Changelogs for all pre 4.0 releases

Note: Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately. Hence, this changelog starts at version 3.0.

Note: pre-4.0 releases are End of Life and no longer supported. See EOL Statements.

PowerDNS Recursor 3.6.4

Released 9th of June 2015

This is a security release fixing Security Advisory 2015-01

Bug fixes:

• commit bccd068: Limit the maximum length of a qname

PowerDNS Recursor 3.7.3

Released 9th of June 2015

Bug fixes:

• commit 92f7b2b: Limit the maximum length of a qname

This is a security release fixing Security Advisory 2015-01

Improvements:

• commit 46366a5, commit f318a7d: pdnssec: check for glue and delegations in parent zones (Kees Monshouwer)

PowerDNS Recursor 3.7.2

Released 23rd of April, 2015

Among other bug fixes and improvements (as listed below), this release incorporates a fix for CVE-2015-1868, as detailed in PowerDNS Security Advisory 2015-01

Bug fixes:

• commit adb10be commit 3ec3e0f commit dc02ebf Fix handling of forward references in label compressed packets; fixes CVE-2015-1868
• commit a7be3f1: make sure we never call sendmsg with msg_control!=NULL && msg_controllen>0. Fixes ticket #2227
• commit 9d835ed: Improve robustness of root-nx-trust.

Improvements:

• commit 99c595b: Silence warnings that always occur on FreeBSD (Ruben Kerkhof)

PowerDNS Recursor 3.6.3

Released 23rd of April, 2015

The only difference between Recursor 3.6.2 and 3.6.3 is a fix for CVE-2015-1868, as detailed in PowerDNS Security Advisory 2015-01

PowerDNS Recursor 3.7.0

Unreleased, please see the 3.7.1 changelog below.

PowerDNS Recursor 3.7.1

Released February 12th, 2015.

This version contains a mix of speedups and improvements, the combined effect of which is vastly improved resilience against traffic spikes and malicious query overloads.

Of further note is the massive community contribution, mostly over Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and Aki Tuomi delivered a lot of love. Thanks!

Minor changes:

• Removal of dead code here and there 04dc6d618734fc630122de4c56dff641ebaf0988
• Per-qtype response counters are now 64 bit 297bb6acf7902068693a4aae1443c424d0e8dd52 on 64 bit systems
• Add IPv6 addresses for b and c.root-servers.net hints efc2595423c9a1be6f2d8f4da25445198ceb8b57
• Add IP address to logging about terminated queries 37aa9904d1cc967ba4b5d5e17dbe41485f8cdece
• Improve qtype name logging fab3ed3453e15ae88e29a0e4071b214eb19caad9 (Aki Tuomi)
• Redefine ‘BAD_NETS’ for dont-query based on newer IANA guidance 12cd44ee0fcde5893f85dccc499bfc35152c5fff (lochiiconnectivity)
• Add documentation links to systemd unit eb154adfdffa5c78624e2ea98e938d7b5787119e (Ruben Kerkhof)

Improvements:

• Upgrade embedded PolarSSL to 1.3.9: d330a2ea1a93d7675ef680311f8aa0306aeefcf1
• yahttp upgrade c290975778942ed1082ca66918695a5bd2d6bac4 c65a57e888ee48eaa948e590c90c51420bffa847 (Aki Tuomi)
• Replace . in hostnames by - for Carbon so as not to confuse Metronome 46541751ed1c3bc051d78217543d5fc76733e212
• Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
• Move to PolarSSL base64 488360551009784ab35c43ee4580e773a2a8a227 (Kees Monshouwer)
• The quiet=no query logging is now more informative 461df9d20c560d240285f772c09b3beb89d46daa
• We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee73ef3c86f80a2179981eda2e61c4363f
• We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee73ef3c86f80a2179981eda2e61c4363f, non-Linux portability in d63f0d83631c41eff203d30b0b7c475a88f1db59
• Builtin webserver can be queried with the API key in the URL again c89f8cd022c4a9409b95d22ffa3b03e4e98dc400
• Ringbuffers are now available via API c89f8cd022c4a9409b95d22ffa3b03e4e98dc400
• Lua 5.3 compatibility 59c6fc3e3931ca87d484337daee512e716bc4cf4 (Kees Monshouwer)
• No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d81f4ed9eb218715cbc8a59f0b9868234, ticket #2061
• Running with ‘quiet=no’ would strangely actually prevent debug messages from being logged f48d7b657ec32517f8bfcada3bfe6353ca313314
• Webserver now implements CORS for the API ea89a97e864c43c1cb03f2959ad04c4ebe7580ad, fixing ticket #1984
• Housekeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce675e62e2b9657b42614ce8be3312cae82

New features:

• New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses from the root-servers 01402d56846a3a61811ebd4e6bc97e53f908e568
• getregisteredname() for Lua, which turns ‘www.bbc.co.uk’ into ‘bbc.co.uk’ 8cd4851beb78bc6ab320926fb5cb6a09282016b1
• Lua preoutquery filter 3457a2a0ec41d3b3aff7640f30008788e1228a6e
• Lua IP-based filter (ipfilter) before parsing packets 4ea949413c495254acb0bd19335142761c1efc0c
• iputils class for Lua, to quickly process IP addresses and netmasks in their native format
• getregisteredname function for Lua, to find the registered domain for a given name
• Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries

Speedups:

• Remove unneeded malloc traffic 93d4a89096e64d53740790f58fadec56f6a0af14 8682c32bc45b6ffa7c0f6da778e1b223ae7f03ce a903b39cfe7364c56324038264d3db50b8cece87
• Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888ccac074e3edc38864641ca774f2f03c
• Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec366c090af000b066267b6f6bbb3a512a
• Remove escaping in case there was nothing to escape 83b746fd1d94c8742d8bd87a44beb44c154230c7
• Our logging infrastructure had a lot of locking d1449e4d073595e1e1581804f121fc90e37158bf
• Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31c76aa650520e6d462dd3a02b5936f7a
• Add limit on total wall-clock time spent on a query 9de3e0340fa066d4c59449e1643a1de8c343f8f2
• Packet cache is now case-insensitive, which increases hitrate 90974597aadaf1096e3fd0dc450be7422ea591a5

Security relevant:

• Check for PIE, RELRO and stack protector during configure 8d0354b189c12e1e14f5309d3b49935c17f9eeb0 (Aki Tuomi)
• Testing for support of PIE etc was improved in b2053c28ccb9609e2ce7bcb6beda83f98a062aa3 and beyond, fixes #2125 (Ruben Kerkhof)
• Max query-per-query limit (max-qperq) is now configurable 173d790ead08f67733010ca4c6fc404a040fe699

Bugs fixed:

• IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a0877cd79ede2994124c1a58dc69ae49 and beyond.
• rec_control gave incorrect output on a timeout 12997e9d800734da51b808767e1e2477244c30eb
• When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae62984adadab687c23fe1b287c1f219b2cb
• Hugely long version strings would trip up security polling 18b7333828a1275ae5f5574a9c8330290d8557ff (Kees Monshouwer)
• The ‘remotes’ ringbuffer was sized incorrectly f8f243b01215d6adcb59389f09ef494f1309041f
• Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01215d6adcb59389f09ef494f1309041f
• Our automatic file descriptor limit raising was attempted after setuid, which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce9b0ec32c340d1f2eea2254f3fedc1c1
• Timestamps used for dropping packets were occasionally wrong 183eb8774e4bc2569f06d5894fec65740f4b70b6 and 4c4765c104bacc146533217bcc843efb244a8086 (RC2) with thanks to Winfried for debugging.
• In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable. 6a6fb05ad81c519b4002ed1db00f3ed9b7bce6b4. Debugging and testing by Fusl.

Various other documentation changes by Chris Hofstaedtler and Ruben Kerkhof. Lots of improvements all over the place by Kees Monshouwer.

PowerDNS Recursor 3.6.2

Note: Version 3.6.2 is a bugfix update to 3.6.1. Released on the 30th of October 2014.

Official download page

A list of changes since 3.6.1 follows.

• commit ab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries). This also prevents the issue documented in PowerDNS Security Advisory 2014-02 (CVE-2014-8601)
• commit 42025be: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Security polling.
• commit 5027429: We did not transmit the right ‘local’ socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to lookup a filedescriptor that wasn’t there in an unlocked map which could conceivably lead to crashes. Closes ticket 1828, thanks Winfried for reporting
• commit 752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
• commit 6fdd40d: add missing #include <pthread.h> to rec-channel.hh (this fixes building on OS X).

