PowerDNS Recursor 4.0.8 Released

Today we announce the release of the PowerDNS Recursor 4.0.8 which contains a fix for the following security advisory:

The full changelog looks like this:

Bug fixes

  • #5930: Don’t assume TXT record is first record for secpoll
  • #6082: Don’t add non-IN records to the cache

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.


PowerDNS Recursor 4.1

This is a major release containing significant speedups (both in throughput and latency), enhanced capabilities and a highly conformant and robust DNSSEC validation implementation that is ready for heavy production use. In addition, our EDNS Client Subnet implementation now scales effortlessly to networks needing very fine grained scopes (as used by some ‘country sized’ service providers).

4.1 reflects over a year of improvements, cleanups and enhancements – both visible and invisible. Some of the smaller improvements have been backported to 4.0 releases, but most are new.

We are particularly grateful for the help of XS4ALL and Packet Clearing House (Quad9) for their help maturing this release to production readiness. In addition, various very large RFP requirements documents have also been stimulating. Finally, we’d like to thank Akamai for quickly resolving a single bit issue in their DNS responses which led the stricter 4.1-era resolving logic to not cache certain data which caused user noticeable slowdowns.

We have tried to list everyone else in the full changelog, and we are very grateful for all the work and testing PowerDNS has received from the community!

4.1 has seen an astounding amount of pre-release testing and even full production use, and from this data we know this release is rock solid and represents a significant speedup not only in benchmarks but also in real life.


DNSSEC

DNSSEC is a complicated protocol, yet operators (rightfully) expect rapid performance that resolves even rare or outlandish signing scenarios, all while not impacting non-DNSSEC enabled domain resolution speed. While Recursor 4.0.7 is suitable for DNSSEC validation, operators have noted that 4.1 delivers superior performance, with no observable errors that are not caused by configuration mistakes by domain owners. In addition, 4.1 works around more issues triggered by non-conforming nameservers and load balancers. Anyone doing DNSSEC validation with 4.0.7 is urged to upgrade.

As part of this DNSSEC work, the central DNS resolving logic of PowerDNS was fully cleaned up and made unit-testable. Large volumes of such unit tests have been added, next to similar large amounts of new regression tests.

After extensive measurements, we are now sure that enabling DNSSEC validation has a negligible impact on user experienced performance.

Improved documentation

Our Pieter Lexis invested a ton of time improving not only the contents but also the appearance and search of our documentation. Take a look at https://doc.powerdns.com/recursor/ and know you can easily edit our documentation via GitHub’s built in editor.

RPZ

RPZ is a standard for retrieving policy through zonefiles, possibly transferred incrementally (IXFR). PowerDNS 4.0 brought support for RPZ, but it was not quite complete and had performance deficiencies on very large RPZ datasets. Some of the 4.1 improvements in this area have already been backported to the 4.0 series. Notable changes in 4.1 are the addition of support for wildcard records, improvements in RPZ reloading & update processing and new debugging facilities (logging of changes and serialization of current RPZ state).
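The trigger matching described above, as an added example that is not PowerDNS code: a small evaluator for RPZ QNAME triggers, including the wildcard triggers that 4.1 added. The zone fragment, the names in it and the 192.0.2.1 address are constructed for illustration, and the evaluator only covers QNAME triggers (not IP, NSDNAME or NSIP triggers).

```python
# Added example, not PowerDNS code: a minimal evaluator for RPZ QNAME
# triggers, including wildcard triggers. The zone fragment, names and the
# 192.0.2.1 address below are constructed for illustration.

# Constructed RPZ zone fragment (owner names relative to the RPZ zone apex).
# The right-hand side encodes the action, as in the RPZ specification:
#   CNAME .              -> NXDOMAIN
#   CNAME *.             -> NODATA
#   CNAME rpz-passthru.  -> PASSTHRU (exempt from the policy)
#   CNAME rpz-drop.      -> DROP (no answer at all)
#   anything else        -> Local Data (answer with the given record)
SAMPLE_RPZ = """
bad.example          CNAME .
*.bad.example        CNAME .
nodata.example       CNAME *.
*.sinkhole.example   CNAME rpz-drop.
allowed.example      CNAME rpz-passthru.
*.allowed.example    CNAME rpz-passthru.
walled.example       A     192.0.2.1
"""

SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def parse_rpz(text):
    """Map each trigger owner name (lowercased, no trailing dot) to an action."""
    policies = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = owner.lower().rstrip(".")
        if rtype.upper() == "CNAME" and rdata in SPECIAL_TARGETS:
            policies[owner] = (SPECIAL_TARGETS[rdata], None)
        else:
            policies[owner] = ("LOCALDATA", (rtype.upper(), rdata))
    return policies


def lookup_policy(policies, qname):
    """Return the policy for qname, or None when no trigger matches.

    An exact trigger matches only that name; a '*.parent' trigger matches
    any name below parent but not parent itself, which is why the sample
    zone lists both bad.example and *.bad.example. The closest parent's
    wildcard is tried first.
    """
    name = qname.lower().rstrip(".")
    if name in policies:
        return policies[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in policies:
            return policies[candidate]
    return None


POLICIES = parse_rpz(SAMPLE_RPZ)

if __name__ == "__main__":
    for q in ["bad.example", "www.bad.example", "nodata.example",
              "a.b.sinkhole.example", "allowed.example", "walled.example",
              "other.example"]:
        print(q, "->", lookup_policy(POLICIES, q))
```

Note that `sinkhole.example` itself gets no policy: only names below it match the wildcard trigger, so an operator who wants the apex blocked too must add an exact trigger alongside the wildcard.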

EDNS Client Subnet

EDNS Client Subnet is utilized to transmit (part of) the client IP address to authoritative servers, in the hope that they can provide more relevant answers. ECS is used by large Content Distribution Networks, and can be required to offer good streaming performance for clients within very large operator networks. The 4.0 ECS implementation is running in production in a number of such places, but the 4.1 implementation has been improved to use fewer CPU cycles and deal better with smaller subnets. In addition, metrics have been added to monitor ECS query loads.
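The option itself, as an added example rather than PowerDNS code: building and parsing the EDNS Client Subnet option (RFC 7871, option code 8). The encoder truncates the address to the source prefix length and zeroes the trailing bits, which is the behaviour the sdig fix (#5320) in the 4.0.7 changelog below refers to; the parser rejects an option whose trailing bits are not zero. The addresses are documentation prefixes chosen for illustration.

```python
# Added example, not PowerDNS code: build and parse the EDNS Client Subnet
# option (RFC 7871, option code 8). Addresses used in the tests are
# documentation prefixes, chosen for illustration.
import ipaddress
import struct

ECS_OPTION_CODE = 8
FAMILY_LEN = {1: 4, 2: 16}  # address family -> full address length in octets


def _truncate(addr, prefix_len):
    """Keep only prefix_len bits of addr: octets beyond the prefix are
    dropped and the unused bits of the last kept octet are zeroed."""
    nbytes = (prefix_len + 7) // 8
    data = bytearray(addr[:nbytes])
    if prefix_len % 8:
        data[-1] &= (0xFF << (8 - prefix_len % 8)) & 0xFF
    return bytes(data)


def build_ecs_option(address, source_prefix_len, scope_prefix_len=0):
    """Return the wire form of the ECS option: code, length, payload."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2
    if not 0 <= source_prefix_len <= ip.max_prefixlen:
        raise ValueError("source prefix length out of range")
    if not 0 <= scope_prefix_len <= ip.max_prefixlen:
        raise ValueError("scope prefix length out of range")
    payload = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len)
    payload += _truncate(ip.packed, source_prefix_len)
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option):
    """Parse one ECS option; returns (family, source, scope, address).

    Raises ValueError on malformed input, including non-zero bits beyond
    the source prefix, which RFC 7871 requires senders to zero.
    """
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    payload = option[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("bad option length")
    family, source, scope = struct.unpack("!HBB", payload[:4])
    addr = payload[4:]
    full = FAMILY_LEN.get(family)
    if full is None:
        raise ValueError("unknown address family %d" % family)
    if source > full * 8 or scope > full * 8:
        raise ValueError("prefix length exceeds address size")
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    if _truncate(addr, source) != addr:
        raise ValueError("non-zero bits beyond the source prefix")
    ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
    return family, source, scope, str(ip)


if __name__ == "__main__":
    opt = build_ecs_option("192.0.2.133", 24)
    print(opt.hex(), parse_ecs_option(opt))
```

A resolver that forwards ECS should send only the prefix it is willing to disclose (typically /24 for IPv4 and /56 for IPv6) and should never pass the full client address through; the encoder above makes the truncation explicit so the privacy boundary is visible in the code.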

Miscellaneous

SNMP support was added. The built-in authoritative server (which is more important since Authoritative Server 4.1 removed the ‘recursor=’ bypass) gained the ability to serve wildcard CNAMEs. The Lua engine gained a lot of access to relevant data from more places (EDNS Client Subnet details, MAC address, TCP or UDP). CPU affinity can now be specified. Support was added for TCP Fast Open.

There are new performance metrics which track the amount of CPU time used per query, which is useful to study performance isolated from network latencies.

The full changelog can be read here.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.1

Version 4.1 is a major upgrade for the Authoritative Server, delivering improvements and speedups developed and tested over the past 12 months. Many large scale deployments have already migrated to this release because even unreleased, it was a better nameserver than 4.0.x (although the recently released 4.0.5 has fixed a number of relevant issues).


This release features prominent contributions from our community. We’d like to highlight the tireless work of Kees Monshouwer in improving the Authoritative Server based on his huge experience scaling PowerDNS to millions of DNSSEC production zones. Christian Hofstaedtler and Jan-Piet Mens contributed massively as well in many different places. Also a round of thanks to Grégory Oestreicher for revamping and reviving the LDAP backend. Wolfgang Studier, “#MrM0nkey”, Tudor Soroceanu and Benjamin Zengin delivered the DNSSEC management API, as part of their studies at TU Berlin.

We have tried to list everyone else in the full changelog, and we are very grateful for all the work and testing PowerDNS has received from the community!

Improved performance: 4x speedup in some scenarios

More than a year ago, the RIPE NCC benchmarked several nameserver implementations, and found PowerDNS was not a performant root-server. Although PowerDNS is great at serving millions of zones, we’d like to be fast on smaller zones as well. Results of this optimization spree are described here, and also in this longer article “Optimizing optimizing: some insights that led to a 400% speedup of PowerDNS”. Kees Monshouwer’s cache (re)work has been vital to attaining this performance improvement.

Crypto API: DNSSEC fully configurable via RESTful API

Our RESTful HTTP API has gained support for DNSSEC & key management. This API is “richer than most” since it is aware of DNSSEC semantics, and therefore allows you to manipulate zones without having to think about DNSSEC details. The API will do the right thing. This work was contributed by Wolfgang Studier, #MrM0nkey, Tudor Soroceanu and Benjamin Zengin as part of their work over at TU Berlin.

Database related: reconnection and 64 bit id fields

Database servers sometimes disconnect after shorter or longer idle periods. This could confuse both PowerDNS and database client libraries under some quiet conditions. 4.1 contains enhanced reconnection logic that we believe solves all associated problems. In a pleasing development, one PowerDNS user has a database so large they exceeded a 32 bit id counter, which has now been made 64 bit.

Improved documentation

Our Pieter Lexis invested a ton of time improving not only the contents but also the appearance and search of our documentation. Take a look at https://doc.powerdns.com/authoritative/ and know you can easily edit our documentation via GitHub’s built in editor.

Recursor passthrough removal

This will impact many installations, and we realize this may be painful, but it is necessary. Previously, the PowerDNS Authoritative Server contained a facility for sending recursion desired queries to a resolving backend, possibly after first consulting its local cache. This feature (‘recursor=’) was frequently confusing and also delivered inconsistent results, for example when a query ended up referring to a CNAME that was outside of the Authoritative Server’s knowledge. To migrate from a 3.0 or 4.0 era PowerDNS Authoritative Server with a ‘recursor’ statement in the configuration file, please see Migrating from using recursion on the Authoritative Server to using a Recursor.

Miscellaneous

Support was added for TCP Fast Open. Non-local bind is now supported. pdnsutil check-zone will now warn about more errors or unlikely configurations. Our packages now ship with PKCS #11 support (which previously required a recompilation). Improved integration with systemd logging (timestamp removal).

The full changelog can be read here.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Released

Today we announce the release of both the PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 which contain a lot of backports from the 4.1.x branch.
These releases also drop support for Botan 1.10 in favor of Botan 2.x.
More importantly there are fixes for the following security advisories.

Authoritative Server

Recursor

(We thank Nixu for their discoveries of CVE-2017-15092, CVE-2017-15093 and CVE-2017-15094.)

Changelog: PowerDNS Authoritative Server 4.0.5

The full changelog looks like this:

Bug fixes

  • #4650: Bindbackend: do not corrupt data supplied by other backends in getAllDomains (Christian Hofstaedtler)
  • #4751: API: prevent sending nameservers list and zone-level NS in rrsets (Christian Hofstaedtler)
  • #4929: gpgsql: make statement names actually unique (Christian Hofstaedtler)
  • #4997: Fix remotebackend params (Aki Tuomi)
  • #5051: Fix godbc query logging
  • #5125: For create-slave-zone, actually add all slaves, and not only first n times
  • #5161: Fix a regression in axfr-rectify + test (Arthur Gautier)
  • #5408: When making a netmask from a comboaddress, we neglected to zero the port
  • #5599: Fix libatomic detection on ppc64
  • #5641: Catch DNSName exception in the Zoneparser
  • #5722: Publish inactive KSK/CSK as CDNSKEY/CDS
  • #5730: Handle AFSDB record separately due to record structure. Fixes #4703 (Johan Jatko)
  • #5678: Treat requestor’s payload size lower than 512 as equal to 512
  • #5766: Correctly purge entries from the caches after a transfer
  • #5777: Handle a signing pipe worker dying with work still pending
  • #5815: Ignore SOA-EDIT for PRESIGNED zones. Fixes #5814
  • #5933: Check return value for all getTSIGKey calls. Fixes #5931

Improvements

  • #4922: Fix ldap-strict autoptr feature, including a test
  • #5043: mydnsbackend: Add getAllDomains (Aki Tuomi)
  • #5112: Stubresolver: Use only recursor setting if given
  • #5147: LuaWrapper: Allow embedded NULs in strings received from Lua
  • #5277: sdig: Clarify that the ednssubnet option takes “subnet/mask”
  • #5309: Tests: Ensure all required tools are available (Arthur Gautier)
  • #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
  • #5349: LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
  • #5498: Add support for Botan 2.x
  • #5509: Ship ldapbackend schema files in tarball (Christian Hofstaedtler)
  • #5518: Collection of schema changes (Kees Monshouwer)
  • #5523: Fix typo in two log messages (Ruben Kerkhof)
  • #5598: Add help text on autodetecting systemd support
  • #5723: Use a unique pointer for bind backend’s d_of
  • #5826: Fix some of the issues found by @jpmens

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Changelog: PowerDNS Recursor 4.0.7

The full changelog looks like this:

Bug fixes

  • #4561: Update rec_control manpage (Winfried Angele)
  • #4824: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5406: Make more specific Netmasks < to less specific ones
  • #5525: Fix validation at the exact RRSIG inception or expiration time
  • #5740: Lowercase all outgoing qnames when lowercase-outgoing is set
  • #5599: Fix libatomic detection on ppc64
  • #5961: Edit configname definition to include the ‘config-name’ argument (Jake Reynolds)

Improvements

  • #4646: Extract nested exception from Luawrapper
  • #4960: Use explicit yes for default-enabled settings (Christian Hofstaedtler)
  • #5078: Throw an error when lua-conf-file can’t be loaded
  • #5261: get-remote-ring’s “other” report should only have two items. (Patrick Cloke)
  • #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
  • #5488: Only increase no-packet-error on the first read
  • #5498: Add support for Botan 2.x
  • #5511: Add more information to recursor cache dumps
  • #5523: Fix typo in two log messages (Ruben Kerkhof)
  • #5598: Add help text on autodetecting systemd support
  • #5726: Be more resilient with broken auths
  • #5739: Remove pdns.PASS and pdns.TRUNCATE
  • #5755: Improve dnsbulktest experience in travis for more robustness
  • #5762: Create socket-dir from init-script
  • #5843: b.root renumbering, effective 2017-10-24
  • #5921: Don’t retry security polling too often when it fails

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

FOSDEM 2018 DNS devroom CfP!

Hello DNS-enthusiasts and other developers,

After two successful BoF sessions at FOSDEM 2016 and 2017, FOSDEM 2018 will see a real DNS devroom! We hope to host talks anywhere from hardcore protocol stuff, to practical sessions for programmers that are not directly involved with DNS but may have to deal with DNS in their day to day coding or system administrators responsible for DNS infrastructure.

We have been allotted half a day on Sunday 4 February 2018. We expect to schedule 30 minutes per talk, including questions, but this is open to discussion.

If you have something you’d like to share with your fellow developers, please head to pentabarf at https://penta.fosdem.org/submission/FOSDEM18. Examples of topics are measuring, monitoring, DNS libraries, and anecdotes on how you’ve (ab)used the DNS.

The deadline for submission is December 8th. If you have a FOSDEM pentabarf account from a previous year, please use that account. Reach out to dns-devroom-manager@fosdem.org if you run into any trouble.

We are also looking for volunteers to help with cameras etc. Please drop us an email at dns-devroom-manager@fosdem.org if you’re interested in helping out.

See you there!

Cheers,
Peter van Dijk, Shane Kerr, Pieter Lexis

PowerDNS Recursor 4.1.0 Release Candidate 3 Available

PowerDNS Recursor 4.1.0 RC3 is here!

We’d like to thank everyone that has helped us test the previous Recursor release candidates.

The third Release Candidate adds support for Botan 2.x (and removes support for Botan 1.10!), has some important DNSSEC fixes, features a cleaned up web UI and has miscellaneous minor improvements.

Also thanks to Jan-Piet Mens for help on the documentation!

The full changelog looks like this:

Improvements

  • #5895: Add the DNSSEC validation state to the DNSQuestion Lua object (although the ability to update the validation state from these hooks is postponed to after 4.1.0).
  • #5498: Add support for Botan 2.x and remove support for Botan 1.10.
  • #5876: Print more details of trust anchors. In addition, the trace output that mentions if data from authoritative servers gets accepted now also prints the TTL and clarifies the ‘place’ number previously printed.
  • #5616: Better support for deleting entries in NetmaskTree and NetmaskGroup.

Bug Fixes

  • #5889: Prevent possible downgrade attacks in the recursor.
  • #5885: Split NODATA / NXDOMAIN NSEC wildcard denial proof of existence. Otherwise there is a very real risk that a NSEC will cover a more specific wildcard and we end up with what looks like a NXDOMAIN proof but is a NODATA one.
  • #5904: Fix incomplete validation of cached entries.
  • #5912: Fix going Insecure on NSEC3 hashes with too many iterations, since we could have gone Bogus on a positive answer synthesized from a wildcard if the corresponding NSEC3 had more iterations than we were willing to accept, while the correct result is Insecure.
  • #5877: Sort NS addresses by speed and remove old ones.
  • #5896: Purge nsSpeeds entries even if we get less than 2 new entries.
  • #5881: Add EDNS to truncated, servfail answers.
  • #5917: Use _exit() when we really really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.
  • #5930: In the recursor secpoll code, we assumed the TXT record would be the first record we received. Sometimes it was the RRSIG, leading to a silent error and no secpoll check. Fixed the assumption and added an error.
  • #5938: Don’t crash when asked to run with zero threads.
  • #5939: Only accept types not matching the query if we asked for ANY. Even from forward-recurse servers.
  • #5937: Allow the use of a ‘self-resolving’ NS if cached A / AAAA exists. Before this, we could skip a perfectly valid NS for which we had retrieved the A and / or AAAA entries, for example via a glue.
  • #5961: Add the config-name argument to the definition of configname. There was a bug where the config-name parameter was not used to change the path of the config file. This meant that some commands via rec_control (e.g. reload-acls) would fail when run against a recursor which had config-name defined. The correct behaviour was present in some, but not all, definitions of configname. (@jake2184)
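
The NODATA / NXDOMAIN split from #5885 above, as an added illustration that is not the Recursor's validator: an NXDOMAIN proof needs an NSEC that covers the query name and one that covers the wildcard at the closest encloser, while an NSEC that matches the wildcard (the wildcard exists, its bitmap lacks the type) is a NODATA proof. Treating the second case as the first is exactly the confusion the fix removes. The zone "example." and its NSEC chain are constructed for this example; NSEC3 is not handled.

```python
# Added example, not the Recursor's validator: classify a DNSSEC denial of
# existence from NSEC records, keeping the NXDOMAIN proof (qname and the
# closest-encloser wildcard are both covered) separate from the NODATA proof
# (an NSEC matches the name or the wildcard and its bitmap lacks the type).
# The zone "example." and its NSEC chain below are constructed.


def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels lowercased and
    compared from the root downward; a parent sorts before its children."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return list(reversed(labels))


def nsec_matches(owner, qname):
    return canonical_key(owner) == canonical_key(qname)


def nsec_covers(owner, next_name, qname):
    """True when qname sorts strictly between owner and next_name, so the
    name does not exist; the last NSEC wraps around to the zone apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def common_ancestor(a, b):
    """Longest common ancestor of two names, as a dotted name."""
    ka, kb = canonical_key(a), canonical_key(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    labels = [l.decode() for l in reversed(ka[:i])]
    return ".".join(labels) + "." if labels else "."


def classify_denial(qname, qtype, nsecs):
    """nsecs: list of (owner, next, type bitmap). Returns "NODATA",
    "NXDOMAIN", or None when the records prove no denial for (qname, qtype)."""
    # 1. An NSEC matching qname exactly: the name exists, so the only thing
    #    it can prove is NODATA (bitmap lacks qtype and CNAME).
    for owner, _, types in nsecs:
        if nsec_matches(owner, qname):
            return None if qtype in types or "CNAME" in types else "NODATA"
    # 2. Otherwise qname must be covered ...
    covering = [(o, n) for o, n, _ in nsecs if nsec_covers(o, n, qname)]
    if not covering:
        return None
    owner, next_name = covering[0]
    # ... and the wildcard at the closest encloser must be dealt with.
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, next_name),
             key=lambda n: len(canonical_key(n)))
    wildcard = "*." + ce if ce != "." else "*."
    for o, n, types in nsecs:
        if nsec_matches(o, wildcard):
            # The wildcard exists: qname would be synthesized from it, so this
            # is a NODATA proof for the wildcard, not an NXDOMAIN proof.
            return None if qtype in types or "CNAME" in types else "NODATA"
        if nsec_covers(o, n, wildcard):
            return "NXDOMAIN"
    return None


# Constructed NSEC chain for the zone "example." (owner, next, type bitmap).
SAMPLE_NSECS = [
    ("example.", "a.example.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("a.example.", "c.example.", {"A", "NSEC", "RRSIG"}),
    ("c.example.", "w.example.", {"A", "NSEC", "RRSIG"}),
    ("w.example.", "*.w.example.", {"A", "NSEC", "RRSIG"}),
    ("*.w.example.", "example.", {"A", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    for q, t in [("b.example.", "A"), ("a.example.", "AAAA"),
                 ("foo.w.example.", "MX"), ("foo.w.example.", "A")]:
        print(q, t, "->", classify_denial(q, t, SAMPLE_NSECS))
```

The instructive case is `foo.w.example.` with type MX: the name is covered by the last NSEC, which looks like the start of an NXDOMAIN proof, but `*.w.example.` exists and lacks MX, so the correct verdict is NODATA, and for type A there is no denial at all because the wildcard would synthesize an answer.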

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.  (The Raspberry Pi packages will follow Monday morning.)

We invite you to test this release candidate and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

Enjoy!

PowerDNS Authoritative Server 4.1.0 Release Candidate 3 Available

We present what should be our last release candidate for PowerDNS Authoritative Server 4.1.0: Release Candidate 3!

If no major issues are found we expect to release the final version within the next two weeks.

Thanks to everyone who tested the previous release candidates.

This release features various bug fixes, some improvements to pdnsutil, documentation improvements by Christian Hofstaedtler and logging message improvements by Job Snijders.

The Raspbian packages will follow Monday since the builder is still working on them.

The full changelog looks like this:

New Features

  • #5936: Make it possible to disable DNSSEC via the API, this is equivalent to doing pdnsutil disable-dnssec.
  • #5883: Add add-meta command to pdnsutil that can be used to append to existing metadata without clobbering it.

Improvements

  • #5616: Better support for deleting entries in NetmaskTree and NetmaskGroup.
  • #5935: Throw exception for metadata endpoint with wrong zone. Before, we would happily accept this POST.
  • #5879: Warn if records in a zone are occluded.

Bug Fixes

  • #5917: Use _exit() when we really really want to exit, for example after a fatal error. This stops us dying while we die. A call to exit() will trigger destructors, which may paradoxically stop the process from exiting, taking down only one thread, but harming the rest of the process.
  • #5884: Fix messages created by pdnsutil generate-tsig-key.
  • #5928: Add back missing output details to rectifyZone.
  • #5905: Use 302 redirects in the webserver for ringbuffer reset or resize. With the current 301 redirect it is only possible to reset or resize once. Every next duplicate action is replaced by the destination cached in the browser.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com. (The Raspbian packages will come later, possibly Monday, because they are still building.)

We invite you to test this release candidate and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.