for a
separate CNAME lookup, halving query load.
- Much of the same for same-level-NS records on queries needing
delegation.
Bugs fixed
- Incidentally, the cache count would show ‘unknown’ packets, which was
harmless but confusing. Thanks to Mike and Simon of NetNation for
reporting this.
- SOA hostmaster with a . in the local-part would be cached wrongly,
leading to a stray backslash in case of multiple successively SOA
queries. Thanks to Ascio Technologies for spotting this bug.
- zone2sql did not parse Verisign zone files correctly as these
contained a $TTL statement in mid-record.
- Sometimes packets would not be accounted, leading to ‘udp-queries’
and ‘udp-answers’ divergence.
Features
- ‘cricket’ command added to init.d scripts that provides unadorned
output for parsing by ‘Cricket’.
Version 2.5.1
Brown paper
bag
release fixing a huge memory leak in the new Query Cache.
Developers: this version needs the new pdns-2.5.1 development kit,
available on http://downloads.powerdns.com/releases/dev. See also
Backend writers’ guide.
And some small changes
- Added support for RFC 2308 compliant negative-answer caching. This
allows remotes to cache the fact that a domain does not exist and
will not exist for a while. Thanks to Chris Thompson for pointing
out how tiny our minds
are.
This feature may cause a noticeable reduction in query load.
- Small speedup to non-packet-cached queries, incidentally fixing the
huge memory leak.
- pdns_control ccounts command outputs statistics on what is in
the cache, which is useful to help optimize your caching strategy.
Version 2.5
An important release which has seen quite a lot of trial and error
testing. As a result, PowerDNS can now run with a huge cache and
concurrent invalidations. This is useful when running of a slower
database or under high traffic load with a fast database.
Furthermore, the gpgsql2 backend has been validated for use and will
soon supplant the gpgsql backend entirely. This also bodes well for the
gmysql backend which is the same code.
Also, a large amount of issues biting large scale slave operators were
addressed. Most of these issues would only show up after prolonged
uptime.
New features
Query cache. The old Packet Cache only cached entire questions and
their answers. This is very CPU efficient but does not lead to
maximum hitrate. Two packets both needing to resolve smtp.you.com
internally would not benefit from any caching. Furthermore, many
different DNS queries lead to the same backend queries, like ‘SOA for
.COM?’.
PowerDNS now also caches backend queries, but only those having no
answer (the majority) and those having one answer (almost the rest).
In tests, these additional caches appear to halve the database
backend load numerically and perhaps even more in terms of CPU load.
Often, queries with no answer are more expensive than those having
one.
The default ttls for the query-cache and negquery-cache are set
to safe values (20 and 60 seconds respectively), you should be seeing
an improvement in behaviour without sacrificing a lot in terms of
quick updates.
The webserver also displays the efficiency of the new Query Cache.
The old Packet Cache is still there (and useful) but see
Authoritative Server Performance
for more details.
There is now the ability to shut off some logging at a very early
stage. High performance sites doing thousands of queries/second may
in fact spend most of their CPU time on attempting to write out
logging, even though it is ignored by syslog. The new flag
log-dns-details, on by default, allows the operator to kill most
informative-only logging before it takes any cpu.
Flags which can be switched ‘on’ and ‘off’ can now also be set to
‘off’ instead of only to ‘no’ to turn them off.
Enhancements
Packet Cache is now case-insensitive, leading to a higher hitrate
because identical queries only differing in case now both match. Care
is taken to restore the proper case in the answer sent out.
Packet Cache stores packets more efficiently now, savings are
estimated at 50%.
The Packet Cache is now asynchronous which means that PowerDNS
continues to answer questions while the cache is busy being purged or
queried. Incidentally this will mean a cache miss where previously
the question would wait until the cache became available again.
The upshot of this is that operators can call pdns_control purge
as often as desired without fearing performance loss. Especially the
full, non-specific, purge was sped up tremendously.
This optimization is of little merit for small sites but is very
important when running with a large packetcache, such as when using
recursion under high load.
AXFR log messages now all contain the word ‘AXFR’ to ease grepping.