PowerDNS Recursor 3.6.1

Warning: Version 3.6.1 is a mandatory security upgrade to 3.6.0! Released on the 10th of September 2014.

PowerDNS Recursor 3.6.0 could crash with a specific sequence of packets. For more details, see the advisory. PowerDNS Recursor 3.6.1 was very well tested, and is in full production already, so it should be a safe upgrade.

Downloads

• Official download page

In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:

• We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in commit c90fcbd , closing ticket 1663.
• Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens.
• Realtime telemetry can now be enabled at runtime, for example with ‘rec_control carbon-server 82.94.213.34 ourname1234’. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server.

PowerDNS Recursor version 3.6.0

This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.

Downloads

• Official download page
• native RHEL5/6 packages from Kees Monshouwer

Changes between RC1 and release

• commit 30b13ef: do not apply some of our filters to root and gtlds, plus remove some useless {}
• commit cc81d90: fix yahttp copy in dist-recursor for BSD cp
• commit b798618: define __APPLE_USE_RFC_3542 during recursor build on Darwin, fixes ticket 1449
• commit 1d7f863: Merge pull request ticket 1443 from zeha/recursor-nostrip
• commit 5cdeede: remove (non-working) [aaaa-]additional-processing flags from the recursor. Closes ticket 1448
• commit 984d747: Support building recursor on kFreeBSD and Hurd
• commit 79240f1: Allow not stripping of binaries in recursor’s make install
• commit e9c2ad3: document pdns.DROP for recursor, add policy-drops metric for it

New features

• commit aadceba: Implement minimum-ttl-override config setting, plus runtime configurability via ‘rec_control set-minimum-ttl’.
• Lots of work on the JSON API, which is exposed via Aki Tuomi’s ‘yahttp’. Massive thanks to Chris Hofstaedtler for delivering this exciting new functionality. Documentation & demo forthcoming, but code to use it is available on GitHub.
• Lua modules can now use ‘pdnslog(INFO..’), as described in ticket 1074, implemented in commit 674a305
• Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes ticket 836, commit 56b4d21 and commit e661a20.
• commit 2c78bd5: implement built-in statistics dumper using the ‘carbon’ protocol, which is also understood by metronome (our mini-graphite). Use ‘carbon-server’, ‘carbon-ourname’ and ‘carbon-interval’ settings.
• New setting ‘udp-truncation-threshold’ to configure from how many bytes we should truncate. commit a09a8ce.
• Proper support for CHaos class for CHAOS TXT queries. commit c86e1f2, addition for lua in commit f94c53d, some warnings in commit 438db54 however.
• Added support for Lua scripts to drop queries w/o further processing. commit 0478c54.
• Kevin Holly added qtype statistics to recursor and rec_control (get-qtypelist) (commit 79332bf)
• Add support for include-files in configuration, also reload ACLs and zones defined in them (commit 829849d, commit 242b90e, commit 302df81).
• Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. Described in this post. Also comes with new metric ‘failed-host-entries’ in commit 406f46f.
• commit 21e7976: Implement “followCNAMERecords” feature in the Lua hooks.

Improvements

• commit 06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage!
• commit b13e737: –help now writes to stdout instead of stderr. Thanks Winfried Angele.
• To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way so only the question remains. Suggested in ticket 1092, code in commit add935a.
• No longer experimental, the switch ‘pdns-distributes-queries’ can improve multi-threaded performance on Linux (various cleanup commits).
• Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL (commit e22d9b4, commit 990ad9a)
• commit 92c0733 moves various Lua magic constants into an enum namespace.
• set group and supplementary groups before chroot (commit 6ee50ce, ticket 1198).
• commit 4e9a20e: raise our socket buffer setting so it no longer generates a warning about lowering it.
• commit 4e9a20e: warn about Linux suboptimal IPv6 settings if we detect them.
• SIGUSR2 turns on a ‘trace’ of all DNS traffic, a second SIGUSR2 now turns it off again. commit 4f217ce.
• Various fixes for Lua 5.2.
• commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and ‘sid3windr’ for insight & debugging. Closes ticket 844.
• commit b1a2d6c: now, I’m not one to get OCD over things, but that log message about stats based on 1801 seconds got to me. 1800 now.

Fixes

• 0c9de4fc: stay away from getaddrinfo unless we really can’t help it for ascii ipv6 conversions to binary
• commit 08f3f63: fix average latency calculation, closing ticket 424.
• commit 75ba907: Some of our counters were still 32 bits, now 64.
• commit 2f22827: Fix statistics and stability when running with pdns-distributes-queries.
• commit 6196f90: avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behaviour
• commit 3a8a4d6: make sure we don’t exceed the number of available filedescriptors for mthreads. Raises performance in case of DoS. See this post for further details.
• commit 7313fe6: implement indexed packet cache wiping for recursor, orders of magnitude faster. Important when reloading all zones, which causes massive cache cleaning.
• rec_control get-all would include ‘cache-bytes’ and ‘packetcache-bytes’, which were expensive operations, too expensive for frequent polling. Removed in commit 8e42d27.
• All old workarounds for supporting Windows of the XP era have been removed.
• Fix issues on S390X based systems which have unsigned characters (commit 916a0fd)

PowerDNS Recursor version 3.5.3

Released September 17th, 2013

This is a bugfix and performance update to 3.5.2. It brings serious performance improvements for dual stack users.

Downloads

• Official download page
• native RHEL5/6 packages from Kees Monshouwer

Changes since 3.5.2

• 3.5 replaced our ANY query with A+AAAA for users with IPv6 enabled. Extensive measurements by Darren Gamble showed that this change had a non-trivial performance impact. We now do the ANY query like before, but fall back to the individual A+AAAA queries when necessary. Change in commit 1147a8b.
• The IPv6 address for d.root-servers.net was added in commit 66cf384, thanks Ralf van der Enden.
• We now drop packets with a non-zero opcode (i.e. special packets like DNS UPDATE) earlier on. If the experimental pdns-distributes-queries flag is enabled, this fix avoids a crash. Normal setups were never susceptible to this crash. Code in commit 35bc40d, closes ticket 945.
• TXT handling was somewhat improved in commit 4b57460, closing ticket 795.

PowerDNS Recursor version 3.5.2

Released June 7th, 2013

This is a stability and bugfix update to 3.5.1. It contains important fixes that improve operation for certain domains.

Downloads

• Official download page
• native RHEL5/6 packages from Kees Monshouwer

Changes since 3.5.1

• Responses without the QR bit set now get matched up to an outstanding query, so that resolution can be aborted early instead of waiting for a timeout. Code in commit ee90f02.
• The depth limiter changes in 3.5.1 broke some legal domains with lots of indirection. Improved in commit d393c2d.
• Slightly improved logging to aid debugging. Code in commit 437824d and commit 182005e.

PowerDNS Recursor version 3.5.1

Released May 3rd, 2013

This is a stability and bugfix update to 3.5. It contains important fixes that improve operation for certain domains.

Downloads

• Official download page
• native RHEL5/6 packages from Kees Monshouwer

Changes since 3.5

• We now abort earlier while following endless glue or CNAME chains. Fix in commit 02d1742.
• Some unused code would crash certain gcc versions on ARM. Reported by Morten Stevens, fixed in commit 5b188e8.
• The 3.5 fix for ticket 731 was too strict, causing trouble with at least one domain. Reported by Aki Tuomi, check slightly relaxed in commit 4134690.
• Automake/autoconf now use non-deprecated syntax. Reported by Morten Stevens, change in commit ca17ef2.

PowerDNS Recursor version 3.5

Released April 15th, 2013

This is a stability, security and bugfix update to 3.3/3.3.1. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. Note: Because a semi-sanctioned 3.4-pre was distributed for a long time, and people have come to call that 3.4, we are skipping an actual 3.4 release to avoid confusion.

Downloads

• Official download page
• native RHEL5/6 packages from Kees Monshouwer

Changes between RC5 and the final 3.5 release

• Winfried Angele reported that restarting a very busy recursor could lead to crashes. Fixed in r3153, closing ticket 735.

Changes between RC4 and RC5

• Bernd-René Predota of Liberty Global reported that Recursor 3.3 would treat empty non-AA NOERROR responses as authoritative NXDATA responses. This bug turned out to be in 3.5-RC4 too. Fixed in commit 3146, related to ticket 731.

