PowerDNS Authoritative Server 4.0.3 released!

Today we’ve released version 4.0.3 of the PowerDNS Authoritative Server. This release fixes an issue when using multiple backends, where one of the backends is the BIND backend. This regression was introduced in version 4.0.2.

This makes the changelog very short:

  • #4905: Revert “In `Bind2Backend::lookup()`, use the `zoneId` when we have it”

Users with multiple backends are encouraged to upgrade.

Tarballs (signature) can be downloaded from the releases page, and the packages in the repositories have been updated.

PowerDNS Authoritative Server 3.4.11 and Recursor 3.7.4 released!

Today, we are releasing version 3.4.11 of the PowerDNS Authoritative Server and version 3.7.4 of the PowerDNS Recursor. These releases fix several security issues that were reported to PowerDNS.

It concerns the following security advisories:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-03: Denial of service via the web server (Authoritative only)
  • 2016-04: Insufficient validation of TSIG signatures (Authoritative only)
  • 2016-05: Crafted zone record can cause a denial of service (Authoritative only)

For those who cannot update, minimal patches are available (2016-02, 2016-03, 2016-04, 2016-05).

A few other issues have been fixed as well, see the Authoritative Server 3.4.11 changelog and the Recursor 3.7.4 changelog.

We urge all users to upgrade to these new versions.

Source tarballs and packages are available on:

PowerDNS Recursor 4.0.4 released!

We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code.

The following PowerDNS Security Advisories are fixed:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-04: Insufficient validation of TSIG signatures

Minimal patches are available for those unable to fully upgrade (2016-02, 2016-04).

The full changelog is available, highlights include:

  • Check TSIG signature on IXFR (Security Advisory 2016-04)
  • Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • Add `max-recursion-depth` to limit the number of internal recursions
  • Wait until after daemonizing to start the RPZ and protobuf threads
  • On RPZ customPolicy, follow the resulting CNAME
  • Make the negcache forwarded zones aware
  • Cache records for zones that were delegated to from a forwarded zone
  • DNSSEC: don’t go bogus on zero configured DSs
  • DNSSEC: NSEC3 optout and Bogus insecure forward fixes
  • DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones

We recommend all users of the Recursor to upgrade to this version. Tarballs with sources are available (signature).

Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.

PowerDNS Authoritative Server 4.0.2 released!

We are pleased to announce the release of the PowerDNS Authoritative Server 4.0.2. This release fixes several security issues reported to us in the last few months, as well as a memory leak in the Postgresql backend.

The following security issues were fixed:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-03: Denial of service via the web server
  • 2016-04: Insufficient validation of TSIG signatures
  • 2016-05: Crafted zone record can cause a denial of service

For those who cannot update, minimal patches are available (2016-02, 2016-03, 2016-04, 2016-05).

The full changelog is available, highlights include:

  • Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • Don’t exit if the webserver can’t accept a connection (Security Advisory 2016-03)
  • Check TSIG signature on IXFR (Security Advisory 2016-04)
  • Correctly check unknown record content size (Security Advisory 2016-05)
  • ODBC backend: actually prepare statements
  • Improve root-zone performance
  • Plug memory leak in postgresql backend (Christian Hofstaedtler)
  • calidns: Don’t crash if we don’t have enough ‘unknown’ queries remaining
  • Improve PacketCache cleaning (Kees Monshouwer)
  • Bind backend: update status message on reload, keep the existing zone on failure
  • Fix TSIG for single thread distributor (Kees Monshouwer)
  • Change default for any-to-tcp to yes (Kees Monshouwer)
  • Don’t look up the packet cache for TSIG-enabled queries
  • Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
  • pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)

We highly recommend all users to update to the latest version.

Source tarball (signature) is available, and packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.

dnsdist 1.1.0 released

We are very pleased to announce the availability of dnsdist 1.1.0. There have been very few changes since 1.1.0-beta2, the most significant ones being that we now handle header-only responses, and that “Refused” responses are now handled by the cache in the same way as “ServFail” ones.

dnsdist 1.1.0 has seen a significant amount of development, mostly based on feedback from the many 1.0 deployments. The majority of the new features have already been taken into production by pre-release and beta users.

Highlights include:

  • TeeAction: send queries to a second nameserver, but ignore responses. Used to test new installations on existing traffic. Also used by the Yeti rootserver project.
  • Response rules which act on received responses
  • AXFR/IXFR support, including filtering options
  • Linux kernel based query type and query name filtering (eBPF), for very high speed packet rejection. Includes counters and statistics
  • Query counting infrastructure (contributed by TransIP’s Reinier Schoof)

For the many other new features, improvements and bug fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS: 2016 in review

Hi everyone,

As 2016 draws to a close, we’d like to share a few words on what has been achieved over the past year, our second year within Open-Xchange. This post will cover both our technical and commercial efforts, including the PowerDNS Platform which provides per-subscriber malware filtering & parental control. And, we are hiring!

At the end of 2015, we released ‘Technology Preview Releases’ of PowerDNS Authoritative Server 4, PowerDNS Recursor 4 and dnsdist 1.0. This was done to somewhat keep our promise of releasing those versions in 2015, but fell short of what we had hoped to achieve.

