First release candidate of PowerDNS Recursor 4.6.0

We are proud to announce the first release candidate of PowerDNS Recursor 4.6.0.

Compared to the beta2 release, this release fixes an issue with incoming queries over TCP and with the systemd unit file for virtual hosting.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes:

  • The ability to flush records from the caches on a incoming notify requests. Many thanks to Kevin P. Fleming for this feature!
  • A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders.
  • Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.
  • A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone.
  • An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details. When upgrading do not forget to check the upgrade guide.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the final 4.6 release, the 4.3.x releases will be marked EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

Second beta release of dnsdist 1.7.0

Hello!

We are happy to announce the second beta release of dnsdist 1.7.0, with few fixes since the first beta, the most important one being a memory leak when reusing TLS sessions for outgoing DNS over TLS and DNS over HTTPS connections. During that work we stumbled upon a memory leak in some setups using GnuTLS which will have to be fixed in the library itself. After reporting it upstream we added a warning in dnsdist which will be removed when a fixed version of GnuTLS has been released.

We also fixed an error in the way we check for integer overflows in configuration values, which could have refused valid configurations.

Finally we added a function to see the current configuration of the internal web server.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

PowerDNS Authoritative Server 4.4.2

Hello!

We are proud to announce version 4.4.2 of the Authoritative Server. This releases fixes one issue:

  • RFC2136/nsupdate: apply new TTL to whole RRset, not only to the added record

Please find a full list in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second beta release of PowerDNS Recursor 4.6.0

We are proud to announce the second beta release of PowerDNS Recursor 4.6.0.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes:

  • The ability to flush records from the caches on a incoming notify requests. Many thanks to Kevin P. Fleming for this feature!
  • A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders.
  • Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.
  • A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone.
  • An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details. When upgrading do not forget to check the upgrade guide.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the final 4.6 release, the 4.3.x releases will be marked EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

First beta release of dnsdist 1.7.0

Hello!

We are happy to announce the first beta release of dnsdist 1.7.0!

We introduced a fair number of improvements and new features since the second alpha, and we will now iron out the documentation and fix any bugs before hopefully releasing the first release candidate very soon.

The main new feature is the ability to use the same outgoing TCP or DNS over TLS connection for queries coming from different clients, leading to a huge decrease of the number of outgoing connections needed when the backend supports out-of-order processing.

We also added the exact transport type to dnstap and protocol buffer messages, making it possible to differentiate between plaintext queries and DNS over HTTPS or DNS over TLS ones.

Recently Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This beta finally adds support for eBPF pinned maps, allowing dnsdist to populate the maps using our dynamic blocking mechanism, and letting the external XDP program do the actual blocking or response.

Stéphane Bortzmeyer helped us pinpoint a few issues in the encryption between dnsdist and its backends, notably in the way the outgoing connections are cached while waiting to be reused. That could have led to a waste of memory piling up over time.

We also fixed an issue where the threads handling incoming DoH queries could have stopped processing responses when they were completely overloaded by TLS handshakes, leading to a degradation of performance.

The last issue was that a backend was not properly marked as non-available when a certain exception was raised during a health-check attempt.

Finally Rosen Penev contributed a lot of clean up changes to make sure that we make the best of what C++17 can offer.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

PowerDNS Authoritative Server 4.5.2

Hello!

Today we published release 4.5.2 of the Authoritative Server. It contains several robustness fixes for the bindbackend, and for SOA handling. These fixes are especially important for zone cache users.

Please find a full list in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First beta release of PowerDNS Recursor 4.6.0

We are proud to announce the first beta release of PowerDNS Recursor 4.6.0.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes:

  • A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders.
  • Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.
  • A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone.
  • An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the final 4.6 release, the 4.3.x releases will be marked EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS Recursor 4.4.7 and 4.5.7 Released

We are proud to announce the release of PowerDNS Recursor 4.4.7. and 4.5.7.

Both releases are maintenance releases correcting an issue where a DS record with a SHA-256 digest could be ignored if a DS record with SHA-384 digest is also present. The 4.5.7 release also contains a fix for the issue where an incorrect appliedPolicyTrigger value is set on some RPZ hits.

Please refer to the change logs for the 4.4.7 and 4.5.7 releases for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.4.7, 4.5.7) and signatures (4.4.7, 4.5.7) are available from our download server and packages for several distributions are available from our repository.

The 4.2.x release is EOL and the 4.3.x and 4.4.x releases are in critical fixes only mode. Consult the EOL policy for more details.

We would also like to repeat that starting with the 4.5 release branch we will stop supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

Second alpha release of PowerDNS Recursor 4.6.0

We are proud to announce the second alpha release of PowerDNS Recursor 4.6.0.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes:

  • A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders.
  • Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.
  • A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone.
  • An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the final 4.6 release, the 4.3.x releases will be marked EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

Second alpha release of dnsdist 1.7.0

Hello!

We are happy to announce the second alpha release of dnsdist 1.7.0!

We spent quite some time since alpha1 reproducing an issue reported by Stéphane Bortzmeyer in our new outgoing DNS over TLS feature. The issue turned out to be triggered by the use of the GnuTLS provider, and to be only present with some versions of that library. We are still working with the GnuTLS project to get this issue resolved, but in the meantime we implemented a work-around in dnsdist itself. In addition to that work-around, this release contains a few new features, improvements and bug fixes.

Among the new features is the ability to add a custom EDNS option to a query before forwarding it to a backend, via SetEDNSOptionAction. phonedph1 also contributed a new rule making it possible to route a query based on the number of outstanding queries in a pool, PoolOutstandingRule.

The packet cache has been improved so that one can now configure which EDNS options should be ignored, raising the cache hit ratio behind customer-premises equipment. The incoming and outgoing protocols have been added to the output of the grepq command for a better understanding of the recently processed traffic. We also reduced the memory consumption of dnsdist in constrained environments a bit further.

Denis Machard reported that queries received over UDP and forwarded via a TCP, DoH or DoT were not properly cached. We also noticed that the includeDirectory configuration directive might not properly function if an exception was raised during the processing. Both issues are now fixed.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!