Changes between RC3 (unreleased) and RC4

• Winfried Angele spotted, even before release, that commit 3132 in RC3 broke outgoing IPv6 queries. We are grateful for his attention to detail! Fixed in commit 3141. Changes between RC2 and RC3 (unreleased)
• Use private temp dir when running under systemd, thanks Morten Stevens and Ruben Kerkhof. Change in commit 3105.
• NSD mistakenly compresses labels for RP and other types, violating a MUST in RFC 3597. Recursor does not decompress these labels, violating a SHOULD in RFC3597. We now decompress these labels, and reportedly NSD will stop compressing them. Reported by Jan-Piet Mens, fixed in commit 3109.
• When forwarding to another recursor, we would handle responses to ANY queries incorrectly. Spotted by Jan-Piet Mens, fixed in commit 3116, closes ticket 704.
• Our local-nets definition (used as a default for some settings) now includes the networks from RFC 3927 and RFC 6598. Reported by Maik Zumstrull, fixed in commit 3122.
• The RC1 change to stop using ANY queries to get A+AAAA for name servers in one go had a 5% performance impact. This impact is corrected in commit 3132. Thanks to Winfried Angele for measuring and reporting this. Closes ticket 710.
• New command ‘rec_control dump-nsspeeds’ will dump our NS speeds (latency) cache. Code in commit 3131.

Changes between RC1 and RC2

• While Recursor 3.3 was not vulnerable to the specific attack noted in ‘Ghost Domain Names: Revoked Yet Still Resolvable’ (more information at A New DNS Exploitation Technique: Ghost Domain Names), further investigation showed that a variant of the attack could work. This was fixed in commit 3085. This should also close the slightly bogus CVE-2012-1193. Closes ticket 668.
• The auth-can-lower-ttl flag was removed, as it did not have any effect in most situations, and thus did not operate as advertised. We now always comply with the related parts of RFC 2181. Change in commit 3092, closing ticket 88.

New features

• The local zone server now understands wildcards, code in commit 2062.
• The Lua postresolve and nodata hooks, that had been distributed as a ‘3.3-hooks’ snapshot earlier, have been merged. Code in commit 2309.
• A new feature, rec_control trace-regex allows the tracing of lookups for specific names. Code in commit 3044, commit 3073.
• A new setting, export-etc-hosts-search-suffix, adds a configurable suffix to names imported from /etc/hosts. Code in commit 2544, commit 2545.

Improvements

• We now throttle queries that don’t work less aggressively, code in commit 1766.
• Various improvements in tolerance against broken auths, code in commit 1996, commit 2188, commit 3074 (thanks Winfried).
• Additional processing is now optional, and disabled by default. Presumably this yields a performance improvement. Change in commit 2542.
• rec_control reload-lua-script now reports errors. Code in commit 2627, closing ticket 278.
• rec_control help now lists commands. Code in commit 2628.
• rec_control wipe-cache now also wipes the recursor’s packet cache. Code in commit 2880 from ticket 333.
• Morten Stevens contributed a systemd file. Import in commit 2966, now part of the recursor tarball.
• commit 2990 updates the address of D.root-servers.net.
• Winfried Angele implemented and documented the ipv6-questions metric. Merge in commit 3034, closing ticket 619.
• We no longer use ANY to get A+AAAA for nameservers, because some auth operators have decided to break ANY lookups. As a bonus, we now track v4 and v6 latency separately. Change in commit 3064.

Bugs fixed

• Some unaligned memory access was corrected, code in commit 2060, commit 2122, commit 2123, which would cause problems on UltraSPARC.
• Garbage encountered during reload-acls could cause crashes. Fixed in commit 2323, closing ticket 330.
• The recursor would lose its root hints in a very rare situation. Corrected in commit 2380.
• We did not always drop supplemental groups while dropping privileges. Reported by David Black of Atlassian, fixed in commit 2524.
• Cache aging would sometimes get confused when we had a mix of expired and non-expired records in cache. Spotted and fixed by Winfried Angele in commit 3068, closing ticket 438.
• rec_control reload-acl no longer ignores arguments. Fix in commit 3037, closing ticket 490.
• Since we re-parse our commandline in rec_control we’ve been doubling the commands on the commandline, causing weird output. Reported by Winfried Angele. Fixed in commit 2992, closing ticket 618. This issue was not present in any officially released versions.
• commit 2879 drops some spurious stderr logging from Lua scripts, and makes sure ‘place’ is always valid.
• We would sometimes refuse to resolve domains with just one nameserver living at the apex. Fixed in commit 2817.
• We would sometimes stick RRs in the wrong parts of response packets. Fixed in commit 2625.
• The ACL parser was too liberal, sometimes causing recursors to be very open. Fixed in commit 2629, closing ticket 331.
• rec_control now honours socket-dir from recursor.conf. Fixed in commit 2630.
• When traversing CNAME chains, sometimes we would end up with multiple SOAs in the result. Fixed in commit 2633.

Recursor version 3.3.1

Warning:Unreleased

Version 3.3.1 contains a small number of important fixes, adds some memory usage statistics, but no new features.

• Discovered by John J and Robin J, the PowerDNS Recursor did not process packets that were truncated in mid-record, and also did not act on the ‘truncated’ (TC) flag in that case. This broke a very small number of domains, most of them served by very old versions of the PowerDNS Authoritative Server. Fix in commit 1740.
• PowerDNS emitted a harmless, but irritating, error message on receiving certain very short packets. Discovered by Winfried A and John J, fix in commit 1729.
• PowerDNS could crash on startup if configured to provide service on malformed IPv6 addresses on FreeBSD, or in case when the FreeBSD kernel was compiled without any form of IPv6 support. Debugged by Bryan Seitz, fix in commit 1727.
• Add max-mthread-stack metric to debug rare crashes. Could be used to save memory on constrained systems. Implemented in commit 1745.
• Add cache-bytes and packetcache-bytes metrics to measure our ‘pre-malloc’ memory utilization. Implemented in commit 1750.

Recursor version 3.3

Released on the 22nd of September 2010.

Warning: Version 3.3 fixes a number of small but persistent issues, rounds off our IPv6 %link-level support and adds an important feature for many users of the Lua scripts.

In addition, scalability on Solaris 10 is improved.

Bug fixes

• ‘dist-recursor’ script was not compatible with pure POSIX /bin/sh, discovered by Simon Kirby. Fix in commit 1545.
• Simon Bedford, Brad Dameron and Laurient Papier discovered relatively high TCP/IP loads could cause TCP/IP service to shut down over time. Addressed in commits 1546, 1640, 1652, 1685, 1698. Additional information provided by Zwane Mwaikambo, Nicholas Miell and Jeff Roberson. Testing by Chris Hofstaedtler and Michael Renner.
• The PowerDNS Recursor could not read the ‘root zone’ (this is something else than the root hints) because of an unquoted TXT record. This has now been addressed, allowing operators to hardcode the root zone. This can improve security if the root zone used is kept up to date. Change in commit 1547.
• A return of an old bug, when a domain gets new nameservers, but the old nameservers continue to contain a copy of the domain, PowerDNS could get ‘stuck’ with the old servers. Fixed in commit 1548.
• Discovered & reported by Alexander Gall of SWITCH, the Recursor used to try to resolve ‘AXFR’ records over UDP. Fix in commit 1619.
• The Recursor embedded authoritative server messed up parsing a record like ‘@ IN MX 15 @’. Spotted by Aki Tuomi, fix in commit 1621.
• The Recursor embedded authoritative server messed up parsing really really long lines. Spotted by Marco Davids, fix in commit 1624, commit 1625.
• Packet cache was not DNS class correct. Spotted by “Robin”, fix in commit 1688.
• The packet cache would cache some NXDOMAINs for too long. Solving this bug exposed an underlying oddity where the initial NXDOMAIN response had an overly long (untruncated) TTL, whereas all the next ones would be ok. Solved in commit 1679, closing ticket 281. Especially important for RBL operators. Fixed after some nagging by Alex Broens (thanks).