Linux static version now compiled with gcc 3.2 which is known to
output better and faster code than the previously used 3.0.4.
Bugs fixed
- Packetcache would sometimes send packets back with slightly modified
flags if these differed from the flags of the cached copy.
- Resolver code did bad things with file descriptors leading to fd
exhaustion after prolonged uptimes and many slave SOA currency
checks.
- Resolver code failed to properly log some errors, leading to operator
uncertainty regarding to AXFR problems with remote masters.
- After prolonged uptime, slave code would try to use privileged ports
for originating queries, leading to bad replication efficiency.
- Masters sending back answers in differing case from questions would
lead to bogus ‘Master tried to sneak in out-of-zone data’ errors and
failing AXFRs.
Version 2.4
Developers: this version is compatible with the pdns-2.1 development
kit, available on http://downloads.powerdns.com/releases/dev. See also
*Backend writers’ guide*.
This version fixes some stability issues with malformed or malcrafted
packets. An upgrade is advised. Furthermore, there are interesting new
features.
New features
Recursive queries are now also cached, but in a separate namespace so
non-recursive queries don’t get recursed answers and vice versa. This
should mean way lower database load for sites running with the
current default lazy-recursion. Up to now, each and every recursive
query would lead to a large amount of SQL queries.
To prevent the packetcache from becoming huge, a separate
recursive-cache-ttl can be specified.
The ability to change parameters at runtime was added. Currently,
only the new query-logging flag can be changed.
Added query-logging flag which hints a backend that it should
output a textual representation of queries it receives. Currently
only gmysql and gpgsql2 honor this flag.
Gmysql backend can now also talk to PostgreSQL, leading to less code.
Currently, the old postgresql driver (‘gpgsql’) is still the default,
the new driver is available as ‘gpgsql2’ and has the benefit that it
does query logging. In the future, gpgsql2 will become the default
gpgsql driver.
DNS recursing proxy is now more verbose in logging odd events which
may be caused by buggy recursing backends.
Webserver now displays peak queries/second 1 minute average.
Bugs fixed
- Failure to connect to database in master/slave communicator thread
could lead to an unclean reload, fixed.
Documentation: added details for strict-rfc-axfrs. This feature can
be used if very old clients need to be able to do zone transfers with
PowerDNS. Very slow.
Version 2.3
Developers: this version is compatible with the pdns-2.1 development
kit, available on http://downloads.powerdns.com/releases/dev. See also
Backend writers’ guide
This release adds the Generic MySQL backend which allows full
master/slave semantics with MySQL and InnoDB tables (or other tables
that support transactions). See Generic MySQL
backend.
Other new features
- Improved error messages in master/slave communicator will help down
track problems.
- slave-cycle-interval setting added. Very large sites with
thousands of slave domains may need to raise this value above the
default of 60. Every cycle, domains in indeterminate state are
checked for their condition. Depending on the health of the masters,
this may entail many SOA queries or attempted AXFRs.
Bugs fixed
- ‘pdns_control purge ``domain``’ and ‘pdns_control purge
``domain$``’ were broken in version 2.2 and did not in fact purge
the cache. There is a slight risk that domain-specific purge commands
could force a reload in previous version. Thanks to Mike Benoit of
NetNation for discovering this.
- Master/slave communicator thread got confused in case of delayed
answers from slow masters. While not causing harm, this caused
inefficient behaviour when testing large amounts of slave domains
because additional ‘cycles’ had to pass before all domains would have
their status ascertained.
- Backends implementing special SOA semantics (currently only the
undocumented ‘pdns express backend’, or homegrown backends) would
under some circumstances not answer the SOA record in case of an ANY
query. This should put an end to the last DENIC problems. Thanks to
DENIC for helping us find the problem.
Version 2.2
Developers: this version is compatible with the pdns-2.1 development
kit, available on http://downloads.powerdns.com/releases/dev. See also
Backend writers’ guide
Again a big release. PowerDNS is seeing some larger deployments in more
demanding environments and these are helping shake out remaining issues,
especially with recursing backends.
The big news is that wildcard CNAMEs are now supported, an oft requested
feature and nearly the only part in which PowerDNS differed from BIND in
authoritative capabilities.