Now at the end of 2016 the news is a lot better. The actual 4.0 and 1.0 (dnsdist) releases have happened and are being deployed far faster than we’d been hoping for. This is probably due to some of the exciting new features:

  • RPZ for security & DNS filtering purposes (including IXFR)
  • dnsdist for reliability, flexibility and DoS protection
  • pdnsutil edit-zone for a pretty awesome way to edit DNS zones
  • DNSSEC validation in Recursor
  • Vastly more powerful Lua engines
  • ALIAS record type that now powers DNSSEC for many of the .GOV search engines (including the White House!)

A notable DNSSEC deployment is over at our friends of xs4all who not only sign domains with the PowerDNS Authoritative Server, but recently have also turned on validation on their PowerDNS Recursors for their large userbase.

4.0 and dnsdist were both part of a ‘spring cleaning’ exercise. It is good to realize how rare it is for a software project to go through such an exercise. 4.0 and dnsdist are based on a much cleaned up and improved codebase.

We are also very grateful for our community that stepped up to contribute to 4.x in the form of code, great bug reports, design ideas, documentation and actual bug fixes. Our meagre offering of ‘PowerDNS Crew’ mugs is the least we could do!

Some stats that bear out the community involvement: In 2016, our GitHub repository was forked over 100 times, yielding almost 1000 Pull Requests, most of which were merged, for a total of over 2500 new commits. These commits closed 1300 issue tickets.

As you may recall, since 2015 PowerDNS has been part of OX, together with our cousins from Dovecot. When we announced the merger, some voiced fear about what this would mean for PowerDNS. We can now safely say that the state of the PowerDNS source in 2016 is way stronger than it was in 2015.

Besides finishing the spring cleaning of our open source products, 2016 also saw the release of the PowerDNS Platform which, unusually for us, is not fully open source. We explained this in our blog post as follows:

Putting it more strongly: we have learned that many organizations simply no longer have the time or desire to assemble all the technologies themselves around our Open Source products.

We will therefore be marketing the additional functionalities we have been delivering to our customers as a product tentatively called the “PowerDNS Platform”

The “PowerDNS Platform” as we ship it consists of our core unmodified Open Source products, plus loads of other open source technologies, combined with a management shell that is not an Open Source product that we’ll in fact sell.

The PowerDNS Platform is described here. Feedback on the move to supply the Platform has been good, both from our commercial users and from the PowerDNS development and wider DNS community, for which we are grateful.

Now at the end of 2016 we can report that the PowerDNS Platform has been selected to provide a malware & parental control enabled DNS solution for over 10 million Internet subscribers in Europe. We will be displacing a fully closed solution, which is a win for an open internet.

In addition, this commercial progress provides a healthy & sustainable basis on which to continue to develop the PowerDNS nameservers and dnsdist.

PowerDNS.org

We have regained control over powerdns.org. As outlined in our blogpost:

Recently we decided it was time to get the .org back anyhow and after negotiating for a few days we finally paid up, and shortly after that we were back in control of powerdns.org, at a cost of $1000.

This personally left me with a bad aftertaste since effectively we have paid a chain of people that specialise in taking over domains for ransom purposes.


To compensate for all this, we’ve decided to donate €1000 to the Doctors without Borders charity.

Mugs

We have shipped close to 500 PowerDNS Release mugs to contributors, friends and conference visitors. If you missed out on our giveaway, you can order PowerDNS mugs online from our friends over at Mugbug, who have been an absolute joy to work with.

Root-server speedup

We also had a good time working with the fine people of the RIPE NCC. Anand Buddhdev there decided to do some benchmarking to determine the root-server suitability of a bunch of nameservers. And lo, during his testing, he found that PowerDNS 4.0 was not very suitable. After a good month of investigations & improvements, we managed to achieve a 400% speedup in the PowerDNS Authoritative Server which actually also helped the PowerDNS Recursor.

We shared our learnings on modern optimization in this Medium post which at >10k visits is the second best read post we have ever done. These speedups will be available in the 4.1 releases of our software.

People

PowerDNS grew this year! Open-Xchange gained a product manager (Alexander ter Haar) and we are also benefiting greatly from Nico Cartron (previously of EfficientIP) and Andrea Tosatto who are helping with automation, deployability and pre-sales work. In addition, we continue to work happily with members of the extended PowerDNS family who we contract with for development, training, documentation and professional services.

But... it is not enough. We are still looking for two permanent positions, one in professional services, one in front-end development with a smattering of backend. For more details, please head to our careers page.

Finally

Thank you for being involved with PowerDNS, the software and the community. Reading this post to the end means you really care. 🙂

We wish you a great 2017!

dnsdist 1.1.0 Beta 2 released

We are pleased to announce the availability of the second beta release of dnsdist 1.1.0. We fixed several bugs since beta 1, especially in the TCP area, and added a few new features:

  • EDNS Client Subnet can be configured per-query
  • The UDP timeout is now configurable
  • Dynamic blocks can send a REFUSED response instead of simply dropping the query
  • A ServFail response can be returned when no servers are available, instead of dropping the query
  • Our internal statistics counters are readable from Lua
  • The configuration engine can include every configuration file found in a given directory
  • ACL rules can be edited via the API
  • The percentage of the cache scanned to expunge expired entries can be configured

See the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.