Improvements

• The priming of the root now uses more IPv6 addresses. Change in commit 1550, closes ticket 287. Also, the IPv6 address of I.ROOT-SERVERS.NET was added in commit 1650.
• The rec_control dump-cache command now also dumps the ‘negative query’ cache. Code in commit 1713.
• PowerDNS Recursor can now bind to fe80 IPv6 space with ‘%eth0’ link selection. Suggested by Darren Gamble, implemented with help from Niels Bakker. Change in commit 1620.
• Solaris on x86 has a long-standing bug in port_getn(), which we now work around. Spotted by ‘Dirk’ and ‘AS’. Solution suggested by the Apache runtime library, update in commit 1622.
• New runtime statistic: ‘tcp-clients’ which lists the number of currently active TCP/IP clients. Code in commit 1623.
• Deal better with UltraDNS style CNAME redirects containing SOA records. Spotted by Andy Fletcher from UKDedicated in ticket 303, fix in commit 1628.
• The packet cache, which has ‘ready to use’ packets containing answers, now artificially ages the ready to use packets. Code in commit 1630.
• Lua scripts can now indicate that certain queries will have ‘variable’ answers, which means that the packet cache will not touch these answers. This is great for overriding some domains for some users, but not all of them. Use setvariable() in Lua to indicate such domains. Code in commit 1636.
• Add query statistic called ‘dont-outqueries’, plus add IPv6 address :: and IPv4 address 0.0.0.0 to the default “dont-query” set, preventing the Recursor from talking to itself. Code in commit 1637.
• Work around a gcc 4.1 bug, still in wide use on common platforms. Code in commit 1653.
• Add ‘ARCHFLAGS’ to PowerDNS Recursor Makefile, easing 64 bit compilation on mainly 32 bit platforms (and vice versa).
• Under rare circumstances, querying the Recursor for statistics under very high load could lead to a crash (although this has never been observed). Bad code removed & good code unified in commit 1675.
• Spotted by Jeff Sipek, the rec_control manpage did not list the new get-all command. commit 1677.
• On some platforms, it may be better to have PowerDNS itself distribute queries over threads (instead of leaving it up to the kernel). This is an experimental feature and can be enabled with the ‘pdns-distributes-queries’ setting. Code in commit 1678 and beyond. Speeds up Solaris measurably.
• Cache cleaning code was cleaned up, unified and expanded to cover the ‘negative cache’, which used to be cleaned rather bluntly. Code in commit 1702, further tweaks in commit 1712, spotted by Darren Gamble, Imre Gergely and Christian Kovacic.

Changes between RC1, RC2 and RC3.

• RC2: Fixed linking on RHEL5/CentOS5, which both ship with a gcc compiler that claims to support atomic operations, but doesn’t. Code in commit 1714. Spotted by ‘Bas’ and Imre Gergely.
• RC2: Negative query cache was configured to grow too large, and was not cleaned efficiently. Code in commit 1712, spotted by Imre Gergely.
• RC3: Root failed to be renewed automatically, relied on fallback to make this happen. Code in commit 1716, spotted by Detlef Peeters.

Recursor version 3.2

Released on the 7th of March 2010.

Warning: Lua scripts from version 3.1.7.* are fully compatible with version 3.2. However, scripts written for development snapshot releases, are NOT. Please see Scripting for details!

The 3.2 release is the first major release of the PowerDNS Recursor in a long time. Partly this is because 3.1.7.* functioned very well, and delivered satisfying performance, partly this is because in order to really move forward, some heavy lifting had to be done.

As always, we are grateful for the large PowerDNS community that is actively involved in improving the quality of our software, be it by submitting patches, by testing development versions of our software or helping debug interesting issues. We specifically want to thank Stefan Schmidt and Florian Weimer, who both over the years have helped tremendously in keeping PowerDNS fast, stable and secure.

This version of the PowerDNS Recursor contains a rather novel form of lock-free multithreading, a situation that comes close to the old ‘–fork’ trick, but allows the Recursor to fully utilize multiple CPUs, while delivering unified statistics and operational control.

In effect, this delivers the best of both worlds: near linear scaling, with almost no administrative overhead.

Compared to ‘regular multithreading’, whereby threads cooperate more closely, more memory is used, since each thread maintains its own DNS cache. However, given the economics, and the relatively limited total amount of memory needed for high performance, this price is well worth it.

In practical numbers, over 40,000 queries/second sustained performance has now been measured by a third party, with a 100.0% packet response rate. This means that the needs of around 400,000 residential connections can now be met by a single commodity server.

In addition to the above, the PowerDNS Recursor is now providing resolver service for many more Internet users than ever before. This has brought with it 24/7 Service Level Agreements, and 24/7 operational monitoring by networking personnel at some of the largest telecommunications companies in the world.

In order to facilitate such operation, more statistics are now provided that allow the visual verification of proper PowerDNS Recursor operation. As an example of this there are now graphs that plot how many queries were dropped by the operating system because of a CPU overload, plus statistics that can be monitored to determine if the PowerDNS deployment is under a spoofing attack. All in all, this is a large and important PowerDNS Release, paving the way for further innovation.

Note: This release removes support for the ‘fork’ multi-processor option. In addition, the default is now to spawn two threads. This has been done in such a way that total memory usage will remain identical, so each thread will use half of the allocated maximum number of cache entries.

Changes between RC2 and -release

• ‘Make install’ when an existing configuration file contained a ‘fork’ statement has been fixed. Spotted by Darren Gamble, code in commit 1534.
• Reloading a nonexistent allow-from-file caused the control thread to stop working. Spotted by Imre Gergely, code in commit 1532.
• Parser got confused by reading en empty line in auth-forward-zones. Spotted by Imre Gergely, code in commit 1533.
• David Gavarret discovered undocumented and not-working settings to set the owner, group and access modes of the control socket. Code by Aki Tuomi and documentation in commit 1535. Fixup in commit 1536 for FreeBSD as found by Ralf van der Enden.
• Tiny improvement possibly solving an issue on Solaris 10’s completion port event multiplexer (commit 1537).

Changes between RC1 and RC2

• Compilation on Solaris 10 has been fixed (various patchlevels had different issues), code in commit 1522.
• Compatibility with CentOS4/RHEL4 has been restored, the gcc and glibc versions shipped with this distribution contain a Thread Local Storage bug which we now work around. Thanks to Darren Gamble and Imre Gergely for debugging this issue, code in commit 1527.
• A failed setuid operation, because of misconfiguration, would result in a crash instead of an error message. Fixed in commit 1523.
• Imre Gergely discovered that PowerDNS was doing spurious root repriming when invalidating nssets. Fixed in commit 1531.
• Imre Gergely discovered our rrd graphs had not been changed for the new multithreaded world, and did not allow scaling beyond 200% cpu use. In addition, CPU usage graphs did not add up correctly. Implemented in commit 1524.
• Andreas Jakum discovered the description of ‘max-packetcache-entries’ and ‘forward-zones-recurse’ was wrong in the output of ‘–help’ and ‘–config’. In addition, some stray backup files made it into the RC1 release. Addressed in commit 1529. Full release notes follow, including some overlap with the incremental release notes above. Improvements
• Multithreading, allowing near linear scaling to multiple CPUs or cores. Configured using ‘threads=’ (many commits). This also deprecates the ‘–fork’ option.
• Added ability to read a configuration item of a running PowerDNS Recursor using ‘rec_control get-parameter’ (commit 1243), suggested by Wouter de Jong.
• Added ability to read all statistics in one go of a running PowerDNS Recursor using ‘rec_control get-all’ (commit 1496), suggested by Michael Renner.
• Speedups in packet generation (Commits 1258, 1259, 1262)
• TCP deferred accept() filter is turned on again for slight DoS protection. Code in commit 1414.
• PowerDNS Recursor can now do TCP/IP queries to remote IPv6 addresses (commit 1412).
• Solaris 9 ‘/dev/poll’ support added, Solaris 8 now deprecated. Changes in commit 1421, commit 1422, commit 1424, commit 1413.
• Lua functions can now also see the address _to_ which a question was sent, using getlocaladdress(). Implemented in commit 1309 and commit 1315.
• Maximum cache sizes now default to a sensible value. Suggested by Roel van der Made, implemented in commit 1354.
• Domains can now be forwarded to IPv6 addresses too, using either ::1 syntax or [::1]:25. Thanks to Wijnand Modderman for discovering this issue, fixed in commit 1349.
• Lua scripts can now load libraries at runtime, for example to calculate md5 hashes. Code by Winfried Angele in commit 1405.
• Periodic statistics output now includes average queries per second, as well as packet cache numbers (commit 1493).
• New metrics are available for graphing, plus added to the default graphs (commit 1495, commit 1498, commit 1503)
• Fix errors/crashes on more recent versions of Solaris 10, where the ports functions could return ENOENT under some circumstances. Reported and debugged by Jan Gyselinck, fixed in commit 1372.