If you were seeing signal 6 errors in PowerDNS causing reloads and
intermittent service disruptions, please upgrade to this version.
For operators of PowerDNS Express trying to host .DE domains, the very
special soa-serial-offset feature has been added to placate the new
DENIC requirement that the SOA serial be at least six digits. PowerDNS
Express uses the SOA serial as an actual serial and not to insert dates
and hence often has single digit soa serial numbers, causing big
problems with .DE redelegations.
Bugs fixed
- Malformed or shortened TCP recursion queries would cause a signal 6
and a reload. Same for EOF from the TCP recursing backend. Thanks to
Simon Kirby and Mike Benoit of NetNation for helping debug this.
- Timeouts on the TCP recursing backend were far too long, leading to
possible exhaustion of TCP resolving threads.
- pdns_control purge domain accidentally cleaned all packets with
that name as a prefix. Thanks to Simon Kirby for spotting this.
- Improved exception error logging - in some circumstances PowerDNS
would not properly log the cause of an exception, which hampered
problem resolution.
New features
- Wildcard CNAMEs now work as expected!
- pdns_control purge can now also purge based on suffix, allowing
operators to purge an entire domain from the packet cache instead of
only specific records. See also
pdns_control Thanks to
Mike Benoit for this suggestion.
- soa-serial-offset for installations with small SOA serial numbers
wishing to register .DE domains with DENIC which demands six-figure
SOA serial numbers. See also Chapter 21, *Index of all Authoritative
Server settings*.
Version 2.1
This is a somewhat bigger release due to pressing demands from
customers. An upgrade is advised for installations using Recursion. If
you are using recursion, it is vital that you are aware of changes in
semantics. Basically, local data will now override data in your
recursing backend under most circumstances. Old behaviour can be
restored by turning lazy-recursion off.
Developers: this version has a new pdns-2.1 development kit, available
on http://downloads.powerdns.com/releases/dev. See also Backend
writers’ guide.
Warning: Most users will run a static version of PowerDNS which has
no dependencies on external libraries. However, some may need to run the
dynamic version. This warning applies to these users.
To run the dynamic version of PowerDNS, which is needed for backend
drivers which are only available in source form, gcc 3.0 is required.
RedHat 7.2 comes with gcc 3.0 as an optional component, RedHat 7.3 does
not. However, the RedHat 7.2 Update gcc rpms install just fine on RedHat
7.3. For Debian, we suggest running ‘woody’ and installing the g++-3.0
package. We expect to release a FreeBSD dynamic version shortly.
Bugs fixed
- RPM releases sometimes overwrote previous configuration files. Thanks
to Jorn Ekkelenkamp of Hubris/ISP Services for reporting this.
- TCP recursion sent out overly large responses due to a byte order
mistake, confusing some clients. Thanks to the capable engineers of
NetNation for bringing this to our attention.
- TCP recursion in combination with a recursing backend on a
non-standard port did not work, leading to a non-functioning TCP
listener. Thanks to the capable engineers of NetNation for bringing
this to our attention.
Unexpected behaviour
- Wildcard URL records where not implemented because they are a
performance penalty. To turn these on, enable wildcard-url in the
configuration.
- Unlike other nameservers, local data did not override the internet
for recursing queries. This has mostly been brought into conformance
with user expectations. If a recursive question can be answered
entirely from local data, it is. To restore old behaviour, disable
lazy-recursion. Also see
Recursion.
Features
- Oracle support has been tuned, leading to the first public release of
the Oracle backend. Zone2sql now outputs better SQL and the backend
is now fully documented. Furthermore, the queries are compatible with
the PowerDNS XML-RPC product, allowing PowerDNS express to run off
Oracle. See Oracle backend.
- Zone2sql now accepts ^^transactions to wrap zones in a transaction
for PostgreSQL and Oracle output. This is a major speedup and also
makes for better isolation of inserts. See
Zone2sql.
- pdns_control now has the ability to purge the PowerDNS cache or
parts of it. This enables operators to raise the TTL of the Packet
Cache to huge values and only to invalidate the cache when changes
are made. See also Authoritative Server
Performance and
pdns_control.