New features

• Add pdnslog() function for Lua scripts, so errors or other messages can be logged properly.
• New settings to set the owner, group and access modes of the control socket (socket-owner, socket-group, socket-mode). Code by Aki Tuomi and documentation in commit 1535. Fixup in commit 1536 for FreeBSD as found by Ralf van der Enden.
• rec_control now accepts a –timeout parameter, which can be useful when reloading huge Lua scripts. Implemented in commit 1366.
• Domains can now be forwarded with the ‘recursion-desired’ bit on or off, using either forward-zones-recurse or by prefixing the name of a zone with a ‘+’ in forward-zones-file. Feature suggested by Darren Gamble, implemented in commit 1451.
• Access control lists can now be reloaded at runtime (implemented in commit 1457).
• PowerDNS Recursor can now use a pool of query-local-addresses to further increase resilience against spoofing. Suggested by Ad Spelt, implemented in commit 1426.
• PowerDNS Recursor now also has a packet cache, greatly speeding up operations. Implemented in commit 1426, commit 1433 and further.
• Cache can be limited in how long it maximally stores records, for BIND compatibility (TTL limiting), by setting max-cache-ttl.Idea by Winfried Angele, implemented in commit 1438.
• Cache cleaning turned out to be scanning more of the cache than necessary for cache maintenance. In addition, far more frequent but smaller cache cleanups improve responsiveness. Thanks to Winfried Angele for discovering this issue. (commits 1501, 1507)
• Performance graphs enhanced with separate CPU load and cache effectiveness plots, plus display of various overload situations (commits 1503)

Compiler/Operating system/Library updates

• PowerDNS Recursor can now compile against newer versions of Boost (verified up to and including 1.42.0). Reported & fixed by Darix in commit 1274. Further fixes in commit 1275, commit 1276, commit 1277, commit 1283.
• Fix compatibility with newer versions of GCC (closes ticket ticket 227, spotted by Ruben Kerkhof, code in commit 1345, more fixes in commit 1394, 1416, 1440).
• Rrdtool update graph is now compatible with FreeBSD out of the box. Thanks to Bryan Seitz (commit 1517).
• Fix up Makefile for older versions of Make (commit 1229).
• Solaris compilation improvements (out of the box, no handwork needed).
• Solaris 9 MTasker compilation fixes, as suggested by John Levon. Changes in commit 1431.

Bug fixes

• Under rare circumstances, the recursor could crash on 64 bit Linux systems running glibc 2.7, as found in Debian Lenny. These circumstances became a lot less rare for the 3.2 release. Discovered by Andreas Jakum and debugged by #powerdns, fix in commit 1519.
• Imre Gergely discovered that PowerDNS was doing spurious root repriming when invalidating nssets. Fixed in commit 1531.
• Configuration parser is now resistant against trailing tabs and other whitespace (commit 1242)
• Fix typo in a Lua error message. Close ticket 210, as reported by Stefan Schmidt (commit 1319).
• Profiled-build instructions were broken, discovered & fixes suggested by Stefan Schmidt. ticket 239, fix in commit 1462.
• Fix up duplicate SOA from a remote authoritative server from showing up in our output (commit 1475).
• All security fixes from 3.1.7.2 are included.
• Under highly exceptional circumstances on FreeBSD the PowerDNS Recursor could crash because of a TCP/IP error. Reported and fixed by Andrei Poelov in ticket 192, fixed in commit 1280.
• PowerDNS Recursor can be a root-server again. Error spotted by the ever vigilant Darren Gamble (ticket 229), fix in commit 1458.
• Rare TCP/IP errors no longer lead to PowerDNS Recursor logging errors or becoming confused. Debugged by Josh Berry of Plusnet PLC. Code in commit 1457.
• Do not hammer parent servers in case child zones are misconfigured, requery at most once every 10 seconds. Reported & investigated by Stefan Schmidt and Andreas Jakum, fixed in commit 1265.
• Properly process answers from remote authoritative servers that send error answers without including the original question (commit 1329, commit 1327).
• No longer spontaneously turn on ‘export-etc-hosts’ after reloading zones. Discovered by Paul Cairney, reported in ticket 225, addressed in commit 1348.
• Very abrupt server failure of large numbers of high-volume authoritative servers could trigger an out of memory situation. Addressed in commit 1505.
• Make timeouts for queries to remote authoritative servers configurable with millisecond granularity. In addition, the old code turned out to consider the timeout expired when the integral number of seconds since 1970 increased by 1 - which on average is after 500ms. This might have caused spurious timeouts! New default timeout is 1500ms. See network-timeout setting for more details. Code in commit 1402.

Recursor version 3.1.7.2

Released on the 6th of January 2010.

This release consist of a number of vital security updates. These updates address issues that can in all likelihood lead to a full system compromise. In addition, it is possible for third parties to pollute your cache with dangerous data, exposing your users to possible harm.

This version has been well tested, and at the time of this release is already powering millions of internet connections, and should therefore be a risk-free upgrade from 3.1.7.1 or any earlier version of the PowerDNS Recursor.

All known versions of the PowerDNS Recursor are impacted to a greater or lesser extent, so an immediate update is advised.

These vulnerabilities were discovered by a third party that can’t yet be named, but who we thank for their contribution to a more secure PowerDNS Recursor.

For more information, see PowerDNS Security Advisory 2010-01 and PowerDNS Security Advisory 2010-02.

Recursor version 3.1.7.1

Released on the 2nd of August 2009.

This release consists entirely of fixes for tiny bugs that have been reported over the past year. In addition, compatibility has been restored with the latest versions of the gcc compiler and the ‘boost’ libraries.

No features have been added, but some debugging code that very slightly impacted performance (and polluted the console when operating in the foreground) has been removed.

FreeBSD users may want to upgrade because of a very remote chance of 3.1.7 and previous crashing once every few years. For other operators not currently experiencing problems, there is no reason to upgrade.

• Improved error messages when parsing zones for authoritative serving (commit 1235).
• Better resilience against whitespace in configuration (changesets 1237, 1240, 1242)
• Slight performance increase (commit 1378)
• Fix rare case where timeouts were not being reported to the right query-thread (commit 1260)
• Fix compilation against newer versions of the Boost C++ libraries (commit 1381)
• Close very rare issue with TCP/IP close reporting ECONNRESET on FreeBSD. Reported by Andrei Poelov in ticket 192.
• Silence debugging output (commit 1286).
• Fix compilation against newer versions of gcc (commit 1384)
• No longer set export-etc-hosts to ‘on’ on reload-zones. Discovered by Paul Cairney, closes ticket 225.
• Sane default for the maximum cache size in the Recursor, suggested by Roel van der Made (commit 1354).
• No longer exit because of the changed behaviour of the Solaris ‘completion ports’ in more recent versions of Solaris. Fix in commit 1372, reported by Jan Gyselinck.

Recursor version 3.1.7

Released the 25th of June 2008.

This version contains powerful scripting abilities, allowing operators to modify DNS responses in many interesting ways. Among other things, these abilities can be used to filter out malware domains, to perform load balancing, to comply with legal and other requirements and finally, to implement ‘NXDOMAIN’ redirection.

It is hoped that the addition of Lua scripting will enable responsible DNS modification for those that need it.

For more details about the Lua scripting, which can be modified, loaded and unloaded at runtime, see Scripting. Many thanks are due to the #lua irc channel, for excellent near-realtime Lua support. In addition, a number of PowerDNS users have been enthusiastically testing prereleases of the scripting support, and have found and solved many issues.

In addition, 3.1.7 fixes a number of bugs

• In 3.1.5 and 3.1.6, an authoritative server could continue to renew its authority, even though a domain had been delegated to other servers in the meantime.

  In the rare cases where this happened, and the old servers were not shut down, the observed effect is that users were fed outdated data. Bug spotted and analysed by Darren Gamble, fix in commit 1182 and commit 1183.

• Thanks to long time PowerDNS contributor Stefan Arentz, for the first time, Mac OS X 10.5 users can compile and run the PowerDNS Recursor! Patch in commit 1185.

• Sten Spans spotted that for outgoing TCP/IP queries, the query-local-address setting was not honored. Fixed in commit 1190.

• rec_control wipe-cache now also wipes domains from the negative cache, hurrying up the expiry of negatively cached records. Suggested by Simon Kirby, implemented in commit 1204.

• When a forwarder server is configured for a domain, using the forward-zones setting, this server IP address was filtered using the dont-query setting, which is generally not what is desired: the server to which queries are forwarded will often live in private IP space, and the operator should be trusted to know what he is doing. Reported and argued by Simon Kirby, fix in commit 1211.