Version 2.0.1
Maintenance release, fixing three small issues.
Developers: this version is compatible with 1.99.11 backends.
- PowerDNS ignored the logging-facility setting unless it was
specified on the command line. Thanks to Karl Obermayer from
WebMachine Technologies for noticing this.
- Zone2sql neglected to preserve ‘slaveness’ of domains when converting
to the slave capable PostgreSQL backend. Thanks to Mike Benoit of
NetNation for reporting this. Zone2sql now has a ^^slave option.
- SOA Hostmaster addresses with dots in them before the @-sign were
mis-encoded on the wire.
Version 2.0
Two bugfixes, one stability/security related. No new features.
Developers: this version is compatible with 1.99.11 backends.
Bugfixes - zone2sql refused to work under some circumstances, taking
100% cpu and not functioning. Thanks to Andrew Clark and Mike Benoit for
reporting this. - Fixed a stability issue where malformed packets could
force PowerDNS to reload. Present in all earlier 2.0 versions.
Version 2.0 Release Candidate 2
Mostly bugfixes, no really new features.
Developers: this version is compatible with 1.99.11 backends.
Bugs fixed
- chroot() works again - 2.0rc1 silently refused to chroot. Thanks to
Hub Dohmen for noticing this.
- setuid() and setgid() security features were silently not being
performed in 2.0rc1. Thanks to Hub Dohmen for noticing this.
- MX preferences over 255 now work as intended. Thanks to Jeff Crowe
for noticing this.
- IPv6 clients can now also benefit from the recursing backend feature.
Thanks to Andy Furnell for proving beyond any doubt that this did not
work.
- Extremely bogus code removed from DNS notification reception code -
please test! Thanks to Jakub Jermar for working with us in figuring
out just how broken this was.
- AXFR code improved to handle more of the myriad different zone
transfer dialects available. Specifically, interoperability with Bind
4 was improved, as well as Bind 8 in ‘strict rfc conformance’ mode.
Thanks again for Jakub Jermar for running many tests for us. If your
transfers failed with ‘Unknown type 14!!’ or words to that effect,
this was it.
Features
- Win32 version now has a zone2sql tool.
- Win32 version now has support for specifying how urgent messages
should be before they go to the NT event log.
Remaining issues
- One persistent report of the default ‘chroot=./’ configuration not
working.
- One report of disable-axfr and allow-axfr-ips not working as
intended.
- Support for relative paths in zones and in Bind configuration is not
bug-for-bug compatible with bind yet.
Version 2.0 Release Candidate 1
The Mac OS X release! A very experimental OS X 10.2 build has been added.
Furthermore, the Windows version is now in line with Unix with respect
to capabilities. The ODBC backend now has the code to function as both a
master and a slave.
Developers: this version is compatible with 1.99.11 backends.
Implemented native packet response parsing code, allowing Windows to
perform AXFR and NS and SOA queries.
This is the first version for which we have added support for Darwin
6.0, which is part of the forthcoming Mac OS X 10.2. Please note that
although this version is marked RC1, that we have not done extensive
testing yet. Consider this a technology preview.
- The Darwin version has been developed on Mac OS X 10.2 (6C35).
Other versions may or may not work.
- Currently only the random, bind, mysql and pdns backends are
included.
- The menu based installer script does not work, you will have to
edit pathconfig by hand as outlined in chapter 2.
- On Mac OS X Client, PowerDNS will fail to start because a system
service is already bound to port 53.
This version is distributed as a compressed tar file. You should
follow the generic UNIX installation instructions.
Bugs fixed
- Zone2sql PostgreSQL mode neglected to lowercase $ORIGIN. Thanks to
Maikel Verheijen of Ladot for spotting this.
- Zone2sql PostgreSQL mode neglected to remove a trailing dot from
$ORIGIN if present. Thanks to Thanks to Maikel Verheijen of Ladot for
spotting this.
- Zone file parser was not compatible with bind when $INCLUDING
non-absolute file names. Thanks to Jeff Miller for working out how
this should work.
- Bind configuration parser was not compatible with bind when including
non-absolute file names. Thanks to Jeff Miller for working out how
this should work.
- Documentation incorrectly listed the Bind backend as ‘slave capable’.
This is not yet true, now labeled ‘experimental’.
Windows changes. We are indebted to Dimitry Andric who educated us in
the ways of distributing Windows software.
pdns.conf
is now read if available.
- Console version responds to ^c now.
- Default pdns.conf added to distribution
- Uninstaller missed several files, leaving remnants behind
- DLLs are now installed locally, with the pdns executable.
- pdns_control is now also available on Windows
- ODBC backend can now act as master and slave. Experimental.
- The example zone missed indexes and had other faults.
- A runtime DLL that is present on most windows systems (but not all!)
was missing.
Version 1.99.12 Prerelease
The Windows release! See Installing on Microsoft
Windows. Beware, windows support is
still very fresh and untested. Feedback is very welcome.
Developers: this version is compatible with 1.99.11 backends.
- Windows 2000 code base merge completed. This resulted in quite some
changes on the Unix end of things, so this may impact reliability.
- ODBC backend added for Windows. See ODBC
backend.
- IBM DB2 Universal Database backend available for Linux. See DB2
backend.
- Zone2sql now understands $INCLUDE. Thanks to Amaze Internet for
nagging about this
- The SOA Minimum TTL now has a configurable default
(soa-minimum-ttl)value to placate the DENIC requirements.
- Added a limit on the simultaneous numbers of TCP connections to
accept (max-tcp-connections). Defaults to 10.
Bugs fixed
- When operating in virtual hosting mode (See Virtual
hosting), the
additional init.d scripts would not function correctly and interface
with other pdns instances.
- PowerDNS neglected to conserve case on answers. So a query for
WwW.PoWeRdNs.CoM would get an answer listing the address of
www.powerdns.com. While this did not confuse resolvers, it is better
to conserve case. This has semantic consequences for all backends,
which the documentation now spells out.
- PostgreSQL backend was case-sensitive and returned only answers in
case an exact match was found. The Generic PostgreSQL backend is now
officially all lower case and zone2sql in PostgreSQL mode enforces
this. Documentation has been updated to reflect the case change.
Thanks to Maikel Verheijen of Ladot for spotting this!
- Documentation bug - postgresql create/index statements created a
duplicate index. If you’ve previously copy pasted the commands and
not noticed the error, execute CREATE INDEX rec_name_index ON
records(name) to remedy. Thanks to Jeff Miller for reporting this.
This also lead to depressingly slow ‘ANY’ lookups for those of you
doing benchmarks.
Version 1.99.11 Prerelease
This release is important because it is the first release which is
accompanied by an Open Source Backend Development Kit, allowing external
developers to write backends for PowerDNS. Furthermore, a few bugs have
been fixed
- Lines with only whitespace in zone files confused PowerDNS (thanks
Henk Wevers)
- PowerDNS did not properly parse TTLs with symbolic suffixes in zone
files, ie 2H instead of 7200 (thanks Henk Wevers)
Version 1.99.10 Prerelease
IMPORTANT: there has been a tiny license change involving free
public webbased dns hosting, check out the changes before deploying!
PowerDNS is now feature complete, or very nearly so. Besides adding
features, a lot of ‘fleshing out’ work is done now. There is an
important performance bug fix which may have lead to disappointing
benchmarks - so if you saw any of that, please try either this version
or 1.99.8 which also does not have the bug.
This version has been very stable for us on multiple hosts, as was
1.99.9.
PostgreSQL users should be aware that while 1.99.10 works with the
schema as presented in earlier versions, advanced features such as
master or slave support will not work unless you create the new
‘domains’ table as well.
Bugs fixed
- Wildcard AAAA queries sometimes received an NXDOMAIN error where they
should have gotten an empty NO ERROR. Thanks to Jeroen Massar for
spotting this on the .TK TLD!
- Do not disable the packetcache for ‘recursion desired’ packets unless
a recursor was configured. Thanks to Greg Schueler for noticing this.
- A failing backend would not be reinstated. Thanks to ‘Webspider’ for
discovering this problem with PostgreSQL connections that die after
prolonged inactivity.