• Marcus Rueckert of OpenSUSE reported that very recent gcc versions emitted a (correct) warning on an overly complicated line in syncres.cc, fixed in commit 1189.

• Stefan Schmidt discovered that the netmask matching code, used by the new Lua scripts, but also by all other parts of PowerDNS, had problems with explicit ‘/32’ matches. Fixed in commit 1205.

Recursor version 3.1.6

Released on the 1st of May 2008.

This version fixes two important problems, each on its own important enough to justify a quick upgrade.

• Version 3.1.5 had problems resolving several slightly misconfigured domains, including for a time ‘juniper.net’. Nameserver timeouts were not being processed correctly, leading PowerDNS to not update the internal clock, which in turn meant that any queries immediately following an error would time out as well. Because of retries, this would usually not be a problem except on very busy servers, for domains with different nameservers at different levels of the DNS-hierarchy, like ‘juniper.net’.

  This issue was fixed rapidly because of the help of XS4ALL (Eric Veldhuyzen, Kai Storbeck), Brad Dameron and Kees Monshouwer. Fix in commit 1178.

• The new high-quality random generator was not used for all random numbers, especially in source port selection. This means that 3.1.5 is still a lot more secure than 3.1.4 was, and its algorithms more secure than most other nameservers, but it also means 3.1.5 is not as secure as it could be. A quick upgrade is recommended. Discovered by Thomas Biege of Novell (SUSE), fixed in commit 1179.

Recursor version 3.1.5

Released on the 31st of March 2008.

Much like 3.1.4, this release does not add a lot of major features. Instead, performance has been improved significantly (estimated at around 20%), and many rare and not so rare issues were addressed. Multi-part TXT records now work as expected - the only significant functional bug found in 15 months. One of the oldest feature requests was fulfilled: version 3.1.5 can finally forward queries for designated domains to multiple servers, on differing port numbers if needed. Previously only one forwarder address was supported. This lack held back a number of migrations to PowerDNS.

We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to ‘spoof’ previous versions of the PowerDNS Recursor into accepting possibly malicious data.

Details can be found on this Trusteer page.

It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune.

The PowerDNS Security Advisory can be found in PowerDNS Security Advisory 2008-01.

This version can properly benefit from all IPv4 and IPv6 addresses in use at the root-servers as of early February 2008. In order to implement this, changes were made to how the Recursor deals internally with A and AAAA queries for nameservers, see below for more details.

Additionally, newer releases of the G++ compiler required some fixes (see ticket 173).

This release was made possible by the help of Wichert Akkerman, Winfried Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), Leo Baltus (Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf Cegetel), Peter Gervai, Marcus Goller (UPC), Matti Hiljanen (Saunalahti/Elisa), Ruben Kerkhof, Alex Kiernan, Amit Klein (Trusteer), Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert (OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt (Freenet), Kai Storbeck (xs4all), Alex Trull, Andrew Turnbull (No Wires) and Aaron Thompson, and many more who filed bugs anonymously, or who we forgot to mention.

Security related issues

• Amit Klein has informed us that System random generator output can be predicted based on its past behaviour, allowing a smart attacker to ‘spoof’ our nameserver. Full details in PowerDNS Security Advisory 2008-01.
• The Recursor will by default no longer query private-space nameservers. This closes a slight security risk and simultaneously improves performance and stability. For more information, see dont-query in pdns_recursor settings. Implemented in commit 923.
• Applied fix for ticket 110 (‘PowerDNS should change directory to ‘/’ in chroot), implemented in commit 944.

Performance

• The DNS packet writing and parsing infrastructure performance was improved in several ways, see commits 925, 926, 928, 931, 1021, 1050.
• Remove multithreading overhead from the Recursor (commit 999).

Bug fixes

• Built-in authoritative server now properly derives the TTL from the SOA record if not specified. Implemented in commit 1165. Additionally, even when TTL was specified for the built-in authoritative server, it was ignored. Reported by Stefan Schmidt, closing ticket 147.
• Empty TXT record components can now be served. Implemented in commit 1166, closing ticket 178. Spotted by Matti Hiljanen.
• The Recursor would not properly override old data with new, sometimes serving old and new data concurrently. Fixed in commit 1137.
• SOA records with embedded carriage-return characters are now parsed correctly. Implemented in commit 1167, closing ticket 162.
• Some routing conditions could cause UDP connected sockets to generate an error which PowerDNS did not deal with properly, leading to a leaked file descriptor. As these run out over time, the recursor could crash. This would also happen for IPv6 queries on a host with no IPv6 connectivity. Thanks to Kai of xs4all and Wichert Akkerman for reporting this issue. Fix in commit 1133.
• Empty unknown record types can now be stored without generating a scary error (commit 1129)
• Applied fix for ticket 111, ticket 112 and ticket 153 - large (multipart) TXT records are now retrieved and served properly. Fix in commit 996.
• Solaris compilation instructions in Recursor documentation were wrong, leading to an instant crash on startup. Luckily nobody reads the documentation, except for Marcus Goller who found the error. Fixed in commit 1124.
• On Solaris, finally fix the issue where queries get distributed strangely over CPUs, or not get distributed at all. Much debugging and analysing performed by Alex Kiernan, who also supplied fixes. Implemented in commit 1091, commit 1093.
• Various fixes for modern G++ versions, most spotted by Marcus Rueckert (commits 964, 965, 1028, 1052), and Ruben Kerkhof (commit 1136, closing ticket 175).
• Recursor would not properly clean up pidfile and control socket, closing ticket 120, code in commit 988, commit 1098 (part of fix by Matti Hiljanen, spotted by Leo Baltus)
• Recursor can now serve multi-line records from its limited authoritative server (commit 1014).
• When parsing zones, the ‘m’ time specification stands for minutes, not months! Closing Debian bug 406462 (commit 1026)
• Authoritative zone parser did not support ‘@’ in the content of records. Spotted by Marco Davids, fixed in commit 1030.
• Authoritative zone parser could be confused by trailing TABs on record lines (commit 1062).
• EINTR error code could block entire server if received at the wrong time. Spotted by Arnoud Bakker, fix in commit 1059.
• Fix crash on NetBSD on Alpha CPUs, might improve startup behaviour on empty caches on other architectures as well (commit 1061).
• Outbound TCP queries were being performed sub-optimally because of an interaction with the ‘MPlexer’. Fixes in commit 1115, commit 1116.

New features

• Implemented rec_control command get uptime, as suggested by Niels Bakker (commit 935). Added to default rrdtool scripts in commit 940.
• The Recursor Authoritative component, meant for having the Recursor serve some zones authoritatively, now supports $INCLUDE and $GENERATE. Implemented in commit 951 and commit 952, commit 967 (discovered by Thomas Rietz),
• Implemented forward-zones-file option in order to support larger amounts of zones which should be forwarded to another nameserver (commit 963).
• Both forward-zones and forward-zones-file can now specify multiple forwarders per domain, implemented in commit 1168, closing ticket 81. Additionally, both these settings can also specify non-standard port numbers, as suggested in ticket ticket 122. Patch authored by Aaron Thompson, with additional work by Augie Schwer.
• Sten Spans contributed allow-from-file, implemented in commit 1150. This feature allows the Recursor to read access rules from a (large) file.

General improvements

• Ruben Kerkhof fixed up weird permission bits as well as our SGML documentation code in commit 936 and commit 937.
• Full IPv6 parity. If configured to use IPv6 for outgoing queries (using query-local-address6=::0 for example), IPv6 and IPv4 addresses are finally treated 100% identically, instead of ‘mostly’. This feature is implemented using ‘ANY’ queries to find A and AAAA addresses in one query, which is a new approach. Treat with caution.
• Now perform EDNS0 root refreshing queries, so as to benefit from all returned addresses. Relevant since early February 2008 when the root-servers started to respond with IPv6 addresses, which made the default non-EDNS0 maximum packet length reply no longer contain all records. Implemented in commit 1130. Thanks to dns-operations AT mail.oarc.isc.org for quick suggestions on how to deal with this change.
• rec_control now has a timeout in case the Recursor does not respond. Implemented in commit 945.
• (Error) messages are now logged with saner priorities (commit 955).
• Outbound query IP interface stemmed from 1997 (!) and was in dire need of a cleanup (commit 1117).
• L.ROOT-SERVERS.NET moved (commit 1118).

Recursor version 3.1.4

Released the 13th of November 2006.

This release contains almost no new features, but consists mostly of minor and major bug fixes. It also addresses two major security issues, which makes this release a highly recommended upgrade.

Security issues

• Large TCP questions followed by garbage could cause the recursor to crash. This critical security issue has been assigned CVE-2006-4251, and is fixed in commit 915. More information can be found in “PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable”.
• CNAME loops with zero second TTLs could cause crashes in some conditions. These loops could be constructed by malicious parties, making this issue a potential denial of service attack. This security issue has been assigned CVE-2006-4252 and is fixed by commit 919. More information can be found in “PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash”. Many thanks to David Gavarret for helping pin down this problem.

Bugs

• On certain error conditions, PowerDNS would neglect to close a socket, which might therefore eventually run out. Spotted by Stefan Schmidt, fixed in commits 892, 897, 899.
• Some nameservers (including PowerDNS in rare circumstances) emit a SOA record in the authority section. The recursor mistakenly interpreted this as an authoritative “NXRRSET”. Spotted by Bryan Seitz, fixed in commit 893.
• In some circumstances, PowerDNS could end up with a useless (not working, or no longer working) set of nameserver records for a domain. This release contains logic to invalidate such broken NSSETs, without overloading authoritative servers. This problem had previously been spotted by Bryan Seitz, ‘Cerb’ and Darren Gamble. Invalidations of NSSETs can be plotted using the “nsset-invalidations” metric, available through rec_control get. Implemented in commit 896 and commit 901.
• PowerDNS could crash while dumping the cache using rec_control dump-cache. Reported by Wouter of WideXS and Stefan Schmidt and many others, fixed in commit 900.
• Under rare circumstances (depleted TCP buffers), PowerDNS might send out incomplete questions to remote servers. Additionally, on big-endian systems (non-Intel and non-AMD generally), sending out large TCP answers questions would not work at all, and possibly crash. Brought to our attention by David Gavarret, fixed in commit 903.
• The recursor contained the potential for a dead-lock processing an invalid domain name. It is not known how this might be triggered, but it has been observed by ‘Cerb’ on #powerdns. Several dead-locks where PowerDNS consumed all CPU, but did not answer questions, have been reported in the past few months. These might be fixed by commit 904.
• IPv6 ‘allow-from’ matching had problems with the least significant bits, sometimes allowing disallowed addresses, but mostly disallowing allowed addresses. Spotted by Wouter from WideXS, fixed in commit 916.

Improvements

• PowerDNS has support to drop answers from so called ‘delegation only’ zones. A statistic (“dlg-only-drops”) is now available to plot how often this happens. Implemented in commit 890.
• Hint-file parameter was mistakenly named “hints-file” in the documentation. Spotted by my Marco Davids, fixed in commit 898.
• rec_control quit should be near instantaneous now, as it no longer meticulously cleans up memory before exiting. Problem spotted by Darren Gamble, fixed in commit 914, closing ticket 84.
• init.d script no longer refers to the Recursor as the Authoritative Server. Spotted by Wouter of WideXS, fixed in commit 913.
• A potentially serious warning for users of the GNU C Library version 2.5 was fixed. Spotted by Marcus Rueckert, fixed in commit 920.

Recursor version 3.1.3

Released the 12th of September 2006.

Compared to 3.1.2, this release again consists of a number of mostly minor bug fixes, and some slight improvements.

Many thanks are again due to Darren Gamble who together with his team has discovered many misconfigured domains that do work with some other name servers. DNS has long been tolerant of misconfigurations, PowerDNS intends to uphold that tradition. Almost all of the domains found by Darren now work as well in PowerDNS as in other name server implementations.

Thanks to some recent migrations, this release, or something very close to it, is powering over 40 million internet connections that we know of. We appreciate hearing about successful as well as unsuccessful migrations, please feel free to notify pdns.bd@powerdns.com of your experiences, good or bad.

Bug-fixes

• The MThread default stack size was too small, which led to problems, mostly on 64-bit platforms. This stack size is now configurable using the stack-size setting should our estimate be off. Discovered by Darren Gamble, Sten Spans and a number of others. Fixed in commit 868.
• Plug a small memory leak discovered by Kai and Darren Gamble, fixed in commit 870.
• Switch from the excellent nedmalloc to dlmalloc, based on advice by the nedmalloc author. Nedmalloc is optimised for multithreaded operation, whereas the PowerDNS recursor is single threaded. The version of nedmalloc shipped contained a number of possible bugs, which are probably resolved by moving to dlmalloc. Some reported crashes on hitting 2G of allocated memory on 64 bit systems might be solved by this switch, which should also increase performance. See commit 873 for details.

Improvements

• The cache is now explicitly aware of the difference between authoritative and unauthoritative data, allowing it to deal with some domains that have different data in the parent zone than in the authoritative zone. Patch in commit 867.
• No longer try to parse DNS updates as if they were queries. Discovered and fixed by Jan Gyselinck, fix in commit 871.
• Rebalance logging priorities for less log cluttering and add IP address to a remote server error message. Noticed and fixed by Jan Gyselinck (commit 877).
• Add logging-facility setting, allowing syslog to send PowerDNS logging to a separate file. Added in commit 871.

Recursor version 3.1.2

Released Monday 26th of June 2006.

Compared to 3.1.1, this release consists almost exclusively of bug-fixes and speedups. A quick update is recommended, as some of the bugs impact operators of authoritative zones on the internet. This version has been tested by some of the largest internet providers on the planet, and is expected to perform well for everybody.

Many thanks are due to Darren Gamble, Stefan Schmidt and Bryan Seitz who all provided excellent feedback based on their large-scale tests of the recursor.

Bug-fixes

• Internal authoritative server did not differentiate between ‘NXDOMAIN’ and ‘NXRRSET’, in other words, it would answer ‘no such host’ when an AAAA query came in for a domain that did exist, but did not have an AAAA record. This only affects users with auth-zones configured. Discovered by Bryan Seitz, fixed in commit 848.
• ANY queries for hosts where nothing was present in the cache would not work. This did not cause real problems as ANY queries are not reliable (by design) for anything other than debugging, but did slow down the nameserver and cause unnecessary load on remote nameservers. Fixed in commit 854.
• When exceeding the configured maximum amount of TCP sessions, TCP support would break and the nameserver would waste CPU trying to accept TCP connections on UDP ports. Noted by Bryan Seitz, fixed in commit 849.
• DNS queries come in two flavours: recursion desired and non-recursion desired. The latter is not very useful for a recursor, but is sometimes (erroneously) used by monitoring software or load balancers to detect nameserver availability. A non-rd query would not only not recurse, but also not query authoritative zones, which is confusing. Fixed in commit 847.
• Non-standard DNS TCP queries, that did occur however, could drive the recursor to 100% CPU usage for extended periods of time. This did not disrupt service immediately, but does waste a lot of CPU, possibly exhausting resources. Discovered by Bryan Seitz, fixed in commit 858, which is post-3.1.2-rc1.
• The PowerDNS recursor did not honour the rare but standardised ‘ANY’ query class (normally ‘ANY’ refers to the query type, not class), upsetting the Wildfire Jabber server. Discovered and debugged by Daniel Nauck, fixed in commit 859, which is post-3.1.2-rc1.
• Everybody’s favorite, when starting up under high load, a bogus line of statistics was sometimes logged. Fixed in commit 851.
• Remove some spurious debugging output on dropping a packet by an unauthorized host. Discovered by Kai. Fixed in commit 854.

Improvements

• Misconfigured domains, with a broken nameserver in the parent zone, should now work better. Changes motivated and suggested by Darren Gamble. This makes PowerDNS more compliant with RFC 2181 by making it prefer authoritative data over non-authoritative data. Implemented in commit 856.
• PowerDNS can now listen on multiple ports, using the local-address setting. Added in commit 845.
• A number of speedups which should have a noticeable impact, implemented in commits 850, 852, 853, 855
• The recursor now works around an issue with the Linux kernel 2.6.8, as shipped by Debian. Fixed by Christof Meerwald in commit 860, which is post 3.1.2-rc1.

Recursor version 3.1.1

Released on the 23rd of May 2006.

Warning: 3.1.1 is identical to 3.1 except for a bug in the packet chaining code which would mainly manifest itself for IPv6 enabled Konqueror users with very fast connections to their PowerDNS installation. However, all 3.1 users are urged to upgrade to 3.1.1. Many thanks to Alessandro Bono for his quick aid in solving this problem.