- Fixed loads of IPv6 transport problems. Thanks to Marco Davids and
others for testing. Considered ready for production now.
- Zone2sql printed a debugging statement on range $GENERATE
commands. Thanks to Rene van Valkenburg for spotting this.
Features
- PowerDNS can now act as a master, sending out notifications in case
of changes and allowing slaves to AXFR. Big rewording of replication
support, domains are now either ‘native’, ‘master’ or ‘slave’. See
Master/Slave operation &
replication for lots of
details.
- Zone2sql in PostgreSQL mode now populates the ‘domains’ table for
easy master, slave or native replication support.
- Ability to run on IPv6 transport only
- Logging can now happen under a ‘facility’ so all PowerDNS messages
appear in their own file. See Operational logging using
syslog.
- Different OS releases of PowerDNS now get different install path
defaults. Thanks to Mark Lastdrager for nagging about this and to
Nero Imhard and Frederique Rijsdijk for suggesting saner defaults.
- Infrastructure for ‘also-notify’ statements added.
Version 1.99.9 Early Access Prerelease
This is again a feature and an infrastructure release. We are nearly
feature complete and will soon start work on the backends to make sure
that they are all master, slave and ‘superslave’ capable.
Bugs fixed
- PowerDNS sometimes sent out duplicate replies for packets passed to
the recursing backend. Mostly a problem on SMP systems. Thanks to
Mike Benoit for noticing this.
- Out-of-bailiwick CNAMEs (ie, a CNAME to a domain not in PowerDNS)
caused a ‘ServFail’ packet in 1.99.8, indicating failure, leading to
hosts not resolving. Thanks to Martin Gillstrom for noticing this.
- Zone2sql balked at zones edited under operating systems terminating
files with ^Z (Windows). Thanks Brian Willcott for reporting this.
- PostgreSQL backend logged the password used to connect. Now only does
so in case of failure to connect. Thanks to ‘Webspider’ for noticing
this.
- Debian unstable distribution wrongly depended on home compiled
PostgreSQL libraries. Thanks to Konrad Wojas for noticing this.
Features
- When operating as a slave, AAAA records are now supported in the
zone. They were already supported in master zones.
- IPv6 transport support - PowerDNS can now listen on an IPv6 socket
using the local-ipv6 setting.
- Very silly randombackend added which appears in the documentation as
a sample backend. See Backend writers’
guide.
- When transferring a slave zone from a master, out of zone data is now
rejected. Malicious operators might try to insert bad records
otherwise.
- ‘Supermaster’ support for automatic provisioning from masters. See
Supermaster automatic provisioning of
slaves.
- Recursing backend can now live on a non-standard (!=53) port. See
Recursion.
- Slave zone retrieval is now queued instead of immediate, which scales
better and is more resilient to temporary failures.
- max-queue-length parameter. If this many packets are queued for
database attention, consider the situation hopeless and respawn.
Internal
- SOA records are now ‘special’ and each backend can optionally
generate them in special ways. PostgreSQL backend does so when
operating as a slave.
- Writing backends is now a lot easier. See Backend writers’
guide.
- Added Bindbackend to internal regression tests, confirming that it is
compliant.
Version 1.99.8 Early Access Prerelease
A lot of infrastructure work gearing up to 2.0. Some stability bugs
fixed and a lot of new features.
Bugs fixed
- Bindbackend was overly complex and crashed on some systems on
startup. Simplified launch code.
- SOA fields were not always properly filled in, causing default values
to go out on the wire
- Obscure bug triggered by malicious packets (we know who you are) in
SOA finding code fixed.
- Magic serial number calculation contained a double free leading to
instability.
- Standards violation, questions for domains for which PowerDNS was
unauthoritative now get a SERVFAIL answer. Thanks to the IETF
Namedroppers list for helping out with this.
- Slowly launching backends were being relaunched at a great rate when
queries were coming in while launching backends.
- MySQL-on-unix-domain-socket on SMP systems was overwhelmed by the
quick connection rate on launch, inserted a small 50ms delay.
- Some SMP problems appear to be compiler related. Shifted to GCC 3.0.4
for Linux.
- Ran ispell on documentation.
Known bugs
- Wildcard CNAMEs do not work as they do with bind.
- Recursion sometimes sends out duplicate packets (fixed in 1.99.9
snapshots)
- Some stability issues which are caught by the guardian
Missing features
Features present in this document, but disabled or withheld from the
current release - gmysqlbackend, oraclebackend
Version 1.99.7 Early Access Prerelease
Named.conf parsing got a lot of work and many more bind configurations
can now be parsed. Furthermore, error reporting was improved. Stability
is looking good.
Bugs fixed
- Bind parser got confused by file names with underscores and colons.
- Bind parser got confused by spaces in quoted names
- FreeBSD version now stops and starts when instructed to do so.
- Wildcards were off by default, which violates standards. Now on by
default.
- ^^oracle was broken in zone2sql
Feature enhancements
- Line number counting goes on as it should when including files in
named.conf
- Added ^^no-config to enable users to start the pdns daemon without
parsing the configuration file.
- zone2sql now has ^^bare for unformatted output which can be used to
generate insert statements for different database layouts
- zone2sql now has ^^gpgsql, which is an alias for ^^mysql, to output
in a format useful for the default Generic PostgreSQL backend
- zone2sql is now documented.
Known bugs
Wildcard CNAMEs do not work as they do with bind.
Missing features
Features present in this document, but disabled or withheld from the
current release - gmysqlbackend, oraclebackend
Some of these features will be present in newer releases.
Version 1.99.6 Early Access Prerelease
This version is now running on dns-eu1.powerdns.net and working very
well for us. But please remain cautious before deploying!
Bugs fixed
- Webserver neglected to show log messages
- TCP question/answer miscounted multiple questions over one socket.
Fixed misnaming of counter
- Packetcache now detects clock skew and times out entries
- named.conf parser now reports errors with line number and offending
token
- File names in named.conf can now contain:
Feature enhancements
- The webserver now by default does not print out configuration
statements, which might contain database backends. Use
webserver-print-arguments to restore the old behaviour.
- Generic PostgreSQL backend is now included. Still rather beta.
Known bugs
- FreeBSD version does not stop when requested to do so.
- Wildcard CNAMEs do not work as they do with bind.
Missing features
Features present in this document, but disabled or withheld from the
current release - gmysqlbackend, oraclebackend
Some of these features will be present in newer releases.
Version 1.99.5 Early Access Prerelease
The main focus of this release is stability and TCP improvements. This
is the first release PowerDNS-the-company actually considers for running
on its production servers!
Major bugs fixed
- Zone2sql received a floating point division by zero error on
named.confs with less than 100 domains.
- Huffman encoder failed without specific error on illegal characters
in a domain
- Fixed huge memory leaks in TCP code.
- Removed further file descriptor leaks in guardian respawning code
- Pipebackend was too chatty.
- pdns_server neglected to close fds 0, 1 & 2 when daemonizing
Feature enhancements
- bindbackend can be instructed not to check the ctime of a zone by
specifying bind-check-interval=0, which is also the new default.
- pdns_server ^^list-modules lists all available modules.
Known bugs
- FreeBSD version does not stop when requested to do so.
- Wildcard CNAMEs do not work as they do with bind.
Missing features
Features present in this document, but disabled or withheld from the
current release - gmysqlbackend, oraclebackend, gpgsqlbackend
Some of these features will be present in newer releases.
Version 1.99.4 Early Access Prerelease
A lot of new named.confs can now be parsed, zone2sql & bindbackend have
gained features and stability.
Major bugs fixed
- Label compression was not always enabled, leading to large reply
packets sometimes.
- Database errors on TCP server lead to a nameserver reload by the
guardian.
- MySQL backend neglected to close its connection properly.
- BindParser miss parsed some IP addresses and netmasks.
- Truncated answers were also truncated on the packetcache, leading to
truncated TCP answers.
Feature enhancements
- Zone2sql and the bindbackend now understand the Bind $GENERATE{}
syntax.
- Zone2sql can optionally gloss over non-existing zones with
^^on-error-resume-next.
- Zone2sql and the bindbackend now properly expand @ also on the right
hand side of records.
- Zone2sql now sets a default TTL.