Many thanks are due to the operators of some of the largest internet access providers in the world, each having many millions of customers, who have tested the various 3.1 pre-releases for suitability. They have uncovered and helped fix bugs that could impact us all, but are only (quickly) noticeable with such vast amounts of DNS traffic.

After version 3.0.1 has proved to hold up very well under tremendous loads, 3.1 adds important new features

• Ability to serve authoritative data from ‘BIND’ style zone files (using auth-zones statement).
• Ability to forward domains so configured to external servers (using forward-zones).
• Possibility of ‘serving’ the contents of /etc/hosts over DNS, which is very well suited to simple domestic router/DNS setups. Enabled using export-etc-hosts.
• As recommended by recent standards documents, the PowerDNS recursor is now authoritative for RFC-1918 private IP space zones by default (suggested by Paul Vixie).
• Full outgoing IPv6 support (off by default) with IPv6 servers getting equal treatment with IPv4, nameserver addresses are chosen based on average response speed, irrespective of protocol.
• Initial Windows support, including running as a service (‘NET START “POWERDNS RECURSOR”’). rec_channel is still missing, the rest should work. Performance appears to be below that of the UNIX versions, this situation is expected to improve.

Bug fixes

• No longer send out SRV and MX record priorities as zero on big-endian platforms (UltraSPARC). Discovered by Eric Sproul, fixed in commit 773.
• SRV records need additional processing, especially in an Active Directory setting. Reported by Kenneth Marshall, fixed in commit 774.
• The root-records were not being refreshed, which could lead to problems under inconceivable conditions. Fixed in commit 780.
• Fix resolving domain names for nameservers with multiple IP addresses, with one of these addresses being lame. Other nameserver implementations were also unable to resolve these domains, so not a big bug. Fixed in commit 780.
• For a period of 5 minutes after expiring a negative cache entry, the domain would not be re-cached negatively, leading to a lot of duplicate outgoing queries for this short period. This fix has raised the average cache hit rate of the recursor by a few percent. Fixed in commit 783.
• Query throttling was not aggressive enough and not all sorts of queries were throttled. Implemented in commit 786.
• Fix possible crash during startup when parsing empty configuration lines (commit 807).
• Fix possible crash when the first query after wiping a cache entry was for the just deleted entry. Rare in production servers. Fixed in commit 820.
• Recursor would send out differing TTLs when receiving a misconfigured, standards violating, RRSET with different TTLs. Implement fix as mandated by RFC 2181, paragraph 5.2. Reported by Stephen Harker (commit 819).
• The top-remotes would list remotes more than once, once per source port. Discovered by Jorn Ekkelenkamp, fixed in commit 827, which is post 3.1-pre1.
• Default allow-from allowed queries from fe80::/16, corrected to fe80::/10. Spotted by Niels Bakker, fixed in commit 829, which is post 3.1-pre1.
• While PowerDNS blocks failing queries quickly, multiple packets could briefly be in flight for the same domain and nameserver. This situation is now explicitly detected and queries are chained to identical queries already in flight. Fixed in commit 833 and commit 834, post 3.1-pre1.

Improvements

• ANY queries are now implemented as in other nameserver implementations, leading to a decrease in outgoing queries. The RFCs are not very clear on desired behaviour, what is implemented now saves bandwidth and CPU and brings us in line with existing practice. Previously ANY queries were not cached by the PowerDNS recursor. Implemented in commit 784.
• rec_control was very sparse in its error reporting, and user unfriendly as well. Reported by Erik Bos, fixed in commit 818 and commit 820.
• IPv6 addresses were printed in a non-standard way, fixed in commit 788.
• TTLs of records are now capped at two weeks, commit 820.
• allow-from IPv4 netmasks now automatically work for IP4-to-IPv6 mapper IPv4 addresses, which appear when running on the wildcard :: IPv6 address. Lack of feature noted by Marcus ‘darix’ Rueckert. Fixed in commit 826, which is post 3.1-pre1.
• Errors before daemonizing are now also sent to syslog. Suggested by Marcus ‘darix’ Rueckert. Fixed in commit 825, which is post 3.1-pre1.
• When launching without any form of configured network connectivity, all root-servers would be cached as ‘down’ for some time. Detect this special case and treat it as a resource-constraint, which is not accounted against specific nameservers. Spotted by Seth Arnold, fixed in commit 835, which is post 3.1-pre1.
• The recursor now does not allow authoritative servers to keep supplying its own NS records into perpetuity, which causes problems when a domain is redelegated but the old authoritative servers are not updated to this effect. Noticed and explained at length by Darren Gamble of Shaw Communications, addressed by commit 837, which is post 3.1-pre2.
• Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This harms performance and does not solve any real problem, but does make PowerDNS more compliant. If you want this, enable auth-can-lower-ttl. Implemented in commit 838, which is post 3.1-pre2.

Recursor version 3.0.1

Released 25th of April 2006, download.

This release consists of nothing but tiny fixes to 3.0, including one with security implications. An upgrade is highly recommended.

• Compilation used both cc and gcc, leading to the possibility of compiling with different compiler versions (commit 766).
• rec_control would leave files named lsockXXXXXX around in the configured socket-dir. Operators may wish to remove these files from their socket-dir (often /var/run), quite a few might have accumulated already (commit 767).
• Certain malformed packets could crash the recursor. As far as we can determine these packets could only lead to a crash, but as always, there are no guarantees. A quick upgrade is highly recommended (commits 760, 761). Reported by David Gavarret.
• Recursor would not distinguish between NXDOMAIN and NXRRSET (commit 756). Reported and debugged by Jorn Ekkelenkamp.
• Some error messages and trace logging statements were improved (commits 756, 758, 759).
• stderr was closed during daemonizing, but not dupped to /dev/null, leading to slight chance of odd behaviour on reporting errors (commit 757)

Operating system specific fixes

• The stock Debian sarge Linux kernel, 2.6.8, claims to support epoll but fails at runtime. The epoll self-testing code has been improved, and PowerDNS will fall back to a select based multiplexer if needed (commit 758) Reported by Michiel van Es.
• Solaris 8 compilation and runtime issues were addressed. See the README for details (commit 765). Reported by Juergen Georgi and Kenneth Marshall.
• Solaris 10 x86_64 compilation issues were addressed (commit 755). Reported and debugged by Eric Sproul.

Recursor version 3.0

Released 20th of April 2006, download.

This is the first separate release of the PowerDNS Recursor. There are many reasons for this, one of the most important ones is that previously we could only do a release when both the recursor and the authoritative nameserver were fully tested and in good shape. The split allows us to release new versions when each part is ready.

Now for the real news. This version of the PowerDNS recursor powers the network access of over two million internet connections. Two large access providers have been running pre-releases of 3.0 for the past few weeks and results are good. Furthermore, the various pre-releases have been tested nearly non-stop with DNS traffic replayed at 3000 queries/second.

As expected, the 2 million households shook out some very rare bugs. But even a rare bug happens once in a while when there are this many users.

We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon.

Some more information, based on a previous version of PowerDNS, can be found on the PowerDNS development blog.

Warning: Because of recent DNS based denial of service attacks, running an open recursor has become a security risk. Therefore, unless configured otherwise this version of PowerDNS will only listen on localhost, which means it does not resolve for hosts on your network. To fix, configure the local-address setting with all addresses you want to listen on. Additionally, by default service is restricted to RFC 1918 private IP addresses. Use allow-from to selectively open up the recursor for your own network. See pdns_recursor settings for details.

Important new features of the PowerDNS recursor 3.0

• Best spoofing protection and detection we know of. Not only is spoofing made harder by using a new network address for each query, PowerDNS detects when an attempt is made to spoof it, and temporarily ignores the data. For details, see Anti-spoofing.
• First nameserver to benefit from epoll/kqueue/Solaris completion ports event reporting framework, for stellar performance.
• Best statistics of any recursing nameserver we know of, see Statistics.
• Last-recently-used based cache cleanup algorithm, keeping the ‘best’ records in memory
• First class Solaris support, built on a ‘try and buy’ Sun CoolThreads T 2000.
• Full IPv6 support, implemented natively.
• Access filtering, both for IPv4 and IPv6.
• Experimental SMP support for nearly double performance. See PowerDNS Recursor performance.

Many people helped package and test this release. Jorn Ekkelenkamp of ISP-Services helped find the ‘8000 SOAs’ bug and spotted many other oddities and XS4ALL internet funded a lot of the recent development. Joaquín M López Muñoz of the boost::multi_index_container was again of great help.