- DNS UPDATEs and NOTIFYs are now logged properly and sent the right
responses.
Performance enhancements
- ‘Fancy records’ are no longer queried for on ANY queries - this is a
big speedup.
Known bugs
- FreeBSD version does not stop when requested to do so.
- Zone2sql refuses named.confs with less than 100 domains.
- Wildcard CNAMEs do not work as they do with bind.
Missing features
Features present in this document, but disabled or withheld from the
current release - gmysqlbackend, oraclebackend, gpgsqlbackend
Some of these features will be present in newer releases.
Version 1.99.3 Early Access Prerelease
The big news in this release is the BindBackend which is now capable of
parsing many more named.conf Bind configurations. Furthermore, PowerDNS
has successfully parsed very large named.confs with large numbers of
small domains, as well as small numbers of large domains (TLD).
Zone transfers are now also much improved.
Major bugs fixed - zone2sql leaked file descriptors on each domain, used
wrong Bison recursion leading to parser stack overflows. This limited
the amount of domains that could be parsed to 1024. - zone2sql can now
read all known zone files, with the exception of those containing
$GENERATE - Guardian relaunching a child lost two file descriptors -
Don’t die on a connection reset by peer during zone transfer. -
Webserver does not crash anymore on ringbuffer resize
Feature enhancements
- AXFR can now be disabled, and re-enabled per IP address
- ^^help accepts a parameter, will then show only help items with that
prefix.
- zone2sql now accepts a ^^zone-name parameter
- BindBackend maturing - 9500 zones parsed in 3.5 seconds. No longer
case-sensitive.
Performance enhancements
- Implemented RFC-breaking AXFR format (which is the industry
standard). Zone transfers now zoom along at wire speed (many
megabits/s).
Known bugs
- FreeBSD version does not stop when requested to do so.
- BindBackend cannot parse zones with $GENERATE statements.
Missing features
Features present in this document, but disabled or withheld from the
current release
- gmysqlbackend, oraclebackend, gpgsqlbackend
Some of these features will be present in newer releases.
Version 1.99.2 Early Access Prerelease
Major bugs fixed
- Database backend reload does not hang the daemon anymore
- Buffer overrun in local socket address initialisation may have caused
binding problems
- setuid changed the uid to the gid of the selected user
- zone2sql doesn’t crash (dump core) on invocation anymore. Fixed lots
of small issues.
- Don’t parse configuration file when creating configuration file. This
was a problem with reinstalling.
Usability improvements
- Fixed error checking in init.d script (show, mrtg)
- Added ‘uptime’ to the mrtg output
- removed further GNUisms from installer and init.d scripts for use on
FreeBSD
- Debian package and apt repository, thanks to Wichert Akkerman.
- FreeBSD /usr/ports, thanks to Peter van Dijk (in progress).
Stability may be an issue as well as performance. This version has a
tendency to log a bit too much which slows the nameserver down a lot.
Known bugs
- Decreasing a ringbuffer on the website is a sure way to crash the
daemon. Zone2sql, while improved, still has problems with a zone in
the following format
name IN A 192.0.2.4
IN A 192.0.2.5
To fix, add ‘name’ to the second line.
Zone2sql does not close file descriptors.
FreeBSD version does not stop when requested via the init.d script.
Missing features
Features present in this document, but disabled or withheld from the
current release - gmysqlbackend, oraclebackend, gpgsqlbackend - fully
functioning bindbackend - will try to parse named.conf, but probably
fail
Some of these features will be present in newer releases.
Version 1.99.1 Early Access Prerelease
This is the first public release of what is going to become PowerDNS
2.0. As such, it is not of production quality. Even PowerDNS-the-company
does not run this yet.
Stability may be an issue as well as performance. This version has a
tendency to log a bit too much which slows the nameserver down a lot.
Known bugs
Decreasing a ringbuffer on the website is a sure way to crash the
daemon. Zone2sql is very buggy.
Missing features
Features present in this document, but disabled or withheld from the
current release:
- gmysqlbackend, oraclebackend, gpgsqlbackend
- fully functioning bindbackend - will not parse configuration files
Some of these features will be present in newer releases.